updated 5/23/2005 6:23:25 PM ET 2005-05-23T22:23:25

Stealing Social Security numbers and other sensitive data isn't always a cloak-and-dagger, ultra-sophisticated operation: It's often a low-tech job made easier by carelessness and flimsy safeguards.

Plenty of inexpensive measures can protect data from the large-scale theft that big banks, data merchants and other companies have recently disclosed.

But "security and privacy, for a lot of large organizations, are an afterthought, not a priority," said Evan Hendricks, who publishes the newsletter "Privacy Times."

Consider the latest headache for some large banks:

Wachovia Corp., Bank of America Corp. say they have notified more than 100,000 customers that their accounts and personal information may be at risk after former bank employees allegedly sold account numbers and balances to a man who then sold them to data collection agencies. Nine people have been arrested in New Jersey in the case.

Or consider MCI Inc.'s privacy problem:

An MCI laptop containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen last month from the car of an MCI financial analyst in Colorado. The car was parked in the analyst's home garage. The computer was password-protected; the company would not comment on whether the data was encrypted.

Encryption, which is relatively inexpensive, would make all those records all but impossible to access.

After a previous embarrassment, Bank of America Corp. is testing different encryption methods. It lost backup tapes in December containing the Social Security numbers and account information for 1.2 million federal workers, including senators and 900,000 Defense Department employees.

Time Warner Inc. also could have avoided a black eye had it encrypted the backup tapes with the names and Social Security numbers of 600,000 current and former employees lost after the tapes were misplaced by Iron Mountain Inc. The storage service company had been transporting the tapes by van.

After disclosing its loss, Time Warner said it would begin encrypting its employee data. (Iron Mountain, in a press release encouraging encryption, said it performs more than five million pickups and deliveries annually and has lost backup tapes only four times this year).

Such losses go to the heart of information technology security, whose importance is magnified as more data is concentrated in ever smaller packages.

That the backup tapes in the Bank of America case were shipped as commercial air cargo shows the bank didn't understand their worth, said Jim Harper, director of information policy studies at the Cato Institute think tank.

"That's like shipping stock certificates in an envelope," he said. "Personal data is cash money. If you leave it sitting out on a sidewalk, you're making a mistake."

Companies should also clean up their data before sending it to an outside party, said Jim Stickley, chief technology officer at TraceSecurity Inc., a Louisiana security company. Credit unions in San Diego sent their customer databases, including Social Security numbers, to a marketing firm. When the marketing firm was robbed, the numbers were stolen, he said.

Investments in security measures must be weighed against the potential payoff for an attacker, said Dan Geer, chief scientist at Verdasys Inc., a computer security company based in Waltham, Mass.

After a costly data theft by an insider that cost it millions, data broker Acxiom Corp. added a chief security officer, reconfigured its electronic files, added more encryption and increased both internal and customer audits, said Jennifer Barrett, the company's privacy leader.

The insider, contract employee Daniel J. Baas, was sentenced to 45 months in prison in March for stealing encrypted password files. Acxiom said the theft cost it $5.8 million, including employees' time and travel expenses, security audits and encryption software.

Greater scrutiny of clients could have spared ChoicePoint Inc. considerable grief, analysts say.

After ChoicePoint said in February that thieves using stolen identities had created 50 dummy businesses that pulled data including names, addresses and Social Security numbers on as many as 145,000 people, its stock dropped precipitously from $48 a share the day before the announcement to the current price of about $39.

A simple Google search on some of those company names came up empty but ChoicePoint "never had a system in place for really checking them," Hendricks said.

The company should have verified its clients' identities by visiting their offices and looking at their books, said Avivah Litan, vice president for payments and fraud research at Gartner Inc.

ChoicePoint says it has hired a retired Secret Service agent to help revamp its verification process. The data broker has also said it would limit access to Social Security numbers, dates of birth and drivers' license numbers to government agencies and publicly traded companies and would "re-credential" its remaining customers.

Hendricks says tighter screening and monitoring of employees and contractors would help, too, as would training employees to treat data as if they were their own and making them sign contracts promising to do so.

For inside jobs, like those at Bank of America, Wachovia and Acxiom, a well-monitored audit trail, which Hendricks recommends, would also come in handy.

Companies need to take shredding more seriously, too, said Stickley, of TraceSecurity, and limit access to sensitive information.

"An auto dealer shouldn't let any salesman pull a credit report any time they want," Hendricks said. "They should have a small number of people authorized to view very sensitive data."

One simple measure many companies can start with is collecting less information, said Stickley.

When Stickley signed his son up for karate recently, he was asked for his Social Security number, home address and drivers' license number.

"There's no reason for that," he said. "The security at the karate shop is not like a bank."

Copyright 2005 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments