Security Sentinel: Identity theft -- what, me worry?
By Toni McConnel, Contributing Editor
iApplianceWeb
(03/20/03, 08:40:39 PM EDT)
In December of 2002, hard drives containing more than 500,000 medical records of military personnel and their families were stolen from the TriWest Healthcare Alliance in Phoenix. These records included extensive personal information
such as social security numbers and birth dates. TriWest is a defense
contractor that provides managed health care for 1.1 million active-duty
personnel, their dependents, and retirees in 16 states, and is part of the
Pentagon's efforts to build a network that computerizes the entire military
health-care system. An Associated Press story stated that the theft
might be one of the largest identity thefts on record.
More recently, an administrative data reporting program on the University
of Texas (UT) at Austin's computer system was breached, exposing social security
numbers, e-mail addresses and other personal information belonging to approximately
55,000 UT faculty, staff and current and former students. University officials
admitted they did not have adequate security measures in place.
And in early March a financial manager for a Princeton University student
publication discovered that when he accessed the magazine's bank account
online, he also obtained access to all of the university's accounts - about
$9.9 million. The log-on number for the magazine and the university is the
same because it is Princeton's federal taxpayer identification number.
Proving once again that universities may be centers of learning, but not
necessarily centers of intelligence.
What is so troubling about these and other security breaches is that any
of them could have been prevented had the institutions involved taken advantage
of available technology or correctly implemented the technology in place.
It's even more troubling that untold numbers of breaches are not reported
because financial institutions fear that their customers will lose confidence.
It's even more troubling yet if you start to consider how many institutions
hold key information on us. If, in 2002, 14 of 24 government agencies
received failing grades on computer security from the House Subcommittee
on Government Efficiency, Financial Management and Intergovernmental Relations,
how secure can we feel about our personal records housed in these agencies?
How secure can we feel about the private institutions that have the same
records?
Consider how many companies and institutions have your social security number,
birth date, address, phone number, and e-mail address. How secure are
the computerized records of your bank, your employer, your insurance company,
every credit card company you hold a card with, your school, the DMV, credit
rating bureaus, every store you have an account with, health care providers,
utility companies, the Social Security Administration, the IRS, and all the
associations and clubs you belong to? Do you know? Do you have
any way to find out?
The existence of organized hacking syndicates that target financial institutions
is well-established and thefts of records by the hundreds of thousands are
occurring regularly. Many, if not most, of these syndicates are
based overseas, making prosecution complicated and sometimes impossible,
even when they can be identified.
This brings me back to the topic I broached in my last column -- our blindness
to the changing nature of war, the weapons with which it is fought, who the
enemy is, and the government's blindness to its responsibility to protect
us from attack.
The FBI as well as state law enforcement and various government agencies
and banking institutions are doing what they can after the fact, investigating
the attacks and recommending security policies -- locking the barn door after
the horse is gone.
But should not our government establish standards for security that must
be observed before any company or institution makes its records available
over the Internet, requiring each and every implementation to be tested and
passed by a government agency? Should we not be entitled to know, before
entrusting our personal records to any institution or business, that
their security systems are hack-proof?
Who's in charge here? The answer is “No one”, and that's the problem.
Security Sentinel is written by contributing editor
Toni McConnel. Toni will keep you up-to-date on recent issues about security,
new virus alerts, discoveries of software and hardware vulnerabilities, and
where to find further information and fixes.
Your input is invited. Write to Security.Sentinel@NetcentricCommunity.net
with your concerns and/or information you would like to share with the iAppliance
community concerning security.