data leaks – Techdirt

Stories filed under: "data leaks"

Should It Be Illegal To Get Hacked?

from the might-be-a-bit-extreme dept

A few years back, we asked if it should be illegal to get hacked. In that case, we were referring to some fines that the FTC had handed out to companies that had leaked data to hackers. This raised some troubling questions — as it’s often difficult-to-impossible to stop your computer systems from getting hacked, and putting liability on the company could lead to some serious unintended consequences. Yet, at the same time, over the past few years, we’ve heard about large security breaches on a regular basis (thanks, in large part, to new disclosure laws) — and often those breaches definitely seem to be due to negligence on the part of a corporate IT team that failed to lock down the data in any significant manner. That seems to be leading more people down the path of saying that companies should be liable for getting hacked.

For example, Slashdot points us to a blog post at InfoWorld, where it’s suggested that companies should be criminally liable for leaking such data. I can certainly understand the sentiment, but it may go too far. Again, it’s impossible to totally protect a system from getting hacked. Sooner or later there’s always going to be some sort of leak. Increasing penalties could make companies take things more seriously — especially in cases of gross negligence (which do seem all too common). But making the rules too strict can have serious negative unintended consequences as well, even to the point that some companies may stop accepting credit cards altogether, since the liability would just be too great. Would people be willing to give up the convenience of credit cards to protect their safety? From what we’ve seen, for most users the answer would be no. They know their credit cards are at risk, but they still use them because the benefit of the convenience still seems to outweigh the danger of the risk.

Filed Under: data leaks, hacked, legal, liability

Stolen Data So Plentiful, The Market For It Has Collapsed

from the valid-credit-cards?-sorry,-don't-need-any-more dept

There are so many data leaks these days that it’s hardly even newsworthy every time some company reveals your social security number and credit card. However, would you believe that it’s also impacting the economics for fraudsters? Matt Bennett alerts us to the news that the price of fraudulently obtained data is falling through the floor thanks to the glut of it on the market. There are so many collections of credit cards or bank account numbers that the crooks who are buying them are buying them in bigger batches at greatly deflated prices. By the way, the falling dollar has impacted this as well: European identity data is worth a lot more than American identity data. So, I guess there’s that to be thankful for.

Filed Under: data leaks, identity fraud, security, supply and demand

Laptop With Data Stolen? Announce It, Give 1-Year Free Credit Monitoring And Move On

from the yawn dept

We’ve noted in the past that it’s become somewhat standard for any company that has lost the private data of its customers/employees/partners/etc. to agonize for a little while and then offer one year of free credit monitoring as an apology. Apparently that formula has reached such a point that companies are doing it automatically. This way, the press can simply combine two stories into one. Horizon Blue Cross Blue Shield of New Jersey loses a laptop with data on 30,000 members? No big deal. With the announcement they immediately offer a year of free credit monitoring and everyone can forget about it and move on. At this point, you have to assume that anyone storing personal data is starting to mentally price in the cost of a single year’s free credit monitoring as a cost of doing business. It’s certainly cheaper than actually securing your data.

Filed Under: credit monitoring, data leaks, security

Should Allowing A Massive Data Breach Be A Criminal Offense?

from the might-be-a-bit-extreme dept

Following some massive data leaks in the UK, some politicians there are considering a plan to make it a criminal offense to “recklessly or repeatedly mishandle personal information.” Contrast this to the US, where courts have noted that there can be no finding of negligence if the data leak is never found to have been used by identity thieves (even if exposing the data was done through negligence or recklessness). Of course, this is a fine balancing act. Certainly, one of the biggest problems leading to these data leaks is that the companies that leak data generally just get wrist slaps as punishment — meaning that it’s more cost effective to be weak in security than to properly protect it. Adding the potential of criminal charges could increase the cost enough that people take the security of private info a lot more seriously. On the flipside, however, it could also cause other problems. No matter what, some ingenious criminal somewhere will figure out how to get access to a dataset, or some unimaginable combination of events will occur and lead to lost data — and it seems unfair to throw someone in jail for that. If anything, it may scare off some very smart folks from taking jobs securing that kind of data, as the personal liability might become too high. In the end, making companies face real punishment for screwing up makes sense, but potentially putting individuals in jail without clear and egregious acts of negligence seems like a bad idea.

Filed Under: criminal offense, data leaks, security, uk

Ameritrade Knew About Data Leak Long Before It Told Customers

from the quite-some-time,-it-seems dept

Late Friday, the news broke that TD Ameritrade is the latest in a long, long, long, long, long list of companies who have leaked data of its customers. In this case (as in many others) it was apparently due to their computers getting hacked. Considering how many similar stories we see, it almost didn’t seem worth writing about. However, it appears that Ameritrade was well aware of the hacking long before they disclosed it. According to a lawsuit that was filed months ago, Ameritrade users had been receiving stock spam to unique email addresses provided only to Ameritrade as far back as October of 2006 — and some of those users had reported this to Ameritrade. Then, back in May, Slashdot ran a detailed piece on the apparent leaking of Ameritrade email addresses, and even questioned why Ameritrade had not disclosed this breach, as is required under California law. The lawsuit, filed at the end of May, questions this as well. Yet, Ameritrade waited until now to disclose that their systems had been hacked, making email addresses available to people. Amusingly, Slashdot’s report on this fails to note Slashdot’s earlier story that helped spur the lawsuit and apparently pushed Ameritrade to finally investigate the claims. Either way, it raises questions about why Ameritrade waited this long to inform its customers that their emails had been leaked, despite pretty clear evidence of a leak from quite some time ago.

Filed Under: data leaks, notification, security
Companies: td-ameritrade

Did TJX Know About Massive Security Breach Long Before It Revealed It?

from the dates-not-adding-up dept

We’ve already seen that, as with just about every other data leak, the massive data leak from clothing retailer TJX was a lot worse than originally reported. However, some are now asking whether the company also hasn’t come entirely clean about when the breach occurred and when the company knew about it. The official statements from TJX suggest that the company became aware that its own horrible security was breached on December 18th, 2006, and informed the FBI by December 22nd. However, as the article above notes, there’s evidence suggesting that TJX was familiar with the breach well before that. Remember that a bunch of folks had been arrested in Florida for using the TJX data in scams. The police in that case have filed some reports, noting that TJX had alerted them to a breach back in March of 2006 — and, in fact, the Florida investigators filed reports on their investigation in November 2006… well before TJX even claims that it knew of the breach. It certainly raises some questions about when TJX really became aware of the breach, and when the company finally alerted people that their data may have been compromised.

Filed Under: data leaks, security
Companies: tjx

No Harm, No Foul In Yet Another Data Leak Case

from the yet-again dept

Over the last few years we’ve been hearing story after story after story about data leaks. These kinds of leaks didn’t just start happening; we’re finally hearing about them because of new laws that require disclosure. One of the big problems is that there’s very little risk to companies if they leak someone’s data. They issue an apology, agree to pay for one year of credit monitoring and go back to storing data in easily leaked ways. Not surprisingly, many of the folks whose data was put at risk don’t feel that’s adequate and have tried to sue over the matter, but in a decision that mimics earlier decisions, the 7th U.S. Circuit Court of Appeals has said that those suing Old National Bancorp have no right to sue, because nothing was actually done with the leaked data. In other words, since they weren’t directly harmed, they don’t have standing to sue. You can understand the legal reasoning here, but it still makes you question why simply leaking data shouldn’t be considered negligence on the part of these companies, even if the data wasn’t later used for criminal purposes.

Filed Under: data leaks, liability
Companies: old national bancorp

Now Maybe TJX Will Take Data Security Seriously

from the when-you-put-it-that-way dept

While personal data leaks continue to occur at a pretty regular clip, very few companies or government agencies take the problem very seriously. This is mostly because after the initial bout of bad PR, the repercussions are minimal, so few groups bother to spend the time and resources needed to put proper preventative measures in place. Perhaps, though, that will begin to change as the costs of these data leaks and breaches become more publicized. For instance, TJX, the retailer that suffered the largest breach of credit-card data ever, reported this week that its second-quarter costs related to that breach came in at more than 10 times its initial estimates, and added up to 25 cents per share in the quarter. The raw figure of $117 million still isn’t that much, but it cut the company’s earnings per share in half from the year-ago quarter — and that’s bound to upset the company’s investors. They’re likely to be even more annoyed if they look into the details of the breach: earlier reports highlighted the company’s security incompetence, but a story this week made things look even worse. The breach was apparently perpetrated by using poorly secured in-store kiosks, which were on the corporate network and not behind firewalls. Attackers stuck USB keys in the kiosks and loaded software that allowed them to be controlled remotely, and used as gateways onto the network. While it certainly doesn’t look like TJX was paying a lot of attention to security, a 25 cent per share loss will make investors take notice — and that, hopefully, will force companies to take data leaks and security more seriously.

Filed Under: data leaks, security
Companies: tjx