Data Theft Ignorance in the Age of Information Assurance

Originally posted on my corporate blog at http://blog.avanadeadvisor.com/blogs/waynea

With a half-drafted article on the subject of compromised IT equipment, I received a notice from ACS this morning that my information is potentially affected by the recent loss of a laptop.  How ironic.

Fortunately, this is not my first experience with a data compromise, and within about 10 minutes of receiving the notice, fraud alerts were placed appropriately and my Equifax credit monitoring subscription was renewed.  Still, a most personal edge has been added to this subject matter since I started drafting this post this morning...

Over the past several years, there can be no denying that as the culture of an electronic society has been burgeoning in the social consciousness, so too has identity theft been driven to the forefront of criminal enterprise.  These days it is made so easy: billions of dollars in transactions cross electronic pathways every day, in bank transfers, purchase orders, electronic shipping, electronic subscriptions.  Every day, millions of people sign up for some new account, newsletter, or service.  Names.  Birth dates, Social Security numbers, credit card information, phone numbers, addresses.  One could almost say that the Internet has provided one of the best crime accelerators of any invention in the past 200 years.

At the same time, enterprise adoption of information safeguards has been far outpaced by the growth of privacy breaches and directed theft.  Even those enterprises which have been bitten directly by missteps with information security, enterprises that have seen the impact of these events on the bottom line, seem slow to take steps that would put additional investment into data security.

Let's take, for example, this most recent incident with ACS.

The Current Colorado ACS Breach

More than a Million Potentially At-Risk for Identity Theft
Stolen Computer May Contain Data on 1.4 Million Coloradans

ACS Has a Less than Sparkling History

ACS Exposes 21000 College Individuals Information
Park at DIA? Your Credit Card Info Was Stolen.
Red Light Cameras Expose Thousands to Identity Theft
Motorola Employee data stolen

And lest you think it is ACS Only...

A Chronology of Data Breaches since the ChoicePoint Incident

When Does it Stop?

Please keep in mind that this last chronology only includes data breaches since the ChoicePoint information network was found to have been operating in a way that was unsafe for the data retained in it.  That is a period of roughly a year and a half to the date of this writing, and there are literally hundreds of incidents compromising the privacy of tens of millions of Americans.  When this incident was originally disclosed, a local college professor was cited in one of the linked articles discussing the relatively low perceived cost of privacy breaches to contracting enterprises.  If you valued each identity at about $1000 and 50,000 identities were compromised, the loss would be roughly equivalent to $50 million.  People would be fired; there would be press releases and damage control.  If you extend that same principle to the latest loss from ACS, 1,400,000 times 1,000.  That is $1.4 BILLION.

Let's be realistic here.  Risk mitigation has a cost.  Implementing protective measures such as encrypted file systems, key-based encryption, and IPSec (or equivalent) traffic encryption all carry some hit in performance, required hardware, or simply the time and cost of controlling downtime and rolling out the procedures.  Each possible protective measure (and probably each combination of measures) has an operating cost to the enterprise that the enterprise never sees a return on, and only sees value in when an undesirable event occurs.  Still, I like to compare it to maintaining a fire district.  Frankly, the firemen do nothing for the community.  They don't build things or sell things.  They don't generate tax revenue.  They suck hundreds and hundreds of thousands of dollars a year out of a community.  When a fire occurs, the value that these people have comes to bear.  Security is similar for the enterprise.

For companies like ACS, I cannot understand the lack of investment in this area.  They have been contractually penalized, sued in court, and slandered in front of clients and the press.  They should know by now the comparative enterprise cost that these measures mitigate.  This latest breach could be all but dismissed had the PC been configured such that the hard drives were encrypted, or had file encryption been in place on the affected data.
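The mitigation named above, full-disk encryption on the laptop, is only a mitigation if it is actually turned on before the machine leaves the building. The following PowerShell script is an added example, not from the original post or from ACS, that a defender can run on a Windows laptop to verify exactly that. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module present and an elevated session; `Get-BitLockerVolume` and its `VolumeStatus`, `ProtectionStatus` and `KeyProtector` properties are part of that module. It flags any volume that is either not fully encrypted or has protection suspended, since a suspended BitLocker volume stores its key in the clear and offers no protection against a stolen disk.

```powershell
# Added example (not part of the original post): audit whether every fixed volume on this
# Windows machine is protected at rest by BitLocker full-disk encryption.
# Assumes Windows 8 / Server 2012 or later with the BitLocker module and an elevated session.

$report = foreach ($vol in Get-BitLockerVolume) {
    # Data is only protected at rest when the volume is fully encrypted AND protection is on.
    # "FullyEncrypted" with ProtectionStatus "Off" (e.g. suspended for a firmware update)
    # leaves the volume key readable from disk, which is no better than plaintext if stolen.
    $protected = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType        # OperatingSystem or Data
        VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus  # On or Off
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        Protected        = $protected
    }
}

# One line per volume so an administrator can eyeball the fleet output.
$report | Format-Table -AutoSize

$unprotected = @($report | Where-Object { -not $_.Protected })
if ($unprotected.Count -gt 0) {
    $list = ($unprotected | ForEach-Object { $_.MountPoint }) -join ', '
    Write-Warning ("{0} volume(s) are NOT protected at rest: {1}" -f $unprotected.Count, $list)
    # Non-zero exit so a deployment or compliance job can fail the machine.
    exit 1
}

Write-Host "All volumes are fully encrypted with protection on."
exit 0
```

Run it from an elevated prompt (`powershell -ExecutionPolicy Bypass -File Audit-DiskEncryption.ps1`, the file name being an assumption). The exit code is the useful part: a logon script, configuration-management job or compliance scanner can treat any non-zero result as "this laptop must not hold customer data," which turns the encryption requirement from a policy on paper into a check that runs every time.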

When do these contractors begin to understand that not taking the time and money to implement these basic tenets of risk management for information security will reap a very real loss, not only for themselves but for their clients and their clients' customers?

All content and materials Copyright ©2004 by Wayne S. Frazee. All Rights Reserved.

Please note that the postings on this site, including news, scribblings, past writings, posted files, and other material, are my own and do not necessarily represent Avanade's or Avanade's customers' positions, strategies or opinions, nor those of any organization I have previously worked with or represented.