Ubiquitous Technology, Bad Practices Drive Up Data Theft

Some critics say companies don't have enough financial incentive to safeguard sensitive data.
Some critics say companies don't have enough financial incentive to safeguard sensitive data. (By Mark Lennihan -- Associated Press)
By Jonathan Krim
Washington Post Staff Writer
Wednesday, June 22, 2005

Call 2005 the year of the data breach.

One day, tapes with the Social Security numbers of 1.2 million federal workers are reported missing. Another day it's hackers gaining access to private information on 120,000 alumni at Boston College. Then, last Friday, comes word that 40 million credit card numbers fell prey to computer criminals.

Collectively, nearly 50 million accounts have been exposed to the possibility of identity fraud since the beginning of the year, a significant increase from last year.

Security experts, law enforcement officials and privacy advocates agree that while computer crime is on the rise, it is hardly new.

So why the apparent escalation?

In part, organizations are telling their customers or employees about incidents more than they used to, many complying with a California notification law that is being considered as the basis of possible federal legislation.

After data broker ChoicePoint Inc. reported in February that it was infiltrated by identity thieves posing as legitimate customers, the company received a second black eye when reports surfaced that it did not notify consumers about a previous breach, before California's law took effect. Now, most organizations are choosing to notify potential victims.

Experts see other factors contributing to the data-theft siege.

A boom in data collection has created a marketplace of valuable information stored on computers in thousands of places, many with weak security.

"The current fiascos in cyber-security have been occurring for the past 10 years," said Tom Kellermann, who recently left his position as senior data risk management specialist for the World Bank.

Kellermann and others blame poorly designed software, inattention to data security and an underappreciation of the problem by top management in corporations and other institutions.

"We've used weak practices for some time," said Chuck Wade, an Internet security and commerce consultant. "The vulnerabilities are well known, and we have not been improving the security measures . . . as we should have been."

CONTINUED     1           >

© 2005 The Washington Post Company