What Are You Doing With 25 Million Social Security Numbers On Your Laptop?
from the seemed-like-a-good-idea-at-the-time dept
In the never-ending barrage of stories about customer data leaks, one question is never answered: why are people carrying around laptops with so much personal information anyway? As you might expect, the answer’s got more to do with laziness and stupidity than anything else. There’s really no good reason for people to be carrying all this data on their laptops when it can be more securely held (in theory, anyway) in a central location, and accessed as needed over a network. Of course, all that requires a lot of effort, as does ensuring employees’ computers are using encryption and other security techniques, and as long as companies have no incentive to protect customer data, there’s little reason for them to go to the trouble, and cost, of actually securing data.
Comments on “What Are You Doing With 25 Million Social Security Numbers On Your Laptop?”
Keeping data centralized
I used to work for a contractor who provided claims-processing services to Medicare. I had access to gobs of private health information. It was company policy that no data or work product of any sort was to be stored on your local PC — everything was to be stored on heavily-protected servers. It was also made very difficult to do things such as export large quantities of social security numbers from mainframes to PCs. We didn’t allow VPN access to our servers for laptop users either — when you were working remotely, all you could do was dial in to check your e-mail. All of this frequently slowed down my work and was frustrating and annoying — but we didn’t have problems with data walking out of the building, either.
Re: Keeping data centralized
Dealing in information is no different than physical inventory. An employer would fire anyone walking out of the building with selling inventory, no matter what it is. There’s no plausible reason for it, unless movement of that inventory has been recorded with the appropriate paperwork. So why is data treated any differently? I can’t take home a couple of carons of product to complete my work, why should a guy/gal with a laptop be able to move sensitive data?
Your employer was on top of things – mostly because they had to be. When other businesses have to be, under penalty of huge fines, this problem will be mitigated.
Annonomize the data
What I still can’t understand is in lieu of the public flogging of this type of news, why institutions still give out this information. Much of this work is outsourced to another firm, so this will happen more and more. Even if the workers sit at the company, the work was still farmed out.
Much of this information is so easy to anonomize (e.g. Addresses, phone numbers, SSN, etc.). The structure of data is the important thing, not necessarily the content. Take a representative sample of the structure and then put in bogus data. As the OP stated, this is complete laziness and stupidity. It is NOT that hard.
The next big screw up
I think that this is an issue at all levels of data storage, but government is one of the worst offenders. Even when notified they are reluctant to make changes. Just shows the amount of huberis and laziness that they have for being good stewards of private data. It won’t be resolved until there are heavy fines that get paid out to the victims.
Fat, bloated and cumbersome
Not that any of this is new news…I am a Fed, I know the process to implement these security measures take not only and act of God, there is mounds of red tape and every system manager asking who gets their budget cut. Even if they wanted to implement a security measure now, it would have to go through the process (bidding, due diligence, etc.) which makes it available sometime in 2010. The Government is slow and cumbersome, not to mention a bloated pig. Follow the money as the rest of these bean counters do…It is easier to ask forgiveness than to get permission.
Re: Fat, bloated and cumbersome
This is why Congress needs to pass a Feredal law adding jail time as a penalty for inept AND corrupt disclosure of sensitive data they are entrusted to hold by the American people. I am tired of excuses. We need some decisive action on the part of the people we elect to these positions. They are elected to lead. It is about time they started leading!!
Re: Re: Fat, bloated and cumbersome
Agreed! The only way to get the Government off their fat asses is to impose fines. Better yet, stop paying taxes that support these idiots and the bloated agencies that continually lose this information.
Re: Re: Fat, bloated and cumbersome
They are elected to govern, we only wish they would lead.
"Silly" status quo is hard to change
I am still amazed by all of the organizations that require one to give their SSN – when it is clearly not necessary. Utah driver’s license, Idaho fishing license, are two examples. The reasons given include; “because”, or “it’s necessary to properly identify you”. My social secirity card clearly states “for social security and tax purposes-not for identification”.
I can often get away with making one up. Until organizations change these “just because” default identifiers, I think we will experience more such breaches of information.
Re: "Silly" status quo is hard to change
In wisconsin they check for SSN to track down dead beat dads that aren’t paying child support. This would be no reason to hold this data on a laptop though.
Re: "Silly" status quo is hard to change
States do not require you to use a SSN on your license. My UT license very clearly states “Not Required” under the SSN field. Massachusetts used to allow people to use their SSN, but again, it was never mandated.
Also, the topic asks why this question of the data being carried on personal laptopts never comes up. I don’t understand this – it appears to be a major front story every single day. This topic itself looks like it was recycled from yesterday’s Wired post (http://www.wired.com/news/wireservice/0,71348-0.html)
Re: "Silly" status quo is hard to change
“I am still amazed by all of the organizations that require one to give their SSN – when it is clearly not necessary. Utah driver’s license”
Nitpicking, but Utah doesn’t demand you put in on. They can leave the field blank. As I did.
Back to the topic, I think we need a new social number, one that is for the federal government and a citizen only. That could be, you know, secure.
When my healthcare account number is my social security number, it proves we have lost focus of what a social security number is.
Re: Re: "Silly" status quo is hard to change
Point of clarification … one may opt out of displaying their SSN on their driver’s license, but not on obtaining the license (unless they have changed the policy in the last year).
Re: "Silly" status quo is hard to change
“I can often get away with making one up.”
Well, thats great, but while you managed to provide yourself a modicum of security, you did it while committing a felony.
Providing a FALSE Soc Sec Num is a felony. Do not do that. Simply refuse to provide it.
Re: Re: "Silly" status quo is hard to change
Only if the intent is to defraud.
Wait until the lawsuits start happening. You want an incentive and civil court can be the great equalizer.
Here’s a twist for you; I recently received a letter form an insurance co. that I haven’t dealt with in over 2 years. They claimed a laptop had been stolen with my info in it. They also were trying to sell me a subscription to a credit reporting service. I personally believe this is just a scam to sell credit reporting services.
Obvious
I think it is obvious that I’m selling them under the guise of having them stolen.
i’m going to patent and start a company that has one product: massive lists of generic, randomized non-real data that can be used for corporate computer system testing.
all i have to do is read the paper each day for the ‘fuck up du jour”, call that company’s IT executive (or his new replacement), ask them how many millions of names they need at 1/10 cent per name, and profit…
Re: anonymous coward
Please refrain from the use of free thought and discontinue the formulation of ideas or I will be forced to take legal action.
Maybe if these companies didn’t try to squeeze their employees so hard that they *have* to take work home, this wouldn’t happen.
Novel idea… yes, I know.
Haven’t any of these companies heard about encrypting sensitive customer and employee information?
It boggles the mind that the public sector can encrypt and send data on a daily basis that complies with or exceeds DOD standards, but the folks that are entrusted with our most sensitive personal information keep it in a completely insecure database on their laptop with no consideration of those that it will negatively effect.
Why not just put in an archive, encrypt it, and be done? It would be just as easy to access for the end user, but the common thugs that abscond with the laptop that was carelessly left in a vehicle wouldn’t be able to access it with ease, due to lack of knowledge.
Not hard to get at all
People forget all of the people that the data goes through before it finally reaches the *secure* servers. I have a data entry friend that pays almost minimum wage and handle claims for blue cross blue shield and others with all the information they could ever want. Also to get that job or a copy of those documents is not hard at all…. it’s like brining gold to a super secure place and first driving it in a donkey with the gold wrap around plastic bags…
Look in the mirror, sys admins
A few years back, I worked at a big manufacturing company, and data my department needed every day was stored in a big dumb mainframe, with a big dumb UI, managed by big dumb programmers. A co-worker wanted a couple minor changes to the db schema, and argued with the Deniers of Information Services for months with no help. Finally, he bought a copy of MS Access, loaded it on his desktop, did a big dump off the mainframe, and in a couple of days built an app that worked waaaaaaay better than anything the “pros” ever provided. So, this wasn’t personal data, and it wasn’t a laptop, but if you tie your users up in red tape instead of helping them do their work, don’t be surprised if they try to find a way around you. Unfortunately, that might lead to these kinds of security breaches.
what am I doing?
apparently I am not working at a company with an IT manager that has a G.D. brain!
No, really, it comes down to laziness. If I didn’t fight and prove that the potential losses would close the business I work for we wouldn’t have SafeBoot on our laptops right now. Everyone wants to have the security, but IT is supposed to take care of that. They don’t understand it starts with the user being responsible.
Of course, enter the obligatory IT Staff are not responsible for your own stupid carrying of said laptop into areas that are potentially dangerous, such as pool areas, bars, hot tubs, saunas, roof tops, crashing planes, etc., though our users probably think that we are…
almost forgot
when they do lose their laptops, they usually come to the IT staff and ask for their data back.
WTF? We’re not your storage racks; we keep you working!
Shrugged Off
I wrote an email to the IT department head once to write a simple script to get data for me and many co-workers that needed it. It would have saved the company tons of employee time, digging and searching. When I sent the email it was 10:35. By 10:37 I got a reply, “It can’t be done.” I responded. “Yes it can, attached here is the script. Please review and launch.” BAM! Instant time saving, and I wasn’t even in the IT dept. I copied the plant manager that time. Needless to say about 6 mo’s later he wasn’t working here anymore. WOOHOO!