Corporate Insecurity

Posted on Wednesday 23 February 2005

Information breaches are becoming more common as more data is collected and more data is available on the Internet. Customer information and data collected by data aggregators can easily be used by criminals and terrorists to forge new identities, finance their lifestyles and fund their operations. Several recent incidents have been very high-profile. ChoicePoint and T-Mobile were involved in the most recent ones.

ChoicePoint has a clear notice about the possible identity theft on its home page. Apparently T-Mobile and their partner Danger, the manufacturer of the trendy palmtop Sidekick, aren’t being very open about what’s been going on recently. If you look at Danger’s website, they say nothing in the news section about the recent exposure of T-Mobile and Danger customer information. T-Mobile’s website isn’t any more forthcoming.

ChoicePoint’s recent faux pas in vetting their customers has left a huge window of vulnerability for many consumers. Wired.com has a story about it here. Bruce Schneier has a really good take on ChoicePoint and its behavior on his blog.

What is really ironic about ChoicePoint selling data to bogus customers is that it is one of the companies that has marketed itself and its services to DHS to help identify possible terrorists. This makes me wonder, “How accurate can the DHS terrorist screening process possibly be, if this is one of the vendors they are using?” A basic premise in computing is GIGO: garbage in, garbage out.

T-Mobile’s site had been compromised and private customer information had been accessed by unauthorized users for at least a year. The reason this case has become such a high-profile case is the involvement of the Secret Service. The “hackers” got access to some Secret Service internal documents that were being stored on an agent’s Danger palmtop. A story in the UK’s Register about this episode can be seen here.

More recently, there was a news story about Paris Hilton’s Danger Sidekick palmtop: her personal cell phone number, cell phone address book and cell phone photos were posted on-line. I don’t know if her password was guessed… but given everything, Tinkerbell, the name of her Chihuahua, is probably a good guess. The FBI and Secret Service have opened investigations into this matter. Here is the story from the Register.

In one way, we, the American consumer, were lucky in the case of ChoicePoint, as California currently has a law requiring a company to notify any California customers of a security breach in which their personally identifiable information is “reasonably believed to have been” compromised. I believe it is one of the few states requiring companies that suffer security breaches to notify the customers possibly affected.

The first question these recent stories prompt me to ask is: “Who is responsible for the losses and costs suffered by the identity theft victims?”

Recent court decisions make it questionable whether ChoicePoint or T-Mobile can be held liable for those losses, as similar cases against Citibank, Capital One and Premier Bankcard were thrown out. In one case, the court had decided the consumer, whose identity was stolen, had no case as he was not actually the customer of the three companies. Ironic, considering it was his identity that was being used by the customer. President Bush’s recent changes to the way class-action lawsuits are handled make it less likely for the courts to be a strong incentive for companies to secure customer information.

The second important question to ask is: “Would either of these two cases, T-Mobile and ChoicePoint, be getting the attention and high level of involvement from federal officials if they weren’t so high-profile?”

The T-Mobile incidents involve both celebrities and Secret Service personnel. The ChoicePoint case involves a DHS vendor. The T-Mobile breach was discovered more than three months before anything was mentioned to the public at large. If this is the case, how many smaller, lower-profile cases are there, and how at risk is all the consumer information companies have gathered over the years? European privacy laws seem to be much more protective of consumer information than the current laws in the US.

The third question I would pose is: “Do companies have a responsibility to protect personal information which either belongs to their customers, or is the source of their income?”

From what has been going on in the corporate world recently, I would have to say the answer from the largest companies has been a resounding “No!” The reason I say this has a lot to do with the last five years of corporate scandals and wrong-doing. Halliburton, Enron, MCI-Worldcom, Computer Associates, and Tyco are just a few of the many.

