Seems like everyone today is terrified of identity theft. TV and movies teach us that computer hackers are a sophisticated network of highly skilled evil-doers lurking in the cyber world, waiting for the opportunity to grab our banking information out of thin air so they can buy a Lexus or finance a terrorist organization in the Middle East. We demand increasingly high security software to protect us against these faceless criminals…but the truth about identity theft is far more boring than mysterious uber-hackers. Most security leaks are unbelievably ridiculous mistakes made by unthinking or under-trained employees.
Case in point:
In February, a city in Texas accidentally posted the personal records of 500 employees who had filed for worker’s comp in the last five years on its website. The info was online for about 20 hours – long enough to be indexed by search engines – and contained contact information, birth dates and social security numbers. The city manager told the victims not to worry, because the info wasn’t easy to find on the site. If the city manager is that clueless about internet security, how can we expect the data entry clerk who made the mistake to know anything?
This incident was hardly unique. One former employee of a mortgage brokerage firm made several spreadsheets containing sensitive information for over 5 thousand customers available on the BearShare P2P network from his home computer.
In December of last year, a mortgage company in West Palm Beach, Florida dropped off about 200 mortgage applications at the local recycling center. The company’s environmental policy is commendable, but if you’ve ever filled out a mortgage application, you know that the information contained in that single document equals your entire life – contact info, social security numbers, bank and financial information…the stuff of nightmares.
In addition to employee blunders, there are also stolen laptops to consider. A major airline was indirectly responsible for the loss of an unencrypted laptop containing 4,300 hospital personnel records. The employee who lost the laptop says that she gave it to a flight attendant to store, and it disappeared. I don’t know where to place the blame here. The laptop should have been encrypted. That’s the hospital’s fault. The employee should have put the laptop under the seat in front of her and put her foot on the bag strap – that’s what I do – and the flight attendant should have stowed the laptop in overhead storage directly above where the owner was sitting, or suggested under-seat storage. Everybody made mistakes on this one. The Ponemon Institute, a data-security research organization, reports that half a million laptops are lost during air travel every year. Almost half of those contain some kind of sensitive data.
Which further leads me to wonder: how many executives send sensitive information or log into the company databases from unsecured hotel Wi-Fi connections? Just a thought.
Perhaps the most amusing (and yet terrifying) scenario took place last June. A data storage facility in Salt Lake City offers its clients the ultimate in data security. An experienced driver for the company was scheduled to deliver 2.2 million hospital patient billing records to the fireproof company vault buried inside an impenetrable granite mountain, complete with steel vault doors and armed guards. Unfortunately, the driver left the box of records in his car overnight and a random car thief stole it.
The bottom line is that no matter how secure we think we are, there’s always going to be human error to mess everything up. Employers who really want to take electronic security seriously need to train employees properly, encrypt computers, and transport data in armored trucks. And for the record, securing the network is probably a good idea as well.