Computer Security Article

2005: The Year of Dataflation

Exclusive to the Web Site
Copyright Stephen Cobb

Highlights:

  • Dataflation: the tendency of data to lose value
  • Factors include large-scale unauthorized access, excessive abuse and loss of confidentiality
  • Roundup of 66 million records reported exposed in the first half of 2005

I recently coined the word dataflation to describe an emerging phenomenon, one that has some fairly serious implications for the future of many things (human commerce and planet earth, to name a few). As the inventor of this term, I reserve the right to tweak the definition, but here is my first stab at it:

Dataflation: the tendency of data to lose value due to factors such as large-scale unauthorized access, excessive abuse and loss of confidentiality.

(Derived from 'data,' meaning “Factual information, especially information organized for analysis or used to reason or make decisions,” and inflation, meaning “A persistent increase in the level of consumer prices or a persistent decline in the purchasing power of money, caused by an increase in available currency and credit beyond the proportion of available goods and services.”)

If you have been paying attention to media coverage of identity theft in recent months, then you will have noted the string of dataflationary events reported in the first half of 2005. I have listed them here to make the point. The rough total of compromised records reported? 66 million.

January: A computer hacker apparently broke into a George Mason University database containing student and employee Social Security numbers, leaving 32,000 people uncertain whether their finances or identities might be compromised. January 11, 2005, Jonathan Krim, Washington Post Staff Writer
http://www.washingtonpost.com/wp-dyn/articles/A64150-2005Jan10.html

January: A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities...twenty-one year-old Nicolas Jacobsen was...behind an offer to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board...according to court records. Jacobsen could access information on any of the Bellevue, Washington-based company's 16.3 million customers, including many customers' Social Security numbers and dates of birth, voicemail PINs, and the passwords providing customers with Web access to their T-Mobile e-mail accounts.
http://www.securityfocus.com/news/10271

February: A confidential list of 4,500 Palm Beach County residents with AIDS and 2,000 who are HIV positive, including their addresses, was inadvertently emailed to more than 800 county workers, officials said. Feb 20, 2005, AP.
http://www.aegis.com/news/ap/2005/AP050234.html

February: Choicepoint, one of the nation's biggest information services...electronically delivered thousands of reports containing names, addresses, Social Security numbers, financial information and other details to people in the Los Angeles area posing as officials in legitimate debt collection, insurance and check-cashing businesses. At least 700 victims have had their mailing addresses changed, apparently by people connected to the scheme, authorities said. Identity thieves often change the addresses of victims in order to gain control of credit card offers and other mail. No one knows the extent of the fraud or the financial impact, authorities said. Only one suspect has been arrested. February 17, 2005, Robert O'Harrow Jr., Washington Post Staff Writer.

February: Backup tapes with records detailing the financial information of government employees were lost in shipment to a backup center, Bank of America said on Friday. The tapes contained information on the customers and accounts of the U.S. government's SmartPay charge card program, which has more than 2.1 million members and annual transactions totaling more than $21 billion, according to the General Services Administration. Reports have pegged the number of cards affected at 1.2 million. February 25, 2005, Robert Lemos, CNET News.com
http://news.com.com/Bank+of+America+loses+a+million+customer+records/2100-1029_3-5590989.html

March: Hackers have compromised databases belonging to LexisNexis and stolen information on at least 32,000 people, according to a statement issued today by LexisNexis's parent company, Reed Elsevier...March 09, 2005, Paul Roberts, IDG News Service.
http://www.pcworld.com/news/article/0,aid,119953,00.asp

March: California State University at Chico notified 59,000 students, faculty, and staff that their details had been kept on a computer compromised by remote intruders. The haul included names, addresses and Social Security numbers.

March: Boston College notified 120,000 of its alumni after a computer containing their addresses and Social Security numbers was compromised by an intruder.

March: Shoe retailer DSW notified more than 1,500,000 customers of a remote break-in of the company's computerized database of 103 of the chain's 175 stores.

March: Payroll outsourcer PayMaxx exposed more than 25,000 of its customers' payroll records online.

March: Desktop computers belonging to government contractor Science Applications International Corp (SAIC) were stolen, exposing the details of stockholders past and present, many of them heavy hitters in the US government, such as former Defense Secretaries William Perry and Melvin Laird, former CIA Director John Deutch, former CIA Deputy Director Bobby Ray Inman, former Chief Weapons Inspector in Iraq David Kay, and former chief counter-terror advisor General Wayne Downing.
http://www.channelregister.co.uk/2005/03/23/id_theft_cannot_be_escaped/

April: Last week, trading firm Ameritrade acknowledged that the company that handles its backup data [Iron Mountain] had lost a tape containing information on about 200,000 customers. The financial firm is now revising its backup policies and, in the interim, has halted all movement of backup tapes, a spokesperson said this week. 29th April 2005, Robert Lemos, SecurityFocus.
http://www.theregister.co.uk/2005/04/29/backup_tapes_are_backdoor_for_id_thieves/

April: LexisNexis Warns 300,000 of Possible Data Theft, Internal investigation reveals that many more people than previously thought may have fallen victim to hackers. An internal investigation at the LexisNexis division of Reed Elsevier has uncovered evidence that as many as 310,000 more people may have had their personal information exposed to unauthorized individuals who compromised the security of a massive database of public and private information, including Social Security and drivers license numbers. [These databases were the responsibility of Seisint, a contributor to the MATRIX government dossier system] April 13, 2005, Paul Roberts, IDG News Service.
http://www.pcworld.com/news/article/0,aid,120426,00.asp

May: Bank of America Corp. and Wachovia Corp. are among the big banks notifying more than 670,000 customers that account information was stolen in what may be the biggest security breach to hit the banking industry...May 23, 2005, CNN/Money.
http://money.cnn.com/2005/05/23/news/fortune500/bank_info/

May: Time Warner this week said it will "quickly" begin encrypting all data saved to backup tapes after 40 tapes with personal information on about 600,000 current and former employees were lost in transit to a storage facility.
http://www.networkworld.com/news/2005/050605-timewarner.html

June: CitiFinancial, a consumer lending branch of Citigroup, New York, said June 6 that it has begun notifying 3.9 million of its U.S. branch network customers that computer tapes containing personal information were lost on the way to a credit bureau...The United Parcel Service lost the tape on May 2nd, and it hasn't been seen since. CitiFinancial only noticed the tape was missing on May 20. The tape contains Social Security numbers and transaction histories on both open and closed accounts at the bank’s lending branches in the US. 7th June 2005 09:06, Andrew Orlowski, The Register.
http://www.theregister.co.uk/2005/06/07/citigroup_lost_tape/

June: MasterCard International reported Friday that more than 40 million credit card accounts of all brands may have been exposed to fraud through a computer security breach at a payment processing company, Cardsystems, perhaps the single largest case of stolen consumer data to date. June 18, 2005, Joe Bel Bruno, Associated Press. This was well covered on this blog:
http://www.liewcf.com/blog/archives/2005/06/cardsystems-hacked-40-million-credit-card-accounts-stolen/

2005 in General: Some of the largest dataflation events have been 'lost' data tapes. As far as I can tell, none of these tapes were encrypted, a simple security measure that has been around for thirty years or more. Indeed, I think most people assumed that their bank would be encrypting data tapes, especially those that are taken outside of the bank's secure premises. Yet an outfit called Enterprise Strategy Group polled almost 400 companies in 2005 and found that more than 60 percent of them were not encrypting any of their backup data. Less than ten percent actually encrypt all their backup data. Two-thirds of the financial firms polled by ESG never encrypted the data that they were backing up. The majority of larger firms also failed to encrypt their backup data, with about 56 percent of companies with revenues greater than $5 billion never having encrypted their data before putting it on tape. (As reported 29th April 2005 by Robert Lemos, SecurityFocus.)
http://www.theregister.co.uk/2005/04/29/backup_tapes_are_backdoor_for_id_thieves/



Updated Summer, 2005 by webbloke at cobb dot com © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).