Well, we have heard many stories about compromised data, stolen laptops, disappearing hard drives and personal information gone missing. Too often we hear corporate or agency executives telling us not to be concerned. Too often we hear suggestions that although sensitive personal data has been compromised, no evidence exists that actually proves thieves have accessed this confidential information. However, a new opinion article in the online publication Computerworld Security suggests that executives view data compromises incorrectly. In fact, according to the author, after a breach has occurred, no forensic investigation tools can accurately portray whether thieves have taken confidential information. The author suggests that in today’s technological environment, no distinction really exists between a thief who just accesses a confidential database and a thief who actually takes data. In the age of mirroring and copying, either situation could result in identity theft.
According to the Computerworld Security author,
What does it mean, in the age of the Internet, to say that an intruder or attacker could “access” or “view” information, but that it was not “taken” from the database? These are old-school distinctions that ought to have been wiped aside by even the dimmest awareness of MP3 sharing and downloading, among many other examples. When one teenager copies another’s MP3, is the data “taken” in anything but a licensing sense? Of course not.
The author cites one example: a recent data breach at an Ohio hospital, reported in late October 2006, that exposed patients and donors to identity theft risks. Hospital executives made the following remarks, apparently designed to set donors’ and patients’ minds at ease about the data theft:
Immediately upon discovery of the unauthorized entries, we retained computer security consultants to determine the extent of the breaches. They have found no evidence that any specific data was downloaded, tampered with, or compromised; however, the opportunity to view the data existed.
Based upon the Computerworld Security article, the fact that a data breach occurred should be cause for concern. Identity thieves who know that a free fraud alert placed with credit reporting bureaus will last only ninety days will likely wait that long before attempting to use or sell compromised data. After having reviewed the Akron Hospital’s description of what happened, it appears that over 242,000 patients’ and donors’ confidential information and bank account records were accessed by hackers. This intrusion was not discovered until September 2006, and the FBI and the public were not informed until late October. For the reasons described in the Computerworld article, if you are a patient of or donor to the Akron Children’s Hospital, I would not feel confident in the hospital’s suggestion that no evidence exists to suggest that hackers used the data that they viewed. I would demand accountability and responsibility. I would also tell Hospital executives and other officers at corporations or agencies with problems securing data to play things straight. Do not sugarcoat the problem! Unrealistic optimism can create a public relations fiasco. Hospital executives should tell the public the truth about the real identity theft risks. Customers, patients or donors deserve nothing less. Realistic disclosures should help the public to understand the real risks of identity theft in light of our current technological environment.