US SECURITY AND PRIVACY TAKE CENTER STAGE IN PROTECTING PERSONAL DATASecurity and privacy take center stage in protecting personal data: South Florida Sun-SentinelSecurity and privacy take center stage in protecting personal data

By Ellen Simon
The Associated Press
Posted May 31 2005

NEW YORK · Stealing Social Security numbers and other sensitive data isn't always a cloak-and-dagger, ultra-sophisticated operation: It's often a low-tech job made easier by carelessness and flimsy safeguards.

Plenty of inexpensive measures can protect data from the large-scale theft that big banks, data merchants and other companies have recently disclosed.

But "security and privacy, for a lot of large organizations, are an afterthought, not a priority," said Evan Hendricks, who publishes the newsletter Privacy Times.

Consider the latest headache for some large banks:

Wachovia Corp. and Bank of America Corp. say they have notified more than 100,000 customers that their accounts and personal information may be at risk after former bank employees allegedly sold account numbers and balances to a man who then sold them to data collection agencies. Nine people have been arrested in New Jersey in the case.

Or consider MCI Inc.'s privacy problem:

An MCI laptop containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen last month from the car of an MCI financial analyst in Colorado. The car was parked in the analyst's home garage. The computer was password-protected; the company would not comment on whether the data was encrypted.

Encryption, which is relatively inexpensive, would make all those records all but impossible to access.

After a previous embarrassment, Bank of America Corp. is testing different encryption methods. It lost backup tapes in December containing the Social Security numbers and account information for 1.2 million federal workers, including senators and 900,000 Defense Department employees.

Time Warner Inc. also could have avoided a black eye had it encrypted the backup tapes with the names and Social Security numbers of 600,000 current and former employees lost after the tapes were misplaced by Iron Mountain Inc. The storage service company had been transporting the tapes by van.

After disclosing its loss, Time Warner said it would begin encrypting its employee data. (Iron Mountain, in a press release encouraging encryption, said it performs more than 5 million pickups and deliveries annually and has lost backup tapes only four times this year).

Such losses go to the heart of information technology security, whose importance is magnified as more data is concentrated in ever-smaller packages.

That the backup tapes in the Bank of America case were shipped as commercial air cargo shows the bank didn't understand their worth, said Jim Harper, director of information policy studies at the Cato Institute think tank.

"That's like shipping stock certificates in an envelope," he said. "Personal data is cash money. If you leave it sitting out on a sidewalk, you're making a mistake."

Companies should also clean up their data before sending it to an outside party, said Jim Stickley, chief technology officer at TraceSecurity Inc., a Louisiana security company. Credit unions in San Diego sent their customer databases, including Social Security numbers, to a marketing firm. When the marketing firm was robbed, the numbers were stolen, he said.

Investments in security measures must be weighed against the potential payoff for an attacker, said Dan Geer, chief scientist at Verdasys Inc., a computer security company based in Waltham, Mass.

After a costly data theft by an insider that cost it millions, data broker Acxiom Corp. added a chief security officer, reconfigured its electronic files, added more encryption and increased both internal and customer audits, said Jennifer Barrett, the company's privacy leader.

The insider, contract employee Daniel J. Baas, was sentenced to 45 months in prison in March for stealing encrypted password files. Acxiom said the theft cost it $5.8 million, including employees' time and travel expenses, security audits and encryption software.

Greater scrutiny of clients could have saved ChoicePoint Inc. considerable grief, analysts say.

After ChoicePoint said in February that thieves using stolen identities had created 50 dummy businesses that pulled data including names, addresses and Social Security numbers on as many as 145,000 people, its stock dropped precipitously from $48 a share the day before the announcement to the current price of about $39.