PENNSYLVANIA COMPUTER SECURITY A PROBLEM EVERYWHERE
Connected: Computer security a problem everywhere
Saturday, October 15, 2005
By David Radin
Wouldn't it be nice to have a couple weeks without news of a major security breach?
At Bank of America, it's not business as usual, because bank employees are busy sending notices to some customers that their accounts and credit card numbers may be at risk.
Meanwhile, at the University of Georgia, between 1,600 and 2,429 current and former employees are at risk because a hacker broke into a file with their names and Social Security numbers.
Here's the rub: These are not the first incidents for either of these organizations.
Administrators at the University of Georgia believe that last year a hacker gained access to 32,000 student records that included credit card numbers. The university still doesn't know who the hacker was.
Similarly, in March, Bank of America confirmed that the records of 60,000 bank account holders were stolen as part of an identity theft ring.
Let's give these organizations -- and all those that have been breached -- a little credit. They are up against a huge and growing threat, the likes of which we've never seen before. But that doesn't excuse them from meeting the basic security requirements. The current Bank of America incident shows that doing the basics may be more difficult than we think. (It will surprise you how simple the breach was.)
Somebody stole a laptop.
Not major news in itself; but the laptop, which belonged to an unnamed "service provider," had the data on it. Worse, the data was not encrypted -- so anybody who got his hands on the laptop would have access to the data, which in this case included credit card, bank account and routing numbers, as well as names of customers who purchased the company's Visa Buxx, a prepaid credit card for teenagers that Bank of America stopped selling in January.
If I were head of security for the bank, I would be particularly angry. Why was that data on a laptop? Why wasn't the laptop protected from theft? Why wasn't the data encrypted?
But the most disturbing question that I would have to ask is: How could we do business with a service provider who has such lax security? There are certain types of mistakes that don't get a second chance. This is one of them.
For several years, I've been preaching that your data is more secure in the hands of professionals than it is on your home computer. These situations might make you think otherwise, but don't.
Mistakes happen -- even mistakes that never should happen, such as in the Bank of America laptop theft. Usually the mistakes are caused when an individual doesn't follow company procedure -- and we hope that happens very rarely.
There will be more of these incidents -- at other banks, other schools, commercial enterprises and institutions that will probably surprise us -- but most data is being protected well.
Giving your data to these entities is as safe as crossing the street. Just make sure you look both ways.
--------------------------------------------------------------------------------
(David Radin is a Pittsburgh-based consultant whose daily nationally syndicated radio show can be heard locally on XM and Sirius. You can sign up for his tip letter, contact him and find an archive of his previous columns at www.MegabyteMinute.com.)