Another inconvenient truth

June 24, 2008
What will it take for public attitudes to shift regarding data theft?

Despite state laws on the books and several well-publicized -- and dozens of other less noticed -- incidents affecting more than 225 million Americans (according to Privacy Rights Clearinghouse), most ordinary people seem to go about their day as if there were no danger in their personally identifiable information sitting in databases, poised for exploitation.

As we now know, organized cybercriminal gangs in Russia, China, the U.S., and other locales have developed a flourishing and profitable market in stolen ID information. Using mainly cross-site scripting (XSS) and SQL (structured query language) attacks, these thieves can gather gigabytes' worth of data from any server on earth not current with its anti-malware updates.

Recently, we’re hearing reports from our friends at SecureWorks of how attacks on health care organizations have risen exponentially in the past year. In February they were reporting a rise of 85 percent in attacks on health care providers. That figure is likely to have increased in the six months since.

Health care organizations, of course, store more personal information than many other businesses – besides patients’ medical information, Social Security numbers, names, addresses, birth dates and banking and credit card information. This makes these enterprises sitting ducks for the sharks mining for this desirable data.

Researchers at SecureWorks and other security companies can trace activity to uncover who is behind these acts. They can follow a trail of ISPs and dig deep into blogs to monitor conversations between the nefarious parties. But it’s nearly impossible to prosecute criminals overseas. In fact, the criminals are applauded by officials in their countries, some say.

Technology is not enough to stop the scourge of data theft. As long as there is a profit to be made from raw data, it will be traded on the black market as any other commodity.

The bigger problem might be that the public seems indifferent to the consequences of data theft. Just look at retailer TJX as an example. Did its customers care that their credit card info was breached? Did they protest, express outrage, stop shopping at the retailer? No. Nary a voice of complaint.

American consumers seem to consider the possibility of a data breach an unavoidable shopping risk, one we are willing to take, a side effect of the convenience of using credit cards, in store or via the web. We’re oblivious, or pretending to be oblivious, to the real danger lurking. Are we going to stop ordering books and CDs, or Omaha steaks for dad, or flowers for mom? I don’t think so.