Showing posts with label common sense. Show all posts

Sunday, November 25, 2007

BBC article on UK data breach suggests why we are never sure if the information is used by criminals

Now that we KNOW the loss of computer discs containing the personal details of 25 million people (the UK child benefit records) wasn't caused by one person, everyone is probably going to start arguing about whether criminals are using the information.

Even worse, it has now been revealed that sending unencrypted discs full of personal information through the ordinary post was a routine method of transport.

Mark Ward at the BBC wrote an interesting article that suggests why we often aren't sure whether the information is being used. In the article, he writes:

"In the fraud underworld the quality of data directly impacts the flexibility with which they can use it," said Andrew Moloney, financial services market director for RSA Security.

"The more data you have around a subject, the more different ways you can use that to commit fraud."

There was no evidence yet that the data was being talked about or sold on the fraud boards and net markets that his company monitors, he said.

However, vendors of stolen data rarely say where they got it. They typically mention only its quality.

The bottom line is that it can be almost impossible to trace any one case of identity theft back to its source, and the criminals buying and selling the data aren't likely to advertise where it came from.

Transparency is bad for criminals, also. It tends to get them arrested.

At this point there have been so many data breaches that, when an identity is stolen, we usually have no idea which breach the information came from.

The BBC article also covers a lot of common sense factors relative to protecting information. Time and time again, we discover that a lot of data breaches could have been prevented by using a little common sense.

The full BBC article (an excellent read) can be seen here.

The Privacy Rights Clearinghouse, Attrition.org and PogoWasRight are my favorite places to TRY to keep up on all the data breaches. As of this writing only PogoWasRight has information on this particular data breach.

Of course, these are only the occurrences that have been reported. My guess is there are probably many more that no one knows about.

Another safe bet is that the next big data breach not reported yet is probably happening right now!

Monday, October 15, 2007

Student narrowly escapes expulsion for revealing data breach

It might be a good idea to be careful (or extremely anonymous), when reporting a data breach.

Jaikumar Vijayan at Computer World is reporting an interesting case in which reporting a data breach brought personal grief both to the person who reported it and to the person it was reported to.

The person who reported it, a student, was almost expelled for bringing the matter to light. The person it was reported to is no longer employed.

I guess whistle-blower laws don't apply at institutions of higher-learning?

For more information on whistle-blower laws, whistleblower.com is a decent reference.

Jaikumar writes:

A student at Western Oregon University who accidentally discovered a file containing personal data on a publicly accessible university server and then handed that data over to the student newspaper has narrowly escaped being expelled for his actions.

But a contracted adviser to the newspaper has been dismissed for allegedly mishandling the data and for failing to properly advise the students on the university's policies relating to handling of personally identifiable data.

Brian Loving, a student at WOU, stumbled upon a file containing the names, Social Security numbers and grade point averages of between 50 to 100 students on a publicly accessible university server in June. Loving downloaded a copy of what he discovered and handed it over to the Western Oregon Journal, the campus newspaper.

Institutions of higher learning are frequently the targets of hackers stealing information. This has been well documented by the Privacy Rights Clearinghouse, Attrition.org and PogoWasRight.

Given all this evidence, it amazes me that the highly educated people running these institutions still insist on using Social Security numbers as the primary identifier for their students.

Social Security numbers are worth money to the people who like to steal them. Perhaps if these institutions of higher learning understood this a little better, they wouldn't be targeted nearly so often.

A little common-sense goes a long way.

Computer World story here.

If you get a chance, read the comments on Jaikumar's story. Some of them are pretty good!