January 22, 2009

The Highest Standards - The Most Trusted Transactions, NOT!

Blogger: Gerry Gebel

"The Highest Standards - The Most Trusted Transactions." That's the slogan on Heartland Payment Systems' web site, which is obviously off the mark given reports that a massive security breach resulted from malware installed somewhere on their network. The exact extent of the breach is unknown at this time, but the potential numbers are staggering. Heartland processes credit card transactions for 250,000 US merchant locations, which amounts to some 100 million transactions per month and 4 billion annually. The malware skimmed the information found on credit card magnetic stripes - card number, cardholder name, and expiration date - as the data was transmitted from merchants to Heartland's systems.

Heartland's president and CFO, Robert Baldwin, made comments in another article that are unsettling to say the least: "In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible," said Baldwin. Based on this assessment, Heartland will not attempt to notify potential breach victims - even if it could identify all of them. It's great that Mr. Baldwin is so confident, but the reality is that a little searching and persistence will connect the Heartland identity "dots" with other pieces of readily available data. To quote my colleague, Kevin Kampman, "The problem here is that little pieces fit together nicely with others, enabling sophisticated thieves to assemble data from seemingly unrelated sources in order to accomplish wider ranging compromises. In their case, every little bit helps. There’s no sense in feeding them more."

Unfortunately, this latest breach highlights the continued vulnerability of our personal data as it transits a myriad of locations and handlers for the purpose of completing seemingly routine transactions. 2009 is not off to a good start, as chronicled by the Privacy Rights Clearinghouse - whose list doesn't yet include the Heartland incident. Will 2009 be the year when this trend is reversed? So far, the answer is "No."

November 17, 2008

Some change comes with an election, some things never change…

Blogger: Kevin Kampman

When I was very young, I remember coming home from church on Sundays with my father, the car salesman. We would drive by the car lot and he'd stop to write down the license plate numbers of people who were there looking at cars. When I asked him why, he said that he would go to the police department and find out who they were. It turns out this was a major source of leads for him, and he was quite successful at following up.

As it turns out, use of license information for personal purposes had gone out of favor by the time I was married (30-odd years ago). During a stint as a councilman in an Ohio village, I would "run radar" with the local police officer on weekends. When I asked if he could check out who owned a certain car, he was adamant that it was not acceptable to run license checks for individuals.

And so, I believed that public servants had the best interests of the taxpayer and consumer in mind by protecting public records from misuse. At least, until Joe the Plumber (remember Joe Wurzelbacher?) came along. It turns out that if you become a celebrity, otherwise private information is fair game.

Last week, Helen Jones-Kelley, director of the State of Ohio's Department of Jobs and Family Services, indicated that whenever someone in Ohio draws media attention to themselves, it's routine to conduct a background check. Ohio Gov. Ted Strickland placed Jones-Kelley on administrative leave, not because of the privacy implications, but because of the suspicion that a state-owned computer or e-mail account was used for political fundraising. Sounds like it's time to scratch government as a trusted custodian of public records, at least in Ohio.

So, who CAN we trust? It turns out that last week was a bad one for privacy in the health care industry. Express Scripts, a St. Louis-based pharmaceutical provider, apparently had a number of patient records stolen by an extortionist. Are other large pharmacies far behind? Are our prescription records just waiting to be compromised?

Recently I was at a pharmacy and noticed an interesting product on the counter, just above the prophylactics (hold that thought). A USB memory stick was for sale in association with a service called MedicKey. This company helps you collect all of your medical records in one place, then carry them around on a portable device. Of course, you pay them to gather the data for you. But it IS possible. In the case of companies like Wal*Mart, it's encouraged. Wal*Mart is working with Dossia to provide electronic patient health records to all of its employees, in a manner similar to Google and Microsoft.

What’s coming is exciting and frightening at the same time. Not only are we giving folks options for personal control, we’re also aggregating information into massive targets of opportunity. Given the track records of government and commercial providers, a lot of information is going to be misused and stolen before we establish sufficient controls to protect us from politicians, thieves, and the well-meaning. Just because we don’t know what we don’t know doesn’t mean we should move health records to the control of the patient. I’m not worried about the memory sticks as much as I am the people who prepare them. What kinds of protection do THEY offer?

July 26, 2008

YES! The NRA tackles identity theft…

Blogger: Kevin Kampman

Following my rule of threes (when three related things come to my attention, it is time to blog), I just received a solicitation from the National Rifle Association (NRA) to protect myself from identity theft. No, they aren’t saying to lock, load, and take aim at the identity thieves (which might actually be a good start). Rather, they have joined forces with LifeLock to offer a trial and discount to use LifeLock’s services. In this respect, the NRA is to gun owners what the AARP is to folks over 50 years of age; they see them as a market opportunity.

If you don't believe me, look at an AARP application. For $12.50, you get your name added to AARP-endorsed mailing lists. If you don't want to be on the lists, try to find an opt-out option. It's documented in the privacy policy, but not explicitly called out on the application. So, even though the AARP is a privacy advocate, they don't conform to their own principles.

It's really about the money. Your name and information are for sale. People over 50 haven't learned to avoid this yet, even though older folks are a primary target for identity theft. It's too bad that the AARP isn't advocating for its audience, instead of making them targets for identity thieves.

Periodically I receive an application for privacy protection from one of the financial services companies. For $5.95 a month, I can get something similar to LifeLock. My contention, however, is that by collecting and sharing this information, the financial services companies, among others, contributed to our privacy and identity theft problems. Why should I reward them for the disservice? And why would I want to give them more ammunition? An identity protection industry is really the wrong answer.

Today, the identity protection market is so pervasive that you can walk through a supermarket checkout and buy identity theft protection. Whether these services provide you real protection and advocacy or just line someone's pockets is open to question. The real issue is how to prevent the problem in the first place.

When organizations that have custody of personally identifiable information (PII) exercise due care over what they trust, manage, and share, there will be real progress. One way for that to happen is to impose significant liability and damage claims on firms and organizations that are a party to the inappropriate acceptance, exposure, and use of PII. Another would be to develop a consumer-protection discipline in business, similar to that of the Payment Card Industry. For example, businesses could leverage a sanctioned exchange from an identity oracle on demand, rather than amass and incubate a collection of information about principals that represents a target for compromise. Then we'll see real improvements in terms of responsibilities and protection. Place the burden of the problem on those who created it.

(The author is a life member of the NRA and has no affiliation whatsoever with the AARP.)

July 07, 2008

Physician, heal thyself…

Blogger: Kevin Kampman

In my blog entry about Google and Microsoft's plans to publish the personal medical records of US citizens on the Internet, I questioned these firms' ability to properly protect the privacy of these records. It was only a matter of time before the inadequacies of data protection came to light; Google recently fell prey to an exposure of employee records by one of its subcontractors. While no customer information was exposed, this does underscore the need to institute due care for all sensitive identity information. Individuals, legislators, and the medical community should ask very serious questions about the efficacy of these programs before a more damaging breach involving a huge segment of the population comes to pass.

February 26, 2008

Third time: Not always a charm

Blogger: Kevin Kampman

Last week was an identity theft week for me. First, I was contacted by a local news reporter for background on who was most vulnerable to identity theft. In the same period, I received a mailing from the US Postal Service with an insert from the Federal Trade Commission on preventing identity theft. I then received a solicitation from a financial institution offering to sell me identity theft insurance. I guess if the fox has to watch the henhouse, it might be worth asking you to pay for the inconvenience…

To top it off, I took notice of the seven-year-old boy in Illinois who was notified by the IRS that he owed $60,000 in back taxes. It appears that a 29-year-old stole the child’s information not long after he was born, then used his identity for jobs, goods, and services. The perpetrator was subsequently charged with felony identity theft. The article does not say if the IRS backed off from trying to collect from the seven-year-old. One can only hope.

It will be really unfortunate if this child bears the stigma and the associated costs of this incident. The truly guilty parties are those who failed to properly vet the stolen identity information in the first place. When businesses start to accept their responsibility for accepting stolen identities, we won't be made to pay for their lassitude, and the chickens will truly be safer.

I am concerned that business and government may both be aligned to blame the individual, when in fact they own the responsibility for the failure to protect the individual's interest. Accepting stolen credentials is really their problem. Until we recognize this fundamental characteristic, and the associated changes that need to occur in business and government, stories like this will continue to make headlines.
