mindtangle

increase in value begets increase in sophistication of strategies to capture that value

This recent article provides a somewhat sensationalized description of the ‘e-hijacking’ of 3.9 million consumer credit records. What is interesting about this theft (and it was an actual physical theft, not simply a copy like most supposed data ‘thefts’) is the extraordinary sophistication of the attackers:

“Spoonamore, a veteran of the intelligence community, said in his analysis of this e-hijacking, upwards of 15 to 20 people needed to be involved to hack five different computer systems simultaneously to breach the electronic safeguards on the electronic manifest. The manifest was reset from “secure” to “standard” while in transit, so it could be delivered without the required three signatures, he said. Afterward the manifest was put back to “secure” and three signatures were uploaded into the system to appear as if proper procedures had been followed.”

This case has several interesting aspects. For one, this was apparently a very well-planned and well-funded attack. Clearly, the culprits had a reasonably precise estimate of the value of the data they were appropriating, which puts them one up on the people who are ostensibly in charge of protecting the data (UPS?? UPS?!?!?!). Second, the attack was performed on backend infrastructure, completely out of the hands of the individuals whose information was lost and whose personal financial lives are at risk. The victims have no idea what was obtained, what they could have done to prevent it, or even whether they are victims. Do you shred your credit statements? Avoid buying things over the internet? Doesn’t matter. Unless you work for Citigroup, Experian, or UPS corporate security, nothing you could have done would have prevented this event.

The corporations responsible for the failure of this link in the chain are more or less completely without exposure. So now we have unaccountable third parties collecting, for their own reward, material that exposes millions of individuals to enormous personal risk. Yet they take no risk themselves. Your identity is being bought and sold (and stolen and abused), and you have no say in the transaction. This is an untenable situation.

More to come.
