Largest Data Breaches – Seeing is Understanding

June 26, 2011

Check out FlowingData’s visual version of the largest data breaches of all time. The website and content are the work of Nathan Yau, a Ph.D. candidate in statistics. In his own words: “I live and breathe data… I want to make data available and useful to those who aren’t necessarily data experts; I think visualization plays a major role in this.”

(To understand the visualization, it helps to know that each square = 1 million records, and that Green = Hacked, Blue = Lost, Grey = Stolen, and Pink = Fraud.)

Pulling Sony breaches out uniquely, Yau illustrates an abysmal 3-month mess.



That harmless post could be a gold mine for criminals

September 27, 2010

What information you share online, and with whom you share it, will significantly impact your level of personal privacy and safety.

Interviewed this week for the Komo TV story titled That harmless post could be a gold mine for criminals, Linda Criddle answered questions about several recent news articles linking online comments to home burglaries.

Here is an excerpt from that interview:

Criddle says criminals find potential targets by searching for individuals or searching for specific groups. They look for information most people think is safe like where you are, and what you’re doing.

“Sharing that information, where you are, is some of the most sensitive information that you can share,” Criddle cautioned.

Criminals also scour baby registries, bridal registries, and memorial and wedding sites to find when people will be away from home.

“Once you’ve shared it you no longer control it,” she said. “Those people now control how that piece of information gets shared.”

Criddle says the Internet and social network sites are great tools for consumers, you just have to be aware. Before you post a picture, consider what the photo says about where you live, what you own, and who you know.

Regularly update your privacy settings — some policies can change without notice. Weed out friends you don’t really know or rarely connect with. And consider opting out of location features that tell where you are all the time.

Finally, be extremely careful about entering posts online that tell the world you’re not going to be at home. Criddle says posting even something as seemingly harmless as a daily latte at your favorite coffee shop can expose your daily routine and alert thieves to when you’re likely to be away.

To learn more about how to protect online information, watch this video Protecting Kids on Social Networks made by us here at LOOKBOTHWAYS.


Kids and Financial ID Theft; a Growing Issue

September 11, 2010

Stealing children’s social security numbers (SSNs) to use or sell is not new, but it is becoming more widespread. The problem is expected to get worse before it gets better, according to the Associated Press.

Financial identity theft has grown into a multibillion-dollar problem, and at least 7% of the cases that are reported target children’s identities. The actual number of child victims may be much higher, as the theft of a child’s financial identity is often not discovered until the child applies for credit.

It is precisely because kids aren’t seeking credit that theft of their Social Security numbers is so lucrative. The allure of an untainted SSN (one with no credit problems) is in the opportunity it represents for creating fake lines of credit and charging up high debts.

How kids’ financial ID theft happens

There are two primary threats to kids’ financial identities. The first comes from family members looking for a new line of credit. They steal their children’s, nieces’ or nephews’, even younger siblings’ identities, primarily to use themselves to create new lines of credit.

The second threat comes from criminal businesses that use computers and publicly available information to find Social Security numbers for which no line of credit has been established. You may wonder how criminals steal numbers that aren’t in any system, but that’s the beauty of it. They don’t have to know whose SSN they’re stealing, they just have to find SSNs that are legitimate and have no credit history.

The way these criminals collect the SSNs is tied to the antiquated method by which SSNs are generated.

SSNs have three sections. The first three numbers represent the state in which the SSN was issued (after 1972 they represent the zip code). For example, anything between 001-003 and issued before 1972 was issued in New Hampshire.

The second set of numbers in the Social Security string represents a specific window of time during which the number was generated, quickly identifying the age of the legitimate SSN recipient.

The last four digits are the only random numbers – and ironically those are the ones you’re asked to provide most frequently. Knowing how SSNs are created, criminals can use a computer program to anticipate the next set of numbers to be generated, then they can test these to find which are legitimate.

Criminals then take these SSNs and sell them to people who want credit they can use to accumulate huge debts they won’t have to repay. These numbers sell for anywhere between a few hundred to several thousand dollars apiece.

“When a creditor gets a request in with a valid SSN, one that they can confirm has been issued, they don’t get information telling them to whom the number was issued,” says Linda Foley, of the Identity Theft Resource Center (ITRC), an organization that offers counseling and resources to identity theft victims.

“That’s not information Social Security gives out.  Nor is it information that the three credit reporting agencies have access to.”

From that point, it is easy for the thief to put down his name, a date of birth, and a reasonable excuse for why his Social Security number had been issued recently.

Once the purchaser of the stolen SSN defaults on their loans, the credit line is shut down and that SSN is no longer of use – but serial SSN thieves simply buy a new SSN and continue running up debt. Assistant US Attorney Linda Marshall from Kansas City states, “If people are obtaining enough credit by fraud, we’re back to another financial collapse. We tend to talk about it [identity theft fraud] as the next wave.”

Because SSNs with no credit line often come from young children who have no money of their own, these numbers are ideal candidates for opening a new, unblemished line of credit. Add to that the low likelihood that anyone is monitoring that child’s financial identity, and crooks have a winning combination.

Julia Jensen, an FBI agent in Kansas City, recently discovered a ring of criminals using public searches to identify SSNs without credit lines while investigating a mortgage-fraud case. “The back door is wide open,” she said, comparing the businesses that sell the numbers to drug dealers.

“There’s good stuff and bad stuff,” she said, referring to the value of a stolen SSN. “Bad stuff is a dead person’s Social Security number. High-quality is buying a number the service has checked to make sure no one else is using it.”

Unfortunately, experts say, it’s nearly impossible to prevent the fraud because it’s so easily concealed and targets such vulnerable people.  “There’s no way to protect your child completely,” says Foley.

The difficulty in protecting children’s SSNs and financial identity is multifaceted:

  1. Financial ID thieves are using sophisticated programs to search for dormant SSNs through databases kept by schools, doctors, and insurance companies, which typically require children’s Social Security numbers be provided.  Rapidly evolving methods used for selling the numbers make tracking this kind of theft particularly difficult.
  2. Credit issuers typically do not keep track of the age of Social Security number holders, so they cannot alert families when a child’s number is being used – something Foley’s organization has been trying to change since 2005, and a protection she considers vital for preventing child identity theft on a large scale.
  3. Even parents who routinely check their own credit information rarely think to check reports for their children, particularly if the children have not yet begun to work. But if a SSN is compromised, criminals can run up tremendous charges in a child’s name.
  4. The methods and locations used to sell SSNs change frequently, and may be camouflaged under legal transactions. Some of these sketchy companies have impressive, high-tech websites. Others advertise on sites like Craigslist.

The impact of financial ID theft on a child

It takes time and a lot of work to restore a financial reputation, and the repercussions of a damaged credit score can impact a child for life. As they seek loans for college, cars, and homes, they may struggle to qualify and be permanently subject to higher interest and mortgage rates.

Someone has to pay the debts accrued against that SSN. Sometimes it’s the victim or the victim’s family that pays. More often it’s the businesses that sold whatever goods were purchased that get stuck with the costs, which of course get passed on in the form of higher prices for all their customers.

Reduce your child’s risk of financial ID theft

  • Keep Social Security cards locked up. These don’t belong in wallets or loose in your home where others may come across them.
  • Tightly restrict sharing your child’s Social Security number. You may be asked to provide your child’s SSN in many circumstances, like to enroll them for a sports team, or at your doctor’s office. However, you do not need to give their SSN; you can show other evidence of age or information that your health care provider needs for billing.
  • Teach your child not to share their SSN. When applying for a job, make sure the employer and company are legitimate so the risk of resale is low.
  • When creating a bank account for your child, only set up a savings account and make sure there is no overdraft protection included.
  • Monitor your child’s credit as you do your own. If you wait until you see a red flag, a lot of damage may have occurred, and often you’ll see no red flag at all until your child seeks credit. Running a credit report does introduce some risk, but you can mitigate this by freezing their credit. This way, if the very act of checking your child’s credit history generated a credit file, you have squashed the chances for abuse. Unfreeze their credit when they do seek out a loan.

Red flags that your child’s financial ID has been stolen

There is no silver bullet to protect your child from ID theft, but there are some red flags:

  • Be suspicious if your child receives any unsolicited credit offers in their name, or notices from debt collectors.
  • Or someone who has access to the child’s SSN has sudden prosperity.
  • Or you get a notice from the IRS saying the SSN you used on your tax return (or on their tax return) is a duplicate number.
  • Or your insurance company denies a claim for your child because they have already covered the procedure.
  • Or the bank notifies you, when you go to establish a savings account for your child, that an account using that SSN already exists.
  • Or you receive a warrant for a traffic violation for a child without a driver’s license.
  • Or your child is denied government assistance because records show they are already receiving benefits.
  • Or you get a request for a job verification when your child has never had a job.

If your child’s credit has been compromised, take immediate action

Report any suspected theft of your child’s financial identity. Use the Federal Trade Commission’s Web site to find and follow the steps needed to report fraud. Or call their toll-free identity theft hotline at 1-877-ID-THEFT (438-4338). THEN call Social Security. You may also want to visit the ITRC’s website for facts and information, or call its hotline at (888) 400-5530.

What’s happening to reduce the risks

The non-profit Identity Theft Resource Center has proposed a solution to the growing problem of illegal use of children’s SSNs: the creation of a Minors 17-10 Database, which would provide not only the Social Security numbers, but also first and last names and birth month and year, to credit organizations, departments of motor vehicles, and other institutions that require a Social Security number for background checks. The information would be kept on file until the child is 17 years, 10 months old. This age was chosen, Foley said, because this is the time when teenagers are putting in paperwork for student loans and other credit forms.


How to Use the New Facebook Privacy Settings

December 16, 2009

Facebook has taken a laudable step forward in helping consumers maintain their privacy when using the service. These much-anticipated updates in their privacy settings allow users to determine on a post-by-post basis exactly who they are sharing with.

Understanding Facebook’s expanded privacy settings and knowing how to apply them is critical to ensuring your safety and the safety of your children should you, or they, be among the now 350 million Facebook users.

Fortunately, a fantastic instruction guide – replete with screenshots – has been created by Zack Whittaker for ZDNet. This guide includes:

  • Changing exactly who can see what on your profile
  • Changing who can contact you on Facebook
  • Changing application and website privacy settings
  • Changing who can search for you on Facebook
  • Completely blocking people, how and what it does

Other resources you can turn to for understanding and using the new Facebook privacy settings include Facebook’s explanation video and this tutorial created by Patrick Miller of PC World.

To learn more about what motivated these changes, read Facebook Founder Mark Zuckerberg’s An Open Letter from Facebook blog.

Take the time to review your settings and leverage these new options today.


1.5 Million Unencrypted Medical Records “Lost”

November 29, 2009

Medical insurance giant Health Net apparently waited 6 months to notify authorities of the breach of 1.5 million consumers’ and physicians’ medical records.

The breach occurred in a Health Net office in Connecticut, but consumers in Connecticut are not the only group exposed; Health Net also provides services in Arizona, California, New Jersey, New York, Oregon, and Washington State.

According to an article by the Health Information Trust Alliance, Connecticut Attorney General Richard Blumenthal’s reaction to the belated notification was severe: “I am outraged and appalled by Health Net’s huge loss of personal financial and medical information and its failure to swiftly inform authorities and consumers. This information vanished six months ago, but Health Net is only now informing authorities and consumers, an inexcusable and inexplicable delay. Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information.”

Blumenthal went on to say, “Another day, another data breach, but companies still don’t get it: personal information is like cash and should be guarded with equal care. Casual and cavalier attitudes toward data protection and breaches are intolerable and must stop. I will fight to compel companies to fully safeguard personal information, quickly inform consumers of breaches and properly protect them when losses occur.”

Health Net’s inaction is inexcusable… and far too common. Personal health records have become a hot new and lucrative target for hackers and ID thieves as more medical data has been dumped online without appropriate security precautions.

Learn more about the scope of personal data record theft and why the notification rules for personal health record breaches aren’t going to work by reading my blogs:

Stay vigilant.


220 Million Personal Data Records Exposed So Far This Year

November 27, 2009

A new article by Andy Greenberg for Forbes reports a shocking 220 million personal data records containing highly sensitive information have been exposed by hackers so far this year.

Add to this the (reported) personal data records exposed in security breaches in the US since Jan. 2005, and over 341,742,628 sensitive personal data records have now been compromised, according to the Privacy Rights Clearinghouse, which tracks breaches. The data exposed includes Social Security numbers, medical records, and credit card/banking information, as well as addresses, phone numbers, etc.

NOTE: Though the total US population today is roughly 310 million, it does not mean everyone’s records – and then some – have been exposed. Some people may have had their records breached multiple times, while others may not have been exposed. However, the likelihood that your data has been compromised is now staggering.

What does this mean to you?

  1. Be diligent in monitoring your financial and medical identities. This information has significant value to criminals and they will exploit any information they acquire. Learn how to protect your identity, get free credit reports, freeze your credit, and more in my blogs:
    1. Protect your credit: one free step towards peace of mind
    2. Stay Safer – Place a Security Freeze on Your Credit
    3. ShieldSafe: ID Theft Protection Reminder Service
  2. Understand the scope of the problem by reading these blogs:
    1. 130 Million Credit and Debit Card Numbers Stolen – Is Yours Secure?
    2. 11 Things an Online Criminal Will Never Tell You
  3. Be wary of allowing additional information about yourself to be placed online before better security standards are in place. Your medical records are perhaps your biggest new threat area; learn how in these blogs:
    1. HHS Issue Notification Rules for Personal Health Record Breaches – But What Prevents Breaches?
    2. Online Medical Fraud: New Tools for Old Scams
    3. Risks of Placing Medical Records Online
  4. Demand better security and accountability of the companies, institutions, and government agencies holding your records.
    1. Internal security measures need to be in place to:
      1. Block dishonest employees from making off with records
      2. Prohibit employees from taking records away from the secure facility – in laptops, flash drives, etc. that can be stolen, “lost” or otherwise compromised.
      3. Train employees in security measures – and continually test that these are upheld
      4. Ensure all sensitive information is encrypted, rendering it useless to those without the necessary key
      5. Increase defenses against hackers, with stronger security measures and multi-tiered layers
    2. National security standards need to be strengthened to:
      1. Increase penalties to companies with data breaches
      2. Increase speed of notification to consumers affected by data breaches
      3. Increase assistance to consumers affected by data breaches

Stay diligent,


T-Mobile Confirms Biggest Data Breach; Affords Glimpse of Internet’s Financial Underbelly

November 17, 2009

Thousands of personal record details of British T-Mobile customers were stolen and sold by an employee for “substantial sums” to rival carriers, putting a spotlight on the unlawful trade in personal data in the UK.

According to an article in the Guardian, the employee allegedly sold the account information to a number of “brokers”, who then resold the data to competing mobile services so they could target T-Mobile customers.

“The number of records involved runs into the millions, and it appears that substantial amounts of money changed hands,” according to Christopher Graham, the UK’s Information Commissioner. “We are considering the evidence with a view to prosecuting those responsible and I am keen to go much further and close down the entire unlawful industry in personal data.”

Pressing for change, Graham said, “More and more personal information is being collected and held by government, public authorities and businesses. In the future, as new systems are developed and there is more and more interconnection of these systems, the risks of unlawful obtaining and disclosure become even greater. If public trust and confidence in the proper handling of personal information, whether by government or by others, is to be maintained, effective sanctions are essential.”

Why this matters

It is not just Social Security numbers, account numbers, and driver’s license numbers that have value to criminals and legitimate corporations alike. In the data age, you are a commodity. Every piece of your personal information, your preferences, your relationships to others, your financial value, information about services you currently use, your location, even your emotions has significant economic value.

Given the value of the data, the temptation to steal and sell it is huge – there’s a reason that over 340 million personal data records have been breached in the US alone since Jan. 2005.

Companies and criminals purchase this information to help design products (including malware), shape and target advertising (and fake ads), even help build socially engineered scams tailored to you.

The Information Commissioner is right. Slapping small fines on those who steal and sell consumers’ private information offers little deterrent when the data sellers can collect premium prices. When the only consequence is a fine, it’s nothing more than another cost of doing business.

In the T-Mobile case, not only should the T-Mobile employee who stole the information receive a strong punishment, the competitors who bought the data to poach customers should be charged with purchasing stolen goods.

Without punishing every piece of the “entire unlawful industry in personal data” it will be difficult to make headway against the crimes and protect consumers.