Have you met your colleagues in media relations? They’re the people who take telephone calls from journalists. If your organization ever suffers a “data spill”, or unintentional release of confidential information, you’ll learn a lot about what they do in a very short time.
The job of media relations staff is to gather all the relevant information and then help to decide how much can be released when your department confronts the press. No matter who is standing in front of the cameras – spokesperson, minister, department head or mayor – reporters will want to know everything: When, why and how it happened, who is affected and, perhaps most importantly, who is responsible.
In recent years, IT managers in the private sector have had to learn about the care and feeding of the press because data spills seem to be getting larger and more frequent. Computers are ubiquitous because they can process large amounts of data quickly, store it on a variety of media and connect with networks to move it around. One mistake, however, and huge amounts of data can be in the hands of criminals almost instantly.
The most important factor is scale. Files and documents can escape in trickles, but they make headlines when they flood out in torrents. In 2003, a hard drive with personal information on 700,000 Canadians was stolen from ISM Canada, a Regina-based services company. As it turned out, an employee confessed to taking the drive for personal use and claimed the data had all been erased. It is impossible to know. In May of this year, thieves took at least one computer from Winnipeg’s Prudent Benefits Administration Services with personal information about thousands of Canadians, including their names, addresses and social insurance numbers.
Earlier this year, in the United States, information about 40 million accounts was stolen from CardSystems Solutions Inc., which processes credit card transactions. Visa and MasterCard, two of its major accounts, have stopped doing business with CardSystems, but the theft could have an impact on hundreds of thousands of Canadian credit card users. The numbers went off the chart in August, however, when a Florida man was convicted of looting 1.6 billion items of personal information from database company Acxiom, whose clients include auto manufacturers, major banks and 14 of the 15 largest credit card companies.
Clearly, data can get loose in a variety of ways, from zealous employees who put gigabytes of data on flash drives, so they can work at home on insecure computers, to unknown software vulnerabilities, to sophisticated criminal gangs using blended attacks. In early August, Sunbelt Software called in the FBI when it found that a Trojan keystroke logger distributed with CoolWebSearch spyware was stealing personal and financial information whenever users of infected PCs visited one of about 50 banking sites. Encryption was useless because the data was captured as it was keyed in, not when it was sent over the Internet.
In a recent report, Gartner Consulting said concerns about Internet security are driving consumers away, and they backed that up with numbers. In the years ahead, the growth in sales from businesses to consumers is expected to slow by as much as 3 per cent. Gartner said identity theft was the public’s greatest fear because of potential damage to credit ratings. Two people out of five have changed their online purchasing behaviour, and one in three buys less. More than a quarter of those surveyed have changed their online banking habits and some have abandoned the service completely.
Public sector data spills are different in degree and kind from those in the private sector. People who are concerned about the privacy of their data know they can protect themselves in the private realm by changing their behaviour and making tradeoffs between convenience and security. If offended, they can take their business elsewhere and even file suit for the most egregious violations. But they do not have a choice when it comes to their governments. As consumers, we can punish failure to protect our information, immediately and effectively. But as citizens, we must be more patient and wait for the next election.
Creating and exploiting false identities for profit is a growth industry, but the financial services industry has been profiting more than it has been losing. Here and there, among the banks and credit card companies, stronger authentication and better security are papering over the worst cracks. But until the red ink flows, consumers and merchants will bear the pain. In the meantime, of course, the business case for governments’ online transactional services can only be getting worse.
Richard Bray is an Ottawa freelance journalist specializing in high technology and security issues.