Y'all left out one biggie
Remember when a Veterans Administration programmer got his laptop which had the health and PII for every veteran?
American health insurer Centene Corp says it has lost 950,000 sensitive customer records stored on six hard drives. The drives hold customers' name and address, date of birth, Social Security numbers, and health information. Centene Corp boss Michael Neidorff says the company does not know if the information has been …
Even misplaced in someone's desk drawer would be incompatible with "Centene takes the privacy and security of our members' information seriously".
In a properly run system they would only be stored in a designated secure place, not some random desk drawer.
Having tried the "designated secure place" method before, I know it will always fail.
I would prefer the ban of all external storage devices but ultimately everyone wants them (even though they will likely have a laptop and a VPN, it's just laziness) and expects computers to encrypt everything for them.
I wasn't suggesting leaving drives in desk drawers was a smart practice, but misplacing it in their own offices versus knowing it was lost outside their offices, and that's different than knowing it was stolen.
Knowing it was misplaced inside their offices = lack of care common to 98% of enterprises and 99.9% of governments; it very likely won't result in data compromise (only if it was stolen by an insider).
Knowing it was lost outside their offices = concern over why it was outside their offices, but at least if someone finds it they probably won't realize what they have, so data is unlikely to be compromised.
Knowing it was stolen = red alert concern, since someone clearly knew what they were taking and your data WILL be compromised; the only question is how badly you'll be screwed.
"We take your security very seriously"..... maybe, maybe not, but telling me that when you announce how you've failed is not reassuring in any way. Just leave it out of security announcements.
Not from this story, but ...
"There will be lessons learned" ... again, maybe, maybe not, but I don't care about the future, I care about now and why you f*cked up today!
Why do the media let them get away with this? The obvious rejoinders are:
Prove it
Who do you think is stupid enough to believe that?
How much data would you have lost if you weren't taking it seriously?
Has anybody in the media tried any of these?
"How much data would you have lost if you weren't taking it seriously?"
This. Should be the first question asked, not only by the press, but by law enforcement investigating the loss, and every client whose data was lost, loudly and publicly!
Because you know nothing's going to change security-wise otherwise.
The problem is that they are primarily and pretty much ONLY focused on health care. That's a pretty good thing, but it does mean the focus on other important aspects is lost. And even when they bring in outside experts, things like data security will take a back seat to improving the health care.
"... take a back seat to improving the health care."
I think you mean, "take a back seat to increasing the profits."
See this:
http://www.theregister.co.uk/2016/01/26/hackers_can_take_full_control_of_car_os/
It mentions how Fiat Chrysler 'saw the light' regarding vehicle systems security.
No. The people focussing on health care are still working within a system. And one that has to be got right in the planning stage. It's too late to think about these things during implementation.
If data security wasn't planned in, this is either due to incompetence or cost cutting. Or both.
So all the glib gibberish about taking this that and the other seriously is pure PR company arse-covering bullshit.
Healthcare came long before IT, and was never very computerized until the big EMR and insurance-for-all push of the last decade or so. Take away the profiteering and you still have a computer-illiterate culture.
I would also point the finger at governments, for A) monopolizing funding, B) collecting everyone's personal data, and C) the war on encryption (together with their toadies Oracle, Microsoft, et al). This wouldn't happen if OS vendors made it easy for terrorists, criminals, and doctors to encrypt stuff.
If there are no consequences to this crime, it will just continue unabated.
IMHO, my personal data with SSN is worth $100,000 to me. It is MY data and I get to say what its value is.
If you have it, better keep it safe. Let's see, 950,000 stolen identities at $100,000 apiece....that might make a beancounter fund the security of their system.
Doesn't really work like that though. Bean counters only care about the here and now. Tomorrow only matters if you can show them how you are going to save costs then.
Costs related to possible security breaches are something they refuse to hear, because it's - in their minds - hypothetical. "Won't happen to us," is still a very common mind set, not only among bean counters. Costs related to improving security therefore are just that... costs.
The *only* way to change this attitude is to impose hefty fines or criminal proceedings against individuals (somewhere at or close to C-level, or comparable position in the public sector).
As seen here with Talk Talk and other companies, the prospect of losing money is a minor concern. Shares take a short dip (only if a lot of publicity is involved), then recover and it's back to business as usual. In the public sector there are no shareholders. Somebody *might* be in charge, but nobody seems to be accountable.
With that attitude nothing is ever going to change, no matter what kind of figures you come up with.
Prison is the only thing that will fix this - and it needs to be boardroom level, not some lowly developer or architect.
As many others have said, companies are banking on the fact that there is ZERO financial or personal cost to them for losing this info. If there's a real chance that the CEO or CFO will go to prison for six months for every data breach this problem will disappear completely. They can let out a few of the kids imprisoned for possession of two joints to make room for the suits.
I am so tired of replacing my credit card three times a year. Getting useless "credit monitoring" notices, etc. etc. I can't change my name, date of birth, place of birth, social security / NI number, etc. and all these fuckwits have required this information, used it as primary keys, and then lost it.
Something needs to change and change very soon.
Oh, that's ok then. Why do companies think this is the most important thing to state? A lot of people would be covered for fraud done with data like this, and the company would be expected to be made to cover any costs involved.
However, once personal and health info is released, there is no way to undo it.
Right - I can change my bank account number, close my credit card.
I can't change my name, date of birth, social security or NI number, place of birth, mother's maiden name, etc etc. That data is, in fact, far more valuable
"Prison is the only thing that will fix this - and it needs to be boardroom level, not some lowly developer or architect."
"Criminally negligent data loss"... or "Depraved indifference identity theft"... make them felonies, which once on one's record won't even allow for more than a minimum wage gig. Also the parole time should be spent like a convicted black hatter's... only limited/supervised internet access (if any).
The hired assassin goes to jail as does the person ordering the hit.
It really should be the equivalent of an "assault" charge.