Theory and Reality

Nine billion dollars. That's the theoretical cost of settling a privacy lawsuit against TransUnion, the Chicago-based credit reporting bureau. TransUnion won't actually spend $9 billion, of course; it will offer free credit monitoring (retail price: $59.75) to some 150 million Americans.

Meanwhile, back here in reality, 155 students have actually lost their very real tax refunds because of another data breach.

They're among 1,132 graduate students at the University of California, Irvine, who participated in a university health insurance program in 2006. That program was run by United Healthcare, which admits that some students' personal data "may have been accessed without authorization."

Whoever grabbed the information apparently used it to file phony tax returns. Result: When the students tried to file their legitimate returns, the IRS told them that returns had already been filed using their Social Security numbers.

No one is talking about specifics of the data breach at United Healthcare. The IRS won't talk about its investigation or how much the crooks got away with, though it probably comes to a few hundred thousand dollars at most. The university says it's arranging emergency loans for students who need their tax refunds to pay their bills, but it isn't divulging many details either.

That's OK. We already know enough to say this:

We've got to stop using Social Security numbers as a single-factor identifier. And allowing access to Social Security numbers on anything but a need-to-know basis. And storing unencrypted personal information.

That's no longer theory. It's just reality.

Look, we all love hearing impossibly big numbers like the ones in the TransUnion settlement. Billions of dollars? Hundreds of millions of people? Those stratospheric numbers don't seem real.

Our reality comes at a smaller scale, hundreds or thousands of data records at a time. Names. Addresses. Birth dates. Social Security numbers. Credit card numbers. Bank account information. We tell ourselves that it's safe — that our employees are trustworthy, our security is good enough, our piddling collection of data too small to worry about.

But that's exactly what's being stolen, as those 1,132 students have painfully learned.

And week by week, year by year, the number of data breaches grows — and thieves grow ever more efficient at converting stolen information into stolen money.

They're getting better at this. We're not.

We know what we need to do. We need to abandon the use of Social Security numbers for customer identification and authentication — this means you too, IRS.

We need to treat Social Security numbers and other personal information like the highly valuable, easily stolen commodities they are, and make them much harder to access in our systems.

And we need to encrypt, encrypt, encrypt.

None of this is rocket science for corporate IT shops. None of it will be cheap, either. At a time when business is down and belts are being tightened yet again, it'll be a hard sell to the CEO.

But it's time to budget money for it. Not money for theoretically perfect data security — but for a realistic response to a real threat.

Because there's nothing theoretical about this: If thieves can steal 1,132 students' information and convert it into $100,000, they can do it again and again — and they will.

And that $9 billion is getting closer to reality every day.

Frank Hayes is Computerworld's senior news columnist. Contact him at frank_hayes@computerworld.com.

Copyright © 2008 IDG Communications, Inc.

  
Shop Tech Products at Amazon