Another week, another huge breach of personal data.
Dallas-based Hotels.com announced last week that credit-card numbers and other personal information on about 243,000 of its customers were on a laptop computer stolen from a car in February.
Last month, the Veterans Affairs Department announced that personal information of 26.5 million veterans was compromised after a laptop and disks were stolen from the home of a data analyst. Information on 1.3 million more people who borrowed money through the Texas Guaranteed Student Loan Corp. was lost in May while in possession of a contractor.
Despite the growing list of blunders, most companies still aren't doing enough to protect their customers' data, according to security experts. The reasons are largely the prohibitive costs of securing mobile devices and a lack of public concern.
"Until businesses are held accountable ... legally, financially and by customer demand for protecting that information, they're not in any strong hurry to make it happen," said Rick Fleming, chief technology officer with Digital Defense, a San Antonio-based network security firm.
The Hotels.com data breach stems from an audit of the company's transactions performed by Ernst & Young. The laptop was stolen from the car of an analyst with the accounting firm. Hotels.com spokesman Paul Kranhold said the incident occurred in Texas but would not say where. He would not confirm or deny news reports indicating that the theft occurred in the Dallas area.
The laptop required a password to use it. A file on the computer has information mostly on customer transactions from 2004, although some are from 2003 and 2002. The information on the file may have included customers' names, addresses and some credit- or debit-card information, according to a statement released by Ernst & Young.
Hotels.com is sending letters to every customer whose data may have been on the laptop. Ernst & Young has set up a call center to address questions or concerns involving the incident. The accounting firm has also arranged for those affected to sign up for a credit-monitoring service for a full year for free.
The information on the laptop was not encrypted; encryption is the practice of protecting information by transforming it into unreadable code. Ernst & Young spokesman Charlie Perkins said the company had begun installing encryption systems on all of the company's laptops earlier this year, but the one with the Hotels.com data did not have the system yet.
Ernst & Young has promised Hotels.com that it will take extra steps to protect the company's data in the future, including encrypting sensitive information. It has set up a toll-free phone number to help those who may be in danger of identity theft: 866-387-2242.
Encryption is one of the most effective and efficient ways of securing information on a laptop, said Mike Stute, chief technology officer for Global DataGuard, a security risk-management company in Dallas.
Companies, especially larger ones, are hesitant to spend up to several hundred dollars per laptop to encrypt data, Stute said.
"The truth is, the $1,000 laptop is trivial compared to the data on the machine," Fleming said. "I don't understand why every company doesn't do it."
Even a good encryption program is only as safe as the person operating it. A hacker can easily overcome an encryption system that's protected by a password if the user picked an easy one to guess, Fleming said.
A more secure system includes an encryption token, a small object that must be plugged into the laptop's USB port to decrypt the information. That type of system can be extremely effective -- as long as the laptop and the token are kept apart.
Fleming recalled seeing a man in an airport with an encryption token taped to his laptop, thereby defeating the purpose of having the token at all.
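The following is an added illustration of the two points above (a password-only scheme is only as strong as the password, and a token only helps while it stays separate from the laptop); it is not code from the article or from any of the firms quoted. It assumes a hypothetical design in which the data key is derived from both a passphrase and a secret stored only on the USB token, using PBKDF2 and HMAC from Python's standard library, so that the correct passphrase without the token (or the token with a guessed passphrase) yields an unrelated key. The passphrase, token secret and label are constructed sample values.

```python
"""Two-factor key derivation: the data key depends on BOTH a passphrase and a
secret held on a removable token, so neither factor alone unlocks the data.
Added example; the construction and all sample values are assumptions."""
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical domain-separation label for the stored key check value.
KCV_LABEL = b"laptop-data-key-check-v1"

# Constructed sample secrets: a user-chosen passphrase and the 32-byte secret
# that, in the design assumed here, lives only on the USB token.
SAMPLE_PASSPHRASE = "correct horse battery"
SAMPLE_TOKEN_SECRET = bytes(range(32))


def derive_key(passphrase: str, token_secret: bytes, salt: bytes,
               iterations: int = 100_000) -> bytes:
    """Stretch the passphrase with PBKDF2 (slowing down guessing), then bind
    the result to the token secret with HMAC. A correct passphrase combined
    with the wrong (or missing) token produces an unrelated 32-byte key."""
    pw_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 iterations)
    return hmac.new(token_secret, pw_key, hashlib.sha256).digest()


def key_check_value(key: bytes) -> bytes:
    """Short verifier stored next to the encrypted data. It lets unlock() tell
    a wrong key from the right one without revealing the key itself."""
    return hmac.new(key, KCV_LABEL, hashlib.sha256).digest()[:16]


def enroll(passphrase: str, token_secret: bytes,
           iterations: int = 100_000) -> dict:
    """Set up protection for a laptop: pick a random salt and record the
    parameters plus the key check value (never the key or the secrets)."""
    salt = secrets.token_bytes(16)
    key = derive_key(passphrase, token_secret, salt, iterations)
    return {"salt": salt, "iterations": iterations, "kcv": key_check_value(key)}


def unlock(passphrase: str, token_secret: bytes, header: dict) -> Optional[bytes]:
    """Re-derive the key and return it only if the check value matches.
    Constant-time comparison avoids leaking how close a guess was."""
    key = derive_key(passphrase, token_secret, header["salt"], header["iterations"])
    if hmac.compare_digest(key_check_value(key), header["kcv"]):
        return key
    return None


if __name__ == "__main__":
    header = enroll(SAMPLE_PASSPHRASE, SAMPLE_TOKEN_SECRET)
    # Both factors present: the data key is recovered.
    print("passphrase + token:", unlock(SAMPLE_PASSPHRASE, SAMPLE_TOKEN_SECRET, header) is not None)
    # Laptop stolen without the token: even the correct passphrase fails.
    print("passphrase, no token:", unlock(SAMPLE_PASSPHRASE, b"", header) is not None)
    # Token taped to the laptop: security collapses to guessing the passphrase.
    print("guessed passphrase + token:", unlock("password", SAMPLE_TOKEN_SECRET, header) is not None)
```

The last case is the airport anecdote in code: once the token travels with the laptop, the only thing standing between a thief and the data is the passphrase, and PBKDF2 merely slows the guessing rather than preventing it.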
A slew of large data breaches has surfaced in the past year mainly because laws passed in several states now require companies to report these embarrassing mistakes.
California started the trend of data-breach laws in 2003. The Texas Breach of Computer Security Statute went into effect in September. "There's no question that the states are taking the lead on identity theft," said Ed Mierzwinski, consumer program director for the Texas Public Interest Research Group.
A handful of bills working their way through Congress would make data-breach notification a national law. Depending on which bill passes, companies may be required to report any data breaches where there's a chance for identity theft or fraud, or only when there's a good chance of misuse of the data.
No matter what laws are passed, Stute doubts that companies will get more serious about protecting sensitive data until the technology becomes cheaper and easier to use. He noted that they have little motivation, considering that most of the major data breaches over the last year have not appeared to impose any lasting damage to the image of the company at fault.
"It never seems to stop consumers anyway," Stute said. "It's bad press, but it doesn't seem to hit home with anybody."