Shostack + Friends Blog Archive


Other comments on the GAO Report

  • [Added July 21] Roger Grimes, “Identity theft? What identity theft:” [link to http://www.infoworld.com/article/07/07/20/29OPsecadvise_1.html no longer works]

    Here’s my long-held feeling: If even one customer record is compromised, it should be immediately disclosed to the consumer. None of this, “You need 10,000 or more records stolen before it is reported” or “Only report if likely to be used in financial theft.” Forget that! Banks and merchants are privileged to be entrusted with our important financial data. If they don’t protect our information properly, they, not us, should pay the price.

  • Information Week, “Secret Service Busts Four Fraudsters With Ties To T.J. Maxx Attack:” [link to http://www.informationweek.com/news/showArticle.jhtml?articleID=201001100 no longer works]

    A recent Government Accountability Office report noted the difficulty of linking data theft to identity theft, but the U.S. Secret Service is having no such problems. The agency earlier this week said it has arrested and indicted four members of an organized fraud ring in South Florida, charging each of them with aggravated identity theft, counterfeit credit-card trafficking, and conspiracy.

  • Anton Chuvakin, “Nobody Is That Dumb … Oh, Wait! – III:”

    But you know what? Data theft (as well as, mind you, a negligent data loss!) is a crime even if whoever took off with the data didn’t use it for nefarious purposes. To me it sounds akin to “the bank robber who didn’t spend the money on more crimes” or (more remote …) “a carjacker who didn’t cause a traffic incident.” Mandatory notifications are a means to reduce data loss/theft, and are thus needed with no regard to how the stolen data is used!

  • SANS Newsbytes (with some detailed analysis, including the n=24 problem)
    [link to http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=53&portal=e1c561924c27a4ef0efbe8a09b6fe8b4 no longer works]

    The GAO Report that leads off this issue is deeply flawed and does not meet that agency’s high standards for excellence in analysis or independence. We learned that the report was done by a group at GAO that doesn’t usually work in this area, so their flawed analysis is understandable, but still potentially damaging to GAO’s reputation and to the nation’s cybersecurity. We have included an analysis of the report in this issue for readers who didn’t immediately see the flaws.

  • Dissent, “Did the data breach chronologies backfire:” [link to http://www.pogowasright.org/blogs/dissent/?p=520#more-520 no longer works]

    Looking through it, it is clear that they relied heavily on data and statistics provided by Attrition.org, the Privacy Rights Clearinghouse, the Identity Theft Resource Center, and reports obtained from NY and NC under FOIA by Chris Walsh.

    Although it is encouraging that the government is actually using the data that these organizations and individuals have worked so hard to compile, some of the implications suggested by the GAO report are troubling from the perspective of a privacy advocate.

2 comments on "Other comments on the GAO Report"

  • ed dickson says:

    Great point that the Secret Service seems to have no problem tracking the information in the TJX case.
    I would imagine there is a lot of pressure to have some resolution on the TJX issue given the amount of publicity.
    Maybe if more effort was spent going after some of these issues, we might see more resolution?

  • Adam says:

    Ed,
    I’m not sure what sort of resolution you’d be seeking?
