Not All Data Breaches Are Created Equal

by Joe Mason on

It seems that virtually every day I see a new report that some entity has exposed the names, Social Security numbers and other personal information of its employees, customers or, in the case of a governmental agency — federal, state or local — of citizens like you and me.

Two quick recent examples: The Minnesota Department of Commerce announced that a breach at Nationwide Insurance Company exposed the personal information of 98,191 Minnesota taxpayers. This was apparently part of a larger data loss by the Columbus, Ohio-based insurer that has affected 1.1 million customers of Nationwide Insurance and Allied Insurance, both owned by Nationwide Mutual Insurance.

California's Department of Health Care Services (DHCS) accidentally published online Social Security numbers and identifying information for some 14,000 Medi-Cal providers. There they remained accessible for nine days, from Nov. 5 through Nov. 14, according to a letter sent by DHCS.

Both of these incidents, and many more we are seeing these days — whether it is a huge computer invasion like the one that struck the South Carolina Department of Revenue or a simple clerical error that saw appointment cards mailed out from a dental practice that contained the Social Security numbers of patients — all tend to be lumped together under the general heading of "data breach."

This might be convenient but the reality is there is a very big difference between types of data leaks and the potential danger of identity theft they pose.

The biggest danger, of course, is the case of computer hacking, where strangers force their way into a computer system specifically to access databases containing personal information. Both the South Carolina and Nationwide cases appear to be incidents where foreign-based hackers got into the systems for the specific purpose of stealing personal data. In these cases, the danger of identity theft is very high.

Then there is the case of the inadvertent exposure: the patient Social Security numbers sent out on postcard appointment reminders, or, in another case I am familiar with, a database of employee personal information accidentally posted to a public website.

In these cases, identity theft is possible, but much less likely than after a database hack specifically conducted to get that information. It can happen; there are cases where it apparently has happened, but the probability is much lower.

Finally there are cases of even more inadvertent potential data loss. For instance, a California state agency sent a magnetic computer tape containing personal information to the wrong subcontractor. Or something I see with surprising frequency: a computer — almost always a notebook computer — containing a personal information database is lost or stolen. You would likely be shocked at how often these are left at a security checkpoint at an airport and gone by the time the owner returns.

These are all very different events. In the case of the mis-addressed computer tape, it was quickly retrieved without ever being accessed. In the case of a lost computer, more often than not there are levels of password protection before reaching the data and then the data itself is encrypted.

In the case of the postcards or the inadvertent posting of a list, the possibility of someone with fraudulent intentions coming across the data and then acting upon it is not high.

Even among computer incursions, those seeking personal information databases pose a high risk, but hacks done for a different reason — to change grades on a school system database, or just to show that the hack can be done — pose a much lower risk.

My point is that if you find yourself a potential victim of a "data breach," you need to evaluate the potential danger before you panic and then, if you deem your risk to be high, you need to take action.