IT Confidential: Who's Got My Data? 'Cause It's Not Me!
When data privacy issues hit home, the effect can be eye-opening.
I'm not feeling too good these days. I graduated from Ohio University in 1978. Normally, I don't anticipate an audible gasp when I tell people this. But if you've been following the news about data theft, the name Ohio University should have a familiar ring. Earlier this month, the university said several of its servers had been compromised in a series of break-ins involving personal data on more than 300,000 individuals. The most serious break-in involved records on 137,000 alumni and dated back more than a year. I read about it in the Cleveland Plain Dealer. It didn't make me feel very good.
Then I got a letter from Ohio University informing me that I--my data--was indeed involved in the data compromises. According to the letter, "The record associated with the database ID# in the return address above DOES CONTAIN [emphasis theirs] a Social Security Number." That didn't make me feel very good.
I'm pretty familiar by now with these types of incidents, which are getting numbingly common. The most recent involves the theft of a laptop from a Department of Veterans Affairs data analyst containing personal data on 26.5 million veterans and their spouses. I knew it was possible, even likely, that the hackers involved in the Ohio University incident weren't looking for personal data, that they probably were using the servers for something else, as zombies. But the fact that, according to the letter, "the security breach dates to March 1, 2005, OR PRIOR [emphasis mine] but wasn't discovered until April 24, 2006," and that my personal data had been in play for that long, didn't make me feel very good.
The letter also pointed out that "computer intruders have targeted servers at colleges and universities across the United States," including Boston College, California State University, Iowa State University, Stanford University, the University of Connecticut, and the University of Texas at Austin. If that was supposed to make me feel better, it didn't.
I called the toll-free number. A young woman named Elisa recommended that I call one of the three credit-reporting agencies and put a "fraud alert" on my credit report. She told me to stay away from Equifax, about which they'd been fielding numerous complaints. I called Experian. The automated-response system directed Veterans Affairs' victims to a special number, which I took to mean the Ohio University incident had been pushed down the priority list. To order my credit report, I had to enter my Social Security number, date of birth, the numerical portion of my address, and my ZIP code. This sure didn't make me feel good.
Then I realized I'd made a mistake: I didn't want a copy of my credit report, I wanted to place a fraud alert. So I called TransUnion. Its automated response also had a special Veterans Affairs number. To serve me better, I first needed to enter my ZIP code. Then, to place a fraud alert on my credit report, I had to enter ... see above.
Now I'm waiting to get a copy of my credit report. And I'm waiting to hear if anyone applies for credit in my name. And I'm waiting to see if any of my credit cards have been compromised. And there's more of my data floating around in the ether than ever before. Do you have any idea how that makes me feel?
You know what would make me feel better? An industry tip. Send it to firstname.lastname@example.org or call 516-562-5326.
The News Show will make you feel good--or not, it really doesn't care. Watch it at noon EDT every weekday, at TheNewsShow.tv.
To discuss this column with other readers, please visit John Soat's forum.
To find out more about John Soat, please visit his page.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.