IT Confidential: 'Eventually, Everyone's Data Will Be Compromised'

Last week I wasn't feeling well because my personal data--name, Social Security number, address--had been compromised by a hacker break-in at my undergraduate alma mater. Many people wrote to try and make me feel better by sharing their experiences with their own personal data losses. While I certainly appreciate their efforts, they didn't really make me feel better.

One respondent summed it up this way: "Eventually, everyone's data will be compromised, and the security companies will be making a lot of money out of this sad situation." This person is a fellow alum of Ohio University who had her Social Security number compromised by the same break-in. "The only good news is that, as an employee of Hewlett-Packard (one of the 2,000 Procter & Gamble IT employees who were sold to HP in August 2003, whether we wanted to go or not), my data was already compromised in March by the theft of a Fidelity laptop containing personal information on HP employees. So I had turned on a security alert last month." Now, that's what I call cold comfort.

There were more than a few horror stories. A lawyer "specializing in information security matters" wrote that he represented a client who had a drug conviction inadvertently and incorrectly added to his credit report and then spent years trying to get it expunged. The lawyer had this warning: "Unfortunately, if the treasure trove of your SSN and name, together with other unique ID data points, is recognized for what it's worth, you may wind up battling a hydra-headed monster for a long time."

More than one person pointed out that hacker break-ins aren't the only, or even most common, way personal data is compromised. One person said the HR director at her "Fortune 150" company sent an E-mail, by accident, "containing a dozen names, [their] performance review grades, salaries, and Social Security numbers, to every single person in our location (350-plus people)." One of those names, etc., was hers. Another respondent pointed out that when top executives walked out the door of his company recently--the fallout of a corporate merger--they did so with their laptops intact, "without being reimaged or wiped. They left with who knows how much, and what, data on them."

And the situation isn't going to get better any time soon, according to one database veteran: "Most of the DBAs I work with try to implement good security, yet have little knowledge of ID theft and how it occurs."

Another OU alum, frustrated and angry, sent a personal data manifesto in the form of a list of demands, such as free credit-monitoring services for data theft victims and an audit trail for personal data. This is demand No. 3: "I must have total control over my information, and it will not be disseminated or used in any way without my case-by-case prior express permission, which would be provided as a separate document and not included in or contingent on any other conditions or agreements."

Amen, brother. Thanks for sharing. I'm feeling better now.

So, who do we E-mail our demands to? President Bush? Secretary Rice? Howard Stern? Or you could just send me an industry tip, to [email protected], or phone 516-562-5326.

The News Show would never compromise your personal data--just your ethics and your taste. Watch it at noon EDT every weekday at TheNewsShow.tv or on InformationWeek.com.

To discuss this column with other readers, please visit John Soat's forum.

To find out more about John Soat, please visit his page.