The High Cost Of Data Loss - InformationWeek


Sensitive personal data has been misplaced, lost, printed on mailing labels, posted online, and just left around for anyone to see. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about it.

The Goods
Hackers and careless package delivery services grab the headlines when sensitive data is lost or pilfered, but often all that's needed to steal an identity are a Web browser and a search engine. Government agencies, educational institutions, and businesses digitize paper records and post them to Web sites but too often don't scrub documents of sensitive information.

No one seems to know how often Social Security numbers and other personal information are carelessly posted on the Web, but government agencies from the Department of Justice to village clerks have slipped up. In December, InformationWeek reported that certain pages on the Justice Department's Web site included the names and Social Security numbers of people involved in department-related legal actions.

Justice acknowledged the personal information shouldn't have been publicly available, and the documents are now blocked from view. The Social Security numbers, however, still can be accessed using general-purpose search engines. Other tricks for bypassing controls include clicking on cached or HTML links and copying text from Adobe PDF files into Microsoft Word.

Levine turned limited access to Acxiom systems into major theft.

The list of government entities and businesses that have made sensitive data available to the public is long. The Web site for Florida's Palm Beach County Clerk and Comptroller lets people access deeds, military records, and other documents containing personal information. A programming error last year in the University of Southern California's online system that accepts entrance applications left the personal information of as many as 280,000 prospective students accessible. The Suffolk County, N.Y., clerk's office posted property records with thousands of homeowners' Social Security numbers on its Web site.

"Having someone's Social Security number is having the key to that person's identity," says Dana Lesemann, VP and deputy general counsel at Stroz Friedberg, a consulting firm specializing in computer forensics. Thieves use a name and Social Security number to get other information and then order credit cards, take out mortgages, and apply for other services using the victim's identity.

There aren't any laws prohibiting the collection and use of Social Security numbers, though people who use them for identity theft can be prosecuted for fraud. Bills were introduced in Congress last year to establish criminal penalties for buying and selling Social Security numbers and are now in committee (see story, "The Law").

When sensitive information is freely available to the public on the Web, it's often the result of carelessness and rarely a technology problem. As with most aspects of security, training in the proper use of technology and data-handling policies is essential, says Lesemann, who has studied the ways PDF files in particular can be exploited to gain access to sensitive information. "Everyone uses PDF files, but no one understands the pitfalls."

Businesses create PDF files using scanned images, digital photos, and text documents. It's possible to restrict the way PDFs are viewed, printed, and edited, and a common way to block PDF content from view is to place a black box over a portion of the image. However, the black box is actually a layer within the PDF, so the sensitive information is still there, and still at risk. A U.S. military report issued last year on the investigation into the fatal shooting of an Italian agent escorting a freed hostage through a checkpoint in Iraq included several black boxes blocking sensitive information. A PDF of the document was posted on the Web but was pulled when the military realized visitors could remove the black boxes by copying the text into a Word document, Lesemann says.

A better understanding among business and government employees of how to properly scrub documents would go a long way toward resolving the problem.
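As an added illustration (not part of the original article), here is a pre-publication check a records office could run: it reads a PDF's page content streams and reports any Social Security-shaped strings still present in the text layer, whether or not a filled box is drawn over them. The sample objects are constructed fragments rather than complete PDF files, and the check assumes literal strings shown with the `Tj` operator in uncompressed or Flate-compressed streams; production documents call for a full PDF library.

```python
import re
import zlib

STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)
SHOWN_TEXT_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)\s*Tj")  # (string) Tj
FILLED_BOX_RE = re.compile(rb"\bre\s+f\b")                    # x y w h re f
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def make_stream_object(content: bytes, compress: bool = True) -> bytes:
    """Wrap page drawing operators in a PDF stream object (constructed fragment)."""
    data = zlib.compress(content) if compress else content
    flt = b" /Filter /FlateDecode" if compress else b""
    return (b"4 0 obj\n<< /Length %d%s >>\nstream\n%s\nendstream\nendobj\n"
            % (len(data), flt, data))


def content_streams(pdf: bytes):
    """Yield each stream's decoded bytes, sized by /Length rather than by guessing."""
    for m in STREAM_RE.finditer(pdf):
        length = int(re.search(rb"/Length\s+(\d+)", m.group(1)).group(1))
        raw = pdf[m.end():m.end() + length]
        yield zlib.decompress(raw) if b"/FlateDecode" in m.group(1) else raw


def audit(pdf: bytes) -> dict:
    """Report SSN-shaped strings left in the text layer and count filled boxes."""
    ssns, boxes = [], 0
    for stream in content_streams(pdf):
        boxes += len(FILLED_BOX_RE.findall(stream))
        for m in SHOWN_TEXT_RE.finditer(stream):
            ssns += SSN_RE.findall(m.group(1).decode("latin-1"))
    return {"ssns": ssns, "filled_boxes": boxes}


# Constructed sample: the text is drawn, then a black rectangle is painted over it.
COVERED = make_stream_object(
    b"BT /F1 12 Tf 72 700 Td (Name: Jane Roe SSN: 000-12-3456) Tj ET\n"
    b"0 0 0 rg 150 695 120 16 re f\n")
# Constructed sample: the number was deleted from the text before the box was drawn.
SCRUBBED = make_stream_object(
    b"BT /F1 12 Tf 72 700 Td (Name: Jane Roe SSN:) Tj ET\n"
    b"0 0 0 rg 150 695 120 16 re f\n")

if __name__ == "__main__":
    print("covered: ", audit(COVERED))
    print("scrubbed:", audit(SCRUBBED))
```

Both samples look identical on screen because each draws the same black box; only the first still carries the number, which is why the check has to read the content stream rather than the rendered page.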

An industry has formed around the search for sensitive information. Sites, including Identity Crawler, People-Search, Records Registry, and, make public data revealed by errors, lapses in privacy and security policy, and carelessness. These sites, which are used by private investigators and others, collect Social Security numbers and other personally identifiable information in any number of ways, including trolling the Web for unsecured documents.

--Larry Greenemeier
