
Breaches Exposed 22.8 Million Personal Records of New Yorkers

Unknown Lamer posted about two weeks ago | from the what-is-security dept.

Security 41

An anonymous reader writes: Attorney General Eric T. Schneiderman issued a new report examining the growing number, complexity, and costs of data breaches in New York State. The report reveals that the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers have been exposed in nearly 5,000 data breaches, which have cost the public and private sectors in New York upward of $1.37 billion in 2013. The demand on secondary markets for stolen information remains robust. Freshly acquired stolen credit card numbers can fetch up to $45 per record, while other types of personal information, such as Social Security numbers and online account information, can command even higher prices.


In ... the New Your State? (0)

Anonymous Coward | about two weeks ago | (#47466059)

WTF?

Re:In ... the New Your State? (2)

SJHillman (1966756) | about two weeks ago | (#47466133)

It stopped being our state a long time ago.

Re:In ... the New Your State? (2)

Jason Levine (196982) | about two weeks ago | (#47466343)

This is also the state where the Commissioner of Education, John King, had a talk about New York's implementation of Common Core. The talk was overrun with parents who had issues with the implementation specifically (and some with Common Core in general). There were a lot of questions they wanted to ask and a lot of answers they wanted to get. Instead, King cut the meeting short, cancelled the rest of his tour, and said that "special interest groups" were to blame. (Parents are apparently now a special interest group.) He finally caved to pressure and re-opened his tour but made sure that each venue was structured so he wouldn't need to be confronted by opponents in that manner anymore.

New York: Where the politicians serve their constituents - themselves - and the public can go wait in the corner until they're needed to pay more taxes.

Re:In ... the New Your State? (1)

baKanale (830108) | about two weeks ago | (#47467835)

Don't forget our illustrious governor, who refuses to communicate with his staff via email, favoring phone calls and Blackberry Pin-to-Pin messaging instead, so as to sidestep records laws. I'm glad he's kept up on his promise to be the most transparent administration in state history. http://www.nydailynews.com/new... [nydailynews.com] http://www.nytimes.com/2012/07... [nytimes.com]

Re:In ... the New Your State? (1)

Jason Levine (196982) | about two weeks ago | (#47468555)

Yup. I usually vote for the Democrat candidates, but I won't vote for him again. The problem is that I don't like the Republican candidates either. So I'll likely vote for a third party candidate. I know they won't have a realistic chance of winning the election, but it will be a protest vote. If enough people protest by voting third party, maybe the two major parties will pay attention.

Re:In ... the New Your State? (1)

chfriley (160627) | about two weeks ago | (#47466163)

And the population of New York State is....19,651,127 (2013 est).

Anyone who wants to have even more centralized data storage of personal, private information just doesn't care about data security.

Data is Unsecurable (4, Insightful)

ObsessiveMathsFreak (773371) | about two weeks ago | (#47466091)

Perhaps it's time for companies to realise that they cannot keep data secure. That they will never be able to build, much less be willing to pay for, the security required to keep this information under any kind of seal.

Perhaps it's time for companies to ask themselves: "Do we really need to store this?".

Re:Data is Unsecurable (1)

ChunderDownunder (709234) | about two weeks ago | (#47466181)

Where I live, the security agency was on telly tonight calling for greater hacking powers and data retention.

(The Terrorism card)

Why spy on your own citizens when the information is, seemingly, freely available online?

Re:Data is Unsecurable (0)

Anonymous Coward | about two weeks ago | (#47469401)

Bleh, why become a terrorist when you can just join the law? The best part is you get paid vast pensions for violating people!

Re:Data is Unsecurable (2)

Jason Levine (196982) | about two weeks ago | (#47466297)

This was one big reason why, when New York said they were going to upload students' data into the Bill Gates Foundation's InBloom system, I was opposed. The data (including some very personal info like medical diagnoses) would have been uploaded to an Amazon cloud drive. As if "cloud drives" are never hackable.

(The other reason I was opposed was that lawmakers specifically made an exception to the data sharing laws so that data could be uploaded to InBloom whether or not parents wanted it uploaded. Not only was it not opt-in, but you couldn't even opt-out.)

Thankfully, New York backed off this plan. If they wanted to standardize the systems across the school districts, I might not have a problem with it (depending on the system), but uploading tons of personal information and trying to hand-wave security concerns away by saying "the cloud" doesn't sit well with me.

Re:Data is Unsecurable (2)

Charliemopps (1157495) | about two weeks ago | (#47466655)

Perhaps it's time for companies to realise that they cannot keep data secure. That they will never be able to build, much less be willing to pay for, the security required to keep this information under any kind of seal.

Perhaps it's time for companies to ask themselves: "Do we really need to store this?".

It's beyond that... as you said, data is unsecurable even if they don't store it. So why is it possible for someone from eastern Europe that doesn't even speak English to charge something in my name and have it shipped overseas with nothing more than the info on my Visa card?

This is entirely the fault of Visa/Mastercard and other credit agencies. They should be eating the costs of this fraud wholesale. They could end it tomorrow but in the name of getting us as far in debt to them as possible, they've thrown out pretty much every security measure you can think of and now they've found a way to get your credit card to wirelessly broadcast your number to anyone that happens to be walking by. If someone charges something fraudulently to your card, the CC company should have to pay an inconvenience fee to the store and the customer. If your credit gets ruined by someone, Equifax and the others should have to pay a fine to you. This would get cleared up overnight if that happened.

Sue, sue sue ... (1)

CaptainDork (3678879) | about two weeks ago | (#47467329)

Perhaps it's time for some litigation. These breaches should fall into an area similar to product liability where the cost of shoddy work is expensive.

Re:Data is Unsecurable (0)

Anonymous Coward | about two weeks ago | (#47478881)

Well, following your reasoning, if nobody stores that information... then it will be more secure and hard to get... so more valuable for the ones that store them.

I see it as a lose-lose situation. Better stored unsecured than nothing at all.

Simple solution: Make those responsible pay (1)

gweihir (88907) | about two weeks ago | (#47466095)

Say, full damage caused, including $100 per hour the person affected had to spend clearing this up, with at least 10h assumed and no need to prove anything for them. With that, companies might just start to care about the security of customer data. Currently, they basically have no incentives to spend any money on secure coding, security reviews and the like.

Re:Simple solution: Make those responsible pay (1)

SJHillman (1966756) | about two weeks ago | (#47466155)

The problem is what happens when it's a government breach? Have taxpayers fine themselves?

Re:Simple solution: Make those responsible pay (0)

Anonymous Coward | about two weeks ago | (#47466197)

Fines? Jail? Firing? for anyone who is remotely responsible?

Kind of like what should be done with the banksters?

Re:Simple solution: Make those responsible pay (0)

Anonymous Coward | about two weeks ago | (#47466167)

Actually, they do. VISA and MasterCard impose security standards; the Federal Government imposes standards; and, probably, the State of New York imposes standards.

Of course, creating standards and getting these passed into Law (for the Governments) means the standards are lax because the art of intrusion and extraction has moved past the specific Law(s). But there are incentives and Laws which also have incentives.

Re:Simple solution: Make those responsible pay (1)

gstoddart (321705) | about two weeks ago | (#47466207)

That would require some form of privacy legislation.

And I have my doubts about the willingness of lawmakers to do that.

Not the least of which because it would limit the ability of companies to make use of your private data, put the onus on them to be competent at data security, and actually bear some responsibility.

We couldn't possibly curtail what companies do for profit.

There are barely any laws about what they're allowed to store, and what they're allowed to do with it. Nobody is going to pass laws making them legally responsible for their own terrible security.

Personal Information worth? (0)

Anonymous Coward | about two weeks ago | (#47466107)

$1.37 billion / 22.8 million.... wait are they saying my information is worth $60? Woohoo. $60! Now where do I cash out?

Identity theft (0)

Anonymous Coward | about two weeks ago | (#47466143)

And of course, the burden of cleaning up your name is on you.

Businesses and governments who are careless with our data just send out an apology and move along.

It takes a long time to straighten out, but in the meantime, you are harassed by collectors and sometimes even arrested.

And the expense is yours.

sue? Yeah, good luck with that.

Simplest Solution (0)

drinkypoo (153816) | about two weeks ago | (#47466149)

Make debt the responsibility of the lender.

Re:Simplest Solution (0)

Anonymous Coward | about two weeks ago | (#47466253)

Make debt the responsibility of the lender.

Care to elaborate?

Re:Simplest Solution (0)

drinkypoo (153816) | about two weeks ago | (#47466279)

Make debt the responsibility of the lender.

Care to elaborate?

Are you asking for the definitions of the words "make", "debt", and so on? I did not find the sentence particularly confusing.

Re:Simplest Solution (0)

Anonymous Coward | about two weeks ago | (#47466377)

We assumed it to be confusing because we wanted to assume you knew what you meant but just didn't get the point across well. If the point was that lenders are responsible for debt and debtors don't owe anything - well that is just stupid. Can you see that we were being nice assuming that you were just not getting your point across well? A lender would have to be an idiot to loan money if the debtor wasn't responsible for paying it. If you meant something else, please, elucidate...

Re:Simplest Solution (1)

drinkypoo (153816) | about two weeks ago | (#47467591)

We assumed it to be confusing because we wanted to assume you knew what you meant but just didn't get the point across well

No, you did not understand the point, which was so simple that any idiot should be able to understand it. Apparently, I did not aim sufficiently low for my audience.

If you have a specific objection, then make it. Otherwise, admit that your entire argument is "that's stupid", which is no argument at all. Instead of argument, you are relying upon moderation to suppress mine. That's because you don't have an argument. If you had, you'd have used it.

Re:Simplest Solution (0)

gstoddart (321705) | about two weeks ago | (#47466263)

Make debt the responsibility of the lender.

Why, when it's so much more profitable to "securitize" it and sell it off to other people as if it had value?

Making companies take on their own liability sounds un-American.

Re:Simplest Solution (1)

ShieldW0lf (601553) | about two weeks ago | (#47466371)

Make debt the responsibility of the lender.

In Islamic countries, it's illegal to earn money off debt, and their civilization is growing. It's a perfectly functional way to operate. I went looking for an Islamic bank myself, but there weren't any close enough for me to do business with them.

Re:Simplest Solution (0)

Anonymous Coward | about two weeks ago | (#47466411)

I won't be looking at an Islamic country as an example of a "perfectly functional way to operate." I like my freedom, thanks.

Re:Simplest Solution (1)

ShieldW0lf (601553) | about a week ago | (#47513909)

I won't be looking at an Islamic country as an example of a "perfectly functional way to operate." I like my freedom, thanks.

Whatever you say, debt slave.

Mispelling in Headline... (0)

fellip_nectar (777092) | about two weeks ago | (#47466215)

It's actually 'Breeches' and now we finally know Step 2.

Re:Mispelling in Headline... (1)

hey! (33014) | about two weeks ago | (#47466965)

It's actually 'Breeches' and now we finally know Step 2.

Years ago, when static electricity was bad news for computers, I had the idea for a "data processing shoe" that would have a little conductive ribbon that would drag along the floor and ground out static electricity. Such a thing is of course no longer needed, but given the apparent popularity of data breeches these days maybe the concept could be resurrected as a fashion statement.

Sell your own data... (1)

tekrat (242117) | about two weeks ago | (#47466295)

Companies have proved they do not care about your data and are willing to essentially give it away via breaches. And *nothing* is ever done about preventing identity theft, because the burden of fixing it is up to the individual, not the credit card issuer, and not the large faceless corporation that saved $20 on security software, but let the hackers in to take your identity in the first place.

They then promise to fix the problem, but then never do. And government looks the other way because they are in the pocket of big business in the first place.

So, beat them to the punch: Sell your identity to the hackers. Make it a place like ebay where people get to bid on you. You get money (probably from a previously stolen credit card); the hackers get to perform credit card fraud; and then you get new cards issued from your bank, and a week or two later, you get to start the process all over again. In the meantime, there's an "economy" at work, and believe it or not, it's on the backs of the credit issuers, who have to keep replacing your card.

Then, after a few years of that; they might actually do something about the ease of identity theft.

Sure, you've ruined your credit rating; but in the meantime, so has everyone else -- this only works if everyone does it of course -- so credit ratings become meaningless and the world, like in fight club, becomes a better place and maybe we go back to the days where companies took some responsibility and weren't just gouging everyone for every last cent.

Maybe, just maybe, we can turn this thing around on them and take our planet back.

Methodology of study (0)

Anonymous Coward | about two weeks ago | (#47466307)

Not exactly impressed with it.

Data security breaches between 2005 and 2009 were recorded in Microsoft Word documents, while 2010-2014 breaches were recorded using Microsoft Excel Spreadsheets. After the data were successfully combined into one spreadsheet, a significant amount of “cleaning” was necessary to correct inconsistencies that prevented accurate analysis.

This process also included standardizing breach events into broader categories for analysis, since some notice descriptions were often brief and/or ambiguous. Despite best efforts, some descriptions were simply too ambiguous, and were therefore categorized as “other.” Examples of these descriptions include other criminal acts (“extortion,” “mail tampering,” and “check counterfeiting”) and the unexplainable (“files found outdoors” and “student chose user PIN of another”). Breach events that were recorded without any discernable descriptions were categorized as “unknown.”

The construction of the “hacking” category included descriptions such as “computer virus” or “malware,” as well as “unauthorized intrusion” or “unauthorized access.” Based simply on those descriptions, some of the unauthorized access/intrusion categories could have been misclassified.

And the dollar amount of the damages comes from a study conducted by Symantec and the Ponemon Institute, two vendors of security products and consultation, rather than from an organization with less of a potential for a conflict of interest. Also, the report makes it seem as if New Yorkers in particular are being targeted, but in reality most of the largest breaches listed have to do with retailers like TJ Maxx, Target, Sony, LivingSocial, etc., which affected customers from all states, not just New York.

Finally, the recommendations of the report for increasing data security and protecting privacy are pretty much run of the mill: use encryption where possible, minimize data collection (if you don't need a customer's SS#, DON'T ASK FOR IT), keep software updated, etc. I'm not sure what this report is trying to accomplish, other than exaggerating the true costs of breaches and over-reporting the amount of breaches made by hackers (I think insider compromises are harder to detect and more prevalent than reported).

Re:Methodology of study (0)

Anonymous Coward | about two weeks ago | (#47466851)

What really needs to be done is some basic practices along the lines of keeping as little info as possible, and what critical info is needed, tokenize it. Of course, after a time, expire the data. Data expired and actively removed is data not accessible to the bad guys, barring a compromise of a backup server or physical possession of tapes [1].

Just using the basic features of what comes with enterprise items will go far in security. If more is needed, firewall and use Citrix or another framework to keep the sensitive data fenced in internally.

[1]: As for tapes, if one uses LTO-4 or newer, it is retardedly simple to encrypt them, usually it boils down to setting a passphrase via the silo's web page, using the backup program, or even a utility that comes with the tape drive (assuming it supports the T10 command set.) Set a password, make sure others know what it is so tapes are recoverable, then from there on out, if a piece of media falls off the back of an Iron Maiden van, no worries about having to report to the press about a breach or other bad things due to unencrypted info leaking.

maybe I need coffee (0)

Anonymous Coward | about two weeks ago | (#47466431)

Misread that as "Beaches expose 228 million personnel of New York"

Took me a reread to realize this wasn't some commentary about a nude beach on Fire Island.

post-privacy world (1)

Connie_Lingus (317691) | about two weeks ago | (#47466439)

isn't it time we just ditch the fiction that privacy as we knew it in the 20th century isn't gone forever, and accept that everything we do and say on any digital medium will be collected?

sheesh...yes I get it already...databases compromised, hacked, sold...NSA spying, collecting...

good lord how many times do we need to be whack-a-moled before we just stop caring?

single purpose device (0)

Anonymous Coward | about two weeks ago | (#47467559)

We need a pre-designed single purpose device for sensitive information that's both hardened and designed to be secure from the ground up. There is no good reason it should take a master's degree in computer science, 10 years of on-the-job experience, a specialization in security, and days' worth of effort to put together a reasonably secure web site (and then still not have it be really all that secure). Not to mention maintaining updates for it.

While I feel GNU/Linux distributions have had (to a greater degree) better solutions to this problem (i.e. security updates for all critical applications, as opposed to having to manually update everything, as is the case in MS Windows to a large degree) it's far from perfect. There aren't many distributions (in fact I'd probably argue there aren't any) that are secure from the ground up.

This is another thing we need. Besides a single purpose device to store and limit access to that information (that is, you can set limits so that when a hacker breaks into the site they can't perform requests to dump the entire database, etc.) we need a distribution designed to be secure and still relatively easy to use.
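Two comments above describe the same defensive pattern from different angles: the "Methodology" reply says to keep as little data as possible, tokenize what must be kept and expire it after a time, and this comment wants access limits so that a compromised web front end cannot pull the whole database. The following Python is an added illustration of both ideas together, not code from either poster, from Slashdot, or from the AG report. The class and function names (TokenVault, QuotaExceeded, run_demo), the sliding-window quota design, the retention period and the sample SSN are all my own assumptions; the SSN is a constructed value.

```python
"""Added example: an in-memory tokenization vault with record expiry and a
per-caller detokenization quota. Not from the Slashdot thread or the AG report;
the names TokenVault, QuotaExceeded and run_demo are assumptions."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class QuotaExceeded(Exception):
    """Raised when a caller asks for more clear-text values than its window allows."""


@dataclass
class TokenVault:
    retention_seconds: float        # how long a stored value lives before purge
    max_lookups_per_window: int     # clear-text reads one caller may do per window
    window_seconds: float = 60.0
    _records: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # token -> (value, expiry)
    _lookups: Dict[str, List[float]] = field(default_factory=dict)        # caller -> read timestamps

    def tokenize(self, value: str, now: Optional[float] = None) -> str:
        """Store a sensitive value and hand back an opaque random token.

        The token is random rather than derived from the value, so a leaked
        token column reveals nothing (a plain hash of a low-entropy SSN would).
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self._records[token] = (value, now + self.retention_seconds)
        return token

    def purge(self, now: Optional[float] = None) -> int:
        """Delete expired records and report how many were removed."""
        now = time.time() if now is None else now
        expired = [t for t, (_, exp) in self._records.items() if exp <= now]
        for t in expired:
            del self._records[t]
        return len(expired)

    def detokenize(self, token: str, caller: str, now: Optional[float] = None) -> Optional[str]:
        """Return the clear-text value for a token, or None if unknown or expired.

        A per-caller sliding-window quota means a compromised application
        credential can only retrieve a few values per window, not bulk-dump.
        """
        now = time.time() if now is None else now
        self.purge(now)
        recent = [t for t in self._lookups.get(caller, []) if now - t < self.window_seconds]
        if len(recent) >= self.max_lookups_per_window:
            raise QuotaExceeded(f"{caller} exceeded {self.max_lookups_per_window} lookups per window")
        recent.append(now)
        self._lookups[caller] = recent
        record = self._records.get(token)
        return None if record is None else record[0]

    def live_count(self) -> int:
        """Number of unexpired records currently held."""
        return len(self._records)


def run_demo() -> dict:
    """Walk one record through its lifecycle using a fixed clock (constructed data)."""
    vault = TokenVault(retention_seconds=90 * 86400, max_lookups_per_window=2)
    ssn = "123-45-6789"            # constructed sample value, not a real SSN
    t0 = 1_000_000.0               # fixed epoch seconds so the run is deterministic
    token = vault.tokenize(ssn, now=t0)
    first = vault.detokenize(token, "checkout-app", now=t0 + 1)
    second = vault.detokenize(token, "checkout-app", now=t0 + 2)
    try:                           # third read inside the same 60 s window is refused
        vault.detokenize(token, "checkout-app", now=t0 + 3)
        blocked = False
    except QuotaExceeded:
        blocked = True
    purged = vault.purge(now=t0 + 91 * 86400)               # retention elapsed
    after_expiry = vault.detokenize(token, "checkout-app", now=t0 + 92 * 86400)
    return {"token_differs": token != ssn, "first": first, "second": second,
            "third_blocked": blocked, "purged": purged, "after_expiry": after_expiry}


if __name__ == "__main__":
    print(run_demo())
```

The application tier keeps only the token; the vault, which would run as a separate service with its own credentials in practice, holds the clear text, purges it on every read once its retention has passed, and throttles each caller so that a stolen application credential yields a trickle rather than a dump. Expired rows must also be dropped from backups for the poster's point to hold, which is why the tape-encryption footnote matters.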

Largely irrelevant because of costs and intent (1)

gelfling (6534) | about two weeks ago | (#47467773)

The costs of attempting to BE compliant with these vague horrible laws are far higher than the cost of losing control over something. This is why HIPAA is a huge waste of time and effort. It costs millions to 'comply' with the law but the downside is near zero because, and this is important

YOU HAVE TO PROVE INTENT

So any law is going to be ineffectual on its face when it looks only at intent. And specifically, the intent to profit from it. Target didn't intend to break something. They goofed up. So the law doesn't really cover mistakes. If Target was part of this vast scheme to rob people that's a different matter.

This is why warrantless spying is a great idea! (1)

Francis Jacob Christian (3750525) | about two weeks ago | (#47468911)

Because giving people that can't be held accountable unfettered access to all of your data and records will lead to LESS identity theft, right? Right????

Look at the bright side.... (1)

Bob_Who (926234) | about two weeks ago | (#47470003)

It's a $1.37 billion dollar boost to the economy! You can't just print money for banksters without spreading it around a little bit!

When the money gets stolen, it's insured by the government that just prints some more, and paper grows on trees!

Finally we have found a growth industry with real American entrepreneurship that is compatible with current fiscal policy. We can re-hypothecate futures on funny money stolen by criminals that aren't bank executives! It's a new system of cheques and balances in a brave new kleptocracy!

Eureka!

Danger to corporations (0)

Anonymous Coward | about two weeks ago | (#47470525)

... issued a new report ...

This year has seen a lot of The US versus John Doe Citizen cases, so I'm wondering if an attorney will actually hold a corporation responsible. I mean, outside of investigations by FDA/ICE/SEC/FBI and other 3-letter branches of federal government.

In John Doe cases, the government can steal their assets, choose their lawyer and lock them in prison. Government thuggery isn't so easy against a corporation.
