Indiana Data Theft Compromises 700,000

palewook writes "A Midwest collection company, Central Collection Bureau, admits a server and eight PCs stolen contain over 700,000 individuals' personal data. Central Collection Bureau acts as a collection contractor for doctors and utility companies. The Indiana based company admits the stolen info consists of addresses, social security numbers, and medical codes."

Well this is a well timed article

[Durrok]

I happen to work in Indiana in IT for a retail store and my boss and I were just discussing how to avoid a "CNN event" just like this. Hopefully this article will be the tipping edge for the upper management to give us the time and resources to be able to properly secure our network... but somehow I doubt it.

Re:

[base3]

The "good news" is that these "CNN events" are pretty common, and people aren't so fazed by them any more. And the public's attention span is woefully short, so the damage won't last more than a couple of weeks from a PR standpoint. Now if there are contract penalties for a breach, that's a different story altogether.

Re:

[borg007]

Wow. Here in Maine 4.2 million (yes million!) credit/debit cards were compromised by Hannaford Brothers, a grocery store chain. The company knew about for months, but never told their customers. Here's the latest news: http://pressherald.mainetoday.com/story.php?id=183060&ac=PHnws [mainetoday.com]

Re:

[Ironsides]

Have HR tell tell you what the fines are for a HIPAA violation. Then have them tell you what is covered under HIPAA. I'm pretty sure at least some of your computers contain HIPAA protected information. Then arrange a presentation with Upper Management.

Re:

[Durrok]

That is very good advice, thank you. Credit card numbers, customers purchase records, addresses, telephone #, etc is all stored on our servers or registers in one way or another and I'm sure part (if not all) falls under some part of HIPPA. Thankfully we have moved to an entirely encrypted system already so that narrows down some of our risk... but this was not always the case. It amazes me how a company/programmer/management can think that storing someone's private information in a plain text file is an ac

Re:

[macdaddy]

HIPAA doesn't apply to the GP. He's a retail store and there's no reason for them to have any medical-related data which is all the HIPAA covers.

Re:

[BlitzSonik]

I happen to work in Indiana in IT for a retail store and my boss and I were just discussing how to avoid a "CNN event" just like this. Hopefully this article will be the tipping edge for the upper management to give us the time and resources to be able to properly secure our network... but somehow I doubt it.

They don't care, believe me...I know! -Blitz

Re:

[Skapare]

Take a CNN story like this, edit it to show your company as the culprit including how sales dropped dramatically, set it up on a web server somewhere, fabricate a CNN-spoofing URL to access it, and use an anonymous web email account to send it to those upper level managers along with a comment saying "do you want to avoid a situation like this?".

State-wide data theft

[Anonymous Coward]

Is it just me, or is it every week that some state has over 500k identities compromised? We may as well have a ticker that says which state this week and how many. We really need to find alternatives, otherwise by the end of the year, over half of the USA will have their identities somewhere underground...

Re:

[bazald]

Agreed. This is so common, and so problematic, that you might expect a law to be passed making it illegal to have more than (let's say) 4 identities' information including social security numbers on a storage device without (at least) trivial encryption measures in place. This really shouldn't be so hard for people.

Re:

[WaltBusterkeys]

Economists would call this a a classic "externalities" problem. It costs a company next to nothing to store vast amounts of data about you [reputation...erblog.com], but they don't pay the cost when your data gets spread around.

Right now, there's no reason why a company (or a state government) wouldn't keep as much data about you as it can. Hard drive space is all but free (especially relative to these types of transactional data) and big database engines can rapidly sort through the data when it's needed.

But, the problem is that

Re:

[pclminion]

That would be awesome. Finally everybody would be forced to abandon the SSN as a unique ID and move to a system that isn't completely fucked.

Re:

[Culture20]

It wasn't state government this time, just a collections agency.

That's what they get for outsourcing . . .

[base3]

. . . to India...na . . . oh, wait.

Re:

[hullabalucination]

I have no problem with it. I speak Hoosierati fluently.

Business should assume that SSN is public

[PIPBoy3000]

At this point, it seems like just about everyone's SSN is out there in the public domain in one form or another. What pains me is that SSN is still used like a password for many institutions. Banks will ask for SSN, birthdate, and mother's maiden name. Unfortunately all of those things can be found out with a bit of digging.

The more these breaches happen, the more apparent it is that we need a better "proof of identity" mechanism. I'm not advocating for the government to pass out universal ID cards to everyone. I think I'd rather see something along the lines of SSL certificates, where business can issue identification to people and later use that number and passphrase to do business with them. Perhaps a handful of business certificates become the "gold standard" and and are accepted by other businesses as a valid identifier.

Re:

[menace3society]

I disagree, the solution is to do away with the concept of any sort of proof-of-identity mechanism. Whatever you come up with, people will always be able to forge it or fake it or commit fraud with. Banks and things like the current situation with the SSN because it gives them someone to go after in the short-term. In the long-term, of course, they have to give you back the money they took, but to do that requires the victim of fraud/identity theft to jump through quite a few bureaucratic hoops to prove

Re:

[sjames]

EXACTLY!

For every fraudulant charge by an identity thief there is a bank that willingly handed out money to someone without actually knowing who they were.

Every time they hassle the victim of identity theft for the cash, they are shaking down an uninvolved 3rd party. Since they know very well they don't have any real proof of ID, from an ethical point of view, they might as well just shake down random pedestrians outside their office.

Ban that practice and you can bet they'll stop handing out credit ca

Re:

[jambarama]

Even easier - we should just be able to get a new SSN. Whenever a data breach occurs, you should be able to file a form with the federal government, showing your information was leaked, and get a new SSN. Better yet, any time personal information is leaked, the leaking entity must offer the victims to file with the government for new SSNs.

This identifier from cradle to grave is for the birds. It is the same for biometric stuff - once it is leaked a single time, the cat is out of the bag and you can'

Bunkum

[FranTaylor]

Your "solution" does nothing to solve the problem.

- The "trust" you place in a digital certificate is misguided and fictional. Trust is a chain, and business cannot be "trusted" any more than the least scrupulous of their employees. If you organize data like this, it will just make it easier to steal. SSL certificates are okay for encrypting data, but next to useless for identity management.

- If all were implemented as you say, this computer theft would have taken the private keys as well, rendering the

Re:

[pclminion]

The "trust" you place in a digital certificate is misguided and fictional. Trust is a chain, and business cannot be "trusted" any more than the least scrupulous of their employees. If you organize data like this, it will just make it easier to steal. SSL certificates are okay for encrypting data, but next to useless for identity management.

What are you smoking? This isn't about trust, it's about a way for the business to positively identify you as a specific customer. I don't have to trust the business,

Re:

[g0bshiTe]

At this point, it seems like just about everyone's SSN is out there in the public domain in one form or another. What pains me is that SSN is still used like a password for many institutions. Banks will ask for SSN, birthdate, and mother's maiden name. Unfortunately all of those things can be found out with a bit of digging.

Amazing for a card with the words, Not to be used for identification purposes on the back of it huh?

Re:

[Cyberax]

ID cards are fine for identification.

But you also need means for authentication. Signatures are not good, they can be easily forged.

However, there are low-tech measures, like personal seals (http://en.wikipedia.org/wiki/Inkan) which are almost impossible to forge.

Personal SSL certificates? Or even better, a small personal device like eToken? Maybe.

Personally, I like low-tech more (maybe because I'm a programmer :) ).

Re:

[What Would NPH Do]

However, there are low-tech measures, like personal seals (http://en.wikipedia.org/wiki/Inkan) which are almost impossible to forge.

How would they be in the least bit impossible to forge? You just get a copy of something that the person has sealed. Use that as a basis to build a seal yourself and bam you're forging their identity. Your notion of it being impossible to forge might have been correct hundreds of years ago, but I very much doubt it would hold up against any modern forger. BTW from the wiki article:

The increasing ease with which modern technology allows hanko fraud is beginning to cause some concern that the present system will not be able to survive.

Re:

[Cyberax]

It's impossible to make a perfect copy of a seal, which can't be distinguished using a microscope. The pattern of micro-features of a seal is unique (assuming that it's a wood or plastic seal, it's not true for metallic seals).

Besides, detecting a fake seal is fairly easy, it's almost exactly like matching a bullet to a gun using micro-grooves on bullets.

Signature expertise, on the other hand, is a highly subjective process.

Re:

[What Would NPH Do]

It's impossible to make a perfect copy of a seal, which can't be distinguished using a microscope. The pattern of micro-features of a seal is unique (assuming that it's a wood or plastic seal, it's not true for metallic seals).

And how many times do you expect someone's seal imprint is actually looked at under a microscope? Never?

Besides, detecting a fake seal is fairly easy, it's almost exactly like matching a bullet to a gun using micro-grooves on bullets.

Did you even bother to read the wiki article that you linked?

The increasing ease with which modern technology allows hanko fraud is beginning to cause some concern that the present system will not be able to survive.

Apparently it's not that easy to detect in day to day transactions if the amount of fraud with respect to seals is becoming easier and easier to carry out.
You can talk all you want how it's detectable under a microscope, but do you honestly think that anyone does that on a regular basis? You can also tell the difference between counterfeit

Re:

[Cyberax]

And how many times do you expect someone's seal imprint is actually looked at under a microscope? Never?

For example, when you appeal a $100000 mortgage.

Did you even bother to read the wiki article that you linked?

My brother works at a criminal lab :)

Your solution is about as crappy as having people write their name on an index card and using that as a basis of ID verification.

No. I don't really care about $100-$200 frauds (which form the bulk of frauds). Merchants will just absorb the cost like they do with credit card frauds.

However, if someones takes a mortgage using a fake seal I want a reliable way to appeal it. Seals provide such a way, signatures do not.

Re:

[What Would NPH Do]

For example, when you appeal a $100000 mortgage.

Do you have any actual evidence that they do this? I've read stories of people scamming hundreds of thousands of dollars when using fake hankos.

My brother works at a criminal lab :)

So that's a no that you didn't even read the article you linked? You sqawked on and on about how the fraud was easy to spot but the article you linked was saying that it was getting easier and easier to commit hanko fraud with modern technology. Did you perhaps fail at reading comprehension?

No. I don't really care about $100-$200 frauds (which form the bulk of frauds). Merchants will just absorb the cost like they do with credit card frauds.

So basically you admit that your system will have little impact when it comes to the vast majority of fraud. So then what was the point of the seal system again?

However, if someones takes a mortgage using a fake seal I want a reliable way to appeal it. Seals provide such a way, signatures do not.

You can do this right now without needing to use a seal.

Re:

[Cyberax]

Do you have any actual evidence that they do this? I've read stories of people scamming hundreds of thousands of dollars when using fake hankos.

Yes, I live in Russia and I'm the owner of a small company. Each company in Russia must have the company seal (with imprints registered in a state registry), this is a strong anti-fraud measure. I personally know about several causes of appealed fraudulent deals.

You can certainly scam hundreds thousands of dollars using fake seals, I don't doubt it. However, the victim of identity theft at least won't have to absorb the damage.

So that's a no that you didn't even read the article you linked? You sqawked on and on about how the fraud was easy to spot but the article you linked was saying that it was getting easier and easier to commit hanko fraud with modern technology. Did you perhaps fail at reading comprehension?

Yes, I've read it. I fail to see how it contradicts me.

It has also become easie

Re:

[What Would NPH Do]

Yes, I live in Russia and I'm the owner of a small company. Each company in Russia must have the company seal (with imprints registered in a state registry), this is a strong anti-fraud measure. I personally know about several causes of appealed fraudulent deals.

So if you can point to several cases of fradulent deals being carried out using forged seals, it sort of shows that this system of seals is already broken.

You can certainly scam hundreds thousands of dollars using fake seals, I don't doubt it. However, the victim of identity theft at least won't have to absorb the damage.

You wouldn't have to know once the identity theft is uncovered.

Yes, I've read it. I fail to see how it contradicts me.

You don't see how it saying that it's increasingly easy to using forged seals contradicts your statement:

Besides, detecting a fake seal is fairly easy

If it was as easy as you claim, it wouldn't be getting easier and easier to commit fraud using forged seals as the article talks about.

It has also become easier to create counterfeit money, you just print them on a laser printer! Does it spell the end of paper money? I don't think so.

No, but it would fly in the face of someone procl

Re:

[Cyberax]

So if you can point to several cases of fradulent deals being carried out using forged seals, it sort of shows that this system of seals is already broken.

Any system is either "broken" or impossible to use.

You wouldn't have to know once the identity theft is uncovered.

How? You have no way to protest the deal. I've read about people losing hundreds thousands dollars on lawsuits to protest the fraudulent loans.

No, but it would fly in the face of someone proclaiming how easy it is to spot counterfeits when billions and billions in fake currency floats around at any one time.

No, that just means it's that protection measures of paper currency are adequate for the current situation.

I don't want 100% secure system which is also unusable and/or expensive.

Re:

[What Would NPH Do]

For example, when you appeal a $100000 mortgage.

So if someone is able to get a $100,000 mortage using a forged version of your seal doesn't that sort of tell you that your system of seals has already failed?

I previously misread the post that's why I made this follow up.

Re:

[Cyberax]

So if someone is able to get a $100,000 mortage using a forged version of your seal doesn't that sort of tell you that your system of seals has already failed?

No. The system fails if you don't have means to prove that the mortgage was a result of an identity theft (I remember I've read about several such horror stories in the news).

Re:

[What Would NPH Do]

No. The system fails if you don't have means to prove that the mortgage was a result of an identity theft (I remember I've read about several such horror stories in the news).

So let me get this straight. You propose a system to prevent fraud that in the end you admit doesn't prevent fraud. So what's the point of the system again?

Re:

[Cyberax]

To serve as a cheap and easy-to-use _failsafe_.

Re:

[jambarama]

We just need to hold businesses to be liable for actual damage probably caused by their data leak. If your SSN & other personally identifiable information was leaked by X Corporation, they should have to cover the expenses you incur when you're defrauded by the data thief. Pass a law like that and you'll see firms thinking really hard, not just about *how* to secure that data, but about *what* data they really need to be keeping.

Of course you'd have to put some kind of cap on damages (but it should

What authorities are saying

[Alzheimers]

According to anonymous officials, they're calling this heist even more daring than the time he stole the Ark of the Covenant away from the Nazis. [imdb.com]

100k's compromised?

[Anonymous Coward]

The data on hundreds of thousands of people compromised by a stolen laptop somewhere? It must be Tuesday.

How does a server get stolen?

[RingDev]

Even the non-technical companies I've worked for had enough sense to keep the servers in a locked closet.

Oh wait, this is yet another completely wrong summary...

-Rick

Next, on World's Dumbest Criminals....

[Seraphim_72]

I mean they stole the data of 700,000 people that were on the roles at a Debt Collection company. I mean, these are people that can't pay their bills and have bad credit. How stupid is it to steal that data. "Uh...my SSN is...er...123-45-6789" "I am sorry sir, with your credit score we can't issue you a card." Sure it is still a bad thing for those people to have their info exposed, but sheesh what is next - "Thieves get data of soup kitchen patrons, bankrupt Campbells."? My suspicion is that they are too dumb to know what they have stolen. "Should we bring this flat one? It ain't got no screen or keyboard?" "Sure, I bet its a dvd player, grab it."

Re:

[c_oflynn]

"The collection company was hired by hundreds of doctors and some utility companies to collect on delinquent bills. Every name is a customer or a patient."

Please note: you may want to steal the SS number of a doctor, I think their credit score is a bit better.

Re:

[Anonymous Coward]

Then I guess you'd be suprised how many people with above-average or better credit have collection accounts on their credit reports.

Health care providers are notorious for making almost no effort whatsoever to track down old patients that they forgot to bill for some random lab work. It's far easier (or in some cases more profitable) for them to just call it a loss, take the tax write-off, and sell the debt to a collection agency for pennies on the dollar.

It's to the point where most creditors simply ignor

Re:

[sjames]

Of course, with all of the "opportunities" for bad credit and no credit, this may actually be perfect! It's harder to get the account, but once they do, nobody will go looking for an identity theft given the victim's history.

The entire debt collections industry is already strongly biased towards assUmeing that any debt they buy is legitimate and the associated info like phone number and address are accurate even in the face of overwhelming evidence to the contrary. I say that as someone who has answered m

Not all have bad credit....

[realsilly]

Not everyone on a list has bad credit. You need to remember that in some cases outstanding medical debt does not negatively impact credit scores.

It's just that hospitals also use credit agencies to help recoup monies that people are neglecting to pay, and not always for the reasons of bad credit.

So there is a good chance that a lot of those people will have great credit.

These Criminals may not be as stupid as many of you seem to think.