
Who Can we Trust to Keep our Data Safe?

2008 August 28

A cursory search of the BBC website shows how much data loss is in the media at the moment. I found seven stories about data that was lost this year alone. The culprits ranged from government departments losing data affecting four million people in the period January to April, to a Royal Bank of Scotland hard disk with bank account details of millions of credit card applications turning up on eBay. Yet these are not the only examples of how poorly, it seems, government and private business are treating our private data. And this treatment potentially puts our identities at risk. We have so far been lucky, as far as we know, that criminals have not stolen identities through such negligence.

It beggars belief how sensitive data like account details, signatures, phone numbers and family details – enough to open fraudulent accounts – can be stored unencrypted. Yet time and again we hear how data like this turns up in places like trains and online auctions.

Now there’s a new low in data security. When I applied for Incapacity Benefit, I had to undergo a medical. The government contracts this out to a private company, ATOS Healthcare. Out of the blue they phoned me one Saturday afternoon. I later discovered that it was to arrange this medical. But they started out, without introduction, asking me to confirm my postcode and date of birth. Assuming it was a phishing call (to try to get personal data in order to steal my identity), I asked for proof of who they were. I even rang the police, who said I’d done the right thing (but couldn’t do anything even if it was a phishing call). Eventually, they sent me a written form.

Thinking this was a one off, I forgot about it. Then I bought an item in America, on the Internet, by credit card. This is something I do rarely, and my credit card company flagged it. Their security team then phoned my mobile, again out of the blue. This time I got an automated system claiming to be the card company. It too began asking for sensitive security data. This time I phoned the number I had for them and sorted it out that way.

It seems to me that cold calling, starting out by asking for sensitive data, is dangerous. Imagine I rummage through your bin and find a letter from FictionCard. You’re careful. You shred any sensitive data. This letter had nothing more than your name, address and phone number, saying how proud they were to offer such a great customer a lower rate. I now know you’re a FictionCard customer. I have your basic details, and a number to call you on.

“Hello, is that Mr. Smith? Hello, it’s Fred here from FictionCard. We’ve had an unusual transaction on your credit card and want to check out that it’s a genuine purchase. Can I start by confirming your postcode and date of birth please…?” Which of course I don’t offer you. After all, I’m genuinely from FictionCard so you know I know this already. Right?

Crazy. Would your granny think before giving out this information?

Here are the items I found in a five minute search (United Kingdom):-

Health board lost patients’ data: http://news.bbc.co.uk/1/hi/scotland/south_of_scotland/7584048.stm
When financial data goes missing (RBS): http://news.bbc.co.uk/1/hi/business/7576572.stm
Firm ‘broke rules’ over data loss: http://news.bbc.co.uk/1/hi/uk_politics/7575989.stm
Extent of data losses is revealed: http://news.bbc.co.uk/1/hi/uk_politics/7570611.stm
Discs loss ‘entirely avoidable’: http://news.bbc.co.uk/1/hi/uk_politics/7472814.stm
Tougher data laws needed, say MPs: http://news.bbc.co.uk/1/hi/uk_politics/7168588.stm
‘Lax standards’ on data security: http://news.bbc.co.uk/1/hi/uk_politics/7295467.stm