Shostack + Friends Blog Archive

 

Published Data Empowers

There’s a story over at Bloomberg, “Experian Customers Unsafe as Hackers Steal Credit Report Data.” And much as I enjoy picking on the credit reporting agencies, what I really want to talk about is how the story came to light.

The cyberthieves broke into an employee’s computer in September 2011 and stole the password for the bank’s online account with Experian Plc, the credit reporting agency with data on more than 740 million consumers. The intruders then downloaded credit reports on 847 people, said Dana Pardee, a branch manager at the bank. They took Social Security numbers, birthdates and detailed financial data on people across the country who had never done business with Abilene Telco, which has two locations and serves a city of 117,000.

The incident is one of 86 data breaches since 2006 that expose flaws in the way credit-reporting agencies protect their databases. Instead of directly targeting Experian, Equifax Inc. and TransUnion Corp., hackers are attacking affiliated businesses, such as banks, auto dealers and even a police department that rely on reporting agencies for background credit checks.

This approach has netted more than 17,000 credit reports taken from the agencies since 2006, according to Bloomberg.com’s examination of hundreds of pages of breach notification letters sent to victims. The incidents were outlined in correspondence from the credit bureaus to victims in six states — Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. The letters were discovered mostly through public-records requests by a privacy advocate who goes by the online pseudonym Dissent Doe…

There are three key lessons. The first is for those who still say “anonymized, of course.” The second is for those who are ok with naming the victims, and think we’ve mined this ore, and should move on to other things.

So the first lesson is what enabled us to learn this? Obviously, it’s work by Dissent, but it’s more than that. It’s breach disclosure laws. We don’t anonymize the breaches, we report them.

These sorts of random discoveries are only possible when breaches and their details are reported. We don’t know what details are important, and so ensuring that we get descriptions of what happened is highly important. From that, we discover new things.

The second lesson is that this hard work is being done by volunteers, working with an emergent resource. (Dissent’s post on her work is here.) There’s lots of good questions about what a breach law should be. Some proposals for 24 hour notice appear to be being drafted by people who’ve never talked to anyone who’s investigated a breach. There are interesting questions of active investigations, or those few cases where revealing information about the breach could enable attackers to hurt others. But it seems reasonably obvious that the effort put into gathering data from many services is highly inefficient. That data ought to be available in one place, so that researchers like Dissent can spend their time learning new things.

The final lesson is one that we at the New School have been talking about for a while. Public data transforms our profession and our ability to protect people. If I may borrow a line, we’re not at the beginning of the end of that process, we’re at the end of the beginning, and what comes next is going to be awesome.