Data breach: If customers don't act, data will remain at risk
To make enterprises take data security seriously, customers must take control of their personally identifiable information and stop handing it out to businesses.
Behind The Firewall: A week or so after the news broke about the data theft at TJX Cos. I was standing in line at a Marshall's store in Massachusetts and the woman ahead of me was about to swipe her credit card when she paused and looked at the cashier.
|
 |
||||||||||||||||
|
|||||||||||||||||
"Are credit cards safe to use here now?" she asked.
"Oh yes. They've taken care of all of that," the cashier assured her. "Everything is fine now." And so the woman swiped her card and went on her way.
Fast forward a month and we get the news that someone—no one seems to know whether it was employees, customers or a roaming band of bored crackers—managed to remove the pinpad devices from a number of Stop & Shop grocery stores in Rhode Island and Massachusetts, modified them in some as-yet-unknown way and then returned them to the stores. Thousands of customers are now at risk for financial loss and identity theft because the folks at Stop & Shop decided to save 35 cents and not bolt the pinpads down. Of course they've rectified that now, but the horse, as they say, is definitely out of the barn.
|
||||
|
|
|||
|
||||
Actually, some people are paying very close attention, namely the senior management of major corporations around the country. And what they're seeing is that the outcry over these incidents is getting progressively less intense and shorter with each successive incident. They're taking that as a signal that consumers see these breaches and thefts as somewhat of an inevitability. That leads to a lax attitude toward information security and so we end up with massive thefts like the TJX incident and the almost comical ineptitude at Stop & Shop.
The one thing that is clear from all of this is that it's time to stop entrusting these companies with our private information. They're clearly not up to the task and are showing no signs that they regard these incidents as anything more than minor annoyances to be handled by their crisis PR teams.
Enough already. It's now up to each individual to take control of his personally identifiable information and stop handing it out to every Web site, retailer and restaurant that asks for it. There are a number of practical steps you can take right now to reduce the amount of sensitive information you expose to potential theft. Discover Card has a small applet that generates one-time-use account numbers for online shopping , allowing users to shop without revealing their actual credit card numbers. Citibank offers something similar, called Virtual Account Numbers . And IBM researchers are working on a system called Identity Mixer that will let users generate artificial identities for online use.
A key piece of this puzzle is the huge databases of customer data that companies—particularly retailers—maintain for marketing purposes. In many cases customers voluntarily give up their personal information in return for a customer loyalty card, which entitles them to some small discounts or other benefits. Most consumers see this as an acceptable trade-off, but in the current climate it's worth reconsidering whether a five percent discount on Lucky Charms is worth the potential problems down the road if that store's database is attacked. Many people have said no, and some have started projects that game these systems by swapping loyalty card numbers among members .
