Are Hackers Getting a Bum Rap?

March 20, 2007 -- Have you been a victim of identity theft? Has someone hacked your credit card number? Don't necessarily blame the hackers.

Corporations and institutions that have lost private information are usually responsible for the loss themselves, according to new research.

In most cases, it's an inside job. Mismanagement of sensitive files, lax security, lost equipment and employee theft are responsible for 60 percent of 589 reported incidents of compromised data between 1980 and 2006.

"Hackers aren't the only culprits," said Phil Howard, assistant professor of communications at the University of Washington.

Howard and Kris Erickson, a doctoral candidate at the university, combed through thousands of news reports over the last 26 years to produce a scathing indictment of companies and universities across the country.

Hackers Go to College, but Not Far Beyond

The picture differs sharply between corporations and educational institutions. Hackers have zeroed in on colleges and universities, tapping into personal records of students and their families. And they aren't interested in learning about grades.

Universities keep much the same kind of information on hand as financial corporations do: Social Security numbers, dates of birth, income, and all the other bits of data that are useful to someone wanting to steal another person's identity.

Hackers are responsible for more than 47 percent of incidents involving stolen records from colleges and universities, compared with 31 percent of all incidents, according to the new study. That suggests hackers have found schools easier picking than companies.

1.9 Billion Records Compromised

The research shows that at least 1.9 billion records have been exposed over the last 26 years, frequently through incompetence. More than 6 million records are exposed every month. And the rate is climbing, so by the end of this year the running total of personal records compromised in the United States should top 2 billion.

Hackers will be partly to blame, but the researchers say the primary blame belongs to schools and corporate America and sloppy controls over data that should remain very, very private.

Unfortunately, no one knows for sure just how much damage all that hemorrhaging of sensitive information will cause.

"We know that identity theft is on the rise, and it makes sense that having more compromised personal records will lead to more identity theft, but in a lot of cases there's no clear connection," Howard said.

That's partly because the new state laws that require companies to inform people when their records have been exposed don't require the companies to follow up and determine whether the exposure led to criminal activity, such as identity theft, he said.

Danger Overstated?

In the most celebrated case of all, the compromise of millions of records at an Arkansas company in 2003 did not have disastrous consequences.

Daniel Baas, a 24-year-old computer systems administrator, stumbled into a hacker's paradise when he gained access to millions of consumer records at Acxiom Corp., one of the largest companies in the world specializing in acquiring and selling personal financial data.

"He legitimately had the password to upload data to the main Acxiom server," Howard said. "And he guessed that this might be the same password for downloading data. He was right. And so he started downloading a large amount of data. He wasn't supposed to do that, and it was an unwise security decision to have the same password for uploading and downloading."

Baas pleaded guilty to "exceeding authorized access," but he apparently didn't do much with the records.

"He didn't execute any fraud with them," prosecutor Robert Behlen told reporters after Baas entered the plea. "He apparently liked to collect information."
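The Acxiom incident described above comes down to one credential that granted both directions of transfer with no ceiling on volume. The following is an added example, not code from the article or from Acxiom: a small, hypothetical model of a file-exchange server's access control that puts the weak configuration (one shared account for upload and download) beside a hardened one (separate per-direction credentials, each confined to the client's own directory and capped at a byte budget). Account names, paths, secrets and budgets are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical access-control model for a data-exchange server, written for this
# article. It is not Acxiom's system; every name, path and secret below is made up.


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive a stored verifier from a password so the plaintext is never kept."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Account:
    name: str
    salt: bytes
    secret_hash: bytes
    operations: frozenset       # subset of {"upload", "download"} this credential may perform
    prefix: str                 # path prefix the credential is confined to ("" = whole server)
    byte_budget: int            # bytes this credential may move before it is cut off
    bytes_used: int = 0


def make_account(name, secret, operations, prefix, byte_budget):
    salt = os.urandom(16)
    return Account(name, salt, hash_secret(secret, salt), frozenset(operations), prefix, byte_budget)


def authenticate(accounts, name, secret):
    """Return the Account for a valid name/secret pair, else None (constant-time compare)."""
    acct = accounts.get(name)
    if acct is None:
        return None
    if not hmac.compare_digest(hash_secret(secret, acct.salt), acct.secret_hash):
        return None
    return acct


def authorize(acct, operation, path, nbytes):
    """Decide one transfer. Returns (allowed, reason).

    A valid credential requesting an operation it was never granted is exactly
    the pattern in the Acxiom case, so every denial here is worth logging."""
    if operation not in acct.operations:
        return False, f"{acct.name} is not granted '{operation}'"
    if not path.startswith(acct.prefix):
        return False, f"{acct.name} is confined to {acct.prefix!r}"
    if acct.bytes_used + nbytes > acct.byte_budget:
        return False, f"{acct.name} would exceed its {acct.byte_budget}-byte budget"
    acct.bytes_used += nbytes
    return True, "ok"


def weak_config():
    """One shared account for the 'main server': anyone who can upload can also
    download everything, because upload and download are the same credential."""
    return {"main": make_account("main", "client-secret", ["upload", "download"], "", 10**12)}


def hardened_config():
    """Separate credentials per direction, confined to the client's own directory
    and capped at a volume consistent with normal use (constructed figures)."""
    return {
        "client42-upload": make_account(
            "client42-upload", "up-secret", ["upload"], "/clients/client42/inbox/", 500 * 10**6),
        "client42-download": make_account(
            "client42-download", "dl-secret", ["download"], "/clients/client42/outbox/", 50 * 10**6),
    }


def simulate_reuse(accounts, name, secret):
    """Replay the incident: a credential issued for uploads is tried for a bulk
    download of another client's data. Returns [(operation, allowed, reason), ...]."""
    acct = authenticate(accounts, name, secret)
    if acct is None:
        return [("auth", False, "bad credential")]
    upload_path = acct.prefix + "batch.dat"                       # a legitimate upload
    bulk_path = "/clients/other/outbox/consumer-records.dat"      # someone else's records
    return [
        ("upload",) + authorize(acct, "upload", upload_path, 1_000_000),
        ("download",) + authorize(acct, "download", bulk_path, 2 * 10**9),
    ]


if __name__ == "__main__":
    for label, accounts, name, secret in [
        ("weak", weak_config(), "main", "client-secret"),
        ("hardened", hardened_config(), "client42-upload", "up-secret"),
    ]:
        for op, allowed, reason in simulate_reuse(accounts, name, secret):
            print(f"{label:9} {op:9} {'ALLOW' if allowed else 'DENY '} {reason}")
```

In the weak configuration the guessed reuse succeeds silently; in the hardened one the same request is refused at the operation check, and even the legitimate download credential is refused when it strays outside its directory or asks for more bytes than its budget, which is the point at which an alert should fire.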

Not all these incidents have a pleasant or at least benign ending. Loss of personal records can be a painful and expensive experience, as millions of Americans have learned over the last couple of decades. And hackers, while not the only villains, are part of the problem.

Howard says they get a "bum rap," because institutions are more at fault. Still, his own research shows that when you look at the total amount of lost data, excluding the Acxiom case, "hackers account for the largest volume of compromised records, some 45 percent."

Better management of private records by corporations and universities would make hackers' skullduggery much more difficult, but more needs to be done. Although some states have enacted laws to force companies to inform persons when their data have been exposed, that only applies to residents of each particular state.

A California company, for instance, is not required to tell a man who lives in Florida that his records have been compromised in California.

"I think this is the next logical place for federal oversight," Howard said. "It works well in quite a few states, and it makes sense to make it comprehensive for the nation."

Perhaps the financial world could learn something from the medical world. Medical records are subject to very strict controls, for obvious reasons.

Medical Records Better Protected

"We found 589 incidents over 26 years, and only a handful involved medical records," Howard said. "That's because the legislation in the medical domain is pretty strong. It punishes people who don't treat the data properly."

He also thinks it's time to refocus the responsibility for protecting personal data.

"We tend to focus the responsibility for doing something about this on individuals," he said. "It's up to you to check your credit history and make sure there are no mistakes. It's up to you to protect your passwords and make sure nobody is looking over your shoulder. But it turns out that most of the compromised records come from organizations and you don't have a lot of control over the data about you. That's where I think we should be looking."

It doesn't do much good to follow your own strict security rules if someone else leaves a laptop containing your financial records on the backseat of a car that is subsequently stolen, as happened in one recent case.

Howard and Erickson, who published their findings in the current issue of the Journal of Computer-Mediated Communication, relied on news media accounts for their research, so there is some margin for error: there is no central clearinghouse for reports of compromised data. They say their findings are probably conservative, so the situation could be even worse.

At the very least, even if we throw all the hackers in prison, this problem is not going to be solved until corporations and universities get really serious about protecting sensitive information.