August 15, 2018

On stolen data with privacy-relevant information

I just received a first-class letter from the State of Ohio, telling me:

The State of Ohio has confirmed that your name and social security number was contained on a computer back-up device that was stolen. It is unlikely that someone can access the data contained in the device without specialized knowledge and equipment. Because we have no information to date that the data has been accessed, everything we are doing, or suggesting that you consider doing, is preventative.

The State of Ohio is doing everything possible to recover the stolen device and protect the personal information that was on the device. We regret that the loss of this sensitive data may place an undue burden of concern on you.

The letter explains how I can sign up with Debix for their identity protection services, and provides a PIN for me to use. (So, now I can spread my SSN further. Wonderful.)

The last time I set foot in Ohio was over three years ago, when I testified about electronic voting security issues, so it seems odd that they would still have my SSN on file. I don’t recall if they specifically asked me for my SSN, but it’s common for these sorts of things to ask for it as part of reimbursing travel expenses. It’s also possible that my SSN was on this backup tape for other reasons. Some news stories say that sixty Connecticut citizen’s information were present on the tape; I’m from Texas, so that shouldn’t have affected me. The State of Ohio has its own official web site to discuss the incident, which apparently happened back in June, yet they’re only telling me now.

Okay, let’s see if we can figure out what’s going on here. First, the “back-up device” in question appears to be nothing more than a backup tape. They don’t say what kind of tape it was, but there are only a handful of options these days, and it’s not exact hard to buy a tape drive, making the “specialized knowledge and equipment” line seem pretty unlikely. (As long as I’ve been doing security work, I’ve seen similar responses. The more things change…) So what actually happened? According to the official web site:

The Inspector General investigation determined that: “OAKS administrators failed to protect confidential information by authorizing state employees, including college interns, to take backup tapes containing sensitive data to their homes for overnight storage”; “OAKS, OIT (Office of Information Technology) and OBM (Office of Budget and Management) officials failed to report the theft of confidential information to state and law enforcement officials in a timely manner”; and “OAKS administrators failed to protect confidential information by allowing personnel to store sensitive data in an unsecured folder on the OAKS intranet.” The Inspector General found no evidence to suggest state agencies or employees engaged in criminal or illegal behavior surrounding these circumstances.

At its core, Ohio apparently had fantastically poor procedures along with what Jerry Saltzer refers to as the “bad news diode“, i.e., bad news never flows up the chain of command. Combine those and it shouldn’t be surprising that something would eventually go wrong. In my case, such poor procedures make it believable that nobody bothered to delete my information after it was no longer necessary to retain it. Or, maybe they have some misguided anti-terrorist accounting rule where they hang onto this data “just in case.” Needless to say, I don’t know.

It’s reasonable to presume that this sort of issue is only going to become more common over time. It’s exceptionally difficult to keep your SSN truly private, particularly if reimbursement paperwork, among other things, unnecessarily requires the disclosure of a SSN. The right answer is probably an amalgamation of data destruction policies (to limit the scope of leaks when they happen), rational data management policies (to make leaks less likely), and federal regulations making it harder to convert a SSN into cash (to make leaked SSNs less valuable).

(Sidebar: when my wife and I bought a new car in 2005, the dealer asked for my SSN. “I’m paying cash. You don’t need it,” I said. They replied that I could either wait until the funds cleared, or I could let them run a credit check on me. I grumbled and caved in. At least they didn’t ask for my fingerprint.)

Comments

  1. The stolen data was actually from an intern’s laptop. Apparently some genius thought it would be more secure if the data was stored on multiple locations, and this particular laptop happened to be taken home with the guy. It was stolen from his car.

    • Many research has shown a high percentage of data being stolen over the last 5 years. But taking the impact one step further, to the individual employee and consumer level, our survey gets to the heart of the issue – everyone is a victim. Organizations need to better protect one of their most valuable assets – customer data
      Check our current accounts and isa savings offerings. See other great offering for a Bank accounts

  2. A very similar thing recently happened to IBM:

    http://www.internetnews.com/security/article.php/3678096

    As a former IBM intern, I got an email about explaining what happened, along with an offer to sign up with ID TheftSmart.

  3. Automobile dealers have to keep records on automobile purchases of the preceding six months for FinCEN, disclosing them upon FinCEN request, as part of the USA PATRIOT Act’s anti-money laundering provisions. It was a provision that sunsetted in 2002, but has been extended repeatedly since then. I don’t see that it specifically required collecting SSNs, but it does require disclosing any SSNs that are collected upon a request from FinCEN.

    What would they have said to you if you had paid with actual currency, eliminating their “wait for it to clear” excuse?

  4. Ned Ulbricht says:

    It’s exceptionally difficult to keep your SSN truly private […]

    There’s a type of market failure occurring here.

    First, I’d agree that in today’s environment, there are sound pragmatic reasons for people wanting to keep their SSNs somewhat private. But, that said, people shouldn’t need to keep their SSNs private.

    It’s a fundamental error to use account identifiers as authentication tokens. Account identifiers need to be disclosed. Authentication tokens need to be kept confidential.

    Your SSN is an account identifier. “Identity theft” and similar problems stem in large part from the wide-spread use of SSNs as a very weak authenticator. There’s a kind of market failure occurring here. The organizations in the best position to provide reasonable security have externalized many costs of poor security. SSN account holders bear costs that they have no control over.

    All this, btw, does side-step some separate issues regarding information aggregation.

  5. Paragraph three, “effected” should read “affected”.

    Fantastic blog you have here. Always fascinated by the stories.

  6. One of the most unusual things of my experience in the US is how prevalent the SSN number is, and yet how it is also viewed as a magic secret that only the owner knows. Here in the UK, the closest equivalents are the taxpayer ID -the national insurance number- and something separate for the health service. There is no single number, at least not yet. And because of that, developer’s dont build applications that use SSNs as primary keys for entries.

    In the US, because everyone is assumed to have an SSN, too many applications are coded using it as the unique key for every entry. Even the local climbing wall in the town I lived in demanded it for their records. The best way I dealt with this was normally to say “I’m foreign, I dont have one”. Which would normally trigger the “how to handle someone without an SSN” process, which many places seem to have.

    Yes, long term the system needs to change so that SSNs are not viewed as a secret key that unlocks wealth. But shorter term, we need to convince developers to stop using SSNs as 1ary keys in databases. Because they are no good. There’s no way to deal with foreign customers, or government staff whose SSN is a secret; there’s no way to deal with the common problem -a mistyped SSN-, and, because of the way they are issued, they arent widely spread across the number space enough to make them a good hash value.

  7. Your SSN is an account identifier. “Identity theft” and similar problems stem in large part from the wide-spread use of SSNs as a very weak authenticator. There’s a kind of market failure occurring here. The organizations in the best position to provide reasonable security have externalized many costs of poor security. SSN account holders bear costs that they have no control over.

    There is no market. Consumers do not have the choice of deciding to use the SSN system or some other equivalent system provided by an alternate supplier. Where a monopoly of supply exists, the quality of the product delivered is poor. Exactly what free-market theory (and logic) predicts.

    As for vendors asking for SSNs “because it helps their database”, in this case a market does exist and the best choice is to walk away to a different vendor. You make your own decision to balance convenience against security, so when you choose convenience at least you know who is responsible for your loss of security.

  8. Damn, screwed up the quote tag…

  9. I don’t understand what you mean at the end — what funds need to clear when you’re paying cash?

  10. Mike: I think he was talking about a personal check clearing.

    Ed: When making large one-time cash purchases, a cashier’s check is usually the best way to go. If that doesn’t work, threatening to take your business elsewhere usually does wonders as well.

    I think the entire “ask for SSN” thing has become de rigeur of late… a lot of companies have implemented procedures for dealing with clients without this particular credential, and as a one of the posters mentioned above, you only need to say you don’t have the number in order to trigger those procedures. Giving them a bogus number is probably also an option, although I’m not at all sure about the legality of doing so…

  11. Indeed, I was talking about a personal check, as I don’t particularly want to drive around with a suitcase full of $100 bills. It’s possible to cancel a regular check, which could be what the dealer was trying to insure themselves against (i.e., if you’ve got a dodgy history, they might then insist on another method of payment). This contrasts with a cashier’s check, which it is not possible to cancel. Next time I buy a car, I’ll try to use that mechanism.

    The question is whether services like Debix or “freezing” my credit reports or any other mechanism could effectively deny read-permission to my credit data from the big agencies. Sure, here’s my SSN, but you can’t do anything with it.

    (Kamil: the original post was written by me, Dan Wallach, and not by Ed Felten.)

  12. My bad… after 4 years, you’d think I’d have learned that more than one person writes on this site!

  13. Cashier’s checks are nearly as problematic nowadays as personal checks. There is apparently now a growing fraud problem with counterfeit cashier’s checks, and many businesses hold transactions where the payment is in c.c. because of this.

    Dan, I hope you recognize that you sacrificed privacy and security in this situation for a small quantity of convenience. I would argue that a similar perceived convenience was the direct cause of the theft of the SSN data.

  14. My understanding of current Federal law requires that a) people who do not need your SSN cannot require it, or b) if they require it, they must state why. Even for government items like student loans, immigration request for foreign family, taxes, etc. They have to state your divulging the SSN is voluntary (as it almost always is), or why it is required (say, a background check for securty reasons–not financial reasons). True, it does add convenience and speeds things up giving it, but it still does expose you to possible fraud, as is becomming more and more common.

    But, yes, using the SSN as an authenticator is a broken system. But something more secure will take a while yet to introduce, not just because of the government, but also because ot the individuals affected–everyone.

  15. Interesting read. Almost scary.

    The last paragraph about buying the car sparked a memory of when I bought my last (used) car. After saying “No” to all the ‘extras’ that the sales agent was trying to push, He asked how long I wanted the lease. I said I was going to pay cash and so with a grumble he started filling out the paperwork on his computer. He stopped at one point and asked for my SSN. I said no and he said that he couldn’t go on without putting it into the computer. I told him to put all “111-11-1111”. Then, I watched him reach up and hit the key.

  16. Private-sector entities in the US *may* ask for your SSN, and they *may* refuse you service if you don’t provide it. The federal prohibition applies only to government agencies. Most consumers would rather do what they’re told (and then bitch about it to their friends) than put up a fight, which perpetuates this situation.

    I first refused to give out my SSN in 1980 when I registered for classes at the University of Illinois (U-C), where SSN was the default student ID number. They already had a procedure for dealing with this, and it was not at all an issue. The punch line here is that I was working for the U as a graduate assistant, so of course they already had it!