In mid-2006, the New York Times and the Associated Press revealed that a laptop containing the personal information of 26.5 million U.S. veterans had been stolen. This is about 9% of the U.S. population. The 26.5 million individuals who were affected were all living veterans who had been discharged since 1976. When the data breach was announced, there was an uproar in the press and among veterans. The question most often asked was, how could this happen? The reality is that many other organizations of all sorts and sizes have suffered similar breaches in their information security. The organizations affected by these security breaches range from government departments to nonprofit organizations and multinational corporations. Only some states require companies to publicly disclose breaches. Reports are most prominent (or at least most visible) in the English-speaking world, so we are most able to discuss breaches that affect Americans.
TJX is an example of a company that announced a breach. TJX owns well-known brands in the U.S. such as T.J. Maxx and Marshalls, and it has retail stores in Canada and Europe. TJX announced on January 17, 2007, that its computer systems had been hacked. The personal data that was compromised included customer information related to purchases and returns, and it contained credit and debit card numbers. The number of credit and debit card numbers compromised by the attackers is unknown, but estimates (and opinions) range from about 45 million to as many as 200 million cards. According to a TJX press release, TJX believes that its systems were intruded upon from as early as July 2005 until January 2007. Eighteen months was enough time for the attackers to thoroughly ransack the TJX computer network.
Some of the data that was stolen from TJX was used to commit crimes. Police in Florida arrested six people suspected of a fraud scheme that used the stolen credit card data. Unfortunately for TJX, one of the victims was Massachusetts Attorney General Martha Coakley, whose information was used to fraudulently purchase a Dell computer. That probably contributed to the early momentum of the investigation.
Over half of all Americans have been sent notices that their personal data may have been compromised in one of the many breaches that have been disclosed. This number seems low given the vast number of databases containing personal information, the rates of reported laptop theft, and how personal information is bought, sold, and traded. One effect of these “breach notices” is that the sorry state of information security has become more visible, and people want to know why things are so bad.
Chapter 4 is devoted to breaches, so we won’t dwell on that topic here. Suffice it to say that security breaches can cause real pain to individuals whose personal data has been compromised, and one of the major causes of concern with such incidents is the threat of identity theft.