Karen Seidman reports:
McGill University has succeeded – for now – in shutting down a website that had exposed confidential and personal information about McGill donors, embarrassing the university and raising questions about the security of private information.
The information included how much donors had given in the past and how much they were being targeted to give, as well as home addresses, personal phone numbers and their connection to McGill.
The WikiLeaks approach seems to be catching on, huh? Just yesterday I posted about LindenLeaks, and now this example.
In a kind of WikiLeaks operation, an unidentified person or group put up a website on the weekend called McGill-Leaks that posted confidential documents from McGill’s Development and Alumni Relations department.
The website said it was planning to release confidential and strictly confidential documents over the next three weeks, saying its purpose was to provide a clear account of the university’s inner workings, supply accurate information on the university’s relationship with the private sector and create transparency.
Read more on Montreal Gazette.
But who is really getting hurt by these leaks? In the LindenLeaks case, the students themselves were clearly victims. In this other case, the university is more directly affected and a case could be made that more transparency on the university’s part might have obviated some problems- even though that doesn’t excuse any criminal behavior.
In 2011, right-wing extremists threatened to take up guns to change society. In 2012, extremists continue to take up keyboards to effect change locally and globally. And the middle just spectates this all and wonders where it will end.
Sadly, the amount of collateral damage in the hacking/disclosure approach seems to be contributing to the erosion of privacy online and those who demand respect for human rights or claim lofty goals need to understand that if the populace just accepts that there is no privacy, we will all be in a much worse place. I continue to hope that hackers will demonstrate some thought and restraint and NOT dump personally identifiable information on people who may not have done anything wrong. So far, a few hackers have adopted that approach (Kahuna, CabinCr3w and more recently, Th3Consortium). I hope that more join them in that policy.
If hackers wanted to send a clear message, rather than hurt the true victims, they should rally on the side of law enforcement. Send the Attorney General the information; that way any site or organization will have to answer to a Federal inquiry. Why do they need to “prove” the act was committed to the general public? I honestly do not see a lot of people running around with their hair on fire about these hacks. It may affect them if they are part of Wall Street, but honestly all that does is lower the stock for a little while so people can buy/sell accordingly.
If the Attorney General sees it all, they can assess the issue and levy a more strict way for these businesses to be more secure. There has to be a better way. The mode of Ecommerce to fill the coffers while leaving the PII door practically wide open is not good business practice.
This process is broken, but honestly it starts with the people. They need to be painfully aware what can happen to them if their PII is used in a manner which could cost them monetary loss, a severe hit to their credit rating and potentially spending a lot of time on the phone with the bill collectors.
Once the people are well versed in what they should do, and what questions should be asked about their PII, then a smarter crowd is more dangerous to a company that knowingly is operating in a shady or non-compliant mode. Then, should they be a victim of a breach/leak, they have a better idea whether or not these businesses deserve their business in the future.
Simply not understanding the criticality of PII and rolling the dice and hoping not to roll a snakebite is not good enough. This data can lay dormant for many, many years and if eventually leaked it is very hard to track back where it came from. People should be very reluctant to give up PII; there are alternate ways to do just about anything.
Though all of this is intertwined in the world of privacy, legal and a few other “clear as mud” entities out there that make changes semi-difficult, they need to be made for the sake of the individual potentially at risk. Corporations in general need to accept the fact that they at times are as guilty as the person harvesting the PII data to abuse it.
There’s not a better way to make Corporations cringe than when their hacked data is given to a high level of law enforcement. Putting PII data on Pastebin is fruitless. Victims hardly understand what PII is, let alone that a site named Pastebin exists for dumping their info. PLUS, the majority of the hacks WOULD be reported to a higher authority, meaning that Corporations in general wouldn’t be able to sweep much under the rug.
I can count on a few fingers the number of state AGs who would do anything if insecurity were reported to them, and if you think Holder would do anything, I want some of what you’re smoking.
One value of proving/advertising a hack publicly is that members of Congress become more aware of how extensive and pervasive the problems are – and maybe – just maybe – they’ll do something? I don’t see where hacks have lasting damage on entities other than in a handful of cases, but I think their publicity can make the public and Congress more aware and can be used to encourage entities to invest more in better security.
Those pre-retirees in Congress are there to plug holes in their party line instead of doing anything good for the nation. They can’t even come to agreement on mild manners, let alone something as complex as a law, act or regulation that should last at least 5 years. It’s the old SOBs that have been sitting in there since the 1970s or before that are truly old school and may not understand the rate at which technology is taking off.
There are more egos in Congress than on a basketball court or football field; if you truly believe they are going to get something done, you’ve put your trust in the wrong corner.
It doesn’t have to be the AG, it could be the secret service, FBI or other Federal agency that will look at the evidence in front of them and at least inquire. This is not brain surgery; people don’t report themselves. If you give them ample time, they will cover up a mess or better yet tamper with evidence before a professional can come in and at least look around.
I agree that people don’t report themselves if you make it optional, which is why I think we need a national notification law. Am I optimistic/hopeful about them? Hell, no. That senators can keep dusting off the same bad bill proposals and reintroducing them every year instead of coming up with a strong bill and acting in a bipartisan way is disgusting.
As to your alternates: under the current system, if companies do report a breach to the FBI or Secret Service, the public – including those affected – may not find out about the breach. And while Visa and Mastercard may require an entity to arrange for forensic investigation and to harden their security, I don’t see either the FBI or Secret Service doing that if a breach is reported to them. The FTC would be a good agency to report breaches to, but of course, they’d need a lot more resources and some more authority than what they currently have. And I do think there are some breaches that should be reported to the FBI or Secret Service because of their implications or risks.
In any event, I think we need to keep breaches in the news and public arena for now until Congress does something on a national basis or until all states have strong laws that include paper records. One thing I occasionally do in reporting on breaches on this blog is to ask myself – or readers – whether a particular breach would even require notification under existing laws and whether it should require notification. Sadly, there are still a lot of breaches that do not trigger reporting/notification requirements that should trigger notification in a more perfect world.