Tessa Norman reports:
The number of customer data loss incidents reported to the FCA [Financial Conduct Authority] has increased significantly in the past year.
A Freedom of Information request published by the FCA shows that in 2013, the regulator was notified of 13 incidents where firms have lost customer data or had it stolen. Some 104,100 customers were affected by six of these incidents – the FCA says numbers are not known for the other seven incidents.
Read more on Money Marketing.
The term “loss” is nonsensical when it comes to data security breaches (unless data were destroyed). And passwords are equally not “stolen”. For this problem to be overcome we need to “come to terms” with the underlying issues: a) data are breached and gleaned, and because they never go missing, a clever intruder who covers his tracks is never found out until these data are used illegally (and often not even then depending on the hackers’ ulterior motives). And even then this can be tricky to prove. When gold bullion or a truckload of computer chips is stolen, they are gone and someone else has them. When data are “stolen” they remain “safely” where they were – they are simply duplicated elsewhere and then put to illegal use. Since everyone with deep enough pockets can pay a measly paid computer security guy some money he/she can gain access to such data. Often simply the gullibility of people involved suffices (“social engineering”). b) Passwords never need to be compromised!!! They are because they are stored on servers. They need not be. To verify a password, it suffices to compare it with its own hash. This would be calculated the first time the password is negotiated (at the setting up of an account or on password renewal), then the password would immediately be “forgotten” (it WOULD NEVER even be written to non-volatile storage!!!) and whenever the user offers his/her password, that password would -“on the fly”- be re-hashed and the hash compared to the stored hash or “finger-print” of the PIN or password. So, to sum it up: the “stolen” data could be made almost worthless if passwords were never stored and b) passwords need never be stored. Simple, isn’t it? It would probably stop 90% of cyber-crime as we today know it!
I’d love to have the power to change how entities report or describe breaches. “Data leak” also makes the hairs stand up on my neck.