Hearing on “The Threat of Data Theft to American Consumers”


Testimony of Eugene H. Spafford
Professor and Executive Director, Purdue University Center For Education and Research in Information Assurance and Security (CERIAS)

Citizen concerns about disclosures of personally identifiable information (PII) held in computer databases are not surprising given the significant — and growing — number of reported breaches each year. Organizations are increasingly collecting data about various groups of people and storing that data in computing systems for their use in various business processes — or simply to warehouse for possible future use. However, those systems are often not adequately protected, and portions of the data are exposed by accident or stolen with criminal intent.

Data may be disclosed in a number of ways. Some disclosures are accidental, as a result of carelessness or flaws in the operation of underlying software (or rarely, hardware). Usually, the disclosures are a result of malicious behavior coupled with inadequate protections and policies. Malicious disclosure may come about from authorized employees (insiders) or customers who are taking or disclosing information, usually for financial gain. These disclosures may occur over a long time. These disclosures are often to confederates who commit the crimes using the information, thus making it more difficult to identify the source of the disclosure.

It may not be immediately obvious why disclosure of some of this information might be of concern. In some cases, the disclosure might only be of an account name and some password hint, or directory information that might be otherwise easily found in a public directory. However, such information in context or in combination with other information can be quite damaging. The presence of a record in a database is informative — that someone is a customer, patient, or subscriber, for instance. Combining information from several different sources may allow someone to infer much more than from any single source alone (and given the availability of information on social media sites and from other breaches, this is not difficult to do). It is then how these bits of information are used that is of concern. Certainly, any disclosure poses a privacy concern to some users, but there are additional concerns related more specifically to criminal activities:

  • Identity theft
  • Harassment and stalking
  • Spear phishing
  • Tracking for physical crime
  • Extortion
  • Inference
  • Direct fraud

Read the entire testimony of the Hearing on “The Threat of Data Theft to American Consumers”, May 5, 2011.
