topic Re: Another day another data breach... in Privacy

Another day another data breach...

AppDefects — Mon, 09 Oct 2023 09:52:43 GMT

Car insurance provider Geico has suffered a data breach where threat actors stole the driver's licenses for policyholders for over a month. Geico is the second-largest car insurance company in the United States, with over 17 million policies for more than 28 million vehicles.

Switching to Geico can subject you to identity theft...

https://oag.ca.gov/system/files/DL3_IndNoticeLttr_CA_Redacted.pdf

Re: Another day another data breach...

Caute_cautim — Tue, 04 May 2021 04:12:35 GMT

@AppDefects Yet another statistic, so if media recognition and penalties do not work? What is next to ensure that organisations, individuals take heed and recognise their responsibilities to reduce, or prevent these from happening?

Regards

Caute_Cautim

Re: Another day another data breach...

denbesten — Tue, 04 May 2021 04:48:19 GMT

The current standard of "1 year of credit monitoring" and a not-an-apology letter is not a very high bar.

Maybe we ought to also require Geico pay for new license numbers for all impacted parties. Ditto for anyone that discloses national identifiers, credit card numbers, etc.

Even better would be for the DL#s to be changed every few years. Back in "the day", each drivers license renewal came with a new number. Somewhere along the line, this stopped and my new license now has the same number as the old one. Classic example of convenience vs security.

Re: Another day another data breach...

Caute_cautim — Tue, 04 May 2021 04:58:45 GMT

@denbesten But haven't you heard the word on the street? Digital Identity will save the day with the full support of government entities?

However, your response would be great, if it could be applied, so there is no wriggle room for them to worm their way out of the situation - leaving only potential door open i.e. bankruptcy or change the companies name and start again?

Regards

Caute_Cautim

Re: Another day another data breach...

tmekelburg1 — Tue, 04 May 2021 12:34:19 GMT

@denbesten wrote:
The current standard of "1 year of credit monitoring" and a not-an-apology letter is not a very high bar.

You didn't get the, "We take your security and privacy very seriously...🤢" letter? I'm shocked!

Even better would be for the DL#s to be changed every few years. Back in "the day", each drivers license renewal came with a new number. Somewhere along the line, this stopped and my new license now has the same number as the old one. Classic example of convenience vs security.

I 100% agree with this statement. Identity shouldn't be tied to any permanent number, e.g., DL #, SSN, etc. with how easy those are to steal. Is Blockchain our answer here @rslade?

Re: Another day another data breach...

CISOScott — Tue, 04 May 2021 13:33:24 GMT

But if your "proof" of identity changes, how will we know it's you?

Re: Another day another data breach...

tmekelburg1 — Tue, 04 May 2021 14:07:00 GMT

@CISOScott

And @Caute_cautim brought up another great point of a digital identity established through a company and they end up going out of business. What then happens to your digital ID at that point? I could be wrong here but it makes sense for the authoritative source for your digital ID to be kept at your State BMV (Bureau of Motor Vehicles) where you currently get your physical ID.

If they stay on schedule this year our State BMV will be rolling our digital ID's with the thought of most people will always have their phone with them. The next logical step here would be able to use that digital ID to authenticate with sites on the web and 2FA using biometrics stored on the phone.

What are your thoughts on proofing? It makes sense for the systems to do all of the proofing on the backend

Re: Another day another data breach...

rslade — Tue, 04 May 2021 16:57:23 GMT

> tmekelburg1 (Contributor II) mentioned you in a post! Join the conversation

> Is Blockchain our answer here @rslade?

It's people like you what cause unrest ... 🙂

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

Re: Another day another data breach...

rslade — Tue, 04 May 2021 17:02:23 GMT

> CISOScott (Community Champion) posted a new reply in Privacy on 05-04-2021 09:33

> But if your "proof" of identity changes, how will we know it's you?

New [social media platform or personal access device]: who dis?

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

Re: Another day another data breach...

Caute_cautim — Wed, 05 May 2021 04:50:38 GMT

@CISOScott Some great thinking here, Proofing is a good point - within New Zealand they call it a Digital Identity trust network - creating a trust network, whereby trust is manufactured:

https://www.researchgate.net/publication/337033946_A_Decentralized_Digital_Identity_Architecture

Yes, it uses Blockchain using a distributed decentralised network.

One thing to think about guaranteeing that the integrity of the individual's identity under the World Health Organisation (WHO) should last on average for 110 years. Technology needs a refresh after 5 years, so in that case, one would have had to refreshed the underlying architecture 22 times for the average lifespan of a human being in a best case scenario. Who should be in charge, and who will ensure that the backend processes are conducted correctly and audited regularly?

Regards

Caute_Cautim

Re: Another day another data breach...

Caute_cautim — Wed, 05 May 2021 05:03:30 GMT

@rslade Trust of course, everyone trusts everyone don't they? Or is this not true?

Perhaps an Apple did not land on Newton's head whilst contemplating gravity?

Regards

Caute_Cautim

Re: Another day another data breach...

tmekelburg1 — Wed, 05 May 2021 12:50:34 GMT

@Caute_cautim wrote:
Who should be in charge, and who will ensure that the backend processes are conducted correctly and audited regularly?

My guess would be as it matures in the U.S., the Federal Gov would set the required regulatory standards that each State had to follow. So the Central Gov would set the standards for the Local Gov if I understand it well enough in your area. This is only for official gov issued ID's. e.g., SSN, DLN, etc. though. It's a completely different discussion of 'who' when it's not tied to that.

EDIT: Looks like it's going to be large service providers like Amazon, Microsoft, IBM, and Google that work in conjunction with the Country. South Korea has rolled this out already:

Building a secure digital ID using Amazon Managed Blockchain | AWS Database Blog

Re: Another day another data breach...

Caute_cautim — Sat, 08 May 2021 04:28:05 GMT

@tmekelburg1 There are many issues decentralisation for one, building up a trust network, and actually trusting the Government itself. Because although they may be the entity that issues Driving Licenses, Passports, you have a different set of entities in the financial sector i.e. banks, credit cards etc. Anti Money Laundering (AML) advocates have an important say as well.

Normally, UK Government (which failed), Estonia, Australia, Singapore, Canada, even Iran has a Digital Identity regime - some have mandated and some have actually failed by making it mandatory for instance. Sweden and others are looking it from birth to death cycles. Then there is the infighting going on between vendors, and suppliers and who has a relationship with the government of the day, and exactly what information and statistics they themselves want out of the system, to make their own decisions etc.

Regards

Caute_cautim