(Angry Customer) Someday, someone will explain why your name, address and social security number are so important, they must be stored on laptops that people keep losing (baddadradio.com)

More: Scary

6421 clicks; posted to Main on 30 Jan 2008 at 2:38 PM

59 Comments

Archived thread

2008-01-30 11:21:58 AM
I can't think of any reason why organizations don't mandate encryption on all laptops, no exceptions. We've had that policy in our 300K+ employee company for a while and it's never caused an issue. Prevented a few, I imagine.
 
2008-01-30 11:30:50 AM
I'm having a hard time figuring out why this data needs to be on a laptop that is leaving the office in the first place. Are they going to go door to door?
 
2008-01-30 11:33:09 AM
I would support Federal laws mandating that any corporate entity that loses control of data on its customers be fully responsible for compensating each and every customer affected, regardless of whether or not identity theft actually takes place, for three times each customer's net worth. Also, each affected customer should be able to swat the CEO no less than three times with a bamboo cane.
 
2008-01-30 12:18:00 PM
It's truly horrifying that my hard-earned 740 credit score can be wiped into oblivion in five seconds if some idiot from Wachovia or Chase or wherever is dumb enough to lose his s**t. Almost scary enough for me to pay the $19 a month for LifeLock...I said "almost."
 
2008-01-30 12:18:15 PM
DoBeDoBeDo: I'm having a hard time figuring out why this data needs to be on a laptop that is leaving the office in the first place. Are they going to go door to door?

No, they're selling it to illegal immigrants.
 
2008-01-30 12:30:16 PM
Eh, depends on the organization. If it is one of the smart ones, then there is no reason why this data should be taken off company grounds.

If it is like the organization that I currently work for, then good luck keeping that stuff confidential.

/I work for an organization where some employees INSISTED that they have access to that kind of data 24/7 from anywhere in the world, and almost got it until the smart people prevailed.
//George Costanza could really go far in my organization.
 
2008-01-30 02:43:46 PM
facepalm.jpg

Sensitive customer data being stored on portable, valuable-on-eBay media? Good thinking, Johnson.
 
2008-01-30 02:44:05 PM
How about not allowing the data to be kept on laptops, but instead be located on servers with RSA encryption key protection? Then you just VPN into the server from your laptop.

/How one DoD contractor handles HR.
 
2008-01-30 02:44:18 PM
eh.. data loss, and it's not in the UK... strange. We must have had something to do with it.
 
2008-01-30 02:45:19 PM
You have no right to privacy, citizen.
 
2008-01-30 02:45:21 PM
The ghetto ass school district here started giving kids laptops. Each one is supposedly equipped with GPS and a method for destroying the hard drive should the laptop be lost.

Other than cutting slightly into their profit margins, why don't these assholes subscribe to the same system? If the shiat-ass school system here can do it, why not a company worth at least a few hundred mil?
 
2008-01-30 02:46:43 PM
I had to give an SS number to my dentist before he would consent to pull a tooth---and I was paying cash.

Some lady at Hollywood Video wanted my SS number before she would rent me a movie, I told her to go to hell.

Would have done the same to the dentist, but the tooth hurt too badly.
 
2008-01-30 02:46:56 PM
Said this before.

My proposal if private data is on a portable computer which is outside of the office when stolen:
1) The company owes $10,000 cash to every person affected, and must pay for credit monitoring for 5 years afterwards for every person.
2) $10,000 fine for each person's information compromised.
3) The person who had custody of the notebook PC is guilty of a misdemeanor, say about 30 days in jail, for not keeping track of it.
4) The person who required the employee in question to keep that info on a computer is likewise guilty of the same crime, same jail time. Same cell if possible.

Parts (3) and (4) do not apply when the information compromised is stolen off of a central storage system (the servers).

There's no farking reason why anybody should have that kind of data off premises in this day of VPNs. The companies need to quit asking for information that isn't 100% necessary and the employees need to be more careful when they have it.
 
2008-01-30 02:48:51 PM
I say ban all personal information!!1

\not really
\\i agree w/pocket ninja
 
2008-01-30 02:50:31 PM
What akula said. I wish there was serious enforcement of SSN requesting. A freakin' gym(bally's) does NOT need my SSN.

When I'm getting tested for an STD, they do NOT need my SSN. Yes, there's better ways to provide anonymity for results. SSN is not one of them, since it's not anonymous.

A credit check? Let's use something other than an SSN. How about some read-only identifier?
 
2008-01-30 02:51:13 PM
olddinosaur I always give false info when paying cash. Nobody's business what my name or ssn or anything else is.........
 
2008-01-30 02:51:20 PM
British: What akula said. I wish there was serious enforcement of SSN requesting. A freakin' gym(bally's) does NOT need my SSN.

When I'm getting tested for an STD, they do NOT need my SSN. Yes, there's better ways to provide anonymity for results. SSN is not one of them, since it's not anonymous.

A credit check? Let's use something other than an SSN. How about some read-only identifier?


?
 
2008-01-30 02:51:43 PM
I was a TA for a major campus. The prof gave me an excel list of the students to aid in creating a grade book, which he got from the office of the registrar in order to help learn names.

I immediately noticed the excel columns were labeled A,B,C,AA,AB,AC and wondered what happened to D-Z. Well, after unhiding them I discovered that not only did I know my students names, I knew their addresses, phone numbers, cell phone numbers, parents' addresses, birth dates, and yes, social security numbers.

I deleted all of that extra information, as it wasn't ethical to keep it and presented me with a liability should my computer get stolen, but I never decided to pick a fight with the idiots at the registrar who decided that was a secure way to transfer information. It's nice to know all of my former profs probably have my social security number and cell phone too.
 
2008-01-30 02:52:31 PM
TheNewJesus: Each one is supposedly equipped with GPS and a method for destroying the hard drive should the laptop be lost

What is this glorious tracking technology with obvious destructive capabilities and where can I get some? How do they destroy the hard drives? Thermite, black powder, C4?
 
2008-01-30 02:54:57 PM
Your use of commas baffles me.
 
2008-01-30 02:54:59 PM
(rant) I am appalled that large financial institutions reap considerable profit from trafficking in private data without thought or recompense to the owners of said information. This unwholesome practice leaves citizens to bear significant risk from identity theft should the information pass to criminal hands, or at the very least, we endure persistent and intrusive sales calls and junk mail from the organizations that purchase the data. Let me be clear that I do not begrudge legitimate profit through trade, rather I am disheartened that such conduct is allowed to persist unhindered and unregulated due to the political influence the financial institutions wield.

If legal ownership of personal data is in question, I would assert that our birth certificates, Social Security cards and other forms of identification serve as de jure titles and deeds testifying to the legitimate ownership of our personal data as personal property, let alone that such property is already being bought and sold as de facto on the open market.

I want legislation that would require corporations to receive written permission to sell, lease, share or otherwise transfer for profit private data, as well as provide fair remunerative compensation to citizens whose information is used in this manner. I imagine that regulatory measures would garner wide political support from property rights advocates on the far Right to the corporate antagonists on the far Left. (/rant)
 
2008-01-30 02:56:21 PM
British: When I'm getting tested for an STD, they do NOT need my SSN. Yes, there's better ways to provide anonymity for results. SSN is not one of them, since it's not anonymous.

Many (if not most) states do not allow for anonymous std testing, with the exception of HIV. By law positive results must be shared with the state.
 
2008-01-30 02:58:20 PM
Someone is given a stack of crisp bills every time one of these laptops or USB drives full of IDs are "accidentally lost or stolen."
 
2008-01-30 02:59:09 PM
i87.photobucket.com
 
2008-01-30 02:59:42 PM
Lamune_Baba: Someone is given a stack of crisp bills every time one of these laptops or USB drives full of IDs are "accidentally lost or stolen."

I think they prefer to deal in tacos.
 
2008-01-30 02:59:43 PM
I can only speak from the experience of the one company I worked for that attempted to institute laptop encryption, but...

the IT dept and management were slaves to the users. Users got whatever they wanted when it came to computers. Everyone had root access to their PCs and laptops just because they whined and complained every time management suggested locking things down - caused a massive spyware epidemic.

Users were scared to death of file servers for some reason, insisting that the gigabytes of data...and mp3s, pictures, ripped DVDs, and pirated software all be located on their local drive. Made backups REAL fun!

Along those lines, when mandatory encryption came down the pipe, it consisted of a single encrypted folder placed on the user's desktop that they could voluntarily use if they had any sensitive data. I have no doubt it was a completely symbolic move on management's part just so they could say they used encryption. What a joke.
 
2008-01-30 02:59:53 PM
Lamune_Baba: Someone is given a stack of crisp bills every time one of these laptops or USB drives full of IDs are "accidentally lost or stolen."

Personal info has become so pretty much valueless.

Your SSN isn't worth anything anymore.
 
2008-01-30 03:08:38 PM
While the sentiments expressed are pointful and poignant, I must say that was a thoroughly underwhelming letter. Though I see the benefit of using this enervated excuse for a screed as a point of departure for discussion of this problem, I must believe that there is something out there that both makes the same points and is entertaining. Remember, this is not news, it's Fark.

So I am shooting the messenger a little.

As for the salient points, there is only one that deserves any defense: the mere fact of this data being on a portable computer taken out of the secure workplace. To prohibit this would, admittedly, make the data more secure. It would also prevent use of this data outside of the workplace, and that would cause a drop in productivity. In the last several jobs I have had, the most productive and successful people were always plugged in at home or at work, and frequently had all the tools and data they needed to do their job wherever they were. While I think this is on the whole a bad thing, raising expectations for other employees unreasonably, it is undeniable that it lowers the cost of labor (since these people are always salaried).

That said, there is absolutely no reason that this data should not have been encrypted with a key long enough to prevent unauthorized access to the data within the maximum likely lifespan of any individual whose data was included. This stuff is cheap. Course, it's a likelihood approaching certainty that the key for the encryption would be stored with the computer regardless of any training or policies. It's just too hard to memorize 1024 hexadecimal digits.

On all other points I agree. There is no reason whatsoever that the SSN should be used by any group other than the federal government for 1) Social Security, 2) Taxation, and 3) Verification of citizenship, and I am not so sure about that last one.
 
2008-01-30 03:09:32 PM
I once had trouble with a palm pilot that I had purchased at Best Buy- apparently it had been set to work from a wireless signal rather than from the USB cord. Anyway, I brought it to the geek squad, and the guy switched the setting and did a hot sync with the computer behind the desk to make sure it worked properly. When I got home, I noticed that a few files had been transferred from their palm desk top to my palm pilot during the hot sync, and one file contained the name and social security numbers of about 5 people, whom I assume were employees.

/true story
//prolly should have told them about that
 
2008-01-30 03:11:19 PM
akula: Said this before.

My proposal if private data is on a portable computer which is outside of the office when stolen:
1) The company owes $10,000 cash to every person affected, and must pay for credit monitoring for 5 years afterwards for every person.
2) $10,000 fine for each person's information compromised.
3) The person who had custody of the notebook PC is guilty of a misdemeanor, say about 30 days in jail, for not keeping track of it.
4) The person who required the employee in question to keep that info on a computer is likewise guilty of the same crime, same jail time. Same cell if possible.

Parts (3) and (4) do not apply when the information compromised is stolen off of a central storage system (the servers).

There's no farking reason why anybody should have that kind of data off premises in this day of VPNs. The companies need to quit asking for information that isn't 100% necessary and the employees need to be more careful when they have it.


The one thing this doesn't take into account is the cases where the person with the laptop really isn't aware that they've been given sensitive information.

For instance, when a marketing weasel asks for the raw data from a survey because he wants to send thank you gifts to participants, he might not be aware that that raw data includes their social or the names of people who opted out of having any future contact.

I'm not saying there shouldn't be repercussions but I suspect that if items 1 and 2 were in place, the people responsible would learn the lesson the hard way anyway, when their company fires them for costing them millions in penalties and fines.
 
2008-01-30 03:11:27 PM
Barakku: I think they prefer to deal in tacos.

img166.imageshack.us
 
2008-01-30 03:11:47 PM
This just in....if you went to Georgetown University between 1998-2006, were a staff or faculty member there during that time, or even if you go there now, your social security number and other private information is now in the hands of thieves. We discovered this January 3. Sorry for the late notice. Our bad.
 
2008-01-30 03:18:36 PM
I can't speak for anyone else, but I buy stolen information online so my doppelganger army will be more credible. And I have fake histories to use when I sign up for naughty websites.


/Not that I use naughty websites
//Often
///Boobies
 
2008-01-30 03:20:34 PM
Well, I'm from Ohio, and I'm getting a kick out of these replies. My social was stolen because some stupid intern left a data tape in his car... who the hell uses data tapes anymore anyways?! Ohio does... asshats

/I bet there was zero encryption also. Not that anyone has a tape drive to mount it anyways.
 
2008-01-30 03:25:43 PM
akula: Said this before.

My proposal if private data is on a portable computer which is outside of the office when stolen:
1) The company owes $10,000 cash to every person affected, and must pay for credit monitoring for 5 years afterwards for every person.
2) $10,000 fine for each person's information compromised.
3) The person who had custody of the notebook PC is guilty of a misdemeanor, say about 30 days in jail, for not keeping track of it.
4) The person who required the employee in question to keep that info on a computer is likewise guilty of the same crime, same jail time. Same cell if possible.

Parts (3) and (4) do not apply when the information compromised is stolen off of a central storage system (the servers).

There's no farking reason why anybody should have that kind of data off premises in this day of VPNs. The companies need to quit asking for information that isn't 100% necessary and the employees need to be more careful when they have it.


I like it, although I don't see any reason that the offense cannot be a federal one, and involve key positions in a company/government organization. If some field guy who for some reason has personal information on a laptop has it go "missing," the worker, supervisor/manager, and their information security person and/or board of directors/executives should be brought up on charges. Nail a few bastards to the wall and fine a couple companies out of existence and all of a sudden security becomes "economical." That has happened with occupational health and safety, no reason why this should be any different.

I'm in the military and I know that the MPs will feed my nuts to their dogs if I "lose" personal or sensitive information. Funny how operational security remains tight with clearly defined do's and don'ts and harsh punishments that are used when rules get broken.
 
2008-01-30 03:27:08 PM
str8 cash, homey
 
2008-01-30 03:27:23 PM
When I was a temp, I had to consolidate personnel data from three old databases to one new one. The data was presented to me as Excel spreadsheets, with no unique identifiers for the employees. So I had to migrate the records based on matching first names and last names only, for about 10,000 records. What a friggin' mess.

My solution was to harvest a bunch of baby names off a Web site and use that to create a mapping of first names -> common variants. So Ed matched Eddie and Edward, etc. I wrote a perl script and matched the records that way.

The thing that really kills me is, IT had unique identifiers for these records: last four digits of the SSN + Last name. It would have been much, much easier to use this unique identifier rather than having to do this fuzzy matching perl script. But they wouldn't provide the last 4 digits of the SSN. That's confidential! It made me wonder why the hell they even bothered having a unique identifier if it couldn't be used for such an obvious application.

I can pretty well guess why this wonderful project got pawned off on a temp. The real kicker is that this completely ad hoc--and in my mind, really awful--solution to their problem that never should have happened in the first place happened in the IT dept of one of the largest HMOs in the USA.
 
2008-01-30 03:29:10 PM
kornkob: The one thing this doesn't take into account is the cases where the person with the laptop really isn't aware that they've been given sensitive information.

For instance, when a marketing weasel asks for the raw data from a survey because he wants to send thank you gifts to participants, he might not be aware that that raw data includes their social or the names of people who opted out of having any future contact.

I'm not saying there shouldn't be repercussions but I suspect that if items 1 and 2 were in place, the people responsible would learn the lesson the hard way anyway, when their company fires them for costing them millions in penalties and fines.


That's not a bad argument, but sometimes I wonder just how hard these folks try to keep these computers protected. And it isn't just computers; an exec at a local bank had a briefcase stolen out of his car with the info of new accountholders because he wanted to strut his stuff in front of the board, and just left the crap in his car.

I think often the businesses don't worry too much about things because there's no personal repercussions. A middle manager and an analyst peon don't care about the company taking a million dollar fine- they probably wouldn't have seen that in a bonus anyway. However, real jail time would get them paying close attention, since it isn't just the company's money anymore. If the workers flat refused to take it home and the managers didn't insist, then everybody would be more careful.

TypoFlyspray: As for the salient points, there is only one that deserves any defense: the mere fact of this data being on a portable computer taken out of the secure workplace. To prohibit this would, admittedly, make the data more secure. It would also prevent use of this data outside of the workplace, and that would cause a drop in productivity. In the last several jobs I have had, the most productive and successful people were always plugged in at home or at work, and frequently had all the tools and data they needed to do their job wherever they were.

Three letters: VPN. If you can't log in securely, then you don't need to be screwing with it there. Most home internet connections will allow for VPN connections, and the info can stay on the server. Laptops aren't the enemy; loading it to the gills with sensitive info is.

Even without the personal jailtime, there's gotta be a way to make these companies pay some attention to the fact that when they dick around, it is our anuses that bleed.
 
2008-01-30 03:29:51 PM
footfungusamongus: Well, I'm from Ohio, and I'm getting a kick out of these replies. My social was stolen because some stupid intern left a data tape in his car... who the hell uses data tapes anymore anyways?! Ohio does... asshats

/I bet there was zero encryption also. Not that anyone has a tape drive to mount it anyways.


Didn't we just go through this a few days ago; tapes are really still the best way to backup data. And as I said the people who think hard drives are good for backing up are the same ones who look for ping times when choosing an internet connection.
 
2008-01-30 03:31:40 PM
TheNewJesus: The ghetto ass school district here started giving kids laptops. Each one is supposedly equipped with GPS and a method for destroying the hard drive should the laptop be lost.

Other than cutting slightly into their profit margins, why don't these assholes subscribe to the same system? If the shiat-ass school system here can do it, why not a company worth at least a few hundred mil?


Very easy, your school district has no interest in the massive bonus paid to the CEO and other execs of these companies. They won't spend the money on the equipment as it cuts a few thousand out of the bonus.

Every laptop in corporate America should be encrypted and all data accessed should reside on a secure server. Downloading of SSN and other PII to non secured portable devices should be a felony offence with minimum fines against the corporation of at least $100,000, i.e. more than the cost of implementing the security in the first place.

For good measure, make it a sliding scale, $100,000 for a small company say under 50 employees, double it for 100, double again for 250, double again for 500, and so on so when some company like Chase screws up it costs them a shiat load of $$$.

/PII = personally identifiable information
 
2008-01-30 03:40:46 PM
You know, it's probably stupid of me to blame the technology, but I hate these farkin' "stolen laptops with my SSN on it" This has happened 3 times to me -- not really, no one's stolen my identity yet, but I did have BC/BS in NJ a while back. It also happened to some auditing firm that was auditing Fidelity, that had my 401K.

Who had this brilliant idea -- "Ooh, we can encode everyone's info one DVD-ROM! And load it on the thinnest, lightest, laptop EVAR. We can take it to teh beach or the park." What is this bullshiat? You got a job to do, do it on a desktop computer, hardwired to a mainframe, in a lockable building.

Everyone's so caught up in this craze. The ideal perk for a midlevel manager is a laptop, so they can take their work home with them. It's just plain dumb. No one wants to take their work home. No one should be forced to work at home. The whole security issue should be managed by the workplace.

Feh. More people should realize this is all about conspicuous consumption. The thinnest, highest power laptop to maintain a list of names and numbers, just great.
 
2008-01-30 03:45:46 PM
akula: Three letters: VPN. If you can't log in securely, then you don't need to be screwing with it there. Most home internet connections will allow for VPN connections, and the info can stay on the server. Laptops aren't the enemy; loading it to the gills with sensitive info is.

Absolutely. We don't keep any company data on our laptops; whoever has a laptop connects to our server via the Internet. And we don't even have anything that secret, just company proprietary data. No personal data etc.

Not only does it protect the data in case something happens to the laptop but replacing it is also a breeze. No need to worry about irrecoverable data, lost time, etc.
 
2008-01-30 03:58:48 PM
here's a question, and perhaps a revolutionary idea:

Some commenter suggested (don't know if it's true) that it's actually illegal for someone not concerned with taxes or Social Security to request your SS#, and that they can't use it for an ID#.

And, since they're not doing anything tax-related, and are [illegally] using for an ID#, can anyone see a problem with giving a _fake_ SS# to anyone who asked?

"My Social Security number? sure, it's 123-45-6789." and as long as you remember to use that number every time you deal with them, they'll always have the right person, but there will be no association with your real number (which there shouldn't be).

thoughts?
 
2008-01-30 04:01:18 PM
tweekster: Lamune_Baba: Someone is given a stack of crisp bills every time one of these laptops or USB drives full of IDs are "accidentally lost or stolen."

Personal info has become so pretty much valueless.

Your SSN isn't worth anything anymore.


Fine. What's yours?
 
2008-01-30 04:05:54 PM
They can't be that important... in the past 4 or 5 days I've had to give out all of that information numerous times. I say we get a Real ID card so we know for sure you're you.
 
2008-01-30 04:14:42 PM
fudomyoo: here's a question, and perhaps a revolutionary idea:

Some commenter suggested (don't know if it's true) that it's actually illegal for someone not concerned with taxes or Social Security to request your SS#, and that they can't use it for an ID#.

And, since they're not doing anything tax-related, and are [illegally] using for an ID#, can anyone see a problem with giving a _fake_ SS# to anyone who asked?

"My Social Security number? sure, it's 123-45-6789." and as long as you remember to use that number every time you deal with them, they'll always have the right person, but there will be no association with your real number (which there shouldn't be).

thoughts?


It's not illegal for a company to ask. It's also not illegal for you to give them another ID. HOWEVER.

The space of socials is very small. You're likely giving them someone else's real SSN. If you're doing this for financial concerns, this could land you in seriously hot water if they report weird credit activity to the police.

I wouldn't do it, personally.
 
2008-01-30 04:17:07 PM
PeeOnYou: They can't be that important... in the past 4 or 5 days I've had to give out all of that information numerous times. I say we get a Real ID card so we know for sure you're you.

I think we should be given GUIDs and have them stamped into our femurs. Then again, my bar-coded ancestors might think I've lost my damn mind.
 
2008-01-30 04:22:06 PM
At this point, I'd like to divorce myself from my SS# and shiatcan it. The SS# thing is so archaic and fraud-friendly, I'm surprised our entire economic system hasn't collapsed because of it.

/Put a man on the moon 40 years ago, but can't come up with a better system. WTF?
 
2008-01-30 04:27:55 PM
Tartha De Tear: fudomyoo: here's a question, and perhaps a revolutionary idea:

Some commenter suggested (don't know if it's true) that it's actually illegal for someone not concerned with taxes or Social Security to request your SS#, and that they can't use it for an ID#.

And, since they're not doing anything tax-related, and are [illegally] using for an ID#, can anyone see a problem with giving a _fake_ SS# to anyone who asked?

"My Social Security number? sure, it's 123-45-6789." and as long as you remember to use that number every time you deal with them, they'll always have the right person, but there will be no association with your real number (which there shouldn't be).

thoughts?

It's not illegal for a company to ask. It's also not illegal for you to give them another ID. HOWEVER.

The space of socials is very small. You're likely giving them someone else's real SSN. If you're doing this for financial concerns, this could land you in seriously hot water if they report weird credit activity to the police.

I wouldn't do it, personally.


Some folks have suggested transposing two of the numbers for places that really don't need your actual SS#. That way if you get called for it, you just made an oopsie and accidentally transposed them.
 
2008-01-30 05:29:08 PM
Nick Nostril: At this point, I'd like to divorce myself from my SS# and shiatcan it. The SS# thing is so archaic and fraud-friendly, I'm surprised our entire economic system hasn't collapsed because of it.

/Put a man on the moon 40 years ago, but can't come up with a better system. WTF?


The work required to replace SSN with something larger and more secure would absolutely dwarf all other data endeavors - including Y2K. It is everywhere and used for all kinds of business processes.
 
Displayed 50 of 59 comments
