THE theft of computer data at an Arizona company that put as many as 40 million credit card accounts at risk for fraud may have been the largest case of stolen consumer information yet.
To Catch a Thief (June 25, 2005)
But the incident, which was revealed last week and may have occurred months ago, surely will not be the last. In fact, the theft was only the latest in a series of incidents, not all of which involved criminal activity. Earlier this month, for example, United Parcel Service lost data tapes with personal information on nearly four million customers of Citigroup.
The problem of keeping data secure "exists on lots and lots of levels," said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. "You begin to see that the United States has an enormous problem that is spiraling out of control."
And like seismologists who can look at smaller tremors and know that a major quake is in the offing, consultants and others who study data security and identity theft can confidently predict that more trouble is ahead.
The question, for them, is one of magnitude, whether there will be the electronic equivalent of the Big One, an incident so widespread, compromising so much personal information, that it devastates the system of financial transactions that underpins the consumer economy.
Security experts acknowledge that while there will continue to be breaks in security, such a catastrophe is unlikely. Instead, they say, the threat is more insidious and gradual and involves more than just money, as other information like medical records are digitized and stored electronically.
"The long-term danger is extraction of self," Mr. Rotenberg said. "That others know more about you than you know about yourself."
From a financial standpoint, the 40 million accounts at risk in the most recent theft may sound like the Big One. Yet officials with Visa, MasterCard and the Tucson, Ariz., company where the theft occurred, CardSystems Solutions, were quick to point out that the records known to be stolen involved about 200,000 accounts. And even 40 million is a tiny fraction of the billions of credit cards issued worldwide.
For all their high-tech nature, crimes involving electronic data can be very labor intensive. Account information may be stolen in bulk with a few efficient lines of software code, but they are sold in much smaller numbers to other criminals who withdraw money or buy goods one transaction at a time, and usually only for a short period until the fraudulent activity is detected.
"Does anybody seriously think that a group of thieves are going to steal money from 40 million accounts?" asked Clifford Stoll, a former security consultant and author of "Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage."
Instead of a single devastating event, a more likely outcome, many security experts say, is that smaller data thefts will continue, with a gradual nibbling away at confidence in the system. Some consumers may become more wary of electronic commerce.
"My guess is that there will continue to be a lot of low-level crime," said Bruce Schneier, an influential security expert. "But when grandmas start losing money, Congress will have to do something."
Specialists in data security have long thought that protections were inadequate. Edward Tenner, a columnist for Technology Review and the author of "Why Things Bite Back," recalls speaking at security conferences nearly a decade ago "where the risk of identity theft was already considered severe."
Data thefts and accidental losses have always occurred, Mr. Tenner said. What has changed is that there is now a law in California requiring companies to inform consumers when their information is breached.
Rebecca Bace, president of Infidel, a security consulting firm in Scotts Valley, Calif., said the law represented a fundamental change. "You no longer have the prerogative of hiding that you've been hacked," she said. "People knew it was bad, but no one adequately predicted the visceral impact of seeing the number and severity of cases that have occurred."
Ms. Bace said that the cumulative effect of such incidents might be that some people, particularly those who are already anxious about their financial situation, become more wary of electronic transactions. Reports of data thefts, she said, "make people a little more loath to take the chance."
Fewer transactions would have a financial impact on the industry, which functions on volume, making a small amount of money on each of a huge number of transactions. "Any appreciable drop off is going to cost people a lot of money," Ms. Bace said.
Mr. Tenner said that if security problems become overwhelming, the government could revamp the Social Security numbering system. New security measures, like retinal scans and other so-called biometric markers, are already being tested.
"Right now it is very easy to get somebody's identity," said Eugene H. Spafford, executive director of the Center for Education and Research in Information Assurance and Security at Purdue University. "Plus there is a low threshold for authentication." To use someone else's credit card, for instance, all that is needed is the number, name, expiration date and, possibly, the three-digit security code. (In the CardSystems case, all that information was stolen.)
What may be additionally required, Mr. Spafford said, are stronger authenticators like so-called digital wallets, which contain all the data needed for transactions in encrypted form.
Some experts argue that protecting personal data is a hopeless task, that the emphasis should be on making transactions more secure."Making information harder to use is the key," Mr. Schneier said. "Making it harder to steal is a dead end."
One problem is that there currently is little financial incentive to improve security for transactions. "Credit card companies are putting the cost of fraud on the merchants, who put it on us the cardholders," Mr. Spafford said. A governmental role may be necessary, he said.
Whatever the improvements, few experts envision a complete solution. "Any security measures are at best only buying time," Mr. Tenner said. "It's really like the development of antibiotics - they are always trying to stay ahead of the problem."
"For the optimist, this can go on indefinitely," he added. "For the pessimist, it's like the man who jumped out of the 20th floor of a building. As he passed the 10th floor he said, 'So far, so good.' "
