Monday, March 31, 2008

Another data breach goes nearly unnoticed.

Vague topic this week; I'm under the assumption that I can basically choose anything involving ethics in computer science for this article. Link to the original assignment.

In a recent incident, personal data was unintentionally released, affecting 75,000 members of the public website of The Dental Network. The information contained full names, complete addresses, dates of birth, and social security numbers. This was reported by The Baltimore Sun on March 26th, 2008, even though the security breach happened February 20th, and the affected persons were informed by letter on March 10th, nearly three weeks later. Thousands of dollars in unauthorized purchases, accounts being opened and held for use at a later date, and many other illegal activities all could have happened before anyone was informed that they were at risk.

According to the Baltimore Sun article:

“The company says that to its knowledge, no one has misused the information.”

The company has offered those who were affected 12 months of free credit monitoring, and sent information to these people on how to contact the credit bureaus and put a fraud alert on their accounts.

"We moved in a timely fashion to secure the data and notify the members,"

said CareFirst spokesman Michael Sullivan, but the article also mentions that

“[The information] had been posted on its Web site for two weeks in February because of a technical error.”

The Consumerist also picked up this article and added a few interesting points. They are critical of the company's offer of free credit monitoring services for a year, saying it's too short:
“Companies, is it really that expensive to offer 5 years, or 10 years, of credit monitoring to victims of your data security incompetence? Seriously, own up to your responsibility in exposing people to the risk of financial and credit problems and give them the tools they need to protect themselves. After all, it's your fault.”

This is a valid point. The company is at fault here, and the threat of identity theft due to this will not be gone in one year.

While on the website of The Dental Network, I could find no mention of the data breach, even though it is now only 3 weeks after the affected users were informed, and only 3 days after the article was picked up by The Baltimore Sun. The home page of the site is now displaying the message that:

“New Sales of Dental HMO Products Temporarily Halted in Maryland, Due to a technical issue involving the internal restructuring of The Dental Network (TDN).”

The company seems to be taking no responsibility for what has happened, instead trying to hide it from people in an attempt to maintain a semblance of security. Take a look and judge it for yourself: the website looks like it was created 10 years ago, and their policy for data integrity probably hasn't been updated since then.

It is the responsibility of The Dental Network to inform the people affected in this case. There is a state law passed in Maryland that requires businesses to respond promptly in the case of a data breach. It is my opinion that this company did not adhere to this law. The company should have upheld the users' positive right to privacy, but instead that right was broken and the data was leaked. This clearly violates the ACM Code of Ethics, specifically section 1.7:

“Respect the privacy of others.”

The Dental Network should have been more diligent in securing the personal data of its users, and much faster at noticing the breach and notifying its users. A total of two weeks passed before the breach was noticed, and 3 more weeks before users were notified. That's 5 weeks where a potential criminal could have had access to this data. Five weeks is completely unacceptable.

UPDATE: I found the FAQ for the data breach. The information there isn't very helpful, and would likely only confuse most people and cause them to ignore it. All of the information contained is about what you should do; the company seems to be doing nothing on its own, therefore leaving the majority of people affected without any security against identity theft.