I came across this news item http://news.yahoo.com/s/ap/20070213/ap_on_re_us/security_breach;_ylt=AmTRfUWSmPQsOMV3KG7fmoAEtbAF
about VA losing data again, not reporting it quickly and making a completely useless but misleading remark while doing so: "...it doesn't have any reason to believe anyone has misused data...The agency offered a year of free credit monitoring to anyone whose information is compromised". Useless because if the information was misused, VA won't be the first to know, and if they did eventually learn that the information is misused, they may take another 3 weeks to report it. Perhaps the motivation behind an announcement like this is that it may deter the miscreants from mischief for a year. The other contemporary data leak (TJ Maxx) has shown that this is not true.
Misleading because they are offering 1 year of free credit reporting, which may give a false sense of security to those customers who use that service. Armed with the SSN and other sensitive information, the miscreants can carry out their ill intents after a year. Also, some of the mischief they do may not get into the credit report at all, and the part which does will take a while before it shows up, and by that time it might be too late (e.g. money is transferred to the Bahamas etc. and nothing can be done now).
I have blogged about the problems of using SSNs and other "permanent" and personal information for authentication here http://securetheworld.blogspot.com/2007/01/social-security-numbers-as.html