Exposure of data

The New York Times, the Washington Post, CNN, AP, ABC News, and innumerable other outlets are reporting breathlessly that credit card numbers belonging to 40 million people “may have been exposed to fraud.”

Why is this story getting so much attention?

Look, I'm not in favor of identity fraud.  But as far as I can tell this particular breach doesn't raise the risk of true identity theft.  The card companies say that personally identifiable information (like SSN, address, etc.) wasn't stored in these exposed files.  And these kinds of breaches happen all the time.  The wheels of commerce continue to turn.  Harvard Business School continues to admit students.  The sun rises; the sun goes down; and if a US consumer has a false credit card charge, he/she can contest it and never lose more than $50.

In fact, my sense is that the card issuers are unbelievably good — maybe too good — at detecting fraudulent patterns of card usage.  After all, pattern detection led MasterCard to suspect its vendor of having a problem, according to this CNN story.  

And when I traveled to Africa in 2004, American Express promptly cancelled my card.  Why? Because I had charges coming from Africa.  And when I called to complain that my card number (memorized over 20 years of faithful use) had been cancelled, they said, “But we tried to call you.”

Me:  “I didn't get the message.  I was in Africa.”

Anyway, I wonder whether this story is getting so much play (warning, black helicopters pulsing overhead) because there's some deep legislative desire to have mandatory security standards for all internet transmissions/storage of sensitive information. After all, DOJ is rumored to be pushing for ISPs to keep their logfiles on file.  Maybe larger meddling is afoot.   

Or maybe 40 million is such a big number that editors figure it has to be meaningful.