Just received a letter that details a possible data breach at Best Buy.
Details are in the letter, but it comes from “Identity Guard” not Best Buy. I almost tossed it as junk but opened it when I saw the BB logo through the envelope. Be on the lookout.
Included a code for 1 year of Identity Guard ‘protection’ which includes 3 CU scores and quarterly CR from all three.
Corporate America should just pool their funds and preemptively buy a subscription to credit monitoring services for every American citizen for the rest of our lives. Should save them in the long run versus sending out mailers to tell us about the latest breach every 2-3 months…
Better yet, credit reports should be restricted from date of birth. The bureaus should have to contact the consumer before any new accounts or negative information is added to the credit report. If anyone tries to pull the credit report, the consumer should have to grant permission first. Not holding my breath though.
Until then, Credit Karma and Credit Sesame do a pretty good job of monitoring Equifax and Transunion year-round for free.
Are the breaches really generally a result of “poor” security? And how do we determine if they’re actually doing such a bad job that it rises to the level of negligence?
I honestly don’t know.
On one hand I’d be inclined to think at least some companies are doing a really crappy job of securing their systems but I could certainly believe that clever hackers worldwide are working 24/7 to find holes in systems for a huge payoff.
All the while most of us hand our card to some random minimum wage clerk 1-5 times a day and have horribly weak passwords on our online accounts… Point is that there's lots of weaknesses in the system.
From what I have seen working in IT for ~20 years, many companies don’t know the first thing about security, i.e., no encryption on passwords, PII, etc. It can be pretty scary!
Now I will say that security is not easy. However, many do not even cover the basics.
There are well-known, published best practices, and security professionals must know them to get the industry standard security certifications. I believe that not following best practices without reasonable mitigating factors (i.e., what I’m doing is proven to be better than “best practices”) is negligent.
If you get hacked because of a zero-day vulnerability that could not have possibly been prevented in any other way, then fine, you’re probably not negligent. But I think this is pretty rare.