A few days ago, a friend of mine received several letters dated June 24, 2011 from Morgan Stanley Smith Barney, where he has kept brokerage accounts for himself and his children for many years. It began with the now familiar, “we care about you” phrase:
“At Morgan Stanley Smith Barney, client satisfaction and information security are critical priorities.”
Then it segues into the sickeningly familiar, “but perhaps not enough” phrase:
“We are writing to inform you of a recent security incident involving the sensitive information of certain Morgan Stanley Smith Barney account holders. Morgan Stanley was recently notified by the New York State Department of Taxation and Finance that two password-protected CD ROMs included in the package received from Morgan Stanley Smith Barney were missing from the package when it was delivered to the intended recipient within the Department. The CD ROMs included sensitive information about your account that was sent as a requirement to New York State after filing annual 1099 tax forms. The sensitive information on the password-protected CD-ROMs included names, addresses, Social Security numbers, Morgan Stanley Smith Barney account numbers and income earned on tax exempt bonds or funds you hold or held in 2010.”
Melding into the “we are praying daily that this never amounts to anything, because we don’t want to be sued into the Stone Age” phrase:
“While we have no evidence that your sensitive account information has been misused as a result of this incident…”
The omitted, yet operative word here is—yet.
As I said in last week’s column, in 2011 breach sightings have rapidly evolved from the Flavor of the Month, to the newsreel of the week, to “News at Eleven.” Letters like this one have become so common that it’s easy not to take them seriously. Their white-noise status has begun to earn them the same attention as the magazine marketing material and pre-approved credit card mailers we find almost every day in our snail-mail box. However, this is far from junk mail, and this letter in particular deserves some careful parsing and thought.
Like all these “dear Vic(tim)” letters, it begins with a statement that belies the message that follows. How critical a priority is information security if those CD-ROMs were merely password protected, not encrypted? A password on a disc or a file usually only decides whether the intended viewing software will open it; the records themselves still sit on the platter in the clear, readable by anyone who bypasses that software or simply reads the raw bytes. Encryption, by contrast, makes the records unreadable without the key. Is it standard operating procedure at Morgan Stanley Smith Barney not to encrypt, or is the NY State Tax Department lacking the technology to decrypt? Further, note the careful phraseology, which subtly implies those CD-ROMs might have been taken by anyone involved in the transportation chain, including a NYS employee, before the package was actually delivered “to the intended recipient within the Department.” Heck, maybe the dog ate ‘em.
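To make the password-versus-encryption distinction concrete, here is an added example (not code from the column, and not any real product’s file layout). It builds the same constructed records, with fictitious names, Social Security numbers and account numbers, into two hypothetical containers: one that gates access with a password check but stores the records in the clear, and one that derives keys from a passphrase with PBKDF2 and encrypts the records with an authenticated construction built from Python’s standard library (HMAC-SHA256 in counter mode as the keystream, with an encrypt-then-MAC tag). A thief who copies the raw bytes, as anyone holding the disc can, recovers every SSN from the first container and nothing from the second, even though both reject a wrong password.

```python
"""Added example: a "password-protected" container versus an encrypted one.

Both layouts below are hypothetical, chosen for illustration only. The
encrypted format uses a sound but non-standard construction so that the
example runs with the standard library alone; in production use a vetted
AEAD such as AES-GCM from a maintained crypto library.
"""
import hashlib
import hmac
import os
import re
import struct

# Constructed sample records: fictitious people, SSNs and account numbers.
RECORDS = (
    b"Jane Q. Investor,123-45-6789,ACCT 0012345678,tax-exempt interest 4120.00\n"
    b"John Q. Investor,987-65-4321,ACCT 0098765432,tax-exempt interest 2310.50\n"
)

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def scan_for_ssns(blob: bytes) -> list:
    """What a thief with a raw copy of the disc sees: grep the bytes for SSNs."""
    return SSN_RE.findall(blob)


# --- Format 1: "password-protected" (hypothetical layout) -------------------
# salt || SHA-256(salt || password) || records in the clear.
# The password only controls whether the *intended viewer* opens the file.

def protect_with_password(data: bytes, password: str) -> bytes:
    salt = os.urandom(16)
    check = hashlib.sha256(salt + password.encode()).digest()
    return salt + check + data


def open_password_protected(blob: bytes, password: str) -> bytes:
    salt, check, data = blob[:16], blob[16:48], blob[48:]
    expected = hashlib.sha256(salt + password.encode()).digest()
    if not hmac.compare_digest(check, expected):
        raise ValueError("wrong password")
    return data


# --- Format 2: encrypted (hypothetical layout) ------------------------------
# salt || nonce || ciphertext || tag.  Keys come from PBKDF2(passphrase, salt);
# keystream block i = HMAC-SHA256(enc_key, nonce || i); tag covers everything.

def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(data: bytes, passphrase: str) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(blob: bytes, passphrase: str) -> bytes:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # check the tag before decrypting
        raise ValueError("wrong passphrase or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def compare_formats(password: str = "Tax2010!") -> dict:
    """Count the SSNs a raw-bytes scan recovers from each container."""
    gated = protect_with_password(RECORDS, password)
    sealed = encrypt(RECORDS, password)
    try:
        decrypt(sealed, password + "x")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "password_protected_leaks": len(scan_for_ssns(gated)),
        "encrypted_leaks": len(scan_for_ssns(sealed)),
        "roundtrip_ok": (open_password_protected(gated, password) == RECORDS
                         and decrypt(sealed, password) == RECORDS),
        "wrong_passphrase_rejected": rejected,
    }


if __name__ == "__main__":
    print(compare_formats())
```

The scan is the whole point: both containers refuse a wrong password, but only the encrypted one refuses to give up the records to someone who never runs the viewer at all. Whether a real disc was "password protected" in the first sense or encrypted in the second is exactly what a breach letter should say and this one does not.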
Of course the best question is why CD-ROMs were used to transmit the data in the first place. Since reporting of this kind is done routinely every year, why shouldn’t there be a secure communications link between the sender and the recipient? And it would be cheaper, too—something state government really does care about at this particular moment.
What this letter really says is that after all the coverage of all of the breaches, all the horror stories, all the misery, all the litigation, all the heroic pronouncements by all the regulators, legislators, corporate leaders and consumer advocates, the memo still didn’t get to Wall Street, where they obviously care more about intellectual property, trade secrets, insider trading, outsized profits and complaining about over-regulation than their most precious asset: their customers.
Oh, and by the way, MSSB customers, just in case you thought that your Social Security number was still secure (however unlikely that is) some bad guy is very likely to get it real soon.
Why am I so certain that foul play was involved here? Because this isn’t the personal identifying information of an un-homogenized list of individuals—this is a list of folks who have accounts at a first-tier investment bank, and who hold tax-exempt securities in those accounts. We’re not simply talking about a feast for the financially-famished, this is a top-hat dinner and a show!
There is a sophisticated and efficient market out there for personal identifying information (PII), and the prices go up when the data comes from a target-rich environment like Morgan Stanley. Now think about it: whether you’re an account executive, a messenger, or a clerk in a state bureaucracy, it’s easy for you to know that this market exists. You also know that the chances of getting caught are even lower than finding a front-row seat to a Lady Gaga concert, because the “security” around those CD-ROMs was virtually nonexistent. Most five-year-olds can get around passwords, and there are literally scores of people who could have heisted the discs from the package. Best of all, you know that you never have to meet your “fence”—it’s not like stealing the Rolex off of the sink in the men’s washroom—you can transmit the data with complete anonymity, and get paid for it with little, if any, risk of exposure. And you don’t have to be a computer geek; that’s the real beauty of this sort of “old-fashioned” brand of identity theft. Hacking or phishing may require certain technical skills, but lifting a CD-ROM can be done by my seven-year-old niece.

In a nutshell, we’ve just identified the real cause of the pandemic-like problem we are having: if you’d like to become an identity thief, you don’t need to know very much; because security measures are so lax or ineffective, it’s not too difficult; and the very minimal risk is far outweighed by the very tangible and ever-growing rewards. We have managed to create the perfect environment for making crime pay.
So, perhaps you haven’t received “the letter” proclaiming your unsolicited membership in the “500 Million File Club” (now that more than 500 million files have been improperly accessed since 2005). I bet you’re thinking, “Hey, I’m not a rich guy.” Or, “I don’t have a brokerage account.” Or, “I don’t live in the U.S., where there is an established network of data thieves and data buyers.” “I’m OK. I am under the radar.”
On November 20, 2007, UK Chancellor of the Exchequer Alistair Darling announced:
“Two password-protected discs containing a full copy of HMRC’s [the UK equivalent of the IRS] entire data in relation to the payment of child benefit was sent to the NAO [the National Audit Office] by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the address in the NAO.”
Sounds familiar, doesn’t it?
The lost data involved almost half of the UK’s population—approximately 25 million people. The personal data on the missing discs was said to include names, addresses and dates of birth of children receiving Child Benefits, as well as the National Insurance account numbers and the bank account data of their parents.
The BBC detailed the magnitude of the loss as follows:
- 7.25 million adult claimants of Child Benefits for their offspring;
- 15.5 million children entitled to receive those benefits;
- 2.25 million non-parent adult claimants such as unrelated caregivers, and a few thousand others.
This was truly equal-opportunity thievery. And like every other catastrophic breach, reassurance—however meaningless—quickly followed the announcement. Mr. Darling averred that there was no indication that the details had fallen into the wrong hands, but he advised those affected to monitor their bank accounts nonetheless. He said, “If someone is the innocent victim of fraud as a result of this incident, people can be assured they have protection under the Banking Code so they will not suffer any financial loss as a result.”
Uh-huh. What about years from now when those kids grow up?
Of course, the UK being the interesting island that it is, there were some colorful reactions to the news, particularly as to the value of the loss to identity thieves. The head of the Liberal Democrats estimated that the names were worth approximately one hundred dollars apiece, for a total value of approximately $2.5 billion. Scotland Yard unofficially speculated that it was more like four dollars apiece, amounting to a mere $100 million. Methinks the politician was closer to it than the policeman, but prices have gone up since then anyway. Some identities can trade for several thousand dollars, particularly if they are usable to evade immigration laws, or if the data comes with a good pedigree—like that of a Morgan Stanley investor.
Until we have better laws, stronger security procedures, and a very different attitude toward PII and its value, we will suffer in the swarm—rich or poor. No one will die, but everyone will likely be stung at least once, and possibly many times, and very harmfully. And just like a run through a swarm of bees, some of your attackers can be seen, some cannot, and even the ones who don’t know a keyboard from a keychain can deliver a nasty sting—the old-fashioned way.