Tuesday, September 1, 2009

Like Stealing Candy from a Baby

... only the candy is an identity.
... and the baby is a dead body.

I've been contemplating writing this article for a while, not knowing the impact it would bring but I just can't justify keeping my mouth shut any longer. There is too much at risk here.

A little over a year and half ago, while I was wondering what I would do for my next day-job, I engaged with an organization that basically dealt in corpses. You know, when you check that little box on the back of your license that says you'll donate your body parts when you pop off... these folks get your parts. Effectively this was a human chop-shop... and it wreaked with a stench that I can still recall vivdly. The problem wasn't exclusively in the organization's lack of security because that was an atrocity in itself - but in the absolute ignorance for identity theft and the precious information they had in their possession.

This organization, prior to my arrival, never even had a firewall on their Internet-facing DSL circuit. Everyone could get access to their MS Access database, or spreadsheets where hundreds upon hundreds of records were meticulously kept. The information gathered was an absolute what's-what in information and identity theft. Social security numbers, home address and phone number, birthdate, eye color, hair color, weight... and so on, and so one. Given that the person was deceased, they figured it wouldn't matter anymore except that they often couldn't find the right information for the right body. Yea... this is what disturbed me. When they were done parting out a body they would send it to the crematory so the family could get their family member's remains. Unfortunately, due to their absolute incompetence in record-keeping... more often than not the families didn't get the right ashes, or worse yet - the person was "lost" in their black-hole of a filing system.

I was appalled. It seemed like any kinds of controls I wanted to put into place were met with a staunch reply of "well, we don't have money for that"... and they really didn't want to hear anything about the kind of absolute atrocities they were committing. I shudder to think what's transpired there over the past 18 or so months... but the point is I suspect nothing has gotten better. So you'd have to ask yourself... how many "hackers" have stumbled upon a wide-open internet-connected server with no security controls, perused the many data files on there only to discover a trove of information about people who can't even speak for themselves!

How should organizations like this be held accountable?

For even more... read Gunter's post from back in March called "Digging up the Dead" (or in the comments below). (Thanks for the link Gunter!)

1 comment:

Gunter Ollmann said...

On a (very) related note, I blogged on the topic earlier this year. In this case I was concerned about stealing identities based upon death records.

Full blog entry for "Digging up the Dead" is at http://technicalinfodotnet.blogspot.com/2009/03/digging-up-dead.html