Information from at least 45.7 million credit and debit cards was stolen by hackers who accessed TJX’s customer information in a security breach that the discount retailer disclosed more than two months ago.

Last paragraph:

TJX shares rose 51 cents, or 1.9 percent, to $27.01 in morning trading on the New York Stock Exchange.

“Basically, you’ve given everybody a little radio-frequency doodad that silently declares ‘Hey, I’m a foreigner,’” says author and futurist Bruce Sterling, who lectures on the future of RFID technology. “If nobody bothers to listen, great. If people figure out they can listen to passport IDs, there will be a lot of strange and inventive ways to exploit that for criminal purposes.”

There are two issues. The first is that, currently, few people carry around anything with an RFID tag. By simply detecting the presence of such a tag, a bad guy could infer that the person is likely to be a foreigner. The second issue is that the tags are likely to be cracked — meaning that the personal information in the passport would be available to ID thieves.

I definitely see a market for passport holders with RF shielding.

Via Slashdot.

We logged on to the BA website, bought a ticket in [the passenger's] name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details – including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

I’m a bit surprised that this level of access was granted without typing a password. I wonder if the lack of a password is a system-wide feature or something that is configurable on a per-account basis.

The article then dives into the recent history of information gathering by the airlines/governments including the CAPPS II and subsequent Secure Flight programs. For additional background, see these weblog postings by Bruce Schneier and Ed Felten.

Even if you trust the entity with which you share your information, things can and do go wrong. The March 20, 2006, issue of InformationWeek magazine has an article, The High Cost Of Data Loss, which describes incidents of customer data-loss affecting millions of people. This cover caught my eye as it had a picture of Princeton computer science graduate student Alex Halderman; the article states:

J. Alex Halderman, a doctoral candidate in computer science at Princeton University, about a year ago received a letter from the University of California, Berkeley, where he had been accepted as a graduate student in 2003, advising him that his personal data had been compromised. A university computer had been stolen that contained files with names and Social Security numbers of applicants and others at the university.

Berkeley warned people affected by the breach to be on the lookout for scam artists who might try to contact them under the pretense of being affiliated with the school. Halderman was shocked that two years after he applied to UC Berkeley, the application remained susceptible to a data breach. “It’s amazing that data can be on file for years, even when you think you’re finished with it,” he says. “There’s no way to take it back.”

You can’t always “un-share” data

Alex’s experience illustrates that once information has been shared it is generally not possible to “un-share” it. I recently met with a representative of a company that holds some of my retirement funds to discuss my allocations. During the course of the conversation, the representative asked some questions about salary and retirement plans which was noted on a yellow pad of paper. Additionally, I answered a short questionnaire to assess my risk tolerance which was entered into an untethered laptop computer. The meeting went well but I was never told that the salary information was going any farther than the yellow pad. My mistake was not to make my wishes known that the information I provided was not to be kept on file. Sure enough, a week or so later I received a “confirmation letter” with all the information listed. It was clearly a form letter generated at the corporate office from data in a big database. I immediately returned the confirmation letter with a note asking that my profile be removed. A week or so later, I received a phone call from a customer service manager to discuss my request. The conversation was cordial and long but only partially effective. It turns out that once the data exists in the system, there is no way to remove it. The best he could offer was to set the values to obviously bogus values (like an annual salary of $1). The manager was surprised that I was sensitive about this — after all, (1) they take special measure to protect the data and (2) if I met with a different planner in the future they would need to have the information. My counter to this was (1) data gets lost/stolen/misused anyway (USA Today just reported that a Fidelity Investments laptop computer containing sensitive data on 196,000 retirement-account customers was just stolen) and (2) I could easily bring the information to each face-to-face meeting.

Other options

In addition to carefully considering whether to share personal information, you can also push back and see if the requester really needs it or if there is a way for you to get the goods or service without providing the information. Recently I renewed my family’s membership to a local swimming pool club. The application stated that proving the full birthday for all members was mandatory. After several e-mail messages I learned that the insurance company required that the club have this information on hand in the event of an emergency. In this case, I reluctantly decided that this was OK. In another case, I made a purchase at a nationwide home improvement store where my receipt indicated that I won a $10 gift certificate and could claim it by either visiting a website or by calling a phone number. I went to the website and saw that one of the required fields on the web form was birth date. Rather than using a bogus birth date, I tried the phone number. Interestingly, I was able to claim my prize without giving out this information — the system never even asked.

What to do?

Does this mean one should never share personal information? No, but it does mean that each time you do, you should think about the associated risks and benefits. What makes this trade-off tricky is that the benefits are often obvious and immediate and the risks are more nebulous. An interesting example of an unexpected use of seemingly benign information involved Farrell’s Ice Cream Parlor Restaurant customers who signed up for free ice cream on their birthday. The obvious benefit of sharing this information is that they would get free ice cream. However, in 1983, the U.S. Selective Service purchased a list of names and birthdays of boys turning 18 that year so that they could be reminded to register. Food for thought.