Stolen PC holds sensitive consumer data

Machine stolen in October from credit monitoring service has ID information on 3,600 consumers.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
A break-in and computer theft last month in an office of TransUnion credit monitoring service has left 3,600 consumers at risk of ID theft, the company said Tuesday.

The theft of the computer, from a California office of TransUnion, marks the latest case of consumer information being put at risk following the heist of a PC. The PC in this instance contained sensitive personal information, including Social Security numbers.

Security experts warn that the type of information that can be extracted from such computers often is used as the "keys to the vault," which enable the thieves to engage in other illicit behavior.

A small TransUnion sales office in California was burglarized and a desktop computer was stolen in October, the company noted. Consumers whose information was contained in the computer were notified of the theft and given a year of complimentary credit monitoring by the service.

TransUnion said it does not believe any fraudulent activity has occurred since the PC heist, and noted that the computer required a password to access the data.

But security analysts are critical of companies that rely on passwords as the sole source of data protection, noting such machines can be easily hacked by using any of a variety of techniques and tools, from keyloggers (which capture and store users' keystrokes on a machine) to cons that dupe employees into sharing confidential information.

"Protecting a computer with just a password is not good enough. It's easy to figure out passwords and pull the information out," said Prat Moghe, chief executive of Tizor Systems, a maker of software that audits employee access to data and applications.

Moghe added that thieves will use the sensitive information stored in a computer to inflict greater harm through identity theft.

"When a hacker gets a desktop computer, it itself is not the main source for the attack. It's like getting the keys to a bank vault. They can create identities with that information that will get them into backend systems where more damage can be done," Moghe said.

In addition to passwords, other forms of security exist, from encryption to two-factor authentication.

"There are a lot of ways that data and privacy are lost and companies need to make sure they have policies in place to minimize the risk," Moghe said.

For example, more than 40 million credit card customers found they were at risk of ID theft following a security breach last summer at CardSystems Solutions. CardSystems is a third-party payment processor for MasterCard, Visa, Discover and American Express branded cards, and for other credit card agencies.

A spokesman for TransUnion declined to comment on whether the credit monitoring company is using other forms of security, in addition to passwords, to protect consumer data.