November 9, 2005 1:53 PM PST

Stolen PC holds sensitive consumer data

A break-in and computer theft last month in an office of TransUnion credit monitoring service has left 3,600 consumers at risk of ID theft, the company said Tuesday.

The theft of the computer, from a California office of TransUnion, marks the latest case of consumer information being put at risk following the heist of a PC. The PC in this instance contained sensitive personal information, including Social Security numbers.

Security experts warn that the type of information that can be extracted from such computers often is used as the "keys to the vault," which enable the thieves to engage in other illicit behavior.

A small TransUnion sales office in California was burglarized and a desktop computer was stolen in October, the company noted. Consumers whose information was contained in the computer were notified of the theft and given a year of complimentary credit monitoring by the service.

TransUnion said it does not believe any fraudulent activity has occurred since the PC heist, and noted that the computer required a password to access the data.

But security analysts are critical of companies that rely on passwords as the sole source of data protection, noting such machines can be easily hacked by using any of a variety of techniques and tools, from keyloggers (which capture and store users' keystrokes on a machine) to cons that dupe employees into sharing confidential information.

"Protecting a computer with just a password is not good enough. It's easy to figure out passwords and pull the information out," said Prat Moghe, chief executive of Tizor Systems, a maker of software that audits employee access to data and applications.

Moghe added that thieves will use the sensitive information stored in a computer to inflict greater harm through identity theft.

"When a hacker gets a desktop computer, it itself is not the main source for the attack. It's like getting the keys to a bank vault. They can create identities with that information that will get them into backend systems where more damage can be done," Moghe said.

In addition to passwords, other forms of security exist from encryption to two-factor authentication.

"There are a lot of ways that data and privacy are lost and companies need to make sure they have policies in place to minimize the risk," Moghe said.

For example, more than 40 million credit card customers found they were at risk of ID theft following a security breach last summer at CardSystems Solutions. CardSystems is a third-party payment processor for MasterCard, Visa, Discovery and American Express branded cards, and for other credit card agencies.

A spokesman for TransUnion declined to comment on whether the credit monitoring company is using other forms of security, in addition to passwords, to protect consumer data.


Join the conversation!
Add your comment
"CardSystems is a third-party payment processor for MasterCard, Visa, Discovery and American Express branded cards, and for other credit card agencies."

Discovery? Guess we changed names, I thought we were still called Discover.
Posted by csturdivant (68 comments )
Reply Link Flag
Ha, ha, ha, ha
I am busting my gut laughing at the irony of a company that makes money off of selling my identity to others, and wants to charge me for a service to monitor the very data that they sell, that has now put those very customers at risk. This is just too rich. We are all such shills and fools. Who's running TransUnion now, Michael Brown?
Posted by Stating (869 comments )
Reply Link Flag
When you look at it like that,
. . it is just to good! Thanks for the grin!
Posted by Mister C (423 comments )
Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.