Your Identity and Future are at risk, act now!

No, this isn’t a political hack job with some imaginary consequences, or a climate change warning about the end of the world. I have thoughts on both of those, but this isn’t about them.

Recently a company you’ve never heard of, and certainly never consented to storing your personal data, was hacked. It really is the worst possible type of hack: one involving a data broker happy to profit from collecting our data but not bothered enough to keep it secure.

Here is a gift link to the NY Times article. Note that since its publication the essential details have been confirmed. The data has now been released for free on an online marketplace for stolen data. Engadget has an article as well [1] https://www.engadget.com/cybersecurity/national-public-data-confirms-breach-that-exposed-americans-social-security-numbers-100046695.html.

I actually checked my own details [2] https://npdbreach.com/ and pretty much everything is there, including name, address, date of birth, full social security number, marital status, phone number etc. You can do this as well, securely. My suggestion is to search only using your first name, last name and zip code. If not found initially, try searching for variants – “M Cathcart” as well as “Mark Cathcart”, and any variations Katherine/Kate/K etc.

If you have not locked your credit files, take this very seriously and do it now.

Adam Clarke, writing for Vox, has a good overview and reasons why you should do this irrespective of the data hack. As Adam says, it’s probably a good idea to lock the credit files for your children, no matter how young.

The NY Times article by Ron Lieber really doesn’t cover the gravity of the situation and I’m disgusted that Ron flippantly says “I take some joy in accepting compensation from companies that have messed up.” – at least in my case I’ve never had a result from a class action lawsuit that has even been enough money to cover blogging about the result. The only class action lawsuit I’ve received more than $100 for was for a defective refrigerator and that was really only in the form of a discount.

It’s far past time that states, and possibly the Federal government, pass laws and enact a privacy doctrine. It doesn’t need to be a massive, complex GDPR-type structure [3] https://gdpr-info.eu/, but the laws must be such that data leaks require immediate termination of the business’s website and Internet communications until the full scope of the attack is understood and every possible change has been made to protect and contact those who have been impacted. Yes, this could mean the end of the business. Why not?

Only the law/legal industry really benefits from class action lawsuits.

Any penalty must include a payment to each and every customer whose data is leaked and the financial penalty should be staggered based on the severity of the data leaked. It should be a statutory financial penalty as soon as the hack is confirmed. The penalty should be a fixed amount, per user, and the money from the penalty should be offered directly to the user and a portion of it should go to a credit and privacy restoration service.

Yes, this would have severe consequences on the Internet operation of data broker companies, healthcare providers, financial institutions, online sellers and more. But really, if they are not prepared to keep our data safe, why should they be legally allowed to keep our data at all?

My first foray into data privacy was in 1981, when I wrote a paper for Canada Life insurance on the consequences of the then-proposed UK Data Protection Act, which was passed in 1984. It’s incredibly stupid to remember that back then pretty much every company would have used copies of real data containing real people’s information for testing purposes. But then, for the most part, all networks were private and there were only dumb terminals that could access systems. Security meant physical security: locking doors, restricting access, shredding documents etc.

For the remaining period of my 40-year IT career, I steadfastly refused to be drawn into security design, architecture and discussion, as it is NOT the place for a one-eyed man [4] (the aphorism: in the land of the blind, the one-eyed man is king). Security was always more important and required specialist knowledge.

I did do some work adjacent to the IBM acquisition of a company called SRD in 2005 [5] (“Can I See Some ID? IBM Buys SRD To Boost Analytics”, CRN). SRD, and more specifically their chief scientist Jeff Jonas, had invented and patented a method to allow companies to compare and exchange information on the associations of individuals and their relationships without disclosing the actual data. It’s probably time to mandate that such technology be used by data-broker-type companies and that they do not keep data about us unencrypted at all. While this wouldn’t stop data hacks, it would require the hackers to acquire not only the data, but also the private key for the data.

Whither National Public Data?

How is this impacting National Public Data? You can read for yourself here. In essence, apart from whatever internal and police investigation is underway, they are still doing business today. They are of course positioning themselves as the victim of “a security incident as a result of a bad actor” – this is a completely false narrative. The only bad actor here is National Public Data. They took a risk with our most important information and it didn’t pay off. We, regular people, are the victims.

Colorado State Attorney General Actions?

On 8/26 I wrote to the Colorado Attorney General [6] (USPS Tracking Results) demanding that the state take up this topic. Getting (yet) another credit monitoring service offer from a company that has been hacked is simply not enough. I have five; four were given as a form of restitution for a data breach, I don’t need any more, and National Public Data shouldn’t be allowed to provide another as their only penalty.

Finally, we need to create and keep a register of the professionals involved in setting up such systems, as well as the executives who make decisions on such systems. We have the Sex Offender Registration and Notification Act (SORNA), which is a registry. We should have a similar registry for Security Design Architects who have Failed (SDAF). Ok, maybe that’s one step too far, but given that resume stuffing and employment gaps in resumes are common, we should be able to easily find out who designed these systems, to question them on what they recommended, why, and who approved of it.

Update:

8/27 Added date of letter to AG and minor punctuation changes.

8/27 2:30pm In my rush to post this I forgot to include the link where you can check.

8/28 12:30pm Added paragraph about National Public Data and link, some headings, other minor details.
