Recently in Identity Category

Clearly, the mortgage industry had its hands full before Friday's arrest of a Citywide Financial Corp. employee for allegedly stealing sensitive personal information for up to two million mortgage applicants.

From CyberInsecure:

The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers, of as many as 2 million mortgage applicants. The breach in security, which occurred over a two-year period though July. Countrywide detected the breach and alerted federal authorities, according to Suzy Martin, a spokeswoman for the company. [From Countrywide Financial Insider Steals And Sells Thousands Of Private Customer Records | CyberInsecure.com]

The Identity Theft Resource Center has released the 2008 Breach List. The 117 page document identifies 377 specific breaches that expose 17,011,691 identities as of July 22. It's a very specific and interesting look into data breaches so far this year.

About the center:

Identity Theft Resource Center® (ITRC) is a nonprofit, nationally respected organization dedicated exclusively to the understanding and prevention of identity theft. The ITRC provides consumer and victim support as well as public education. The ITRC also advises governmental agencies, legislators, law enforcement, and businesses about the evolving and growing problem of identity theft. [From Identity Theft Resource Center | A Nonprofit Organization]

Here's the full report.

Verizon just had a data breach, and they can't blame the technology or attackers.

HAGERSTOWN — A mistake by Verizon that led to the printing of about 12,500 unlisted or nonpublished telephone numbers and corresponding addresses in a telephone book has prompted fear and anger in some of those affected.

One woman, who asked that her name not be used because she feared for her safety, said she began to cry when she learned that her unlisted number and address were printed in the recently released 2008-09 Washington County Phone Book.

* * *

In March, Verizon inadvertently sold the numbers to Ogden Directory Inc. for publication in the phone book, said Harry Mitchell, Verizon's director of media relations.

The phone books were in the process of being distributed by the post office, but Ogden officials last week asked that distribution be halted after the problem was discovered.

Mitchell said Verizon regrets the mistake.

[From The Herald-Mail]

There are always going to be studies that show how much data breaches cost companies, mostly because it's a factoid that security researchers think will persuade the C-level types.

The flip side is that the frequency of these data breaches among peer organizations lessen the impact when it "happens here" and that the financial downside is just a cost of doing business.

It can also promote a culture of cover-ups. If it's a common thing, then there's no reason to make a big deal of it.

From Gene Schultz over at Hightower Software:

A recent study by the Ponemon Institute shows, for example, that 55 percent of participants in this study said they had been informed of more than one security compromise involving their personal data over the last two years, and eight percent said that they have been informed of four or more of such compromises.

The Ponemon Institute's study also shows that 63 percent of the survey participants reported that the letters they received after data security compromises had occurred contained no information concerning what to do to safeguard their data afterwards. Furthermore, the majority of the respondents indicated that more than a month had transpired before they were finally informed that their personal data were compromised. At the same time, however, 98 percent of those who had fallen victim to a data security compromise actually became victims of identity theft afterwards. Most significantly, almost one out of every three individuals who were informed of a data security compromise involving their personal data have ceased doing business with the company that experienced the incident. [From High Tower Blogs > Security Insights » Blog Archive » The Business Costs of Security Compromises]

from O'Reilly Radar, Google Friend Connect Previews Tonight:

Later today Google is going to preview Friend Connect (it's not live yet at http://www.google.com/friendconnect), a product that lets any website host OpenSocial applications. These applications will enable a site's user to interact with their social network from other sites (assuming they are logged in). Initially users will be able to see their networks from Facebook (using their APIs), Google Talk, and Orkut. Future participants will include hi5 and plaxo.

Initially Google will be letting websites in slowly. Upon acceptance webmasters will be able to submit their website (URL and name) and select colors. They can then select applications for their site from a new application gallery.

The user experience is simple. When a user comes to a site in the Friend Connect program they can sign into any social network that is sharing their data. Their data is not actually shared with the site. Impressively Google is supporting OpenID and OAuth in addition to their own standard OpenSocial.

This sounds like it's expanding identity management from the authentication piece that projects such as OpenID and Shibboleth tackle to explore a richer version of identity.