AlertBoot Endpoint Security

Data Encryption Vs. Seven Years Of Credit Monitoring

The Iowa Racing and Gaming Commission is offering people an unprecedented 7 years of fraud alerts on their credit reports.  That's the result of a January data breach where 80,000 people's sensitive information was potentially compromised.  (There's no way the use of encryption software like AlertBoot would have helped in this case, since the breach was the result of an unpatched firewall.)

Residents From 7 States Affected: Jockeys, Slot Machine Technicians, Etc.

The state started notifying employees on January 26 that their information was breached.  A third-party contractor had forgotten to patch a firewall, which allowed hackers--possibly from China--to gain access to the Iowa Communications Network.

There appears to be a dispute over whether having all patches installed would have prevented the breach:

"There is nothing to show that even if all the patches had been installed, they still wouldn't have gotten in because they had already gotten through the state's firewall," said Robert Keller, chief technology officer, Ambient Consulting of Minneapolis. [SC Magazine]

Huh?  Maybe Keller was misquoted--that's one weird proclamation to make; "they still wouldn't have gotten in?"  That makes it sound as if the hackers never made it into the network...

Anyhow, hackers were able to gain access to the gaming commission's database, although it's hard to tell whether any information was downloaded.

The attack compromised the information of employees, such as jockeys, trainers, card dealers, horse and greyhound owners (technically, not employees, I would imagine), etc.

Seven Years of Fraud Alerts

I don't think I've ever seen more than 3 years offered for fraud alerts when similar information was breached.  Seven years!  Assuming that 100% of the people take up this offer, and assuming that the Iowa Racing and Gaming Commission was able to get a deal where the annual cost, over those seven years, is $5 on average...that would end up costing $2.8 million.

Potentially three million bucks for an unpatched firewall.  Of course, you could say that that's the gaming commission's own doing: they could have offered two years of fraud alerts, just like everyone else.

On the other hand, if one's truly concerned about people and wants to help them, seven years' worth of protection is probably much more realistic.  It's not unknown for criminals to steal data and then wait a couple of years to use it.  They don't wait because most companies offer two years' worth of credit protection, fraud alerts, and other forms of minimizing identity theft.

Rather, the waiting period pretty much hides the criminals' traces: once people find out they've become victims, they have no idea where their information could have possibly been breached from.  At least, that was the case before states started passing laws regarding data breach notifications.

However, criminals would probably not extend their waiting period to seven years.  Can you imagine any organization waiting seven years for a payoff?  Especially when there are so many fish in the sea?


Related Articles and Sites:
http://www.wcfcourier.com/news/local/govt-and-politics/article_8e795214-27c0-11df-b5d4-001cc4c03286.html
http://www.iowa.gov/irgc/Breach.htm
http://www.scmagazineus.com/hackers-accesses-iowa-racing-and-gaming-commission-database/article/163050/


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.