There is a well known phrase in IT security – trust no one (often abbreviated to TNO). A couple of weeks ago, a United Kingdom government department admitted to having lost a couple of discs containing, among other things, names, addresses, dates of birth and bank account details for my family. Thanks. For nothing.
Then, yesterday, a Senior Marketing Manager at Microsoft was not having a good day. First of all, she sent a survey invitation to a list of "Microsoft Influencers" in the EMEA region, but the bulk mailing tool she was using failed part way through dispatch. After preparing a second message to the remaining recipients, she hit the wrong button and mailed a bunch of people she didn't mean to. So far, no real harm done, and an apologetic e-mail was sent to those affected. Except that somewhere along the way she attempted to recall the message, so the names of all the recipients went to everyone who received the recall request, and two bright sparks on the list said (in jest, I think) something to the effect of "wouldn't it be good if I could sell the e-mail addresses of all these people that Microsoft considers influential" (all 884 of them). So that's my e-mail address potentially compromised too.
And a few weeks back I had an e-mail from Fasthosts (through whom many of my domain names are registered) letting me know that they had experienced a security breach and that my account may have been compromised (but they couldn’t be sure)… so I could have been subject to a domain hijack if they hadn’t already locked my account for me.
Then there are the various online and telephone-based services (including banks and credit card providers) that use ludicrously weak security, relying on a myriad of single factors for authentication (and really, what use are my mother's maiden name and town of birth as "security" questions when both of those items are publicly available information?).
It seems that avoiding identity theft is fighting a battle that can’t be won. I have to entrust organisations with my personal details but, based on recent history, those organisations (including my government) cannot be trusted.
Maybe it’s time for me to find a new identity?