This content is 16 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

There is a well known phrase in IT security – trust no one (often abbreviated to TNO).  A couple of weeks ago, a United Kingdom government department admitted to having lost a couple of discs containing, among other things, names, addresses, dates of birth and bank account details for my family.  Thanks.  For nothing.

Then, yesterday, a Senior Marketing Manager at Microsoft was not having a good day.  First of all, she sent a survey invitation to a list of "Microsoft Influencers" in the EMEA region but the bulk mailing tool she was using failed part way through dispatch.  After preparing a second message to the remaining recipients, she hit the wrong button and mailed a bunch of people she didn’t mean to.  So far, no real harm done, and an apologetic e-mail was sent to those affected.  Except that somewhere along the way she attempted to recall the message, the names of the recipients went to everyone who received the recall request, and two bright sparks on the list said (in jest, I think) something to the effect of "wouldn’t it be good if I could sell the e-mail addresses of all these people that Microsoft considers influential" (all 884 of them).  So that’s my e-mail address potentially compromised too.

And a few weeks back I had an e-mail from Fasthosts (through whom many of my domain names are registered) letting me know that they had experienced a security breach and that my account may have been compromised (but they couldn’t be sure)… so I could have been subject to a domain hijack if they hadn’t already locked my account for me.

Then there’s the various online and telephone-based services (including banks and credit card providers) that use ludicrously low security, with a myriad of single factors for authentication (and really, what use are my mother’s maiden name and town of birth for "security" questions as both of those items are publicly available information?).

It seems that avoiding identity theft is fighting a battle that can’t be won.  I have to entrust organisations with my personal details but, based on recent history, those organisations (including my government) cannot be trusted.

Maybe it’s time for me to find a new identity?


2 thoughts on “TNO

  1. Yep, you nailed it. The problem is getting worse and the incidences of this kind of breach seem to be growing.

    Curiously it seems to me that common stupidity is the largest single cause of data-loss and leakage. The provisions for security systems seem secure enough it’s just that we can’t be trusted to set them up or operate them safely.

    Yours sincerely,

    Mark Wilson

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.