Tuesday, November 22, 2011
I’m not upset… “these things happen” (!)
by Larry Geller
Dear APEC Host Committee member: Has the East-West Center failed to protect your personal data? You should be mad as hell. You gave your personal information as requested, with the implicit understanding that the E-W Center would take care of it, and it appears it was stored unencrypted on a computer accessible from the Internet. Later, someone, somewhere, went into the computer and there it was for the taking.
The Star-Advertiser story of the incident (Star-Advertiser, APEC committee alerted to possible data breach, 11/18/2011) made it appear that losing data is just one of those things that happens. Those pesky hackers just struck again.
But what about the argument that the East-West Center left the goodies in plain view for the taking?
For some reason, officials and often journalists resort to writing in the passive voice to describe incidents of data loss. I can understand the reluctance of responsible officials or managers to take or admit responsibility, but I don’t understand why journalists fall into line. They wouldn’t write, for example, “an elderly man in Kalihi went to visit a neighbor and got bitten by their Rottweiler.” Nor would the elderly man report the incident that way to his lawyer. The S-A headline writer chose the sub-title for the above article: “Personal information collected to clear members for a meeting with President Obama is hacked.” So the passive voice is used to set the tone for the entire article.
East-West Center President Charles Morrison explained the incident in the passive voice in his letter to victims, posted as part of the Star-Advertiser article (behind their paywall):
"The East-West Center has been notified that our computer system experienced unauthorized access starting approximately from October 25, 2011…
The pull-quote the S-A ran on their editorial page on Monday 11/21 is a reflection of the same attitude. A victim of the East-West Center’s apparent neglect says “these things happen.”
Perhaps he’ll become as angry as the rabbit in the comic at the left should his credit card be compromised, for example.
The important fact not mentioned in the S-A article is that by keeping personal information in unencrypted form on a computer accessible from the Internet, the East-West Center may have exposed that data to theft. The key word here is “exposed,” and it appears also on the website set up to provide information on a class-action suit filed in reaction to repeated data breaches at the University of Hawaii:
This class action lawsuit was filed on November 18, 2010 on behalf of more than 100,000 University of Hawai'i faculty, staff, alumni, students, and guests who were victims of one of four data breaches by the University of Hawai'i in the last eighteen months. Class members' names, social security numbers, dates of birth, credit card and other personal information were exposed.
Neither the newspaper article nor the Morrison letter explicitly states that the data was not encrypted. However, if it had been, then no data breach would have occurred, and no letter would have been necessary.
The reporter might have asked about encryption, however, if for no other reason than to provide readers with a complete report.