The latest TalkTalk breach of millions of records of personal information would almost be a non-story these days if not for its slightly larger than usual scale. The familiar scenario that plays out starts with fudged communications from the organisation, claiming the data was ‘secure’ yet not actually encrypted, of course. This was followed up with misleading assurances that ‘only’ personal information was breached rather than full credit card information, followed by the collective groans of better-informed people who once again have to point out how such personal information is routinely laundered via various credit agencies by cyber-crooks.

TalkTalk: Just another immutable personal data storage system

A former government technology adviser called for the ICO to perform more frequent audits and to levy stronger fines on organisations not meeting PCI DSS technical and data-processing security standards for financial data, something we’ve heard a million times before.

Other responses included the usual FUD:

[cybercrime is] probably the biggest threat to our economy — Hazel Blears

and presumably well-intentioned calls for structured compensation schemes:

I’m calling for a code of practice to encourage companies to take greater responsibility for data loss so that if an insurer loses your details and you get a hundred calls a week flogging PPI they have to compensate you — Chi Onwurah

Yet once again we see personal, non-changeable information inevitably breached from insecure systems (i.e. typical systems). Is the information distributed between functions so that call centres, billing and technicians each see only the information they need to see? Of course not, because bloated billing data is used as security token, payment anti-fraud check and contact information all at once, ensuring a giant honeypot of data accumulates centrally.

As I’ve written about previously, the credit card companies’ dangerous use of personal information (e.g. home address) to augment horribly reused credit card numbers (so you can never tell where they were breached) creates this centralisation of personal data that is so attractive to cyber-crooks.

Where are the politicians demanding more modern and accountable payment standards? Where are the calls to fine companies for storing unnecessary personal information in the first place?

They appear to be looking to the US for the likes of HIPAA, which is simply a more mature compliance framework with a stronger fine-based system.

When you accept the inevitability of data breaches, and the very significant cost of complex mitigating controls, the conclusion must be to move to systems which can function without storing personal information in the first place.