
A Breach of Security

Computer break-in could leave current and former employees of San Diego County vulnerable to identity theft.

Welcome to the 21st century, where anything imaginable is available at the click of a mouse. For thieves with a degree of technical savvy, that online cornucopia includes components of people's identities, such as Social Security numbers, birthdates, addresses and full legal names.

For these malicious hackers, the goal is to break into a computer system, obtain others' vital information and open fraudulent credit card or checking accounts. With databases chock-full of valuable personal records, breaking into a system is akin to robbing a bank -- except thieves can perform their deeds from anywhere in the world.

"Identity theft is the crime of the Information Age," said Linda Foley, co-executive director of the Identity Theft Resource Center, a national nonprofit dedicated to fighting identity theft. The center provides consumer and victim support, and advises governmental agencies, legislators and companies on identity theft.


San Diego Targeted
Two servers at the San Diego County Employees Retirement Association (SDCERA) were among the latest targets, getting breached by malicious hackers in July 2005. More than 32,000 current and former San Diego County employees have been made vulnerable to identity theft, and the closely guarded addresses of 5,000 law enforcement personnel may have been exposed.

How did this happen, and what's being done to prevent future break-ins? Is government more at risk than private industry?

Answering the first question is tough.

"The story is not being discussed due to an active investigation," said Foley, adding that she offered her agency's services to SDCERA but was denied. "This is standard operating procedure. When you are on the trail of a thief, you don't go public."

She said the San Diego Computer and Technology Crime High-Tech Response Team (CATCH) is leading the investigation, but keeping information to itself.

When the break-in was discovered, the agency issued letters to former and current county employees advising them to contact credit agencies and put a fraud alert on their credit reports. The agency's actions complied with a California state law enacted in 2003 that requires companies or agencies to notify people whose private information may have been accessed by hackers.

The San Diego County Board of Supervisors has voiced concern, but since the SDCERA's computers are independent of the county system, the board is not actively involved in the investigation.

"SDCERA serves county employees, but they are not part of our IT contract," said Mike Workman, San Diego County spokesman. "I was not briefed since the outage was not ours. I don't have details other than what was reported."

Some of those details include determining how much personal information -- if any -- the hackers obtained. Since the SDCERA is not talking, that question has not been answered. Foley said too many factors are involved to know right away if the information was viewed or copied.


Control the Information
The break-in remains a whodunit for now, but that doesn't mean the SDCERA will fall prey to hackers again.

"It's not an uncontrollable disease," Foley said. "It's a situation that can be restricted and limited if certain things were to change -- including better information control."

Information control is what guided the San Bernardino County Employees' Retirement Association when it set up protection levels for its database.

Mark Jolicoeur, the association's chief of Information Services, said he uses an array of measures to guard against breaches, including firewalls and wide area network and local area network (LAN) security policies and configuration. He also insists that user names and passwords be used at local machines.

"Intrusion detection software is most common and is what we use," Jolicoeur said. "It consists of reports and logs used to monitor hits and pings."

He also employs a small sub-network, known as an Internet DMZ, which sits between the association's network and the Internet. DMZ -- short for demilitarized zone -- is a military term for a buffer area between two enemies.

There are also switches, routers and firewalls with configuration settings and security policies.

"We also use SSL [Secure Socket Layer] for transfer of data across the Internet," he added. "This is a tunneling protocol and uses encryption."

Hackers might not leave fingerprints, but they are traceable by tracking the Internet protocol address of the computer the attacker used, Jolicoeur said.

"If the culprit originated from the inside, then the LAN firewall logs and system audit logs would provide the trail," he said.


Tip of the Iceberg
Other agencies and businesses have not enjoyed the same success.

Foley's Web site lists 96 computer systems that have been hacked this year. Two-thirds of those sites are government property, with colleges and universities leading the list. Boston College and the University of California, Berkeley had break-ins that may have exposed personal information of 100,000 people at each school. The University of Colorado leads the pack with three breaches this year.

Public agencies of all sizes and from all regions have been hacked, including the Nevada Department of Motor Vehicles, a high school in Ohio, the Virginia Department of Criminal Justice Services and the California Department of Health Services.

These statistics might indicate that government sites are leading targets for hackers, especially since they tend to hold voluminous information and are the most likely to contain Social Security numbers. But Foley said it's difficult to determine if government computers are more vulnerable.

"We don't hear about every computer breach at a private business unless their clients tell the media and then the media reports it," Foley said. "We don't know how many private companies out there have been breached."

She said the violations her agency knows about are only the tip of the iceberg.

"These are just the high-profile cases."