#SearCh<3Bar#


Tuesday, July 10, 2007

Big company, crap security

I'll tell you a secret. If you're looking for a security consultant during the day and he's not in the office, you might find him in a neighborhood coffee shop consuming large doses of caffeine, and using a laptop with wireless net access. It's nice to people watch, catch up on the news, review technical articles and yes, even work, while enjoying that magic elixir (coffee) thanks to the wonders of Wi-Fi. I find it a great way to take a break.
I wandered back to my seat, a little stunned and a little proud. People, businesses, even small coffee shops - they were finally starting to understand the value of security. I entered my randomly generated name and password, fired up my browser and began to catch up with the geek news I had fallen behind on.
Each incident is troubling for different reasons. In the case of Choicepoint, their business is quite literally in information. Yet they have continually failed to protect our personal information, as this is certainly not their first security breach. Two things about this situation terrify me. First, we have no choice in our involvement with Choicepoint. If you have a credit card, have filled out credit forms and applied for credit, or bought something on credit - you're in their system. We're not customers to them, we are merely bits of information and records in their massive database. What incentive do they have to protect us? Secondly, the only reason Choicepoint was obligated to release this information on the security breach is due to a California law that requires a company to inform California residents that their identity might have been compromised. If that law did not exist would we have ever heard about this? It's doubtful.
Bank of America's data loss is alarming too. Certainly, as a bank they have experience in fraud and obviously understand how costly it can be. Perhaps this was a logistical error and the tapes will turn up in a few weeks. But look at it like this: let's assume someone did get hold of this information, say, 10 per cent of it. And of that 10 per cent (120k records), 10 per cent of those records get used in some sort of scam for a mere thousand dollars each, a very conservative estimate. That's 1.2m dollars in fraud. Let's compare this story to one where armed robbers intercepted a bank truck and made off with more than a million dollars. You can bet it would be headline news across the nation. Now, let's factor in the manpower and time lost for the individuals and companies involved - such a sum is nothing to scoff at. Identity theft is quickly becoming the modern criminal activity, with a low risk and high reward. I can confirm first hand how devastating this can be for the individuals involved. Time, money, reputations are lost or put on hold indefinitely. And in this case we have a major company that accidentally loses 1.2 million credit profiles. That is simply unacceptable.
T-Mobile has had a security problem for several months. The press got wind of three high profile breaches recently, but how many more are there? And why have the problems not been fixed? Once again, we may not be getting the full story, and perhaps these hacks were the result of some rather low-tech errors. But if they aren't, how poorly does this reflect on T-Mobile and their reaction time?
Each company above has an obligation to protect our information while it is in their possession, but too many seem to be failing. What will it take for them to resolve their security issues? Drops in revenue, class action lawsuits or congressional regulation? Security, both for a company and its customers, is a necessity and a selling point in today's economy. We see normal people taking this into account every day. I have neighbors calling me about spyware protection, relatives recognizing what SSL-enabled websites are, clients requesting more security layers, and friends shredding their private mail. Why then is it so hard for the big companies to take security seriously? When will these companies "get it"?
