[hurin]

It seems like every 2 or 3 months there is data-breach in the news and a bunch of plain-text info is stolen. And ever-time I am inclined to imagine the companies storing in plain-text would think "oh we should change something about this"

But then it happens again 2 or 3 months later anyways ...

[yeukhon]

Before we go to encryption, let's talk about all the SSN you put on paper you file for bank, government, employment. That's right. They are all in clear. Whatever you sent to your employer over email (rather than fax) are still in clear.

A lot of these attacks are trojan already breached the network and insider attacker. The latter is often due to infection (e.g. USB, browsing problematic website). Encrypting file, encrypting SSN field is not a full solution but is definitely a really good solution.

[tjl]

What surprises me most is that the US doesn't seem to have the same law as here in Canada. Here, pretty much only the bank, government, or your employer can ask for your social as that's the law. Plus, they don't send it in the clear on-line. You'll get receipts either from a secure Web site or physically mailed to your address.

[hurin]

Tax and Identity Fraud are not anything new - but the way they are accomplished has changed significantly.

Sure you can physically intercept mail - but there is a huge difference in magnitude. I wager you could not in any practical way intercept millions (or even thousands) of paper records without being traced.

That's why these poorly protected digital records are such a gold mine.

[spacemanmatt]

It's of no use when it's encrypted.

Oh, right, decrypt it real quick in the app, right? How will you protect that decryption key?

[hurin]

Decryption can require several servers to participate rather than one - don't allow for a privileged user on one server to have an easy path way to access and escalate on another server.

From the way it looks, the security precautions they are failing at are so trivial that most developers probably have more secure personal servers / computers.