While we all know that successful information security efforts require the marriage of technology and process, sometimes simple controls -- such as the use of strong authentication and behavior profiling -- can make a big difference.
I also found it strange that an Experian official was quoted in the Times article as saying, "It just shows that today, even big companies can be victimized." While large companies are indeed juicy targets, in this particular case the real victims are those 13,000 people whose confidential information was stolen. While Experian may be able to cancel the stolen Ford IDs, those consumers will never be able to put their genies back into the bottle.
In the real world, you can't just reset your Social Security number and change all your bank accounts through a Web browser. This complexity brings up an additional point: Data varies not only in value and confidentiality but in usefulness over time. For example, if I'm going to steal someone's identity, chances are that the victim's Social Security number is going to be the same 10 years from now as it is today. Organizations need to take the life span of their data into consideration when examining the controls they'll want to use to protect it.
Which leads me to my final observation: As an information security consultant, I am constantly challenged when my suggestions revolve around implementing stronger security mechanisms. Our industry talks about "standard" and "best" practices, but when push comes to shove, many managers simply want to know what the other guys are doing. This might be an acceptable practice if most organizations weren't in a completely vulnerable position. But if the standard practice is to exist in a "pants down" state, which companies are going to be the first to admit that they're naked?