Unencrypted Lost Tape Affects 230 Retailers

Posted by Soulskill on Sunday January 20, @10:02AM
from the keep-an-eye-out dept.
Lucas123 tells us that a backup tape lost by Iron Mountain reportedly contains credit card information from 650,000 customers. The unencrypted tape also holds Social Security numbers for 150,000 customers. Quoting the Computerworld Article: "Although J.C. Penney was the only company that Jones would confirm as affected by the missing tape, that retailer accounts for just a small percentage of all accounts that were compromised. In total, 230 retailers are affected by the breach. 'Clearly that number includes many of the national retail organizations,' he said."

  • Unencrypted? (Score:2, Insightful)

    If companies want to store customers' credit card numbers and social security numbers for years on their systems, could they at least use common sense? The backup tape should have at least been encrypted, and should have been behind lock and key.
    • Re: (Score:3, Interesting)

      If companies want to store customers' credit card numbers and social security numbers for years on their systems, could they at least use common sense?
      Common sense is in notorious short supply the further you go up the management chain. Nowadays, compan
      • Companies more and more are being run myopically for quarterly profits. Why would anyone at the higher levels care about things like long term data storage since that has nothing to do with the next quarter's profits?
    • I'm being a bit facetious here, but why bother? I've yet to see any significant punishments handed down with any of these cases, so where's the deterrent factor when things go wrong?

      Of course anybody with half a brain knows sensitive information should al
      • Re: (Score:2)

        If that ever happened to my data, I would sue to recover damages plus opportunity costs from having to sort out any problems that may arise, plus the option for future damages arising from any identity theft from the lost tape. Having the credit card infor
        • Re: (Score:2)

          It probably has happened to your data, if you have a credit card. How would you know? Only a small proportion of cases get reported, and even when they do, like in this case, they have only released the name of 1 retailer out of 250? So when someone steals
    • in business can reduce profits. Guess which wins?
  • So what's so hard about implementing encryption? Seriously. It's easy to implement and use and it can put MANY minds at ease knowing that recovery of the data is virtually impossible. I still think the UK is on the right track with the law punishing the
    • Re:Keyword: Unencrypted (Score:5, Interesting)

      by IBBoard (1128019) on Sunday January 20, @10:27AM (#22116876) Homepage
      The problem with encryption is that the news agencies still don't report it to make people feel that bit safer.

      When one of our high-street banks in the UK lost details of quite a large number of customers' details then none of the major news agencies I saw reported that it was encrypted. It was all "bank loses details", "customers at risk", "think of the bank details (and children)!". It took a bit of digging to find out that company policy was that hard disks were encrypted and that this one apparently was as well.
        • Re: (Score:2)

          That's the Government losing data on CDs posted internally, though, not a high street bank having a laptop stolen. You're less likely to encrypt internally posted media than you are the disk of a device that has "steal me!" written all over it.
          • Re: (Score:2)

            Yet, to the best of my knowledge, most information theft happens internally.
            It's a lot easier to keep quiet though.
    • Re: (Score:3, Interesting)

      The answer is: it's not hard at all. If we can assume GE Money is using Oracle, it has had TDE (transparent data encryption) since 10g. All they have to do is alter a column, setting the 'encrypt' option, and suddenly its contents are stored on disk as e
        • Re: (Score:2)

          Same method, but the keys would be different. You'd have to get your hands on the keys in the Oracle wallet, which is in a file outside the database and should be backed up separately.
          • Re: (Score:2)

            the Oracle wallet [...] should be backed up separately.

            "Hey, I've just had an idea. Why are we paying for two separate backups which get handled in two different ways? Wouldn't it make a lot more sense to just consolidate everything onto one backup solu

    • Re: (Score:2)

      So what's so hard about implementing encryption?

      One reason I've heard for not doing it, from more than one sysadmin over the years, is that encrypted data is more susceptible to errors. In other words it's unreliable, not too hard to do. A couple of bad

  • Broken system (Score:4, Interesting)

    by a_nonamiss (743253) on Sunday January 20, @10:19AM (#22116844)
    Honestly, how long until someone realizes the current system is broken? We can't hope to keep our Social Security numbers secret indefinitely. We have everything in your life tied to this one, unchangeable number. The credit system needs to be overhauled so that it doesn't matter if you have my name, address, SS# and mother's maiden name. Just off the top of my head, how about a challenge-response system. In a secure manner, I set a secret password. For more security, you could even set single-use passwords. When I go out to get credit, I tell someone on the phone my password. Someone else goes out and tries to get credit without my password and they get arrested. It's not perfect, but a hell of a lot better than what we have now. And it took me 5 minutes to think that up. I bet someone with 6 weeks and half a million dollars could come up with an even better way.
    • Re:Broken system (Score:4, Insightful)

      by elronxenu (117773) on Sunday January 20, @11:06AM (#22117088) Homepage
      You tell someone on the phone your password. That person now knows your password. You forget to change it afterward, and that person now gets _different_ credit in your name.

      I think any system in which you, the user, have to hand over your secrets to some third party to authenticate yourself, is just going to suffer from the same kind of problems. This is just like payment by credit card. You hand over the secret number to restaurants and shops whenever you use the card.

      You really need to be able to authenticate yourself without handing over any secrets, i.e. by using some kind of protocol where you prove that you _have_ a secret (such as a CC# or SSN) without any requirement to reveal what it is.
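An added example, not part of the original comment or thread, of the kind of protocol the comment above describes: the customer answers a one-time challenge with a MAC instead of handing over the secret. It assumes an HMAC-SHA-256 key shared only between customer and issuer; `Issuer`, `respond` and the account and merchant names are hypothetical.

```python
import hashlib, hmac, json, secrets

def respond(key, nonce, merchant, amount_cents):
    # Customer side: MAC over the issuer's nonce plus the transaction details.
    # The merchant relays only this value and never sees the key.
    msg = json.dumps([nonce, merchant, amount_cents]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Hypothetical card issuer: holds customer keys and issues challenges."""
    def __init__(self):
        self._keys = {}
        self._open = {}  # nonce -> (account, merchant, amount_cents)

    def enroll(self, account):
        key = secrets.token_bytes(32)
        self._keys[account] = key
        return key  # provisioned once into the customer's card or device

    def challenge(self, account, merchant, amount_cents):
        nonce = secrets.token_hex(16)
        self._open[nonce] = (account, merchant, amount_cents)
        return nonce

    def verify(self, nonce, response):
        ctx = self._open.pop(nonce, None)  # each challenge is single use
        if ctx is None:
            return False
        account, merchant, amount = ctx
        expected = respond(self._keys[account], nonce, merchant, amount)
        return hmac.compare_digest(expected, response)

def demo():
    issuer = Issuer()
    key = issuer.enroll("acct-1")                     # constructed sample data
    n1 = issuer.challenge("acct-1", "shop-a", 1999)
    r1 = respond(key, n1, "shop-a", 1999)
    first = issuer.verify(n1, r1)     # genuine response is accepted
    replay = issuer.verify(n1, r1)    # same nonce again is rejected
    n2 = issuer.challenge("acct-1", "shop-a", 99999)
    reused = issuer.verify(n2, r1)    # old response fails a new challenge
    return first, replay, reused

if __name__ == "__main__":
    print(demo())
```

A response captured by the merchant is useless for any later transaction, because it is bound to one nonce, one merchant and one amount.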

      • Re: (Score:3, Interesting)

        Absolutely. And we've had this ability since the 70s (Diffie-Hellman, anyone?).
      • Re: (Score:3, Informative)

        Chip-cards do it - for example the EMV (europay-mastercard-visa) standard credit/debit cards - the card proves its 'realness' by being able to execute cryptographical challenge-response, but not revealing (and thus, not allowing to copy) the secret key to
      • Re: (Score:3, Interesting)

        You tell someone on the phone your password. That person now knows your password.

        The solution to that, which is implemented by more than one company I deal with, is to only validate a randomly selected subset of the password. "Can you confirm the third

    • Re: (Score:2)

      What we need is a system where the number that you provide is keyed to a specific retailer for a specific transaction of a specific monetary amount at a specific moment in time. So that even if (when) someone gets your number in the clear, they can't use i
    • Re: (Score:2)

      Consider that the average consumer has to call his or her mother to ask what a maiden name is. Why do you think that these people will be able to deal with actual security?

      The current system is simple enough for a five year old to deal with because that'

    • Re: (Score:2)

      It's ridiculous that this system persists in its present form as it does. We need a malpractice code for the credential industry as strong as the medical and legal malpractice codes. I tagged this article "dataspill visavaldez". Of the two, I like the s
      • That's similar to Barclays Bank's new online banking login system.

        It goes like this:
        1: Enter your Surname and online banking membership number (12 digits). Both can optionally be saved after a successful login.
        2: Enter the last 4 digits of one of your card
  • Social Security? (Score:5, Insightful)

    by IBBoard (1128019) on Sunday January 20, @10:30AM (#22116896) Homepage
    Okay, so I'm British and don't know how the American system works (only visited once) but social security numbers? What were people buying such that they were customers on this tape and had their SS# recorded? As close as we get is our National Insurance number (for benefits and pension contributions) and I've never known of anyone other than an employer who needs to know it.
    • Re: (Score:2)

      Many people opt to get an in-store charge card in the United States (which is a line of credit), and this requires a Social Security # to open.

      The horrible part is this:

      After reconstructing the data that was on the missing tape, GE Money began sending out letters to those affected by the breach in December. The company has set up a toll-free number and is offering one year of free credit monitoring services to those affected by the breach.


      Which is the equivalent of "We lost a number that is permanently critical for
      • Re: (Score:2)

        Why isn't there a system whereby people are issued new SSNs and their old account data is migrated, and the old number invalidated? The government could charge an assload (1.7 arseloads) for it and demand there be a good reason to do such things, so peopl
        • Re: (Score:2)

          Because one of the 'business rules' for SSNs is that they are permanent and no new numbers can be entered. Basically, the folks who set up the system were worried about one person getting several valid SSNs and attempting to use them all for fraudulent pu
    • Re: (Score:2)

      It was probably either part of a customer registration database, or the SSNs were the primary keys for the records.

      Many retailers offer convenient 10% off discounts or no-interest financing if a customer opens a branded credit card at the checkout kiosk. P
    • Re:Social Security? (Score:4, Insightful)

      by hey! (33014) on Sunday January 20, @10:46AM (#22116986) Homepage Journal
      Because you've got functioning privacy laws that require risks to personal data be addressed in advance. In the US, we wait until a situation becomes so intolerable that people are boiling pitch and collecting feathers, at which point the narrowest possible ad hoc law is drafted by lobbyists and rubber stamped by Congress.
    • Well, it is simply a typical American fsckup. People get issued this one simple guessable number, for life, and everything uses it. Without this number, a USAsian almost doesn't exist. Since illegal immigrants don't have a SSN, the police have a hard ti
      • Re: (Score:2)

        To use that kind of number isn't American Specific.

        Here in Sweden you get a number at birth we call "Personal Number".

        It's basically Year-Month-Day-HHYX

        Where HH is the code for your hospital, Y is a number showing your gender (odd = man, even = woman) and
        • Re: (Score:2)

          Like the SSN can be used to find your entry in a database, but it should not be usable to take money from your account, for that they better know a real secret like your password or sign with your signature.
          That's already true. That's not the exploit under discussion. Identity theft is not about breaking an existing trust relationship between you and one of your financial associations. That's a separate class of scam (and while an SSN might help with it,
          • Re: (Score:2)

            I don't know of any way to get an anonymous credit card in Sweden, it might be possible though.

            We have had parts of your problem in another way though with the so called "SMS Loans" where you can take a loan with your mobile phone with no actual ID or Cred
    • Living in the United States has given me a disturbing impression of the use of social security numbers. They are used to track all kinds of things. Many stores require an SSN for store cards. More than a few stores (mostly for higher-value goods) require S
    • Re: (Score:2)

      I never understood why the American SSN needs to be kept secret, all Swedish citizens have a similar number based on your date of birth (yymmdd) + four digits that makes it unique. A lot of online stores, communities and such, that want confirmation of yo
      • That's the problem - no additional verification is usually asked for in addition to the SSN. It *shouldn't* be a key to unlock financial access (new accounts, access to existing ones, etc), but that's how it has evolved.

        Of course, it may simply be that
      • Re: (Score:3, Informative)

        My Massachusetts license doesn't have my social security number.

        It was a known scam for some time to cause an accident on purpose (swoop and squat scam http://www.fbi.gov/page2/feb05/stagedauto021805.htm [fbi.gov] ) on a very nice vehicle perceived to have a high va
        • My Illinois driver's license doesn't have my social security number either.

          The state used to offer you the option of having your SSN printed on the license for convenience, because merchants would use it to verify checks, but the folks at the driver service
        • Then Massachusetts isn't in compliance with REAL ID yet. Not that they should be, of course.
      • Re: (Score:2)

        even though logic says my old age benefits have absolutely nothing to do with my ability to drive a car.

        Wasn't there a South Park episode about that?
  • Why the hell don't people get put in prison when this happens? Ridiculous.
  • Funny guys (Score:2)

    I'm sure John Cleese can come up with a good excuse for this mishap. See the advert he did for them [friendlyad...achine.com]

  • Encryption is hard, because key management is hard. Instead of sending one file, you have to send two, through totally different channels.

    Well, "have to" is relative. A huge amount of the time you see "encryption", the decryption key is right there next
  • Iron Mountain is possibly the most antiquated, ass-backwards, idiotic, incompetent company on the planet. In 2006, they were quite excited because they were about to move away from a program that ran on DOS 3.3, and required hand-entry of tape and company
    • Re: (Score:2)

      I'm not sure I follow how a VTL would prevent this kind of mishap from occurring? If you still need to store the data offsite, someone could just as easily lose the drives from your VTL.
        • Re: (Score:2)

          That's similar to our setup, we have an IP SAN cluster at two locations which sync over a dedicated line. We do still create tapes for archival purposes and offsite backup. IMO having replication is not a replacement for that.
            • Re: (Score:2)

              They're not encrypted yet, but our company is still very young, and I just took over as the system administrator. We're definitely going to start encrypting them once I finish putting the rest of our backup solution in place.
                • Re: (Score:2)

                  Well, all the data we have is from our simulations, we don't keep any customer information. More specifically, we're not at all into E-commerce or anything remotely related. If that were the case, there's no way I'd feel comfortable with things as they ar
      • Why does JCP have customers' Social Security numbers!!!!

        If someone wanted my SocSec to buy linens, I'd tell 'em where to stuff the sheets.