Unencrypted Lost Tape Affects 230 Retailers
Lucas123 tells us that a backup tape lost by Iron Mountain reportedly contains credit card information from 650,000 customers. The unencrypted tape also holds Social Security numbers for 150,000 customers. Quoting the Computerworld article:
"Although J.C. Penney was the only company that Jones would confirm as affected by the missing tape, that retailer accounts for just a small percentage of all accounts that were compromised. In total, 230 retailers are affected by the breach. 'Clearly that number includes many of the national retail organizations,' he said."
Broken system (Score:4, Interesting)
Re:Keyword: Unencrypted (Score:5, Interesting)
When one of our high-street banks in the UK lost the details of quite a large number of customers, none of the major news agencies I saw reported that it was encrypted. It was all "bank loses details", "customers at risk", "think of the bank details (and children)!". It took a bit of digging to find out that company policy was that hard disks were encrypted and that this one apparently was as well.
Re:Unencrypted? (Score:3, Interesting)
MBAs are taught first and foremost to ditch "common sense" because their acute knowledge is supposedly vastly "superior" to common knowledge.
Re:Keyword: Unencrypted (Score:3, Interesting)
In this case, the stolen tape would include lots of plaintext data, but the sensitive data would be unintelligible. The only way to read the sensitive data is to retrieve the backup of the Oracle wallet also.
* as long as the encrypted columns do not require a range scan of an index (which obviously wouldn't work), but when are you range-scanning a credit card number or SSN?
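The arrangement the comment above describes, as an added example that is not code from the thread or from Oracle: the sensitive columns are encrypted under a master key that lives in a separate wallet, so a tape holding only the table dump carries plaintext for the ordinary columns and opaque tokens for the encrypted ones, and only someone who also has the wallet can read them. The SSN column is encrypted deterministically (the same reason Oracle's NO SALT clause exists, so an equality index still works on the column), while the card column gets a random nonce per row. The cipher here is a stdlib-only stand-in built from HMAC-SHA256 in counter mode with an HMAC tag; it is not AES and not what Oracle uses, and the column names and sample rows are constructed for the example.

```python
import hashlib
import hmac
import os

# Columns a backup tape must not expose in the clear. "nosalt" columns get
# deterministic ciphertext so an equality index still works on them;
# "salt" columns get a fresh random nonce per row. (Example convention.)
ENCRYPTED_COLUMNS = {"ssn": "nosalt", "card": "salt"}


def new_wallet() -> bytes:
    """The master key. Lives in the wallet, never on the data tape."""
    return os.urandom(32)


def _subkeys(master: bytes):
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for a real block cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_value(master: bytes, value: str, mode: str = "salt") -> str:
    enc_key, mac_key = _subkeys(master)
    pt = value.encode()
    if mode == "salt":
        nonce = os.urandom(16)
    else:  # deterministic: nonce derived from the plaintext (SIV style)
        nonce = hmac.new(mac_key, b"nonce" + pt, hashlib.sha256).digest()[:16]
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return (nonce + ct + tag).hex()


def decrypt_value(master: bytes, token: str) -> str:
    enc_key, mac_key = _subkeys(master)
    raw = bytes.fromhex(token)
    nonce, ct, tag = raw[:16], raw[16:-16], raw[-16:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong wallet")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def backup_table(rows, master):
    """What lands on the tape: plaintext ordinary columns, tokens for encrypted ones."""
    out = []
    for row in rows:
        copy = dict(row)
        for col, mode in ENCRYPTED_COLUMNS.items():
            copy[col] = encrypt_value(master, row[col], mode)
        out.append(copy)
    return out


def restore_table(tape, master=None):
    """With the wallet: full rows. Without it: encrypted columns stay opaque (None)."""
    out = []
    for row in tape:
        copy = dict(row)
        for col in ENCRYPTED_COLUMNS:
            copy[col] = decrypt_value(master, row[col]) if master else None
        out.append(copy)
    return out


def find_by_ssn(tape, master, ssn):
    """Equality lookup on the deterministic column without decrypting every row."""
    token = encrypt_value(master, ssn, "nosalt")
    return [row for row in tape if row["ssn"] == token]


# Constructed sample rows for the example, not real customer data.
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Customer", "ssn": "000-00-0001", "card": "4000000000000001"},
    {"id": 2, "name": "B. Customer", "ssn": "000-00-0002", "card": "4000000000000002"},
]


def demo():
    wallet = new_wallet()
    tape = backup_table(SAMPLE_ROWS, wallet)
    return tape, restore_table(tape), restore_table(tape, wallet), find_by_ssn(tape, wallet, "000-00-0002")
```

The same property shows why a range scan on an encrypted column cannot work: equality on the deterministic token is a byte comparison, but the token order bears no relation to the plaintext order, so `ssn BETWEEN x AND y` would have to decrypt every row first. Note also that a wrong wallet fails the tag check rather than returning garbage.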
Re:Broken system (Score:3, Interesting)
The solution to that, which is implemented by more than one company I deal with, is to only validate a randomly selected subset of the password. "Can you confirm the third and fifth letters of your password please Sir." The person in the call centre doesn't know your entire password and an eavesdropper would need to listen to several calls to get the entire password. It's not perfect, but it requires no physical device (which anything good enough to satisfy a cryptographer surely would) and regular people can generally manage to do it just fine.
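One way to build the partial-password check the comment above describes, added here as an example and not code from the thread or from any bank: the server keeps one keyed tag per character position instead of the whole password, picks a random subset of positions for each call, and checks only those. The per-position storage and the server-side key are assumptions about how such a system might be built, not a description of a real deployment. Because each position holds a single character, an attacker who has both the tag store and the key can enumerate it, so the key has to stay out of the backup (in practice an HSM, which this example does not model). The `eavesdropper_view` function shows what someone overhearing several calls accumulates.

```python
import hashlib
import hmac
import os
import secrets


def enroll(password: str, server_key: bytes) -> dict:
    """Store one keyed tag per character position rather than the full password.
    server_key is an assumed server-side secret, kept apart from this record."""
    salt = os.urandom(16)
    tags = []
    for i, ch in enumerate(password, start=1):
        msg = salt + i.to_bytes(2, "big") + ch.encode()
        tags.append(hmac.new(server_key, msg, hashlib.sha256).digest())
    return {"salt": salt, "length": len(password), "tags": tags}


def challenge(record: dict, count: int = 2, rng=secrets.SystemRandom()) -> list:
    """Pick the positions the agent will ask for (1-based, as read out on the phone)."""
    return sorted(rng.sample(range(1, record["length"] + 1), count))


def verify(record: dict, server_key: bytes, positions: list, answers: list) -> bool:
    """Check only the requested positions; every position is compared, no early exit."""
    if len(positions) != len(answers) or not positions:
        return False
    ok = True
    for pos, ch in zip(positions, answers):
        if not 1 <= pos <= record["length"]:
            return False
        msg = record["salt"] + pos.to_bytes(2, "big") + ch.encode()
        tag = hmac.new(server_key, msg, hashlib.sha256).digest()
        ok &= hmac.compare_digest(tag, record["tags"][pos - 1])
    return ok


def eavesdropper_view(calls: list) -> dict:
    """What someone who overheard several calls knows: position -> character."""
    known = {}
    for positions, answers in calls:
        for pos, ch in zip(positions, answers):
            known[pos] = ch
    return known


def demo():
    # Constructed example password and key; not real credentials.
    key = os.urandom(32)
    record = enroll("correct horse", key)
    asked = challenge(record)
    spoken = ["correct horse"[p - 1] for p in asked]  # what the caller reads out
    return asked, verify(record, key, asked, spoken)
```

The agent's screen only ever shows the positions asked and a pass/fail result, which is the property the comment is after; the record itself never contains the password as one string.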