Unencrypted Lost Tape Affects 230 Retailers

Lucas123 tells us that a backup tape lost by Iron Mountain reportedly contains credit card information from 650,000 customers. The unencrypted tape also holds Social Security numbers for 150,000 customers. Quoting the Computerworld Article: "Although J.C. Penney was the only company that Jones would confirm as affected by the missing tape, that retailer accounts for just a small percentage of all accounts that were compromised. In total, 230 retailers are affected by the breach. 'Clearly that number includes many of the national retail organizations,' he said."

VTL

[jb1z]

This is one of the many reasons we're moving to a VTL. I might just use this incident as a little nudge to speed up the implementation.

Re:

[Jeremiah Cornelius]

Why does JCP have customers Social Security numbers!!!!

If someone wanted my SocSec to by linens, I'd tell 'em where to stuff the sheets.

Re:SSNs

[nullchar]

JC Penny and other retailers probably stored the SSNs when their customers signed up for a branded credit card.

Is saving 10% on a few hundred dollar purchase really worth your financial identity?

Re:

[kisielk]

I'm not sure I follow how a VTL would prevent this kind of mishap from occurring? If you still need to store the data offsite, someone could just as easily lose the drives from your VTL.

Re:

[jb1z]

Instead of backing up to tape and having the tapes sent off-site, we're replicating the data over an IPSec tunnel to another facility of ours.

Re:

[kisielk]

That's similar to our setup, we have an IP SAN cluster at two locations which sync over a dedicated line. We do still create tapes for archival purposes and offsite backup. IMO having replication is not a replacement for that.

Re:

[jb1z]

Are your tapes encrypted? Neoscale appliance or something similar?

Re:

[kisielk]

They're not encrypted yet, but our company is still very young, and I just took over as the system administrator. We're definitely going to start encrypting them once I finish putting the rest of our backup solution in place.

Re:

[kisielk]

Well, all the data we have is from our simulations, we don't keep any customer information. More specifically, we're not at all in to E-commerce or anything remotely related. If that were the case, there's no way I'd feel comfortable with things as they are now...

Unencrypted?

[Doug52392]

If companies want to store customers credit card numbers and social security numbers for years on their systems, could they at least use common sense? The backup tape should have at least been encrypted, and should have been behind lock and key.

Re:

[Pig Hogger]

If companies want to store customers credit card numbers and social security numbers for years on their systems, could they at least use common sense?

Common sense is in notorious short supply the further you go up the management chain. Nowadays, companies are run by types with a sheet of paper stamped with the magic letters "MBA", which means that the bearer has been infused with knowledge that is supposed to increase profits.

MBAs are taught first and foremost to ditch "common sense" because their acut

Re:

[riseoftheindividual]

Companies more and more are being run myopically for quarterly profits. Why would anyone at the higher levels care about things like long term data storage since that has nothing to do with the next quarters profits?

Re:

[GoodbyeBlueSky1]

I'm being a bit facetious here, but why bother? I've yet to see any significant punishments handed down with any of these cases, so where's the deterrent factor when things go wrong?

Of course anybody with half a brain knows sensitive information should always be encrypted, but these security breaches always seem to affect marketing, tracking and government agencies. You're lucky if you find someone with a quarter of a brain there.

Re:

[DeadChobi]

If that ever happened to my data, I would sue to recover damages plus opportunity costs from having to sort out any problems that may arise, plus the option for future damages arising from any identity theft from the lost tape. Having the credit card information is one thing, but Social Security Numbers? Christ, that's not a number which should be used as an identifier.

That kind of information is something for which posession should be regulated. Heavily. With enormous civil penalties for noncompliance.

Re:

[mgblst]

It probably has happened to your data, if you have a credit card. How would you know. Only a small proportion of cases get reported, and even when they do, like in this case, they have only released the name of 1 retailer out of 250? So when someone steals your money, who are you going to sue?

The fact is that you agree to these terms when you use a credit card - you agree for the information to be stored by a dozen different companies, most who couldn't care less about your data being stolen.

Common sense...

[msauve]

in business can reduce profits. Guess which wins?

Keyword: Unencrypted

[cyberjock1980]

So what's so hard about implementing encryption? Seriously. It's easy to implement and use and it can put MANY minds at easy knowing that recovery of the data is virtually impossible. I still think the UK is on the right track with the law punishing the company owners when something goes awry and they lose their tapes. Chairman would suddenly take note of yet another way the could get fired, and I'm sure they'd take steps to keep their job.

Re:Keyword: Unencrypted

[IBBoard]

The problem with encryption is that the news agencies still don't report it to make people feel that bit safer.

When one of our high-street banks in the UK lost details of quite a large number of customers' details then none of the major news agencies I saw reported that it was encrypted. It was all "bank loses details", "customers at risk", "think of the bank details (and children)!". It took a bit of digging to find out that company policy was that hard disks were encrypted and that this one apparently was as well.

Re:

[bvimo]

After two CD's containing 15 million bits of info went missing, http://news.bbc.co.uk/1/hi/uk_politics/7104115.stm/ [bbc.co.uk] I had a drink with a couple of my friends and had a chat about the loss.

They didn't know about the password protection, but they knew the data wasn't encrypted.

Re:

[IBBoard]

That's the Government losing data on CDs posted internally, though, not a high street bank having a laptop stolen. You're less likely to encrypt internally posted media than you are the disk of a device that has "steal me!" written all over it.

Re:

[mwvdlee]

Yet, to the best of my knowledge, most information theft happens internally.
It's a lot easier to keep quiet though.

Re:

[mattwarden]

There answer is: it's not hard at all. If we can assume GE Money is using Oracle, it has had TDE (transparent data encryption) since 10g. All they have to do is alter a column, setting the 'encrypt' option, and suddenly its contents are stored on disk as encrypted. No application changes are required*, because Oracle unencrypts the data transparently as it is read from disk.

In this case, the stolen tape would include lots of plaintext data, but the sensitive data would be unintelligible. The only way to rea

Re:

[bvimo]

I assume each installation of Oracle will have its own encryption method. It would be silly if I could transfer the encrypted data from system A into system B.

I am an Oracle ignoramus.

Re:

[mattwarden]

Same method, but the keys would be different. You'd have to get your hands on the keys in the Oracle wallet, which is in a file outside the database and should be backed up separately.

Re:

[Minwee]

the Oracle wallet [...] should be backed up separately.

"Hey, I've just had an idea. Why are we paying for two separate backups which get handled in two different ways? Wouldn't it make a lot more sense to just consolidate everything onto one backup solution and save a bunch of money?"

Re:

[mollymoo]

So what's so hard about implementing encryption?

One reason I've heard for not doing it, from more than one sysadmin over the years, is that encrypted data is more susceptible to errors. In other words it's unreliable, not too hard to do. A couple of bad blocks on an unencrypted tape may lose you a file or two, but could render an encrypted tape unreadable. How true this is I have no idea, I'm a coder not a sysadmin, but it strikes me that encrypting individual files rather than entire tapes would solve t

Re:

[SilentBob0727]

If I'm not mistaken, the amount of data that can be lost to a single corrupted bit with two-way encryption depends on the block size. But a well defined checksum over the encrypted data ensures that some of that data can be recovered, and redundant storage can help this issue further.

But even in the worst case, the cost of losing tons of business and tons of money in lawsuit settlements due to your customers' personal information being compromised far outweighs the cost of the same data being obliterated co

Broken system

[a_nonamiss]

Honestly, how long until someone realizes the current system is broken? We can't hope to keep our Social Security numbers secret indefinitely. We have everything in your life tied to this one, unchangeable number. The credit system needs to be overhauled so that it doesn't matter if you have my name, address, SS# and mother's maiden name. Just off the top of my head, how about a challenge-response system. In a secure manner, I set a secret password. For more security, you could even set single-use passwords. When I go out to get credit, I tell someone on the phone my password. Someone else goes out and tries to get credit without my password and they get arrested. It's not perfect, but a hell of a lot better than what we have now. And it took me 5 minutes to think that up. I bet someone with 6 weeks and half a million dollars could come up with an even better way.

Re:

[Anonymous Coward]

how long until someone realizes the current system is broken?

Everyone knows it's broken, and the credit companies are knowing it all the way to the bank. After all, equifax gets its cash whether it's you or someone else getting a loan. Visa gets its cash whether it's you or someone else using your credit card, and they probably even keep the 1% on top of the charge (if not charging the merchant even more) when someone reverses their charge. Captialism at it's finest.

Re:

[KookyMan]

Actually, some credit card companies are going one better. Now that e-Ink has been proven consumer-worthy (AmazonKindel, Sony's e-Reader) they are going to start putting a small e-paper segment on your credit card where every time you use it, you push a thumb-button on the back of the card and it will produce a new 6 digit card use authorization number. It will be similar to the way SecureID cards work. The number will be good for 1 purchase, and every time you use it, you will have to generate a new num

Re:

[TheThiefMaster]

That's similar to Barclays Bank's new online banking login system.

It goes like this:
1: Enter your Surname and online banking membership number (12 digits). Both can optionally be saved after a successful login.
2: Enter the last 4 digits of one of your cards, put that card into the provided PINsentry(TM) card reader, press "IDENTIFY" and enter your PIN. Enter the 8-digit number you are given into the website.
3: You are now logged in.

Basically someone would need your membership number, card and pin to be able

Re:Broken system

[elronxenu]

You tell someone on the phone your password. That person now knows your password. You forget to change it afterward, and that person now gets _different_ credit in your name.

I think any system in which you, the user, have to hand over your secrets to some third party to authenticate yourself, is just going to suffer from the same kind of problems. This is just like payment by credit card. You hand over the secret number to restaurants and shops whenever you use the card.

You really need to be able to authenticate yourself without handing over any secrets, i.e. by using some kind of protocol where you prove that you _have_ a secret (such as a CC# or SSN) without any requirement to reveal what it is.

Re:

[Anonymous Coward]

You really need to be able to authenticate yourself without handing over any secrets, i.e. by using some kind of protocol where you prove that you _have_ a secret (such as a CC# or SSN) without any requirement to reveal what it is.

Sounds an awful lot like why public key cryptography was invented ...

Re:

[mattwarden]

Absolutely. And we've had this ability since the 70s (Diffie-Hellman, anyone?).

Re:

[Peeteriz]

Chip-cards do it - for example the EMV (europay-mastercard-visa) standard credit/debit cards - the card proves it's 'realness' by being able to execute cryptographical challenge-response, but not revealing (and thus, not allowing to copy) the secret key to anyone in the chain - not the merchant, not the POS terminal used, not the bank that processes the merchant's transaction (and still all these parties can and do verify that the transaction was signed by the billed card, and not injected by some middleman

Re:

[mollymoo]

You tell someone on the phone your password. That person now knows your password.

The solution to that, which is implemented by more than one company I deal with, is to only validate a randomly selected subset of the password. "Can you confirm the third and fifth letters of your password please Sir." The person in the call centre doesn't know your entire password and an eavesdropper would need to listen to several calls to get the entire password. It's not perfect, but it requires no physical device (whic

Re:

[a_nonamiss]

You tell someone on the phone your password. That person now knows your password.

That's why a single-use password set on a secure site would be such a huge improvement. When I go out washing-machine shopping, I know in advance that I'm going to apply for instant credit. Before I pack up and head out to the Buy-More, I just go to a site and get a single use password. I could even get two or three if I know I'm going on a mad spending spree. It doesn't even have to be that secure, because dictionary attacks aren't very useful for a single-use password that expires in 8 hours and has to b

Re:

[xigxag]

What we need is a system where the number that you provide is keyed to a specific retailer for a specific transaction of a specific monetary amount at a specific moment in time. So that even if(when) someone gets your number in the clear, they can't use it for anything else. Even that same retailer won't be able to double bill you or charge you more than you agreed to pay. It'll mean that we'll have to use "smart cards" (or fobs or bracelets) but who cares? There's no reason, even, why you can't use a s

Re:

[Minwee]

Consider that the average consumer has to call his or her mother to ask what a maiden name is. Why do you think that these people will be able to deal with actual security?

The current system is simple enough for a five year old to deal with because that's about how smart the ideal customer is.

Re:

[epine]

It's ridiculous that this system persists in its present form as it does. We need a malpractice code for the credential industry as strong as the medical and legal malpractice codes. I tagged this article "dataspill visavaldez". Of the two, I like the second one better.

Social Security?

[IBBoard]

Okay, so I'm British and don't know how the American system works (only visited once) but social security numbers? What were people buying such that they were customers on this tape and had their SS# recorded? As close as we get is our National Insurance number (for benefits and pension contributions) and I've never known of anyone other than an employer who needs to know it.

Re:

[Coopjust]

Many people opt to get an in-store charge card in the United States (which is a line of credit), and this requires an Social Security # to open.

The horrible part is this:

After reconstructing the data that was on the missing tape, GE Money began sending out letters to those affected by the breach in December. The company has set up a toll-free number and is offering one year of free credit monitoring services to those affected by the breach.

Which is the equivalent of "We lost a number that is permanently critical for your financial future. Sorry. We'll watch your credit for a year; after that, well, good luck!". It's like a huge "Fuck you" from GE Money.

Re:

[Your.Master]

Why isn't there a system whereby people are issued new SSNs and their old account data is migrated, and the old number invalidated? The government could charge an assload (1.7 arseloads) for it and demand there be a good reason to do such things, so people didn't spuriously goof with the system, and then when companies like GE Money fuck up, it could be their responsibility to push this through for the customer.

Re:

[jeff4747]

Because one of the 'business rules' for SSNs is that they are permanent and no new numbers can be entered. Basically, the folks who set up the system were worried about one person getting several valid SSNs and attempting to use them all for fraudulent purposes. Thus it's very, very difficult to get a new SSN.

This leads to interesting problems besides compromised numbers. Several years ago there was a story on the news about a woman who got married. She filed the paperwork, and a clerk at the SS office

Re:

[Hollinger]

It was probably either part of a customer registration database, or the SSNs were the primary keys for the records.

Many retailers offer convenient 10% off discounts or no-interest financing if a customer opens a branded credit card at the checkout kiosk. Perhaps that data was part of these tapes?

Re:Social Security?

[hey!]

Because you've got functioning privacy laws that require risks to personal data be addressed in advance. In the US, we wait until a situation becomes so intolerable that people are boiling pitch and collecting feathers, at which point the narrowest possible ad hoc law is drafted by lobbyists and rubber stamped by Congress.

Re:

[R2.0]

The SSN was never intended to become a national ID number, but that's what it has evolved into. It's the only piece of identification data that is part of a nationwide system and is relatively unique. Organizations just started using the number on their own as an identifier, until it became ubiquitous. There was a small effort to halt this a few years ago, but now even the Feds have admitted defeat - per the REAL ID, ALL driver's licenses (the de-facto ID card in the US) must have the SSN on them, even t

Re:

[BosstonesOwn]

My Massachusetts license doesn't have my social security number.

It was a known scam for some time to cause an accident on purpose (swoop and squat scam http://www.fbi.gov/page2/feb05/stagedauto021805.htm [fbi.gov] ) on a very nice vehicle perceived to have a high value. They would jott down your info including the license # which was your social security # and go on spending sprees with the victims credit info, while also collecting from the insurance company.

Re:

[name_already_taken]

My Illinois drivers license doesn't have my social security number either.

The state used to offer you the option of having your SSN printed on the license for convenience, because merchants would use it to verify checks, but the folks at the driver services office no longer give you that option because of the prevalence of identity theft.

The drivers license number has been unrelated the holder's social security number in Illinois for decades.

Re:

[bigstrat2003]

Then Massachusetts isn't in compliance with REAL ID yet. Not that they should be, of course.

Re:

[antifoidulus]

even though logic says my old age benefits have absolutely nothing to do with my ability to drive a car.

Wasn't there a South Park episode about that?

One short number, for life

[flyingfsck]

Well, it is simply a typical American fsckup. People get issued this one simple guessable number, for life, and everything uses it. Without this number, a USAsian almost doesn't exist. Since illegal immigrants don't have a SSN, the police have a hard time identifying tens of millions of them, since they just don't know how.

It is almost trivial to hijack someone else's identity and obtain credit cards using that number. More enterprising thieves will sell someone else's house after a few minutes of resea

Re:

[Zironic]

To use that kind of number isn't American Specific.

Here in Sweden you get a number at birth we call "Personal Number".

It's basically Year-Month-Day-HHYX

Where HH is the code for your hospital, Y is a number showing your gender (odd = man, even = woman) and X is a control figure calculated to show that its a real number.

Anyhow, I think the problem with SSN is that you somehow think it's secret. If you worked from the opposite assumption that the SSN is as wellknown as your name and should just be used as a p

Re:

[mdfst13]

Like the SSN can be used to find your entry in a database, but it should not be usable to take money from your account, for that they better know a real secret like your password or sign with your signature.

That's already true. That's not the exploit under discussion. Identity theft is not about breaking an existing trust relationship between you and one of your financial associations. That's a separate class of scam (and while an SSN might help with it, other instruments are more beneficial, e.g. a credit card). Identity theft is about pretending to be you when establishing a new financial association in such a way that the benefit goes to the identity thief but the cost goes to you. The problem that ar

Re:

[Zironic]

I don't know of any way to get an anonymous credit card in sweden, it might be possible though.

We have had parts of your problem in another way though with the so called "SMS Loans" where you can take a loan with your mobile phone with no actual ID or Credit check.

However since the problem arose most banks have terminated their agreements with such services and the law is being changed so you can't take a loan without a proper credit check.

Anyhow, The solution should imo be that you shouldn't be able to get

Social Insecurity Numbers

[jd]

Living in the United States has given me a disturbing impression of the use of social security numbers. They are used to track all kinds of things. Many stores require an SSN for store cards. More than a few stores (mostly for higher-value goods) require SSNs for even regular purchases. Social security numbers are often included on driver's licenses and State ID cards (unless you specifically remember to ask for an anonymous number - and not everywhere allows you to do tha). The USA doesn't seem to have any

Re:

[jdjbuffalo]

I agree with almost everything you said except this "Problem was his port was bad, tried a different one and it worked." Do you have any evidence of this?

I have never been asked for my SSN when paying for something (even high dollar amounts) with Cash or Checks or even credit cards. However, I have certainly seen them ask this because they assume that I want to use their instore purchase program (e.g. no payments for 6 months or we'll finance everything for you kind of deals)

Re:

[MrSpiff]

I never understood why the american SSN needs to be kept secret, all swedish citizens have a similar number based on your date of birth (yymmdd) + four digits that makes it unique. A lot of online stores, communities and such, that wants confirmation of your age or a way to track you down if needed will require it, but since we have to use it so often and sometimes publicly, it's not considered a secret. If someone wants to positively identify you, they will mail a letter to you with a password or require y

Re:

[DigitalCrackPipe]

That's the problem - no additional verification is usually asked for in addition to the SSN. It *shouldn't* be a key to unlock financial access (new accounts, acces to existing ones, etc), but that's how it has evolved.

Of course, it may simply be that Sweden doesn't have enough criminals trying to steal identities *yet* to make that system a problem. Not considering it a secret is different from it being dangerous for others to discover the number.

What happens if 10000 people are born in one day?

Think ID theft is bad now....

[Initi]

Wait until the US Feds cram RealID down our throats. Roosevelt was warned of the dangers of a single national ID number; which he and his supporters dismissed. It only took 65-70 years for technology to catch up to this particular nightmare.

Question

[pclminion]

Why the hell don't people get put in prison when this happens? Ridiculous.

I was hoping for the latest tapes for Lost

[cylcyl]

Am I the only one who read the headline and hoped that there was more new eps of Lost despite the writer strike?

PABP from Visa

[fixer007]

http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html/ [visa.com]

This is why PAPB "payment application best practices" from Visa should be mandated across the board. It ensures that all sensitive data (Primary account numbers, PINs, etc.) and other user sensitive information is not stored on the system, unless it is encrypted. This could go a long way to saving us alot of headaches!

Funny guys

[oever]

I'm sure John Cleese can come up with a good excuse for this mishap. See the advert he did for them [friendlyad...achine.com]

What's going on

[Effugas]

Encryption is hard, because key management is hard. Instead of sending one file, you have to send two, through totally different channels.

Well, "have to" is relative. A huge amount of the time you see "encryption", the decryption key is right there next to it. But, you see, the data is encrypted. So it's safe.

*sighs*

Damn you Abrams!

[cthulu_mt]

I thought this was a story about a secret episode of Lost. Damn you Abrams and your viral marketing.

Iron Mountain lost something? Small wonder!

[swordgeek]

Iron Mountain is possibly the most antiquated, ass-backwards, idiotic, incompetent company on the planet. In 2006, they were quite excited because they were about to move away from a program that ran on DOS 3.3, and required hand-entry of tape and company IDs...THREE TIMES per tape! They can get away with this because they're the only game in town.

They should be held responsible for ten times the amount of credit card fraud that they could possibly be implicated in over the past two years. That should be en