Personal information belonging to more than 650,000 US customers of J.C. Penney and other retailers is at risk after the company hired to safeguard the data lost a backup tape. The information, which was entrusted to a company called GE Money, included social security information for about 150,000 people. The data was on a …
"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks"
I got the first one
Healthcare and personal health information
Government, hospital and doctor databases contain ID data of patients and often their next-of-kin. Is anyone out there tracking healthcare vulnerabilities?
If so, I'd welcome a contact because this is my area of research.
GE Money President Brent P. Wallace reads in part that J.C. Penney "was in no way responsible for this incident."
Except for choosing GE Money in the first place!
Well it's nice to know we only lose our stuff because we don't have any security in government.
And that fractious colony has the same problem because they do.
Imagine the fiasco that could result if we got together over the subject. We'd end up in the wrong country in the wrong war killing the wrong peopl....errr...
If you're in the U.S. , see http://www.hhs.gov/ocr/hipaa/
Other people Secure Their Stuff
I'm a physical security consultant specializing in museum and fine art security, mostly in the US but also abroad. We have firms here that advertise themselves as "museum quality" storage facilities and they store inventory from museums, commercial art galleries, auction houses and private collectors. One or two are good and the rest are frauds. Hard assets like museum collections can't be encrypted to prevent their use by thieves but computer tapes probably can be without breaking anyone's budget. When museum assets burn up in a fire or blow away in a hurricane they are lost forever but when backup tapes are lost, more can be made. But even when the loss is critical it seems that many companies won't take their responsibility seriously and provide the security they advertise, so what do we expect when the assets that disappear are replaceable and lack direct intrinsic value? They're only tapes, some might say.
The only answer is to impose serious liability simply for the act of losing the data and not just if you can prove damages. Repeated convictions in civil court for carelessness in caring for assets of others in your charge should result in criminal charges against the CEO of the company responsible. Then and only then will we get their attention. Hacking publication "2600" has a letter from a hacker who stole thousands of credit card records from Target, a major US retailer, by breaking the WEP code on their wireless network used for the inventory system then entering a folder on the server that stored the week's credit card data. He claims they stored all data on the customer's credit card, not just the data they needed, making the loss more critical. When breaches like this occur, if someone was held personally accountable, more effort would be made to provide better security. Why are financial records on the same system and network as inventory? Because computer professionals feel everything on the planet should have a machine address and should be on a network--the same network. Economy and efficiency are not the primary goals of management.
The warehouses in the US that provide true museum quality security for fine arts differ from those that don't in that they employ the better consulting firms to constantly test their system, have developed standards of quality, and have gone the extra mile to provide only top quality security. The others make compromises to make more profit.
The museums in the US are now developing standards and a rating system for all off site storage facilities and insurers may not insure those who don't achieve a high rating. The standard being developed is comprehensive, from not locating a storage facility on an airport flight path or flood zone to not placing the building's access control system on the company wide network where it can be breached.
Computer security, however, is different from physical security. We are a paranoid lot in physical security. I know hundreds of network administrators and every one argues that his network is secure and his procedures sound. Most insist they cannot be hacked and would never get a virus. There are no standards for real security of data because all they understand is computer security and not physical security, and it takes an understanding of both to provide effective security. (Perhaps that's why I'm on a computer security forum trying to learn, but I rarely if ever see a computer security person on a physical security forum.)
Standards are needed and safeguards developed, like requiring that backup tapes be encrypted, but the standards must be developed by a team with a wide range of experiences and a lot of paranoia. My identity information is VERY important whether you think so or not.
Steve, I doubt whether all those "hundreds" of admins really believe that they can't be breached, any more than the true museum quality storage people think they can't be.
All that's at issue is whether the security precautions match the value and worth of the items secured.
Now, you advocate criminal charges, but I'd disagree: statutory civil damages would be more effective, for two reasons: the first is the simple one of the standard of proof (beyond a reasonable doubt vs. preponderance of evidence), therefore it's easier to win a civil suit than a criminal trial.
The second is more important: the criminal case goes against the CEO and CIO, and if they get convicted, the company will get another. The *civil* case, though, goes against the shareholders' pockets. This means that the shareholders will be motivated to do it properly. Think Enron: was it Ken Lay who was entirely at fault, or the entire group of people who were making the money off the scam?
It's also more appropriate: as you note, your ID is worth a lot more to you than it is to the company, so having a statutory level of damages avoids your having to prove that the company's actions caused you X amount of harm.
Well said sir, but please note that the "network administrator" is NOT, repeat NOT the company security officer!
"There are no standards for real security of data"
Of course there are. Lots. And Lots. And Lots. From high-level recommendations like ISO-17799 or those here: http://csrc.nist.gov/publications/PubsSPs.html down to detailed in-company program instructions.
"..because all they understand is computer security and not physical security and it takes an understanding of both to provide effective security."
I agree with the integration work at least. Said glibly, the problem is management who think that "they" are able to implement good company-wide security as "they" got rid of the worm that came in on the notebook last week. Wrong, wrong, wrong. Anyway, the point is: companies need personnel that are dedicated to the task of security while still being integrated in the day-to-day work, to be able to make well-informed implementation decisions. They need to know about networking. They need to know about what's around networking. They need management support. And they need time.
But suddenly -- economics! It is very difficult to bill for such "additional" services: exploitation costs become too high, time for the project is too short, the learning curve too steep, management is either dismissive or becomes catatonic as security hoovers up a squalid percentage of the fixed-cost contract :-( At the end of the day, your identity information may not prove to be that important, really. :-((
"Perhaps that's why I'm on a computer security forum trying to learn but i rarely if ever see a computer security person on a physical security forum"
I don't know about that. One person hanging on a security forum does not a one-way knowledge transfer make.
And yeah, those guys goofed up when not encrypting the tapes. Maybe they wanted to do it "soon" and it's been on the to-do list for ages? I know the problem. (but I managed to encrypt our tapes with the underhand trick of 'unpaid sunday work')
Ok, I'm off, gotta check the servers.
I like how J.C. Penney will be offering 12 months of credit monitoring for anyone whose info was "lost".
Our government should also be offering free credit monitoring due to the recent data losses at more than one government department.
Patient info lost or stolen? Nope, they just posted it on the internet and bypassed any need for hacking. To quote id thieves, "it beats working for a living."
Nothing ever vanishes into thick air any more.
In some ways the most interesting bit of the article is this...
'The disclosure comes a year after TJX Cos., owner of the T.J. Maxx and Marshalls retail chains, suffered a server breach that exposed personal information for as many as 100 million people. Despite it being the world's biggest credit card heist ever and despite revelations security measures failed to meet credit card industry requirements, there's been little measurable backlash on the company. TJX stock has lost less than 1 percent over the past year, compared with a six per cent decline in the S&P 500'
One of the most effective ways of ensuring that businesses put their hands in their pockets and pay for security controls has always been to appeal to their self-interest and whisper 'Brand Damage' in their ears.....
And yet it appears that in spite of a pretty appalling breach in security, TJX have got off pretty much scot-free (leaving aside compensation to the banks, of course).
How very depressing.......
The Ultimate Fix - from the British Government
The way to prevent data loss due to negligence is not to call it "data loss".
The British Government now appears to call it "data sharing". As in: "we sent the complete records of 600,000 people on disks and, due to incorrect address labelling / the junior staff sticking the wrong postage stamps on it / the courier driver throwing the disks out of the truck window, it got 'shared'."
And when the disks are found (lying on a traffic island in Devon / in a garbage can behind a London hospital / on the back seat of a taxi in Leeds) and returned (some hopes), the data has been "shared" again. This also saves staff confrontations as nobody gets punished....
Another great British Government innovation: encrypt or code the data so it can't be read, BUT WRITE THE ENCRYPTION PASSWORD ON THE DISK COVER IN FELT TIP PEN. I mean, thieves will never make the association, will they?
I call BS
Quote: According to the Associated Press, a letter signed by GE Money President Brent P. Wallace reads in part that J.C. Penney "was in no way responsible for this incident."
Absolute twaddle. Their choice to hand said information off to a third party does not absolve JC Penney of their responsibility to take adequate care of it.
Tape encryption is JC Penny's responsibility
@Steve Keller part III
"no standards for real data security"???? Has anyone ever bothered to look at RFC2196? Google it if you aren't familiar.
The CISO must build a team that feels empowered to make the right choices when it comes to security basics. Shifting blame from Net Admin to CISO does not make sense either, though, as security is a collective function of several moving parts.
As for J.C. Penney's culpability, they are still responsible for the data even if it is handed off to a third party.