Monday, July 21, 2008

University of Maryland trips up by printing SSN in a mailing

This time, a simple mistake in a data center has led to a compromise of individual security. At the University of Maryland in College Park, northeast of Washington, DC, the university had mailed all students a brochure containing information about on-campus parking.

Around July 8 the University discovered that the mailing label had included the student social security number. Apparently this was an inadvertent human error, and not the result of any compromise of an internal application or Internet use. This is an incident that could have happened decades ago, before the Internet.

It is certainly true that in the past it was common for many businesses to include social security numbers on mailing labels in lists. This practice had, by and large, probably stopped by the mid-1990s.

Apparently the number was not hyphenated or formatted, so a casual observer would not have recognized what it was. Even so, a printed document that visibly displays both a home address and an SSN on the outside of an envelope traveling through the postal service is harmful.

The University is offering affected students free credit monitoring with Equifax.

Again, and especially in view of the subprime crisis, it’s appropriate to ask why lenders have been so careless and shown so little diligence in making loans.

The story appears on WUSA Channel 9 (CBS) in Washington July 18, 2008, here.

Thursday, July 10, 2008

What is legitimate corporate policy regarding consumer data?

Last night, WETA (the PBS station in Washington DC) was carrying on a (radio) discussion about data privacy. One speaker said that consumers had a right to two simple expectations from companies that collect their data. One is that data collected be used only for the purpose stated to the consumer. The other is that the data be destroyed when it is no longer needed.

But, of course, sale of consumer data was big business long before the Internet. When I worked for Chilton Corporation in Dallas in the 1980s (which would be bought by TRW and be spun off as Experian, coming full circle), “promos” were the most often billed service code. Sales of customer data to marketers were bigger business even then than normal credit reports or “Alerts” (which would feed in to what is now FICO scores). None of this is new.

There was also discussion of transferring management of customer telecommunications accounts to third parties. The speaker called this practice “wiretapping.” Another speaker noted the irony that all of these problems are occurring, as an accident of history, post 9/11 and during the somewhat legitimate need for government surveillance.

Wednesday, July 09, 2008

Consumer data jeopardized when employers install file-sharing software on work computers; Justice Breyer's info compromised

Recently, the personal information of about 2000 clients of a McLean, VA investment firm, Wagner Resource Group, was exposed to the public after an employee downloaded a file-sharing program called LimeWire onto a networked work computer. Among the clients was Supreme Court Justice Stephen G. Breyer.

A company called Tiversa is often hired to help companies detect data leaks of customer data. Here is a typical discussion of the problem by the company.

Another company that has worked with Wagner is First Advantage, and there is a paper in PCI Compliance Guide that describes how to respond to a data breach here. In one case, a consumer found $9000 in false AT&T charges on a telephone bill from an overseas source; they were reversed.

Another serious danger from such employee behavior is release of trade secrets.

It should be obvious that the same danger exists when employees take work home and load customer information onto a home computer or laptop that also contains P2P software or other recreational or personal applications, or that is not properly protected by a firewall.

Brian Krebs has a story in The Washington Post this morning, “Justice Breyer Is Among Victims in Data Breach Caused By File Sharing,” p A1, link here.

In 1995, I had a Merrill Lynch CMA credit card rejected at a grocery store, and found out yesterday that $400 of bogus AT&T phone charges from Canada had been placed on it. The card was replaced and AT&T reversed the charges, although it took a half day away from work to clear the mess up. I have never had such an incident since.

Wednesday, July 02, 2008

Citibank has major ATM breach, very sensitive in nature

News media widely report a serious deliberate compromise of Citibank’s ATM machines inside 7-11 stores. Identifying information and PINs were taken, and three people are indicted in New York.

The breach seems to have occurred deep within Microsoft’s infrastructure, designed to allow remote repair of machines.

Citibank has apparently refunded or promised to refund any lost money from accounts. In various other kinds of breaches reported in the media in the past few years, refunds have not always occurred.

A typical story is by Jordan Robertson of the AP and appears today; the original AP link (July 1) is here. The story characterizes the “most sensitive part” of the bank’s computerized files and infrastructure as compromised.

It’s interesting to compare this with a recent story indicating that credit card companies, but not the original customers, have sometimes been notified of breaches by other databanks.

Other media briefs indicate that Visa allows customers to make small purchases on debit cards without entering PINs. From a security viewpoint, this could work both ways.

Tuesday, July 01, 2008

Consumers are not always told about breaches, even when their credit card companies are informed

There are media reports to the effect that the records of about 51000 customers of Montgomery Wards were exposed in a security breach.

Wards had gone out of business in 2001 (I remember shopping there when I lived in Dallas in the 1980s, particularly at the Mesquite Mall). The brand name (and trademark) were taken out of bankruptcy by a 2004 purchase by Direct Marketing Services. Citibank detected an intentional security breach in December of that year. Direct Marketing informed Visa and MasterCard but not the individual customers. Apparently 3-digit card security codes (often required by e-commerce websites), card account numbers, customer names, and billing addresses had been compromised.

44 states have laws requiring that consumers be notified, but silence had been an industry norm for years. This practice might have even contributed to a sudden $600 charge on my credit report in 2000, resulting in sudden action against me by a collection agency that had bought the “vampire debt.”

The AP story appeared on AOL yesterday at this link. There was a survey that indicates that most customers do not believe credit card companies are sufficiently careful with personal information, but most AOL visitors do use credit cards anyway. Curiously, the story gets a “not found” when accessed on AP’s own site. The AOL link is here and may require subscription and become archived.