[IP] more on Bank loses tape with personal information on 90,000 customers

To: ip@xxxxxxxxxxxxxx
Subject: [IP] more on Bank loses tape with personal information on 90,000 customers
From: David Farber <dave@xxxxxxxxxx>
Date: Thu, 12 Jan 2006 16:27:21 -0500
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <efc70c360601121142h3e4468d3sd46667482a9a615b@xxxxxxxxxxxxxx>
Reply-to: dave@xxxxxxxxxx



Begin forwarded message:

From: Richard Wiggins <richard.wiggins@xxxxxxxxx>
Date: January 12, 2006 2:42:35 PM EST
To: David Farber <dave@xxxxxxxxxx>
Cc: shoop@xxxxxxxxxxx

Subject: Re: [IP] Bank loses tape with personal information on 90,000customers


> In most all cases the data is encrypted.

Dave,

This claim needs documentation, as it does not match recent newsstories. In fact, it seems to be the case that the standard practiceis to encrypt data when it goes over a network wire, but not toencrypt it when stored inside the data center or backed up to tape orsent via tape for offsite storage.

-- News coverage of the People's Bank incident does not imply thatthe tapes were encrypted; instead, the bank says that in the futurethey will use encrypted network transmission.

-- "CitiFinancial lost tapes containing data for 3.9 millioncustomers; Bank of America, 1.2 million customers; Time Warner,600,000 customers; and Ameritrade, 200,000 customers, the PrivacyRights group reported last week.Overall, almost 52 million people had their personal information putat risk as a result of data heists in 2005, the watchdog groupsaid." -- http://www.orlandosentinel.com/business/orl-banks0206jan02,0,5638345.story?coll=orl-business-headlines

-- "The Marriott time-share case came shortly after anothermysterious data-tape disappearance reported by a Michigan-basedlender.In a Dec. 18 letter to customers, ABN AMRO Mortgage Group saidthe tape went missing during shipment by DHL, the express-deliveryservice. Although there was no evidence of wrongdoing, ABN alertedauthorities and made a free credit-monitoring service available tocustomers for 90 days.About 2 million customers were at risk from the apparent securitybreach, according to an estimate from the Privacy RightsClearinghouse. A week later, however, ABN reported the tape had beenfound in the same DHL shipping facility to which it had beenpreviously traced. Employee error at DHL was blamed for the miscue.ABN reassured customers there was little chance the data had beenmisused, but it continued to offer the temporary credit-monitoringservice." [ibid.]


/rich

On 1/12/06, David Farber <dave@xxxxxxxxxx> wrote:

Begin forwarded message:

From: Dan Shoop <shoop@xxxxxxxxxxx >
Date: January 12, 2006 9:41:01 AM EST
To: dave@xxxxxxxxxx, ip@xxxxxxxxxxxxxx

Subject: Re: [IP] Bank loses tape with personal information on 90,000customers



This actually happens all the time. The bank FedEx's or otherwise
sends a tape, it get's lost. This happens. In a past life as a
datacenter manager at Citibank we used to receive palettes of tapes
by FedEx every morning from Sioux Falls, SD, where the credit card
processing center was, a truck of tapes having better bandwidth at
lower cost that any telco line.  Occassionally tapes got lost, it was
no big deal and no one thought much of it other than to request
another copy. California, IIRC, was the first state to mandate that
any lost customer records of any sort has to be reported, and other
states have followed suit. Since such laws been enacted that it must
be reported it's been getting recent press and what is actually a
common occurance is now "news". The risk from this is considered very
low. In most all cases the data is encrypted. Even if it wasn't other
policies prevent keeping say account numbers and names, or other
required pieces of information necessary to commit a fraud or
identity theft with information together in the same place at once.

Having names and Social Security numbers together is considered low
risk since this information is readily available through numerous
sources.
--

-dhan

------------------------------------------------------------------------
Dan Shoop                                                   AIM: iWiring
Systems & Networks Architect                     http://www.iwiring.net/
shoop@xxxxxxxxxxx                                 http://www.ustsvs.com/
1-646-217-4725

pgp key fingerprint: FAC0 9434 B5A5 24A8 D0AF  12B1 7840 3BE7 3736 DE0B

iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.


-------------------------------------
You are subscribed as galler@xxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/



-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on Bank loses tape with personal information on 90,000 customers
Next by Date: [IP] Symantec announces Norton Public Relations Nightmare 2006
Previous by thread: [IP] more on Bank loses tape with personal information on 90,000 customers
Next by thread: [IP] more on Bank loses tape with personal information on 90,000 customers
Index(es):
- Date
- Thread