[IP] more on Bank loses tape with personal information on 90,000 customers
Begin forwarded message:
From: Lauren Weinstein <lauren@xxxxxxxxxx>
Date: January 12, 2006 12:54:35 PM EST
To: dave@xxxxxxxxxx
Cc: lauren@xxxxxxxxxx
Subject: Re: [IP] Bank loses tape with personal information on 90,000 customers
Bingo. As Dan notes, lost tapes in transit, even when the data is
unencrypted, are a very low probability vector for identity theft
problems. In fact, the majority of identity thefts are usually
highly targeted and often are "inside jobs" based on realtime access
to running database systems -- and frequently the perpetrators are
"friends" or acquaintances of the targets.
In fact, offhand I know of no case where one of these big reported
"tape loss" stories that get so much play actually has been linked
to later problems.
All of the attention over lost tapes and proposed laws to force
encryption of the transported data simply diverts attention from
where the real problems are -- the people who have realtime access
to the running data systems and the amount of data being collected
and stored in the first place.
In a way it's similar to the MPAA making such a big deal about
trying to catch people with camcorders in theaters making low
quality copies, when in reality most of the pirated versions of
movies that really give them grief are the result of prints
copied by insiders along the production or display chains.
With identity theft, as in movie piracy, the key word is *focus*.
No pun intended.
--Lauren--
Lauren Weinstein
lauren@xxxxxxxxxx or lauren@xxxxxxxx
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
- People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
- International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com
- - -
Begin forwarded message:
From: Dan Shoop <shoop@xxxxxxxxxxx>
Date: January 12, 2006 9:41:01 AM EST
To: dave@xxxxxxxxxx, ip@xxxxxxxxxxxxxx
Subject: Re: [IP] Bank loses tape with personal information on 90,000 customers
This actually happens all the time. The bank FedExes or otherwise
sends a tape, it gets lost. This happens. In a past life as a
datacenter manager at Citibank we used to receive pallets of tapes
by FedEx every morning from Sioux Falls, SD, where the credit card
processing center was, a truck of tapes having better bandwidth at
lower cost than any telco line. Occasionally tapes got lost, it was
no big deal and no one thought much of it other than to request
another copy. California, IIRC, was the first state to mandate that
any lost customer records of any sort have to be reported, and other
states have followed suit. Since such laws have been enacted that it must
be reported it's been getting recent press and what is actually a
common occurrence is now "news". The risk from this is considered very
low. In most all cases the data is encrypted. Even if it wasn't, other
policies prevent keeping say account numbers and names, or other
required pieces of information necessary to commit a fraud or
identity theft with information together in the same place at once.
Having names and Social Security numbers together is considered low
risk since this information is readily available through numerous
sources.
--
-dhan
------------------------------------------------------------------------
Dan Shoop                              AIM: iWiring
Systems & Networks Architect           http://www.iwiring.net/
shoop@xxxxxxxxxxx                      http://www.ustsvs.com/
1-646-217-4725
pgp key fingerprint: FAC0 9434 B5A5 24A8 D0AF 12B1 7840 3BE7 3736 DE0B
iWiring provides systems and networks support for Mac OS X, unix, and
Open Source application technologies at affordable rates.
-------------------------------------
You are subscribed as lauren@xxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
-------------------------------------