Date Reported:
4/22/08
Organization:
Alliance Boots
Contractor/Consultant/Branch:
Boots UK Limited
Boots Dental Plan
Medisure
Unnamed "security company"
Victims:
Customers and employees
Number Affected:
34,000*
*27,000 dental plan customers and 7,000 company employees
Types of Data:
Names, addresses and bank details
Breach Description:
"The high street chemist chain has today admitted losing 27,000 customer records and 7,000 employees details related to their dental plan. The information included bank account details, as well as names and addresses."
Reference URL:
BBC News
CIO Magazine online
ITPRO
ComputerWeekly
Report Credit:
BBC News
Response:
From the online sources cited above:
Personal details of thousands of customers of Boots' dental plan have been stolen after a courier car was broken into in Bristol.
The information from Boots Dental Plan included customer bank account details
officials claimed it was "highly unlikely" these could be accessed
The stolen data tapes included names, addresses and bank details of 27,000 dental plan customers, which is run by private healthcare contractor Medisure. The tapes also contained the records of 7,000 employees.
Boots and Medisure, who administer the plan for the company, said all customers had been informed.
The tapes were taken from the car of a subcontracted data security company in Bristol on 3 April, 2008.
[Evan] A data security company left backup tapes unattended in a car? I will go on to speculate that the car was probably unlocked and the tapes were probably left in plain sight.
Boots declined to name the courier company.
Avon and Somerset Police said they were investigating the theft from a car on St Thomas Street
The data is described as "technically complicated" and only accessible with specialist IT equipment and software.
[Evan] Hah! You know, specialist IT equipment like a tape drive and software like Backup Exec (or something similar). If the tape wasn't encrypted, I trust that the tape will be read, thus exposing the information. Maybe not today, maybe not tomorrow, but sometime. I would bet the rest of my half cup of coffee on it!
Boots said in a statement: "We would like to reassure our Boots Dental Plan customers that because of the type of data tape that was stolen and the way the information was stored it is highly unlikely that any personal data could be accessed or misused."
[Evan] Encrypted? No mention specifically, so I assume not. What is so special about the "way the information was stored" then?
Boots said it takes data protection "extremely seriously,"
Medisure added the information was not stored on standard software or CDs and could not be used on any home-style PC or laptop.
Medisure did not say whether the data was encrypted
"Reviewing this incident closely with the Police, they consider this to be an opportunist theft rather than a planned operation," Medisure said in the letter.
Commentary:
There is so much about this breach that we do not know, so we speculate. Oftentimes we speculate about worst-case scenarios. It's just human nature. The fact that the tapes were left exposed in a car is bad enough. If some of our other assumptions are correct, then all the worse.
Past Breaches:
Unknown