http://securityratty.com/tag/dhl Mon, 14 Jan 2008 09:04:35 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/a7d9492053aec306cf4583b0203cb9bb http://securityratty.com/article/a7d9492053aec306cf4583b0203cb9bb Security Breach

Date Reported:
4/22/08

Organization:
Chrysler Corporation

Contractor/Consultant/Branch:
Chrysler Financial (Canada)
United Parcel Service ("UPS")

Victims:
Canadian customers

Number Affected:
"thousands"

Types of Data:
"names, addresses and social insurance numbers"

Breach Description:
"TORONTO - The lending arm of the Chrysler Corporation says the U-P-S courier service may have lost a data tape containing personal information about thousands of its Canadian customers."

Reference URL:
The Windsor Star
The Hamilton Spectator
Winnipeg Sun
Toronto Star

Report Credit:
Dave Hall, The Windsor Star

Response:
From the online sources cited above:

TORONTO - The lending arm of the Chrysler Corporation says the U-P-S courier service may have lost a data tape containing personal information about thousands of its Canadian customers.
[Evan] In this day, it baffles me that companies still send backup tapes through UPS, DHL, FedEx, etc. without encryption.  This is especially difficult for me to comprehend when the company deals with extremely sensitive personal information.  In this instance, I don't place much blame on UPS.

The lost information affects Chrysler Financial lease customers across Canada.

The Office of the Privacy Commissioner of Canada says it is "monitoring" Chrysler's lending arm

Chrysler Financial also acknowledged yesterday that it waited five weeks or longer to tell customers the tape had been lost or possibly destroyed.

Chrysler Financial acknowledged it did not inform customers for five weeks or longer about a "destroyed or lost" tape because of an internal search and investigation, noting it didn't want to alarm customers until it exhausted a search with United Parcel Service.
[Evan] This is a common excuse, but is it a valid one?

The automaker had sent a package with the mainframe data tape from Farmington Hills, Mich., via UPS to a Quebec credit agency when it disappeared in early March.

The company has not recovered the tape but it found a damaged envelope it was in.

The tape holds names, addresses and social insurance numbers of customers.

Jelena Jelich says special computer software and other equipment is needed to access the data.

"The data tape cannot be easily accessed and requires specialized software and equipment to read but it did contain some personal information that Chrysler Financial had obtained from you,"
[Evan] A person would need "specialized software" like backup software (Veritas, Commvauly, etc.) and equipment like an appropriate tape drive, I assume.  Nothing all that special.  The "cannot be easily accessed" claim could be argued.

During the past week, customers have received letters from Chrysler Financial general counsel Brian Chillman informing them of the incident.

Chillman said the company has no reason to suspect that an unauthorized person has retrieved or is using the personal information.

"Nonetheless, as a precautionary measure we are alerting you to this recent incident so that you may be watchful for signs of any possible misuse of you personal information by an unauthorized recipient,"
[Evan] How nice of Chrysler Financial.  After all, the information BELONGS to the customers, not the company.

A Chrysler Financial spokeswoman said that after the tape went missing, internal processes were changed and the information is now sent by secure electronic transmissions. UPS is no longer used.
[Evan] Welcome to 2008, or was it 1995 (the year IPsec RFCs 1825 & 1829 were published)?

"We apologize for any inconvenience or harm this may cause you."

Victim Reaction:
Chris Jovanovic, who leases a car from Chrysler, said the company was notified by United Parcel Service about the lost tape on Mar. 12 but a letter from Chrysler Financial dated Mar. 27 didn't arrive in his mailbox until Monday.

"It's the time frame of notification that's got me upset because if the tape did fall into the wrong hands, they've had six weeks to access the information and do something with it,"

Jovanovic said he wasn't convinced by Chillman's assurances because "someone who knows what they're doing could probably access the information. Nothing's that secure these days and it annoys me to think that if the tape never shows up, will we be looking over our shoulders for years waiting for the information to be used."

Jovanovic said he was seeking legal advice to determine his next steps.

Commentary:
I don't have much patience or compassion for organizations that send tapes containing gigabytes (and sometimes terabytes) of confidential information through couriers and mail without encryption.  Chrysler Financial claims that this is the first time something like this has ever happened.  Don't you think that it was just a matter of time?

Past Breaches:
Unknown

]]> Wed, 30 Apr 2008 18:04:34 +0000 chrysler chrysler financial spokeswoman chrysler financial lost tape tape chrysler financial claims data tape customers tape drive Thousands of Canadian Chrysler Financial customers at risk http://securityratty.com/article/f2ab2f0c1a2327560ebf920d9863141a http://securityratty.com/article/f2ab2f0c1a2327560ebf920d9863141a Security Breach

Date Reported:
1/11/08

Organization:
Prudential plc

Contractor/Consultant/Branch:
DHL International

Victims:
"wealthy investors"

Number Affected:
200

Types of Data:
Financial details

Breach Description:
A box containing sensitive paperwork related to 200 wealthy investors was found on the side of the road near Reading in Berkshire (UK).  The box was in transit from a Prudential building in Reading to a secure storage facility in Essex when it apparently fell out of the DHL courier van.  Among the 200 wealthy investors that were affected were three UK national lottery winners.

Reference URL:
The London Evening Standard news story
The Register Story

Report Credit:
The London Evening Standard

Response:
From the online sources cited above:

Banking details for 200 wealthy people have been found near a motorway sliproad - after apparently falling unnoticed out of a courier's van.
[Evan] Wealthy people don't like to lose money.

Among the boxful of Prudential files relating to investments worth many millions of pounds were those reportedly belonging to three National Lottery winners.

In the box were cheques and other sensitive papers which criminals could potentially have used to hack into customers' accounts.

The documents were found by a vehicle recovery driver on a roundabout near a sliproad for Junction 11 of the M4 near Reading in Berkshire.

The box was meant to have been taken by a DHL courier from a Prudential building in Reading to a secure storage facility in Essex.

"The Pru is clearly not happy at all. It has suspended all use of DHL until the investigation is concluded."

The box of files are now safely back in the hands of the Prudential.

Letters were being sent out to all of the 200 customers affected, giving assurances that they would not lose out.

"Protection of our customers' data is of paramount importance to us and we are contacting them immediately.

"It was a delivery being made on our behalf to a secure storage facility in Essex and basically the DHL van and the box parted company at some stage during that journey."

One, Karen Child, who won £8.4 million last year, told the paper after being informed of the blunder: "I feel physically ill."

Commentary:
It seems like Prudential was doing the right thing in transporting sensitive documents to a "secure storage facility".  The DHL driver appears to have made a mistake in not ensuring that the door of the van was secure.  DHL drivers are human too.

This is not a high-tech breach.

Past Breaches:
Unknown

]]> Mon, 14 Jan 2008 09:04:35 +0000 dhl van dhl dhl courier van dhl drivers dhl courier van secure secure storage facility prudential plc Wealthy investor information falls out of DHL van