http://securityratty.com/tag/dumpster Tue, 08 Apr 2008 08:47:21 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/f6684ed1c67a7acb138958de524dcb1a http://securityratty.com/article/f6684ed1c67a7acb138958de524dcb1a Security Breach

Date Reported:
7/15/08

Organization:
Weber Law Firm

Contractor/Consultant/Branch:
"his wife"

Victims:
Clients

Number Affected:
"hundreds"

Types of Data:
"personal financial records, documents with Social Security numbers, people's medical files and more"

Breach Description:
"HOUSTON -- Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday."

Reference URL:
KHOU-TV News (original)
KHOU-TV News (follow-up)

Report Credit:
Jeremy Desel, KHOU-TV

Response:
From the online sources cited above:

Harris County Sheriff's deputies uncovered hundreds of people's personal financial files that had been discarded in a dumpster in northwest Houston on Monday.

The records were mostly bankruptcy case files from a Houston attorney's office that found their way into a dumpster belonging to a Houston day care.
[Evan] There is little doubt about the sensitivity of the information found in a person's bankruptcy files.  Don't you think that an attorney should know better?

The discovery came in a trash bin in the 9100 block of Jones Road, with box after box of records including personal financial records, documents with Social Security numbers, people's medical files and more.

When the sheriff's office first arrived, the responding deputies had no idea what to do with the records.

So, they called the law office from where the records had come from. 11 News called the law offices of William Weber as well.
[Evan] Mr. Weber's bio is pretty extensive.

Weber, who eventually arrived to pick up the discarded records, told both 11 News and the sheriff's office that it was "no big deal"
[Evan] Obviously, this answer probably doesn't go over very well.  In hindsight, I am guessing that Mr. Weber wishes he could take these words back.

Still, at the insistence of the sheriff's office, Weber did arrive to pick the boxes up.

Weber had a different answer for 11 News when he showed up to retrieve the 32 boxes.

"It's a mistake," he said. "We regret it. We regret it. They weren't intended to be put here. I didn't put them here. It was a misunderstanding between me and my wife."
[Evan] Ugh.  Blaming the wife would not be a good idea in my house, even if it were my her fault.

He added it was a one-time problem.

But he also said his firm does not have a policy for disposing of sensitive documents.
"No, I do not. I don't think there is a formal disposal policy. Legally," he answered.

Don't tell that to Radio Shack or Select Medical Corporation. Both settled lawsuits with the Texas Attorney General's Office this week for violating the Texas ID Theft Law that was passed in 2005.

It requires businesses to destroy any documents that contain sensitive information. Select Medical dumped 4,000 documents in its own dumpster, but did not destroy them first.

Both companies settled this week with the state for hundreds of thousands of dollars in fines.
[Evan] Don't forget about EZMONEY, L.P. and EZPAWN L.P.  They agreed to pay $660,000 to the Texas Attorney General.  Don't mess with Texas!

However, it's not just a civil law question. It is also an ethics question.

"If a customer of Radio Shack had an interest in privacy and an interest to have their identity protected (and) not just tossed to the wind, I can assure you that a medical provider or a lawyer has a higher duty," said 11 News legal expert Gerald Treece.

The sheriff's office is looking into the possibility laws were broken by throwing away the records in that dumpster, but were unsure if anything illegal happened.

As a matter of fact, there's a good possibility no laws were broken.
[Evan] Not criminal.  This case may be ripe for a civil proceeding, however.

Weber spent several minutes loading the boxes into his car, but he also spent a lot of time avoiding the 11 News cameras as he picked up the discarded records.

Eventually, he left the scene, leaving a few boxes behind when he was confronted by 11 News cameras.

In his rush to get away, a box was left on the trunk lid of his vehicle and some of the papers inside flew out as he sped off.
[Evan] Embarrassed?

Weber told 11 News that all the documents were shredded on Wednesday morning.
[Evan] Any thought given to notifying the affected individuals?  If not, it is probably too late now.

Weber also said he has talked with an attorney at the attorney general's office and told them he would cooperate fully.

11 News also spoke with one of the clients whose file was found in the dumpster on Monday. She said she's angry and feels betrayed.

Commentary:
We have read about organizations dumping sensitive confidential information in dumpsters before, but this is the first time I have read about a lawyer being responsible (or his wife).  Mistakes do happen, but I question how much of a mistake this actually was due to Mr. Weber's initial "no big deal" reaction.

Past Breaches:
Unknown

]]> Thu, 17 Jul 2008 10:59:25 +0000 houston weber weber wishes houston attorney bankruptcy khou-tv news news bankruptcy files william weber Houston law firm threw confidential client information in the trash http://securityratty.com/article/ae2a94a41f5bdb5795784e6c6f9639b9 http://securityratty.com/article/ae2a94a41f5bdb5795784e6c6f9639b9 Security Breach

Date Reported:
6/13/08

Organization:
Texas Insurance Claims Services

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
"hundreds of files"

Types of Data:
Insurance claims and policy paperwork including "names, social security numbers and policy numbers"

Breach Description:
Files containing sensitive confidential information were discovered in a dumpster in Richardson, Texas.  The files are believed to have been thrown out by the owner of a company called Texas Insurance Claims Services.

Reference URL:
WFAA Channel 8 News

Report Credit:
Rebecca Lopez, WFAA-TV

Response:
From the online source cited above:

on Friday, hundreds of files with people's names, social security numbers and policy numbers were found in a Richardson dumpster

The files contain a lot of private information.

The people who filled out the forms probably never expected them to end up where anyone could simply walk away with them.
[Evan] There we go with expectations again.  See my comments in the "Tucson area Domino's Pizza customer information exposed" breach.

You expect when you give your private information to an insurance company, it will stay that way.

Mike McCarty was driving by a dumpster near his work in Richardson. He saw a man taking pictures of trash inside, so he stopped.
[Evan] Taking pictures?

"[The man] said he was looking for empty boxes because he was going to move but he found a bunch of these files."
[Evan] But why was the man taking pictures?  The story isn't clear on this point, so I wonder.

There were files with people's names, addresses, social security numbers and even pictures of their homes and cars.

The files were dumped here by a company called Texas Insurance Claims Services which processes people's claims.

We asked the owner why he threw them away. He wouldn't go on camera but said he was only required to keep the files five years and could then toss them.
[Evan] Oh, well then.  Sounds like a good enough explanation to me... NOT!  Where is the corporate and social responsibility?

The company says it sometimes uses commercial shredding services but decided not to do so this time.
[Evan] Let me see if I understand this correctly.  The company obviously knows the importance of shredding confidential papers in general, otherwise they wouldn't "sometimes use commercial shredding services".  What the @#$^ explains why the company chose not to use the shredding services in this instance?

Authorities say it's not unusual for criminals to dumpster dive to look for ways to get personnel information that they can use to illegally run up huge bills.
[Evan] This is very true.  There are even people who organize and belong to dumpster diving clubs, not to imply that THESE people are "criminals", but only to point out that people DO dumpster dive.

The dumpster was full of files. Most of them were taken away by garbage collectors. We are shredding the few we took for our story.
[Evan] The files were taken away by garbage collectors?  I wonder how much confidential information a person could find at the dump (landfill)?

Commentary:
It may just be the context of the owner's remarks, or it may just be me, but the owner seems to be oblivious to the risk of throwing confidential customer information out with the garbage.

Past Breaches:
Unknown

]]> Wed, 18 Jun 2008 08:41:02 +0000 information dumpster sensitive confidential information personnel information confidential customer information dumpster dive files confidential information people Insurance claims and policy information in the dumpster http://securityratty.com/article/71b6542daf7a2738ad171ba74ac33144 http://securityratty.com/article/71b6542daf7a2738ad171ba74ac33144 Security Breach

Date Reported:
6/4/08

Organization:
Wheeler's Moving Company

Contractor/Consultant/Branch:
None

Victims:
Employees, job applicants and customers

Number Affected:
Unknown

Types of Data:
"files containing driver's licenses, social security numbers, telephone numbers, addresses and birth dates"

Breach Description:
"BOCA RATON, FL (Fox29) - Piles and piles of personal files with tax information, social security numbers and license numbers, were found in a Boca Raton dumpster. These dumpsters are located between a set of warehouses here on Northwest First Avenue."

Reference URL:
WFLX Fox 29 News
WPEC Channel 12 News

Report Credit:
Chuck Weber, WFLX Fox 29 News

Response:
From the online sources cited above:

BOCA RATON, FL (Fox29) - Piles and piles of personal files with tax information, social security numbers and license numbers, were found in a Boca Raton dumpster.

Dumpsters on Northwest 1st Avenue Boca Raton were found full of files and paperwork with personal information - names, addresses, drivers licenses and some social security numbers - all out in the open for the taking.
[Evan] I think we would be surprised at how common it is for organizations to throw confidential information in the garbage (instead of shredding).  Unauthorized disclosure of confidential information including personal information, trade secrets, intellectual property, draft press releases, etc. can be very damaging.

The dumped personal records inside, apparently belonged to Wheeler's Moving Company.

containing information on employees or job applicants, and some customers

Some files even dated back as far as 20 years or more.

After contacting the Wheeler's Moving Company, they claimed to have moved out of Boca Raton and into Jupiter about a year ago and they had no idea this had happened.

Building owner Charles Wheeler, former owner of the moving company, says, "In my heart I don't think it's going to be a problem. And I didn't realize until I heard from you guys that there was something sensitive in there. And it should have never been thrown out."

Wheeler says he didn't think any sensitive documents were still inside.
[Evan] A complete lack of awareness.  Business owners and leaders (everyone really) need to be more aware of the security implications involving the information they create, collect, use, store, and discard.  Thieves are.

Police received a call Monday, and were able to clean up a majority of this dumpster.

There are currently some remnants of the files out there, but officials are doing their best to protect the people on these files so their identities are not stolen and get these files and papers shredded properly.

all the documents have since been shredded.

Wheeler says from now on, he will shred all unneeded documents.

Victim Reaction:
"I'm taken aback; I really almost shaking. The fact that records could be around for all these years,"

"It shouldn't have been available to anybody, but nobody has done anything."

"It's very frightening to think of that it was available, and that it could have happened,"

Commentary:
I feel bad for small business owners that aren't aware of or properly trained in risk management and information security.  It's easy to be angry with them, but too many of them just don't know any better. 

Obviously, I feel bad for the victims too.

Past Breaches:
Unknown

]]> Tue, 10 Jun 2008 06:24:10 +0000 information personal information boca raton dumpster boca raton dumpster confidential information files personal files owner charles wheeler Personal information found in Boca Raton dumpsters http://securityratty.com/article/25d92f598bfb284603de4aa74724a145 http://securityratty.com/article/25d92f598bfb284603de4aa74724a145 Security Breach

Date Reported:
6/3/08

Organization:
State of New Mexico

Contractor/Consultant/Branch:
Department of Workplace Solutions

Victims:
Employees and job applicants

Number Affected:
Unknown

Types of Data:
"employment records with names and Social Security numbers"

Breach Description:
"ROSWELL, N.M.—State documents with names and Social Security numbers were thrown into a trash bin behind the state Department of Workforce Solutions office in Roswell."

Reference URL:
The Associated Press via Las Cruces Sun-News
Roswell Daily Record
KRQE Channel 13 News

Report Credit:
Roswell Daily Record

Response:
From the online sources cited above:

Four boxes of manilla folders with documents containing names and social security numbers were mistakenly thrown into a trash bin Monday behind the New Mexico Department of Workforce Solutions office near Main and Bland streets.
[Evan] New Mexico does not currently have a data breach disclosure law on the books.  The state is one of eleven that do not.  The others are Alaska, South Dakota, Iowa, Missouri, Kentucky, West Virginia, Virginia, Mississippi, Alabama, and South Carolina.

Employees at Savedra's Tienda, a nearby business, contacted County Commissioner Dick Taylor and Magil Duran of the New Mexico Department of Workforce Solutions to help remove the documents from the bin.
[Evan] This is what a model citizen does.  How many people are model citizens?

papers were flying out of the Dumpster they were inside.

Duran said the Roswell office of the Department of Workforce Solutions recently moved to a new location and a janitor inadvertently threw the documents in the bin on Monday.
[Evan] Not a good excuse.

"It was a misunderstanding," Duran said.

After arriving at the scene, Duran and Taylor sifted through the bins and retrieved the files.

Duran said he would shred the files immediately.
[Evan] The files should be inventoried and their destruction should be certified.

Taylor said the files looked like employment records with hours worked along with names and social security numbers printed on them.

"That's the bad thing," Taylor said. "They should have been shredded and not dumped in the trash. The state needs to be more careful with records like that."

"We do have a standard procedure," said Carrie Moritomo of the department. "We are currently reevaluating that and making sure all of our field staff offices are aware of what that policy is."
[Evan] A "standard procedure" ain't worth the paper it's written on if nobody knows about it or follows it.

Commentary:
I doubt that this is an isolated incident and I doubt that the agency has a sound information security strategy.

Past Breaches:
Unknown

]]> Thu, 05 Jun 2008 19:32:53 +0000 bin trash bin monday mexico trash bin roswell employment records mexico department records roswell daily record Employment records in a New Mexico dumpster http://securityratty.com/article/00ff10de6ac5a9494418f28bae55cbac http://securityratty.com/article/00ff10de6ac5a9494418f28bae55cbac Security Breach

Date Reported:
5/28/08

Organization:
Hong Kong and Shanghai Banking Corporation ("HSBC")

Contractor/Consultant/Branch:
HSBC Branch at Bayview & Major Mackenzie (CA)
HSBC Branch in UK (Cheshire)

Victims:
Customers

Number Affected:
Unknown, "hundreds of bank customers" in Canada

Types of Data:
"personal information" in Canada, and "credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers" in the UK

Breach Description:
Two breaches were reported in the past week affecting HSBC customers in Canada and the UK.  In Canada, "A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road."  In the UK "papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street."

Reference URL:
CTV News Toronto
Wigan Observer

Report Credit:
CTV News Toronto and Richard Bean at the Wigan Observer

Response:
From the online sources cited above:

In Canada:
A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road.

He took the bag to a police station after a quick peek inside revealed the personal information of hundreds of bank customers.
[Evan] Information security aims to reduce the risk of unauthorized disclosure, modification, and destruction of confidential information to an "acceptable level" no matter what form the confidential information takes.  Unauthorized disclosure of confidential information on paper is just as damaging as unauthorized disclosure of confidential information on a backup tape, CD, laptop, etc.

he was in the Bayview Avenue and Major Mackenzie Drive area when he spotted the redbag at the side of the road with the HSBC bank logo emblazoned at the front.
[Evan] I presume that this bag was lost in shipment.  Was the information in the bag or the bag itself inventoried?  Do you suppose the bank would have ever noticed that the bag was missing?

the bag belonged to the HSBC branch at Bayview and Major Mackenzie

"There were about 300 of them," he told CTV Toronto Saturday night. "There were more documents in there destroyed by the rain."

he tried to contact the bank but didn't have much luck

York Regional Police are speaking with bank officials as they investigate how the sensitive information ended up on the side of a road.

In the UK:
An investigation is under way after bank details of Wigan customers were found dumped in Cheshire.
[Evan] Does "dumped" mean thrown away, like in a dumpster?

The confidential 60-page sheaf of A4 documents, featured lists of customers of high street bank HSBC.

Among the information contained in the papers were credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers.
[Evan] Sheesh.  A bad guy (or gal) could do a helluva lot of damage with this information.

The papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street.

Lynne Stewart, 47, whose children found the documents, has informed the police and is waiting for them to collect them

She said: "I would be extremely worried and angry if I was a customer of theirs because this is just the type of stuff that criminal gangs would love to get their hands on." She has now filled a bag with as many of the computer print-offs she could find, although fears that many more have blown away on the windiest day of the year.

The papers were initially found by her nine-year-old daughter Xxxxxx who then alerted her brother Xxxxxx, 12.
[Evan] My comment here is not related to the breach itself, but I feel a little uncomfortable using children's names publicly.

Neither understood the significance of the papers – although Mrs Stewart immediately did.

She said: "Reece had been to get his ball back after it had bounced into a sub-station and says he saw a pile on top of the transformer and they were whistling around in the gale.

"But it was Jessica who grabbed one as it blew past her in the street and showed it to me.

"I have counted at least 15 pages of lists of names and account details before you even start to talk about letters applying for credit cards and photo copies of personal documents which people have sent to the bank when they have made these applications.
"I find it very alarming that this kind of information is just blowing about in the street.
[Evan] No doubt!

"Surely in this day and age when ID fraud is all over the news the bank should be more careful about this information being printed out on paper."

A spokesman for HSBC, which has branches in Mesnes Road and Wallgate, said: "HSBC is investigating the find of documents found in Greater Manchester over the weekend.

"The security of our customers' personal information is of paramount importance and we have stringent procedures in place to guard against their loss.
[Evan] Is everyone aware of and following the "stringent procedures"?

"Without speculating on how this occurred, something has clearly gone wrong, and we are extremely disappointed to hear of these particular circumstances.

"When the cause of the incident has been determined, we will be reviewing our processes to ensure this does not happen again."
[Evan] In my opinion, promises that are made but cannot be fulfilled lead to a loss of confidence.

A UK Victim's Reaction:
"I can't believe it. The first I knew was when I was contacted by the person who found them. It is unforgivable that the bank would firstly lose such confidential details and then fail to tell its clients what had happened."

"I have been with this bank since I was a young lad and it is very disappointing indeed."

Commentary:
Let's take this from both sides for a second.  Poor information security practice led to these two breaches.  Real lives are affected when these things happen and HSBC should be more careful in the way they protect confidential personal information.  I count five publicly reported breaches from HSBC in the past six months including the two in this post.  There are likely more that weren't reported publicly as well.

Now the other side, for arguments sake.  HSBC is a huge company with ~10,000 offices in 83 countries and territories around the world.  I presume that they also have hundreds of thousands of customers (maybe millions).  Information security breaches in companies this large and diverse are bound to happen.  It isn't possible to eliminate them, so the best you can hope to do is reduce risk to a level that is "acceptable" to management and shareholders.  Information security personnel are not in the risk elimination business, we are in the risk reduction business.  This is reality.

Past Breaches:
May, 2008 - HSBC loses a server in branch renovation
April, 2008 - HSBC loses disc with 370,000 customer details
February, 2008 - Five-year-old wanders into bank branch after-hours

]]> Mon, 02 Jun 2008 05:40:52 +0000 customers bank customers bank bank officials bank bag bag bank branch after-hours street bank hsbc street Two HSBC breaches with similar circumstances http://securityratty.com/article/61e22cbbd808bee3a68e835bb0a92ca3 http://securityratty.com/article/61e22cbbd808bee3a68e835bb0a92ca3 Security Breach

Date Reported:
5/9/08

Organization:
Rent-a-Center*

*formerly RentWay

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers"

Breach Description:
"Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud."

Reference URL:
Sarasota Herald-Tribune
Bradenton Herald
Sarasota Herald-Tribune (May 10)

Report Credit:
Anthony Cormier, Sarasota Herald-Tribune

Response:
From the online sources cited above:

Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud.

The files were discovered in a plaza off Cortez Road on Friday morning.

In the files were photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers of people who leased furniture, TVs and appliances from RentWay.

A Manatee Sheriff's deputy arrived at about 10:30 a.m. and called workers from Rent-A-Center, which acquired RentWay in 2006, to clean up the mess.

In dress slacks and business shirts, Rent-A-Center employees crawled in a Dumpster on Friday afternoon.

it was unclear how long the files were in the lot and who may have accessed the sensitive information

Rather than shredding the documents that contained personal information of clients and taking them to their own Dumpster, the employees left the papers piled in the bottom of the Dots' store Dumpster

Kimberly Lash, manager of Dots, a women's clothing store next door to the the vacant storefront, said the mess had been out in the corner of the building for nearly a week.

She said the Rent-A-Center store manager said there were personal documents in the Dumpster.
[Evan] If I understand this correctly, the Rent-A-Center manager knew that there were personal documents being discarded in the dumpster?!  What the *&^# kind of manager would knowingly put his/her customers at risk?  I wouldn't hold the Dot's store manager ultimately responsible, but I wonder why she didn't do or say anything when she was told that there was personal information in the dumpster.

"All they did was pick it up and put it in my Dumpster," she said.

On Friday morning, a transient was seen rifling through the paperwork until he was shooed off by Don McLucas, who found the mess and called police

"Unbelievable," McLucas said. "Imagine the fraud you could commit with this stuff. And they just dump it like that? Unbelievable."

"You could open a bank account, apply for a credit card, anything. That information could be worth hundreds of thousands of dollars." - Robert Siciliano, CEO of IDTheftSecurity.com
[Evan] The bad guys certainly know this.  It seems like others either don't care or don't know.

The store manager of the Rent-A-Center store declined to comment. It's unclear what happened to the documents once they were removed from the Dots Dumpster.

Lt. William Vitaioli said it would not be a criminal violation to dispose of personal information such as Social Security numbers, credit card numbers, driver's license numbers or phone numbers.
[Evan] Should it be?  This is a hot debate.

Florida law requires companies to notify consumers if the security of their personal information has been breached.
[Evan] Are notification laws working?  Another hot debate.

Commentary:
If I had the time, I would check dumpsters on the way home one of these days.  Think I would find anything along my 25 mile ride home?

Past Breaches:
Unknown

]]> Mon, 12 May 2008 11:05:33 +0000 store manager store store dumpster rent-a-center store rent-a-center security rent-a-center store manager social security cards rent-a-center employees Did the Rent-a-Center manager knowingly expose personal information? http://securityratty.com/article/7ae56d34b365648af4041ccd173db81f http://securityratty.com/article/7ae56d34b365648af4041ccd173db81f Security Breach

Date Reported:
4/28/08

Organization:
Cove Creek Mortgage
Front Range Mortgage, LLC

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Mortgage files, tax returns, pay stubs, Social Security numbers, and other personal information

Breach Description:
"ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend."

Reference URL:
Denver Channel 7 News
Denver Channel 7 News (update)

Report Credit:
Denver Channel 7 News

Response:
From the online sources cited above:

ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend.
[Evan] Cove Creek Mortgage joins the ranks of other mortgage companies reported for similar breaches on The Breach Blog.  The others are Affordable Realty and Union Mortgage Services of Cleveland, Inc..

Cove Creek's owner had abandoned his Englewood office in January, and property managers had not been able to find him
[Evan] What kind of businessman just abandons an office full of confidential files and equipment?

On Saturday, the property manager had a crew clean out his office and throw all items from the office -- including complete mortgage files -- into two Dumpsters.
[Evan] Maybe the property manager should pay a little closer attention to the things they throw in the dumpster.  Having said this, the property manager is not really at fault.

David Peters who works in the same complex found the files Monday morning.

"I was taking some other trash out to the garbage can and opened the lid and on there was a couple of laptops,"

"Directly underneath them were files with people's names on it and I was like, 'Well, this is not right.'"

"There were tax returns, pay stubs, everything in there," he said. "And as I looked at the different files I realized that it was mortgage files, which was kind of scary, because who do you disclose the most information to or all of your information? That is when you are getting a mortgage loan."
[Evan] According to the news report, Mr. Peters contacted authorities.  This could have easily been much worse for victims.

The Dumpsters were not secured and located at 88 Inverness Drive East, Bldg. F.

Sheriff's investigators finally found the owner of Cove Creek and talked him into retrieving the files, many of which had private information, including Social Security numbers and credit history.
[Evan] Mr. owner guy, will you please come get your stuff and the personal information that was entrusted to you?  According to zoominfo a guy named Charlie Cartwright is/was the president of Cove Creek Mortgage.  I have no idea if this is the same guy that is referred to in the news article.

The district aAttorney's office got a tip about numerous mortgage files and two laptop computers in a Dumpster behind offices formerly used by Cove Creek Mortgage and Front Range Mortgage.
[Evan] Now Front Range Mortgage joins the ranks.  Front Range Mortgage offers credit repair services too! Do you suppose they could have repaired the damage that could have been done?

"With a name, Social Security number and bank account number, they can clean you out before you even know," said Arapahoe County District Attorney Carol Chambers.

The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information.

While there are civil laws against dumping such documentation, Chambers said it is not against the law.
[Evan] It's too bad that we have to write and enforce laws to protect us from idiots.

"I think it is a matter of legislation not catching up with the realities of identity theft," said Chambers. "And absolutely, we think recklessly disposing or negligently disposing of this kind of information should maybe carry a criminal penalty, just to get people's attention that you can't just leave this information or leave it out in a Dumpster."

"The district attorney recommends that any former customers of Front Range or Cove Creek should place a fraud alert on their credit reports and monitor any bank, credit card or investment accounts that might have been included on a mortgage application with that firm."

For further information, assistance or questions, call the District Attorney's Fraud Assistance Line at 720-874-8547.

Commentary:
What is with these mortgage companies?  The 90's and early 2000's was a wild ride for mortgage brokers, real estate agents, and investors.  The money attracted people from all walks of life and a lot of poor decisions were made.  Now that the bubble has burst, we start to see the true colors of some of these "professionals".

I don't know much if anything about the owners of these companies, but I do know that securing personal information poorly is bad business.

Past Breaches:
Unknown

]]> Wed, 07 May 2008 18:20:50 +0000 mortgage files numerous mortgage files personal information information complete mortgage files personal information poorly files cove creek mortgage cove creek Personal information from two Colorado mortgage companies found in dumpsters http://securityratty.com/article/0f0557fdc4dfeb37420b65decbea2603 http://securityratty.com/article/0f0557fdc4dfeb37420b65decbea2603 Security Breach

Date Reported:
4/30/08

Organization:
Cornerstone Fitness for Women

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names, addresses, phone numbers and in many instances Social Security numbers copies of checks and credit card information

Breach Description:
"EDINBURG - A local company that operates several fitness centers across the region could be fined if investigators substantiate allegations it left clients' sensitive personal information in a trash bin."

Reference URL:
KRGV-TV Newschannel 5
The Monitor
The Brownsville Herald

Report Credit:
KRGV-TV Newschannel 5

Response:
From the online sources cited above:

EDINBURG - A local company that operates several fitness centers across the region could be fined if investigators substantiate allegations it left clients' sensitive personal information in a trash bin.

This story came to our attention after NEWSCHANNEL 5's Lisa Cortez received a phone call from a complete stranger on her cell phone.

He had Lisa's contract from Cornerstone Fitness.

He knew not only her phone number, but also her address, employer, and a copy of a check used to pay her account.

He also had about 30 other contracts.

It has everything you would want to know about them. I think those people deserve to know about it, " said Zumwalt. (Sammy Zumwalt, the person that called Ms. Cortez)

All contracts list names, addresses and phone numbers. Some of them list social security numbers and have copies of checks and credit cards.

Zumwalt says his friend found a filing cabinet in a dumpster behind the former Cornerstone Fitness Center for Women in Edinburg.

The center shut down several months ago.
[Evan] This isn't the first time that we have read about an organization vacating a location and leaving sensitive information behind (unsecured).  Just in the past few months there was Affordable Realty in March, and Union Mortgage and First Magnus in February.

The paperwork was in Zumwalt's room for several weeks.

Recently, he decided to go through the stack of papers and came across the sensitive information.

Zumwalt turned the contracts over to NEWSCHANNEL 5.
[Evan] Why NEWSCHANNEL 5 and not the police or the Texas Attorney General?  Do you think somebody wanted their 15 minutes of fame?

"At this point, we don't know what happened. This is not our usual practice. We are investigating it. We've been in the business for 10 years and this is the first time we hear of something like this. " (Joseph De la garza, one of the fitness club's owners)

NEWSCHANNEL 5 sorted through the contracts and contacted several members from the pile.

Cornerstone tells NEWSCHANNEL 5 they carefully guard all sensitive client information.

State Sen. Juan "Chuy" Hinojosa, D-McAllen, urged Texas Attorney General Greg Abbott to investigate, according to Jerry Strickland, a spokesman for the attorney general's office.
[Evan] I guess this is one good thing about reporting it to the media instead of the authorities.  Mr. Hinojosa sees it on TV and pushes for an investigation.

"A lot of businesses are being very careless in the way they handle personal information," Hinojosa said. "Businesses (are required) to shred all information they no longer need."
[Evan] Oh yes, very true.

Victim Reaction:
"I mean, I don't even know how to explain how I feel, because I am so in shock," said one woman after we read her social security number.

Denise Grant told NEWSCHANNEL 5, "You never realize how important this information is until you have to try to prove that you are who you say you are." (a woman who claims to have been an victim of identity theft before)

Commentary:
Well, we all know (or should know) that this type of breach is nothing new, but I am keyed in on what Mr. Hinojosa stated, "A lot of businesses are being very careless in the way they handle personal information". 

What will urge businesses to be more careful and secure personal information better?  More laws?  More costly fines?  More laws mean more compliance.  More compliance means more cost to companies.  More cost to companies means more expensive goods and services.  Seems that the same argument holds true for fines.

Maybe we should stop using a single identifier for all things personal (i.e. Social Security numbers).  Do you think that the credit bureaus and the rest of the financial industry would go for such a radical idea?  Do you know how the credit bureaus make money (I won't go into this now)?  This would be a tough battle to fight.

An easy to implement solution does not exist.  We have walked so far down this road that I think we may have gotten a little lost. 

I have ranted long enough.  On to the next breach, right?

Past Breaches:
Unknown

]]> Mon, 05 May 2008 10:01:48 +0000 information secure personal information sensitive information handle personal information personal credit card information cornerstone fitness cornerstone tells newschannel newschannel Cornerstone Fitness for Women information found in discarded file cabinet http://securityratty.com/article/9601a978ec74f6f33023676f06cc36f8 http://securityratty.com/article/9601a978ec74f6f33023676f06cc36f8 Wed, 09 Apr 2008 20:00:00 +0000 security major security certifications security certifications expert adam gordon gordon horizons clc tricky aspects south florida real-world Security certs, vampires and dumpster diving http://securityratty.com/article/cf1c6837ab1893a2838018bc8c59378d http://securityratty.com/article/cf1c6837ab1893a2838018bc8c59378d Security Breach

Date Reported:
4/6/08

Organization:
People's United Bank

Contractor/Consultant/Branch:
Various branches

Victims:
Customers

Number Affected:
"hundreds"

Types of Data:
"confidential financial data" and "private information, including customers' Social Security numbers and account information"

Breach Description:
"For four months, James Hastings dove into Dumpsters outside People's United Bank branches throughout Fairfield County, pulling out bags of paperwork containing private information, including customers' Social Security numbers and account information."

Reference URL:
The Connecticut Post
Newsday/Associated Press

Report Credit:
The Connecticut post

Response:
From the online sources cited above:

For four months, James Hastings dove into Dumpsters outside People's United Bank branches throughout Fairfield County, pulling out bags of paperwork containing private information, including customers' Social Security numbers and account information.

Bank employees didn't know what Hastings was doing until the Fairfield resident told them and delivered a video depicting him digging through the Dumpsters and sitting in front of a wall in his home he had papered with the documents.
[Evan] People's Bank would have had no idea that confidential documents were taken from dumpsters had Mr. Hastings not approached them.  How long could the practice of discarding confidential information in the garbage have gone on before someone else noticed?  How long has this practice been accepted, and is it still occurring?

The bank got a restraining order against Hastings on March 20, and detectives from the State Police, on a search-and-seizure warrant, raided his home. He is scheduled to appear in Bridgeport Superior Court Monday and he said he could face prison for violating the order the bank secured from the court to stop Hastings from discussing or distributing any of the material.
[Evan] Judging from what I read, Mr. Hastings is appearing in court to faces charges of violating the restraining order, not for taking the documents from the dumpster.  I don't think it's against the law to rummage through dumpsters.  If it were, how could you enforce it well?

The restraining order also came into play Wednesday when Hastings tried to turn over the remaining boxes of documents to Attorney General Richard Blumenthal.

The AG's office late Wednesday refused to talk to him until lawyers there investigated the restraining order. It had not made a determination on how it can proceed.
[Evan] This is sad.  I think it is in the public's and the victims' best interests to have the Attorney General investigate fully.

In a series of interviews, Hastings says he's not an identity thief. He says he wants the bank to react to what he calls a serious lapse in security.
[Evan] The bank has reacted, but obviously not in the way Mr. Hastings had preferred.

On Tuesday, he displayed two boxes filled with documents he says he culled from bags of garbage People's United Bank threw away.

People's, however, doesn't see it that way, and said Hastings is attempting to extort money from the bank. It is also demanding the information be turned over to the bank.

Brent DiGiorgio, a People's spokesman, says the bank's primary concern is protecting the customers' information that Hastings has taken.
[Evan] If "protecting customers' information" were the bank's primary concern, then should they have done more to disallow these documents to be thrown in the garbage?  Should they address the root issue more aggressively?  The information that Mr. Hastings found does not belong to the bank, the information belongs to the victims.

"We're going to provide one year of free credit monitoring for customers whose information was taken when this gentleman rummaged through our trash," DiGiorgio said.
[Evan] Big deal.  Broken record...  Credit monitoring helps to alert a person only after they have become an identity theft victim.  A one year time frame is insufficient for information that has a life span which far exceeds this limit.

He said the bank notified police immediately when it found out what Hastings had. That notification resulted in a search of Hastings home and the seizure of documents.

Letters are being mailed out to affected customers, DiGiorgio said.

About four months ago, Hastings says he was driving out of a People's branch parking lot in Fairfield when he saw a Dumpster brimming with garbage bags. When he looked more closely, he saw the clear garbage bags were stuffed with financial documents.
[Evan] An opportunist.

Hastings says he wanted to try to determine the extent of the problem, so he says he worked nights and weekends digging into Dumpsters at People's and other financial institutions.

"I'm disgusted by what I've pulled out of those bags," Hastings says, adding that the paperwork contains information on how much money individuals have in their accounts and where they live. He's got Social Security numbers and more on customers.

"I've got a guy in here that's got $8 million in gold," Hastings says.

He turned over a lot of those documents to police during the raid, but retained some in boxes, he says, that he hoped Blumenthal's office would accept.

During trips to People's branches from Stratford to Stamford, he made a video to, he claims, to protect himself from the charge of extortion. "It needs editing," he said, before turning one of the many discs over to the Connecticut Post.

There are applications for credit cards, reports on bank deposit and account information.

Hastings says after several months he contacted People's and the bank set up a meeting with him. On March 19, he met with People's Director of Corporate Security William A Gniazdowski.

Gniazdowski's affidavit of the meeting is on file with the court.

In it, he says Hastings went to the bank's headquarters at Main Street in Bridgeport, met with executives and dropped off DVDs and toy handcuffs. In the video the bank saw, and Hastings confirms, he wears an orange jumpsuit to indicate People's employees should face criminal charges if any of this private information is made public.
[Evan] I can think of a more tactful way for Mr. Hastings to present the information.

Gniazdowski says Hastings asked People's to hire him as a "fraud consultant." When Gniazdowski asked what would happen if the bank didn't comply, Hastings allegedly said he'd take "great pleasure shoving it up their nose."
[Evan] Thus the charge of extortion.

Hastings said the bank's security chief trapped him in the room and wouldn't let him leave, so Hastings got mad and told the security officer to take the DVDs and shove them up his nose.
[Evan] Thus the defense.

As for the charge of extortion, Hastings says, that's the bank trying to protect its reputation.

The fact that the police didn't arrest him when they searched his house shows that it's clear he wasn't trying to extort anything, he says. He adds that if he were a criminal he would have never gone to the bank because he could be living off the information he found. He noted the bank didn't know he was out there until he came to People's.
[Evan] More defense.

Hastings, who admits he's concerned about his freedom and reputation, says he wishes he'd never started this, but now that he has he's not going to just roll over.

He volunteered that he has a record. He was arrested and served a two-year probation for trying to secure drugs from a pharmacy by impersonating a doctor, but that was for a painkiller he needed, and he was convicted of drunken driving. The Post confirmed he has a small criminal record.

As for what he offered the bank, Hastings says, "What I said is you need a consultant. You don't need to hire me."

The bank disagrees, and a law professor says he would tend to side with the bank.
[Evan] Interesting choice of words.  I assume that the professor is basing his assumptions on past experiences and not necessarily on the detailed facts of this case.

Jeffrey Meyer, a Quinnipiac University Law School associate professor and former assistant U.S. attorney, says he's heard of situations like this, but they usually involve computer hackers.

In those scenarios, a hacker finds a weakness in a corporation's Web site, exploits it and sabotages the site. The hacker will do it several times, Meyer says, before contacting the company to suggest it hire him or her as a consultant.

This has resulted in prosecution for extortion, Meyer says.

"It's the quid pro quo," Meyer said, which makes it a problem.

If the person demands payment not to damage the company, "it certainly crosses the legal line," he said.

This is not the first time Hastings says he's investigated a company's procedures and asked to be hired as a consultant. He says he found a problem with a cell phone company and it paid him $10,000 as a consultant in the late 1990s.

Hastings said the bank's Dumpsters aren't properly secured and it isn't shredding documents, he says.
[Evan] Yes, the ROOT of the problem.  We shouldn't lose sight of the fact that the bank did not adequately secure the personal information of some of it's customers.  If the documents had been destroyed appropriately, we would have no story, no search warrant, no restraining order, no court case, no victims, etc., etc.  This is all a waste of valuable resources due to poor security (business) practices.

"We believe this is an isolated incident to the greater Bridgeport and greater Stamford," DiGiorgio said. "It's unfortunate."
[Evan] It is more than "unfortunate"!

DiGiorgio says the bank has training on how to safeguard customer information and takes that obligation very seriously. It is reviewing its policies, he said when asked if People's will still throw documents into Dumpsters.

"We do have a policy of how to dispose of customer information," DiGiorgio says, but security reasons prevented him from revealing what those policies are.
[Evan] Why do people state that they cannot disclose a security policy for "security reasons"?  There is no "confidential" information in any one of the security policies I write for companies.  Maybe "internal" information on occasion.  Sometimes there is "confidential" information and processes in procedures, but never in policies.  I share my information security policies openly with colleagues and partners.

DiGiorgio says that since Hastings went to the bank it has posted "no trespassing" signs and has installed locks on the Dumpsters it controls. But some of those receptacles, the bank shares with other companies and therefore cannot lock
[Evan] No trespassing signs and locks are a deterrent to the casual opportunist, but do not stop criminals.  I'm not saying it is or is not a good practice (I don't have enough detail), but proper shredding is optimal.

While the bank is reviewing its procedures, DiGiorgio said it does not believe that Hastings has a right to take the documents to "extort money from the bank."
[Evan] The question is his motive I suppose.  I don't think he broke the law by taking the documents out of the garbage, but the legal questions surround what he intended to do with the information.

Blumenthal said Thursday his office is still investigating the matter and attempting to verify Hastings' story.

But he said in an earlier interview banks have a legal responsibility to secure customers' financial information.
[Evan] Amen.

Blumenthal questioned how People's could be securing customers' information by throwing it away unshredded or even shredded in a state that could be pieced together.
[Evan] Wait.  Now, Amen.

The bank "might have an explanation," Blumenthal says. "But then again it might want to change its current practices or buy a new shredder."

Commentary:
Another interesting story.  The circumstances and drama that surround this breach should not take away from the original cause.  It seems as though the bank broke the law by not adequately securing customer information and Mr. Hastings may or may not have broken the law in the way he handled the disclosure.  I guess the lawyers will have to haggle and the court will ultimately have to decide.

Past Breaches:
Unknown

]]> Tue, 08 Apr 2008 08:47:21 +0000 bank financial information information confidential information people bank deposit hastings james hastings dove bank set Drama surrounds People's United Bank breach