http://securityratty.com/tag/interbank Tue, 15 Apr 2008 19:57:04 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/184d08544bae8b30426de5caac87fb7a http://securityratty.com/article/184d08544bae8b30426de5caac87fb7a Security Breach

Date Reported:
4/9/08

Organization:
Interbank FX, LLC ("IBFX")

Contractor/Consultant/Branch:
None

Victims:
Customers and prospective customers prior to April 2, 2007

Number Affected:
Unknown

Types of Data:
"social security number, driver's license, and passport information, and may also include your Interbank FX account information"

Breach Description:
In April, 2007 an employee posted a file to an insecure server that was accessible via the Internet.  The file contained personal information belonging to certain persons who applied for an Interbank FX account prior to April, 2007.  Interbank FX became aware of the exposure on March 28th, 2008.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

The letter to victims is signed by Todd B. Crosland, CEO and President of Interbank FX
[Evan] This fact is important to note.  I admire corporate leaders who step up and respond to an incident.  Mr. Crosland seems to understand his role very well as it pertains to information security.  Business leaders are the people that are ultimately responsible for the security of the organizations they run.

We are writing to inform you of a matter that may affect you. The security of some personal information you provided as you considered our service was inadvertently compromised.

Interbank FX has thoroughly investigated the matter, has taken immediate steps to protect your information, and is taking the additional precautions outlined in this letter to assist you in monitoring and guarding the security of your personal information.

The incident involved an electronic file dated April 2, 2007, which contained personal information provided by certain individuals who had applied for an Interbank FX account prior to that date.

Around that time, an employee uploaded the file to a computer server accessible via the internet.
[Evan] So, sometime around April, 2007 is the date of the actual exposure.

The employee's action - placing the file outside of the Company's development lab, firewalls and secure computing environment - was contrary to Interbank FX policies and procedures and compromised the security of the information in the file.
[Evan] I understand what the meaning of this statement is, but I also want to make it clear that a "development lab, firewalls, and secure computing environment" do not ensure security.  There is a lot of room for interpretation.

The file contained the information you provided to us when you opened or considered opening an account with us. This may include your social security number, driver's license, and passport information, and may also include your Interbank FX account information.

Upon learning on March 28, 2008 that this information was available outside our secured computing envirornnent, the Company took immediate steps to secure the information.
[Evan] The breach was discovered (by Interbank FX) almost a year later.  The window of exposure was pretty long.

Within hours of that discovery, all files containing sensitive personal information were removed from the server and brought within the Company's firewalls and electronic security controls.

We also terminated the employee's access to all personal information in Interbank FX 's files.

You are receiving this letter because your application information was provided prior to April 2, 2007.

The incident does not affect anyone who applied for an Interbank FX account after April 2, 2007.

Interbank FX is committed to protecting your personal information. Thus, we are offering you the opportunity to enroll, at no cost to you, in Equifax Credit Watch(TM) Gold with 3-in-l Monitoring for a one-year period.
[Evan] Although one-year has become a sort of de-facto standard in breach responses, it is not long enough.  A Social Security number is valuable for a much longer period of time.

We also will reimburse you for the direct cost of any freeze you choose to put on your credit file as a result of this issue.
[Evan] I though that this statement was interesting.  Maybe I don't read breach notifications thoroughly enough, but I don't think I have seen this offer before.

As an additional precaution, we also encourage you to change any password you created for your Interbank FX account prior to April 2, 2007.

We have established a toll-free hotline (800-550-1571) to answer your questions and assist you in signing up for the Equifax Credit WatchTM program. We ask you to notify us immediately if you notice (or have noticed) any unusual activity in any of your accounts.

We regret this incident and apologize for any inconvenience.

Commentary:
One year of exposure is a very long time for confidential information.  I wonder how the company finally learned about the presence of the file(s).  What do you suppose are the chances that the employee who uploaded the file:

1. Was not aware of the "Interbank FX policies and procedures" that pertained to his/her actions?
2. Was not aware that the file contained sensitive personal information?
3. Was not aware that the server was insecure and accessible publicly?
4. All of the above?

Personnel that handle sensitive information must be trained and re-trained.  These personnel must also be reminded regularly through an ongoing awareness program.

Past Breaches:
Unknown

]]> Tue, 15 Apr 2008 19:57:04 +0000 information sensitive personal information personal information application information handle sensitive information information security interbank file confidential information File containing Interbank FX customer information exposed for almost a year