http://securityratty.com/tag/penney Fri, 18 Jan 2008 07:24:59 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/90d7c103965563fa195dd3b59e703de2 http://securityratty.com/article/90d7c103965563fa195dd3b59e703de2 "Data of 650,000 customers at risk." Now this situation appears completely different then TJX. The data, and I assume the protection of that data, were outsourced.

So this begs the question - should it be a requirement for vendors providing services to enterprises that would include sensitive data be certified against ISO 27001?

Here is a great write-up, case study I came across of a vendor doing this. Just like we expect vendors to achieve specific Service Level Agreements on availability, performance...shouldn't we be doing the same things around security and risk?]]> Mon, 21 Jan 2008 10:51:00 +0000 include sensitive data data situation appears completely expect vendors vendors security risk protection assume Another security breach, but this one is different... http://securityratty.com/article/a9d0b61384b46c14779a139d682145cf http://securityratty.com/article/a9d0b61384b46c14779a139d682145cf Security Breach

Date Reported:
1/18/08*

*Update to " GE Money and Iron Mountain unable to locate tape"

Organization:
J.C. Penney

Contractor/Consultant/Branch:
GE Money
Iron Mountain

Victims:
J.C. Penney customers and the customers of "up to 100 other retailers" which include "many of the large retail organizations"

Number Affected:
650,000

Types of Data:
Names, addresses, account numbers, Social Security numbers, and other information

Breach Description:
GE Money and it's backup storage vendor, Iron Mountain are unable to locate a backup tape.  The unencrypted tape contained sensitive personal information belonging to GE Money, J.C. Penney, and up to 100 other retail store customers.  The tape was lost in October, 2007.

Reference URL:
Associated Press Story
State of New Hampshire Breach notification dated December 28, 2007
Original Breach Blog Report

Report Credit:
The Associated Press

Response:
From the online sources cited above:

Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing.

GE Money, which handles credit card operations for Penney and many other retailers, said Thursday night that the missing information includes Social Security numbers for about 150,000 people.

The information was on a backup computer tape that was discovered missing last October. It was being stored at a warehouse run by Iron Mountain Inc., a data storage company, and was never checked out but can't be found either

This unencrypted tape, which was being retained at a secure, offsite storage facility, included your name, address, and Social Security number, as well as your [CLIENT1] credit card account number

It was checked into their secure facility and never checked out, and a search of their premises and ours has been unable to locate it.

there was "no indication of theft or anything of that sort," and no evidence of fraudulent activity on the accounts involved

Iron Mountain spokesman Dan O'Neill said it would take specialized skills for someone to glean the personal data from the tape.
[Evan] It also takes specialized skills to walk upright on two feet.  If the information on  the tape is not encrypted, accessing it is a trivial task.

the company regretted losing the tape, "but because of the volume of information we handle and the fact people are involved, we have occasionally made mistakes."
[Evan] Mr. O'Neill makes a valid point.  Iron Mountain handles millions of tapes.  According to their web site, they handle data storage (and protection) for over 90,000 organizations in 26 countries.  Eventually a tape will go missing.  I don't place much blame on Iron Mountain as I do on GE Money.

declined to identify the other retailers whose customers' information is missing but said "it includes many of the large retail organizations."

It took GE Money two months to reconstruct the missing tape and identify the people whose information was lost.
[Evan] Two months is a long time, but I suppose you want to be sure you get it right.

Since December, the company has been notifying consumers in batches of several thousand and telling them to phone a call center set up to deal with the breach. The notification is expected to be completed next week.

Penney's card holder Elizabeth Rich of Everett, Wash., got one of the GE Money letters saying her name, address and account number may have been compromised. She was told her Social Security number was not on the tape.

The letter, signed by GE Money President Brent P. Wallace, read in part, "We have no reason to believe that anyone has accessed or misused your information. The pieces of information on the tape would not be enough to open new accounts in your name, and we have implemented internal monitoring to protect your account number from misuse due to this incident."
[Evan] The "would not be enough to open new accounts in your name" part is because Elizabeth Rich was one of the fortunate persons that did not have her Social Security number on the tape.

Wallace said in the letter that Penney "was in no way responsible for this incident."
[Evan] I respectfully disagree with this statement.  J.C. Penney collected the information from the owner.  This puts J.C. Penney into a "data custodian" role.  As a data custodian, they have the duty to ensure that the data is protected throughout its lifecycle.  J.C. Penney needs to ensure that their partners and vendors adequately secure information.

The Penney name didn't appear on the envelope Rich received, and she thought it was a credit solicitation when she saw the GE Money return address.

"I think the average consumer has thrown away that GE Money letter because they don't know it's about J.C. Penney," Rich said. "Not everybody opens junk mail."
[Evan] Do you suppose this was on purpose?  Who knows.

Rich said she canceled her Penney card immediately.
[Evan] This is an EXCELLENT suggestion for all affected customers.  Cancelling your card does three things (at least), it protects from credit card fraud (on this card anyway), sends a message to J.C. Penney that they should do more to monitor partners' and vendors' business and security practices, and sends a message to GE Money that they must encrypt confidential data at rest (potentially among other things).

Commentary:
We originally reported this breach on the Breach Blog a few weeks ago based on information we gleaned from the New Hampshire State Attorney General.  This new information helps to clarify some of the missing information.  I am sure there will be more to come.

As I stated earlier in my comments, I don't fault Iron Mountain much for their role in this breach granted they lost the tape.  I would expect a certain amount of loss given the nature of their business, the number of tapes they handle, and the fact that people make mistakes.  I don't know what kind of excuse GE Money has for not encrypting confidential data at rest.  This is a well-known best practice that is preached by most good information security personnel.  The fact that the breach notifications sent to customers are not clearly marked as such (according to Elizabeth Rich) only adds insult to injury.

Contrary to what J.C. Penney may think and what GE Money has stated, J.C. Penney does have responsibility in this breach.  To state that J.C. Penney "was in no way responsible for this incident" is false.  They have the responsibility to ensure that the information given to them from the owner is handled appropriately.  Do they audit their partners' information security practices?  Did they know or care that sensitive information belonging to their customers on backup tapes was not encrypted?

Past Breaches:
October, 2007 - Iron Mountain driver does not follow company procedures
]]> Fri, 18 Jan 2008 07:24:59 +0000 penney penney customers tape backup tape money sensitive personal information personal information penney card immediately information security practices J.C. Penney customers affected by lost GE Money backup tape