http://securityratty.com/tag/petroleum Sun, 22 Jun 2008 17:58:23 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/1e0eee4c18853dda51b902995e1d952a http://securityratty.com/article/1e0eee4c18853dda51b902995e1d952a Security Breach

Date Reported:
6/19/08

Organization:
Petroleum Wholesale, L. P.

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"sensitive personal information, including Social Security numbers, bank account numbers, and credit or debit card information"

Breach Description:
”HOUSTON -- Petroleum Wholesale, which operated Sunmart Travel Centers and Convenience Stores in 10 states, was charged by the Texas Attorney General of improperly disposing of customer records"

Reference URL:
The Pasadena Citizen
KHOU-TV Channel 11 News
Convenience Store News

Report Credit:
The Pasadena Citizen

Response:
From the online sources cited above:

HOUSTON - Texas Attorney General Greg Abbott today charged Houston-based Petroleum Wholesale, L.P., which operates Sunmart Travel Centers & Convenience Stores in 10 states, for exposing its customers to identity theft.

According to the state's enforcement action, Petroleum Wholesale improperly discarded customer records containing sensitive personal information, including Social Security numbers, bank account numbers, and credit or debit card information.

"This defendant is charged with failing to protect its customers' sensitive information," Attorney General Abbott said.

"With more than 20,000 Texas victims each year, identity theft remains one of the nation's fastest-growing crimes. The Office of the Attorney General will continue working to protect Texans from identity theft."

Investigators with the Office of the Attorney General (OAG) discovered that the company improperly discarded hundreds of customer records in a publicly-accessible trash container outside its former headquarters.
[Evan] According to information posted on the Petroleum Wholesale web site, "Petroleum Wholesale services more than 350 retail locations throughout ten states."  This breach has the potential to affect many, many people.

According to investigators, the records included sales receipts with customers' names and full credit or debit card numbers with expiration dates.

The records also included returned checks, along with forms listing customers' names, banking routing numbers, driver's license and Social Security numbers.

The defendant is charged with violating the 2005 Identity Theft Enforcement and Protection Act, which requires the safeguarding and proper destruction of clients' sensitive personal information.

State law establishes penalties of up to $50,000 per violation of the Act.
[Evan] This could add up quick.  What's a better business decision, a few hundred bucks for a cross-cut shredder and accompanying procedures, or fifty grand per incident?  Although, I am not sure that a shredder and procedures are not all that is needed in Petroleum Wholesale's information security program (assuming one exists).

The OAG also charged the company with violating Chapter 35 of the Business and Commerce Code, which requires businesses to develop retention and disposal procedures for their clients' personal information.

The law provides for civil penalties of up to $500 for each abandoned record.

For more information about preventing identity theft, contact the Office of the Attorney General at (800) 252-8011 or visit the agency's Web site at www.texasattorneygeneral.gov.

style="font-weight: bold;">Commentary:
One question that isn't clear from the news reports is whether or not this was a common practice at Petroleum Wholesale.  Organizations should take heed of this case.  I think actions taken by Mr. Abbott and other State Attorney Generals will only become more frequent.

I look forward to more information in the future about this case.

Past Breaches:
Unknown

]]> Sun, 22 Jun 2008 17:58:23 +0000 sensitive personal information personal information petroleum wholesale information company company improperly improperly debit card information debit card Petroleum Wholesale charged with exposing customers