[SecurityRatty] tag: plaza

Did the Rent-a-Center manager knowingly expose personal information?

Mon, 12 May 2008 11:05:33 +0000

Technorati Tag: Security Breach

Date Reported:
5/9/08

Organization:
Rent-a-Center*

*formerly RentWay

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers"

Breach Description:
"Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud."

Reference URL:
Sarasota Herald-Tribune
Bradenton Herald
Sarasota Herald-Tribune (May 10)

Report Credit:
Anthony Cormier, Sarasota Herald-Tribune

Response:
From the online sources cited above:

Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud.

The files were discovered in a plaza off Cortez Road on Friday morning.

In the files were photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers of people who leased furniture, TVs and appliances from RentWay.

A Manatee Sheriff's deputy arrived at about 10:30 a.m. and called workers from Rent-A-Center, which acquired RentWay in 2006, to clean up the mess.

In dress slacks and business shirts, Rent-A-Center employees crawled in a Dumpster on Friday afternoon.

it was unclear how long the files were in the lot and who may have accessed the sensitive information

Rather than shredding the documents that contained personal information of clients and taking them to their own Dumpster, the employees left the papers piled in the bottom of the Dots' store Dumpster

Kimberly Lash, manager of Dots, a women's clothing store next door to the the vacant storefront, said the mess had been out in the corner of the building for nearly a week.

She said the Rent-A-Center store manager said there were personal documents in the Dumpster.
[Evan] If I understand this correctly, the Rent-A-Center manager knew that there were personal documents being discarded in the dumpster?! What the *&^# kind of manager would knowingly put his/her customers at risk? I wouldn't hold the Dot's store manager ultimately responsible, but I wonder why she didn't do or say anything when she was told that there was personal information in the dumpster.

"All they did was pick it up and put it in my Dumpster," she said.

On Friday morning, a transient was seen rifling through the paperwork until he was shooed off by Don McLucas, who found the mess and called police

"Unbelievable," McLucas said. "Imagine the fraud you could commit with this stuff. And they just dump it like that? Unbelievable."

"You could open a bank account, apply for a credit card, anything. That information could be worth hundreds of thousands of dollars." - Robert Siciliano, CEO of IDTheftSecurity.com
[Evan] The bad guys certainly know this. It seems like others either don't care or don't know.

The store manager of the Rent-A-Center store declined to comment. It's unclear what happened to the documents once they were removed from the Dots Dumpster.

Lt. William Vitaioli said it would not be a criminal violation to dispose of personal information such as Social Security numbers, credit card numbers, driver's license numbers or phone numbers.
[Evan] Should it be? This is a hot debate.

Florida law requires companies to notify consumers if the security of their personal information has been breached.
[Evan] Are notification laws working? Another hot debate.

Commentary:
If I had the time, I would check dumpsters on the way home one of these days. Think I would find anything along my 25 mile ride home?

Past Breaches:
Unknown

Staten Island University Hospital notifies patients of December theft

Thu, 01 May 2008 11:09:25 +0000

Technorati Tag: Security Breach

Date Reported:
5/1/08

Organization:
Staten Island University Hospital

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
88,000

Types of Data:
"names, Social Security and health insurance numbers"

Breach Description:
"STATEN ISLAND, N.Y. -- Computer equipment stolen from an administrative office in Rosebank in December contained personal information about 88,000 patients who have been treated at Staten Island University Hospital."

Reference URL:
Staten Island Advance
Staten Island Advance (Video)

Report Credit:
Glenn Nyback, Staten Island Advance

Response:
From the online sources cited above:

STATEN ISLAND, N.Y. -- Computer equipment stolen from an administrative office in Rosebank in December contained personal information about 88,000 patients who have been treated at Staten Island University Hospital.
[Evan] Wow, December?!

After four months with no arrests, hospital administrators are just now beginning the process of sending letters to patients whose names, Social Security and health insurance numbers were contained in computer files on a desktop computer and a backup hard drive stolen Dec. 29 from one of the hospital's finance offices at 1 Edgewater Plaza.
[Evan] A desktop computer and backup hard drive, likely without encryption and containing sensitive personal information is generally poor information security practice. There was no mention of encryption in the news report, so I will assume that it was not present.

"The hospital is in the process of issuing a letter of information to each patient involved in which one year of free credit monitoring is being offered,"
[Evan] As stated in numerous Breach Blog postings, true credit monitoring only alerts an individual AFTER fraud has already taken place. A Social Security number and other personal information does not expire or become ineffective after a year, so how good is one year of protection?

Ms. Ryback said no medical records were included in the files

wouldn't speculate why SIUH waited so long to notify people. "I'm not going to get into that," she said.

Police described the suspect -- caught on a surveillance camera -- as a black man between 30 and 40 years old. The man is seen walking out carrying the computer equipment in a cardboard box.
[Evan] The video of the theft is here. Its almost surreal to watch someone walk away with something that is very valuable to many people.

"at this time, there is no reason to believe that patient information from the stolen computer has been misused."
[Evan] Nope. The thief has not called the hospital to inform them that he is misusing the information.

Ms. Ryback said that, while the motive for the theft is open to question, it appears that it might have been purely for the value of the equipment.

"We take this opportunity to offer our apologies to the patients who are affected by the theft,"

"We reassure our patients and community that, as always, we regard patient confidentiality as one of our highest priorities, and in this regard, we are working to take additional steps to protect patient information and to reduce the possibility of computer theft in the future."
[Evan] Like what? Provide some details. Tell your customers/patients specifically what you plan to do in order to protect the information that belongs to them.

Without elaborating, Ms. Ryback said that "all you can do is be more security-conscious."
[Evan] Uh, no. This is not all you can do. Being security-conscious is important, but it is far, far, far from all you can do. How much weight should we put behind a statement like this? It's obvious that Ms. Ryback is not qualified to quantify "all you can do".

Police are asking for the public's help in catching a thief who made off with computer equipment from a Staten Island administrative building occupied by Staten Island University Hospital.

Police ask that anyone with information about the theft call NYPD's Crimestopper Hotline at 800-577-TIPS.

Citizen/Victim Reaction:
"After 4 months? Why did it take so long, Ms. Ryback? and now your going to offer to watch peoples credit ? I hope they sue your pants off," one reader, goaway12, posted yesterday.

averagedude, asked, "where was security?"

youbetchabar, joked, "4 months is about the same amount of time it takes to get called in the ER," poking fun at the waiting time for emergency patients.

Commentary:
On the one hand I enjoy doing research, albeit brief research about information security breaches. On the other hand I get really offended by organizations that demonstrate a lack of due care in the handling of personal information. No organization is going to state ""We reassure our patients and community that, as always, we regard patient confidentiality as one of our lowest priorities, and in this regard, we are working to take additional steps to disclose patient information and to increase the possibility of computer theft in the future." In the end, what really matters? It's not what the organization claims, it is what it demonstrates.

I am miffed by SIUH's apparent lack of risk, information security, and incident response management.

Past Breaches:
Unknown

Hundreds of WiseBuys customers are victims of credit card fraud

Sat, 26 Apr 2008 17:01:56 +0000

Technorati Tag: Security Breach

Date Reported:
4/24/08

Organization:
WiseBuys Stores, Inc.

Contractor/Consultant/Branch:
WiseBuys of Canton

WiseBuys Plaza, 5533 US Highway 11, Canton, NY 13617, 315.379.0456

Victims:
Customers

Number Affected:
"hundreds"

Types of Data:
"credit and debit card numbers"

Breach Description:
"Hundreds of credit and debit card numbers were stolen in December at the Canton Wisebuys store, according to Canton Village Police."

Reference URL:
Watertown Daily News
WWTI Channel 50 News
TWEAN News Channel of Syracuse

Report Credit:
WWTI Channel 50 News

Response:
From the online sources cited above:

CANTON — Police are investigating hundreds of reports of thefts of credit and debit card numbers belonging to customers who shopped at WiseBuys department store in December.

"We have had hundreds of victims and thousands of thefts. We have had amounts as high as $3,000 and as low as $10," said Sgt. Lori A. McDougal of the village police department. "I would say at this point they total upwards of $100,000."

Victims are all believed to have shopped at the Canton WiseBuys store between Dec. 5 and 20

Since then, stolen credit card numbers have been used to create fake cards in New York City.

The fraudulent cards were used to pay for taxi rides, to buy food at a Wendy's Restaurant and to make purchases at New York City drug stores and other locations.

"We had the New York City police call us about one of our cards that was picked up in a sting," said Scott A. Wilson, president and chief executive officer of SeaComm Federal Credit Union, which has a branch in Canton.

Complaints about the thefts began to come in early in March as victims received their monthly bank and credit card statements

"At this point we are not sure how the numbers were obtained. It may be an employee or it may be somebody who hacked into their system," Ms. McDougal said.

Hannaford Bros., which operates supermarkets in the Northeast including stores in Watertown and Massena, reported the theft of up to 4.2 million credit and debit card numbers from 300 of its stores in March.
[Evan] I think Watertown, NY is ~60 miles from Canton, and Massena is ~30 miles away.

It is unknown if there is any similarity between the Hannaford thefts and the WiseBuys thefts.
[Evan] I certainly don't know enough to speculate (but I will later ).

"We have people working on it," said Norman V. Garrelts, chief executive officer of Hacketts, which took over operation of WiseBuys after a November merger.

"We had no inkling it was going on. The police notified us," he said. "How anybody could have hacked into the system, I am not a big enough geek to know. It happened over a day or two."
[Evan] I think there are many organizations that have "no inkling". CEOs like Mr. Garrelts don't need to be "a big enough geek" to know how the companies they run are managing information security. CEOs are the ones that are ultimately responsible. Information security should be governed in such a way that it has visibility with the CEO. Information security is an organizational issue, NOT an IT (or geek) issue.

"We have rechecked all of our safeguards and everything seems to be in order," Mr. Garrelts said. "It should not have been able to happen."
[Evan] This incident is proof of the contrary. I agree that it should not have been able to happen, but it DID happen. The question is what is the "it"?

The Canton store was the only one in the WiseBuys and Hacketts chain that was affected by the number thefts. The stores use the credit card processing system used by nearly every True Value hardware store in the nation, Mr. Garrelts said.

WiseBuys changed its computer system in December and investigators are attempting to determine whether that was when the numbers were stolen

Village police have begun interviewing about 30 WiseBuys employees but so far have not identified any as suspects.

District Attorney Nicole M. Duvé, who learned of the thefts Thursday, said she takes the thefts seriously.

"This is starting to eat up a lot of law enforcement time and a lot of our time. I intend to take a very dim view of anybody caught doing it," she said.
[Evan] I wonder what the ultimate cost of incidents like this really is. Law enforcement time, employee time, bank and credit issuer time, victim time, actual fraud dollar amounts, prosecutorial time, etc. etc. It all ends up, and somebody has to pay for it all, right?

Debit and credit card issuers believed to have been affected by the thefts to date include Community Bank N.A., SeaComm Federal Credit Union, Key Bank, Discover Card, Capital One and NBT Bank, Ms. McDougal said.

"As far as I know, all of the banks have been cooperating with their customers and all have been reimbursed by their banks or credit card companies," she said.

"We have a zero loss policy," said Mr. Wilson, of SeaComm Federal in Massena. Under the policy, the credit union absorbs any losses caused by fraud.

In all, 42 credit union members were among those whose numbers were stolen. All were issued new numbers and cards.

Commentary:
I don't get a good feeling about this one. Too many unanswered questions. Nobody seems to know very much. There has been no official public response by WiseBuys.

NOT FACT, only speculation:
I like to speculate, so what the heck I'll throw something out there. I'm going to say that full magnetic stripe data was captured during data transmission and that this is not an inside job. I am also going to say that this was not related to the Hannaford breach. I didn't exactly go out on a limb with my speculation, but I did speculate nonetheless.

Past Breaches:
Unknown

The Amazing Alpine Golf Club, Bangkok - Thank You Starwood!

Mon, 28 Jan 2008 09:15:08 +0000

Wow! Sometimes we are reminded why they say “Amazing Thailand!”

Today I was a guest of Starwood Hotels and Resorts to play in a special Starwood golf event at the Alpine Golf and Sports Club just outside of Bangkok. Thank you Starwood and the General Manager of the Royal Orchid Sheraton, Mr. Charles Jack, who was very kind to invite me as his guest.

This is one of the finest golf courses in Thailand (and Thailand has many fine golf course!)

The Starwood folks were fantastic! Everyone was amazing. Some holes had professional golfers offering tips to help my game. Other holes had delicious Chinese and Thai food. One hole had supurb freezing cold champagne waiting to refresh us from the hot Thai sun!!

The Alpine Golf Course was really challenging, so the champagne was needed as much as appreciated. There was large water hazards on almost every hole; and some of the holes had so many large bunkers I thought I was on the beach! You could not miss a shot, because it you did, it was either in the water, the sand, on rolling hills covered with green trees - and believe me, that where I played most of the day!!

Everything was great, an amazing experience with a touch of class you can only find in Thailand, plus the added luxury of being the guest of Starwood, which is a also an unbelievable class act as well.

Being a loyal Starwood customer has great privileges, not to mention some of the finest hotel and resort properties in the world, so please, take my advice and become a Starwood member if you are not already.

By the way, I am currently staying at another exceptional Starwood property, the Plaza Athenee Le Meridian. This is a fantastic property. I highly recommend you stay at the Plaza Athenee Le Meridian if you are in Bangkok for business or leisure.

Also, when the current renovation is complete, the Royal Orchid Sheraton, where I often spends weeks at a time, is also highly recommended if you enjoy life on the busy Chao Phraya River.