http://securityratty.com/tag/saks Sun, 11 May 2008 17:28:38 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/93d97ba2583b32143ad38008c44b1d57 http://securityratty.com/article/93d97ba2583b32143ad38008c44b1d57 Security Breach

Date Reported:
4/30/08

Organization:
Saks Incorporated

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown*

*According to the New Hampshire State Attorney General breach notification there were 163 persons affected who reside in the state of New Hampshire

Types of Data:
Name, address, Saks Fifth Avenue credit card account number, and/or Saks Fifth Avenue/MasterCard co-branded credit card account number.

Breach Description:
"In mid-April 2008, Saks learned that four company laptops were stolen.  Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

In mid-April 2008, Saks learned that four company laptops were stolen.  Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers.

Based on our investigation, we have confirmed that these files did not include Social Security numbers, the credit cards' expiration dates, pin numbers, codes, or passwords, or any other types of sensitive data.
[Evan] Thank God for that!

Given the very limited type of personal information on these files and that it was stored on password-protected laptops, we believe there is a very low risk of identity theft or credit card fraud as a result of this event.
[Evan] I agree with the limited type of information argument, but could care less about password-protected laptops.  Password-protected laptops are little more than nothing to stop someone for accessing the information.

We have no indication that this personal information has been accessed or misused, or even that the laptops are in the hands of someone seeking to misuse the information.

Nor was this a breach of our network, website, or database (as is typical in many company breaches covered by the news).
[Evan] I think laptop thefts and losses are more typical that network, website or database breaches.

The company has drafted a written notice of the breach that it will be sending to the affected individuals imminently.

Saks takes its customers' privacy very seriously, and we have exercised utmost caution and diligence in our response following the discovery of the theft.

Within hours of learning of the theft, we initiated our own investigation into the incident and notified law enforcement.

Finally, if you have additional questions related to this situation, you can contact us between the hours of 9:00 a.m. ET through 6:00 p.m. ET on Monday though Saturday through our dedicated toll-free information helpline at 1-888-724-2455.

We deeply regret any inconvenience or concern that this matter may cause you.

Commentary:
The letter sent to the affected individuals is signed by Stephen I. Sadove, Chairman and Chief Executive Office of Saks Incorporated.  I respect Mr. Sadove for addressing this situation in person (so to speak).  It demonstrates his understanding that information security is a corporate issue for which he is ultimately responsible.

Past Breaches:
Unknown

]]> Sun, 11 May 2008 17:28:38 +0000 saks laptops information andor saks company laptops personal information breach description breach credit card account Two stolen Saks Incorporated laptops contained sensitive information