http://securityratty.com/tag/tucson Wed, 18 Jun 2008 06:43:34 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/ae2a94a41f5bdb5795784e6c6f9639b9 http://securityratty.com/article/ae2a94a41f5bdb5795784e6c6f9639b9 Security Breach

Date Reported:
6/13/08

Organization:
Texas Insurance Claims Services

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
"hundreds of files"

Types of Data:
Insurance claims and policy paperwork including "names, social security numbers and policy numbers"

Breach Description:
Files containing sensitive confidential information were discovered in a dumpster in Richardson, Texas.  The files are believed to have been thrown out by the owner of a company called Texas Insurance Claims Services.

Reference URL:
WFAA Channel 8 News

Report Credit:
Rebecca Lopez, WFAA-TV

Response:
From the online source cited above:

on Friday, hundreds of files with people's names, social security numbers and policy numbers were found in a Richardson dumpster

The files contain a lot of private information.

The people who filled out the forms probably never expected them to end up where anyone could simply walk away with them.
[Evan] There we go with expectations again.  See my comments in the "Tucson area Domino's Pizza customer information exposed" breach.

You expect when you give your private information to an insurance company, it will stay that way.

Mike McCarty was driving by a dumpster near his work in Richardson. He saw a man taking pictures of trash inside, so he stopped.
[Evan] Taking pictures?

"[The man] said he was looking for empty boxes because he was going to move but he found a bunch of these files."
[Evan] But why was the man taking pictures?  The story isn't clear on this point, so I wonder.

There were files with people's names, addresses, social security numbers and even pictures of their homes and cars.

The files were dumped here by a company called Texas Insurance Claims Services which processes people's claims.

We asked the owner why he threw them away. He wouldn't go on camera but said he was only required to keep the files five years and could then toss them.
[Evan] Oh, well then.  Sounds like a good enough explanation to me... NOT!  Where is the corporate and social responsibility?

The company says it sometimes uses commercial shredding services but decided not to do so this time.
[Evan] Let me see if I understand this correctly.  The company obviously knows the importance of shredding confidential papers in general, otherwise they wouldn't "sometimes use commercial shredding services".  What the @#$^ explains why the company chose not to use the shredding services in this instance?

Authorities say it's not unusual for criminals to dumpster dive to look for ways to get personnel information that they can use to illegally run up huge bills.
[Evan] This is very true.  There are even people who organize and belong to dumpster diving clubs, not to imply that THESE people are "criminals", but only to point out that people DO dumpster dive.

The dumpster was full of files. Most of them were taken away by garbage collectors. We are shredding the few we took for our story.
[Evan] The files were taken away by garbage collectors?  I wonder how much confidential information a person could find at the dump (landfill)?

Commentary:
It may just be the context of the owner's remarks, or it may just be me, but the owner seems to be oblivious to the risk of throwing confidential customer information out with the garbage.

Past Breaches:
Unknown

]]> Wed, 18 Jun 2008 08:41:02 +0000 information dumpster sensitive confidential information personnel information confidential customer information dumpster dive files confidential information people Insurance claims and policy information in the dumpster http://securityratty.com/article/8a47859f1eed2fddfeb4d9a0979c73fb http://securityratty.com/article/8a47859f1eed2fddfeb4d9a0979c73fb Security Breach

Date Reported:
6/18/08

Organization:
Domino's Pizza

Contractor/Consultant/Branch:
Unnamed former owner of 24 Tucson area locations    

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Names and credit card numbers

Breach Description:
Hundreds of credit card receipts dating back as many as five years were found "blowing in the wind" after a former owner of 24 Domino's Pizza stores in the Tucson, Arizona area was found to have been discarding boxes of old records near her home.

Reference URL:
KVOA Channel 4 News

Report Credit:
Tom McNamara, KVOA Channel 4 News

Response:
From the online source cited above:

Investigators found credit card numbers blowing in the wind for anyone to see.

These piles and papers strewn across the alley contain hundreds of old receipts from Domino's Pizza stores.

When we got a call about this, we went down to University Avenue and Euclid and saw these receipts were three, four, and even five years old.
[Evan] Is there any business reason to keep credit card receipts for this period of time?  I suppose a case could be made that these should be kept for up to seven years for tax purposes.

We contacted the former owner of 24 Domino's Pizza stores in Tucson.
[Evan] This could have been a very risky breach in terms of overall potential impact considering the number of affected persons.  24 stores, x number of credit card transactions per year, and 5 years could add up to a pretty significant number.

She won't talk with us on-camera, but told us she'd been discarding boxes of old records near her home and somehow all those receipts got loose.
[Evan] Incidents like this tear me up.  I very much doubt that this lady had any malicious intention behind her actions, but nonetheless her actions could have caused considerable inconvenience (and possible loss) to a number of individuals.  I presume that she just didn't know any better.

We found Scott Brumage's name and credit card number on one of those receipts in the alley.

Tom McNamara asks him, "See that? Recognize that name? Recognize the number?" Scotts nods, "Uh huh."

Tom asks, "Well how'd you feel when we called you out of the blue and told you what we'd found? What went through your mind?"

"It was just kind of surreal at first because I like to think I can trust using my card [because of] the convenience and everything of course."

Scott was startled to see his name and card numbers on our screen.

He says he's ordered a lot of pizzas over the years and expects privacy and protection when he pays for his pepperoni pie.
[Evan] Is this an unreasonable expectation?  Maybe it is an unreasonable expectation, given the current environment and considering the bigger picture (merchants, processors, banks, "the system", etc.).  I don't think that it is an unreasonable requirement, but requirements, expectations and practices are not in alignment.

Scotts tells us, "I don't know. [I'm] just dumbfounded, other than they need to figure a better way of disposing."
[Evan] It is dumbfounding, isn't it.  I often wonder what people are thinking when they do some of the things they do.

The Investigators contacted the Federal Trade Commission in Washington and they say thieves could potentially use discarded credit card numbers even if the card has expired. The numbers on the card in many cases are still the same.

They say there could be enough information on the receipt to help a thief reveal more information about you, such as your social security number.

It's small comfort for Scott. He says, "I'm hoping this is a one time only [situation]. They might have just lost a loyal customer."
[Evan] The impact to the victim is usually pretty clear and easy to quantify.  The impact to the business (or organization) is not usually as easy to measure.  In a competitive business like pizza sales, companies need to identify and communicate differentiators like ingredient quality, service, taste, price, location, etc.  Maybe if customers viewed information security practices as an important differentiator, businesses would put more time and effort into securing information.  Pipe dream?

In this case, the Investigators contacted Tucson Police and several officers came to collect the records we found and have them destroyed.

Commentary:
This breach reminds me of a recent discussion I had online with Benjamin Wright in the comments section of the "Cotton Traders confirms that their website was compromised" breach.  He makes a very good argument regarding accountability in credit card breaches.  My responses to him are included.

Past Breaches:
Unknown

]]> Wed, 18 Jun 2008 06:43:34 +0000 credit card transactions credit card credit card receipts credit card breaches card pizza receipts information tucson Tucson area Domino's Pizza customer information exposed