BreachExchange mailing list archives
Re: Self-storage outfit exposes 13K
From: George Toft <george () myitaz com>
Date: Wed, 28 Jun 2006 23:40:57 -0700
This is a Windows-based application issue and the owners might not know where the logs are, nor how to read them. Also, the logging might not have audit points like "who logged in" - don't laugh - I've seen exactly this on many applications.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067
Confidential data protection experts for the financial industry.

Chris Walsh wrote:
[A "devil's advocate" comment: If I owned this company, I would only notify those persons for whom my web logs showed inquiries having been made. This outfit is ignorant, and is "overcomplying". Perhaps the ISP doesn't save web logs reaching back long enough.]

http://cbs5.com/topstories/local_story_178210503.html

(CBS 5) A CBS 5 investigation has confirmed a security breach at a popular self-storage company that may have exposed customers' private information on its website.

AAAAA Rent-A-Space has taken its online payment system offline and is notifying thousands of customers to check for identity theft after CBS 5 told the company about a flaw on their website.

Howard Fortner describes the security at AAAAA Rent-A-Space in Colma as tighter than Fort Knox. So he was surprised when the cyber gate was left wide open on the storage facility's website.

While trying to make an online payment, Fortner says he accidentally typed in someone else's storage unit number along with his password, which is his phone number.

Up popped another customer's private information, including a name, address, credit card, and Social Security number.

"I thought about mine's as vulnerable as that one," Fortner said. "I tried it with a different number, and several accounts opened up."

His password opened at least five other customer profiles.

After CBS 5 alerted AAAAA Rent-A-Space to the problem, the company worked with the Arizona software developer who created the site's account-based program called "Web-Expres."

By late Tuesday afternoon, they found the glitch and have taken the payment system offline until it is patched.

AAAAA Rent-A-Space says its online payment system has been up for a year with no other incidents reported.

The company says it plans to mail out 13,000 letters about the discovery to customers in California and Hawaii, including those who have items stored at the 10 Bay Area facilities.
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/
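The two points in this thread, a password check that is not bound to the account it unlocks and an application whose logs lack a "who looked at what" audit point, can be shown side by side in a small model. The following is an added example written for this archive page; it is not code from the thread, from AAAAA Rent-A-Space or from the "Web-Expres" product, whose actual defect was never published. The shape of the flaw in `lookup_vulnerable` (password validated against the whole customer table, unit number then trusted) is an assumption consistent with the article, and all customers, unit numbers and phone numbers are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set
import hmac


@dataclass
class Account:
    unit: str    # storage unit number, used by the site as the account identifier
    phone: str   # the site used the customer's phone number as the password
    name: str


# Constructed sample customers (not real data).
ACCOUNTS: Dict[str, Account] = {
    "1001": Account("1001", "4805551234", "Customer A"),
    "1002": Account("1002", "4805559876", "Customer B"),
    "1003": Account("1003", "8085550001", "Customer C"),
}


@dataclass
class AuditLog:
    """The audit point George says is often missing: which session asked
    for which unit, and whether the record was released."""
    entries: List[dict] = field(default_factory=list)

    def record(self, session: str, unit: str, released: bool) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "session": session,
            "unit": unit,
            "released": released,
        })

    def units_released(self) -> Set[str]:
        """Accounts actually disclosed: the population a notification must
        cover if the log is complete (Chris Walsh's scoping point)."""
        return {e["unit"] for e in self.entries if e["released"]}

    def multi_unit_sessions(self) -> Dict[str, Set[str]]:
        """Sessions that opened more than one unit: the pattern in the
        article, and a detection rule worth alerting on."""
        seen: Dict[str, Set[str]] = {}
        for e in self.entries:
            if e["released"]:
                seen.setdefault(e["session"], set()).add(e["unit"])
        return {s: u for s, u in seen.items() if len(u) > 1}


def lookup_vulnerable(unit: str, password: str, audit: AuditLog, session: str) -> Optional[Account]:
    """Assumed shape of the flaw: the password is validated against the
    customer table as a whole, and the requested unit is then trusted, so
    a mistyped unit number returns someone else's record."""
    password_is_known = any(
        hmac.compare_digest(a.phone.encode(), password.encode()) for a in ACCOUNTS.values()
    )
    acct = ACCOUNTS.get(unit) if password_is_known else None
    audit.record(session, unit, acct is not None)
    return acct


def lookup_fixed(unit: str, password: str, audit: AuditLog, session: str) -> Optional[Account]:
    """Hardened form: the password is checked only against the account
    named by the unit, so one credential opens exactly one record."""
    acct = ACCOUNTS.get(unit)
    ok = acct is not None and hmac.compare_digest(acct.phone.encode(), password.encode())
    audit.record(session, unit, ok)
    return acct if ok else None


def demo() -> dict:
    """Constructed scenario: Customer A knows only their own phone number
    and mistypes the unit number twice, as in the article."""
    requests = [("1001", "4805551234"), ("1002", "4805551234"), ("1003", "4805551234")]

    before = AuditLog()
    opened_before = [lookup_vulnerable(u, p, before, "sess-A") for u, p in requests]

    after = AuditLog()
    opened_after = [lookup_fixed(u, p, after, "sess-A") for u, p in requests]

    return {
        "vulnerable_opened": [a.unit for a in opened_before if a],
        "vulnerable_exposed": before.units_released(),
        "vulnerable_alerts": before.multi_unit_sessions(),
        "fixed_opened": [a.unit for a in opened_after if a],
        "fixed_exposed": after.units_released(),
        "fixed_alerts": after.multi_unit_sessions(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run stand-alone, `demo()` shows the vulnerable lookup releasing all three units to one session while the fixed lookup releases only unit 1001. The same `AuditLog` instrumenting both versions is what makes the difference visible after the fact: with a per-request record of session, unit and outcome, `units_released()` gives the set of customers who actually need a letter, and `multi_unit_sessions()` flags the access pattern while it is happening rather than a year later.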
Current thread:
- Self-storage outfit exposes 13K Chris Walsh (Jun 28)
- Re: Self-storage outfit exposes 13K George Toft (Jun 29)
- <Possible follow-ups>
- Re: Self-storage outfit exposes 13K DAIL, ANDY (Jun 29)