BreachExchange mailing list archives

Re: Federal loan Web site left unprotected


From: "DAIL, ANDY" <ADAIL () sunocoinc com>
Date: Mon, 18 Sep 2006 12:54:08 -0400


Far too many organizations think it's acceptable to shortcut that
requirement by taking information that was "formerly known as production
data" and using it for test because it's already in the production
format, and, "Well, the data is no longer current enough to be
considered 'live' or 'production'."

There is a great deal of pressure on IT groups to save time and money.
From a strictly time management and bookkeeping perspective it seems
like a logical idea. But, developers don't seem to remember the fact
that even though the data is no longer of use to the company, the
consumers aren't quite finished using those numbers yet.  You know,
Social Security Numbers, Driver's License Numbers, dates of birth.

Their managers seem willing to gamble that it won't happen to them, and
are willing to take the risk to save the time and cost of developing
mock data.  The cost of addressing one incident would change their minds
if the money to remediate came from their cost centers.



Andy Dail
Sunoco PCI Project Manager


        -----Original Message-----
        From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of blitz
        Sent: Sunday, September 17, 2006 7:59 PM
        To: Dissent
        Cc: dataloss () attrition org
        Subject: Re: [Dataloss] Federal loan Web site left unprotected


        What part of "DON'T USE PRODUCTION DATA" do they not understand? Sheesh!

        At 09:40 9/17/2006, you wrote:

                Complications from a computer software upgrade caused a security
                breach that left loan borrowers' private information, such as their
                Social Security numbers, unprotected online.

                The problem occurred from the evening of Aug. 20 to the morning of
                Aug. 22 on the Web site of Direct Loans. Direct Loans is part of the
                William D. Ford Federal Direct Loan Program within the Dept. of
                Education and Federal Student Aid.

                Anyone who used the Web site and performed the same transaction at
                the same time in the same part of the system as another user could
                have had his or her data exposed, Bushman said.

                ...  She estimated that 21,000 accounts of the more than six million
                on the system could have been affected. All those potentially
                affected already would have been notified, she said.

                [...]

                http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060917/NEWS01/609170310/1079/NEWS01
        
        
        
        
                _______________________________________________
                Dataloss Mailing List (dataloss () attrition org)
                http://attrition.org/dataloss
                Tracking more than 146 million compromised records in
349 incidents over 6 years.





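The alternative to reusing "formerly production" data that the message above argues for is a test data set that keeps the production record shape but contains no real identifiers, plus a check that proves it. The following is an added example, not code from the thread or from any organization named in it. The record layout, the one-letter-plus-eight-digit driver's-license format and the sample "production" rows are constructed assumptions; the only fact relied on is that SSN area numbers 900-999 have never been issued.

```python
"""Build a production-format test data set that contains no real identifiers.

Added example, not code from the thread. The record layout, the
driver's-license format and the sample "production" rows are assumptions.
"""
import random
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Sequence

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
DL_RE = re.compile(r"^[A-Z]\d{8}$")  # assumed state format: one letter, eight digits


@dataclass(frozen=True)
class Borrower:
    account_id: str
    ssn: str
    drivers_license: str
    dob: str             # ISO 8601 date
    balance_cents: int   # business value, not an identifier: kept as-is


def fake_ssn(rng: random.Random) -> str:
    """Well-formed SSN that SSA has never issued.

    Area numbers 900-999 are outside the issued range, so the value can never
    belong to a real borrower, yet it passes a ddd-dd-dddd shape check. Group
    and serial are kept non-zero, as in a real number.
    """
    return f"{rng.randint(900, 999):03d}-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}"


def fake_dl(rng: random.Random) -> str:
    return rng.choice("ABCDEFGHJKLMNPRSTUVWXYZ") + f"{rng.randrange(10 ** 8):08d}"


def fake_dob(rng: random.Random) -> str:
    """Adult date of birth, 18 to 80 years before a fixed reference date."""
    reference = date(2006, 9, 18)
    return (reference - timedelta(days=rng.randint(18 * 365, 80 * 365))).isoformat()


def synthesize(real: Borrower, index: int, rng: random.Random) -> Borrower:
    """Replace every identifier; keep only the non-identifying business fields."""
    return Borrower(
        account_id=f"T{index:09d}",   # test accounts are visibly test accounts
        ssn=fake_ssn(rng),
        drivers_license=fake_dl(rng),
        dob=fake_dob(rng),
        balance_cents=real.balance_cents,
    )


def well_formed(b: Borrower) -> bool:
    """The shape check the application itself would apply to a record."""
    try:
        date.fromisoformat(b.dob)
    except ValueError:
        return False
    return bool(SSN_RE.match(b.ssn) and DL_RE.match(b.drivers_license))


def leaked_identifiers(test_set: Sequence[Borrower], production: Sequence[Borrower]) -> List[str]:
    """Real unique identifiers that survived into the test set; must be empty.

    DOB is regenerated too, but a date alone is not unique to a person, so it
    is not part of this collision check.
    """
    real = {v for r in production for v in (r.account_id, r.ssn, r.drivers_license)}
    return [v for t in test_set for v in (t.account_id, t.ssn, t.drivers_license) if v in real]


def build_test_set(production: Sequence[Borrower], seed: int) -> List[Borrower]:
    """Seeded, so a test failure on the generated data can be reproduced."""
    rng = random.Random(seed)
    test_set = [synthesize(r, i, rng) for i, r in enumerate(production, start=1)]
    leaks = leaked_identifiers(test_set, production)
    if leaks:
        raise ValueError(f"real identifiers leaked into test data: {leaks}")
    return test_set


# Constructed stand-in for an export of "formerly production" data. The SSNs
# are well-known placeholder values, not real numbers.
SAMPLE_PRODUCTION = [
    Borrower("000123456", "123-45-6789", "D12345678", "1980-04-02", 1_250_000),
    Borrower("000123457", "219-09-9999", "K87654321", "1975-11-30", 389_950),
]

if __name__ == "__main__":
    for row in build_test_set(SAMPLE_PRODUCTION, seed=2006):
        print(row)
```

Two caveats. A validator that implements SSA issuance rules will reject the 900-series numbers; if the application under test does, the generator has to draw from the issued range and the leak check becomes the only guarantee, so it must then run against the full set of real identifiers, not a sample. And the check only covers the fields it is told about: free-text columns (notes, addresses, file names) carry identifiers just as well and need the same treatment.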


