BreachExchange mailing list archives
Re: Federal loan Web site left unprotected
From: "DAIL, ANDY" <ADAIL () sunocoinc com>
Date: Mon, 18 Sep 2006 12:54:08 -0400
Far too many organizations think it's acceptable to shortcut that requirement by taking information that was "formerly known as production data" and using it for test because it's already in the production format, and, "Well, the data is no longer current enough to be considered 'live' or 'production'." There is a great deal of pressure on IT groups to save time and money.
From a strictly time management and bookkeeping perspective it seems like a logical idea. But, developers don't seem to remember the fact that even though the data is no longer of use to the company, the consumers aren't quite finished using those numbers yet. You know, Social Security Numbers, Drivers License Numbers, dates of birth.

Their managers seem willing to gamble that it won't happen to them, and are willing to take the risk to save the time and cost of developing mock data. The cost of addressing one incident would change their minds if the money to remediate came from their cost centers.

Andy Dail
Sunoco PCI Project Manager

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of blitz
Sent: Sunday, September 17, 2006 7:59 PM
To: Dissent
Cc: dataloss () attrition org
Subject: Re: [Dataloss] Federal loan Web site left unprotected

What part of "DON'T USE PRODUCTION DATA" do they not understand? Sheesh!

At 09:40 9/17/2006, you wrote:

Complications from a computer software upgrade caused a security breach that left loan borrowers' private information, such as their Social Security numbers, unprotected online.

The problem occurred from the evening of Aug. 20 to the morning of Aug. 22 on the Web site of Direct Loans. Direct Loans is part of the William D. Ford Federal Direct Loan Program within the Dept. of Education and Federal Student Aid.

Anyone who used the Web site and performed the same transaction at the same time in the same part of the system as another user could have had his or her data exposed, Bushman said. ...

She estimated that 21,000 accounts of the more than six million on the system could have been affected. All those potentially affected already would have been notified, she said.

[...]

http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060917/NEWS01/609170310/1079/NEWS01

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 349 incidents over 6 years.
Current thread:
- Federal loan Web site left unprotected Dissent (Sep 17)
- Re: Federal loan Web site left unprotected blitz (Sep 17)
- <Possible follow-ups>
- Re: Federal loan Web site left unprotected DAIL, ANDY (Sep 18)
- Re: Federal loan Web site left unprotected Chris Walsh (Sep 18)