BreachExchange mailing list archives

Re: Wis. mailing sent with personal info


From: "Steve Hamburg" <shamburg () eclipsec com>
Date: Fri, 11 Jan 2008 11:41:31 -0600

I think there is another point to consider, which is the security practices of external parties to whom various aspects 
of business operations are outsourced.  What contractual provisions are in place regarding security standards that must 
be addressed when outsourcing services to a firm?  Further, what provisions are in place regarding financial recovery 
of loss should a security breach result from poor security practices of an outsourced firm? Many other questions / 
considerations come to mind. 

Steve.
--
Steve Hamburg, President
Eclipsecurity, LLC
www.eclipsec.com
312.373.9382


-----Original Message-----
From: "James Childers" <james () iqbio net>
To: "Tracy Blackmore" <tblackmore () tslad com>; "Chris Walsh" <chris () cwalsh org>; "Adam Shostack" <adam () homeport org>
Cc: "dataloss () attrition org" <dataloss () attrition org>
Sent: 1/11/2008 11:25 AM
Subject: Re: [Dataloss] Wis. mailing sent with personal info

This is also a PERFECT example of how a monolithic database with vast
amounts of data in the Government arena can and ultimately WILL always
be abused/misused.

My assumption is that some WI State employee was told by their boss to
get the information to EDS so they could mail a letter.  The employee
probably did not care about or even stop to think about the implications
of sending the entire database to the contractor.  Heck, they probably
even sent it by email!

EDS on the other hand probably provides these services for WI after
being awarded a contract for services.  These contracts are "put out for
bid" and ultimately the lowest cost provider won.  Price is usually the
only determining factor in Government Contracting.

We are dealing with the lowest common denominator here... which
ultimately is the component between the chair and the keyboard.

The employee probably said, "I'll just send the entire database to the
contractor" and let them figure it out, instead of spending the money
and taking the time to figure out exactly what data they actually need.

This employee should have asked "Do you want fries with that?" - which
is probably the only training this employee ever had.

You can encrypt the data, attempt to limit access, enact secure
policies, but when one apathetic employee has access to vast amounts of
data with little or no oversight ... ultimately you WILL have a breach.

You GET WHAT YOU PAY FOR.

James (Jim) Childers
President & CEO
Artemis Solutions Group (USA)
BioCert(r) - iQBio(tm) - BioSaf(r)
www.biometricsdirect.com

From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of Tracy Blackmore
Sent: Friday, January 11, 2008 8:34 AM
To: Chris Walsh; Adam Shostack
Cc: dataloss () attrition org
Subject: Re: [Dataloss] Wis. mailing sent with personal info

This is a GREAT example of 'out of sight out of mind'!  Many companies
know that they do not absolve themselves of the risks when they
outsource but since they have outsourced they get busy concentrating on
more local problems.

I hope that someone investigates this and gets to the bottom of the
questions of whether EDS made the decision to add this field into a
mass-mailing or if the State passed a bunch of data and asked EDS to run
it.

Make no mistake though - the State of Wisconsin is ultimately
responsible since they were the 'owners' of the data.

________________________________

From: dataloss-bounces () attrition org on behalf of Chris Walsh
Sent: Thu 1/10/2008 8:43 PM
To: Adam Shostack
Cc: dataloss () attrition org
Subject: Re: [Dataloss] Wis. mailing sent with personal info

EDS is a major provider of outsourced IT.  They may well have a more 
general contract and, in effect, made this decision themselves.  The 
SSNs would have been given as part of the larger scope of work, and 
then improperly used.

<RUMSFELD>
Is this a risk firms take when they outsource?  Heavens to Betsy, yes.
Should Wisconsin have anticipated this?  Great Caesar's ghost they 
should have.
Does Wisconsin not have an information classification policy to which 
3rd parties must adhere?  By jiminy, I would hope so.
</RUMSFELD>

On Jan 10, 2008, at 2:57 PM, Adam Shostack wrote:

Appalled experts elsewhere are asking why Wisconsin gave SSNs to EDS
as part of mailing informational brochures.

You don't have to select * from row.  You could have selected name,
address from row.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor
your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml