BreachExchange mailing list archives
Re: Wis. mailing sent with personal info
From: "Steve Hamburg" <shamburg () eclipsec com>
Date: Fri, 11 Jan 2008 11:41:31 -0600
I think there is another point to consider, which is the security practices of external parties to whom various aspects of business operations are outsourced. What contractual provisions are in place regarding security standards that must be addressed when outsourcing services to a firm? Further, what provisions are in place regarding financial recovery of loss should a security breach result from poor security practices of an outsourced firm? Many other questions / considerations come to mind.

Steve.

--
Steve Hamburg, President
Eclipsecurity, LLC
www.eclipsec.com
312.373.9382

-----Original Message-----
From: "James Childers" <james () iqbio net>
To: "Tracy Blackmore" <tblackmore () tslad com>; "Chris Walsh" <chris () cwalsh org>; "Adam Shostack" <adam () homeport org>
Cc: "dataloss () attrition org" <dataloss () attrition org>
Sent: 1/11/2008 11:25 AM
Subject: Re: [Dataloss] Wis. mailing sent with personal info

This is also a PERFECT example of how a monolithic database with vast amounts of data in the Government arena can and ultimately WILL always be abused/misused. My assumption is that some WI State employee was told by their boss to get the information to EDS so they could mail a letter. The employee probably did not care about or even stop to think about the implications of sending the entire database to the contractor. Heck, they probably even sent it by email! EDS on the other hand probably provides these services for WI after being awarded a contract for services. These contracts are "put out for bid" and ultimately the lowest cost provider won. Price is usually the only determining factor in Government Contracting. We are dealing with the lowest common denominator here... which ultimately is the component between the chair and the keyboard. The employee probably said, "I'll just send the entire database to the contractor" and let them figure it out, instead of spending the money and taking the time to figure out exactly what data they actually need.

This employee should have asked "Do you want fries with that?" - which is probably the only training this employee ever had. You can encrypt the data, attempt to limit access, enact secure policies, but when one apathetic employee has access to vast amounts of data with little or no oversight ... ultimately you WILL have a breach. You GET WHAT YOU PAY FOR.

James (Jim) Childers
President & CEO
Artemis Solutions Group (USA)
BioCert(r) - iQBio(tm) - BioSaf(r)
www.biometricsdirect.com

From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Tracy Blackmore
Sent: Friday, January 11, 2008 8:34 AM
To: Chris Walsh; Adam Shostack
Cc: dataloss () attrition org
Subject: Re: [Dataloss] Wis. mailing sent with personal info

This is a GREAT example of 'out of sight out of mind'! Many companies know that they do not absolve themselves of the risks when they outsource but since they have outsourced they get busy concentrating on more local problems. I hope that someone investigates this and gets to the bottom of the questions of whether EDS made the decision to add this field into a mass-mailing or if the State passed a bunch of data and asked EDS to run it. Make no mistake though - the State of Wisconsin is ultimately responsible since they were the 'owners' of the data.

________________________________
From: dataloss-bounces () attrition org on behalf of Chris Walsh
Sent: Thu 1/10/2008 8:43 PM
To: Adam Shostack
Cc: dataloss () attrition org
Subject: Re: [Dataloss] Wis. mailing sent with personal info

EDS is a major provider of outsourced IT. They may well have a more general contract and, in effect, made this decision themselves. The SSNs would have been given as part of the larger scope of work, and then improperly used.

<RUMSFELD>
Is this a risk firms take when they outsource? Heavens to Betsy, yes.
Should Wisconsin have anticipated this? Great Caesar's ghost they should have.
Does Wisconsin not have an information classification policy to which 3rd parties must adhere? By jiminy, I would hope so.
</RUMSFELD>

On Jan 10, 2008, at 2:57 PM, Adam Shostack wrote:

Appalled experts elsewhere are asking why Wisconsin gave SSNs to EDS as part of mailing informational brochures. You don't have to select * from row. You could have selected name, address from row.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
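Adam's point about handing a mailing house only the columns it needs, worked as an added SQL example that is not part of the thread; the table, column and role names are constructed assumptions, and the syntax is PostgreSQL:

```sql
-- Constructed example: a resident table that holds far more than a
-- mailing needs. Names are assumptions, not the State of Wisconsin's.
CREATE TABLE resident (
    resident_id   integer PRIMARY KEY,
    full_name     text    NOT NULL,
    street        text    NOT NULL,
    city          text    NOT NULL,
    state         char(2) NOT NULL,
    postal_code   text    NOT NULL,
    ssn           char(11),        -- sensitive; irrelevant to a mailing
    date_of_birth date             -- sensitive; irrelevant to a mailing
);

-- The over-broad extract the thread describes: every column, SSN
-- included, leaves with the file.
-- SELECT * FROM resident;

-- Least-privilege extract: a view that exposes only the mailing fields.
-- The view runs with its owner's privileges, so the contractor role
-- needs no access to the base table at all.
CREATE VIEW mailing_extract AS
SELECT full_name, street, city, state, postal_code
FROM resident;

-- A dedicated role for the mailing contractor's export job: it can
-- read the view and nothing else.
CREATE ROLE mailing_contractor NOLOGIN;
REVOKE ALL ON resident FROM mailing_contractor;
GRANT SELECT ON mailing_extract TO mailing_contractor;

-- Pre-handover check an operator can run: list any sensitive column
-- that is visible through the extract. Any row returned means the
-- extract is over-broad and must not be sent.
SELECT column_name
FROM information_schema.columns
WHERE table_name = 'mailing_extract'
  AND column_name IN ('ssn', 'date_of_birth');
```

The same column check can be run against whatever file or view is actually exported, which turns "only send what is needed" from a policy statement into something the export pipeline can enforce.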
Current thread:
- Wis. mailing sent with personal info lyger (Jan 08)
- Re: Wis. mailing sent with personal info Henry Brown (Jan 10)
- Re: Wis. mailing sent with personal info Adam Shostack (Jan 10)
- Re: Wis. mailing sent with personal info Chris Walsh (Jan 10)
- Re: Wis. mailing sent with personal info Tracy Blackmore (Jan 11)
- Re: Wis. mailing sent with personal info James Childers (Jan 11)
- Re: Wis. mailing sent with personal info Adam Shostack (Jan 10)
- Re: Wis. mailing sent with personal info Henry Brown (Jan 10)
- <Possible follow-ups>
- Re: Wis. mailing sent with personal info Steve Hamburg (Jan 11)