BreachExchange mailing list archives

Re: [Dataloss] Best Buy Suffers Second Email Breach


From: "Al" <macwheel99 () wowway com>
Date: Tue, 10 May 2011 12:08:27 -0500


1. security curmudgeon jericho () attrition org wrote:
                > Best Buy had already parted ways with that provider
                > prior to the discovery of the breach, he said, due to a
                > "strategic business decision."
2. Jeffrey Walton noloader () gmail com asked:
                > Again begs the question: why is the unnamed firm retaining
                > the data which belongs to another [who severed the
                > relationship]?
3. Al Mac Wheel speculates:

In my experience working in a firm where relationships get severed, and we
are storing data regarding that relationship, there are several related
issues:

When a relationship is severed, communicating that fact is not something
that companies are good at doing.  Frequently a relationship has been
severed, and one party is oblivious to that fact.

Severed relationships are often rejoined.  Companies perpetually shop around
to get the best combination of price, delivery, quality, and responsiveness,
so some companies change suppliers more often than I change my underwear
(yes, I sometimes wear the same T-shirt until it gets noticeably unclean).
It is not unusual to sever a relationship, then resume it a few months later
(the replacement supplier turned out to be unsatisfactory).

Often two enterprises have a collection of relationships, associated with
different services, where one of the service relationships is severed but
not the others.  It is often entirely unclear which data should be dropped
because of which severing.

Some software systems are really good at supporting the addition of data, but
practically brain dead when it comes to identifying the true owners of the
data and managing the removal of data that is no longer needed.

The auditing profession has yet to be tasked with the duty of inspecting all
the places where a company might deliver sensitive data, and making sure
that places outside of the company's control are in fact following the
relevant rules.

For example, an employer shops around for a health insurance provider, an
HMO for the employees.  To get a quote, the employer needs to send all kinds
of sensitive data on all the employees.  Now a whole bunch of insurance
companies have this info.  One of them gets breached, years after the
request for quote.  It is news to the employees that their info ever went to
that company, because the only thing the employer told them was which HMO
was selected for company health insurance.

Al Macintyre

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list