Re: Blood bank fears laptop heist ID theft

[InfoSec News <isn () c4i org>]

Forwarded from: Eric Hacker <myself () erichacker com>

One has to wonder how much more valuable that laptop is on the black
market now that it is known to contain names and SSNs. We have ID
counts and valuable configuration information being distributed in the
news. Even is this was stolen by an addict, his fence probably keeps
up with the news.

On Wed, 22 Dec 2004 01:35:08 -0600 (CST), InfoSec News wrote:
> http://news.com.com/Blood+bank+fears+laptop+heist+ID+theft/2100-1029_3-5500114.html

[...]

> Delta's director of human resources, John O'Neill, said two layers
> of security could still protect the personal information despite the
> computer's theft. The first is Microsoft's standard Windows password
> required to launch the operating system, and the second is the
> series of steps required to launch what O'Neill described as an
> "esoteric, unique" database, created by a software provider he
> declined to name.

Now this spells out exactly what one needs to know in order to extract
the information. Certainly makes putting a value on the laptop that
much easier for someone who thinks they can get at the information
inside.

Now, I am not saying that this is a bad law. I think it has a lot of
benefits for the consumer. What I am saying is that there are
consequences to this law, especially the disclosure of details to the
press by stressed out executives, that do not help protect the
confidentiality of the stolen information.

Obviously, one needs to have a personal information disclosure
incident response plan in place before a disclosure occurs to prevent
this issue. Obviously, an organization that well organized would
probably be doing a better job of protecting the data in the first
place....

Peace,
Eric Hacker




_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/