BreachExchange mailing list archives
Re: Self-storage outfit exposes 13K
From: "DAIL, ANDY" <ADAIL () sunocoinc com>
Date: Thu, 29 Jun 2006 10:19:27 -0400
Notification is a particularly touchy subject, especially with the lawyers who advise the decision makers. This whole arena is new to most corporate attorneys, and corporate attorneys do not like wading in unfamiliar legal waters. By default, when a lawyer is uncomfortable, they usually recommend the most conservative approach that will cover every base possible. Once a recommendation to notify everyone is made by the attorney, very few executives will disregard legal advice they have paid for, and do something else. California wrote the original law on customer notification, and everyone seems to be using their law as the basis for the own set of standards. The confusion, in my personal opinion, originates with the number of jurisdictions that feel empowered to pass laws regarding data security (Westchester County, NY passed their own encryption standards: http://www.msnbc.msn.com/id/12412271/). Until the Feds step in and codify uniform standards, you'll continue to see States, Counties, and even individual cities pass their own regulations, sometimes with differing standards (for instance, Visa requires all be the last 4 numbers of a credit card be masked on a sales ticket, North Carolina has set 5 numbers as a standard, by law). In the example of Sarbanes-Oxley, the cure may well be more expensive than the disease. Additionally, "Data Security" has mostly (functionally at least) been pushed out by the card companies, but as an effort to preempt the Feds from passing aforementioned regulation. Many Class 1 Merchants did not even find out about PCI, for instance, until a month before their original compliance deadline. Even then, the monitoring requirement buck was passed down to the settlement providers, who are passing their own set of standards. For instance, Paymentech has made Visa / MasterCard's PAPB (Payment Application Best Practices) mandatory for any retailer who hooks a payment system to their network. Currently, the whole environment is very reminiscent of the era when each State, and even bank was allowed to print its own money, or perhaps when there were no uniform hardware standards between computer manufacturers. Everyone understands there is a problem and most people want to do the right thing, but not everyone agrees on what the right thing is, or which standards or methodologies should be employed. We're using a dozen different guidelines to secure a single monetary processing system. Andy Dail Sunoco PCI Project Manager (918) 586-6360 -----Original Message----- From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of George Toft Sent: Thursday, June 29, 2006 1:41 AM To: dataloss () attrition org Subject: Re: [Dataloss] Self-storage outfit exposes 13K This is a Windows-based application issue and the owners might not know where the logs are, nor how to read them. Also, the logging might not have audit points like "who logged in" - don't laugh - I've seen exactly this on many applications. George Toft, CISSP, MSIS My IT Department www.myITaz.com 480-544-1067 Confidential data protection experts for the financial industry. Chris Walsh wrote:
[A "devil's advocate" comment: If I owned this company, I would only notify those persons for whom my
web logs showed inquiries having been made. This outfit is ignorant, and is "overcompying". Perhaps the ISP doesn't save web logs reaching
back long enough. ] http://cbs5.com/topstories/local_story_178210503.html (CBS 5) A CBS 5 investigation has confirmed a security breach at a popular self-storage company that may have exposed customers' private information on its website. AAAAA Rent-A-Space has taken its online payment system offline and is notifying thousands of customers to check for identity theft after CBS
5 told the company about a flaw on their website. Howard Fortner describes the security at AAAAA Rent-A-Space in Colma as tighter than Fort Knox. So he was surprised when the cyber gate was
left wide open on the storage facility's website. While trying to make an online payment, Fortner says he accidently typed in someone else's storage unit number along with his password, which is his phone number. Up popped another customer's private information, including a name, address, credit card, and Social Security number. "I thought about mine's as vulnerable as that one," Fortner said. "I tried it with a different number, and several accounts opened up." His password opened at least five other customer profiles. After CBS 5 alerted AAAAA Rent-A-Space to the problem, the company worked with the Arizona software developer who created the site's account-based program called "Web-Expres." By late Tuesday afternoon, they found the glitch and have taken the payment system offline until it is patched. AAAAA Rent-A-Space says its online payment system has been up for a year with no other incidents reported. The company says it plans to mail out 13,000 letters about the discovery to custmers in California and Hawaii, including those who have items stored at the 10 Bay Area facilities.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/ This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments. _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/
Current thread:
- Self-storage outfit exposes 13K Chris Walsh (Jun 28)
- Re: Self-storage outfit exposes 13K George Toft (Jun 29)
- <Possible follow-ups>
- Re: Self-storage outfit exposes 13K DAIL, ANDY (Jun 29)