BreachExchange mailing list archives
Re: followup: ACS Breach Warning Letter
From: "Bruce.Forestal" <Bruce.Forestal () target com>
Date: Wed, 8 Nov 2006 09:08:41 -0600
Good Day,

The claim of "password protected" is a joke as most all of these laptops are Windows OS with only a logon password which is easily bypassed. This is somehow supposed to make the public have a warm fuzzy feeling that their data is safe. Once in a while we hear that the data is encrypted and password or pass-phrase protected. Someone had commented previously that at least some of the current disclosure laws don't require notification if the data is encrypted. I'm curious as to how many incidents of data loss are occurring but not reported because the data is encrypted?

Speaking of encrypting personal information, has this technology not been taught in college, or banned from use by anyone outside of the DOD? Most all of these incidents of data loss could have been mitigated by just simple encryption. Encryption is both easy and cheap; actually it can be had for free. Laptops are a target for thieves; this is not going to change, although one can surely reduce the chance of theft by teaching employees some user awareness, but it won't be eliminated.

I'm personally a fan of PGP Desk; all of my client data is saved on a PGP encrypted partition and all emails that even hint of sensitive data are encrypted. Most Non Disclosure Agreements require me as a consultant to protect client data; using anything short of a reliable encryption scheme would put my client data at risk and leave my butt hanging in the wind. I would not be happy if my laptop was stolen or lost but at least I could state with confidence that the client data was very secure. Other than the NSA or like entities I don't know of anyone that would even have a chance of breaking the encryption.

It's obvious in many of these data loss incidents that an encryption policy was not in place or not followed. Roughly two-thirds of the states have disclosure laws but that does not mean they are always followed, and then there is the government side. Does anyone know the disclosure laws for government?
Does anyone have an idea of the percentage of data loss that is not disclosed?

Bruce Forestal, CISSP
AmbironTrustwave

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of security curmudgeon
Sent: Wednesday, November 08, 2006 1:24 AM
To: dataloss () attrition org
Subject: Re: [Dataloss] followup: ACS Breach Warning Letter

And now my own comments.

: [Customer Name] [Bar Code]
: [Customer Address] [Number]

The number below the bar code is 8 digits, starting with 0065. Not sure if this is an indication of how many affected, a tracking number, or something else.

: This letter is to inform you of an incident involving the theft of a
: computer that may contain your personal information. A
: password-protected computer was stolen from a secure facility operated
: by ACS State and Local Solutions, Inc. on behalf of the Colorado State
: Directory of New Hires (SDNH). Employers are required by law to report
: information to the SDNH regarding newly hired employees.

First, we know password protected computers mean absolutely nothing. Yanking a drive and mirroring content is trivial for even moderately skilled computer users.

Second, ACS needs to look up the definition of secure.

1. To make safe; to relieve from apprehensions of, or exposure to, danger; to guard; to protect.

So this should be worded "relatively" secure or "formerly" secure.

: ACS takes the protection of your personal information very seriously. We
: have established a toll-free number to assist with any questions. This
: number is 1-800-350-0399. We regret this incident occurred.

So seriously, this line is not answered outside of standard business hours and asks that you call back then.

: Very truly yours,
:
: [scribble]
:
: ACS Representative

The signature doesn't look like 'ACS Representative', so whose name is this and why wasn't it printed? No one stepping up to be accountable for questions?
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 140 million compromised records in 465 incidents over 6 years.
Current thread:
- followup: ACS Breach Warning Letter security curmudgeon (Nov 07)
- Re: followup: ACS Breach Warning Letter security curmudgeon (Nov 07)
- Re: followup: ACS Breach Warning Letter Bruce.Forestal (Nov 08)
- Message not available
- Re: followup: ACS Breach Warning Letter Al Mac (Nov 08)
- Re: followup: ACS Breach Warning Letter Bruce.Forestal (Nov 08)
- Re: followup: ACS Breach Warning Letter George Toft (Nov 08)
- Re: followup: ACS Breach Warning Letter security curmudgeon (Nov 07)