BreachExchange mailing list archives
Re: Wis. mailing sent with personal info
From: "Tracy Blackmore" <tblackmore () tslad com>
Date: Fri, 11 Jan 2008 09:33:55 -0700
This is a GREAT example of 'out of sight out of mind'! Many companies know that they do not absolve themselves of the risks when they outsource but since they have outsourced they get busy concentrating on more local problems. I hope that someone investigates this and gets to the bottom of the questions of whether EDS made the decision to add this field into a mass-mailing or if the State passed a bunch of data and asked EDS to run it. Make no mistake though - the State of Wisconsin is ultimately responsible since they were the 'owners' of the data.

________________________________
From: dataloss-bounces () attrition org on behalf of Chris Walsh
Sent: Thu 1/10/2008 8:43 PM
To: Adam Shostack
Cc: dataloss () attrition org
Subject: Re: [Dataloss] Wis. mailing sent with personal info

EDS is a major provider of outsourced IT. They may well have a more general contract and, in effect, made this decision themselves. The SSNs would have been given as part of the larger scope of work, and then improperly used.

<RUMSFELD>
Is this a risk firms take when they outsource? Heavens to Betsy, yes.
Should Wisconsin have anticipated this? Great Caesar's ghost they should have.
Does Wisconsin not have an information classification policy to which 3rd parties must adhere? By jiminy, I would hope so.
</RUMSFELD>

On Jan 10, 2008, at 2:57 PM, Adam Shostack wrote:
Appalled experts elsewhere are asking why Wisconsin gave SSNs to EDS as part of mailing informational brochures. You don't have to select * from row. You could have selected name, address from row.
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml