Venetian customers and the "now-former" employee upload

Date Reported:
9/14/07

Organization:
Las Vegas Sands Corporation

Contractor/Consultant:
The Venetian Resort Hotel Casino

Victims:
Venetian Resort Hotel patrons from the year 2005

Number Affected:
Unknown

Types of Data:
Name, address, credit card number

Breach Description:
A former employee of The Venetian Resort Hotel Casino uploaded a file containing confidential information to a personal file storage website. The file contained personal information about patrons of the hotel in 2005.

Reference URL:
New Hampshire Attorney General Report

Report Credit:
New Hampshire Attorney General

Response:
From the official New Hampshire disclosure letter and letter sent to victims:

"Venetian recently learned that, while employed by Venetian and working from home, a now-former employee uploaded to a personal file storage website both her own personal files and also some files belonging to Venetian."
[Comfyllama] The key word "now-former" implies that the person involved lost her job over this matter. Key words for employees of every organization dealing with confidential data: "pay attention" to what you are doing!

"The data included the personal information of individuals who had stayed at The Venetian Resort Hotel in 2005"
[Comfyllama] According to the letter, there were 14 residents of New Hampshire involved, so the number worldwide could be significant.

"the former employee's actions violated company policy"

"Venetian has taken all necessary steps to ensure that the information had been permanently removed from the website and deleted from the former employee's computer"
[Comfyllama] The employee's computer?

"One of the files that was uploaded included your name, address and a credit card number that you provided to us in connection with your 2005 stay"
[Comfyllama] The question that immediately comes to mind is: why does The Venetian Resort Hotel keep/store credit card information?

"The name of the file that included your information did not indicate the contents"

"We believe that the files were not intended to be viewed by the general public, but they were not secured when they were found."
[Comfyllama] I am wondering how the confidential file was found and who reported it.

"We deeply regret this incident."

"We can not tell if your information was actually viewed and/or inappropriately used by others"
[Comfyllama] I like this statement much better than the old "we have no evidence to prove …"

The Venetian Resort Hotel Casino is offering a free one-year subscription to Equifax Credit Watch Gold 3-in-1 Monitoring.
[Comfyllama] The credit card information is really the key piece that was compromised. Victims should cancel these cards and get re-issued ones as a precaution.

Commentary:

This reminds me of the knucklehead Wall Street Journal article titled "Ten Things Your IT Department Won't Tell You" written by Vauhini Vara. In this brilliant article, there is a section titled "HOW TO STORE WORK FILES ONLINE" in which Ms. Vara gives users "The Trick". Obviously NOT a good idea without checking with your information security personnel (even if they do giggle). The consequences could be unemployment and me writing about it.

I like Venetian's response to this breach and I like how they appear to be very serious about protecting confidential, personally identifiable information. The one question that still remains is: why do they store credit card information in the first place? After the transaction(s) are complete, there really is no reason to hang on to that data.

Past Breaches:
Unknown




 