Dumpster diving for dollars in North Carolina (unconfirmed and disputed)
UPDATE:
The Breach Blog has received conflicting information regarding this breach. In fairness, we have included the following information received via email:
"Unfortunately in this case the news media did NOT do a good job reporting and ABC Phones got the raw end of the deal. All of the customer information in the box was from ACC Communications, NOT ABC Phones. The man who found the box tried to extort ABC Phones and the police had to get involved to retrieve the box. The man, who claimed to be a good samaritan, most likely got the box from his PARENTS who previously worked at ACC communications.(ACC is out of business) The ONLY documents from ABC Phones, which were located ON TOP of the box, were NOT customer documents, but were non-secure documents such as a company handbook. ONE completed employment application with the ABC Phones logo was in the box, but we speculate that the "good samaritan" added this for show. The applicant involved was not in our database. In addition, PRIOR to this incident ABC Phones had stopped maintaining paper records and had a professional shredding company properely dispose of all paper records at all locations.
The news station involved still denies any wrongdoings because they claim ABC Phones can not prove the documents did not come from ABC Phones, even though the police detective confirmed they were from ACC Communications.
We kindly request that you remove this false information from your website or update it to state clearly that the customer documents were from ACC Communications, NOT ABC Phones. We appreciate your assistance with this matter." - ABC Phones Representative
Original Posting:
Technorati Tag: Security Breach
Date Reported:
10/29/07
Organization:
ABC Phones Inc.
Contractor/Consultant/Branch:
None
Victims:
ABC Phones customers and job applicants*
*"ABC Phones and ACC Communications are listed on the documents"
Number Affected:
Unknown
Types of Data:
Name, home address, work address, birth date, phone number, Social Security number, credit card number, credit card expiration date, and driver's license number
Breach Description:
Two men found sensitive and personal information contained in a box, in a dumpster behind a store that was recently vacated by a cellular phone company. ABC Phones is the suspected company based on the information found.
Reference URL:
News 14 Carolina Story
Report Credit:
Jennifer Moxley, News 14 Carolina
Response:
From the online article cited above:
"Two men found a box in a dumpster full of the ingredients for identity theft. It appeared to be year’s worth of cell phone customers' applications from all over the area."
"The cell phone business recently moved and behind it was a dumpster full of furniture and other things from inside."
“We've got a lady's driver's license number, her Bank of America credit card number and we've got her work address, home address, we've got every bit of information that somebody would use for identity theft,”
[Comfyllama] This does sound like "ingredients for identity theft" and a recipe for disaster had this information fallen into the wrong hands.
"There is so much private financial information on the documents that it was hard finding papers that could be televised."
“It's the application, where they print driver's license, method of payment and the Social Security number,”
"From job applications with addresses, birth dates and Social Security numbers to copies of driver's licenses, Mastercards, and Visas"
[Comfyllama] Think this might be a VISA CISP violation?
“They cleaned out the store and apparently they didn't handle records like they should have. Somebody's going to answer why people's information is out there that anybody can have,”
[Comfyllama] Somebody SHOULD answer why, but will they? There has been no formal acceptance of responsibility on the part of ABC Phones, as far as I can tell.
"ABC Phones and ACC Communications are listed on the documents."
"A representative with ABC phones, based out Greenville, said they just found out about the situation late Monday afternoon. The representative said the company is concerned about this and is taking steps to review what was found. The company representative added that first they had to confirm the documents did indeed belong to its customers."
Commentary:
This is very disappointing, but in all effects reality in retail. Companies with retail stores typically don't train the store employees all that well when it comes to information security. They are trained pretty well with in-store security like spotting someone stealing and how to approach that type of situation, but information is another story. Many times people worry more about online shopping, but it is important to remember that brick and mortar shopping can be just as (if not more) risky.
Retail stores must do a better job of controlling the confidential information that they receive everyday and train their employees better with regards to the INFORMATION security not just physical security.
Thank God that this information was found by two honest citizens that reported it instead of using it.
Interesting quotations from ABC Phones Privacy Policy:
Past Breaches:
Unknown
The Breach Blog has received conflicting information regarding this breach. In fairness, we have included the following information received via email:
"Unfortunately in this case the news media did NOT do a good job reporting and ABC Phones got the raw end of the deal. All of the customer information in the box was from ACC Communications, NOT ABC Phones. The man who found the box tried to extort ABC Phones and the police had to get involved to retrieve the box. The man, who claimed to be a good samaritan, most likely got the box from his PARENTS who previously worked at ACC communications.(ACC is out of business) The ONLY documents from ABC Phones, which were located ON TOP of the box, were NOT customer documents, but were non-secure documents such as a company handbook. ONE completed employment application with the ABC Phones logo was in the box, but we speculate that the "good samaritan" added this for show. The applicant involved was not in our database. In addition, PRIOR to this incident ABC Phones had stopped maintaining paper records and had a professional shredding company properely dispose of all paper records at all locations.
The news station involved still denies any wrongdoings because they claim ABC Phones can not prove the documents did not come from ABC Phones, even though the police detective confirmed they were from ACC Communications.
We kindly request that you remove this false information from your website or update it to state clearly that the customer documents were from ACC Communications, NOT ABC Phones. We appreciate your assistance with this matter." - ABC Phones Representative
Original Posting:
Technorati Tag: Security Breach
Date Reported:
10/29/07
Organization:
ABC Phones Inc.
Contractor/Consultant/Branch:
None
Victims:
ABC Phones customers and job applicants*
*"ABC Phones and ACC Communications are listed on the documents"
Number Affected:
Unknown
Types of Data:
Name, home address, work address, birth date, phone number, Social Security number, credit card number, credit card expiration date, and driver's license number
Breach Description:
Two men found sensitive and personal information contained in a box, in a dumpster behind a store that was recently vacated by a cellular phone company. ABC Phones is the suspected company based on the information found.
Reference URL:
News 14 Carolina Story
Report Credit:
Jennifer Moxley, News 14 Carolina
Response:
From the online article cited above:
"Two men found a box in a dumpster full of the ingredients for identity theft. It appeared to be year’s worth of cell phone customers' applications from all over the area."
"The cell phone business recently moved and behind it was a dumpster full of furniture and other things from inside."
“We've got a lady's driver's license number, her Bank of America credit card number and we've got her work address, home address, we've got every bit of information that somebody would use for identity theft,”
[Comfyllama] This does sound like "ingredients for identity theft" and a recipe for disaster had this information fallen into the wrong hands.
"There is so much private financial information on the documents that it was hard finding papers that could be televised."
“It's the application, where they print driver's license, method of payment and the Social Security number,”
"From job applications with addresses, birth dates and Social Security numbers to copies of driver's licenses, Mastercards, and Visas"
[Comfyllama] Think this might be a VISA CISP violation?
“They cleaned out the store and apparently they didn't handle records like they should have. Somebody's going to answer why people's information is out there that anybody can have,”
[Comfyllama] Somebody SHOULD answer why, but will they? There has been no formal acceptance of responsibility on the part of ABC Phones, as far as I can tell.
"ABC Phones and ACC Communications are listed on the documents."
"A representative with ABC phones, based out Greenville, said they just found out about the situation late Monday afternoon. The representative said the company is concerned about this and is taking steps to review what was found. The company representative added that first they had to confirm the documents did indeed belong to its customers."
Commentary:
This is very disappointing, but in all effects reality in retail. Companies with retail stores typically don't train the store employees all that well when it comes to information security. They are trained pretty well with in-store security like spotting someone stealing and how to approach that type of situation, but information is another story. Many times people worry more about online shopping, but it is important to remember that brick and mortar shopping can be just as (if not more) risky.
Retail stores must do a better job of controlling the confidential information that they receive everyday and train their employees better with regards to the INFORMATION security not just physical security.
Thank God that this information was found by two honest citizens that reported it instead of using it.
Interesting quotations from ABC Phones Privacy Policy:
How secure is my information?
ABC Phones maintains a variety of physical, technical, and procedural safeguards to guard your personal information. We have security measures in place to protect against the loss, misuse, and alteration of information under our control.
We limit access to personal information to those employees, contractors, consultants, and other parties who require such information to assist us with establishing, maintaining, and managing our business relationship with our customers. These parties may provide services to us or on our behalf or they may collaborate with ABC Phones in providing services to our customers.
Will my personal information be disclosed?
ABC Phones does NOT sell personal information and we disclose personal information only in the following way:
We disclose personal information to third parties as necessary to complete transactions or perform services on our behalf. ABC Phones must share some private information with our contractors, consultants, and other parties who require such information to assist us to establish, maintain, and manage our business relationships with customers
ABC Phones maintains a variety of physical, technical, and procedural safeguards to guard your personal information. We have security measures in place to protect against the loss, misuse, and alteration of information under our control.
We limit access to personal information to those employees, contractors, consultants, and other parties who require such information to assist us with establishing, maintaining, and managing our business relationship with our customers. These parties may provide services to us or on our behalf or they may collaborate with ABC Phones in providing services to our customers.
Will my personal information be disclosed?
ABC Phones does NOT sell personal information and we disclose personal information only in the following way:
We disclose personal information to third parties as necessary to complete transactions or perform services on our behalf. ABC Phones must share some private information with our contractors, consultants, and other parties who require such information to assist us to establish, maintain, and manage our business relationships with customers
Past Breaches:
Unknown
Posts Atom 1.0
The customer documents found were NOT from ABC Phones. The documents were from ACC Communications. The "honest citizens" you refer to in your blog attempted to extort ABC Phones prior to allowing us to review the documents. The police had to get involved for 2 days before the documents were finally retrieved from the "honest citizens". Upon retrieval it was verified that the customer documents were from ACC Communications who is out of business. The only documents from ABC Phones were NOT secure documents, but an old employee handbook and such. This appears to have been an extortion scheme from the start. The "good citizens" parents previously worked at ACC Communications. ABC Phones does NOT maintain ANY paper customer records and had instituted this policy months prior to this incident. All ABC Phones paper customer records were properly destroyed by a professional shredding company prior to this incident.
Unfortunately the news reporter did NOT give ABC Phones time to inspect the records prior to the story airing and stands by her story claiming that ABC Phones has not proved that all the records were from ACC even though the police verified that the customer information was from ACC.
ABC Phones is innocent and NONE of ABC Phones customer information was breached.
Reply to this