Democratic donor data temporarily exposed
Technorati Tag: Security Breach
Date Reported:
11/05/07
Organization:
Nevada State Democratic Party
Contractor/Consultant/Branch:
Geary Internet Strategies
Victims:
Certain online donors from the year 2004
Number Affected:
~200 transactions, a "handful" of victims
Types of Data:
Names, addresses and credit card numbers
Breach Description:
A database containing details pertaining to roughly 200 transactions from donors to the Nevada State Democratic Party was temporarily backed up to an insecure file during a server upgrade.
Reference URL:
News Story at the Nevada Appeal
Inside Nevada Politics at RGJ.com
Report Credit:
Anjeanette Damon, Inside Nevada Politics
and brought to the attention of The Breach Blog by an informed reader
Response:
From the online articles cited above:
"The Nevada Democratic Party reported a security protocol breach by its Web vendor Geary Internet Strategies that left the personal information of some of its donors temporarily vulnerable."
"A database of about 200 transactions was backed up to a non-secure file during a system upgrade, according to Dan Geary."
"The vulnerable information for "a handful" of 2004 online donors to the state party included names, addresses and credit card numbers."
[Comfyllama] Why is it necessary to store credit card numbers in the first place? Once the transaction has been processed, the information should be discarded securely. If credit card numbers (or other sensitive information) MUST be stored, then they MUST be stored encrypted.
"There is no evidence the information was actually obtained by anyone and it no longer exists, Geary said."
"There have been no reports to indicate the information has been compromised and the file no longer exists"
[Comfyllama] If information confidentiality, integrity AND/OR availability cannot be assured, then it has been "compromised".
"Although the database contained 200 transactions, many of them were incomplete or represented tests by the party or his staff. He did not know the exact number of actual donors whose information was vulnerable, characterizing it as "a handful.""
[Comfyllama] Running tests on production systems is never, ever a good thing.
"All affected parties have been notified. Geary Internet Strategies, at the direction of the Nevada State Democratic Party, sent e-mails to all affected donors and is now following up with phone calls to each person."
"The company is also offering free credit monitoring for the group of online donors and is also providing each with information on the steps they should take to prevent identity theft."
If you made an online donation to the Nevada Democratic Party in 2004 and are worried about it, you can call Geary Internet Strategies: .
Commentary:
People make mistakes and this was a mistake on the part of Geary Internet Strategies. There are a few things that come to mind about this story though.
- Are we to believe that the test and production donor databases are one and the same? This is a pretty big "no-no" and Geary should know better.
- Maybe proper change/add/move procedures and planning would help prevent a similar breach in the future.
- Why must Geary and/or the Nevada State Democratic Party store credit card data beyond the time it takes to process a transaction? If they must then why do they not properly encrypt it?
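The "discard it after processing, and encrypt it if you really must keep it" point from the bullets above, as an added example that is not part of this post and not code from Geary's systems. It assumes a 32-byte key held outside the database (a KMS or HSM, never the same disk a backup lands on), digit-only card numbers, and Go's standard-library AES-GCM; the names ProcessDonation, SealPAN and OpenPAN are the example's own.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds AES-256-GCM from a 32-byte key held outside the database (a
// KMS or HSM in practice), so a backup of the database holds only ciphertext.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPAN encrypts a full card number; the random nonce is prepended to the blob.
func SealPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// OpenPAN reverses SealPAN; it fails on a wrong key or a tampered blob.
func OpenPAN(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return "", errors.New("cannot open sealed PAN")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	return string(pt), err
}

// ProcessDonation runs after the processor authorizes the charge (pan holds
// digits only). It returns the only things the donor database may store: the
// last four digits always, the sealed number only when retention is required.
func ProcessDonation(key []byte, pan string, retain bool) (last4 string, sealed []byte, err error) {
	last4 = pan[len(pan)-4:]
	if retain {
		sealed, err = SealPAN(key, pan) // plaintext PAN is never returned or stored
	}
	return last4, sealed, err
}
```

A backup copied to an unprotected location then exposes names and addresses at most, not usable card numbers, and the key rotation or destruction that followed an incident like this one would render the old copies unreadable.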
For a list of Visa U.S.A. Cardholder Information Security Program (CISP) compliant service providers, visit here.
Visa's "Steps for compromised entities" gives pretty good guidance for times when bad things happen too.
Past Breaches:
Unknown