GE Money and Iron Mountain unable to locate tape

Date Reported:
12/28/07

*Updated in "J.C. Penney customers affected by lost GE Money backup tape" dated 1/18/08


Organization:
GE Money

Contractor/Consultant/Branch:
Iron Mountain

Victims:
GE Money Bank customers

Number Affected:
Not disclosed*

*"found 1,851 instances where of active account number tied to a New Hampshire resident's name and ~20 cases where a SSN was included"  This is New Hampshire information ONLY as stated in the breach notification.

Types of Data:
Names, addresses, Social Security numbers, and credit card numbers.

Breach Description:
GE Money and its backup storage vendor, Iron Mountain, are unable to locate a backup tape.  The unencrypted tape contained sensitive personal information belonging to GE Money customers and is one out of a set of nine that were sent to Iron Mountain sometime last year.

Reference URL:
State of New Hampshire Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the official New Hampshire breach notification and letter sent to affected persons:

Our storage vendor, Iron Mountain, has been unable to locate a single backup tape from a set of 9 that we delivered to them last year.
[Evan] I am a little surprised.  In my dealings with Iron Mountain they have done an excellent job of inventory control.

This unencrypted tape, which was being retained at a secure, offsite storage facility, included your name, address, and Social Security number, as well as your [CLIENT1] credit card account number.
[Evan] Unencrypted backup tapes containing confidential information are bad karma.  Just ask IBM, Kraft, The Hartford, HMRC, etc.

It was checked into their secure facility and never checked out, and a search of their premises and ours has been unable to locate it.

There is no record of the tape being removed from the facility and we have no indication that your personal information has been or will be used inappropriately.

We have restored the contents of that tape from the next full set and have nearly completed a search for any sensitive consumer information.

Although we believe the chance for misuse is very low, we are notifying individuals via first class mail, and providing a toll-free number for them to contact us with any questions.

We have found 1,851 instances where of active account number tied to a New Hampshire resident's name and ~20 cases where a SSN was included.

GE Money regrets this incident and is committed to protecting its customers and their information.  Prior to learning of this incident we had already instituted additional security measure that will prevent any future occurrences.
[Evan] Let's hope this means that they are now encrypting sensitive data at rest, including that which resides on backup tapes.  If in fact they are now encrypting this information, why not just say so?

We take our responsibility to safeguard your personal information seriously and regret any inconvenience this incident may have caused.  We appreciate your understanding and thank you for being a GE Money Bank customer.  If you have any questions about this situation, please do not hesitate to contact us at 1-, we are available Monday through Friday, 9:00 am to 7:00 pm EST.

Commentary:
GE Money is also offering 12 months of credit monitoring for those persons that had Social Security numbers on the lost tape.  My thoughts on 12 months of credit monitoring are pretty well-known now.  Personally identifiable information is good for a lifetime (and sometimes beyond) so 12 months is very limited, and "credit monitoring" alerts a victim after the fact.

It's hard to blame Iron Mountain too much for this breach, although they did lose the tape.  Iron Mountain must handle millions and millions of tapes; maybe they should be allowed to lose one (or maybe two).  GE Money handles some very sensitive personal information for their customers and encrypting backup tapes is not a new concept.

Past Breaches:
October, 2007 - Iron Mountain driver does not follow company procedures
