J.C. Penney customers affected by lost GE Money backup tape
Technorati Tag: Security Breach
Date Reported:
1/18/08*
*Update to " GE Money and Iron Mountain unable to locate tape"
Organization:
J.C. Penney
Contractor/Consultant/Branch:
GE Money
Iron Mountain
Victims:
J.C. Penney customers and the customers of "up to 100 other retailers" which include "many of the large retail organizations"
Number Affected:
650,000
Types of Data:
Names, addresses, account numbers, Social Security numbers, and other information
Breach Description:
GE Money and its backup storage vendor, Iron Mountain, are unable to locate a backup tape. The unencrypted tape contained sensitive personal information belonging to customers of GE Money, J.C. Penney, and up to 100 other retailers. The tape was lost in October, 2007.
Reference URL:
State of New Hampshire Breach notification dated December 28, 2007
Original Breach Blog Report
Report Credit:
The Associated Press
Response:
From the online sources cited above:
Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing.
GE Money, which handles credit card operations for Penney and many other retailers, said Thursday night that the missing information includes Social Security numbers for about 150,000 people.
The information was on a backup computer tape that was discovered missing last October. It was being stored at a warehouse run by Iron Mountain Inc., a data storage company, and was never checked out but can't be found either.
This unencrypted tape, which was being retained at a secure, offsite storage facility, included your name, address, and Social Security number, as well as your [CLIENT1] credit card account number
It was checked into their secure facility and never checked out, and a search of their premises and ours has been unable to locate it.
there was "no indication of theft or anything of that sort," and no evidence of fraudulent activity on the accounts involved
Iron Mountain spokesman Dan O'Neill said it would take specialized skills for someone to glean the personal data from the tape.
[Evan] It also takes specialized skills to walk upright on two feet. If the information on the tape is not encrypted, accessing it is a trivial task: anyone with a compatible tape drive and the backup software's restore utility, or simply a raw read of the tape and a pattern search for nine-digit numbers, can pull the records off it.
the company regretted losing the tape, "but because of the volume of information we handle and the fact people are involved, we have occasionally made mistakes."
[Evan] Mr. O'Neill makes a valid point. Iron Mountain handles millions of tapes. According to their web site, they handle data storage (and protection) for over 90,000 organizations in 26 countries. Eventually a tape will go missing. I don't place as much blame on Iron Mountain as I do on GE Money.
declined to identify the other retailers whose customers' information is missing but said "it includes many of the large retail organizations."
It took GE Money two months to reconstruct the missing tape and identify the people whose information was lost.
[Evan] Two months is a long time, but I suppose you want to be sure you get it right.
Since December, the company has been notifying consumers in batches of several thousand and telling them to phone a call center set up to deal with the breach. The notification is expected to be completed next week.
Penney's card holder Elizabeth Rich of Everett, Wash., got one of the GE Money letters saying her name, address and account number may have been compromised. She was told her Social Security number was not on the tape.
The letter, signed by GE Money President Brent P. Wallace, read in part, "We have no reason to believe that anyone has accessed or misused your information. The pieces of information on the tape would not be enough to open new accounts in your name, and we have implemented internal monitoring to protect your account number from misuse due to this incident."
[Evan] The "would not be enough to open new accounts in your name" part is because Elizabeth Rich was one of the fortunate persons that did not have her Social Security number on the tape.
Wallace said in the letter that Penney "was in no way responsible for this incident."
[Evan] I respectfully disagree with this statement. J.C. Penney collected the information from its owner, the customer. This puts J.C. Penney into a "data custodian" role. As a data custodian, they have the duty to ensure that the data is protected throughout its lifecycle. J.C. Penney needs to ensure that their partners and vendors adequately secure information.
The Penney name didn't appear on the envelope Rich received, and she thought it was a credit solicitation when she saw the GE Money return address.
"I think the average consumer has thrown away that GE Money letter because they don't know it's about J.C. Penney," Rich said. "Not everybody opens junk mail."
[Evan] Do you suppose this was on purpose? Who knows.
Rich said she canceled her Penney card immediately.
[Evan] This is an EXCELLENT suggestion for all affected customers. Cancelling your card does three things (at least): it protects against credit card fraud (on this card, anyway), it sends a message to J.C. Penney that they should do more to monitor partners' and vendors' business and security practices, and it sends a message to GE Money that they must encrypt confidential data at rest (potentially among other things).
Commentary:
We originally reported this breach on the Breach Blog a few weeks ago based on information we gleaned from the New Hampshire State Attorney General. This new information helps to clarify some of the missing information. I am sure there will be more to come.
As I stated earlier in my comments, I don't fault Iron Mountain much for their role in this breach, even though they lost the tape. I would expect a certain amount of loss given the nature of their business, the number of tapes they handle, and the fact that people make mistakes. I don't know what kind of excuse GE Money has for not encrypting confidential data at rest. This is a well-known best practice that is preached by most good information security personnel. The fact that the breach notifications sent to customers are not clearly marked as such (according to Elizabeth Rich) only adds insult to injury.
Contrary to what J.C. Penney may think and what GE Money has stated, J.C. Penney does have responsibility in this breach. To state that J.C. Penney "was in no way responsible for this incident" is false. They have the responsibility to ensure that the information given to them from the owner is handled appropriately. Do they audit their partners' information security practices? Did they know or care that sensitive information belonging to their customers on backup tapes was not encrypted?
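To make the "trivial task" point above concrete, here is an added example (not code from GE Money, Iron Mountain, or the original post) that builds a small backup image from constructed, made-up customer records, shows that a plain pattern search over the raw bytes recovers the Social Security numbers, and then shows that the same image sealed with AES-256-GCM yields nothing to that search and cannot be opened with the wrong key. The tar layout, the record format, and the in-memory key are assumptions for the demo; a real tape-backup system would hold the key in a KMS or HSM, not alongside the tape.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// Constructed sample data: a fake customer export of the kind a card issuer
// might write to a backup tape. Every name, SSN and account number is invented.
const customerExport = `name,address,ssn,account
Jane Doe,1 Main St Everett WA,123-45-6789,4111111111111111
John Roe,2 Elm St Dallas TX,987-65-4321,4222222222222222
`

// buildTape packs the export into a tar stream, standing in for the backup
// image that would be written to a physical tape.
func buildTape() ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: "customers.csv", Typeflag: tar.TypeReg, Mode: 0600, Size: int64(len(customerExport))}
	if err := tw.WriteHeader(hdr); err != nil {
		return nil, err
	}
	if _, err := io.WriteString(tw, customerExport); err != nil {
		return nil, err
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

var ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// scanForSSNs is all the "specialized skill" a finder of a lost tape needs:
// a pattern match over the raw bytes, no restore software required.
func scanForSSNs(image []byte) []string {
	return ssnRe.FindAllString(string(image), -1)
}

// newTapeKey generates a random 256-bit key. In production this key lives in
// a KMS/HSM and is never stored with the tape (assumption for the demo).
func newTapeKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encryptTape seals the image with AES-256-GCM; output is nonce || ciphertext || tag,
// so a restore can also detect a tampered image.
func encryptTape(key, image []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, image, nil), nil
}

// decryptTape opens a sealed image; a wrong key or any modification fails.
func decryptTape(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed image too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	image, err := buildTape()
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext tape, SSNs found:", scanForSSNs(image))
	key, err := newTapeKey()
	if err != nil {
		panic(err)
	}
	sealed, err := encryptTape(key, image)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted tape, SSNs found:", scanForSSNs(sealed))
	if _, err := decryptTape(key, sealed); err == nil {
		fmt.Println("restore with the right key succeeds")
	}
}
```

The scan over the plaintext image returns both SSNs; the same scan over the sealed image returns none, and opening it with any other key fails the GCM authentication check. The point for a custodian like J.C. Penney is that the question to ask a vendor is not "is the facility secure" but "what does a finder of one tape get without the key".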
Past Breaches:
October, 2007 - Iron Mountain driver does not follow company procedures

It is often irrational to treat the mere loss of a tape as a legal security breach. --Ben
I have received a request from GE MONEY to send them certain specific financial information from my past credit account with JC Penney, but they did not provide a statement of their reason for requesting it or what they intended to do with it once I gave it to them. I may be one of the former JC Penney customers who has been compromised. A word to the wise, never respond to any request for personal financial information until you positively identify who is requesting it, and what legal authority they have to do so. I will not be duped into disclosing information like that. They get nothing from me until I am able to make contact with a real GE Money representative that I initiate a call to. Their company contact info is available on the web and through the phone company. Good luck to any others out there getting similar letters.