Visa Services Northwest caught throwing info in dumpster
Date Reported:
1/25/08
Organization:
International Market Place
Contractor/Consultant/Branch:
Visa Services Northwest
Victims:
Visa Services Northwest customers
Number Affected:
Unknown
Types of Data:
Name, Social Security number, credit card information, and other personal details
Breach Description:
Sensitive personal information belonging to Visa Services Northwest customers was found on documents discarded in a dumpster located in a downtown Seattle alley. It is reported that the company has been discarding sensitive materials in this manner for "the last ten years".
Reference URL:
KOMOTV.com News Story
Report Credit:
KOMO TV
Response:
From the online source cited above:
Steve Gillett of Seattle said Visa Services Northwest threw out the sensitive documents instead of shredding them.
The documents, which ended up in a downtown alley, included papers with Gillett's name, social security number, credit card information and even a copy of his signature.
Gillett's private information, as well as that of dozens of others, had been dumped by the travel services company.
Xiaoli Ding, the owner of the company, claims what Gillett found was the result of an isolated incident.
[Evan] This is unlikely.
He says he keeps his clients' personal information for year, then destroys the files properly. Then he shreds the sensitive documents and recycles the rest.
"Obviously, we accidentally dumped that particular file in the recycle bin," he said.
Even so, Ding said, the documents are safe in the bin since the business is located on an upper floor of the building where the public doesn't typically visit.
[Evan] Does anyone else see the hole(s) in this logic, or is it just me? Is this the way you would want your personal information secured?
Everything in that recycle bin on the upper floor eventually ends up in an alley way nearby; it's brought to another dumpster in a very public place.
Gillett turned to the state attorney general for help.
[Evan] Good work, Mr. Gillett!
In a letter, state officials warned Visa Services Northwest that it is required to destroy customers' personal information it does not plan to retain. Anything short of that is a violation of state law.
[Evan] Good work by the attorney general too!
Ding said his company has changed its policy to comply.
"We moved from shredding only sensitive information to shredding everything," he said.
Ding also sent an apology letter and the Attorney General's Office now considers the matter closed.
Gillett hasn't seen any suspicious activity on his accounts so far. Several of Ding's clients reportedly had issues with strangers applying for credit under their names, but none of the incidents were proven to be linked to the sensitive documents that were thrown out in the trash.
Victim Response:
"This firm was throwing away in a public bin more information than my wife knows about me," Gillett said.
[Evan] OK. Either Mr. Gillett needs to talk to his wife more, or he gave way too much information to Visa Services Northwest.
"They said they had been doing this for the last ten years," Gillett said.
[Evan] This statement goes against the earlier claim by Mr. Ding in which he states that this is "an isolated incident".
Commentary:
What do you suppose is the case in this breach? Was Mr. Ding disposing of confidential information in the trash for the past 10 years hoping nobody would notice, or is this actually an isolated incident? I wonder how many small businesses take the security of personal information seriously, and of these how many know how to properly secure it.
Every company that uses personal and/or confidential information in any manner must have data destruction standards that clearly define all of the acceptable methods for destroying data on all media types (paper, CD, DVD, flash, hard drives, etc.).
Past Breaches:
Unknown
