Thousands of Canadian Chrysler Financial customers at risk

Date Reported:
4/22/08

Organization:
Chrysler Corporation

Contractor/Consultant/Branch:
Chrysler Financial (Canada)
United Parcel Service ("UPS")

Victims:
Canadian customers

Number Affected:
"thousands"

Types of Data:
"names, addresses and social insurance numbers"

Breach Description:
"TORONTO - The lending arm of the Chrysler Corporation says the U-P-S courier service may have lost a data tape containing personal information about thousands of its Canadian customers."

Reference URL:
The Windsor Star
The Hamilton Spectator
Winnipeg Sun
Toronto Star

Report Credit:
Dave Hall, The Windsor Star

Response:
From the online sources cited above:

TORONTO - The lending arm of the Chrysler Corporation says the U-P-S courier service may have lost a data tape containing personal information about thousands of its Canadian customers.
[Evan] In this day, it baffles me that companies still send backup tapes through UPS, DHL, FedEx, etc. without encryption.  This is especially difficult for me to comprehend when the company deals with extremely sensitive personal information.  In this instance, I don't place much blame on UPS.

The lost information affects Chrysler Financial lease customers across Canada.

The Office of the Privacy Commissioner of Canada says it is "monitoring" Chrysler's lending arm.

Chrysler Financial also acknowledged yesterday that it waited five weeks or longer to tell customers the tape had been lost or possibly destroyed.

Chrysler Financial acknowledged it did not inform customers for five weeks or longer about a "destroyed or lost" tape because of an internal search and investigation, noting it didn't want to alarm customers until it exhausted a search with United Parcel Service.
[Evan] This is a common excuse, but is it a valid one?

The automaker had sent a package with the mainframe data tape from Farmington Hills, Mich., via UPS to a Quebec credit agency when it disappeared in early March.

The company has not recovered the tape but it found a damaged envelope it was in.

The tape holds names, addresses and social insurance numbers of customers.

Jelena Jelich says special computer software and other equipment is needed to access the data.

"The data tape cannot be easily accessed and requires specialized software and equipment to read but it did contain some personal information that Chrysler Financial had obtained from you,"
[Evan] A person would need "specialized software" like backup software (Veritas, Commvault, etc.) and equipment like an appropriate tape drive, I assume.  Nothing all that special.  The "cannot be easily accessed" claim could be argued.

During the past week, customers have received letters from Chrysler Financial general counsel Brian Chillman informing them of the incident.

Chillman said the company has no reason to suspect that an unauthorized person has retrieved or is using the personal information.

"Nonetheless, as a precautionary measure we are alerting you to this recent incident so that you may be watchful for signs of any possible misuse of your personal information by an unauthorized recipient,"
[Evan] How nice of Chrysler Financial.  After all, the information BELONGS to the customers, not the company.

A Chrysler Financial spokeswoman said that after the tape went missing, internal processes were changed and the information is now sent by secure electronic transmissions. UPS is no longer used.
[Evan] Welcome to 2008, or was it 1995 (the year IPsec RFCs 1825 & 1829 were published)?

"We apologize for any inconvenience or harm this may cause you."

Victim Reaction:
Chris Jovanovic, who leases a car from Chrysler, said the company was notified by United Parcel Service about the lost tape on Mar. 12 but a letter from Chrysler Financial dated Mar. 27 didn't arrive in his mailbox until Monday.

"It's the time frame of notification that's got me upset because if the tape did fall into the wrong hands, they've had six weeks to access the information and do something with it,"

Jovanovic said he wasn't convinced by Chillman's assurances because "someone who knows what they're doing could probably access the information. Nothing's that secure these days and it annoys me to think that if the tape never shows up, will we be looking over our shoulders for years waiting for the information to be used."

Jovanovic said he was seeking legal advice to determine his next steps.

Commentary:
I don't have much patience or compassion for organizations that send tapes containing gigabytes (and sometimes terabytes) of confidential information through couriers and mail without encryption.  Chrysler Financial claims that this is the first time something like this has ever happened.  Don't you think that it was just a matter of time?

Past Breaches:
Unknown


 
Comments
  • 5/2/2008 10:07 AM Steve wrote:
    How can a company like this not use an information management service to rotate their tapes? There are plenty of companies out there that do something like this as their core business. This is not what UPS is supposed to be doing....NUTS!
  • 5/15/2008 12:21 PM Darrin wrote:
    There may not be any similar previous breaches involving Chrysler Financial, but a quick Google reveals that UPS has been affected more than a few times by "data loss" during shipping.

    The weeks between the tapes going missing and the notification of the customers affected is shocking. My friend received the letter from Chillman 3 hours before a bank in a neighbouring city called her to inform her that a $10,000 loan had been taken out using her recently-stolen identity. By the end of the next day, she uncovered over $24,000 worth of fraudulent purchases and credit. How are we supposed to believe that tape with its sensitive data didn't fall into the hands of people whose express purpose for acquiring it was for criminal activity?

    UPS refuses to answer questions. Chrysler Financial keeps assuring her that the data would be very difficult to access, but with the timing of her recent identity theft, it's hard not to imagine that the 2 incidents are connected.

    Just my 2 cents.
  • 5/23/2008 11:27 PM Loris wrote:
    If you're interested in joining a class-action against Chrysler Financial, contact for more information.
  • 6/19/2008 12:13 PM jack wrote:
    Is there any possibility of people returning their leased vehicle without penalty because of Chrysler Financial's blunder?
    1. 6/23/2008 1:50 PM Thetigs wrote:
      I would LOVE to see an answer to this question. We too want out of our lease now and have nothing to do with Chrysler anymore after receiving our "letter", and also have our deposit back.
