92,095 InterActive Financial Marketing Group customers exposed

Date Reported:
8/18/08

Organization:
Dominion Enterprises

Contractor/Consultant/Branch:
InterActive Financial Marketing Group (IFMG)

Victims:
Credit applicants

Number Affected:
92,095

Types of Data:
"personal information, including the names, addresses, birth dates, and social security numbers"

Breach Description:
"NORFOLK, Va., August 18, 2008 - Dominion Enterprises today announced that a computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008."

Reference URL:
Dominion Enterprises News Release
InterActive Financial Marketing Group Customer Alert
Business Wire via MarketWatch
 
Report Credit:
Dominion Enterprises

Response:
From the online sources cited above:

NORFOLK, Va., August 18, 2008 - Dominion Enterprises today announced that a computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008.
[Evan] I often wonder how much "hacking" really goes into a breach like this.  I would guess that the intrusion was not all that sophisticated.  The fact that the intrusion took place between November 2007 and February 2008 (~ 3 months) is telling and in most cases unacceptable.  We can speculate that detective controls like host and network intrusion detection and prevention were either not present or ineffective.

The data intrusion resulted in the potential exposure of personal information, including the names, addresses, birth dates, and social security numbers of 92,095 applicants who submitted credit applications to IFMG’s family of special finance Web sites.
[Evan] The information WAS subject to exposure.  There is the "potential" that the confidentiality of information was compromised.  Minor word changes, but changes nonetheless.  This is a very significant breach.

Dominion Enterprises is mailing letters to the individuals whose personal information it can determine was illegally accessed.

The company is offering one full year of free credit monitoring services to all affected parties, and has provided information about additional resources where consumers can learn how to help protect themselves from identity theft.
[Evan] How much do you think the mailings, credit monitoring subscriptions, attorneys' fees, consulting fees, and other support-related costs will total?  More than prevention?

"We deeply regret this incident and apologize for the concern and inconvenience it has caused," said Dominion Enterprises President and CEO Conrad M. Hall.  "We are committed to helping those who were affected and strongly encourage them to sign up for the complimentary credit monitoring and to take the action steps outlined in our letter."
[Evan] I respect corporate leaders that address information security matters.  There may come a day when corporate leaders begin to be held personally accountable for the protection of sensitive information.

With the help of experts in data and network security, the company has taken immediate steps to enhance the security of IFMG’s systems and to protect the personal information that applicants submit on IFMG Web sites.
[Evan] If I were a customer, I would demand more detail.  Words are only words.  Who are the "experts", what "immediate steps" have been taken, and what will IFMG do to ensure that a similar breach does not happen again?

Dominion Enterprises has alerted law enforcement and will work with authorities on the criminal investigation into the security breach.

Commentary:
We could speculate all day about IFMG's information security program, its strengths and deficiencies.  The one fact about this breach that concerns me the most is the three-month timeframe.  This fact is very hard to justify.

Past Breaches:
Unknown


 