Things Remembered, Inc. employee information exposed

Date Reported:
10/14/08

Organization:
Luxottica Group

Contractor/Consultant/Branch:
Cole National Group, Inc.
Things Remembered, Inc.

Location:
Mason, Ohio

Victims:
Employees of the "Things Remembered brand" between 1998 and March 2005

Number Affected:
Unknown*

*There are an estimated 4,000 Things Remembered employees in 46 states, according to Zoom Information. That is a current headcount, not the number of people employed over the 1998 to 2005 window, so it says little about how many people this breach affects, but it does give some sense of scale.

Types of Data:
"name, address, Social Security Number, date of birth, and other information used for processing payroll"

Breach Description:
Cole National Group, Inc. (a Luxottica Group company), the parent of Things Remembered, Inc., has issued a breach notification to people employed by the Things Remembered brand between 1998 and March 2005, informing them that an "unknown, unauthorized person accessed a file" containing their personal information.

Reference URL:
Wisconsin Office of Privacy Protection copy of the breach notification
The breach was also reported previously at PogoWasRight

Report Credit:
Wisconsin Office of Privacy Protection

Response:
From the online source cited above:

Cole National Group, Inc. (a Luxottica Group Company) is contacting you because you were an employee of the Things Remembered brand at some point between 1998 and March 2005.

We recently discovered that an unknown unauthorized person accessed a file from a company server in April 2008.
[Evan] This statement is troubling for me. I am assuming that investigators have more information available to them than this. I wonder whether the company server was internal (meaning on the corporate LAN), on a DMZ (e.g. a website back end), or publicly accessible (e.g. a web server). I particularly feel uncomfortable with the inclusion of "unknown unauthorized person" in the statement. This may sound like common sense, but highly sensitive information requires more preventative, detective and corrective controls than less sensitive information. Understanding that we (information security personnel) cannot eliminate the risk of compromise, we should be able to identify a compromise, find the cause, and locate a source quickly. The information was compromised in April 2008; when was it detected? What explains the gap between April 2008 and the date of notification (October 14th)?

This file contained information used for processing payroll for Things Remembered employees during that time span noted above.

At this time, we have no evidence that the compromised data has been misused.

We have carefully reviewed the security of the server on which this file was located, and believe this was an isolated and unusual incident.
[Evan] Was the "security of the server" itself at the root of the compromise? A poorly secured configuration? Unpatched? Secure server build standards and patch management procedures are critical for servers collecting, storing, transferring, or processing sensitive information.

Nonetheless, we want to provide you with details to detect and prevent misuse of your personal information.

Your name, address, Social Security Number, date of birth and other information used for processing payroll were included in the file that was accessed.

We deeply regret that this has occurred and have taken action to ensure the security of this file going forward and to lessen the potential for harm.
[Evan] What action?  The letter doesn't disclose what happened in the first place, at least not with any detail.

We have notified law enforcement of this incident, are conducting a full investigation, and will support prosecution of those involved.

One year of credit monitoring is being offered by Cole National Group.  Those affected have 90 days from the date on their letter to enroll.

We have also advised the three major U.S. credit reporting companies about this incident.

We encourage you to take preventative measures now to help prevent and detect any misuse of your information.

We recommend that you place a fraud alert on your credit file.

If you believe your information is being misused, you also should file a complaint with the FTC at www.ftc.gov/idtheft or at 1-877-ID-THEFT ().

Finally, we also recommend you visit the FTC website which provides a comprehensive guide to help you with security of your personal information and guard against its misuse by others at www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idto4.shtm.

Again, we sincerely apologize that this incident has occurred.

If you have any questions about this incident, please call us at 1- (Monday through Friday, 8:00 a.m. - 5:00 p.m. ET)

Commentary:
We can appreciate that Cole National is notifying affected persons, but there are some troubling facts. Six months passed between the time the breach allegedly occurred (April 2008) and the date of the notification letter (October 14, 2008). It is not clear exactly when the breach was detected, nor how. Some of the information on the compromised server was 10 years old, which raises the question of why payroll data for employees who left as early as 1998 was still on a server at all. There is no real detail surrounding how the information was compromised, so we are left to speculate.
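The detection gap is the point worth dwelling on: a payroll file that is read by anything other than the payroll process should raise an alarm the same day, not six months later. The following is an added example (not part of the original post, and not Cole National's tooling) of the kind of detective control that would have shortened that gap. It scans constructed, hypothetical audit-log lines, flags reads of a sensitive file by any principal outside an allowlist, and reports how long the first flagged access went unnoticed relative to the date the log was finally reviewed. The file path, principal names, IP addresses and log format are all assumptions for illustration.

```python
"""Added example: flag unexpected access to a sensitive payroll file in
audit logs and measure the detection gap. Not from the original post."""
from datetime import datetime

# Constructed sample audit lines (hypothetical; not real logs).
# Assumed format: timestamp | principal | source IP | action | path
AUDIT_LOG = """\
2008-04-02T09:12:05 | svc_payroll | 10.1.4.20    | READ  | /data/hr/payroll_1998_2005.dat
2008-04-02T09:13:40 | svc_payroll | 10.1.4.20    | WRITE | /data/hr/payroll_1998_2005.dat
2008-04-11T02:47:13 | web_app     | 203.0.113.77 | READ  | /data/hr/payroll_1998_2005.dat
2008-04-11T02:49:01 | web_app     | 203.0.113.77 | READ  | /var/www/html/index.html
"""

SENSITIVE_PATH = "/data/hr/payroll_1998_2005.dat"  # assumed path
ALLOWED_PRINCIPALS = {"svc_payroll"}               # assumed allowlist


def parse_line(line):
    """Split one pipe-delimited audit line into a dict with a parsed timestamp."""
    ts, principal, ip, action, path = [field.strip() for field in line.split("|")]
    return {
        "ts": datetime.fromisoformat(ts),
        "principal": principal,
        "ip": ip,
        "action": action,
        "path": path,
    }


def find_unauthorized_access(log_text, sensitive_path=SENSITIVE_PATH,
                             allowed=ALLOWED_PRINCIPALS):
    """Return every event that touches the sensitive file from a principal
    not on the allowlist. Any action counts: a READ is enough to exfiltrate."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["path"] == sensitive_path and event["principal"] not in allowed:
            hits.append(event)
    return hits


def days_undetected(hits, reviewed_at):
    """Whole days between the earliest flagged access and the review date."""
    if not hits:
        return 0
    first_access = min(h["ts"] for h in hits)
    return (reviewed_at - first_access).days


if __name__ == "__main__":
    flagged = find_unauthorized_access(AUDIT_LOG)
    for h in flagged:
        print(f"{h['ts']} {h['principal']}@{h['ip']} {h['action']} {h['path']}")
    # Review date assumed to be the notification date in the post.
    print("days undetected:", days_undetected(flagged, datetime(2008, 10, 14, 9, 0)))
```

The check is deliberately simple: it keys on path plus principal, which is the minimum a file-integrity or audit-log monitor needs to page someone. A real deployment would also alert on an allowed principal reading the file from an unexpected source address or outside the payroll run window, and would run continuously rather than at review time, which is what turns a 186-day gap into a same-day one.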

At least the affected people are being offered one year of credit monitoring, but how effective is credit monitoring anyway? With credit monitoring, a person only becomes aware after fraud has occurred. How does credit monitoring help against someone using your identity to rent an apartment, get a job, or obtain something of value from an organization that doesn't report to a credit bureau? How much value is one year, when a Social Security Number and date of birth keep their value for a lifetime? Confidential information can be easily disclosed, but we can't make disclosed information confidential.

Past Breaches:
Unknown
