Again, sensitive information found on resold hard drives

Date Reported:
11/19/08

Organization:
Sears Holdings Corporation (and Sears, Roebuck and Co.)
Giant Food LLC

Contractor/Consultant/Branch:
eBay, Inc.

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"personal information; like bank accounts, credit cards, social security numbers, even pharmacy prescriptions"

Breach Description:
"A CALL FOR ACTION investigation showed you how with $50 dollars and a little computer savvy, thieves could steal your identity. Two months later, we wanted to know if anything changed."

Reference URL:
WINK News

Report Credit:
Melissa Yeager, WINK News

Response:
From the online source cited above:

FORT MYERS, Fla. - WINK News showed you just how easy it was to find personal information like bank account numbers, credit card numbers, and prescription drug information.

Our investigation uncovered one way thieves might get your information.

For just $50 dollars, CALL FOR ACTION purchased ten used hard drives on eBay. We then took them to computer expert, John Benkert with CPR Tools.
[Evan] WINK took the drives to a "computer expert", but you don't even need to be a computer expert to access much of this information.  Many of these drives will work after not much more than connecting them to a computer.  Check the current lots of used drives on eBay.  If you refine your search even more and look for auctions listing the drives "as-is" or "not sure if these work", your odds of getting drives that haven't been wiped might be even better.

"Were you surprised when you looked at these how readily available that information was available on these drives?" asked CALL FOR ACTION Reporter Melissa Yeager during our initial story.

"Shocked is probably more the term," Benkert replied.
[Evan] I don't know why Mr. Benkert would be shocked.  This is a well-known method of obtaining sensitive information of all sorts, not just personal information.

The drives held all kinds of personal information; like bank accounts, credit cards, social security numbers, even pharmacy prescriptions.

We traced the information back to major companies.

Two companies, Sears and Giant Foods of Maryland sent technicians to Fort Myers to examine the drives.

Neither company could tell us how their customers' personal information ended up on hard drives for sale on eBay.

Sears told us, "The data on these hard drives appears to be from accounts which expired between 1999 and 2004."

They admitted at least 40 instances of credit card numbers with enough information to identify the customer.
[Evan] Does Sears (or Giant Foods) intend to notify customers?

"It upsets me and it should upset everybody that any... if your data is stolen, if your information is out there, whether it's one person or 230 million," said Benkert.
[Evan] It upsets me.  This is just one of my motivations for creating The Breach Blog.

Senator Bill Nelson wants to protect your identity because he's a victim of identity theft himself.

"Two days ago, American Express called and said we notice some suspicious purchases and sure enough they caught it. Someone was using the number from my card and they picked it up from someplace," Nelson told CALL FOR ACTION.

His proposed legislation targets any company or agency that has your personal information. It will require companies to have a written plan for successfully destroying those records.
[Evan]  On the one hand, this is a good thing because it should force more companies to destroy unneeded data.  On the other hand, this is sad.  It is sad that far too many companies (and people) fail to do the right thing.  It is sad that far too many companies (and people) fail to recognize the importance of information security.  It is sad that far too many companies (and people) don't realize that a majority of their assets are intangible, of which information makes up a significant portion.  It is sad that far too many companies manage information security in order to be compliant with laws and regulations, then consider themselves to be "secure".  There.  That's my rant for the day.  ;)

"Because you all did that, and thank you for doing that, you have pointed out another invasion of the privacy," said Nelson.

If a company has your information, you don't have a lot of control over what they do with it. Benkert wants to change that. He's now working with state lawmakers in Tallahassee to draft legislation that would tell companies exactly how to get rid of data. His advice: make sure you clear all your personal hard drives and take them to a reputable company who will clear them and provide you written documentation that they did it.
[Evan] FRSecure LLC (my company) will also destroy data and provide certification.  There.  That's my plug for the day.

After our story aired, eBay contacted CALL FOR ACTION with this statement from spokeswoman Nichola Sharpe: "eBay urges consumers to take appropriate steps to ensure that personal information is removed from the PC or hard drive prior to the sale. There are programs and companies that can aid in this process."
[Evan] I don't place much blame on eBay for this breach.  It just isn't feasible for them to ensure that all of their customers certify data destruction.

Commentary:
Although this one news article is relatively obscure, meaning its content isn't pasted on the front page of every newspaper, this type of breach is much more common than most people would like to admit.  Every organization that has information worth securing should have and follow data destruction/re-use procedures.
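One concrete piece of a destruction/re-use procedure is a verification step before a drive leaves the building. The script below is an added example, not code from the original post, WINK News or CPR Tools: it audits a drive image for residual non-zero blocks and for digit runs that pass the Luhn check (the kind of card-number remnants the story describes), so the result can back the written wipe documentation Benkert recommends. The block size, the two sample images and the test card number 4111111111111111 are constructed for the example.

```python
"""Audit a drive image after a zero-fill wipe (constructed example)."""
import re
from dataclasses import dataclass

BLOCK = 4096  # assumed sector-group size for the per-block scan
# 13-19 digit runs not adjacent to other digits: candidate card numbers
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class WipeReport:
    blocks: int
    nonzero_blocks: int   # blocks containing any byte other than 0x00
    luhn_hits: int        # Luhn-valid digit runs found anywhere in the image

    def wiped(self) -> bool:
        """A zero-filled drive has no non-zero blocks and no card-like data."""
        return self.nonzero_blocks == 0 and self.luhn_hits == 0


def audit_image(data: bytes) -> WipeReport:
    """Scan an image: count non-zero blocks and Luhn-valid digit runs."""
    blocks = nonzero = 0
    for off in range(0, len(data), BLOCK):
        chunk = data[off:off + BLOCK]
        blocks += 1
        if chunk.count(0) != len(chunk):
            nonzero += 1
    hits = sum(1 for m in PAN_RE.finditer(data) if luhn_ok(m.group(1).decode()))
    return WipeReport(blocks, nonzero, hits)


# Constructed sample images: one properly zero-filled, one with leftover data.
WIPED_IMAGE = bytes(4 * BLOCK)
RESIDUAL_IMAGE = (b"\x00" * 100 + b"ACCT 4111111111111111 EXP 0304 "
                  + b"\x00" * 50).ljust(4 * BLOCK, b"\x00")

if __name__ == "__main__":
    for name, img in (("wiped", WIPED_IMAGE), ("residual", RESIDUAL_IMAGE)):
        print(name, audit_image(img))
```

The non-zero test assumes a zero-fill wipe; a drive overwritten with a random pattern will show every block as non-zero, and only the Luhn scan remains meaningful there.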

Past Breaches:
eBay:
October, 2008 - eBay account details found online, phished?
September, 2007 - eBay customer information exposed, but how?
