VP of IT accused of stealing millions of customer records

Date Reported:
11/27/08

Organization:
C-W Group

Contractor/Consultant/Branch:
Nick Belmonte (ex-employee)

Location:
Vancouver, British Columbia (Canada)

Victims:
Customers

Number Affected:
3.2 million, including "credit card and bank account information of more than 800,000 customers"

Types of Data:
"highly confidential" customer information

Breach Description:
Nick Belmonte, the former VP of information technology with C-W Group, has been accused of stealing a backup tape containing sensitive personal information belonging to customers of the company.  News reports claim that as many as 3.2 million C-W Group customers may be affected.

Reference URL:
The Vancouver Sun
InformationWeek's Security Weblog
The Register
DarkReading

Report Credit:
Neal Hall, Vancouver Sun and a special thanks to the Chronicles of Dissent

Response:
From the online sources cited above:

VANCOUVER - When Nick Belmonte left his $150,000-a-year job at C-W Agencies in Vancouver earlier this month, the owners of the company accused him of taking a computer backup tape containing names and information about 3.2 million customers, potentially worth more than $10 million.
[Evan] It is important to remember two things about what has been reported about this alleged breach.  One, Mr. Belmonte has been accused, not found guilty.  And two, we are getting information from the company and the affidavit, not from Mr. Belmonte.  We have yet to hear his side of this story.

The company said the tape also contained credit card and bank account information of more than 800,000 customers.

Although the information was in encrypted form, the tape contained information and programs to decrypt the data, according to a company executive.
[Evan] The program to decrypt the data won't allow access to the data without the decryption key (usually a password).  Is the key stored with the program or tape?  Does Mr. Belmonte know the decryption key?  Encrypting information doesn't do much to prevent disclosure if the key is not secret.  Kind of a waste if this is the case here.

"The information in the customer library is highly confidential to the plaintiff and its clients," said an affidavit filed in B.C. Supreme Court by Gloria Evans, chief executive of C-W, a direct-marketing firm.

"The customer library could also potentially be marketed as a discrete asset with a value in the tens of millions of dollars," the affidavit said.
[Evan] The financial rewards for stealing and selling sensitive information are real.  This underground economy is thriving.  So what can corporate leaders and information security personnel do to prevent these types of breaches?  A combination of controls such as segregation of duties, mandatory training/awareness, job rotation, pre-employment and post-hire background checks, and more are needed to minimize risk, but we can't eliminate the possibility of it happening anyway.

"If the customer library data is sold, it could have a devastating effect on CW's business and that of CW's clients worldwide."

Evans said she couldn't comment, but said later in an e-mail: "I can confirm C-W Agencies Inc. experienced a theft of data from its premises. We immediately launched a civil action and the matter has also been reported to the Vancouver police."

Evans recalled she became extremely concerned while driving home from work on Nov. 4 when she learned from her son, Keith Evans, the company's network administrator, that Belmonte had recently ordered another employee to bring three backup tapes to his office, where he made copies.
[Evan] Why would a VP of information technology need access to backup tapes?  Imagine if a request like this was made and you were the backup administrator.  Would you have the guts to say no?  Would you give him access and then report it later?  If so, to whom would you report it?  It is also interesting that "he made copies".  If he made copies then why would he steal the original?

Only two tapes were found on Belmonte's desk. "The tape containing the customer library data was missing."

The CEO and a C-W director, Brian Page, then phoned Belmonte at home.

Belmonte, the company's vice-president of information technology, was asked how many tapes there should be and he replied "two," the CEO's affidavit said.

"Both Brian and I repeatedly told Belmonte that we knew that there had been three tapes on his desk and Belmonte repeatedly stated he did not know what we were talking about it," Evans said in her affidavit.
[Evan] He said, she said.  See note below.

The CEO then changed the locks on the computer room and terminated off-site access to the company's computer system.

The CEO's affidavit said Belmonte was a "problem employee" whose office attendance was irregular, who charged lunches with his friends to the company, and had informed employees he would be leaving soon.
[Evan] How was this "problem employee" dealt with prior to this alleged breach?

Belmonte sent an e-mail at 1:05 a.m. on Nov. 5, saying he was on stress leave because he had been wrongly accused of theft.

"This accusation along with the recent death of my friend and president of this company, Randall Thiemer, and all the events leading up to his death have just worn me down," said the e-mail, contained in the court file.

Thiemer, who died in August 2008, founded the company in 1981. He had bought out his former C-W business partner, Ray Ginnetti, for $5 million in 1989.

Ginnetti, a former Vancouver stockbroker and associate of the Hells Angels, was shot to death in 1990.
[Evan] This information isn't really directly related to this breach, but it is an interesting twist.

Jose Raul Perez-Valdez, a Cuban national, eventually pleaded guilty to the $30,000 contract murder, which was arranged by former Hells Angels enforcer Roger Daggitt.

It's unclear how many CW customers have been notified that their data has gone missing.

Commentary:
I just want to provide a couple of quick opinions/recommendations surrounding backup tape security.  A list should be maintained that outlines who is authorized to access backup tapes.  If a name isn't on the list, no access.  Of course there needs to be an exception procedure to address occurrences when a person not listed can be granted access given certain approvals (plural).  Chances are fairly good that a VP of information technology would not be listed.  

Additionally, all tape access must be logged and a chain of custody maintained throughout the entire lifecycle of the tape (creation through to destruction).  This second recommendation trumps the "he said, she said" mentioned prior.
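
One way to implement the two recommendations above (an access list with a multi-approver exception, and a logged chain of custody), as an added example that is not part of the original post. The role names, tape IDs and the two-approver threshold are assumptions made for illustration; each log entry is hashed together with the previous one so that later edits to the record are detectable.

```python
import hashlib
import json

# Assumed values for illustration: role names and threshold are hypothetical.
AUTHORIZED = {"backup_admin", "backup_operator"}  # the access list
MIN_APPROVERS = 2                                 # "approvals (plural)"
GENESIS = "0" * 64


def _digest(prev, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()


class CustodyLedger:
    """Append-only, hash-chained record of every tape access attempt."""

    def __init__(self):
        self.entries = []

    def request(self, tape, person, action, when, approvers=()):
        # The requester cannot approve their own exception.
        independent = sorted(set(approvers) - {person})
        granted = person in AUTHORIZED or len(independent) >= MIN_APPROVERS
        # Denied attempts are logged too: a refused request is still evidence.
        record = {"tape": tape, "person": person, "action": action,
                  "when": when, "approvers": independent, "granted": granted}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "prev": prev,
                             "hash": _digest(prev, record)})
        return granted

    def verify(self):
        """False if any entry was edited, reordered or cut from mid-chain."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(prev, e["record"]):
                return False
            prev = e["hash"]
        return True

    def last_granted(self, tape):
        """Most recent person granted access to the tape, or None."""
        for e in reversed(self.entries):
            if e["record"]["tape"] == tape and e["record"]["granted"]:
                return e["record"]["person"]
        return None
```

The ledger only helps if it is written somewhere the people it records cannot edit, and if its latest hash is periodically copied off-system so that truncating the tail is also detectable.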

UPDATE RECEIVED FROM "Gloria Evans, CEO, C-W Agencies Inc." LESS THAN 2 HOURS AFTER ORIGINAL POST:

December 10, 2008

TO: Evan Francen, The Breach Blog

FROM: Gloria Evans, CEO, C-W Agencies Inc.

RE: Your recent story

We noted your interest in recent events at our company and wanted to provide the correct facts:

  • The tape stolen from our premises on Nov. 4 has been recovered.

  • The recovered tape is being examined by forensic experts who will determine whether the information has been accessed.

  • Because of encryption, the requirements for specialized equipment, knowledge and facilities, it is our hope that the data has not been compromised.

  • We informed our customers of the theft immediately.

  • The criminal and civil matters that have arisen from this situation are before the courts and we cannot comment further.

We are determined to protect our data and are very confident we are taking all reasonable measures to ensure the security of our customers.  Our ability to protect our customer data is at the core of our ability to sustain our company. 

We appreciate the opportunity to ‘set the record straight.’

 

Past Breaches:
Unknown


 
Comments
  • 12/10/2008 1:09 PM Dissent wrote:
    Some follow-up:

    I got a tantalizingly vague email from C-W that the tape had been recovered, which I reported here.
    1. 12/10/2008 1:54 PM Evan Francen wrote:
      Interesting.  The response from Gloria Evans still leaves some serious questions.  I like how you put it, "tantalizingly vague".
    2. 12/10/2008 3:09 PM Evan Francen wrote:
      That didn't take long.  I also received an email from "".  I will update the post accordingly.

  • 12/10/2008 3:52 PM Dissent wrote:
    Heh. Interestingly, mainstream media do not seem to have really covered this story -- or the follow-up notification that the tape was recovered. Another reason for people to read your blog and PogoWasRight.org! :)

    But speaking of vague: do check out the report on the stolen HP laptop I posted to Pogo last night. It's just begging for your comments. :)
    1. 12/10/2008 5:58 PM Evan Francen wrote:
      It is interesting how the media is all over some breaches yet seems completely disinterested in others.  You would think that a breach with so many potential victims would garner more attention.  If you ever come to understand "the media", give me some insight.

      I love the work that you do on PogoWasRight!  I am always impressed with how many reports you make in such a short period of time.  A VERY valuable resource.

      I'm going to read your post from last night now and I'll post something tonight (comments and all!).

  • 12/10/2008 4:46 PM Jaskiran wrote:
    Why is it that West Coast Canadians tend to be full of corrupt people?

    All former Premiers (Governors) of BC had some kind of scandals associated with them. Unless I missed it, I don't see such rampant scandals in the rest of the country. It just tends to be peculiar in the West Coast.

    Perhaps, people are not paid enough in the province or life is too expensive - whatever the reasons - some want to make it fast illegally.
