Pulte Homes informs home buyers of stolen backup tapes
Technorati Tag: Security Breach
Date Reported:
12/25/08
Organization:
Pulte Homes, Inc.
Contractor/Consultant/Branch:
"Las Vegas Division"
Location:
Las Vegas, Nevada
Victims:
Customers (home buyers) and employees
Number Affected:
16,000
Types of Data:
"names, addresses, drivers' license numbers and financial account numbers"
Breach Description:
"Computer tapes holding private customer information including names, addresses, driver's license numbers and financial account numbers were stolen from a Pulte Homes office in Las Vegas last month"
Reference URL:
Las Vegas Sun
Associated Press via San Francisco Chronicle
Channel 8 Eyewitness News
Report Credit:
Jean Reid Norman, Las Vegas Sun
Response:
From the online sources cited above:
Computer tapes holding private customer information including names, addresses, driver's license numbers and financial account numbers were stolen from a Pulte Homes office in Las Vegas last month, and the developer is cautioning home buyers to take precautions to protect their identity.
[Evan] I wonder what "financial account numbers" were on the tape. Are these checking account numbers, savings account numbers, credit card numbers, brokerage account numbers, or all of the above?
In a letter dated Dec. 19, Pulte Homes Las Vegas Division told 16,000 customers of the Nov. 13 theft of a box containing computer backup tapes.
[Evan] Should we assume that the backup tapes were NOT encrypted?
"At this time, it is not known whether the box was stolen with the knowledge of its contents, or the intent, know-how and ability to extract and exploit the information stored in these backup tapes," the letter said.
[Evan] Why would someone steal a box of backup tapes? The tapes themselves don't fetch a lucrative price on the street, but the information could for sure.
So far, there is no indication that any of the information has been used for identity theft, Pulte spokeswoman Jacque Petroulakis said Wednesday.
Information on both home buyers and employees was on the tapes, she said.
The theft was reported to Metro Police, and the company is cooperating with the investigation, Petroulakis said.
The theft was noticed shortly after it occurred, Petroulakis said, though she added police advised the company not to discuss details.
[Evan] I can understand not disclosing details that could hinder an investigation, but what would these details be?
It took a month for Pulte's information systems team to identify the customers who were potentially affected, she said.
"We proactively informed anyone who can be potentially affected," she said. "We definitely pride ourselves in having a safe environment for our customers."
[Evan] What is so proactive in a reaction? In my mind, proactive steps are those taken to prevent the compromise of information. A letter informing people about a breach is a reactive measure, isn't it?
Pulte advised customers in the letter to take steps to protect themselves from identity theft and is providing its customers a free year of a credit monitoring service.
Among the precautions the letter suggested were closing credit card and other financial accounts and getting new PINs and passwords.
It also recommends placing a fraud alert on customers' credit files to force creditors to contact the customer before a new account is opened.
Customers have until March 31 to sign up for a free year of Experian's Triple Advantage Premium credit monitoring service at Pulte's expense, the letter said.
Petroulakis did not know how much that would cost the company.
[Evan] Probably more than it would have cost to encrypt the tapes and lock them in a secure storage facility (which will need to be done anyway).
"I know it's a significant investment on the part of the company," she said. "It's a small investment to ensure our home buyers feel we are creating a safe environment for them."
New Pulte homeowner Dave Coleman only found out about the theft after Eyewitness News informed him one of his neighbors received the letter.
When Coleman tried to contact Pulte by phone to find out if he's among the 16,000 customers affected, he got a recording telling him the the company is closed for the holidays.
He's not happy about the way Pulte is handling the incident.
"I'm a bit frightened and very disappointed because I haven't been notified. I think I should have been notified the day it happened. We've all seen the news stories about the horrors of identity theft and how expensive and time-consuming it can be," said David Coleman, a Pulte homeowner.
Commentary:
According to the Pulte Homes web site, "Pulte Homes is the nation's largest builder of active adult communities". How much sensitive information (customer records, intellectual property, etc.) do you think they are responsible for? Is the risk of not encrypting or otherwise properly securing backup tapes acceptable? Do you suppose that business leadership is/was not involved in information security at the company?
I just realized that I asked more questions than I provided answers.
We only know what we know, the rest we assume.
Past Breaches:
Unknown
Date Reported:12/25/08
Organization:
Pulte Homes, Inc.
Contractor/Consultant/Branch:
"Las Vegas Division"
Location:
Las Vegas, Nevada
Victims:
Customers (home buyers) and employees
Number Affected:
16,000
Types of Data:
"names, addresses, drivers' license numbers and financial account numbers"
Breach Description:
"Computer tapes holding private customer information including names, addresses, driver's license numbers and financial account numbers were stolen from a Pulte Homes office in Las Vegas last month"
Reference URL:
Las Vegas Sun
Associated Press via San Francisco Chronicle
Channel 8 Eyewitness News
Report Credit:
Jean Reid Norman, Las Vegas Sun
Response:
From the online sources cited above:
Computer tapes holding private customer information including names, addresses, driver's license numbers and financial account numbers were stolen from a Pulte Homes office in Las Vegas last month, and the developer is cautioning home buyers to take precautions to protect their identity.
[Evan] I wonder what "financial account numbers" were on the tape. Are these checking account numbers, savings account numbers, credit card numbers, brokerage account numbers, or all of the above?
In a letter dated Dec. 19, Pulte Homes Las Vegas Division told 16,000 customers of the Nov. 13 theft of a box containing computer backup tapes.
[Evan] Should we assume that the backup tapes were NOT encrypted?
"At this time, it is not known whether the box was stolen with the knowledge of its contents, or the intent, know-how and ability to extract and exploit the information stored in these backup tapes," the letter said.
[Evan] Why would someone steal a box of backup tapes? The tapes themselves don't fetch a lucrative price on the street, but the information could for sure.
So far, there is no indication that any of the information has been used for identity theft, Pulte spokeswoman Jacque Petroulakis said Wednesday.
Information on both home buyers and employees was on the tapes, she said.
The theft was reported to Metro Police, and the company is cooperating with the investigation, Petroulakis said.
The theft was noticed shortly after it occurred, Petroulakis said, though she added police advised the company not to discuss details.
[Evan] I can understand not disclosing details that could hinder an investigation, but what would these details be?
It took a month for Pulte's information systems team to identify the customers who were potentially affected, she said.
"We proactively informed anyone who can be potentially affected," she said. "We definitely pride ourselves in having a safe environment for our customers."
[Evan] What is so proactive in a reaction? In my mind, proactive steps are those taken to prevent the compromise of information. A letter informing people about a breach is a reactive measure, isn't it?
Pulte advised customers in the letter to take steps to protect themselves from identity theft and is providing its customers a free year of a credit monitoring service.
Among the precautions the letter suggested were closing credit card and other financial accounts and getting new PINs and passwords.
It also recommends placing a fraud alert on customers' credit files to force creditors to contact the customer before a new account is opened.
Customers have until March 31 to sign up for a free year of Experian's Triple Advantage Premium credit monitoring service at Pulte's expense, the letter said.
Petroulakis did not know how much that would cost the company.
[Evan] Probably more than it would have cost to encrypt the tapes and lock them in a secure storage facility (which will need to be done anyway).
"I know it's a significant investment on the part of the company," she said. "It's a small investment to ensure our home buyers feel we are creating a safe environment for them."
New Pulte homeowner Dave Coleman only found out about the theft after Eyewitness News informed him one of his neighbors received the letter.
When Coleman tried to contact Pulte by phone to find out if he's among the 16,000 customers affected, he got a recording telling him the the company is closed for the holidays.
He's not happy about the way Pulte is handling the incident.
"I'm a bit frightened and very disappointed because I haven't been notified. I think I should have been notified the day it happened. We've all seen the news stories about the horrors of identity theft and how expensive and time-consuming it can be," said David Coleman, a Pulte homeowner.
Commentary:
According to the Pulte Homes web site, "Pulte Homes is the nation's largest builder of active adult communities". How much sensitive information (customer records, intellectual property, etc.) do you think they are responsible for? Is the risk of not encrypting or otherwise properly securing backup tapes acceptable? Do you suppose that business leadership is/was not involved in information security at the company?
I just realized that I asked more questions than I provided answers.
Past Breaches:
Unknown
Posts Atom 1.0
An ounce of prevention is cheaper than a pound of cure. "Better" is only understood by businessmen in dollars (or Euros, etc.).
Reply to this