Stolen Nix Check Cashing computer may have contained customer information
Date Reported:
6/30/10
Organization:
Nix Check Cashing
Contractor/Consultant/Branch:
None
Location:
Southern California
Victims:
Customers
Number Affected:
Undisclosed*
*The breach notification letter mentions 113 New Hampshire residents
Types of Data:
"some combination of customer name, address, phone number, Social Security Number or driver's license number"
Breach Description:
A Nix Check Cashing branch was burglarized and a computer was stolen that contained sensitive personal information belonging to their customers.
Reference URL:
New Hampshire Attorney General breach notification
Report Credit:
The New Hampshire Attorney General
Response:
From the online source cited above:
From the letter to the Attorney General:
This Firm (Morgan Lewis) represents Nix Check Cashing in connection with a theft of one of its computers inside a Nix Check Cashing branch.
We are writing to notify you of the incident, as information on the stolen computer may have included personal information for a number of Nix Check Cashing customers.
[Evan] I understand that this letter was written by a lawyer, but I don't like the uncertainty. The computer "may" have contained personal information, or "did" it?
The incident occurred when a Nix Check Cashing branch was the victim of a burglary.
Among the items stolen was a computer containing personal customer information, which may have included some combination of customer name, address, phone number, Social Security Number, or driver's license number.
[Evan] So the computer did have personal information, not "may have included".
As soon as Nix Check Cashing became aware of the theft, they immediately contacted law enforcement authorities, who are currently conducting an investigation.
[Evan] This seems like the right thing to do, and in this case it probably is, but be careful of when you bring law enforcement into an incident response. Your incident response procedures should clearly document when law enforcement should be contacted and by whom.
To date, they have not been able to determine who is responsible or to recover the stolen computer.
However, we have no evidence that the information on the computer has been used for fraudulent purposes.
Nix Check Cashing has taken the following actions:
1. The theft was reported to local authorities on 5/17/2010.
2. Nix Check Cashing promptly undertook measures to determine what personal information was on the computer.
3. Nix Check Cashing is sending notification letters via first-class mail to any individual whose personal information is believed to have been on the computer.
From the notification letter sent to victims:
The security of your information is very important to us and we strive to handle it with care and discretion at all times.
[Evan] Would an organization claim anything different?
We are writing to let you know that there is a possibility some Nix Check Cashing electronic customer files, including yours, could have been compromised.
[Evan] Again, the uncertainty. If personal information was on the stolen computer, and the computer was not properly protected (beyond a username/password), then the information "is" compromised, not "could have been".
Unfortunately, one of our Nix Check Cashing branches was recently the victim of a burglary.
Among the items stolen was a computer containing personal information which included some combination of customer name, address, Social Security number and/or driver's license number.
As soon as we became aware of the theft, we immediately contacted law enforcement authorities, who are currently conducting an investigation.
We are working closely with law enforcement officials to apprehend the thief and are prepared to prosecute to the fullest extent of the law.
We have no reason to believe your personal information has been accessed or misused in any way.
There is no evidence that the thief was targeting this information, knew the computer contained customer data, or had any interest other than stealing a valuable computer.
[Evan] What evidence could present itself to support that the thief was targeting the information, if in fact he/she was? There doesn't seem to be a solid way to determine motive in this theft. There is not much value in most computer equipment found in a typical check cashing establishment, so what would support the claim that the thief was targeting a "valuable computer"? This statement is not meant to present facts so much as it is meant to minimize the perceived impact of the breach.
We are committed to protecting our customers' information and deeply apologize for any inconvenience or concern this theft may cause you.
We have already put new procedures into place, and are developing additional security measures to ensure that this type of situation cannot happen again.
[Evan] This would be good information to know. What are the new procedures and additional security measures that have already been put in place? Offsite centralized storage of sensitive information in a physically secured location would be good. How about full disk encryption on computers that have the ability to collect, process, store or transmit sensitive information? Nix Check Cashing must have taken some serious steps if they are ensuring "that this type of situation cannot happen again".
Nix Check Cashing is offering 12 months of credit monitoring to victims.
Commentary:
Most of my comments are included above.
One additional note might help us understand the scope of this breach in terms of the number of people affected. The notification letter mentions that there are approximately 113 New Hampshire residents affected. Nix Check Cashing operates forty-nine (49) branches, and all of them are located in Southern California. If this breach affects 113 people in a small state located on the other coast, how many people does this breach affect in Southern California and the rest of the country?
Past Breaches:
Unknown