SanDiegoFit.com customers affected by computer theft


Date Reported:
9/10/10

Organization:
SanDiegoFit.com

Contractor/Consultant/Branch:
None

Location:


Victims:
Customers

Number Affected:
Undisclosed*

*There are 15 New Hampshire residents affected according to the breach notification letter.

Types of Data:
Personal information, including "name, address, phone number, and in some instances" credit card information.

Breach Description:
SanDiegoFit.com, Inc. has notified the New Hampshire Attorney General of a breach.  According to the breach notification letter, a computer was stolen from their office that was not encrypted and contained personal customer information.

Reference URL:
The New Hampshire Attorney General breach notification

Report Credit:
The New Hampshire Attorney General

Response:
From the online source cited above:

We are writing to inform you that on August 30, 2010, a computer containing information about certain SanDiegoFit.com, Inc. customers was stolen from our locked, alarm-protected offices.
[Evan] Are locks and alarms enough?  I guess much of the answer is "it depends".  It depends on what you are trying to protect.  It depends on the area in which your office is located.  It depends on how the locks are implemented.  It depends on who has keys.  It depends on who your neighbors are.  It depends on how traffic around your building is controlled.  It depends on how the building is constructed.  It potentially depends on many, many factors.  FRSecure helps clients answer questions like this through our information security (risk) assessments.


SanDiegoFit.com office building.  How easy is it to scope out a joint now with Bing and Google Maps?

The computer had on it a file, which, unfortunately, we believe may have contained certain personal information about you, including your name, address, phone number, and in some instances your credit card information.
[Evan] I don't feel comfortable with the word "unfortunately".  It doesn't have all that much to do with fortune.  A little bit more proper planning and forethought could have prevented this breach.  Was this a client computer or a server?  We want to see systems that store sensitive information in a more secure environment than systems that do not.  Here it appears as though there is only a single layer of physical security used to prevent access to this sensitive system.  Not cool.  A layered approach to information (including physical) security is suggested and in many cases required.

The computer was password protected, but the information it contained was not encrypted.
[Evan] In environments that are not highly secure (physically), data-at-rest encryption must be used.  Encryption is so simple to implement!
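The two comments above ask whether a file of card data belonged on that computer at all, and say that whatever is stored there must be encrypted at rest. Both fixes start with knowing which files on which machines actually hold card numbers. The following is an added example, not code from the post or from FRSecure: a small Python scanner that flags lines containing Luhn-valid card numbers so the file can be moved off the workstation or encrypted. The sample records are constructed, and the file names it takes are assumptions; only the first six and last four digits of any hit are reported.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample: the kind of customer export a small retailer might keep on
# an office workstation. Line 3 holds a 16-digit string that fails the Luhn check,
# so a plain digit-run regex would over-report it.
SAMPLE_RECORDS = [
    "Jane Doe,123 Main St,555-0100,4539578763621486",
    "John Roe,456 Oak Ave,555-0101,",
    "Pat Lee,789 Pine Rd,555-0102,1234567890123456",
    "order 2010-08-30 ref 4111111111111111",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the normalised (separator-free) card numbers found in one line of text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits so a report never stores a full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan lines of text; return (line number, masked card number) for each hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_card_numbers(line):
            findings.append((n, mask(pan)))
    return findings


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan a text file on disk (path is whatever the operator points it at)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


if __name__ == "__main__":
    # Run against the constructed sample; point scan_file() at real exports instead.
    for line_no, masked in scan_lines(SAMPLE_RECORDS):
        print(f"line {line_no}: card number present ({masked})")
```

Run it across the directories where customer exports and spreadsheets accumulate; every hit is a file that either should not be on that machine or must sit on an encrypted volume. The Luhn filter is what keeps phone numbers, order references and dates out of the report.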

The theft was promptly reported to local law enforcement, and they are investigating the incident.

As of this date, we have received no indication that your information has been or will be misused.

Nonetheless, we take this incident seriously and are committed to assuring the security of your data.
[Evan] Should we take their word for it?  People who trust too much are too easily taken advantage of.  At what point do people begin to question and seek assurance based on facts as opposed to words?

Out of an abundance of caution, in order to help you detect the possible misuse of your information, we are providing you with a one-year membership for credit monitoring services.
[Evan] On a personal level, I can't stand the "abundance of caution" phrase.

You have until December 15, 2010 to activate the credit monitoring.

Please be assured that we are taking steps to help prevent a similar occurrence, and we stand ready and willing to help you.
[Evan] What steps will be taken to prevent a similar occurrence?  If I were a customer who was paying attention, I would want more information (if they ever want me to shop there again).

Should you have questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact Beth Di Angelo or Ellen Harris via phone at 1-8 or email at

Commentary:
My comments may come off a bit more harsh than they are actually intended.  At least SanDiegoFit.com, Inc. thought about security and was not completely ignorant, as evidenced by the use of locks and an alarm system.  It's sad that they didn't go far enough.  Sensitive data should not have been stored on a computer that was not adequately protected (both physically and technically/logically).

Posted by Evan Francen, President of FRSecure LLC.
About FRSecure LLC

Past Breaches:

Unknown
