<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>The Breach Blog: Recent Comments</title><link>http://breachblog.com</link><description /><generator>Quick Blog</generator><lastBuildDate>Sat, 17 May 2008 06:05:25 GMT</lastBuildDate><item><title>Comment on Thousands of customer bank details on stolen Boots backup tape</title><link>http://breachblog.com/2008/04/25/boots.aspx#comment-1047292</link><dc:creator>terry cutts</dc:creator><description>British Gas engineer just been informed Medisure have lost my details stolen from vehicle 03-04-08 police say opportunistic theft low threat because of sophisticated equipment needed to read back up disk read that somewhere before same old excuse reported to data protection privacy commissioner for what good that will do</description><guid isPermaLink="true">http://breachblog.com/2008/04/25/boots.aspx#comment-1047292</guid><pubDate>Thu, 15 May 2008 20:49:58 GMT</pubDate></item><item><title>Comment on Thousands of Canadian Chrysler Financial customers at risk</title><link>http://breachblog.com/2008/04/30/chryslerfin.aspx#comment-1046893</link><dc:creator>Darrin</dc:creator><description>There may not be any similar previous breaches involving Chrysler Financial, but a quick Google reveals that UPS has been affected more than a few times by "data loss" during shipping.&lt;br /&gt;&lt;br /&gt;The weeks between the tapes going missing and the notification of the customers affected is shocking.  My friend received the letter from Chillman 3 hours before a bank in a neighbouring city called her to inform her that a $10,000 loan had been taken out using her recently-stolen identity.  By the end of the next day, she uncovered over $24,000 worth of fraudulent purchases and credit.  
How are we supposed to believe that tape with its sensitive data didn't fall into the hands of people whose express purpose for acquiring it was for criminal activity?&lt;br /&gt;&lt;br /&gt;UPS refuses to answer questions.  Chrysler Financial keeps assuring her that the data would be very difficult to access, but with the timing of her recent identity theft, it's hard not to imagine that the 2 incidents are connected.&lt;br /&gt;&lt;br /&gt;Just my 2 cents.</description><guid isPermaLink="true">http://breachblog.com/2008/04/30/chryslerfin.aspx#comment-1046893</guid><pubDate>Thu, 15 May 2008 12:21:43 GMT</pubDate></item><item><title>Comment on Desktop computer stolen from Administrative Systems, Inc.</title><link>http://breachblog.com/2008/02/11/asi.aspx#comment-1044285</link><dc:creator>Leve</dc:creator><description>I've been thinking about it and I am glad I did not send my information for that 1 year credit monitoring. I will pay for it myself too. But frankly I think we will need our credit monitored for more than 1 year, since identity thieves sometimes wait longer, after you let your guard down, to hit you; so you don't see it coming. &lt;BR&gt; &lt;BR&gt;I've never heard anything about that class action. Can we at least choose our own credit monitoring company for 5 years and have ASI pay for it? It's the least they can do. If they cannot protect our information, how can we trust them or any other company they chose with that very same information?&lt;BR&gt;Anyone with me here? 
We need to act fast.</description><guid isPermaLink="true">http://breachblog.com/2008/02/11/asi.aspx#comment-1044285</guid><pubDate>Wed, 14 May 2008 13:37:35 GMT</pubDate></item><item><title>Comment on Confidential information sent to PinPay.net and SoftCard.biz is exposed</title><link>http://breachblog.com/2008/05/08/pinpay.aspx#comment-1042642</link><dc:creator>ian clyne</dc:creator><description>Thank you for drawing attention to these web forms that were copied to a marketing site in error. Mr. Long is not a principal of the company, but is evidently an outside agent who will be marketing the product when it becomes available. Compliance and regulation are the key final issues being addressed before the final (secure) site is made public. We would welcome "the Breach Blog" contributors to fully inspect and comment on SoftCard/PinPay system and its security when it is finally released.&lt;br&gt;Note: We do write our own security certificates - so the certificate will need to be installed as "trusted"&lt;br&gt; &lt;br&gt;To see the current corrected (non SSL) pages please visit &lt;br&gt; &lt;br&gt; &lt;a href="http://www.pinpay.net/agent_application.php"&gt;http://www.pinpay.net/agent_application.php&lt;/a&gt; &lt;br&gt; &lt;br&gt; &lt;a href="http://www.pinpay.net/merchant_acc_application.php"&gt;http://www.pinpay.net/merchant_acc_application.php&lt;/a&gt; &lt;br&gt; &lt;br&gt; &lt;a href="http://www.softcard.biz/cardholder_registration.php"&gt;http://www.softcard.biz/cardholder_registration.php&lt;/a&gt; &lt;br&gt; &lt;br&gt; &lt;br&gt;PinPay is regulated by the United States Treasury, and operates as a money service business under license and certification.&lt;br&gt; &lt;br&gt;Thank you again for drawing attention to this error.&lt;br&gt; &lt;br&gt;Ian Clyne,&lt;br&gt; &lt;br&gt;CTO, ACAP Security Inc&lt;br&gt; &lt;br&gt; &lt;br&gt; &lt;br&gt;Also contact&lt;br&gt; &lt;br&gt;Glenn Gearhart,&lt;br&gt; &lt;br&gt;CEO, ACAP Security Inc&lt;br&gt; &lt;br&gt;for 
further information,  call (714) 843 0099</description><guid isPermaLink="true">http://breachblog.com/2008/05/08/pinpay.aspx#comment-1042642</guid><pubDate>Tue, 13 May 2008 21:42:45 GMT</pubDate></item><item><title>Comment on BNY Mellon Shareowner Services loses backup tape</title><link>http://breachblog.com/2008/03/27/bny.aspx#comment-1042170</link><dc:creator>CSR</dc:creator><description>The letter is legit. You have to keep in mind w/a corp this large we have to send letters that look like they did. We also would have a different addr &amp;amp; ph# online from what's on the letter b/c duh the # listed on the ltr is a dedicated line just for this situation &amp;amp; the addr as well is a dedicated addr specifically for inquiries on the missing tapes. There are steps that you have to follow in order to make something like this go smoothly. We have not recvd any reports that anyone's info has been misused. When you sign up for the monitoring it will date back to the date it was reported to our Co that the info was missing. The whole purpose for the credit monitoring is to stop identity theft from happening. So IF you enroll &amp;amp; someone actually does have this info then you will be notified BEFORE the requested credit acct will be approved. That is why Experian asks for your ph#, addr, email, &amp;amp; other personal info so that you can be notified BEFORE anything happens. That is why we also provided you w/ the ph# for the FTC (Federal Trade Commission) so that you could also place a fraud alert on your credit file. None of this actually affects your credit file or score, it just allows us to monitor your info. The fraud alert will also delay any requested credit accts from going through. Even if you apply for credit somewhere it will be delayed for further verification. It will not affect the outcome of the approval or denial it will just delay it for the full verification. As for the credit report. You are obligated to 1 free credit report each yr. 
We are NOT offering the credit report. That is why we gave you the web addr &amp;amp; ph#s to each credit bureau so that you can request it. If you have requested your free credit report in the last 12 months then you will have to purchase the report. AGAIN we are NOT offering the credit report, we ARE offering the credit monitoring for 12 months. If anything happens after the 12 month period, then you can always file a claim w/ our Co. You will need to send it to the address on the top of the letter. I hope I was able to clear things up for you all if not then call the # that is on the letter. That will take you directly to the dedicated individuals who can assist you.</description><guid isPermaLink="true">http://breachblog.com/2008/03/27/bny.aspx#comment-1042170</guid><pubDate>Tue, 13 May 2008 20:32:07 GMT</pubDate></item><item><title>Comment on Two stolen Saks Incorporated laptops contained sensitive information</title><link>http://breachblog.com/2008/05/11/saks.aspx#comment-1040991</link><dc:creator>Evan Francen</dc:creator><description>Thanks Dissent!&lt;br&gt;&lt;br&gt;Excellent addition and another good resource at the State of Maryland.&lt;br&gt;&lt;br&gt;-Evan&lt;br&gt;</description><guid isPermaLink="true">http://breachblog.com/2008/05/11/saks.aspx#comment-1040991</guid><pubDate>Tue, 13 May 2008 09:21:57 GMT</pubDate></item><item><title>Comment on Two stolen Saks Incorporated laptops contained sensitive information</title><link>http://breachblog.com/2008/05/11/saks.aspx#comment-1038786</link><dc:creator>Dissent</dc:creator><description>Hi, Evan.&lt;br&gt; &lt;br&gt;An additional 2,391 customers in &lt;a href="http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU-151607.pdf"&gt;Maryland&lt;/a&gt; were also affected.</description><guid isPermaLink="true">http://breachblog.com/2008/05/11/saks.aspx#comment-1038786</guid><pubDate>Mon, 12 May 2008 15:07:09 GMT</pubDate></item><item><title>Comment on Lost Bank of Ireland laptops affect roughly 30,000 (updated) 
customers</title><link>http://breachblog.com/2008/04/22/boi.aspx#comment-1029827</link><dc:creator>Evan Francen</dc:creator><description>My first thought is, do you think that the bank would tell you any different?&amp;nbsp; It would be extremely rare for an organization to state that the risk of fraud is "very high".&amp;nbsp; I also wonder who conducted the assessment and what methods were used to draw their conclusion.&amp;nbsp; We have all heard words and they don't mean much to me without actions.&lt;br&gt;&lt;br&gt;Do you really need "bank account passwords, PIN numbers or copies of signatures" to commit fraud?&amp;nbsp; The laptops still stored medical records, bank account details, names, addresses, and dates of birth.&amp;nbsp; Names and addresses can probably be considered public information, or at least semi-public.&amp;nbsp; Medical records and bank account details could be damaging.&amp;nbsp; In context, all of the information exposed is damaging and thieves can easily use it to perpetuate further fact finding (i.e. 
spear phishing).&lt;br&gt;&lt;br&gt;Considering only the information I know, I don't think I would go as far as to say the risk is "very low".&amp;nbsp; I also wouldn't say that risk is high.&amp;nbsp; It is somewhere in the middle.&amp;nbsp; The primary issue I take is no matter what the risk is now, it should have been reduced significantly if information security were managed more appropriately.&lt;br&gt;</description><guid isPermaLink="true">http://breachblog.com/2008/04/22/boi.aspx#comment-1029827</guid><pubDate>Thu, 08 May 2008 09:07:05 GMT</pubDate></item><item><title>Comment on Lost Bank of Ireland laptops affect roughly 30,000 (updated) customers</title><link>http://breachblog.com/2008/04/22/boi.aspx#comment-1029708</link><dc:creator>Fergal</dc:creator><description>It appears that number has now jumped to 30,000, and what about this statement from the bank, "the bank said an assessment had concluded that the risk of fraud arising from the thefts was 'very low'", see &lt;a href="http://www.rte.ie/business/2008/0428/boi.html"&gt;http://www.rte.ie/business/2008/0428/boi.html&lt;/a&gt; Your thoughts?</description><guid isPermaLink="true">http://breachblog.com/2008/04/22/boi.aspx#comment-1029708</guid><pubDate>Thu, 08 May 2008 08:11:21 GMT</pubDate></item><item><title>Comment on Donor personal information was on Lifeblood stolen laptop</title><link>http://breachblog.com/2008/02/14/lifeblood.aspx#comment-1022560</link><dc:creator>Evan Francen</dc:creator><description>Duly noted.&amp;nbsp; I wish more lawyers (and people in general) had the same motivation you state that you do.&amp;nbsp; My experience varies.&lt;br&gt;&lt;br&gt;I have made an ass out of myself more times than I care to mention.&amp;nbsp; If I make an ass out of myself here, then so be it.&lt;br&gt;&lt;br&gt;Best Wishes to you Charles.&amp;nbsp; Thank you.&lt;br&gt;</description><guid isPermaLink="true">http://breachblog.com/2008/02/14/lifeblood.aspx#comment-1022560</guid><pubDate>Mon, 05 May 
2008 08:15:05 GMT</pubDate></item></channel></rss>