Backup tape stolen from New Hampshire auto dealer, thousands affected

Date Reported:
12/11/08

Organization:
Bill Dube Ford/Toyota

Contractor/Consultant/Branch:
None

Location:
Dover, New Hampshire

Victims:
Customers

Number Affected:
"thousands"

Types of Data:
"names, addresses, Social Security numbers and driver's license information"

Breach Description:
"DOVER – Personal information from thousands of people in New Hampshire and Massachusetts has been compromised after a data backup tape from Bill Dube Ford/Toyota was stolen this summer."

Reference URL:
New Hampshire Union Leader
Associated Press via WCAX-TV News

Report Credit:
Clynton Namuo, New Hampshire Union Leader

Response:
From the online sources cited above:

DOVER – Personal information from thousands of people in New Hampshire and Massachusetts has been compromised after a data backup tape from Bill Dube Ford/Toyota was stolen this summer.
[Evan] Throughout the articles, there is no mention of encryption. A strong piece of advice to people: if you are going to back up thousands of sensitive customer records onto tape, encrypt it! The ideal is to encrypt all sensitive data at rest and in transit (don't forget to securely manage keys).

The pilfered data include names, addresses, Social Security numbers and driver's license information, but no financial data such as credit card information, from customers at Bill Dube's dealerships in Dover and Wilmington, Mass.
[Evan] Who needs financial information when you have a name, an address, a Social Security number, and likely employment information? I assume that this information on tape was collected in order to process loan applications.

The data were discovered stolen on Aug. 5 and reported to police that same day.

Customers were informed of the breach in a letter dated Dec. 5.
[Evan] Four months seems entirely too long to conduct an investigation into what data was stored on the tape.

Police are investigating the breach as a theft, but so far none of the information has been used to steal anyone's identity, Dover Police Lt. David Terlemezian said.

"The investigation is active; we haven't developed evidence against any particular person at this point," he said. "Exactly what happened and how it happened isn't entirely clear."

Company officials could not say yesterday precisely how many people were affected by the breach or what time period the data covered.
[Evan] I think the word "could" should be replaced with the word "would" in this statement. (BTW, that's three different words that end in "ould" in one sentence!)

"It was in the thousands," said Bill Dube attorney Scott Silverman, of the Boston office of McCarter & English, about the number of people affected.

"I believe it was more than 10,000."
[Evan] That is a heckuva lot of records! I guess I wouldn't think that an automobile dealership would have so much sensitive customer information. Let's suppose that the sensitive information was collected as part of the loan application process. Once a loan application has been sent to and/or approved/declined by a lender, does the auto dealership still need to keep it? This dealership may make some of its own borrowing decisions, so maybe they need to keep those. I should take some time to understand the auto dealer's business a little more.

Customers who purchased vehicles and those who had their vehicles serviced at the dealerships are affected.

The company has asked those with concerns to place fraud alerts on their credit files in case anyone tries to open new cards under their name.

A single data tape was stolen from a secure storage room at the Dover dealership on Dover Point Road in August, Silverman said.
[Evan] How secure is "secure"? If we just assume that at some point, some day, a backup tape will go missing, then we ask ourselves what additional cost-effective controls could we employ to protect the data? This type of thinking is an example of defense-in-depth, a pretty good information security concept.
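The control that answers both of the points above (the missing encryption noted earlier and the "assume the tape walks out the door" thinking here) is encrypting the backup with a key that is escrowed separately from the tape. The following Go program is an added illustration, not code from the article or the dealership: it seals a constructed sample customer file with AES-256-GCM, binds the tape label as associated data, and shows that a restore succeeds only with the escrowed key. The record format, the tape label, and the fingerprint scheme are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// constructedRecords stands in for the customer file that would be written
// to the backup tape (constructed sample data, not from the article).
var constructedRecords = []byte(
	"name=Jane Example,ssn=000-00-0000,dl=EX0000000\n" +
		"name=John Example,ssn=000-00-0001,dl=EX0000001\n")

// NewBackupKey returns a fresh 256-bit key. In practice the key lives in a
// KMS/HSM or an offline escrow, never on the tape next to the data.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals plaintext with AES-256-GCM. The tape label is bound as
// associated data so a payload cannot be silently swapped between tapes.
// Output layout: nonce || ciphertext+tag.
func EncryptBackup(key, plaintext []byte, tapeLabel string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(tapeLabel)), nil
}

// DecryptBackup reverses EncryptBackup. A wrong key, a mismatched label, or
// any bit flip in the payload makes Open fail instead of returning garbage.
func DecryptBackup(key, sealed []byte, tapeLabel string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(tapeLabel))
}

// KeyFingerprint is what goes in the tape inventory: enough to locate the
// right key in escrow, useless for recovering the data by itself.
func KeyFingerprint(key []byte) string {
	sum := sha256.Sum256(key)
	return fmt.Sprintf("%x", sum[:8])
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	sealed, err := EncryptBackup(key, constructedRecords, "TAPE-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("TAPE-0001: %d bytes sealed, key fingerprint %s\n", len(sealed), KeyFingerprint(key))

	// Restore with the escrowed key succeeds.
	if _, err := DecryptBackup(key, sealed, "TAPE-0001"); err != nil {
		panic(err)
	}
	// Someone holding only the tape (no key) gets an authentication error.
	other, _ := NewBackupKey()
	if _, err := DecryptBackup(other, sealed, "TAPE-0001"); err == nil {
		panic("decrypt with wrong key should have failed")
	}
	fmt.Println("restore with escrowed key: ok; without the key: authentication failed")
}
```

The design point is the separation: the tape carries the ciphertext and a key fingerprint, the escrow carries the key, and a stolen tape on its own reveals nothing the storage-room lock was supposed to protect. Rotating keys per tape and recording which fingerprint belongs to which tape also makes the "what was on it?" investigation a matter of looking up the inventory rather than four months of work.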

He said few people knew of the storage room and whoever stole the tape accessed the room via a staircase in the back of the dealership.

Dealership officials notified authorities of the alleged theft as soon as it was learned of; the data breach triggered investigations by police and the company, Silverman said.

The attorney generals from New Hampshire and Massachusetts also had to be notified.

In the case of Massachusetts, that attorney general also had to sign off on any notification letter to customers.
[Evan] I have to admit, I did not know this.

Silverman said company officials also had to figure out what data were stolen.

He said it's unclear how useful the data could be to thieves, because it was kept in a format that requires specialized software to be read.
[Evan] Backup software is specialized, as in it is used for a specific purpose. I wouldn't confuse "specialized" with hard to obtain or hard to use.

That process of investigation and notification is why customers weren't notified until this month, Silverman said.

"The dealership executives feel very strongly that whoever did this, the intent was to give them a hard time and have them have to go through a process like this," he said.
[Evan] This is always a possibility. I think we are seeing this type of motivation in some electronic discovery-related lawsuits lately. With eDiscovery, basically all someone needs to do is file a lawsuit. If the target of the suit is not well prepared, it could end up costing thousands of hours and millions of dollars.

Commentary:
This is the first auto dealership breach that I have mentioned on The Breach Blog. Almost 600 breaches, and only one concerning an auto dealership? Hmm.

How can we (information security professionals) effectively reach out to small to medium-sized businesses and offer them advice on how to manage information security more wisely? I have a feeling that the problems will get worse before they get better.

One last note. Most auto dealers have until May 2009 to be compliant with the FTC Red Flag Rules. There seems to be increased enforcement activity at the FTC lately; see the Sony BMG violation of COPPA (FTC News Release).

Past Breaches:
Unknown
