Category: breaches

Ameritrade, 200,000 SSNs, Backup Tape

Some days I feel like I’m playing Clue… It was Mr. Mustard, in the study with the lead pipe.

Ameritrade Inc. has advised 200,000 current and former customers that a computer backup tape containing their personal information has been lost, MSNBC has learned. The tape contained information spanning the years 2000-2003, and included both current and past consumers of the online broker, according to spokeswoman Donna Kush.

Bob Sullivan reports at MSNBC. Via Volubis.

DSW, IRS Security Failures

What is it with order-of-magnitude errors in victim counts? DSW Shoe reports 1.4 million credit cards exposed.

In other news, the General Accounting Office reports

[The IRS] has corrected or mitigated 32 of the 53 weaknesses that GAO reported as unresolved at the time of our prior review in 2002. However, in addition to the remaining 21 previously reported weaknesses for which IRS has not completed actions, 39 newly identified information security control weaknesses impair IRS’s ability to ensure the confidentiality, integrity, and availability of its sensitive financial and taxpayer data and FinCEN’s Bank Secrecy Act data.

Andy Sullivan has some good analysis at Computerworld. We don’t yet know of any breaches at the IRS, but that doesn’t mean there haven’t been any. It seems that California’s SB 1386 covers “any agency.” I don’t see why the Federal Government would be exempted from that, any more than they’re exempted from, say, local noise ordinances. But the IRS is legendary for their willingness to ignore the law, so it could be that they’re illegally concealing information that the law in California requires them to disclose.

Polo Ralph Lauren Breach: The Rules Have Changed.

The security failure at Polo Ralph Lauren is going to be a big story. Not Choicepoint big, but big. According to ComputerWorld, in “Scope of credit card security breach expands”:

[An emailed] statement also noted that Polo Ralph Lauren has been working with law enforcement officials and credit card companies since fall 2004 to determine the origin and extent of the compromise. “The company is confident that its credit card system is secure, and that our customers’ credit card information is properly protected,” it added.

According to [HSBC spokesperson] Nicholson, the retailer’s POS systems retained and stored credit card information rather than purging the data immediately after processing each transaction. The problem affected all credit card transactions at the retailer between June 2002 and December 2004, not just those involving HSBC-issued credit cards, he said.

The article also quotes Discover as acknowledging the problem.
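As an added illustration (not code from the article, from Polo Ralph Lauren, or from HSBC), here is what “retained and stored credit card information rather than purging the data immediately after processing each transaction” looks like in code, next to a handler that keeps only what a refund or dispute needs, plus a scan a defender can run over a transaction store to find card numbers that should not be there. The sample authorization record, its field names and the test card number are all constructed for the example.

```python
"""Added example: a POS record handler that retains full card data (the failure
the article describes) beside one that purges it, and a retention audit that
scans stored records for Luhn-valid card numbers. Every record, field name and
card number here is constructed; nothing is taken from a real system."""
import re

# Constructed sample authorization request, as a POS terminal might assemble it.
# 4111111111111111 is a widely used test PAN, not a real card.
SAMPLE_AUTH = {
    "pan": "4111111111111111",
    "expiry": "12/25",
    "cvv": "123",
    "amount_cents": 4999,
    "auth_code": "A1B2C3",
}


def retain_full_record(auth: dict) -> dict:
    """The failure mode: the whole authorization, PAN and CVV included, is written
    to the transaction store as-is and stays there for years."""
    return dict(auth)


def purge_after_processing(auth: dict) -> dict:
    """Hardened handler: once the transaction is processed, keep only the last four
    digits and the authorization reference; PAN, expiry and CVV are discarded."""
    return {
        "pan_last4": auth["pan"][-4:],
        "amount_cents": auth["amount_cents"],
        "auth_code": auth["auth_code"],
    }


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_retained_pans(records: list) -> list:
    """Audit a list of stored records and return (record index, field name) for
    every field holding a Luhn-valid candidate card number. Last-four-only
    fields, amounts and auth codes do not match."""
    hits = []
    for idx, rec in enumerate(records):
        for field, value in rec.items():
            for m in _PAN_RE.finditer(str(value)):
                digits = re.sub(r"[ -]", "", m.group(0))
                if luhn_valid(digits):
                    hits.append((idx, field))
    return hits


if __name__ == "__main__":
    store = [retain_full_record(SAMPLE_AUTH), purge_after_processing(SAMPLE_AUTH)]
    # Only the un-purged record (index 0) is flagged.
    print(find_retained_pans(store))
```

The audit is the piece worth running periodically: a retention failure like this one is silent from the application’s point of view, and the only way to notice it is to look at what the store actually holds rather than at what the processing code was supposed to keep.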

So, what’s going to make this a big story? First is the confused and defensive way information is trickling out. Second is that the problem has apparently gone on for two years, as Chris Walsh notes in “POS Security, indeed.” Third is the apparent violation of California’s disclosure & notification law.

But most importantly, while the banks weren’t looking, the American people, our media, and our elected representatives got together and decided that we get to hear about breaches that affect us. Sorry we forgot to invite you, American Bankers Association. Our bad. But we’ve taken a vote, and it was pretty overwhelming. We don’t like it when you treat us like mushrooms. All that dark and dank doesn’t agree with us. Statements like “our customers’ credit card information is properly protected” are clearly lies. If it were true, there’d be no story to report on.

Americans are mostly forgiving. If Ralph Lauren had come out and said “Sorry, we made a mistake, here are the facts,” they’d be forgiven. People chose to shop there. People chose to do business with HSBC for their GM Mastercard; with Discover; and with all the other credit card companies. They understand there’s a risk of a breach, and are willing to accept that. (Especially because it’s credit cards, which are mostly easily changed, rather than social security numbers.)

So this story is a story not because of the breach, but because these banks didn’t get the memo: the rules have changed.

59 breaches at Lexis-Nexis

[T]he company said just 2% of those informed by the company in March of the security breach had accepted its offer of free credit monitoring and none had reported identity theft. All the others will also be offered the services, it said.

(From CNN, or see the statement here.)

So, let’s review. A slew of people are trolling Lexis-Nexis’ databases. They’re not stealing identities. So what are they doing?

One thing that springs to mind is that Lexis Nexis is providing the back end data for CAPPS-II, Secure Flight, and probably ‘Trusted Traveller.’ (No Place To Hide, p. 225.) So if a terrorist got hold of this data, then they might have 5,200 or so names, addresses, social security numbers, and everything else needed to impersonate people so that they’d be seen as ‘clean’ by Secure Flight. That could be worth a lot more than the few tens of thousands of dollars you might steal.

Before the biometric cheerleading squad jumps out, please remember that we don’t know if any of those 59 accounts that were used had update or corrections privileges into the database.

Small Bits: Digitizing Art, Making Sense, Wages of Sin, Pookmail

  • Capturing the Unicorn is an article at the New Yorker about the hubris of technologists trying to capture art. (The technologists win, but the archivist in me asks: CDs?)
  • 13 things that do not make sense is a New Scientist article about, well, 13 things that don’t make sense. Some foolish people might look at it, and say, look, science doesn’t have all the answers. But that’s ok. Science doesn’t need to provide all the answers. It provides us a way to approach problems, which often involves saying “huh. I just don’t know. How could we find an answer?”
  • Financial Cryptography discusses “The Wages of Sin,” with a Forbes article on the market gap left by Paypal’s choice to apply a morality bit to transactions.
  • Pookmail is a free web site to send spam to.
  • Finally, San Jose Medical Group was broken into, and two computers were stolen, with personal data about 185,000 people. Interestingly, that’s three times as many as they say they serve on their home page.

More on Nevada DMV

In working on the Choicepoint roundup for tomorrow, I found Axinar pointing to this story about the Las Vegas DMV heist. Apparently, all that encryption? Err. Never mind.

But Lewis said Friday that Digimarc Corp., the Beaverton, Ore.-based company that provides digital driver’s licenses in Nevada, told her Thursday the information was not encrypted, and was readily accessible.

[Update: Speaking of oops, I messed up Axinar’s name, and have fixed that.]

1,700 Drivers Licenses stolen

The theft occurred early Monday in a remote industrial area, authorities said. The thieves took blank licenses and laminated covers, a digital license camera, a camera computer and a license printer.

“It’s been pondered that this has national security interests,” [police spokesman Tim] Bedwell said. “But it’s easier to pass a fake ID to a teller than to use it to get on a plane and fly internationally.”

He’s clearly right. (Actually, he’s totally off. With the possible remaining exception of Canada, you can’t fly internationally with a drivers license. But you sure can fly around the US on one.)

(From the Seattle Post Intelligencer, via Qaddisin Security Blog.)

[Update: To clarify, what was stolen was everything needed to create perfect license forgeries, not the data. Also, this Las Vegas Review Journal story is a little better.]