Chase Data for 2.6 Million Ends up in Landfill
svonkie writes to mention a ComputerWorld story about some bad news for some 2.6 million Chase credit card customers. These folks are being told that tape backups with their information were mistakenly thrown away back in July. There's apparently no need to worry about the possibility of compromised personal information; the company believes the tapes were destroyed at a landfill. Just the same, "To prevent similar incidents, Chase said it is strengthening its security procedures and is conducting a review of all data storage and protection processes. Chase began notifying the affected customers about the incident yesterday and said the process is expected to take two to three weeks. The company is offering one year of free credit monitoring to people whose Social Security numbers were on the tapes."
If they think the tapes were destroyed, how do they know exactly which card numbers were on the tapes? I mean they may know the bulk, but not all, right? Or would they? If they got rid of the tapes, would they still have the indexes?
Is this data not encrypted!?!
Yikes! A dumpster diver's paradise!
Check out my sci-fi/humor trilogy at PatriotsBooks.
These folks are being told that tape backups with their information were mistakenly thrown away back in July.
Well, they better go Chase it!
The theory of relativity doesn't work right in Arkansas.
Company spokesman says, "Ooops. Our bad. Please, Mr. Government, whatever you do to punish us, don't give us lots of money. We hate that." Government officials are trying to determine how much money to punish them with.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Gee, what if this was an inside job, and they were placed in the trash to be retrieved later before making it to the dump?
You are being MICROattacked, from various angles, in a SOFT manner.
Grab your shovels boys and watch your step on those hypodermic needles!
...thinking that the tapes were destroyed is not an acceptable answer. From a PR standpoint they should've just lied or said they were taking actions to make sure they were destroyed.
It's inconceivable that these companies can be so careless with their customers' data!
The article summary posted above fails to mention that these were Circuit City credit customers. That is a very important bit of info as many retail credit card holders often have no idea who the issuing bank is.
I say they nuke the site from orbit. It's the only way to be sure.
When our name is on the back of your car, we're behind you all the way!
Is it just me, or is the whole "pay for" credit monitoring industry a big con?
You have to PAY to find out what information may or may not be stored about you? It may be correct; it may be erroneous: you don't find out until you've stumped up the cash (and yes, I realise that the credit companies are required to make information available in the event that you are turned down for credit... but what about those who are just curious?).
And in this instance, what happens when that year is up?
I'm tired of all these people who have my social security number treating it like some useless account number or the like. We need to strengthen the laws against requiring social security numbers in the first place (and make it tougher for places to obtain the social without your providing it -- like Chase -- these people didn't give Chase their social, Chase obtained it when it did a credit search on their application). And we need a law MANDATING encryption and tough access controls on this data.
Now we know where this guy funds his science projects and student loans.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
There's a news summary on their main web page:
Circuit City Customers
Chase is notifying a segment of Circuit City credit card account holders that computer tapes containing their personal information were mistakenly discarded.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I knew they'd end up down in the dumps
Forget dumpster diving .. landfill diving's the new shiznit!
I knew there was a reason I went with Capital One...
What's in your wallet???
So what it came down to is someone not doing the proper procedure.
human stupidity will cut right through it. Why doesn't the bank just leave a few hundred thousand dollars of their customer's money in the middle of the landfill.
I worked for Chase when this happened.
The guys couldn't find the tape(s) and were SURE that they had ended up in the storage locker...
Guess they couldn't find them there...
--E--
What the summary doesn't mention but it's in the article that it affects Circuit City customers only. At least, my Amazon card is OK. (I hope...)
Maybe they should put their backups on DivX disks?
Anyway I missed the bullet by that much since my card came in August.
To prevent similar incidents, Chase said it is strengthening its security procedures and is conducting a review of all data storage and protection processes.
How in the world would they just now find out that they threw such a thing away if they weren't already conducting some kind of review like that? The truth must be that they were already conducting the review, found the prior mistake, and then used the review as a way of atoning for the mistake.
Have you ever wondered How to Take Over
Joss Whedon is now my master too.
Especially when referring to geeks and sex.
With so many companies collecting personal data about customers, and with the complexity of managing this data with the necessary protections, it seems like incompetence in managing customer data is prevalent. Customers are justified in not trusting the companies to manage their data properly.
It looks like a great opportunity for some IT company to come along and provide some standardized service. For example, the management company would provide options on encryption, accessing/sharing policies, archiving, and disposal. If these standards were widely publicized and met with public approval, then customers would be safer dealing with companies that used this service and would know exactly what they were getting (or getting into).
Is this sort of thing already going on?
I used to work at a Chase subsidiary, and no amount of IT incompetence from them surprises me. Frankly I'm shocked we were never sued into the ground with the idiotic things they did; for example, sending out tax forms for RV loans late, resulting in customers losing tax refund money; also (it was a "loan servicer") we'd call people 3x or more/day after they'd already spoken to us.
The corporate intranet webshite had a form that all employees had to agree to yearly. My section all did theirs after I did, and each time they logged in *on different machines and with different accounts* the form thought they were me.
I know I could name many more things, but it's been a couple years and I've successfully blocked out most of those memories.
Poor girl knows nothing about computers and isn't real high on technology in general, but I threw her the news just in case we happen to have a Chase card stashed somewhere, or one of the kids perhaps. Anyway, the first words out of her mouth were, "how can these people continuously allow this to happen?"
Indeed. This has been a hot button topic on the radar scopes for a good while now and everybody in charge of these systems should be damn well aware of the risks and implications of mishandling such data.
I'm in charge of relatively small amounts of data that doesn't contain anywhere near the risk factors of a credit card company, yet we have redoubled efforts and policy in the handling, storage and disposal of that data and everyone else I know has done the same thing. In fact I know of no one who doesn't treat these issues with all seriousness.
Can the results we see today be anything other than willful negligence?
As a previous poster humorously commented, "that the site should be nuked from orbit", should there not be a jobs equivalent in this instance?
If I have any other comment to make, it would not be too late to discuss just how much information should be necessary to obtain given any particular venue.
To clarify, many companies request far more information for their data mining operations than is required to simply conduct the transactions of business and a SSN is not a National ID card as some seem to surmise.
I have a Chase Circuit City credit card. Why am I first hearing about this on Slashdot instead of from an email from Chase?
>> the company believes the tapes were destroyed at a landfill.
Like they'd have bothered to find out for sure if it got trashed or where every item in their trash goes.
Read: we really don't know where it is, but no one seems to have used the data yet, so we're going to say some non-committal "we believe" bullshit to make you feel happier.
Really I am shocked that it does not happen (or at least doesn't get reported) more often. All it takes is one stupid employee, or one mis-run report and hundreds of tapes can end up anywhere.
Companies in the Fortune 500, let alone financial institutions in the Fortune 50, have hundreds of thousands of backup tapes. These tapes do eventually wear out and need to be replaced. Typically, you would destroy the tapes onsite before discarding them, but sometimes an outside vendor (Iron Mountain, for example) could be retained to destroy the tapes for you. Also, hundreds of tapes are sent offsite and received each day, possibly to dozens of facilities. Tracking each and every tape is a laudable goal, but eventually any system, especially those involving people, can break down.
Companies find a balance, where they are spending a certain amount of capital to protect this data while still being able to remain competitive. If Chase had to hire a security guard to watch each tape, their stockholders would riot and they would be sunk. On the other hand, if they are not paying attention to the security, it gets noticeably lost, and this too costs the company money. It's not all or nothing, and nothing is perfect. Chase, as well as every other large company in the country, is working hard, but not too hard, to protect your privacy.
This is good, as it provides customers with a nice balance of decent prices, good services and a respectable level of privacy. If you concentrate too much on privacy, costs increase and it becomes harder to serve your customers. While some people would pay more for extra security over their information, this is probably a small minority in today's Wal-Mart world.
The hard part is finding the place where everything balances well.
So, while I am sure heads are rolling at Chase, I am not horribly mad at them (I am a customer of theirs, but have not received a letter). I understand how things like this can happen.
I know this for a fact, because of all the spam I keep getting telling me to fix the particulars of a Chase bank account which I have never had in the first place. Obviously there are bit errors in the data :-)
Someone had to do it.
Missing tapes would not be detected through a review of procedures. Reviewing procedures is generally a boring process of meetings, followed by reading and altering ISO 9000-type documents. It's dry, boring, and the major accomplishment is a shiny new binder of procedures.
In this case, there could have already been a procedure in place that detected the missing tapes. They might have been detected during a review of their tape inventory. Alternatively, the tapes could easily have been detected missing in a standard data storage procedure: test your backups. After all, you don't know they are backups unless they are restored and match what was backed up. If they were found missing during the "test", that would be an indication of a broken procedure somewhere (after all, a significant part of a backup procedure must be: don't lose the tapes!).
So, they are reviewing the procedures to ensure that the mistake that produced missing tapes doesn't occur again. I don't see this as anything malicious or deceitful. Stupid, perhaps, but that's why they admit they have improvements to make.
Note: I am not a Chase employee, nor a customer.
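The two detection paths named in the post above (a restore that is actually compared against what was backed up, and a reconciliation of the tape inventory against what is physically on the shelf), as an added example that is not part of the original thread and does not describe any Chase process. It is a stand-alone Python script: constructed sample files are packed into an in-memory tar image standing in for a tape, a manifest of tape labels and file digests is written at backup time and kept apart from the tapes, the archive is then genuinely restored and every file's digest checked, and the tape labels the manifests claim are reconciled against a hypothetical vault scan. Tape labels, file names and contents are all made up for the example.

```python
"""Backup verification and tape-inventory reconciliation (added example)."""
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_archive(files: dict) -> bytes:
    """Pack {name: bytes} into an uncompressed tar image, the way a backup
    job would before streaming the set to tape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def write_manifest(tape_ids, files: dict) -> dict:
    """Record, at backup time, which tapes hold this set and what each file
    hashed to. The manifest lives in the catalog, not on the tapes, so it is
    still available when the tapes themselves are lost."""
    return {
        "tapes": sorted(tape_ids),
        "files": {name: sha256(data) for name, data in files.items()},
    }


def restore_and_verify(archive: bytes, manifest: dict) -> list:
    """Do a real restore (extract every member) and compare each file's digest
    with the manifest. Returns a list of problems; an empty list means the
    backup has been proven restorable, not just assumed to be."""
    problems = []
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            data = tar.extractfile(member).read()
            seen.add(member.name)
            expected = manifest["files"].get(member.name)
            if expected is None:
                problems.append(f"unexpected file on tape: {member.name}")
            elif sha256(data) != expected:
                problems.append(f"digest mismatch: {member.name}")
    for name in manifest["files"]:
        if name not in seen:
            problems.append(f"missing from restore: {name}")
    return problems


def reconcile_inventory(manifests, vault_scan) -> dict:
    """Compare every tape label the manifests say should exist with the labels
    a physical scan of the vault or offsite locker actually found. A tape in
    'missing' is the condition the post describes: the catalog still knows the
    tape, but nobody can put their hands on it."""
    expected = {t for m in manifests for t in m["tapes"]}
    scanned = set(vault_scan)
    return {"missing": sorted(expected - scanned),
            "unknown": sorted(scanned - expected)}


# Constructed sample data (hypothetical tape labels, paths and contents).
FILES = {
    "accounts/0001.dat": b"card=************1234,ssn=***-**-6789\n",
    "accounts/0002.dat": b"card=************9876,ssn=***-**-4321\n",
}
MANIFEST = write_manifest(["TAPE-0007", "TAPE-0008"], FILES)
ARCHIVE = build_archive(FILES)
VAULT_SCAN = ["TAPE-0007"]  # the scan turned up only one of the two tapes


if __name__ == "__main__":
    print("clean restore:", restore_and_verify(ARCHIVE, MANIFEST))
    damaged = build_archive({**FILES, "accounts/0002.dat": b"garbage"})
    print("damaged restore:", restore_and_verify(damaged, MANIFEST))
    print("inventory:", reconcile_inventory([MANIFEST], VAULT_SCAN))
```

Two design choices matter here: the manifest is written when the tapes are cut and stored away from them, so a lost tape still shows up as "missing" at the next reconciliation; and verification extracts and re-hashes every member rather than trusting that a tar header is readable, because a tape that mounts but restores the wrong bytes is not a backup.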
They need to be held accountable for this mistake.
If more security breaches result in financial penalties, then they will finally do something about it.
They have incentive to worry about this at present, they just take a P.R. hit and carry on regardless.
Unless the P.R. hit becomes a huge issue for them, or the government takes notice, or they lose $$$, they'll just not care.
Give them a break! With all the havoc that's happening at Chase HQ, I'd imagine that something like this could be overlooked.
I have had the unfortunate pleasure of dealing with Chase on both a business and a personal level. This is a classic case of Chase covering their ass once again for trying to cut corners and once again, failing their customers. Nice cover story, I am not buying it for a second.
How about something actually worthwhile? Credit monitoring should be free anyway. Give the affected people $250 each as a minimal insurance and a self-imposed fine for stupidity. Personally I'd prefer something like $5,000 each, but that's because I hate Chase.
Household Bank. And after they absolutely dicked me over on one of them 'buy now pay later' plans, I refuse to use any card backed by that bank.
paintball
So that's why they keep sending me emails to update the information on my account!
...laura
I would hope that any old tapes would be shredded according to some predefined corporate security policy...
I mean, yeah, they really should have destroyed those tapes if they meant to throw them out. But I'm having a hard time believing that any dumpster divers are actually crawling through trash cans and picking up old backup tapes just on the off-chance that there might be credit card info on them. Seems like there's probably far, far easier ways to get 2 million valid credit card numbers.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
Interesting timing. Just a moment ago I opened my mailbox and found a letter from the Department of Veterans Affairs. It seems they found the stolen hard drive that contained personal info on 26.5 million veterans. According to the letter, the FBI found the laptop and hard drive.
As a further backup, the VA has "obtained data breach analysis services as a means of further ensuring no misuse of this data occurs in the future."
Like Chase, the VA is "thoroughly examining every aspect" of their information security program. In the case of the VA snafu, an employee took the laptop home in violation of VA policy. The rash of these incidents makes me wonder how we can expect any sort of large organization to keep a lid on data spills like these, given that most people can't be bothered with basic security precautions even on their own computers. Even if the VA spends millions upon millions of dollars upgrading their security technology and processes (which of course will draw the wrath of opponents of government waste), I'm not sure it will make much difference.
Read the EFF's Fair Use FAQ
*Imagine you are looking at me, a masculine gentleman with a suave but geeky appearance, when suddenly an effeminate voice that is not his own begins to speak, sort of like those Citibank commercials* "Wow! This is just mah-voh-ously fabulous! I found this guy's credit card account and I was like 'Hello shopping spree!' So me and the boys went down to the gay bar and spent all this guy's money. If the fact that I stole his identity doesn't shock him, the places that I spend it will."
--Bushido Hacks, victim of identity theft.
The Rapture is NOT an exit strategy.
I was helping a VERY untechnical office staff (most around 50+ years old) move to a new building, and while going through the basement we found floppy backups of their medical and insurance info, and they told me they didn't need ones older than 10 years, of which there were some. Before I even said it, they suggested we destroy them somehow because of the sensitive data on them. I ended up putting a scissors blade through a couple hundred floppies, 3 at a time (that was FUN!). But if 50+ year old doctors know that they need to destroy stuff that holds customer data, who the hell would be stupid enough to just throw out tapes? Obviously someone at Chase.
now stop reading and go play Dance Dance Revolution!
At least they were honest about what happened and have taken steps to
1. notify their customers.
2. reevaluate their security procedures (and quickly! only 3 weeks? unheard of from giant corporations.)
3. offer free protection for their customers.
I commend their response: they actually DID SOMETHING instead of just treating it as a PR issue. If anything, this would make me want to become a customer or investor.
You mean to say you missed this bullet. They have more. A machine gun in fact, possibly weapons of mass stupidity.
Place a curse on them for this BS
While I think that companies should be appropriately punished when they do stupid things like this, what was the real risk in this case? If it was an inside job, then the risk was 100%. However, if it was just a stupid but honest mistake, then I think that a number of fairly unlikely things would have to happen before the data was fully compromised:
A criminal would have to spend some quality time at the dump hoping to find something like this
He would have to find it (I'm guessing the dump(s) for NYC are pretty big)
He would have to have the right equipment to read the data (SCSI tape drives are somewhat rare on home computers nowadays)
The data would have to be in the right format (I'm guessing that the data wasn't in tab delimited text)
The data would have to be unencrypted or very weakly encrypted (people who can break strong encryption have better ways to steal than waiting around a landfill)
I, for one, welcome our new robot overlords
After a few more of these incidents, just to get us used to the concept, they will make their move, and grab everybody's money. The big joke is that it will be played as if the banks were the ones in trouble, and we will all have to pay to get some modicum of our money back.
It'll make Enron look penny-ante.
"There's apparently no need to worry about possibility of compromised personal information; the company believes the tapes were destroyed at a landfill."
They "believed" the tapes were locked-down safe before, but they weren't. Now they "believe" the tapes were destroyed. Who cares what they "believe"? Corporations can't "believe" anything.
They need to produce evidence that these tapes were destroyed, offer proactive credit monitoring until the the personal info expires, and assume liability for any misuse of the info they exposed, indefinitely.
Or they'll just "believe" they can do it again, and just keep it better hidden next time.
--
make install -not war
It's a good first step. However, knowing that you got screwed is one thing, cleaning it up is another: a major hassle. I'd like to see one of these careless companies say that they will reimburse your costs and compensate you for time and effort if you get screwed.
then why did someone mysteriously gain access to my Chase bank account in..um...about the 3rd week of July. May just be coincidence, but it caused me quite a bit of headache as I tried to get some $900 in unauthorized charges removed from my account.
Way back in July? Hmm... let's see... oh, right! That was right about the time I saw fraudulent activity ON MY CHASE CREDIT CARD! Christ Almighty, is it soooo hard for companies in this country to not be idiotic and to take some f***ing care of their clients' private and sensitive information? I mean, really, is it that hard? "Oh, sorry, we just handed your entire life's story - bank account numbers, social security number, favorite dog's name - to that guy who walked in off the street... We thought he was the compliance officer. Ooops, our bad. Please forgive us." Ugh, this god damn country. Money, money, money, that's all anyone cares about. Wake me when someone in the corporate world finds some heart... oh, and a brain.
+1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.
The Fresh Kills Landfill in New York mysteriously disappeared this Thursday. "We don't know who did it, but approximately 4.2 million footprints were found on the scene," said the Chief of Police. "We don't know who to look for first."
In other other news, credit card fraud is on the rise.
Someone's going to find an angle to use the fact that people have ended up on a list for receiving extra transaction scrutiny.
I won't be surprised if it turns out that the entire list of these special cases is less protected than just about any other group.
Never thought I'd be able to say data mining and dumpster diving in the same sentence.
I am d3matt
For real, I just quit. I got nailed with some ID theft ten years or so ago; since then, *no merchants get my SS number*. I tell them no, they start to whine, I say get the manager, clerks can't deal with it. Tell them again, got nailed before, they can accept a deposit, issue me their own customer ID number, etc., but I refuse to give it out. I'll show them my driver's license, that's it, take it or leave it. Got my cell phone, ISPs, utilities, etc., all wanted that SS number, I didn't give it to them, and still got the accounts. I've had the same bank for over 20 years so that's not an issue, and the theft wasn't from there anyway (I think it was from a place I worked at, can't prove it though). These companies are remarkably accommodating (so far for me anyway) if you just try, explain the situation; people are all hip to ID theft now. As soon as they start saying they are "secure" and whatnot I go "look, get real, the FBI had their email hacked for 6 months and didn't know it, so let's just cool it on the secure guarantees; you don't have one", because none of them DO have a warranty with your data; they won't automagically pay for your grief if they blow it! If they claim they are "secure", ask to see their guaranteed warranty policy and how much per infraction/loss on their part it pays... that shuts them up quick.
If you want more info, google for "personal sovereignty"; there's a variety of websites out there dedicated to regaining your "personhood" and privacy and dignity and to at least get somewhat of a handle on your personal data... because it is *your* data, it is not some merchant's data. They just try to assume ownership over it, and people are too quick to hand it over.
Since that law was passed, it seems one company every 2 or 3 months ends up announcing that a huge amount of SSNs, credit card numbers, or otherwise private info has been "misplaced", etc.
Makes me wonder how much crap was lost before that law that we were never told about.
and my spam filter deleted it. Sorry...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
the company believes the tapes were destroyed at a landfill.
Let's hope they didn't share that fate with the master Apollo 11 moon tapes.
Table-ized A.I.
The company is offering one year of free credit monitoring to people whose Social Security numbers were on the tapes.
I am not a US citizen, and I wonder why an SSN is secret information that has power w.r.t. credit.
We do have a similar number, but it essentially is public information. It is printed on all letters from the tax office and social security (related) offices, and soon will be used by all government and municipality related offices. It is on your passport, your driver's license, it is everywhere.
It would be very unwise to assume that it is somehow secret.
Why would knowing this number give you more power than knowing someone's telephone or bank account number? (similar public info)
There must be a weak security system in place, which can simply be replaced. Declare the SSN a public item and all the issues around leaking it are moot.
There is nothing new about losing a box of paper records vs. a stack of backup tapes. It just seems, looking back, that people used to have more common sense. Simple thing really: the old paper records at the local town hall were in a FUCKING SAFE. The new computer system has internet. Can you see the difference? One gets locked up every night and can only be accessed by standing in front of a really big metal block right in the middle of the floor where all your colleagues and all visitors can see you, and the new one is accessible to the entire world 24/7 year round if only they can get past that wonderful security delivered by companies that think Microsoft sells Operating Systems.
This incident is just the latest in a long line where the security of data is just not taken seriously enough. Nothing to do with tech, just human nature. Put lots of valuable stuff in one place and then pay someone minimum wage to make sure it is treated properly.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I gave them a call last week, and you are right about the odd answer. The part you missed, and the one that prompted my call because I never saw my last bill, was they were bought out by Bank of America. The sender of my bill was Bank of America, which I promptly discarded thinking it was junk mail.
I was always pleased with MBNA, especially the customer service. Never had a late fee that wasn't waived, and took care of some fraudulent charges with no hassle to me at all. Will Bank of America be that good still?
Sig-"Out beyond fields of wrongdoing and rightdoing, there is a field. I will meet you there." Jelaluddin Rumi