Chase Data for 2.6 Million Ends up in Landfill
svonkie writes to mention a ComputerWorld story about some bad news for some 2.6 million Chase credit card customers. These folks are being told that tape backups with their information were mistakenly thrown away back in July. There's apparently no need to worry about the possibility of compromised personal information; the company believes the tapes were destroyed at a landfill. Just the same, "To prevent similar incidents, Chase said it is strengthening its security procedures and is conducting a review of all data storage and protection processes. Chase began notifying the affected customers about the incident yesterday and said the process is expected to take two to three weeks. The company is offering one year of free credit monitoring to people whose Social Security numbers were on the tapes."
If they think the tapes were destroyed, how do they know exactly which card numbers were on the tapes? I mean they may know the bulk, but not all, right? Or would they? If they got rid of the tapes, would they still have the indexes?
I worked for Chase when this happened.
The guys couldn't find the tape(s) and were SURE that they had ended up in the storage locker...
Guess they couldn't find them there...
--E--
I have a Chase Circuit City credit card. Why am I first hearing about this on Slashdot instead of from an email from Chase?
They could have already lied, the tapes could have been stolen and they are stating they were thrown away.
I know we all look back and say, what were they thinking with stories like this, but really, what were they thinking? Doesn't every single person that has any involvement with any type of backup media know that it contains information that anyone with that media could read? What person in the IT department would just throw them away? That does not make any sense at all. I work in a law firm of about 500 employees. I have about 500 old tapes I need to dispose of (we recently switched from DLT to LTO3). I am waiting for our security officer to provide me a vendor that meets his requirement for destruction of tapes. He wants the company we choose to certify by serial number on each tape of ours they destroy. Now we are very small compared to Chase, why do we have such strict requirements and they do not? Everyone in our IT department from secretary on up knows exactly what our security policies and guidelines are.
Interesting timing. Just a moment ago I opened my mailbox and found a letter from the Department of Veterans Affairs. It seems they found the stolen hard drive that contained personal info on 26.5 million veterans. According to the letter, the FBI found the laptop and hard drive.
As a further backup, the VA has "obtained data breach analysis services as a means of further ensuring no misuse of this data occurs in the future."
Like Chase, the VA is "thoroughly examining every aspect" of their information security program. In the case of the VA snafu, an employee took the laptop home in violation of VA policy. The rash of these incidents makes me wonder how we can expect any sort of large organization to keep a lid on data spills like these, given that most people can't be bothered with basic security precautions even on their own computers. Even if the VA spends millions upon millions of dollars upgrading their security technology and processes (which of course will draw the wrath of opponents of government waste), I'm not sure it will make much difference.
Read the EFF's Fair Use FAQ
I was helping a VERY untechnical office staff (most around 50+ years old) move to a new building and while going through the basement, we found floppy backups of their medical and insurance info and they told me they didn't need ones older than 10 years, which there were some of. Before I even said it, they suggested we destroy them somehow because of the sensitive data on them. I ended up putting a scissors blade through a couple hundred floppies, 3 at a time (that was FUN!). But if 50+ year old doctors know that they need to destroy stuff that holds customer data, who the hell would be stupid enough to just throw out tapes? Obviously someone at Chase.
now stop reading and go play Dance Dance Revolution!
I have the same question as the parent above. But credit checking for only one year? The expiration dates on those cards go far longer than a year. And to think that the data is lost in some pile of trash the size of a small canyon is, to me, criminally foolish. I think a better public relations spin would be to tell Visa or MasterCard that Chase wants to know of any wrongful use of the 'trashed' credit card numbers. Chase could then look like a hero by aggressively bringing to the courts' notice those bad guys that 'found' the data. Chase could go on to say, "Stealing from the customers of Chase is a great way to get on CNN, while wearing handcuffs." Big Business may hate bad press, Bad Guys hate it even more, and the little guy likes it when Big Business gives them better service.
I was working on a project with Equifax, one of the companies that keeps a repository of consumer credit data. We were setting up a VPN to their internal network. I offered to give them my public key so they could encrypt some configuration data. They promptly sent it all in the clear, keys and everything.
*sigh*
The sad part is there doesn't appear to be an effective evolutionary mechanism to rid the gene pool of such undesirable traits. Maybe this guy should be in charge of their data security, to help make sure the clueless don't contaminate the rest of the world.
"We are all geniuses when we dream"
- E.M. Cioran