Chase Data for 2.6 Million Ends up in Landfill
svonkie writes to mention a ComputerWorld story about some bad news from some 2.6 Million Chase credit card customers. These folks are being told that tape backups with their information were mistakenly thrown away back in July. There's apparently no need to worry about possibility of compromised personal information; the company believes the tapes were destroyed at a landfill. Just the same, "To prevent similar incidents, Chase said it is strengthening its security procedures and is conducting a review of all data storage and protection processes. Chase began notifying the affected customers about the incident yesterday and said the process is expected to take two to three weeks. The company is offering one year of free credit monitoring to people whose Social Security numbers were on the tapes."
If they think the tapes were destroyed, how do they know exactly which card numbers were on the tapes? I mean they may know the bulk, but not all, right? Or would they? If they got rid of the tapes, would they still have the indexes?
Is this data not encrypted!?!
Yikes! A dumpster diver's paradise!
Check out my sci-fi/humor trilogy at PatriotsBooks.
These folks are being told that tape backups with their information were mistakenly thrown away back in July.
Well, they better go Chase it!
The theory of relativity doesn't work right in Arkansas.
Company spokesman says, "Ooops. Our bad. Please, Mr. Government, whatever you do to punish us, don't give us lots of money. We hate that." Government officials are trying to determine how much money to punish them with.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Gee, what if this was an inside job, and they were placed in the trash to be retrieved later before making it to the dump?
You are being MICROattacked, from various angles, in a SOFT manner.
Grab your shovels boys and watch your step on those hypodermic needles!
...thinking that the tapes were destroyed is not an acceptable answer. From a PR standpoint they should've just lied or said they were taking actions to make sure they were destroyed.
The article summary posted above fails to mention that these were Circuit City credit customers. That is a very important bit of info as many retail credit card holders often have no idea who the issuing bank is.
I say they nuke the site from orbit. It's the only way to be sure.
When our name is on the back of your car, we're behind you all the way!
Is it just me, or is the whole "pay for" credit monitoring industry a big con?
You have to PAY to find out what information may or may not be stored about you? It may be correct; it may be erroneous: you don't find out until you've stumped up the cash (and yes, I realise that the credit companies are required to make information available in the event that you are turned down for credit... but what about those who are just curious?).
And in this instance, what happens when that year is up?
Now we know where this guy funds his science projects and student loans.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
There's a news summary on their main web page:
Circuit City Customers
Chase is notifying a segment of Circuit City credit card account holders that computer tapes containing their personal information were mistakenly discarded.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I knew they'd end up down in the dumps
I knew there was a reason I went with Capital One...
What's in your wallet???
So what it came down to is someone not doing the proper procedure.
human stupidity will cut right through it. Why doesn't the bank just leave a few hundred thousand dollars of their customers' money in the middle of the landfill?
I worked for Chase when this happened.
The guys couldn't find the tape(s) and were SURE that they had ended up in the storage locker...
Guess they couldn't find them there...
--E--
What the summary doesn't mention, but is in the article, is that it affects Circuit City customers only. At least, my Amazon card is OK. (I hope...)
To prevent similar incidents, Chase said it is strengthening its security procedures and is conducting a review of all data storage and protection processes.
How in the world would they just now find out that they threw such a thing away if they weren't already conducting some kind of review like that? The truth must be that they were already conducting the review, found the prior mistake, and then used the review as a way of atoning for the mistake.
Have you ever wondered How to Take Over
Inconceivable! You keep using that word. I do not think it means what you think it means
Joss Whedon is now my master too.
With so many companies collecting personal data about customers, and with the complexity of managing this data with the necessary protections, it seems like incompetence in managing customer data is prevalent. Customers are justified in not trusting the companies to manage their data properly.
It looks like a great opportunity for some IT company to come along and provide some standardized service. For example, the management company would provide options on encryption, accessing/sharing policies, archiving, and disposal. If these standards were widely publicized and met with public approval, then customers would be safer dealing with companies that used this service and would know exactly what they were getting (or getting into).
Is this sort of thing already going on?
I used to work at a Chase subsidiary, and no amount of IT incompetence from them surprises me. Frankly I'm shocked we were never sued into the ground with the idiotic things they did; for example, sending out tax forms for RV loans late, resulting in customers losing tax refund money; also (it was a "loan servicer") we'd call people 3x or more/day after they'd already spoken to us.
The corporate intranet webshite had a form that all employees had to agree to yearly. My section all did theirs after I did, and each time they logged in *on different machines and with different accounts* the form thought they were me.
I know I could name many more things, but it's been a couple years and I've successfully blocked out most of those memories.
That suggests a limited imagination. It's easily conceived by anyone who's been following such news recently. What may be inappropriately conceivable is that there's a company that could never do such a thing -- if it's possible, it must be that they don't employ humans.
I have a Chase Circuit City credit card. Why am I first hearing about this on Slashdot instead of from an email from Chase?
>> the company believes the tapes were destroyed at a landfill.
Like they'd have bothered to find out for sure if it got trashed or where every item in their trash goes.
Read: we really don't know where it is but no-one seems to have used the data yet, so we're going to say some non-committal 'we believe' bullshit to make you feel happier.
Really I am shocked that it does not happen (or at least doesn't get reported) more often. All it takes is one stupid employee, or one mis-run report and hundreds of tapes can end up anywhere.
Companies in the Fortune 500, let alone financial institutions in the Fortune 50, have hundreds of thousands of backup tapes. These tapes do eventually wear out and need to be replaced. Typically, you would destroy the tapes onsite before discarding them, but sometimes an outside vendor (Iron Mountain for example) could be retained to destroy the tapes for you. Also, hundreds of tapes are sent offsite and received each day, possibly to dozens of facilities. Tracking each and every tape is a laudable goal, but eventually, any system, especially those involving people, can break down.
Companies find a balance, where they are spending a certain amount of capital to protect this data, while still being able to remain competitive. If Chase had to hire a security guard to watch each tape, their stockholders would riot and they would be sunk. On the other hand, if they are not paying attention to the security, it gets noticeably lost, and this too costs the company money. It's not all or nothing, and nothing is perfect. Chase, as well as every other large company in the country, is working hard, but not too hard, to protect your privacy.
This is good as it provides customers with a nice balance of decent prices, good services and a respectable level of privacy. If you concentrate too much on privacy, costs increase and it becomes harder to serve your customers. While some people would pay more for extra security over their information, this is probably a small minority in today's Wal-Mart world.
The hard part is finding the place where everything balances well.
So, while I am sure heads are rolling at Chase, I am not horribly mad at them (I am a customer of theirs, but have not received a letter). I understand how things like this can happen.
I know this for a fact, because of all the spam I keep getting telling me to fix the particulars of a Chase bank account which I have never had in the first place. Obviously there are bit errors in the data :-)
Someone had to do it.
Give them a break! With all the havoc that's happening at Chase HQ, I'd imagine that something like this could be overlooked.
I have had the unfortunate pleasure of dealing with Chase on both a business and a personal level. This is a classic case of Chase covering their ass once again for trying to cut corners and once again, failing their customers. Nice cover story, I am not buying it for a second.
Household Bank. And after they absolutely dicked me over on one of them 'buy now pay later' plans, I refuse to use any card backed by that bank.
paintball
So that's why they keep sending me emails to update the information on my account!
...laura
I would hope that any old tapes would be shredded according to some predefined corporate security policy...
I mean, yeah, they really should have destroyed those tapes if they meant to throw them out. But I'm having a hard time believing that any dumpster divers are actually crawling through trash cans and picking up old backup tapes just on the off-chance that there might be credit card info on them. Seems like there's probably far, far easier ways to get 2 million valid credit card numbers.
there is no need to sign your posts. this isn't usenet. your username is right there above your post. stop it.
Interesting timing. Just a moment ago I opened my mailbox and found a letter from the Department of Veterans Affairs. It seems they found the stolen hard drive that contained personal info on 26.5 million veterans. According to the letter, the FBI found the laptop and hard drive.
As a further backup, the VA has "obtained data breach analysis services as a means of further ensuring no misuse of this data occurs in the future."
Like Chase, the VA is "thoroughly examining every aspect" of their information security program. In the case of the VA snafu, an employee took the laptop home in violation of VA policy. The rash of these incidents makes me wonder how we can expect any sort of large organization to keep a lid on data spills like these, given that most people can't be bothered with basic security precautions even on their own computers. Even if the VA spends millions upon millions of dollars upgrading their security technology and processes (which of course will draw the wrath of opponents of government waste), I'm not sure it will make much difference.
Read the EFF's Fair Use FAQ
*Imagine you are looking at me, a masculine gentleman with a suave but geeky appearance when suddenly an effeminate voice that is not his own begins to speak, sort of like those Citi bank commercials* "Wow! This is just mah-voh-ously fabulous! I found this guy's credit card account and I was like 'Hello shopping spree!' So me and the boys went down to the gay bar and spent all this guy's money. If the fact that I took his identity is stolen doesn't shock him, the places that I spend it will."
--Bushido Hacks, victim of identity theft.
The Rapture is NOT an exit strategy.
I was helping a VERY untechnical office staff (most around 50+ years old) move to a new building and while going through the basement, we found floppy backups of their medical and insurance info and they told me they didn't need ones older than 10 years, which there were some of. Before I even said it, they suggested we destroy them somehow because of the sensitive data on them. I ended up putting a scissors blade through a couple hundred floppies, 3 at a time (that was FUN!) But if 50+ year old doctors know that they need to destroy stuff that holds customer data, who the hell would be stupid enough to just throw out tapes? Obviously someone at Chase.
now stop reading and go play Dance Dance Revolution!
They obviously heard of what happened to the Sharp Cereal Professor
Let's not run that reference into the ground like we did the old "I for one welcome our new [insert subject] overlords" shall we? I'm particularly fond of that movie, and that line, which is why I would like to preserve it for later enjoyment.
Does this sig remind you of Agatha Christie?
You mean to say you missed this bullet. They have more. A machine gun in fact, possibly weapons of mass stupidity.
Place a curse on them for this BS
While I think that companies should be appropriately punished when they do stupid things like this, what was the real risk in this case? If it was an inside job, then the risk was 100%. However, if it was just a stupid but honest mistake then I think that a number of fairly unlikely things would have to happen before the data was fully compromised:
A criminal would have to spend some quality time at the dump hoping to find something like this
He would have to find it (I'm guessing the dump(s) for NYC are pretty big)
He would have to have the right equipment to read the data (SCSI tape drives are somewhat rare on home computers nowadays)
The data would have to be in the right format (I'm guessing that the data wasn't in tab delimited text)
The data would have to be unencrypted or very weakly encrypted (people who can break strong encryption have better ways to steal than waiting around a landfill)
I, for one, welcome our new robot overlords
"There's apparently no need to worry about possibility of compromised personal information; the company believes the tapes were destroyed at a landfill."
They "believed" the tapes were locked-down safe before, but they weren't. Now they "believe" the tapes were destroyed. Who cares what they "believe"? Corporations can't "believe" anything.
They need to produce evidence that these tapes were destroyed, offer proactive credit monitoring until the personal info expires, and assume liability for any misuse of the info they exposed, indefinitely.
Or they'll just "believe" they can do it again, and just keep it better hidden next time.
--
make install -not war
It's a good first step. However, knowing that you got screwed is one thing, cleaning it up is another: a major hassle. I'd like to see one of these careless companies say that they will reimburse your costs and compensate you for time and effort if you get screwed.
Way back in July? Hmm... let's see... oh, right! That was right about the time I saw fraudulent activity ON MY CHASE CREDIT CARD! Christ Almighty, is it soooo hard for companies in this country to not be idiotic and to take some f***ing care of their clients' private and sensitive information? I mean, really, is it that hard? "Oh, sorry, we just handed your entire life's story - bank account numbers, social security number, favorite dog's name - to that guy who walked in off the street... We thought he was the compliance officer. Ooops, our bad. Please forgive us." Ugh, this god damn country. Money, money, money, that's all anyone cares about. Wake me when someone in the corporate world finds some heart... oh, and a brain.
+1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.
As you wish.
[duck]
--
dman123 forever!
Filtering out the -1s and 0s since 1999.
The Fresh Kills Landfill in New York mysteriously disappeared this Thursday. "We don't know who did it, but approximately 4.2mil footprints were found on the scene," said the Chief of Police, "We don't know who to look for first."
In other other news, credit card fraud is on the rise.
Never thought I'd be able to say data mining and dumpster diving in the same sentence.
I am d3matt
Since that law was passed it seems one company every 2 or 3 months ends up announcing a huge amount of SSNs, credit card numbers, or otherwise private info has been "misplaced" etc.
Makes me wonder how much crap was lost before that law and we were never told about.
the company believes the tapes were destroyed at a landfill.
Let's hope they didn't share that fate with the master Apollo 11 moon tapes.
Table-ized A.I.
The company is offering one year of free credit monitoring to people whose Social Security numbers were on the tapes.
I am not a US citizen, and I wonder why an SSN is secret information that has power w.r.t. credit.
We do have a similar number, but it essentially is public information. It is printed on all letters from the tax office and social security (related) offices, and soon will be used by all government and municipality related offices. It is on your passport, your driver's license, it is everywhere.
It would be very unwise to assume that it is somehow secret.
Why would knowing this number give you more power than knowing someone's telephone or bank account number? (similar public info)
There must be a weak security system in place, which can simply be replaced. Declare the SSN a public item and all the issues around leaking it are moot.
There is nothing new about losing a box of paper records vs a stack of backup tapes. Just that it just seems looking back people used to have more common sense. Simple thing really, the old paper records at the local townhall were in a FUCKING SAFE. The new computer system has internet. Can you see the difference? One gets locked up every night and can only be accessed by standing in front of a really big metal block right in the middle of the floor where all your colleagues and all visitors can see you and the new one is accessible to the entire world 24/7 year round if only they can get past that wonderful security delivered by companies that think Microsoft sells Operating Systems.
This incident is just the last in a long line where the security of data is just not taken seriously enough. Nothing to do with tech, just human nature. Put lots of valuable stuff in one place and then pay someone minimal wage to make sure it is treated properly.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I gave them a call last week, and you are right about the odd answer. The part you missed, and the one that prompted my call because I never saw my last bill, was they were bought out by Bank of America. The sender of my bill was Bank of America, which I promptly discarded thinking it was junk mail.
I was always pleased with MBNA, especially the customer service. Never had a late fee that wasn't waived, and took care of some fraudulent charges with no hassle to me at all. Will Bank of America be that good still?
Sig-"Out beyond fields of wrongdoing and rightdoing, there is a field. I will meet you there." Jelaluddin Rumi