Unencrypted Lost Tape Affects 230 Retailers

Lucas123 tells us that a backup tape lost by Iron Mountain reportedly contains credit card information from 650,000 customers. The unencrypted tape also holds Social Security numbers for 150,000 customers. Quoting the Computerworld Article: "Although J.C. Penney was the only company that Jones would confirm as affected by the missing tape, that retailer accounts for just a small percentage of all accounts that were compromised. In total, 230 retailers are affected by the breach. 'Clearly that number includes many of the national retail organizations,' he said."

VTL

[jb1z]

This is one of the many reasons we're moving to a VTL. I might just use this incident as a little nudge to speed up the implementation.

Re:VTL

Why, does VTL only accept cash?

Re:VTL

[kisielk]

I'm not sure I follow how a VTL would prevent this kind of mishap from occurring? If you still need to store the data offsite, someone could just as easily lose the drives from your VTL.

Re:VTL

[jb1z]

Instead of backing up to tape and having the tapes sent off-site, we're replicating the data over an IPSec tunnel to another facility of ours.

Re:VTL

[kisielk]

That's similar to our setup, we have an IP SAN cluster at two locations which sync over a dedicated line. We do still create tapes for archival purposes and offsite backup. IMO having replication is not a replacement for that.

Re:VTL

[jb1z]

Are your tapes encrypted? Neoscale appliance or something similar?

Re:VTL

[kisielk]

They're not encrypted yet, but our company is still very young, and I just took over as the system administrator. We're definitely going to start encrypting them once I finish putting the rest of our backup solution in place.

Re:VTL

[Jeremiah+Cornelius]

Why does JCP have customers Social Security numbers!!!!

If someone wanted my SocSec to by linens, I'd tell 'em where to stuff the sheets.

Re:VTL

[Goldberg's+Pants]

our company is still very young

I'm sure that'll be a comfort to customers who lose their data:)

Re:VTL

[kisielk]

Well, all the data we have is from our simulations, we don't keep any customer information. More specifically, we're not at all in to E-commerce or anything remotely related. If that were the case, there's no way I'd feel comfortable with things as they are now...

Unencrypted?

[Doug52392]

If companies want to store customers credit card numbers and social security numbers for years on their systems, could they at least use common sense? The backup tape should have at least been encrypted, and should have been behind lock and key.

Re:Unencrypted?

[Pig+Hogger]

If companies want to store customers credit card numbers and social security numbers for years on their systems, could they at least use common sense?

Common sense is in notorious short supply the further you go up the management chain. Nowadays, companies are run by types with a sheet of paper stamped with the magic letters "MBA", which means that the bearer has been infused with knowledge that is supposed to increase profits.

MBAs are taught first and foremost to ditch "common sense" because their acute knowledge is supposedly vastly "superior" to common knowledge.

Re:Unencrypted?

[GoodbyeBlueSky1]

I'm being a bit facetious here, but why bother? I've yet to see any significant punishments handed down with any of these cases, so where's the deterrent factor when things go wrong?

Of course anybody with half a brain knows sensitive information should always be encrypted, but these security breaches always seem to affect marketing, tracking and government agencies. You're lucky if you find someone with a quarter of a brain there.

Re:Unencrypted?

[riseoftheindividual]

Companies more and more are being run myopically for quarterly profits. Why would anyone at the higher levels care about things like long term data storage since that has nothing to do with the next quarters profits?

Re:Unencrypted?

[DeadChobi]

If that ever happened to my data, I would sue to recover damages plus opportunity costs from having to sort out any problems that may arise, plus the option for future damages arising from any identity theft from the lost tape. Having the credit card information is one thing, but Social Security Numbers? Christ, that's not a number which should be used as an identifier.

That kind of information is something for which posession should be regulated. Heavily. With enormous civil penalties for noncompliance.

Re:Unencrypted?

[mgblst]

It probably has happened to your data, if you have a credit card. How would you know. Only a small proportion of cases get reported, and even when they do, like in this case, they have only released the name of 1 retailer out of 250? So when someone steals your money, who are you going to sue?

The fact is that you agree to these terms when you use a credit card - you agree for the information to be stored by a dozen different companies, most who couldn't care less about your data being stolen.

Iron Monkey

This is the firm known as Iron Monkey by the network staff at two *huge* firms yet management keep giving them the contract, probably because they're cheap (pay peanuts, etc). After the volume of behind-the-scenes tales I've heard about these idiots I wouldn't trust them with a crayon.

Keyword: Unencrypted

[cyberjock1980]

So what's so hard about implementing encryption? Seriously. It's easy to implement and use and it can put MANY minds at easy knowing that recovery of the data is virtually impossible. I still think the UK is on the right track with the law punishing the company owners when something goes awry and they lose their tapes. Chairman would suddenly take note of yet another way the could get fired, and I'm sure they'd take steps to keep their job.

Broken system

[a_nonamiss]

Honestly, how long until someone realizes the current system is broken? We can't hope to keep our Social Security numbers secret indefinitely. We have everything in your life tied to this one, unchangeable number. The credit system needs to be overhauled so that it doesn't matter if you have my name, address, SS# and mother's maiden name. Just off the top of my head, how about a challenge-response system. In a secure manner, I set a secret password. For more security, you could even set single-use passwords. When I go out to get credit, I tell someone on the phone my password. Someone else goes out and tries to get credit without my password and they get arrested. It's not perfect, but a hell of a lot better than what we have now. And it took me 5 minutes to think that up. I bet someone with 6 weeks and half a million dollars could come up with an even better way.

Re:Broken system

how long until someone realizes the current system is broken?

Everyone knows it's broken, and the credit companies are knowing it all the way to the bank. After all, equifax gets its cash whether it's you or someone else getting a loan. Visa gets its cash whether it's you or someone else using your credit card, and they probably even keep the 1% on top of the charge (if not charging the merchant even more) when someone reverses their charge. Captialism at it's finest.

Re:Broken system

[KookyMan]

Actually, some credit card companies are going one better. Now that e-Ink has been proven consumer-worthy (AmazonKindel, Sony's e-Reader) they are going to start putting a small e-paper segment on your credit card where every time you use it, you push a thumb-button on the back of the card and it will produce a new 6 digit card use authorization number. It will be similar to the way SecureID cards work. The number will be good for 1 purchase, and every time you use it, you will have to generate a new number to enter into the purchasing terminal / give over the phone. And since its 1 use, even if someone gets your card number and that generated number, its no good outside its usage window. (which is a minute or so.)

I can't remember where I read the article, but it definitely will make your card more secure. Of course, it does nothing to help you if your card is stolen, but then that is no different than IT security. If you have secured information, and someone steals the box, the battle is half-over.

Re:Broken system

[elronxenu]

You tell someone on the phone your password. That person now knows your password. You forget to change it afterward, and that person now gets _different_ credit in your name.

I think any system in which you, the user, have to hand over your secrets to some third party to authenticate yourself, is just going to suffer from the same kind of problems. This is just like payment by credit card. You hand over the secret number to restaurants and shops whenever you use the card.

You really need to be able to authenticate yourself without handing over any secrets, i.e. by using some kind of protocol where you prove that you _have_ a secret (such as a CC# or SSN) without any requirement to reveal what it is.

Re:Broken system

You really need to be able to authenticate yourself without handing over any secrets, i.e. by using some kind of protocol where you prove that you _have_ a secret (such as a CC# or SSN) without any requirement to reveal what it is.

Sounds an awful lot like why public key cryptography was invented ...

Re:Broken system

[xigxag]

What we need is a system where the number that you provide is keyed to a specific retailer for a specific transaction of a specific monetary amount at a specific moment in time. So that even if(when) someone gets your number in the clear, they can't use it for anything else. Even that same retailer won't be able to double bill you or charge you more than you agreed to pay. It'll mean that we'll have to use "smart cards" (or fobs or bracelets) but who cares? There's no reason, even, why you can't use a single password-protected smart card to authenticate multiple sources of credit.

Re:Broken system

[mattwarden]

Absolutely. And we've had this ability since the 70s (Diffie-Hellman, anyone?).

Re:Broken system

[Minwee]

Consider that the average consumer has to call his or her mother to ask what a maiden name is. Why do you think that these people will be able to deal with actual security?

The current system is simple enough for a five year old to deal with because that's about how smart the ideal customer is.

Re:Broken system

[epine]

It's ridiculous that this system persists in its present form as it does. We need a malpractice code for the credential industry as strong as the medical and legal malpractice codes. I tagged this article "dataspill visavaldez". Of the two, I like the second one better.

Re:Broken system

[TheThiefMaster]

That's similar to Barclays Bank's new online banking login system.

It goes like this:
1: Enter your Surname and online banking membership number (12 digits). Both can optionally be saved after a successful login.
2: Enter the last 4 digits of one of your cards, put that card into the provided PINsentry(TM) card reader, press "IDENTIFY" and enter your PIN. Enter the 8-digit number you are given into the website.
3: You are now logged in.

Basically someone would need your membership number, card and pin to be able to log into your account online and steal your money. Just sniffing the typed info isn't good enough, because the ID given by the card reader can only be used once.

It's probably still vulnerable to a man-in-the-middle attack though, but that's pretty difficult to pull off.

Re:Broken system

[Peeteriz]

Chip-cards do it - for example the EMV (europay-mastercard-visa) standard credit/debit cards - the card proves it's 'realness' by being able to execute cryptographical challenge-response, but not revealing (and thus, not allowing to copy) the secret key to anyone in the chain - not the merchant, not the POS terminal used, not the bank that processes the merchant's transaction (and still all these parties can and do verify that the transaction was signed by the billed card, and not injected by some middleman).

Re:Broken system

[mollymoo]

You tell someone on the phone your password. That person now knows your password.

The solution to that, which is implemented by more than one company I deal with, is to only validate a randomly selected subset of the password. "Can you confirm the third and fifth letters of your password please Sir." The person in the call centre doesn't know your entire password and an eavesdropper would need to listen to several calls to get the entire password. It's not perfect, but it requires no physical device (which anything good enough to satisfy a cryptographer surely would) and regular people can generally manage to do it just fine.

Re:Broken system

Heh, that wouldn't work so well for me.

"Sir, can you please verify the 18th, 26th and 33rd letters of your passphrase please".

(mumbles to self ...)

Re:Broken system

[a_nonamiss]

You tell someone on the phone your password. That person now knows your password. That's why a single-use password set on a secure site would be such a huge improvement. When I go out washing-machine shopping, I know in advance that I'm going to apply for instant credit. Before I pack up and head out to the Buy-More, I just go to a site and get a single use password. I could even get two or three if I know I'm going on a mad spending spree. It doesn't even have to be that secure, because dictionary attacks aren't very useful for a single-use password that expires in 8 hours and has to be validated by a person rather than a machine that accepts 1.4 million passwords per second. Granted, there are weaknesses in this system. Someone could hack into my 'secure' account when I set my password to 'Password123' and generate passwords all day. However, at least it gives me the power to protect my own information, rather than trusting some 19 year old intern who keeps an unencrypted backup tape in the back seat of his car.

Also note here that I'm talking about ID theft and applying for credit, not credit card authentication. That's a whole 'nother ball of yarn.

Re:Keyword: Unencrypted

[IBBoard]

The problem with encryption is that the news agencies still don't report it to make people feel that bit safer.

When one of our high-street banks in the UK lost details of quite a large number of customers' details then none of the major news agencies I saw reported that it was encrypted. It was all "bank loses details", "customers at risk", "think of the bank details (and children)!". It took a bit of digging to find out that company policy was that hard disks were encrypted and that this one apparently was as well.

Social Security?

[IBBoard]

Okay, so I'm British and don't know how the American system works (only visited once) but social security numbers? What were people buying such that they were customers on this tape and had their SS# recorded? As close as we get is our National Insurance number (for benefits and pension contributions) and I've never known of anyone other than an employer who needs to know it.

Re:Social Security?

[Coopjust]

Many people opt to get an in-store charge card in the United States (which is a line of credit), and this requires an Social Security # to open.

The horrible part is this:

After reconstructing the data that was on the missing tape, GE Money began sending out letters to those affected by the breach in December. The company has set up a toll-free number and is offering one year of free credit monitoring services to those affected by the breach.

Which is the equivalent of "We lost a number that is permanently critical for your financial future. Sorry. We'll watch your credit for a year; after that, well, good luck!". It's like a huge "Fuck you" from GE Money.

Re:Social Security?

[Hollinger]

It was probably either part of a customer registration database, or the SSNs were the primary keys for the records.

Many retailers offer convenient 10% off discounts or no-interest financing if a customer opens a branded credit card at the checkout kiosk. Perhaps that data was part of these tapes?

Re:Social Security?

[hey!]

Because you've got functioning privacy laws that require risks to personal data be addressed in advance. In the US, we wait until a situation becomes so intolerable that people are boiling pitch and collecting feathers, at which point the narrowest possible ad hoc law is drafted by lobbyists and rubber stamped by Congress.

Re:Social Security?

[R2.0]

The SSN was never intended to become a national ID number, but that's what it has evolved into. It's the only piece of identification data that is part of a nationwide system and is relatively unique. Organizations just started using the number on their own as an identifier, until it became ubiquitous. There was a small effort to halt this a few years ago, but now even the Feds have admitted defeat - per the REAL ID, ALL driver's licenses (the de-facto ID card in the US) must have the SSN on them, even though logic says my old age benefits have absolutely nothing to do with my ability to drive a car.

Re:Social Security?

[BosstonesOwn]

My Massachusetts license doesn't have my social security number.

It was a known scam for some time to cause an accident on purpose (swoop and squat scam http://www.fbi.gov/page2/feb05/stagedauto021805.htm ) on a very nice vehicle perceived to have a high value. They would jott down your info including the license # which was your social security # and go on spending sprees with the victims credit info, while also collecting from the insurance company.

Re:Social Security?

[antifoidulus]

even though logic says my old age benefits have absolutely nothing to do with my ability to drive a car.

Wasn't there a South Park episode about that?

Re:Social Security?

[name_already_taken]

My Illinois drivers license doesn't have my social security number either.

The state used to offer you the option of having your SSN printed on the license for convenience, because merchants would use it to verify checks, but the folks at the driver services office no longer give you that option because of the prevalence of identity theft.

The drivers license number has been unrelated the holder's social security number in Illinois for decades.

Re:Social Security?

[Your.Master]

Why isn't there a system whereby people are issued new SSNs and their old account data is migrated, and the old number invalidated? The government could charge an assload (1.7 arseloads) for it and demand there be a good reason to do such things, so people didn't spuriously goof with the system, and then when companies like GE Money fuck up, it could be their responsibility to push this through for the customer.

Re:Social Security?

[bigstrat2003]

Then Massachusetts isn't in compliance with REAL ID yet. Not that they should be, of course.

Re:Social Security?

I hope that you're at least hitting froogle.google.com for cheap sources of pitch and feathers, because I suspect you're not boiling anything at the moment.

Re:Social Security?

[MrSpiff]

I never understood why the american SSN needs to be kept secret, all swedish citizens have a similar number based on your date of birth (yymmdd) + four digits that makes it unique. A lot of online stores, communities and such, that wants confirmation of your age or a way to track you down if needed will require it, but since we have to use it so often and sometimes publicly, it's not considered a secret. If someone wants to positively identify you, they will mail a letter to you with a password or require your signature.

Re:Social Security?

[DigitalCrackPipe]

That's the problem - no additional verification is usually asked for in addition to the SSN. It *shouldn't* be a key to unlock financial access (new accounts, acces to existing ones, etc), but that's how it has evolved.

Of course, it may simply be that Sweden doesn't have enough criminals trying to steal identities *yet* to make that system a problem. Not considering it a secret is different from it being dangerous for others to discover the number.

What happens if 10000 people are born in one day? Do you have an ID doppleganger?

Re:Social Security?

[jeff4747]

Because one of the 'business rules' for SSNs is that they are permanent and no new numbers can be entered. Basically, the folks who set up the system were worried about one person getting several valid SSNs and attempting to use them all for fraudulent purposes. Thus it's very, very difficult to get a new SSN.

This leads to interesting problems besides compromised numbers. Several years ago there was a story on the news about a woman who got married. She filed the paperwork, and a clerk at the SS office accidentally marked her as "Dead" instead of "Married". It only took her several years to fix the problem.

Now it is possible to contact the 3 credit reporting companies and instruct them to deny all instant credit requests, and force the company to contact you at home for any attempts to get credit. It's a rather large hassle, since you have to do it 3 times. It also means you can't apply for on-the-spot credit, such as a car loan at a dealership.

Think ID theft is bad now....

[Initi]

Wait until the US Feds cram RealID down our throats. Roosevelt was warned of the dangers of a single national ID number; which he and his supporters dismissed. It only took 65-70 years for technology to catch up to this particular nightmare.

One short number, for life

[flyingfsck]

Well, it is simply a typical American fsckup. People get issued this one simple guessable number, for life, and everything uses it. Without this number, a USAsian almost doesn't exist. Since illegal immigrants don't have a SSN, the police have a hard time identifying tens of millions of them, since they just don't know how.

It is almost trivial to hijack someone else's identity and obtain credit cards using that number. More enterprising thieves will sell someone else's house after a few minutes of research at the local land titles offices.

Re:One short number, for life

[Zironic]

To use that kind of number isn't American Specific.

Here in Sweden you get a number at birth we call "Personal Number".

It's basically Year-Month-Day-HHYX

Where HH is the code for your hospital, Y is a number showing your gender (odd = man, even = woman) and X is a control figure calculated to show that its a real number.

Anyhow, I think the problem with SSN is that you somehow think it's secret. If you worked from the opposite assumption that the SSN is as wellknown as your name and should just be used as a personal identifier I think it would be more usefull.

Like the SSN can be used to find your entry in a database, but it should not be usable to take money from your account, for that they better know a real secret like your password or sign with your signature.

Re:One short number, for life

[mdfst13]

Like the SSN can be used to find your entry in a database, but it should not be usable to take money from your account, for that they better know a real secret like your password or sign with your signature. That's already true. That's not the exploit under discussion. Identity theft is not about breaking an existing trust relationship between you and one of your financial associations. That's a separate class of scam (and while an SSN might help with it, other instruments are more beneficial, e.g. a credit card). Identity theft is about pretending to be you when establishing a new financial association in such a way that the benefit goes to the identity thief but the cost goes to you. The problem that arises typically goes like this:

1. The identity thief requests credit in your name, with your SSN.

2. The thief uses a variety of scams to transfer money or goods to them. The money comes from the new credit instrument.

3. The issuer of the credit now tries to collect from you. You are then responsible for proving that you did not request or use the credit instrument.

It's not that the SSN is really seen as that secret. It's just the piece that associates two entries for "John Doe" as referring to the same John Doe rather than two separate people who happen to have the same name.

If this same problem is less prevalent in Sweden, I suspect that one of two things is true. Either it is more difficult to get anonymous credit (over the phone or internet or through the mail) in Sweden than in the US, or this problem simply hasn't quite made it there yet.

Re:One short number, for life

[Zironic]

I don't know of any way to get an anonymous credit card in sweden, it might be possible though.

We have had parts of your problem in another way though with the so called "SMS Loans" where you can take a loan with your mobile phone with no actual ID or Credit check.

However since the problem arose most banks have terminated their agreements with such services and the law is being changed so you can't take a loan without a proper credit check.

Anyhow, The solution should imo be that you shouldn't be able to get credit without proper identification.

I'm always rather appaled by how easy it is to pay with my debit card, most of the time the clerk doesn't even look at my ID and when it comes to online transactions it's just scary, someone could rob me blind by just taking a photo of my card.

Re:One short number, for life

Here in Sweden you get a number at birth we call "Personal Number".

It's basically Year-Month-Day-HHYX

Where HH is the code for your hospital, Y is a number showing your gender (odd = man, even = woman) and X is a control figure calculated to show that its a real number.

More than a handful of births per day per hospital and this numbering scheme will break...

Question

[pclminion]

Why the hell don't people get put in prison when this happens? Ridiculous.

Re:Keyword: Unencrypted

[mattwarden]

There answer is: it's not hard at all. If we can assume GE Money is using Oracle, it has had TDE (transparent data encryption) since 10g. All they have to do is alter a column, setting the 'encrypt' option, and suddenly its contents are stored on disk as encrypted. No application changes are required*, because Oracle unencrypts the data transparently as it is read from disk.

In this case, the stolen tape would include lots of plaintext data, but the sensitive data would be unintelligible. The only way to read the sensitive data is to retrieve the backup of the Oracle wallet also.

* as long as the encrypted columns do not require a range scan of an index (which obviously wouldn't work), but when are you range-scanning a credit card number or SSN?

Re:Keyword: Unencrypted

[bvimo]

After two CD's containing 15 million bits of info went missing, http://news.bbc.co.uk/1/hi/uk_politics/7104115.stm/ I had a drink with a couple of my friends and had a chat about the loss.

They didn't know about the password protection, but they knew the data wasn't encrypted.

Re:Keyword: Unencrypted

[bvimo]

I assume each installation of Oracle will have its own encryption method. It would be silly if I could transfer the encrypted data from system A into system B.

I am an Oracle ignoramus.

Re:Keyword: Unencrypted

[mattwarden]

Same method, but the keys would be different. You'd have to get your hands on the keys in the Oracle wallet, which is in a file outside the database and should be backed up separately.

Re:Keyword: Unencrypted

[IBBoard]

That's the Government losing data on CDs posted internally, though, not a high street bank having a laptop stolen. You're less likely to encrypt internally posted media than you are the disk of a device that has "steal me!" written all over it.

Common sense...

[msauve]

in business can reduce profits. Guess which wins?

Re:Keyword: Unencrypted

[Minwee]

the Oracle wallet [...] should be backed up separately.

"Hey, I've just had an idea. Why are we paying for two separate backups which get handled in two different ways? Wouldn't it make a lot more sense to just consolidate everything onto one backup solution and save a bunch of money?"

I was hoping for the latest tapes for Lost

[cylcyl]

Am I the only one who read the headline and hoped that there was more new eps of Lost despite the writer strike?

PABP from Visa

[fixer007]

http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html/

This is why PAPB "payment application best practices" from Visa should be mandated across the board. It ensures that all sensitive data (Primary account numbers, PINs, etc.) and other user sensitive information is not stored on the system, unless it is encrypted. This could go a long way to saving us alot of headaches!

Funny guys

[oever]

I'm sure John Cleese can come up with a good excuse for this mishap. See the advert he did for them

Re:SSNs

[nullchar]

JC Penny and other retailers probably stored the SSNs when their customers signed up for a branded credit card.

Is saving 10% on a few hundred dollar purchase really worth your financial identity?

What's going on

[Effugas]

Encryption is hard, because key management is hard. Instead of sending one file, you have to send two, through totally different channels.

Well, "have to" is relative. A huge amount of the time you see "encryption", the decryption key is right there next to it. But, you see, the data is encrypted. So it's safe.

*sighs*

Re:What's going on

Encryption is hard, because key management is hard. Instead of sending one file, you have to send two, through totally different channels.

Ummm, no. For backup tapes, you encrypt the backups, then hand off the tapes for offsite storage. You keep the keys.

That being said, Iron Mountain does have a pretty good rep in data storage. Until now...

Re:Keyword: Unencrypted

[mollymoo]

So what's so hard about implementing encryption?

One reason I've heard for not doing it, from more than one sysadmin over the years, is that encrypted data is more susceptible to errors. In other words it's unreliable, not too hard to do. A couple of bad blocks on an unencrypted tape may lose you a file or two, but could render an encrypted tape unreadable. How true this is I have no idea, I'm a coder not a sysadmin, but it strikes me that encrypting individual files rather than entire tapes would solve this problem (though it would leak some information about file sizes etc.).

Re:Keyword: Unencrypted

[SilentBob0727]

If I'm not mistaken, the amount of data that can be lost to a single corrupted bit with two-way encryption depends on the block size. But a well defined checksum over the encrypted data ensures that some of that data can be recovered, and redundant storage can help this issue further.

But even in the worst case, the cost of losing tons of business and tons of money in lawsuit settlements due to your customers' personal information being compromised far outweighs the cost of the same data being obliterated completely. There is no reason not to encrypt, and smart sysadmins know this.

Damn you Abrams!

[cthulu_mt]

I thought this was a story about a secret episode of Lost. Damn you Abrams and your viral marketing.

Social Insecurity Numbers

[jd]

Living in the United States has given me a disturbing impression of the use of social security numbers. They are used to track all kinds of things. Many stores require an SSN for store cards. More than a few stores (mostly for higher-value goods) require SSNs for even regular purchases. Social security numbers are often included on driver's licenses and State ID cards (unless you specifically remember to ask for an anonymous number - and not everywhere allows you to do tha). The USA doesn't seem to have anything similar to the UK's bank guarantee card, and they use driver's license or State ID instead - exposing your SSN.

(I'm dual-national, which makes things easier for me. I work in the US because the UK has been totally incompetent in the IT arena for many decades now and the pay is pathetic. The usual brain-drain reasons. I do not consider America to have any credible notion of privacy, security or welfare, but realism has to apply. Those three don't pay bills.)

Re:Social Insecurity Numbers

[jdjbuffalo]

I agree with almost everything you said except this "Problem was his port was bad, tried a different one and it worked." Do you have any evidence of this?

I have never been asked for my SSN when paying for something (even high dollar amounts) with Cash or Checks or even credit cards. However, I have certainly seen them ask this because they assume that I want to use their instore purchase program (e.g. no payments for 6 months or we'll finance everything for you kind of deals)

Iron Mountain lost something? Small wonder!

[swordgeek]

Iron Mountain is possibly the most antiquated, ass-backwards, idiotic, incompetent company on the planet. In 2006, they were quite excited because they were about to move away from a program that ran on DOS 3.3, and required hand-entry of tape and company IDs...THREE TIMES per tape! They can get away with this because they're the only game in town.

They should be held responsible for ten times the amount of credit card fraud that they could possibly be implicated in over the past two years. That should be enough to bankrupt them.

Re:Keyword: Unencrypted

[mwvdlee]

Yet, to the best of my knowledge, most information theft happens internally.
It's a lot easier to keep quiet though.