Slashdot Mirror

← Back to Stories (view on slashdot.org)

Unencrypted Lost Tape Affects 230 Retailers

Posted by Soulskill on from the keep-an-eye-out dept.

Lucas123 tells us that a backup tape lost by Iron Mountain reportedly contains credit card information from 650,000 customers. The unencrypted tape also holds Social Security numbers for 150,000 customers. Quoting the Computerworld Article: "Although J.C. Penney was the only company that Jones would confirm as affected by the missing tape, that retailer accounts for just a small percentage of all accounts that were compromised. In total, 230 retailers are affected by the breach. 'Clearly that number includes many of the national retail organizations,' he said."

13 of 75 comments (clear)

  1. Unencrypted? by Doug52392 · · Score: 2, Insightful

    If companies want to store customers credit card numbers and social security numbers for years on their systems, could they at least use common sense? The backup tape should have at least been encrypted, and should have been behind lock and key.

    1. Re:Unencrypted? by Pig+Hogger · · Score: 2, Interesting

      If companies want to store customers credit card numbers and social security numbers for years on their systems, could they at least use common sense?
      Common sense is in notorious short supply the further you go up the management chain. Nowadays, companies are run by types with a sheet of paper stamped with the magic letters "MBA", which means that the bearer has been infused with knowledge that is supposed to increase profits.

      MBAs are taught first and foremost to ditch "common sense" because their acute knowledge is supposedly vastly "superior" to common knowledge.

  2. Keyword: Unencrypted by cyberjock1980 · · Score: 2, Insightful

    So what's so hard about implementing encryption? Seriously. It's easy to implement and use and it can put MANY minds at easy knowing that recovery of the data is virtually impossible. I still think the UK is on the right track with the law punishing the company owners when something goes awry and they lose their tapes. Chairman would suddenly take note of yet another way the could get fired, and I'm sure they'd take steps to keep their job.

  3. Broken system by a_nonamiss · · Score: 3, Interesting

    Honestly, how long until someone realizes the current system is broken? We can't hope to keep our Social Security numbers secret indefinitely. We have everything in your life tied to this one, unchangeable number. The credit system needs to be overhauled so that it doesn't matter if you have my name, address, SS# and mother's maiden name. Just off the top of my head, how about a challenge-response system. In a secure manner, I set a secret password. For more security, you could even set single-use passwords. When I go out to get credit, I tell someone on the phone my password. Someone else goes out and tries to get credit without my password and they get arrested. It's not perfect, but a hell of a lot better than what we have now. And it took me 5 minutes to think that up. I bet someone with 6 weeks and half a million dollars could come up with an even better way.

    --
    -Arthur
    Cave ne ante ullas catapultas ambules
    1. Re:Broken system by elronxenu · · Score: 3, Insightful
      You tell someone on the phone your password. That person now knows your password. You forget to change it afterward, and that person now gets _different_ credit in your name.

      I think any system in which you, the user, have to hand over your secrets to some third party to authenticate yourself, is just going to suffer from the same kind of problems. This is just like payment by credit card. You hand over the secret number to restaurants and shops whenever you use the card.

      You really need to be able to authenticate yourself without handing over any secrets, i.e. by using some kind of protocol where you prove that you _have_ a secret (such as a CC# or SSN) without any requirement to reveal what it is.

    2. Re:Broken system by mattwarden · · Score: 2, Interesting

      Absolutely. And we've had this ability since the 70s (Diffie-Hellman, anyone?).

    3. Re:Broken system by Peeteriz · · Score: 2, Informative

      Chip-cards do it - for example the EMV (europay-mastercard-visa) standard credit/debit cards - the card proves it's 'realness' by being able to execute cryptographical challenge-response, but not revealing (and thus, not allowing to copy) the secret key to anyone in the chain - not the merchant, not the POS terminal used, not the bank that processes the merchant's transaction (and still all these parties can and do verify that the transaction was signed by the billed card, and not injected by some middleman).

    4. Re:Broken system by mollymoo · · Score: 2, Interesting

      You tell someone on the phone your password. That person now knows your password.

      The solution to that, which is implemented by more than one company I deal with, is to only validate a randomly selected subset of the password. "Can you confirm the third and fifth letters of your password please Sir." The person in the call centre doesn't know your entire password and an eavesdropper would need to listen to several calls to get the entire password. It's not perfect, but it requires no physical device (which anything good enough to satisfy a cryptographer surely would) and regular people can generally manage to do it just fine.

      --
      Chernobyl 'not a wildlife haven' - BBC News
  4. Re:Keyword: Unencrypted by IBBoard · · Score: 4, Interesting

    The problem with encryption is that the news agencies still don't report it to make people feel that bit safer.

    When one of our high-street banks in the UK lost details of quite a large number of customers' details then none of the major news agencies I saw reported that it was encrypted. It was all "bank loses details", "customers at risk", "think of the bank details (and children)!". It took a bit of digging to find out that company policy was that hard disks were encrypted and that this one apparently was as well.

  5. Social Security? by IBBoard · · Score: 5, Insightful

    Okay, so I'm British and don't know how the American system works (only visited once) but social security numbers? What were people buying such that they were customers on this tape and had their SS# recorded? As close as we get is our National Insurance number (for benefits and pension contributions) and I've never known of anyone other than an employer who needs to know it.

    1. Re:Social Security? by hey! · · Score: 3, Insightful

      Because you've got functioning privacy laws that require risks to personal data be addressed in advance. In the US, we wait until a situation becomes so intolerable that people are boiling pitch and collecting feathers, at which point the narrowest possible ad hoc law is drafted by lobbyists and rubber stamped by Congress.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    2. Re:Social Security? by BosstonesOwn · · Score: 2, Informative

      My Massachusetts license doesn't have my social security number.

      It was a known scam for some time to cause an accident on purpose (swoop and squat scam http://www.fbi.gov/page2/feb05/stagedauto021805.htm ) on a very nice vehicle perceived to have a high value. They would jott down your info including the license # which was your social security # and go on spending sprees with the victims credit info, while also collecting from the insurance company.

      --
      This package Does Not Contain a Winner
  6. Re:Keyword: Unencrypted by mattwarden · · Score: 2, Interesting

    There answer is: it's not hard at all. If we can assume GE Money is using Oracle, it has had TDE (transparent data encryption) since 10g. All they have to do is alter a column, setting the 'encrypt' option, and suddenly its contents are stored on disk as encrypted. No application changes are required*, because Oracle unencrypts the data transparently as it is read from disk.

    In this case, the stolen tape would include lots of plaintext data, but the sensitive data would be unintelligible. The only way to read the sensitive data is to retrieve the backup of the Oracle wallet also.

    * as long as the encrypted columns do not require a range scan of an index (which obviously wouldn't work), but when are you range-scanning a credit card number or SSN?