Unencrypted Lost Tape Affects 230 Retailers

Lucas123 tells us that a backup tape lost by Iron Mountain reportedly contains credit card information from 650,000 customers. The unencrypted tape also holds Social Security numbers for 150,000 customers. Quoting the Computerworld Article: "Although J.C. Penney was the only company that Jones would confirm as affected by the missing tape, that retailer accounts for just a small percentage of all accounts that were compromised. In total, 230 retailers are affected by the breach. 'Clearly that number includes many of the national retail organizations,' he said."

Broken system

[a_nonamiss]

Honestly, how long until someone realizes the current system is broken? We can't hope to keep our Social Security numbers secret indefinitely. We have everything in your life tied to this one, unchangeable number. The credit system needs to be overhauled so that it doesn't matter if you have my name, address, SS# and mother's maiden name. Just off the top of my head, how about a challenge-response system. In a secure manner, I set a secret password. For more security, you could even set single-use passwords. When I go out to get credit, I tell someone on the phone my password. Someone else goes out and tries to get credit without my password and they get arrested. It's not perfect, but a hell of a lot better than what we have now. And it took me 5 minutes to think that up. I bet someone with 6 weeks and half a million dollars could come up with an even better way.

Re:Broken system

[elronxenu]

You tell someone on the phone your password. That person now knows your password. You forget to change it afterward, and that person now gets _different_ credit in your name.

I think any system in which you, the user, have to hand over your secrets to some third party to authenticate yourself, is just going to suffer from the same kind of problems. This is just like payment by credit card. You hand over the secret number to restaurants and shops whenever you use the card.

You really need to be able to authenticate yourself without handing over any secrets, i.e. by using some kind of protocol where you prove that you _have_ a secret (such as a CC# or SSN) without any requirement to reveal what it is.

Re:Keyword: Unencrypted

[IBBoard]

The problem with encryption is that the news agencies still don't report it to make people feel that bit safer.

When one of our high-street banks in the UK lost details of quite a large number of customers' details then none of the major news agencies I saw reported that it was encrypted. It was all "bank loses details", "customers at risk", "think of the bank details (and children)!". It took a bit of digging to find out that company policy was that hard disks were encrypted and that this one apparently was as well.

Social Security?

[IBBoard]

Okay, so I'm British and don't know how the American system works (only visited once) but social security numbers? What were people buying such that they were customers on this tape and had their SS# recorded? As close as we get is our National Insurance number (for benefits and pension contributions) and I've never known of anyone other than an employer who needs to know it.

Re:Social Security?

[hey!]

Because you've got functioning privacy laws that require risks to personal data be addressed in advance. In the US, we wait until a situation becomes so intolerable that people are boiling pitch and collecting feathers, at which point the narrowest possible ad hoc law is drafted by lobbyists and rubber stamped by Congress.