Posts Tagged ‘credit card data’

Free Credit Monitoring Is the Least You Can Do…Literally

Saturday, June 25th, 2011

Free credit monitoring is the de facto response in the case of a data breach incident. The organization that was entrusted with sensitive, personal information that can be used to steal the customers’ money or identity (or both) generally picks up the tab for a year of free credit monitoring to keep an eye on things and make sure no suspicious activity occurs. With the rate and scope of data breaches these days, probably just about every American with a bank account or credit card already has free credit monitoring from at least one data breach–but not Citigroup.

Following a data breach that exposed information from as many as 360,000 credit card accounts, Citigroup sent letters to the affected customers with some helpful tips to follow, but it stopped short of offering any actual assistance. That translates roughly to “hey, sorry we didn’t take better care of your data–sucks being you.”

It’s the least you can do, Citigroup. No, really–it is literally the least you can do. It is the bare minimum you can offer loyal customers as some feeble apology for violating their trust and allowing sensitive data to be compromised or exposed. Honestly, even the credit monitoring seems like a paltry apology–but it is better than nothing, and it seems like the most logical course of action for the organization because there is no way of knowing up front which accounts will actually be impacted. Free credit monitoring at least lets customers know you care enough about having exposed their data to offer to keep a proactive eye on things rather than placing the burden on the customers to monitor for suspicious activity themselves.

Citigroup should be examining how the data breach occurred and putting tools and controls in place to ensure it doesn’t happen again. In the meantime, though, Citigroup should step up and offer free credit monitoring.

Laptop Stolen, But Security Measures Make Data Compromise Unlikely

Thursday, December 17th, 2009

A story from CNN today reports that a laptop containing personal information on approximately 42,000 Fort Belvoir Morale, Welfare and Recreation (MWR) patrons was stolen over the Thanksgiving holiday weekend. The focus of the CNN story seems to center on the fact that it took two weeks for the military to respond and alert those whose information may have been compromised by the theft. It goes on to note that this is not the first time the military has had a laptop stolen, but assures us that there is a bill currently in the Senate which would call for greater protection for mobile data.

What seems to be somewhat glossed over in the CNN story is the fact that this data was protected. CNN does mention it when it says “information security experts for the Army say it’s unlikely that the information will be compromised because the data are guarded by three layers of security and encryption passwords.” But somehow that part seems buried under the rest of the story, as if we’re not supposed to care about it.

I am not sure we can ask much more. Portable computers like laptops and netbooks are trending up in sales, and portable storage like USB flash drives and external hard drives is relatively cheap. The small, portable size of these computers also makes them easy and convenient to steal. The bottom line is that there is a lot of sensitive information being carried around on these devices.

Companies and individuals need to operate under the assumption that a laptop will be stolen. I am not suggesting that laptop theft is so rampant that there is no way to avoid it; I am just suggesting that the data on the laptop be treated as if its theft were a sure thing. If you knew, for a fact, that your laptop would be stolen tomorrow, what kind of security would you have on it to protect the information it contains? Which data is so sensitive that you would add extra layers of security and encryption to virtually guarantee that it can’t be compromised?

In this case, perhaps the military should have notified individuals sooner. It can also be argued that, because of the security controls and encryption in place, the military didn’t need to notify anyone at all. By placing adequate protection on the laptop, the military essentially ensured that the thief may be able to use or sell the laptop but won’t be able to access any of the data it contains.