Breach Notification

Tuesday, March 25, 2008

Hannaford Data Breach

The Hannaford Brothers grocery chain has received a lot of attention during the last week. On March 18, the Boston Globe reported:

"Hannaford Bros. supermarket chain yesterday said a breach of its computer system potentially exposed 4.2 million credit and debit card numbers and has led to about 1,800 fraud cases to date. The data breach affected customer cards used at more than 270 stores in states including Maine, Massachusetts, New Hampshire, New York, and Vermont, Hannaford said, and lasted from December until early March. The Secret Service is investigating, said spokesmen for Hannaford and the federal agency."

There's no getting around the fact that 4.2 million debit card and credit card numbers are a lot. Not as many as the TJX/TJ Maxx breach and data security debacle, but a lot nonetheless. Hannaford's response:

"A Hannaford spokeswoman, Carol Eleazer, said the company is still investigating the specifics of how data was taken..." In a statement posted to Hannaford's website, chief executive Ronald C. Hodge wrote that the data "was illegally accessed from our computer systems during transmission of card authorization."

During the transmission? An MSNBC report on March 20 seemed to best explain this:

"While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit. "Catching data on the move is a bit more challenging," said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. He compared it to robbing a truckload of merchandise: It's easier when the vehicle is parked than when it's zooming down a highway."

Okay, I get it: identity criminals are computer-savvy and smart enough to find holes in computer systems and hack into them. The criminals are also fast: within a month they generated at least 1,800 reports of identity and credit card fraud. The MSNBC article also highlighted two important points about the Hannaford data breach. First:

"But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards. For one thing, Hannaford said this sensitive data were exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval."

Second:

"... that Hannaford was found — while the hack was still going on last month — to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies. The PCI group sets rules governing such issues as how employees should be screened and precautions against hackers, but it does not audit companies like Hannaford to ensure compliance. That is performed by outside assessors. The identity of Hannaford's auditor was not disclosed."

This is important because:

"The fact that Hannaford could be considered up to snuff and yet still be vulnerable to a big heist raised questions about whether other merchants — and by extension, their customers — are falsely confident about their security."

The MSNBC article added:

"... the [PCI] standards require companies to encrypt data that travels over computer networks "that are easy and common for a hacker to intercept." Whether certain internal networks are "easy and common" to crack is a matter of judgment... Hannaford would not discuss specifics of its security system, so it was unclear to what extent its stores encrypted payment data throughout the transmission process."

That's just peachy. First, the rules aren't strong enough to guarantee compliance. Second, the rules are loose enough to allow retailers to cut corners and not encrypt our sensitive personal data throughout the retailers' entire data transmission process. Why?

"But in practice, encryption often goes unused at certain points in a data-processing chain because the computing power it requires can slow down transactions, especially on older hardware."

One industry expert emphasized as a solution:

"... the biggest lesson is that the banking industry needs to make it harder for thieves to put stolen credit card data to use. Requiring PINs on credit card transactions would remove 75 to 90 percent of the fraud in the system."

InformationWeek reported:

"A retailer's [PCI] compliance status matters: The penalties for noncompliance are significant, and the card brands can fine the retailer while also raising the transaction fees levied for each credit or debit card transaction. A finding of noncompliance also will be potent ammunition for inevitable lawsuits. The big loser: consumers."

Yes, we consumers are the big losers. We consumers end up paying:

  • Higher credit card fees and/or higher interest rates from credit card issuers to cover their expenses to issue replacement cards and accounts. While identity theft victims enjoy the $50 credit card liability limit, credit card issuers cover their identity theft expenses by charging higher fees and rates to all credit card holders.
  • Higher banking fees, because banks must issue replacement debit cards and accounts. A few generous banks may also replace the stolen monies. Banks charge higher fees, and fees on a wider range of transactions, to cover their identity theft expenses, too.

In my opinion, the consequences and fines to retailers still aren't severe enough. In both scenarios above, the companies pass along their increased costs to consumers. While replacement credit cards with a $50 maximum liability are great, one year of free credit monitoring for identity theft victims isn't enough.

The good news just kept coming. More stores were affected by the Hannaford breach. Also on March 20, the Albany Times Union reported:

"Independent stores in Ravena and Schaghticoke affiliated with Hannaford were also affected by the recent hacking of customer credit card numbers, the Scarborough, Maine-based supermarket chain said today. The company’s Web site lists more than 20 independents around the Northeast that had credit card information stolen as a result of the security breach. Hannaford supplies the Ravena and Schaghticoke stores, which operate under the Shop ‘n Save name, but does not own them. In September, Hannaford purchased formerly independent stores in West Sand Lake and Voorheesville."

Several class-action lawsuits have already been filed against Hannaford in New Hampshire, Maine and Pennsylvania. What's a consumer to do?

  1. Contact your bank and credit card issuer, if you shopped and paid with plastic at Hannaford between Dec. 7, 2007 and March 10, 2008.
  2. If you continue to shop at Hannaford, use your credit card and not a debit card to get the best protections. Or use cash.
  3. If you are a Hannaford identity theft victim, read closely any correspondence you receive from the company. File a police report for any monies stolen or abuse of your financial accounts. Place a Fraud Alert on your credit reports. Monitor your credit reports closely for abuse, since criminals may use your stolen personal data to try to take out new credit in your name. If Hannaford offers free credit monitoring, accept their offer if you don't already have a credit monitoring service. Watch the news to see if you qualify for any of the class-action lawsuits.
  4. Read the I've Been Mugged blog. During the coming weeks, I will post on this blog reviews of several credit monitoring services. There is a link at the top of the right column to sign up for alerts via e-mail.

Wednesday, February 13, 2008

California Senate Approves Two Measures To Strengthen Identity Theft Laws

California has always led the way with strong identity-theft laws to help consumers. Recently, SC Magazine reported:

"The State Senate in California has passed by wide margins measures that require more extensive notification to consumers of data breaches, establish a central reporting center for breaches, and permit local prosecution of identity theft."

California legislators are trying to make it much clearer what a breach notification letter must contain. SB364 requires:

"... that consumers receive a clear, informative notification letter when their personal data kept by a business or public agency has been stolen. It also requires the state to establish a central reporting site to catalog security breaches... a security breach notification must contain the toll-free telephone numbers of the major credit reporting agencies – to allow consumers to put a hold on their credit – and the name and contact information of the business that has experienced a breach. The notice also must include the type of information, such as names and Social Security numbers, that might have been taken; the date of the breach and of its discovery; a general description of the breach; and the estimated number of persons affected."

This is great news! When IBM notified me of the IBM data breach, their notification didn't disclose the number of persons affected, nor did it disclose much describing the breach. After I called and spoke with IBM, they didn't disclose much more. The above law in my state would have been a big help.

California's legislators went even further with a second proposed law:

"... SB612, would allow identity theft to be prosecuted in the county in which the victim lives, which is not always the case now... The current California law permits prosecution in the county in which the theft occurred or the county in which the information was illegally used, both of which may be hundreds of miles away from the victim's home."

This too is great news, since it facilitates prosecution of the identity thief, who usually doesn't live in the same town or jurisdiction as the identity-theft victim.

However, these two bills are not law yet. Both bills must be acted upon by the California State Assembly. If you are a California resident, I encourage you to call your California State representatives and ask them to pass these two new laws. If you live elsewhere, you should contact your state representatives and ask them why your state doesn't have strong laws like the ones California is considering.

Thursday, January 17, 2008

Capital One: What's In Your Database? (Part 2)

I wrote a December 20, 2007 post about Capital One database corruption reported by Justin James in his TechRepublic Programming and Development blog. Since that post, I checked my Capital One credit card statements for erroneous charges. Fortunately I didn't see any.

To be safe, I wrote a letter to Capital One asking for clarification. It seemed to me that their database corruption could have resulted from a data breach. And, since I live in a state where data breach notification is required by law, I would have expected a notice from Capital One. My e-mail message to Capital One:

To: <webinfo@capitalone.com>
Sent: Thursday, December 20, 2007 7:26 PM
Subject: Capital One's credit card database corruption

Dear Sir/Miss:
Please see this TechRepublic blog which reported database corruption within your company's customers' credit card files:
Capital One: What's In Your Database?

This is very scary given the current identity theft situation in the USA. I am a Capital One Visa credit card customer. I am wondering why I have not received a breach notification from Capital One due to this database corruption. Data corruption like this just doesn't happen by itself. I look forward to a prompt reply and explanation from your company. If I do not hear from you soon, I will likely cancel my Visa card with you and do business elsewhere.

Sincerely,
George Jenkins

The first e-mail reply I received from Capital One was a form letter which confirmed receipt of my inquiry, provided a Case ID number, and explained that Capital One tries to reply to e-mail inquiries within 3 days (72 hours). So far, okay. Not great, but okay. To me, it's important to communicate in writing about very important issues, and Capital One's database corruption seemed to be one of those issues.

Capital One finally replied on January 4, 2008 -- well after the 3-day promise. The content of the reply was quite a disappointment:

From: "Capital One Web Information" <webinfo@capitalone.com>
Sent: Friday, January 04, 2008 12:10 PM
Subject: Re: Capital One's credit card database corruption

Hello George Jenkins,
Thanks for your message regarding our online security practices. Protecting customers’ credit and personal information is a top priority for Capital One. For this reason, account information is displayed on secured pages. A secured page is any Web document sent from a server to a browser in an encrypted form.

Encryption is a process for turning plain text or other information into an unrecognizable pattern of data. The type of encryption used by Capital One is 128-bit encryption, which is the strongest form commonly available for use on the Internet. It provides a high level of security and privacy for our customers when they use our Online Account Service. Capital One requires that our customers use 128-bit encryption when using our site.

Please visit our security pages on our Web site at http://www.capitalone.com/protection, for additional information about the steps we take to protect customers’ privacy and the security of their account.

Since regular electronic correspondence is not a secure method of contacting us and we wish to protect the integrity of account information, Capital One prefers to discuss personal and account-specific questions by telephone rather than by e-mail. We assure you that all other electronic contact with us such as viewing statements and making payments is secure.

Thank you for contacting Capital One.

Regards,
Capital One Online Banking

Wow! A lot of words but nothing related to my question. Encryption is not database corruption. Is their customer database corrupt? Was that the result of a data breach? The letter seems to suggest that there was no problem since all data is encrypted. That seems to me to be a gross over-simplification.

It seems that Capital One prefers phone correspondence and considers their database corruption to be an account-specific problem. And, nobody at Capital One had the courtesy to sign the letter, which would have made follow-up easy.

Thursday, December 20, 2007

Capital One: What's In Your Database?

This is news I really didn't want to read just before the Christmas holiday.

In the TechRepublic Programming and Development blog, Justin James recently reported on some pretty scary stuff about Capital One Bank. This caught my eye since I am also a customer:

"A few weeks ago, I received a paper bill from Capital One instead of the usual e-mail notifying me that my statement was posted online. When I went to pay my bill, I didn’t notice anything unusual — although, in retrospect, I should have. I paid my bill a few days before the due date and went on my merry way. This Saturday (after the due date), I received a letter in the mail informing me that my payment was rejected due to an invalid bank account number used for payment. Huh? My checking account has not changed in well over five years."

Apparently, Capital One's database had become corrupted. Capital One was trying to use an obsolete checking account number, more than five years old, that Justin had closed long ago. That Capital One was using this obsolete checking account number when Justin knew the company had his current checking account number was a clear signal that Capital One's database was severely corrupted... and that the company was unable to restore the database properly from any backup files. Not good. Not good at all.

Justin's blog post was quite unsettling, since I hadn't heard anything about this in the news. As Justin wrote:

"Data corruption is the silent killer of databases and the source (and often the result of) security breaches, system failures, and programming mistakes. I hit the panic button, big time."

If this database corruption is due to a data breach, I expect Capital One to have notified me promptly. I live in a state where breach notification is mandatory. So far, I haven't received any notices from Capital One. Justin summarized Capital One's poor customer service well:

"Capital One committed more than one of the top 10 “thou shall not’s” in IT with this incident.

  • It allowed data to be severely corrupted.
  • It deployed code without an appropriate rollback or backout plan or path.
  • It did not notify its customers despite the fact that the mistake is causing its customers to have late payments, resulting in fees and credit history problems if uncorrected.
  • It did not properly prepare the customer service team to handle the situation.
  • It allowed the user to see that data had been corrupted, which has destroyed all trust in the system."

I visited Capital One's web site to see whether any database corruption notice had been posted. None appeared in the Press Releases section, nor in the site's Online Protection or Fraud sections.

Friday, November 16, 2007

The Tangled Web of Data Breach Notification Laws

I recently read this in a post by Mark Tordoff at the Compliance and Security Connection blog:

"The issue is the variation between the different state consumer notification laws. Of the 38 states who currently have a law on the books, 18 require notification of any breach, while 20 require notification only when risk of harm is present. All 38 provide exemptions if the compromised data was encrypted. Finally, 24 states require that, in addition to the affected consumers, certain government officers or agencies must be included in their notification."

"Another variable is when the consumer must be notified. “Some states require that consumers be notified when their information is lost. Other states will allow the breached entity to perform some analysis to determine the degree of risk to consumers,” says Jorge Rey, information security and audit manager at independent accounting firm Kaufman Rossin Co. in Miami."

A good statement of the situation, but a narrow definition of the problem.

The problem is more extensive. As a nation we seem to be in our infancy regarding data breach notification and identity theft. A year ago, far fewer states had any type of identity theft laws. Before California's law in 2003, there were none. We still don't have a good profile of the typical identity thief. We still don't have a good profile of the number of companies that employ effective data security processes. (See the TJX debacle.)

Even with the above laws, some states have exceptions under which a company is not required to notify identity-theft victims of its data breach. In Massachusetts' new identity theft law, there is one notification exception called "Substitute notification." If notification is too expensive for a company, it can opt for a more general notification approach (e.g., print or online ads) instead of notifying each identity theft victim individually via postal mail.

While a federal breach notification law seems tempting, I don't see it as an effective solution. Too many companies have business units in other countries or employ offshore outsourcing subcontractors -- methods to avoid the laws. Some companies (like IBM) archive employee and former employee data forever -- increasing the risks to the company and to its former employees. And the existing notification laws don't seem to cover the full scope of companies that trade consumers' sensitive personal data, like C.L.U.E. insurance reports from Choicepoint.

Friday, November 09, 2007

Working Asset or Working Liability?

Earlier this week, a former coworker, Diane, shared with me the following breach notification she received via e-mail:

From: "Working Assets" <workingassets@act.actforchange.com>
Date: November 4, 2007 12:26:55 AM EDT
Subject: Important Notice: Security Breach

Dear Working Assets Customer,
We regret to inform you that the company we contract with to provide online services, Convio, has identified a breach of one of their internet security systems. There was no breach of personally-identifiable information or credit card data, but your email address and password for managing your Act For Change and Working For Change subscriptions were obtained by an unauthorized third party. Please note that the database holding account information related to Working Assets long distance, wireless and credit card accounts was not affected.

There is potential for misuse of this information however, should you use the same email address and password on other personal accounts, whether Working Assets products, banking, PayPal, Amazon, etc. Convio would like to advise you of important steps that you can and should take to prevent misuse of your personal information:

- If this email address and password are used together on any other accounts, it is recommended that you change your password on those accounts and sites immediately. We recognize that this is an enormous inconvenience, but this step will minimize your security risk.

- Pay careful attention to emails you may receive requesting personal and financial information, and only provide it when you can confidently confirm that it has come from a trusted organization.

- Report any suspicious activity immediately to the account provider (bank, credit card, etc.) and to credit bureaus. We take your privacy seriously, and as a protective step have immediately deleted all passwords from the Act For Change and Working For Change website and subscriptions. This will not affect your subscriptions or site usage, and you will simply be prompted to create a new password when you go to manage your account.

Our vendor Convio has asked us to convey their deepest apology and assurance that security has been restored. If you have any questions or concerns, please feel free to call (800) 788-0898 or to email customerservice@wafs.com.

Stephen Gunn
Vice President, Operations
Working Assets

While I like the social causes that Working Assets (WA) supports, I can't ignore the problems with this breach notification. First, the notification relies on a single channel: e-mail. Users often view e-mail breach notification as spam. While e-mail notification is definitely cheaper and faster than snail-mail notification, the savings and speed must be balanced against customers' trust. Better to inform identity-theft victims both by e-mail and snail-mail.

Second, the notification's content gives the impression that WA's goal is to avoid responsibility for the breach. Most of the e-mail letter covers what the consumer should do, and not what WA is doing. The letter does not explain what WA is doing to:

  • prevent future data breaches by Working Assets and/or its subcontractors,
  • closely monitor and demand data security upgrades by its subcontractor (Convio),
  • closely monitor other subcontractors it hires,
  • offer credit monitoring and/or credit restoration to identity theft victims already affected.

Moreover, WA's notification seems to be a copy of Convio's breach notification with few changes. This makes me wonder what value WA adds to the notification, if any. This notification also does not inspire trust in WA.

Third, while WA's data breach didn't disclose any sensitive data (e.g., SS#, driver's license number, credit card number, banking account numbers), it did disclose the sign-in information (i.e., the e-mail address and password pair) thieves could use to access sensitive data in Working Assets or other accounts. I doubt many consumers will see a difference between having their sign-in information stolen and having their sensitive personal data stolen directly. The end result for identity-theft victims is the same: their sensitive data has been put at risk.

Fourth, the communication doesn't mention a WA web site where the ID-theft victim can obtain updates about the breach, answers to frequently asked questions, WA's data security, WA's investigation, Convio's data security, and Convio's investigation. This gives me the impression of a lax and somewhat disorganized response by WA to their data breach. (To the good, WA does provide a simple Security Notice page on its web site.) Basically, the e-mail notification seems to be one big, "we're sorry and best of luck to you" kiss-off.

I'd grade Working Assets' breach notification as a D- in terms of completeness and corporate responsibility. I wonder if the company has studied and learned from prior breaches and corporate responses, like the TJX debacle and Don Imus' blunder. WA customers should also learn more about security problems at Convio.

Monday, November 05, 2007

In The Blogosphere: Chronicles of Dissent

A tip of the hat to the folks at the Chronicles of Dissent blog for their coverage of my posts about correspondence with Attorney General Coakley's office about online breach notification. If you are a Massachusetts resident and you feel as I do, I hope that you'll contact Mass. Attorney General Coakley's office and tell them you want corporate breach notifications posted online.

Friday, November 02, 2007

Reply From Attorney General Coakley's Office

A few days ago, I sent an e-mail letter to Massachusetts Attorney General Martha Coakley's office. Yesterday, I received this e-mail reply:

From: Email Correspondence (AGO)

Thank you for contacting the office of Attorney General Martha Coakley. I have forwarded your e-mail along to the member of our staff who is handling this office’s compliance with the new breach notification laws which took effect on October 31, 2007. Although there are currently no plans to post breach notifications online, due to your correspondence, this idea is currently being considered by our Consumer Protection Division. Thank you for taking the time to contact us. It is important that we hear from constituents about important issues such as this.

Sincerely,

Community Information and Education Division

It's nice to receive a quick reply. I'm glad that the state is considering the posting of breach notifications online. We'll see what they finally decide to do. If you are a Massachusetts resident, I hope that you'll write to them also, and tell them you want breach notifications published online.

Tuesday, October 30, 2007

Letter to Massachusetts Attorney General Coakley

As a consumer affected by a corporation's data breach and identity theft, I am quite excited about Massachusetts' new identity theft law which will be implemented during the next few months. On Sunday evening, I sent the following e-mail letter to Massachusetts Attorney General Martha Coakley:

To:   The Office of the Attorney General
        One Ashburton Place
        Boston, MA 02108
Dear Attorney General Coakley:

I am a resident of Boston and I am writing to you about Massachusetts' new identity theft law (St 2007, c.82: Security Freezes and Notification of Data Breaches). I look forward to the implementation of this new law since I have been the victim of identity theft. Specifically, a prior employer lost my most sensitive personal data. So, as soon as the Security Freeze option is available in Massachusetts, I will sign up to better protect my identity and finances.

My letter to you today is about the notification part of the new state law, specifically the portions about "Breach Notification" and "Substitute Notification" by companies. When IBM Corporation lost my data in February 2007, the company finally notified me in May 2007. This delay was unacceptable to me since identity thieves could have done much damage during the interim. So, while IBM's written notification to me was helpful, speedy notification is also important to me since media coverage wasn't immediate.

Since then, I have researched identity theft. During my research, I have found that New Hampshire posts on its Department of Justice web site the breach notifications N.H. received from corporations.

My question to your office is this: when will Massachusetts post online the breach notification letters it receives? The online posting of breach notifications by your office would be a huge benefit to consumers for several reasons:
  1. Consumers can access a reputable, reliable site for the full content of breach notifications.
  2. Online postings can solve the speed concern other consumers like me have.
  3. In the situations defined by St. 2007, c.82, the online posting of breach notifications would also solve the requirement of "Substitute Notification."
  4. The online posting of breach notifications by Massachusetts would be comparable to another New England state.
  5. The online posting of breach notifications would be a positive signal that Massachusetts is serious about being a leadership state when it comes to identity theft.
I look forward to hearing from your office soon. Thank you in advance for your attention to this and reply to my letter.

I sent this letter to the Mass. AG since the comparable office in New Hampshire posts breach notifications online. It is critical for consumers (e.g., customers, employees, and former employees) to receive prompt notification from companies which suffer a data breach. And, since Massachusetts' new law provides for "Substitute Notification" instead of a personal letter to each consumer, I want to know exactly how my state plans to provide "Substitute Notification."

I also sent copies of this letter to my federal and state representatives via the Congress.org web site. If you are a Massachusetts resident who feels as I do about identity theft, I encourage you to contact your state representatives.

Monday, October 22, 2007

The Data Security Risks with Offshore Outsourcing

We've all read news articles about how companies, in order to remain competitive, have moved jobs and work to other companies (outsourcing), and/or have moved jobs and work to companies in other countries (offshore outsourcing). Philip Alexander has written an excellent article in SearchCIO.com about the risks with offshore outsourcing... which can expose the sensitive personal data of customers, employees, and former employees.

Mr. Alexander gets right to the point:

"... there is more to consider than just the lower labor costs of employees in India versus their domestic counterparts... it's important to make sure that in addition to going after cheap labor, you're not buying yourself a slew of security exposures as well. The decision on whether or not to outsource should not rest solely with the CFO. The chief security and compliance officers should also be involved because of the many security- and regulatory-related issues involved with offshore outsourcing."

If you live in a state where consumer notification is required when the company has a data breach, it is important to remember that:

"With the rash of highly publicized data breaches, 36 states now have their own disclosure laws mandating that companies inform customers in the event of either an actual or suspected security breach. This applies to data breaches that occur overseas if you send sensitive customer data offshore."

I applaud Mr. Alexander for challenging CIOs (Chief Information Officers) and CSOs (Chief Security Officers) to consider the risk and not just the financial benefits. Mr. Alexander lists two major issues regarding offshore data security and risk:

The first is granting offshore engineers access to computer systems located within your company's network. Are you monitoring the activities of the overseas engineers? If the work that's being sent offshore is project-based, are you ensuring that access is removed when the project is completed? Do you have security professionals monitoring the activities of the offshore engineers?

The second issue and most importantly:

"... review what type of work is safe to send offshore. For instance, outsourcing production support overseas entails a high degree of risk...  You should consider projects that don't entail sending sensitive customer information offshore, or granting remote access to your internal network. Software development doesn't require providing sensitive customer data offshore. The development work can be performed offshore, then the code can be securely transmitted to your company."
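The two issues above come down to lifecycle and scope: project-based access that outlives the project, access that nobody is watching, and accounts that can reach systems (production, customer data) the project never needed. The following is an added example, not code from Mr. Alexander's article or from this blog, of the kind of periodic access review a security team could run over its roster of offshore or contractor accounts. The account names, project names, systems, dates and the 30-day idle threshold are all constructed sample values.

```python
"""Periodic access-lifecycle review for project-based contractor accounts.

Added example (not from the article or the blog). Given a roster of accounts
granted to offshore engineers, each tied to a project with a contractual end
date and an approved set of systems, report:
  - accounts still enabled after their project ended (remove the access),
  - enabled accounts nobody has used recently (is anyone watching them?),
  - entitlements outside the project's approved scope,
  - any entitlement that reaches a production system.
All roster data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

IDLE_LIMIT = timedelta(days=30)  # assumption: 30 days without a login warrants a look


@dataclass(frozen=True)
class ContractorAccount:
    username: str
    project: str
    project_end: date             # contractual end of the engagement
    enabled: bool                 # account can still log in
    last_login: Optional[date]    # None = never used
    entitlements: FrozenSet[str]  # systems the account can reach


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str     # "project-ended", "idle", "out-of-scope", "production"
    detail: str


def review_access(accounts: List[ContractorAccount],
                  project_scope: Dict[str, FrozenSet[str]],
                  production_systems: FrozenSet[str],
                  today: date) -> List[Finding]:
    """Return every finding for the roster as of `today`; disabled accounts are skipped."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # access already removed; nothing to review
        if acct.project_end < today:
            findings.append(Finding(acct.username, "project-ended",
                f"project {acct.project} ended {acct.project_end}, "
                f"last login {acct.last_login}; disable the account"))
        elif acct.last_login is None or today - acct.last_login > IDLE_LIMIT:
            findings.append(Finding(acct.username, "idle",
                f"no login since {acct.last_login}; confirm the access is still needed"))
        allowed = project_scope.get(acct.project, frozenset())
        for system in sorted(acct.entitlements - allowed):
            findings.append(Finding(acct.username, "out-of-scope",
                f"{system} is not in the approved scope for {acct.project}"))
        for system in sorted(acct.entitlements & production_systems):
            findings.append(Finding(acct.username, "production",
                f"{system} is a production system; offshore production support is high risk"))
    return findings


def accounts_to_disable(findings: List[Finding]) -> List[str]:
    """Usernames whose project has ended: the access-removal list for this review."""
    return sorted({f.username for f in findings if f.kind == "project-ended"})


# Constructed sample roster: two projects, a disabled account, and one
# account that was granted production database access it never needed.
PROJECT_SCOPE: Dict[str, FrozenSet[str]] = {
    "billing-reports": frozenset({"dev-db", "reporting-staging"}),
    "portal-refresh": frozenset({"dev-web", "dev-db"}),
}
PRODUCTION_SYSTEMS: FrozenSet[str] = frozenset({"prod-db", "prod-web"})
REVIEW_DATE = date(2007, 10, 1)
SAMPLE_ACCOUNTS = [
    ContractorAccount("eng-asha", "billing-reports", date(2007, 12, 31), True,
                      date(2007, 9, 28), frozenset({"dev-db", "reporting-staging"})),
    ContractorAccount("eng-raj", "portal-refresh", date(2007, 8, 31), True,
                      date(2007, 9, 20), frozenset({"dev-web"})),
    ContractorAccount("eng-lee", "billing-reports", date(2007, 12, 31), True,
                      None, frozenset({"dev-db", "prod-db"})),
    ContractorAccount("eng-old", "portal-refresh", date(2007, 6, 30), False,
                      date(2007, 6, 29), frozenset({"dev-web"})),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_ACCOUNTS, PROJECT_SCOPE, PRODUCTION_SYSTEMS, REVIEW_DATE):
        print(f"{f.username:10} {f.kind:14} {f.detail}")
```

On the sample roster the review flags eng-raj, who is still logging in a month after the project ended, and eng-lee, whose account has never been used yet holds an out-of-scope entitlement to a production database. The review is only useful if it runs on a schedule and its "project-ended" list actually feeds an access-removal step; a report nobody acts on answers none of Mr. Alexander's questions.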

The only issue I have with Mr. Alexander's article is his focus on CIOs and CSOs. I believe that general management, human resources, and customer service senior managers should also be challenged to consider the risks of an offshore-outsourcing decision. All departments handle sensitive data and all departments need training in effective data security practices. All of this becomes even more critical as companies headquartered in other countries acquire or merge with US-based companies.

For some background, read this GAO report about Medicare and Medicaid, or this article about data breaches at outsourcing firms in India. I'd love to see a consultancy or accounting firm independently audit the major brokerages against the criteria Mr. Alexander stated in his article. What do you think?

Monday, October 15, 2007

Governator Terminates New California Identity-Theft Bill

From the Sunday Oct. 14 Orange County Register:

"An ID theft protection bill that would have made businesses that take credit cards for purchases more accountable to consumers and card issuers was vetoed Saturday by Gov. Arnold Schwarzenegger. In a message explaining his veto of AB779, the governor claimed the marketplace already provides the necessary protections for consumers and that the state bill might conflict with private security standards."

This is sad news, since:

"The bill would have required businesses to follow new guidelines for the handling and storage of sensitive material; to notify consumers with a detailed protocol of how to address identity theft; and to incur out-of-pocket costs to provide restitution to consumers and share the burden of card issuers. Currently, when a security breach is suspected or detected, businesses only must notify card issuers, but have no liability themselves. AB779 would have made the business (or any other entity that utilized cards for payment) share responsibility."

According to the news report, the California Governor's reasons included that the bill was vague and conflicted with existing identity-theft laws. To learn more, see my prior post and the California Progress Report.

Thursday, October 11, 2007

Governator To Decide On California's New Identity Theft Bill

From the October 2, 2007 Los Angeles Times:

"The bill, recently approved by lawmakers on bipartisan votes, now goes to Gov. Arnold Schwarzenegger for his signature or veto. The bill would require banks, credit unions and credit card companies to tell people the name of the retailer where the hackers grabbed their confidential information, including Social Security numbers, account numbers and personal identification numbers, or PINs."

Assemblyman Dave Jones (D-Sacramento), author of the new bill, asserts that, "about 40% of retailers and other organizations that accept credit card payments were complying with security guidelines developed by major credit card companies."

The new bill, Jones' AB 779, also allows:

"... banks and credit card companies to sue allegedly negligent retailers for the cost of closing accounts and issuing new cards. Schwarzenegger, who is being lobbied heavily on the identity theft issue, has not taken a position and has until Oct. 14 to make up his mind."

It's important to watch California, which was the first state with a bill requiring data breach notification and a credit report freeze option (often called a Security Freeze). This newest bill is good because it affirms the need for all companies to get serious about data security. It is good if it also ensures that accountability lies with the company with the lax data security, regardless of whether that company is the credit card issuer or the retailer. This is bad if it encourages credit card issuers to push all liability to retailers.

According to the newspaper article, credit unions support the bill and large business trade groups oppose it. I look forward to hearing what Governor Schwarzenegger says during the coming days.

Thursday, August 09, 2007

New Hampshire Does It Right

To determine how well my state helps protect me against identity theft, I look at what other states have done. New Hampshire is one of the few states that are leading the way on identity theft protection for consumers. According to the Security Bytes blog:

"There are a few states that demand that organizations that suffer security breaches that compromise customer data report those incidents to the state as well as the affected individuals. One of those forward-thinking states is New Hampshire, and the state has gone a step further and decided to post to its Department of Justice Web site all of the notification letters it receives. The archive only goes back to November 2006 right now and includes a few dozen entries, but that will grow as more companies are breached."

At the NH site, you can view IBM's data breach notification dated April 26, 2007; more than two months after the February 2007 data breach incident. I received IBM's notification in May 2007, and my letter didn't even have a date printed on it. Is that how a world-class computing and software company operates?

Congrats to New Hampshire and to its citizens! I look forward to similar efforts by Massachusetts and other states. Does your state post data breach notification letters online? If so, tell us below. I've Been Mugged readers want to know.

Next entry: Opt-out Resources for Consumers

Sunday, July 29, 2007

A Conversation with IBM (Part 1)

A prior blog entry discussed the letter I sent to Barbara Brickmeier, IBM's Vice President of Human Resources, since Mrs. Brickmeier's office sent the data breach notification. On July 16, Windall White, a representative at IBM's North Carolina facility called me. During a 75 minute phone conversation on July 18, Mr. White and I discussed my letter, question by question. Mr. White described himself as an IBM retiree, now working in IBM's Human Resources department, as part of IBM's focus on the data breach. IBM's answers to each of my questions are listed below:

How exactly did IBM verify that I was the correct person in their records?

I asked this question since IBM's letter was a surprise, because I have never worked for IBM. Mr. White verified that IBM acquired my personal data when IBM purchased Lotus Development Corporation in 1995. So, Lotus kept my personal data for about 4 years; and IBM kept my personal data for another 12 years. (For nostalgia, visit the Lotus Museum.)

I also asked this question because I was curious exactly how IBM located me, since I moved my residence twice since I worked at Lotus 16 years ago. Mr. White explained that IBM hired the Kroll risk consulting company both for IBM's corporate investigation needs and as a credit-monitoring service for former IBM employees affected by its data breach. Mr. White explained that Kroll searched through public records databases to find former employees like me. He added that since the "lost" data tapes were backup tapes, IBM had to reconstruct the list of affected former employees. I asked whether Kroll used my SS# to do this search. Mr. White never answered that question. I interpreted his silence as a "yes."

While I appreciate IBM's diligence to locate and notify former employees affected by their data breach, I can't ignore the implications. First, IBM pursued an internal policy where it archived my personal data for at least 12 years. The data IBM had about me was 16 years old; old address information. Second, IBM pursued a data breach notification process where IBM updated its files with the current personal data for former employees. So now IBM had my current address information.

Third, both IBM and Kroll have my current personal data. In its efforts to protect itself from risk, IBM shared my personal data with another company without my knowledge or consent. If I hadn't asked IBM, I wouldn't have known any of this. I wonder how many other former IBM employees affected by IBM's data breach know where IBM shares their personal data. I do know that some former IBM employees are hesitant to trust Kroll since they were recommended by IBM, who lost the data tapes which caused the problem. Fourth, if I use Kroll's credit monitoring service, will Kroll be acting in my best interests? Consider: IBM pays Kroll for one year of free credit monitoring services for former employees who choose this option; and IBM pays Kroll for investigation projects. How objective can Kroll be?

What is the current status of IBM's investigation into the data tape "loss?"

I received IBM's data breach notification in May. It's now July... 2+ months later. I hadn't received any more correspondence from IBM since the data breach notification. Perhaps the tapes were found or the thieves caught; especially since IBM offered a reward for return of the "lost" data tapes. Or maybe IBM was now ready to disclose details about how the data tapes were "lost."

Mr. White was quite clear and unhelpful. According to Mr. White, IBM's position is still not to disclose details about the investigation, since it is an on-going investigation. He consistently referred to the incident as a "data tape loss." When I challenged Mr. White about "lost" versus "stolen," he mentioned two items, a) the vendor did not know the tapes' contents, and b) he didn't want to speculate as there wasn't any evidence that the tapes were stolen or the personal information was used by ID theft thieves.

Hmmmmmm.

IBM's response is very frustrating and unhelpful because it will likely be us former IBM employees and ID-theft victims who bear the ID-theft risk and bear the burden to continually check our credit reports. It will be us, not IBM, who will notice first on our credit reports the attempts by identity thieves to abuse our personal data. I guess then, when we tell IBM, IBM will know that the data tapes were "stolen" and not "lost."

Sounds to me like we are doing a job IBM should be doing.

Mr. White added that IBM did not disclose the details mentioned in the Computerworld article; that the Computerworld article was based on an Associated Press reporter's story, not information supplied by IBM. I found that I had to listen very closely to Mr. White's words. It was like talking with a lawyer. Mr. White didn't dispute the story as inaccurate. Mr. White just emphasized that IBM didn't release any details about the data tape "loss." To me, when I hear a statement like that it's an indirect implication that the Computerworld news article was inaccurate.

Well, clear it up IBM! Release some details about the data breach incident. A good start would be the number of employee records stolen. Almost all other companies with data breaches release information about the number of records stolen. A good start would be the status of the vendor and some detail about the status of the investigation.

I also reminded Mr. White that since IBM has my personal data, I need to feel confident that IBM is doing everything IBM can to protect my data and retrieve the data tapes. Again, Mr. White didn't offer any details about IBM's data breach or IBM's investigation. He did confirm that IBM reported the incident to law enforcement. It felt like I was talking to a brick wall. This was frustrating, since IBM's "loss" of the data tapes created the problem which was now inconveniencing me. Mr. White was very polite about acknowledging my concerns, but at the same time unhelpful with providing any kind of details.

Does IBM still do business with the vendor that "lost" the data tapes?

An answer here was important to me for several reasons. First, you lose an umbrella or a hat. You don't "lose" data tapes with thousands of records with sensitive employee personal data. Second, the details have implications. You hire a transportation vendor to deliver items from one location to another. A trustworthy vendor should be able to explain in detail any problems; but there shouldn't be any delivery problems. A trustworthy vendor should do criminal background checks on its employees. There is one set of implications if IBM's vendor didn't follow established IBM data security policies. There is a different set of implications if the vendor followed established IBM data security policies (meaning IBM's data security policies are deficient in some manner).

Third, news items which reported that the data tapes "fell off the back of the truck..." didn't inspire confidence in IBM's ability to protect my personal data. Mr. White explained that the vendor did not know the contents of the "lost" data tapes. Again, Mr. White didn't offer any details (e.g., vendor's name, whether or not IBM still uses this vendor, etc.) except vague, general statements that IBM has dedicated lots of resources to the problem and IBM doesn't want this to happen again.

In my view, vague statements aren't enough. Mr. White did confirm that the data tapes were backup tapes in transit from IBM's headquarters in Armonk, New York to an undisclosed location as part of IBM's data archive and disaster recovery process. Mr. White said IBM would never disclose the location of IBM's remote data backup facility. I didn't expect that, but I did expect some details about the status of the investigation about the vendor.

Based on these vague assurances, I still have no confidence that IBM will sufficiently protect my personal data. During the phone call, I felt that Mr. White was assigned to the data breach incident to "handle" callers like me. Mr. White kept a calm voice, acknowledged my concerns, but rarely offered details. I guess IBM hopes that former employees like me will just go away and be happy with vague assurances.

What procedures has IBM put in place so that a data tape "loss" during transit doesn't happen again?

Assuming IBM decides to continue to archive my personal data, I need to know that IBM has made some type of effort so this incident doesn't happen again. Once again, I heard vague statements from Mr. White about IBM devoting lots of resources to the data breach incident. No details... no amounts... no numbers of employees assigned.

And unfortunately this gets worse. An upcoming blog entry will cover more about my questions and IBM's answers.

Next entry: How to destroy a hard drive in 5 seconds

Saturday, July 21, 2007

Questions for IBM

On July 5, 2007 I sent a letter to Barbara Brickmeier, VP of Human Resources at IBM, seeking clarification and answers about IBM's data breach incident. IBM's notification letter and FAQ page lacked detailed answers in several areas. My questions for IBM:

  • How exactly did IBM verify that I was the correct person in their records? IBM's letter was a surprise since I never worked for IBM. I did work for Lotus Development (until 1991), which IBM bought in 1995. Maybe this was the answer, but I'd changed jobs and residence several times since I'd left Lotus.
  • What is the current status of IBM's investigation into the data tape "loss?" It's been over 2 months since IBM first contacted me in May 2007. A lot could have happened since: the tapes found, the thieves caught, or IBM explained exactly how it "lost" their data tapes.
  • Does IBM still do business with the vendor that "lost" the data tapes? IBM refers to the incident as, "data tapes were lost while being transported by a vendor" and didn't identify their vendor. You lose an umbrella or a hat. You don't "lose" data tapes with thousands of records with sensitive employee personal data. News items which reported that the data tapes "fell off the back of the truck...," didn't inspire confidence in IBM's ability to protect the personal data of employees and former employees.
  • Does IBM still maintain archived data tapes with my personal data? After this data breach, I need to know whether or not IBM plans to continue to archive my personal data.
  • What processes is IBM using to protect my personal data? Assuming IBM continues to archive my personal data, I need to feel confident that my personal data is safe at IBM. Given the nature of IBM's data breach, I don't feel confident in IBM protecting my data.
  • What procedures has IBM put in place so that a data tape "loss" during transit doesn't happen again? Assuming IBM continues to archive my personal data, I need to know that IBM has made some type of effort so this incident doesn't happen again.
  • How long does IBM plan to archive my personal data? Assuming IBM continues to archive my personal data, there seems to be a point of diminishing usefulness. My data is 16+ years old and largely inaccurate. Destroying the data seems ideal, since it would eliminate the risk to IBM of future data breaches, and would reduce the risk to me.
  • Why does IBM archive records with personal data of former employees? It seemed odd for IBM to archive my personal data since I do not have a pension plan or retirement account with IBM. Nor am I on IBM's payroll, so there aren't any tax reasons to archive my personal data. The reasons IBM stated in their FAQ sheet ("...retains records of past employees for a variety of legal, tax, and other reasons, as well as to verify IBM employment when needed.") seemed vague and irrelevant to my situation. Plus, 16+ year-old data can't be very useful (or accurate) to verify employment.
  • Why did it take IBM 2.5+ months to notify me of their data breach? The data breach occurred in February 2007. IBM notified me in May. The 2+ month period was plenty of time for identity thieves to cause damage. I'd like to feel confident that in the future IBM will notify me in a timely and prompt manner.

Maybe readers of I've Been Mugged have questions for IBM. If so, it'd be great to hear your questions. If you have already discussed your questions with IBM, I'd love to hear both your questions and the answers you received from IBM.

Next entry: to shred or not to shred

Sunday, July 01, 2007

IBM, me, and identity theft

About May 2, 2007, I received a letter from IBM Corporation. It read in part:

We are writing because of an incident that has resulted in the loss of information relating to your IBM employment, as we wanted to inform you about what happened and explain steps IBM is taking to help protect you.

This letter was startling because technically, I never worked for IBM. During the late 1980’s, I’d worked for a company, Lotus Development Corporation, which IBM later bought during the mid 1990’s after I’d left Lotus. So, before reading the letter I was wondering why IBM’s Vice President of Human Resources had written to me.

The letter also read:

Recently, data tapes were lost while being transported by a vendor. Those tapes contained primarily archival IBM employment-related information, including Social Security numbers.

Yikes! The letter sent a chill through my spine. IBM had lost my most sensitive and valuable information including my social security number! I hadn’t heard anything about this in the news on TV or online. Now, despite my best efforts somebody else had lost my personal information, which was lost out there available to thieves!

Was I angry? You bet! The feeling is that I am now inconvenienced due to nothing I did, but due to the carelessness of somebody else. My attitude was (and still is), “You lost my data. Find it! And if you can’t, make it right somehow.”

After I calmed down, I continued to read the rest of the materials in the package IBM had sent. There was an application for pre-paid credit monitoring. (More about that in a future blog entry.) The package also contained a list of questions and answers. One item in particular stuck out:

When were the tapes lost? February 23, 2007.

Why did it take IBM more than two months to contact me? The letter didn't say anything specific beyond a vague description about "taking several weeks to investigate the incident." I can't imagine why it took IBM about 2 and a half months to investigate the theft and to notify me. My personal information could have been used during this long period. IBM's slowness with communicating affected my ability to protect myself against identity theft.

More questions for IBM. When I receive an answer I will post it on this blog.

Next entry: what's the big deal about identity theft?

  • George Jenkins, author of the I've Been Mugged Blog

  • © 2007 - 2008. George Jenkins. All Rights Reserved.