Data Breaches

Thursday, April 17, 2008

Hannaford Issues An Apology

I recently read this Associated Press news story:

"Hannaford supermarket shoppers are getting an apology in their shopping bags for a security breach that was announced two weeks ago. CEO Ron Hodge sent a message to customers online and through leaflets left in grocery bags. In the note, he apologizes for the "concern and inconvenience" that was created when 4.2 million credit and debit cards were potentially compromised. At least 1,800 cases of fraud have been reported. He says Hannaford stopped the theft and brought in top security experts to help us guard against any further attacks."

Since I don't shop at Hannaford, I read Hodge's apology at the company's web site. "Concern and inconvenience?" That seems to be an attempt to minimize a major data breach... to make it sound non-threatening or insignificant.

If your credit card number was stolen, then you probably got it replaced by your credit card issuer. Little problem there for consumers, but a major expense for credit card issuers.

If your debit card number was stolen, your bank probably issued a new checking account. There's the direct expense to the bank to issue a new checking account and debit card. There's also the time and work impact, since consumers have to set up their online banking with their new checking account. Plus, their bank may or may not have replaced any monies stolen from their checking account. I wouldn't describe that as "concern and inconvenience." And I doubt the identity theft victims view the incident as only a "concern and inconvenience."

At least Hodge had the good sense not to use in his statement the typical corporate double-speak (e.g., a lie) of "we have no indication that the personal data has been used for any improper purpose." There's no way to spin 1,800 fraud cases. Plus... theft is theft, and criminals will always attempt to use (or resell) stolen identity data.

The apology is nice but not enough. I understand a retailer's desire to do anything to get shoppers to continue shopping at their store. How about free credit monitoring and credit resolution for 10 years for identity theft victims? How about publication of Hannaford's revised data security processes so customers can feel confident about data security improvements so this doesn't happen again?

What a company does is more important than their words.

Apparently, several consumers agree. There are several class-action lawsuits claiming Hannaford didn't do enough to protect consumers' personal data. From the Times Herald-Record:

"Lawyers are seeking to consolidate about nine lawsuits into one federal class-action suit against Hannaford Bros... The motion to consolidate, which was filed in U.S. District Court in Bangor, Maine, on behalf of Greg Doherty and 'all others similarly situated,' charges Hannaford was negligent in not providing adequate data security and did not inform customers of the breach quickly enough. It seeks credit monitoring or similar protection, unspecified damages and attorneys' fees. Attorneys will have a better idea of the scope of damages when they nail down exactly how many card numbers were stolen, which may take some time, said Jon Lambiras, an attorney with the Philadelphia-based law firm Berger & Montague, one of several plaintiffs' firms involved in the lawsuit."

And, there are parallels to the TJ Maxx data breach:

"Hannaford's lack of proactivity is not unusual. Framingham, Mass.-based TJX, which owns stores such as TJ Maxx and Marshalls, offered no credit monitoring after a data breach exposed the personal information of some 45 million customers. It took a class-action lawsuit, filed by the same firm now suing Hannaford, to get credit monitoring."

Friday, April 11, 2008

TJX Companies Agrees To A Settlement With MasterCard

The financial consequences for TJX Companies after its data breach still keep mounting. Recently, CNN Money reported:

"Discount retailer TJX Cos. could pay as much as $24 million in a settlement Wednesday with MasterCard Inc. over a massive breach that exposed tens of millions of payment card numbers to hackers... The TJX agreement, which follows a similar $40.9 million pact in November with Visa Inc., hinges on banks that issue MasterCards agreeing to waive rights to sue TJX in exchange for being paid for breach-related costs."

It isn't over for TJX/TJ Maxx:

"Issuers of at least 90% of the MasterCard accounts identified as possibly being compromised in the breach must approve the agreement by May 2 for the settlement to take effect, Purchase, N.Y.-based MasterCard and Framingham, Mass.-based TJX said in separate news releases."

This should be a clear reminder to other retailers: adequately protect the personal data you collect about consumers!

Friday, April 04, 2008

20 Ways Wal-Mart Clinics Will Affect Health Care

In case you didn't notice, Wal-Mart recently entered the health care field by opening medical clinics. The company plans to open about 400 clinics by 2010 and 2,000 clinics by 2014. The company currently has about 60 in-store clinics.

I know that a lot of people really like Wal-Mart due to its low prices. However, it's interesting to read what nurses -- health care professionals -- have to say about how Wal-Mart clinics will affect health care:

  1. More immunizations
  2. Cheaper fees and flat-fee visits
  3. Faster care
  4. Automated health care: "At Wal-Mart clinics, practitioners check out patients with the aid of a proprietary computer program that diagnoses illnesses. This sort of automation can help make diagnosis more accurate and efficient, while still allowing for human expert guidance when needed."
  5. No insurance necessary
  6. Race to the bottom: "Wal-Mart tends to have this effect on local businesses, creating a situation where quality must be sacrificed for price. In the healthcare world, cheaper isn't always better, and competing with Wal-Mart clinics could result in decreased quality of care."
  7. One-stop shopping
  8. Primary care providers can narrow their focus: "As Wal-Mart takes on all of the sniffles and scratches, doctors can spend more time working with patients who need more professional help. They'll be able to use their time more effectively and appropriately."
  9. Automated health care could be problematic: "Although automation increases efficiency and reduces human error, that doesn't mean that a computer program is the best way to diagnose a patient. Critics are worried that this type of diagnosis will cause important intricacies to be missed."
  10. Eased emergency room crunches at hospitals
  11. More retail pricing information: "To compete with Wal-Mart, physicians will start sharing information about how much specific visits and procedures will cost. This can make health care more competitive and consumer-friendly."
  12. Better rural medical access
  13. Increased medical awareness
  14. Increased office hours
  15. Health clinics mean easier access to medical care
  16. Traditional medical offices will feel the crunch: "As Wal-Mart's clinics tackle the easy patients, regular health practitioners will be left with more complicated patients that take more time and money. These patients are generally less profitable, and could cause monetary problems for these offices."
  17. More referrals: Primary care physicians and specialists will see more referrals as Wal-Mart and others like it determine that some cases are too difficult to be handled by the clinic. This would include finding doctors and sharing medical records.
  18. Increased utilization of nurse practitioners
  19. Less red tape for known illnesses
  20. Decreased continuity of care

I've provided explanations for selected items above. The article contains full detail for all items. You'll quickly notice that not all of the impacts are positive.

Me? When it comes to my health, I am more interested in quality than the lowest cost provider. While Wal-Mart hasn't had any publicized data breaches (yet), I'll be looking. When a retailer leads the "race to the bottom" to lower costs, inevitably employees cut corners. I just hope for their customers' privacy, Wal-Mart doesn't cut corners on data security.

Thursday, April 03, 2008

Top Five Data Security Risks For Healthcare Organizations

ComplianceHome reported the results of a study by Absolute Software Corporation, a provider of computer theft recovery, data protection, and hardware tracking solutions. Absolute identified the five computer security risks health care facilities most often encounter that produce data breaches.

If you are a new I've Been Mugged reader, a data breach occurs when someone accesses personal data they are not authorized to access. Data breaches lead to identity theft and identity fraud. According to the article:

"Identity theft as a result of stolen or misplaced computers that contain sensitive information is an escalating problem. According to privacyrights.org, there were at least 46 US data breaches involving 62 stolen or lost computers at healthcare facilities in 2007, resulting in almost five million compromised identities."

That means that in 2007 alone, health care facilities (e.g., hospitals, health clinics, etc.) exposed the personal data of about five million consumers (e.g., patients, employees, former employees, contractors, etc.), making it easy for criminals to commit identity fraud. Absolute found these five computer security risks:

  1. "Failure to Protect Sensitive Data Beyond Encryption: According to the 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare organizations must encrypt electronic protected health information (EPHI) stored on open networks such as laptops... lost or stolen mobile computers cited as the cause of nearly 50% of data breaches..."
  2. "Inability to Accurately Manage Mobile Computer Assets: In order to achieve HIPAA compliance, healthcare organizations must be able to audit how many computers they have in their inventory, where they are assigned, who is logging into them, what software is installed and where the computer is physically located. However, recent studies show that most organizations are able to locate only 60% of their mobile computer assets."
  3. "Sensitive Information on Public Terminals: Many healthcare facilities allow public information to be accessed on open-air terminals, such as nursing stations, public information terminals and help stations."
  4. "Difficulty Implementing a Comprehensive Data Security Plan: Healthcare facilities need to institute a comprehensive data security plan to secure computing assets and sensitive information. Asset tracking and recovery software should be part of a comprehensive approach, which also includes cable locks, encryption software and secure passwords."
  5. "Reluctance to Create a Data Breach Policy: Few healthcare facilities have 'nightmare scenario' policies in place should a data breach occur. In the event of a data breach, there should be a standard procedure in place for timely notification of supervisors, law enforcement, patients and the media."

If I had to sum up this situation, it seems that too many health care facilities are in denial about protecting the sensitive data they archive, including tracking who has what equipment and having a process to resolve things when a data breach happens. What a pathetic state of security! Something to keep in mind the next time you visit a hospital as a patient or as a job applicant.

Tuesday, March 25, 2008

Hannaford Data Breach

The Hannaford Brothers grocery chain has received a lot of attention during the last week. On March 18, the Boston Globe reported:

"Hannaford Bros. supermarket chain yesterday said a breach of its computer system potentially exposed 4.2 million credit and debit card numbers and has led to about 1,800 fraud cases to date. The data breach affected customer cards used at more than 270 stores in states including Maine, Massachusetts, New Hampshire, New York, and Vermont, Hannaford said, and lasted from December until early March. The Secret Service is investigating, said spokesmen for Hannaford and the federal agency."

There's no getting around the fact that 4.2 million debit card and credit card numbers are a lot. Not as many as the TJX/TJ Maxx breach and data security debacle, but a lot nonetheless. Hannaford's response:

"A Hannaford spokeswoman, Carol Eleazer, said the company is still investigating the specifics of how data was taken..." In a statement posted to Hannaford's website, chief executive Ronald C. Hodge wrote that the data "was illegally accessed from our computer systems during transmission of card authorization."

During the transmission? An MSNBC report on March 20 seemed to best explain this:

"While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit. "Catching data on the move is a bit more challenging," said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. He compared it to robbing a truckload of merchandise: It's easier when the vehicle is parked than when it's zooming down a highway."

Okay, I get it: identity criminals are computer-savvy and smart enough to find holes in computer systems to hack into. The criminals are also fast: within a month they generated at least 1,800 reports of identity and credit card fraud. The MSNBC article also highlighted two important points about the Hannaford data breach. First:

"But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards. For one thing, Hannaford said this sensitive data were exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval."

Second:

"... that Hannaford was found — while the hack was still going on last month — to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies. The PCI group sets rules governing such issues as how employees should be screened and precautions against hackers, but it does not audit companies like Hannaford to ensure compliance. That is performed by outside assessors. The identity of Hannaford's auditor was not disclosed."

This is important because:

"The fact that Hannaford could be considered up to snuff and yet still be vulnerable to a big heist raised questions about whether other merchants — and by extension, their customers — are falsely confident about their security."

The MSNBC article added:

"... the [PCI] standards require companies to encrypt data that travels over computer networks "that are easy and common for a hacker to intercept." Whether certain internal networks are "easy and common" to crack is a matter of judgment... Hannaford would not discuss specifics of its security system, so it was unclear to what extent its stores encrypted payment data throughout the transmission process."

That's just peachy. First, compliance with the rules is no guarantee of security. Second, the rules are loose enough to allow retailers to cut corners and not encrypt our sensitive personal data throughout the retailers' entire data transmission process. Why?

"But in practice, encryption often goes unused at certain points in a data-processing chain because the computing power it requires can slow down transactions, especially on older hardware."
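The passages above describe card data that is encrypted on some network links but not "throughout the transmission process," with encryption skipped at certain points in the processing chain. As an added illustration (not code from the original post, nor from Hannaford, PCI or any processor), the following Python models a card authorization message travelling terminal -> store server -> processor -> bank, once with only per-link (hop-by-hop) encryption and once with end-to-end encryption applied at the terminal, and reports which hops hold the card number in the clear. The hop names, keys and card number are constructed for the example; the cipher is a toy HMAC-SHA256 keystream used only so the example runs offline with the standard library, not a construction to use for real card data.

```python
"""Hop-by-hop vs end-to-end encryption of a card authorization message.

Constructed example: hop names, keys and the test card number are made up,
and the cipher below is a toy keystream (HMAC-SHA256 in counter mode, no
authentication tag) used only so the demonstration runs with the standard
library. It is not a construction for protecting real payment data.
"""
import hashlib
import hmac
import os

BLOCK = 32  # bytes produced per HMAC-SHA256 call
NONCE_LEN = 16


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from HMAC(key, nonce || offset)."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext (toy cipher, illustration only)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor_keystream(key, nonce, plaintext)


def toy_decrypt(key: bytes, data: bytes) -> bytes:
    nonce, ciphertext = data[:NONCE_LEN], data[NONCE_LEN:]
    return _xor_keystream(key, nonce, ciphertext)


# Constructed keys: one per network link (transport encryption) and one
# shared only by the terminal and the bank (end-to-end encryption).
HOPS = ["terminal", "store_server", "processor", "bank"]
LINK_KEYS = {
    ("terminal", "store_server"): b"constructed-link-key-1",
    ("store_server", "processor"): b"constructed-link-key-2",
    ("processor", "bank"): b"constructed-link-key-3",
}
E2E_KEY = b"constructed-terminal-to-bank-key"


def run_authorization(message: bytes, end_to_end: bool) -> dict:
    """Carry `message` from the terminal to the bank across HOPS.

    Every link is transport-encrypted, and each receiving hop terminates
    that transport encryption (decrypts) before forwarding, which is the
    hop-by-hop pattern. With end_to_end=True the terminal additionally
    encrypts the message under a key only the bank holds, so intermediate
    hops forward ciphertext they cannot read.

    Returns the bytes each hop beyond the terminal held in memory.
    """
    current = toy_encrypt(E2E_KEY, message) if end_to_end else message
    seen = {}
    for sender, receiver in zip(HOPS, HOPS[1:]):
        link_key = LINK_KEYS[(sender, receiver)]
        on_the_wire = toy_encrypt(link_key, current)
        current = toy_decrypt(link_key, on_the_wire)  # transport ends here
        seen[receiver] = current
    if end_to_end:
        seen["bank"] = toy_decrypt(E2E_KEY, seen["bank"])  # only the bank can
    return seen


def pan_exposed_at(seen: dict, pan: bytes) -> list:
    """Names of hops whose in-memory view contains the card number."""
    return [hop for hop, view in seen.items() if pan in view]


if __name__ == "__main__":
    pan = b"4111111111111111"  # standard test card number, not a real account
    msg = b"AUTH pan=" + pan + b" exp=1209 amount=4250"
    print("hop-by-hop only:", pan_exposed_at(run_authorization(msg, False), pan))
    print("end-to-end:     ", pan_exposed_at(run_authorization(msg, True), pan))
```

With hop-by-hop encryption alone, the store server and the processor each hold the card number in the clear between decrypting one link and encrypting the next, which is exactly the "certain points in a data-processing chain" where an intruder on the merchant's side would find readable data. With encryption applied at the terminal under a key only the bank holds, the same intermediate systems handle only ciphertext, so compromising them yields nothing usable.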

One industry expert emphasized as a solution:

"... the biggest lesson is that the banking industry needs to make it harder for thieves to put stolen credit card data to use. Requiring PINs on credit card transactions would remove 75 to 90 percent of the fraud in the system."

InformationWeek reported:

"A retailer's [PCI] compliance status matters: The penalties for noncompliance are significant, and the card brands can fine the retailer while also raising the transaction fees levied for each credit or debit card transaction. A finding of noncompliance also will be potent ammunition for inevitable lawsuits. The big loser: consumers."

Yes, we consumers are the big loser. We consumers end up paying:

  • Higher credit card fees and/or higher interest rates from credit card issuers to cover their expenses to issue replacement cards and accounts. While identity theft victims enjoy the $50 credit card liability limit, credit card issuers cover their identity theft expenses by charging higher fees and rates to all credit card holders.
  • Higher banking fees, because banks must issue replacement debit cards and accounts. A few generous banks may also replace the stolen monies. Banks charge higher fees, and fees on a wider range of transactions, to cover their identity theft expenses, too.

In my opinion, the consequences and fines for retailers still aren't severe enough. In both scenarios above, the companies pass along their increased costs to consumers. While replacement credit cards with a $50 maximum liability are great, one year of free credit monitoring for identity theft victims isn't enough.

The good news just kept coming. More stores were affected by the Hannaford breach. Also on March 20, the Albany Times Union reported:

"Independent stores in Ravena and Schaghticoke affiliated with Hannaford were also affected by the recent hacking of customer credit card numbers, the Scarborough, Maine-based supermarket chain said today. The company’s Web site lists more than 20 independents around the Northeast that had credit card information stolen as a result of the security breach. Hannaford supplies the Ravena and Schaghticoke stores, which operate under the Shop ‘n Save name, but does not own them. In September, Hannaford purchased formerly independent stores in West Sand Lake and Voorheesville."

Several class-action lawsuits have already been filed against Hannaford in New Hampshire, Maine and Pennsylvania. What's a consumer to do?

  1. Contact your bank and credit card issuer, if you shopped and paid with plastic at Hannaford between Dec. 7, 2007 and March 10, 2008.
  2. If you continue to shop at Hannaford, use your credit card and not a debit card to get the best protections. Or use cash.
  3. If you are a Hannaford identity theft victim, read closely any correspondence you receive from the company. File a police report for any monies stolen or abuse of your financial accounts. Place a Fraud Alert on your credit reports. Monitor your credit reports closely for abuse, since criminals may use your stolen personal data to try to take out new credit in your name. If Hannaford offers free credit monitoring, accept their offer if you don't already have a credit monitoring service. Watch the news to see if you qualify for any of the class-action lawsuits.
  4. Read the I've Been Mugged blog. During the coming weeks, I will post on this blog reviews of several credit monitoring services. There is a link at the top of the right column to sign up for alerts via e-mail.

Tuesday, March 18, 2008

'Amazing Amount Of Sensitive Data' Stolen During Pentagon Data Breach

In case you have been distracted by what passes as news: Britney Spears, Lindsay Lohan, the Mills-McCartney divorce, which celebs have a baby bump, American Idol, college basketball, and/or the Spitzer sex scandal -- you should know that the Pentagon, perhaps the most important U.S. military facility, suffered a data breach. On March 6, London-based The Register reported:

"A network intrusion at the Pentagon nine months ago resulted in the theft of an "amazing amount of data" that continues to pose a threat to national security, the CIO of the Defense Department said earlier this week... Over the course of two months leading up to the attack, malicious code infiltrated several systems belonging to the Pentagon's network and culminated in an exploit of a known Microsoft Windows vulnerability, Clem said. That allowed attackers to send spoofed emails that appeared to come from Pentagon personnel in Clem's division."

In the war on terror, the Pentagon is one facility you know our enemies will attack... repeatedly. And it's one facility where you definitely don't want a data breach, so you plan for that. Dennis Clem, the CIO of the Office of the Secretary of Defense (OSD), said:

"This was a very bad day... "We don't know when they'll use the information they stole, [which was] an amazing amount."

The Government Executive publication reported:

"A June 2007 network intrusion at the Pentagon resulted in the theft of an "amazing amount" of data, and the incident remains a national security concern, a top Defense Department technology official said this week. The Office of the Secretary of Defense detected malicious code in various portions of its network infrastructure while consolidating information technology resources in the middle of last year. Over the course of two months, the code infiltrated multiple systems, culminating in an intrusion that created havoc by exploiting a vulnerability in Microsoft Windows... spoofed e-mails containing recognizable names were sent to OSD employees. When they opened the messages, user IDs and passwords that unlocked the entire network were stolen; as a result, sensitive data housed on Defense systems was accessed, copied and sent back to the intruder."

The government's response to the cyber attack:

"The portion of the network infrastructure under assault was shut down soon after the attack was detected. Recovery, which took three weeks and cost $4 million, involved the introduction of a new process of "checking out" temporary IDs and passwords for access to the network, stricter requirements about the use of common access cards for identity verification, and introduction of digital signatures to ensure that information comes from a valid source."

Interestingly, about a week later the Wall Street Journal reported:

"The top U.S. commander in charge of cyberspace said that American military networks are coming under increasing attack from hackers seeking to steal classified information, and that many of the incidents appear linked to China. Gen. Kevin Chilton, who heads the military's Strategic Command here, stopped short of formally accusing Beijing of responsibility for the attacks. But he said there was significant evidence to suggest that China was behind many of the incidents... In a report released earlier this month, the Pentagon said that the Chinese People's Liberation Army was expanding its military power from 'the land, air and sea dimensions of the traditional battlefield into the space and cyber-space domains.' "

Meanwhile, this ad has appeared on network television:

Monday, March 17, 2008

Data Breach At Harvard University

Several news sources have reported a data breach at Harvard University. From ABC News:

"... at least one hacker launched an attack on a computer server at Harvard University, potentially viewing the personal information of up to 10,000 graduate students and applicants to the Graduate School of Arts and Sciences and posting some of the information on the Web. Harvard officials began notifying thousands of students and applicants this week... According to Harvard chief information officer Dan Moriarty, an attack was launched Feb. 16 on a server that contained summary information from applications for prospective students as well as the housing information of current students. About 6,600 of those applications included Social Security numbers. Some of the information on the server was copied and ultimately posted on The Pirate Bay, a well-known bit torrent Web site where people can download movies and music."

The Chronicle Of Higher Education reported:

"Harvard has sent notices to all affected people and is offering, at the university’s expense, to help them obtain credit reports, set up credit-monitoring services and fraud alerts, and take other steps to guard against identity thieves."

If that's all Harvard is offering, then Harvard's identity theft victims aren't getting much. First, free credit reports are already available online for consumers. Second, the credit bureaus already provide free Fraud Alerts for consumers. There is some value in free credit monitoring services, provided the services include flexible and timely alerts, access to credit reports throughout the year, two or more years of free service, and credit restoration services.

Since news stories don't provide much detail about the credit monitoring services offered, I checked the Harvard news release:

"In situations where applicants’ Social Security numbers or Harvard University ID numbers may have been accessed, the notifications provide contact information for free use of the services provided by Kroll Inc. At Harvard’s expense, Kroll is helping potentially affected persons obtain copies of their credit reports, set up credit-monitoring services and fraud alerts, and take other steps to protect themselves."

That is good news. Harvard is offering its identity theft victims credit restoration services from Kroll. The restoration service helps identity theft victims clean up accounts that have been taken over or new accounts established by criminals. The monitoring service helps identity theft victims check their credit reports frequently to discover abuse as soon as possible. I hope that all of Harvard's identity theft victims take advantage of both services.

While 10,000 records is a sizable data breach, other colleges and universities have had far larger data breaches:

  • George Mason University: January 2005: 32,000 records
  • University of California at Berkeley: March 2005: 98,400
  • Boston College: March 2005: 120,000
  • Tufts University: April 2005: 106,000
  • University of Hawaii: June 2005: 150,000
  • University of Connecticut: June 2005: 72,000
  • University of Utah: August 2005: 100,000
  • University of Colorado: August 2005: 49,000
  • Kent State University: September 2005: 100,000
  • Metropolitan State College (Denver): March 2006: 93,000
  • Georgetown University: March 2006: 41,000
  • University of Texas McCombs School of Business: April 2006: 197,000
  • Ohio State University: April 2006: 300,000
  • Western Illinois University: June 2006: 180,000
  • University of Tennessee: July 2006: 36,000
  • University of California at Los Angeles: December 2006: 800,000
  • University of Idaho: January 2007: 70,000
  • East Carolina University: February 2007: 65,000
  • Community College of Southern Nevada: May 2007: 197,000
  • University of Colorado at Boulder: May 2007: 45,000
  • Georgetown University: January 2008: 38,000

There are many more smaller data breaches at colleges and universities. Some schools don't announce the number of total records exposed. In my opinion, academia as a whole still does a poor job with data security. It'll be interesting to see if the number of records exposed in Harvard's data breach remains at 10,000 or goes up.

[Editor's note: in the interest of full disclosure, from 1992 to 1997 I worked in Baker Library at the Harvard Business School as a business analyst researching business and economics topics.]

Friday, March 14, 2008

Woman Claims Salem Clinic Mishandled Patient Records

Portland, Oregon-based KATU reported the following about the Salem Clinic:

"The records of some patients were apparently included in an employee handbook, according to an ex-employee. A former worker, who wishes to remain anonymous, told KATU News that everything from actual Social Security numbers to records revealing patient's ailments were part of the clinic's training binder. She also said employees were allowed to take the handbooks home. The woman said she was fired after pointing out the problem on Wednesday."

If true, this is a big data breach. It just shouldn't happen in a well-managed company. It is wrong in several ways.

First, the whistle blower should not lose their job after a company's data breach. Second, a training handbook that the company knows will be taken home should contain only fake or dummy patient records, never real ones.

I hope that the Salem Clinic gives all of the data breach victims at least 5 years of free credit monitoring services. I'm sure an enterprising lawyer will represent the former employee.

Wednesday, February 20, 2008

Clients Should Be Informed By Companies of Data Breaches

From the Charleston Daily Mail:

"A survey of AARP members in West Virginia shows that a majority of them want laws requiring companies to notify clients of security breaches on their personal information. Under existing law, businesses do not have to contact clients if they lose or compromise any of their personal data."

The survey by AARP West Virginia included 1,000 members, of whom 90% participated. Additional survey results:

"... 70 percent of members would be likely to vote for a candidate supporting such a measure, said Ginger Thompson McDaniel, associate state director of AARP West Virginia."

About 40 states have data breach notification laws requiring companies to notify consumers. Many feel there should be a national law requiring both breach notification and penalties. This makes sense to me, since state laws vary regarding penalties.

Tuesday, February 19, 2008

Verizon FiOS Lax On Consumers' Data Security

How would you feel if every time you accessed your account profile from your Internet Service Provider, you saw somebody else's sensitive personal data? And how would you feel if that person saw your sensitive personal data, at the same time?

The Consumerist blog reported that this happened with a Verizon FiOS customer. FiOS is Verizon's new fiber high-speed Internet service:

"Andru had this problem where whenever he logged into his Verizon FiOS account, he saw the personal information on some other guy's account. When he contacted the guy, the other guy said he saw Andru's info as well. Over eight months of broken promises by Verizon and the problem wasn't solved. So Andru blogged it. Once it started getting internet attention, Andru got two calls and several emails from Verizon people and a Verizon exec ended up having a tech stay on the line with Andru for an hour getting it fixed."

Wow! What sloppy and shoddy customer service! Events like this reinforce the perception that companies don't take consumers' data security seriously enough. Yes, Verizon finally fixed the problem, but it took them eight (8) months. Yeah, you read that correctly. 8 months, not 8 weeks, and definitely not 8 days.

Yes, Verizon finally compensated Andru for his troubles with 10 months of free FiOS service (worth about $1,500), but a consumer should not have to go to this much effort to get a company to fix a data security problem.

Thursday, February 14, 2008

Credit Monitoring Service Arranged By Horizon BCBS of New Jersey Covers Minors

An I've Been Mugged reader sent me this notice from Horizon Blue Cross Blue Shield of New Jersey. While there seems to be a corporate data breach every month involving laptop computers, this notice caught my attention because it is the first credit monitoring service I've seen after a corporate data breach which covers minors.

Recently, there have been several high-profile data breaches where the sensitive data of minors was stolen or exposed, along with the sensitive data of the adult employees, former employees, and/or customers. In January 2008, InformationWeek magazine reported the data breach at Horizon BCBS of New Jersey involving yet another stolen laptop computer:

"Horizon Blue Cross Blue Shield of New Jersey has notified its members that an employee laptop computer containing personal information -- including Social Security numbers -- for about 300,000 individuals was stolen in early January... On its Web site, the company says a "security feature was initiated" on Jan. 28 that "destroys all the data on the stolen computer." Horizon Blue Cross Blue Shield of New Jersey says the personal information contained on the computer also included names and addresses of members, but no medical data."

Why do employees insist on placing such large amounts of sensitive data on laptops? This is not a good data security habit. I can't imagine what application requires 300,000 customer records on a single laptop. 30 records sounds reasonable. 300 records sounds like a stretch. 300,000 records is just ridiculous. It gives the impression that Horizon does not train (and has not trained) its employees on effective data security practices.

The good news here is that Horizon notified its members promptly, within 30 days. (Contrast that with IBM, which took over 2 months to notify me and others.) And parents can monitor their children's credit reports. Sadly, identity thieves abuse minors' sensitive personal data in the same ways as adults'.

However, like most other companies, Horizon offered its ID-theft victims, including minors, only one year of free credit monitoring service. Horizon arranged its credit monitoring service offer with the Family Secure service, operated by the Experian credit bureau.

Horizon is free to arrange credit monitoring service with whichever provider it chooses. Some may consider one year of free credit monitoring service an example of good corporate responsibility; I do not.

The risk period during which identity thieves can abuse this personal information is far longer than one year. Regardless of what Horizon says in its data breach letter, the ID-theft victims have to plan for the worst and monitor their credit reports indefinitely... far longer than one year.

Horizon's ID-theft victims should also place a Security Freeze on their credit reports. (Not a Fraud Alert, but a Security Freeze. There is a huge difference.) With only one year of free credit monitoring, Horizon has shifted the risk and financial burdens from itself to its members.

That's an example of not being a responsible corporate citizen.

Thursday, January 31, 2008

No Updates From IBM At Its Web Site About Its February 2007 Data Breach

Every few weeks, I check IBM's employee web site for any updates about the company's February 2007 data breach. So far, IBM has not updated the site page. It contains the same content it did when I first visited the site in May 2007 -- eight months ago.

I had hoped that the site would have included updates about the status of the breach and data tape investigation. Maybe IBM will have recovered some or all of the "lost" data tapes by now? Or maybe the investigation might have uncovered some corrupt employees or vendor employees? I had hoped that IBM would have communicated more frequently with the identity-theft victims its breach created.

I am still hoping that during the next few months IBM will update the site with information about extending the credit monitoring service with Kroll after the year of free credit monitoring ends. Who knows, maybe the term of free credit monitoring will be extended.

It's hard to know what's going on with IBM since the page displays the same stale information it did in May 2007. Various news reports have reported that IBM cut the base pay of many employees by 15% after settling various class-action lawsuits which claimed that the company denied the workers overtime pay by illegally classifying them as exempt instead of hourly. Apparently, the pay cuts extend beyond the original group of employees identified in the class-action lawsuits.

Sounds like an attempt by IBM to play hard-ball.

Sunday, January 27, 2008

Top 10 Technology Flops of 2007

Now that 2007 has come and gone, the TechRepublic blog listed the Sanity check: The 10 biggest technology belly flops of 2007. The highlight is that a company's data breach was number one on the list. Guess which company? Before you rush out and buy your favorite DVD movie on the Blu-Ray format, see number 10 in the list.

Wednesday, January 23, 2008

Treat Consumers' Personal Data Like "Nuclear Fuel"

Since I started this blog in July 2007, I've consistently argued that the risk period for consumers is very long after their personal data has been exposed, especially after a corporate data breach. This applies to breaches of birthdates and Social Security numbers, not credit card account numbers. According to an article in the Guardian Unlimited:

"We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back."

While this description sounds extreme, I have to agree with it. IBM lost my personal data in February 2007, and my personal data, along with that of all the other identity-theft victims, is just as valuable today as it was a year ago. Identity thieves can open accounts, get loans, or get government identification with it. This is why I also lobby for far longer periods than one or two years of free credit monitoring services from companies that have a data breach. The risk period is long.

In the article, Cory Doctorow writes not just about the descriptive data (name, birthdate, SSN), but about all of the usage data attached to it:

"Data is acquired at all times, everywhere. For example, you now must buy an Oyster Card if you wish to buy a monthly travelcard for London Underground, and you are required to complete a form giving your name, home address, phone number, email and so on in order to do so. This means that Transport for London is amassing a radioactive mountain of data plutonium, personal information whose limited value is far outstripped by the potential risks from retaining it... All these people could potentially be identified, located and contacted through the LU data. We may say we've nothing to hide, but all of us have private details we'd prefer not to see on the cover of tomorrow's paper."

You're probably wondering how long entities should be allowed to keep this personal data. When should it be destroyed? Given the increasing capacity of digital storage, that seems to be a worthwhile conversation to have in the USA, too. Regarding privacy, Doctorow argues:

"A century is probably a good start, though if it's the kind of information that our immediate descendants would prefer to be kept secret, 150 years is more like it. Call it two centuries, just to be on the safe side. If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor... And what's worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government's personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror. The best answer is to make businesses and governments responsible for the total cost of their data collection."

The last sentence above is key. Entities, corporations or government agencies, decide to store personal data for long periods of time because it benefits them -- financially or otherwise. If they are going to enjoy those benefits, then it's fair for them to also accept the risks and costs. And the cost includes credit monitoring for consumers after their data has been exposed during a data breach.

Free credit monitoring for one year is not acceptance of the cost, in my view. Not even close. 15 or 20 years of free credit monitoring is far closer to the goal.

Monday, January 21, 2008

Iron Mountain Can't Find A GE Money Data Tape With Records For 650,000 Consumers

Stuff like this isn't supposed to happen to a company whose core business is data security and storage. InformationWeek reported last week:

"Iron Mountain can't find a backup tape belonging to GE Money that contains the personal information of some 650,000 customers of J.C. Penney and about 100 other retailers. GE Money handles credit card processing for the affected retailers. The missing data includes about 150,000 social security numbers, according to an Associated Press report. GE Money requested the backup tape from an Iron Mountain vault in October, according to a statement issued by Iron Mountain. When the tape could not be located, Iron Mountain personnel began looking for it. The tape remains unaccounted for."

I've seen this play before. In February 2007, IBM exposed my personal data when its transportation vendor lost backup data tapes. IBM refused to disclose the number of records exposed, and never fired the transportation vendor. We'll see what GE Money does. At least GE Money disclosed the number of records exposed.

When things like this happen, I wonder if it's an inside job. The tape has been missing since at least October 2007. Data protection is supposedly Iron Mountain's core business. From Iron Mountain's web site:

"With over 30 years of experience, Iron Mountain delivers the most reliable, battle-tested, data protection and recovery solutions available - from offsite tape vaulting and archiving to server and PC data backup, email continuity, and disaster recovery."

A disaster? Yes. Reliable? Apparently not. Backup data tapes shouldn't go missing. Senior management heads at Iron Mountain need to roll. If you received a breach notification letter about this, let us know in the Comments section below what the breach notification letter said. I've Been Mugged readers want to know.

Wednesday, January 16, 2008

TSA Web Site Puts Travelers At Risk of Identity Theft

If you fly on commercial airlines, then you are aware of the constantly changing security rules. If you have a complaint about a travel experience, you can submit it to the airline or to the Transportation Security Administration (TSA). According to the Washington Post newspaper:

"A government Web site designed to help travelers remove their names from aviation watch lists was so riddled with security holes that hackers could easily have stolen personal information from scores of passengers, a congressional report concluded yesterday. Thousands of people used the Web site, and as many as 247 submitted detailed personal information between October 2006 and last February, the report says."

And, it gets worse. It looks like the fix was in:

"Congressional investigators raised concerns about a conflict of interest in how the no-bid contract to create the Web site was awarded. The TSA employee who framed many of the contract's requirements and was in charge of overseeing the site was once employed by the firm that was awarded the contract -- Desyne Web Services, a small firm in Boston, Va. -- and socialized with members of the company... The TSA continues to use Desyne on various projects, the report said, and has awarded the company no-bid contracts worth about $500,000."

You can download the House Oversight report. I spent some time at Desyne's web site. I've seen better-designed web sites with better-designed navigation elements. I found the current TSA web site difficult to use and poorly organized. (Note: As an Information Designer in my day job, my role is to architect clients' web sites so they are easy to use from a user's point of view.)

The TSA has a history of producing less-than-optimal web sites. In his Surveillance State blog, Chris Soghoian described his experience with the TSA site:

"This site had a number of security vulnerabilities: it was not hosted on a government domain; its home page was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers... The site was only taken down after I discovered it in February 2007 and posted something to my blog. Shortly after, Wired and a number of other sites picked up the story, and TSA was shamed into pulling down the site."

No matter how the TSA representative tries to spin an answer, a no-bid contract isn't right. It doesn't smell right, either. We citizens aren't getting the best value for our dollars, either.
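The four flaws Soghoian lists are the kind of thing a site owner can check before launch rather than after a blogger finds them. Below is an added example, not code from the original post, the House report, or Soghoian, that audits constructed sample pages for three of those flaws: a page served over plain HTTP, a form that submits its fields over plain HTTP, and a host that is not under a government (.gov) domain. Certificate validity, the fourth item, needs a live TLS connection and is not covered here. The URLs and HTML in CONSTRUCTED_PAGES are invented for the example; the ".gov" suffix is an assumption standing in for "a government domain."

```python
"""Audit HTML pages for the transport-security problems described in the TSA
redress-site report: pages served over plain HTTP, forms that post personal
data over plain HTTP, and a site hosted outside the expected government domain.

Added example. The pages in CONSTRUCTED_PAGES are constructed, not the real site.
Uses only the standard library so it runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in a page ("" if absent)."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.forms.append(dict(attrs).get("action") or "")


def audit_page(page_url, html, expected_domain_suffix=".gov"):
    """Return a list of human-readable findings for one page.

    Checks: (1) the page itself is served over https, (2) the host is under the
    expected domain suffix, (3) every form on the page submits over https once
    its action URL is resolved against the page URL.
    """
    findings = []
    parsed = urlparse(page_url)
    host = parsed.hostname or ""

    if parsed.scheme != "https":
        findings.append(f"page {page_url} is served over {parsed.scheme}, not https")

    if not host.endswith(expected_domain_suffix):
        findings.append(f"host {host} is not under {expected_domain_suffix}")

    collector = FormActionCollector()
    collector.feed(html)
    for action in collector.forms:
        # An empty or relative action inherits the page's scheme and host;
        # an absolute http:// action downgrades the submission even on an https page.
        target = urljoin(page_url, action)
        if urlparse(target).scheme != "https":
            findings.append(f"form on {page_url} submits to {target} over plain http")

    return findings


# Constructed sample site: a home page over plain HTTP on a non-government host,
# a complaint form whose action downgrades to HTTP, and one correctly hosted page.
CONSTRUCTED_PAGES = {
    "http://redress-example.com/":
        '<html><body><a href="/complaint">File a complaint</a></body></html>',
    "https://redress-example.com/complaint":
        '<form method="post" action="http://redress-example.com/submit">'
        '<input name="name"><input name="ssn"></form>',
    "https://www.example.gov/redress/":
        '<form method="post" action="/redress/submit"><input name="name"></form>',
}


def audit_site(pages=CONSTRUCTED_PAGES, expected_domain_suffix=".gov"):
    """Audit every page and return {url: [findings]}."""
    return {url: audit_page(url, html, expected_domain_suffix)
            for url, html in pages.items()}


if __name__ == "__main__":
    for url, findings in audit_site().items():
        print(url)
        for f in findings or ["no findings"]:
            print("  -", f)
```

Pointing audit_page at real, fetched HTML is a one-line change (pass the response body as html); the action-resolution step matters because a form with a relative action looks safe in the source but still posts over whatever scheme the page itself was loaded with.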

Wednesday, January 09, 2008

Sears Is Sued for Data Breach

After news reports documented how Sears' ManageMyHome.com site exposed customer purchase data to the public (i.e., any web-site visitor who requested it), a New Jersey resident has filed a $5 million class action lawsuit against the retailer. According to the InformationWeek article:

"In a complaint filed on Friday in Cook County, Ill., where Sears has its headquarters, plaintiff Christine Desantis alleges that the company's exposure of customer data represents a breach of contract and a violation of the Consumer Fraud Act. The $5 million sought is to cover payments to affected consumers and attorneys, and the cost of injunctive relief; no individual is seeking more than $75,000, according to the legal filing."

The lawsuit argues that Sears failed to take reasonable steps to protect consumers' private data.

Friday, December 21, 2007

Visa Fines Ohio Bank $880 Thousand

[Author's note: the title has been corrected and "Million" replaced with "Thousand."]

From the Boston Globe newspaper:

"Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc. several years ago, a court filing shows."

This news story is interesting because banks, retailers, and credit-card firms (e.g., Visa and MasterCard) have recently fought about data security issues and who pays the costs when credit cards must be re-issued to consumers after a retailer's data breach:

"Visa had threatened to levy fines when merchants didn't meet a Sept. 30 deadline to upgrade their systems to current security standards that spell out requirements like keeping data behind firewalls and using robust encryption systems for their wireless networks. By Visa's most recent count in October more than a third of the largest US stores didn't meet the requirements."

What makes these fines even more interesting:

"Technically, Visa and MasterCard can't fine merchants directly but rather levy penalties on banks the merchants pay to process transactions when customers pay with plastic... That Fifth Third was previously fined suggests the bank should have known better than to tolerate the issues at TJX..."

What caught my attention in this news story was a certain computing company mentioned:

"Details of the fine against Fifth Third in the BJ's case came in previous litigation in Pennsylvania filed against the bank, BJ's, and IBM Corp. by a Pennsylvania credit union seeking to recover the costs of replacing compromised cards."

Reportedly, Fifth Third was the fifth-largest processor of bank card transactions for merchants. That's about 2.5 billion bank credit card and debit transactions worth about $137 billion in 2006. Fifth Third operates more than 1,150 bank branches in the Midwest and Florida.

Tuesday, December 18, 2007

TJX Settles Visa Suit About Data Breach

According to Consumer Affairs:

"TJX Companies Inc., the corporate parent of retail chains T.J. Maxx and Marshalls, has reportedly agreed to a $41 million settlement with Visa in connection with a massive data security breach."

You can read more about this at Reuters, the Boston Globe, and CNN Money. According to CNN:

"In return, Visa will suspend and rescind a portion of the data breach fines it levied on the retailer's U.S. acquirer that remain eligible for appeal. At least 80 percent of the eligible Visa issuers must accept by Dec. 19 for the settlement to finalize."

You may remember that the TJX breach happened in 2006 (some say 2005) and wasn't reported until the end of 2006. Initially, some 45 million records were reported stolen, but the estimate was later raised to about 90 million records. According to the news report, the credit-card-issuing companies incurred about $65 to $80 million in expenses to replace consumers' stolen credit cards. Obviously, the card issuers want to be reimbursed by TJX for those expenses, since TJX was lax about its data security. If the banks and card issuers have to absorb this expense, then everyone else will effectively pay for TJX's lax data security through higher credit card fees and rates.

Monday, November 26, 2007

When Heads Must Roll (UK Data Breach)

Last week, BBC News reported:

"Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people."

Yes, you read that correctly. Not some families, but all families with children under 16. The missing (probably stolen) data covers sensitive details about 7.25 million families. The disks were lost during transport from HM Revenue and Customs (HMRC) to the National Audit Office (NAO). According to the New York Times:

"... the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16."

While this data breach was not as big as the TJX/TJ Maxx breach, it was still a catastrophic data security lapse. The delivery package was neither recorded nor registered. The data was password protected but not encrypted. The timeline reported by the BBC:

"The data was sent on 18 October and senior management at HMRC were told it was missing on 8 November and the chancellor on 10 November. Mr Darling said banks were adamant that they wanted as much time to prepare for his announcement as possible."

It would seem that both companies and government agencies in the United Kingdom are slow to inform their identity theft victims, just like in the United States. Gil Sever, the CEO of Safend, described clearly the HMRC data breach:

"This is a glaring and unfortunate example of what happens when organizational policy is not followed and enforced and adequate technological safeguards are not utilized... HMRC's data security issue was twofold: first, the information was stored on a vulnerable medium with inadequate protection. Secondly, there was no monitoring procedure to track or record where the data was going or how it was being accessed."

Gee, that sounds a lot like IBM's data breach. Appropriately enough, heads began to roll at the HMRC:

"HMRC chairman Paul Gray resigned earlier after the latest incident came to light."

To my knowledge, nobody at IBM lost their job after IBM's data breach. Not even the delivery vendor that lost IBM's data tapes was fired. Where's the accountability? The consequences?


  • George Jenkins, author of the I've Been Mugged Blog
