[Dataloss] Rogers data on clients found in lot

Dianne Murray murray.dianne at gmail.com
Mon Apr 9 21:02:48 UTC 2007 

http://www.theglobeandmail.com/servlet/story/RTGAM.20070409.wgtrogers09/BNStory/Technology/?cid=al_gam_nletter_dtechal

Rogers blames outside employee after client data found unsecured
Hundreds of customer order forms containing sensitive personal
information discovered in Toronto parking lot

JEFF GRAY

Globe and Mail Update

Rogers Communications Inc. was blaming a rogue employee at a company
it hired to sell cable TV and high-speed Internet access after
hundreds of customer order forms containing sensitive personal
information turned up in a downtown Toronto parking lot.

"We are investigating this internally," Taanta Gupta, the company's
vice-president of communications, said yesterday after reports of the
breach and concerns about the danger of identity theft surfaced in the
media.

She said as many as 300 or 400 forms, containing names, addresses,
phone numbers, social insurance numbers and driver's licence numbers
-- but no credit card numbers, she insisted -- were found by a
passerby in a parking lot on Mutual Street, south of Ryerson
University.

Normally, she said, the forms, which are up to five years old, would
have been kept and eventually destroyed by the third-party company,
which she declined to name.

But in this case, the forms were traced to a single employee, whom she
also would not identify.

She said the worker was no longer with the third-party company, and
had been contacted by Rogers. Police have not been called in, she
said.

"It appears to be an isolated incident, but we are continuing to
complete the investigation," Ms. Gupta said.

The mishap raises questions about the risks major companies -- and
their customers -- take when sales or other functions are outsourced
to smaller firms, which may or may not have the same level of privacy
controls.

John Simke, founder of the Toronto-based Centre for Outsourcing
Research and Education, said large firms such as Rogers usually insist
on strict language in outsourcing contracts, as well as sanctions, to
protect customer privacy.

"These are big companies that live or die on their ability to protect
customer data," said Mr. Simke, who has advised banks, corporations
and governments on outsourcing.

"They wouldn't sacrifice those protections for efficiencies."

He said that if outsourcing is done correctly, customer data would be
at no more risk than it would be with possible rogue internal
employees.

"Clearly if you don't do your homework, don't have a good contract,
don't do your due diligence, your risk will increase."

Missing customer data and fears of identity theft have made headlines
in recent months.

Hackers reportedly stole 47.5 million credit-card numbers from U.S.
retail giant TJX Cos., which operates Winners and HomeSense in Canada.

The Canadian Imperial Bank of Commerce and fashion retailer Club
Monaco have also acknowledged recent data breaches.

Rogers has also been caught in an identity-theft controversy before,
with none other than Ted Rogers himself as the victim.

In 2005, The Globe revealed that a group linked to the Lebanese
militant group Hezbollah "cloned" Mr. Rogers's cellphone, and those of
other senior Rogers executives, by duplicating the phones' numbers and
their encrypted security codes.

The cloned phones were used to make long-distance calls in the Middle East.



On 4/8/07, Dissent <Dissent at pogowasright.org> wrote:
> http://www.thestar.com/News/article/200727
>
> A Toronto resident found hundreds of Rogers order forms – complete
> with names, addresses, phone numbers, driver's licence numbers and,
> in a few cases, what appear to be credit card and SIN numbers –
> tucked behind a coffee shop and strewn across a parking lot and park
> on Mutual St. in downtown Toronto yesterday.
>
> A random check of some names and numbers on work orders for both
> cable and Internet services found that some clients had had the work
> done a number of years ago. In some cases they no longer lived at the address.
>
> Some order forms were dated March 2002. One order dated back seven or
> eight years, according to one of the clients reached at home.
>
> [...]
>
>
> Main site: http://www.pogowasright.org
> Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
> Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 204 million compromised records in 615 incidents over 7 years.
>


-- 
Subscribe to Let X = X.   Science... with an edge:
http://let-x-equal-x.blogspot.com

More information about the Dataloss mailing list