<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1561" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=464544516-18092006>Far
too many organizations think it's acceptable to shortcut that requirement by
taking information that was "formerly known as production data" and using it for
test because it's already in the production format, and, "Well, the data is no
longer current enough to be considered 'live' or
'production'."</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=464544516-18092006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=464544516-18092006>There
is a great deal of pressure on IT groups to save time and money. From a
strictly time management and book keeping perspective it seems like a
logical idea. But, developers don't seem to remember the fact that
even though the data is no longer of use to the company, the consumers aren't
quite finished using those numbers yet. You know, Social Security Numbers,
Drivers License Numbers, dates of birth. </SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN
class=464544516-18092006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=464544516-18092006>Their
managers seem willing to gamble that it won't happen to them, and are willing to
take the risk to save the time and cost of developing mock data. The cost
of addressing one incident would change their minds if the money to remediate
came from their cost centers.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><!-- Converted from text/rtf format -->
<P><SPAN lang=en-us><FONT face=Arial size=2>Andy Dail</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>Sunoco</FONT> <FONT face=Arial size=2>PCI
Project Manager</FONT></SPAN> <BR></P>
<BLOCKQUOTE style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
dataloss-bounces@attrition.org [mailto:dataloss-bounces@attrition.org] <B>On
Behalf Of </B>blitz<BR><B>Sent:</B> Sunday, September 17, 2006 7:59
PM<BR><B>To:</B> Dissent<BR><B>Cc:</B>
dataloss@attrition.org<BR><B>Subject:</B> Re: [Dataloss] Federal loan Web site
left unprotected<BR><BR></FONT></DIV><FONT size=3>What part of "DON'T USE
PRODUCTION DATA" do they <I>not</I> understand? Sheesh!<BR><BR>At 09:40
9/17/2006, you wrote:<BR>
<BLOCKQUOTE class=cite cite="" type="cite">Complications from a computer
software upgrade caused a security <BR>breach that left loan borrowers'
private information, such as their <BR>Social Security numbers, unprotected
online.<BR><BR>The problem occurred from the evening of Aug. 20 to the
morning of <BR>Aug. 22 on the Web site of Direct Loans. Direct Loans is part
of the <BR>William D. Ford Federal Direct Loan Program within the Dept. of
<BR>Education and Federal Student Aid.<BR><BR>Anyone who used the Web site
and performed the same transaction at <BR>the same time in the same part of
the system as another user could <BR>have had his or her data exposed,
Bushman said.<BR><BR>... She estimated that 21,000 accounts of the
more than six million <BR>on the system could have been affected. All those
potentially <BR>affected already would have been notified, she
said.<BR><BR>[...]<BR><BR><A
href="http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060917/NEWS01/609170310/1079/NEWS01">http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060917/NEWS01/609170310/1079/NEWS01</A>
<BR><BR><BR>-- <BR>No virus found in this outgoing message.<BR>Checked by
AVG Free Edition.<BR>Version: 7.1.405 / Virus Database: 268.12.4/449 -
Release Date:
9/15/2006<BR><BR><BR>_______________________________________________<BR>Dataloss
Mailing List (dataloss@attrition.org)<BR><A
href="http://attrition.org/dataloss">http://attrition.org/dataloss</A><BR>Tracking
more than 146 million compromised records in 349 incidents over 6
years.</FONT></BLOCKQUOTE><BR>-- <BR>This message has been scanned for viruses
and <BR>dangerous content by <A
href="http://www.mailscanner.info/"><B>MailScanner</B></A>, and is
<BR>believed to be clean. </BLOCKQUOTE></BODY></HTML>
<table><tr><td bgcolor=#ffffff><font color=#000000>This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.<br>
</font></td></tr></table>