[Dataloss] Self-storage outfit exposes 13K

DAIL, ANDY ADAIL at sunocoinc.com
Thu Jun 29 10:19:27 EDT 2006


Notification is a particularly touchy subject, especially with the
lawyers who advise the decision makers.  This whole arena is new to most
corporate attorneys, and corporate attorneys do not like wading in
unfamiliar legal waters.  By default, when a lawyer is uncomfortable,
they usually recommend the most conservative approach that will cover
every base possible.  Once a recommendation to notify everyone is made
by the attorney, very few executives will disregard legal advice they
have paid for, and do something else.

California wrote the original law on customer notification, and everyone
seems to be using their law as the basis for their own set of standards.
The confusion, in my personal opinion, originates with the number of
jurisdictions that feel empowered to pass laws regarding data security
(Westchester County, NY passed their own encryption standards:
http://www.msnbc.msn.com/id/12412271/).  Until the Feds step in and
codify uniform standards, you'll continue to see States, Counties, and
even individual cities pass their own regulations, sometimes with
differing standards (for instance, Visa requires all but the last 4
numbers of a credit card be masked on a sales ticket, North Carolina has
set 5 numbers as a standard, by law). In the example of Sarbanes-Oxley,
the cure may well be more expensive than the disease.

Additionally, "Data Security" has mostly (functionally at least) been
pushed out by the card companies, but as an effort to preempt the Feds
from passing aforementioned regulation.  Many Class 1 Merchants did not
even find out about PCI, for instance, until a month before their
original compliance deadline.  Even then, the monitoring requirement
buck was passed down to the settlement providers, who are passing their
own set of standards.  For instance, Paymentech has made Visa /
MasterCard's PABP (Payment Application Best Practices) mandatory for any
retailer who hooks a payment system to their network.

Currently, the whole environment is very reminiscent of the era when
each State, and even bank was allowed to print its own money, or perhaps
when there were no uniform hardware standards between computer
manufacturers.  Everyone understands there is a problem and most people
want to do the right thing, but not everyone agrees on what the right
thing is, or which standards or methodologies should be employed.  We're
using a dozen different guidelines to secure a single monetary
processing system.

Andy Dail
Sunoco PCI Project Manager
(918) 586-6360


-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of George Toft
Sent: Thursday, June 29, 2006 1:41 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] Self-storage outfit exposes 13K


This is a Windows-based application issue and the owners might not know
where the logs are, nor how to read them.  Also, the logging might not
have audit points like "who logged in" - don't laugh - I've seen exactly
this on many applications.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.


Chris Walsh wrote:
> [A "devil's advocate" comment:
>
> If I owned this company, I would only notify those persons for whom my
> web logs showed inquiries having been made.  This outfit is ignorant,
> and is "overcomplying".  Perhaps the ISP doesn't save web logs reaching
> back long enough. ]
>
> http://cbs5.com/topstories/local_story_178210503.html
>
> (CBS 5) A CBS 5 investigation has confirmed a security breach at a
> popular self-storage company that may have exposed customers' private
> information on its website.
>
> AAAAA Rent-A-Space has taken its online payment system offline and is
> notifying thousands of customers to check for identity theft after CBS
> 5 told the company about a flaw on their website.
>
> Howard Fortner describes the security at AAAAA Rent-A-Space in Colma
> as tighter than Fort Knox. So he was surprised when the cyber gate was
> left wide open on the storage facility's website.
>
> While trying to make an online payment, Fortner says he accidentally
> typed in someone else's storage unit number along with his password,
> which is his phone number.
>
> Up popped another customer's private information, including a name,
> address, credit card, and Social Security number.
>
> "I thought about mine's as vulnerable as that one," Fortner said. "I
> tried it with a different number, and several accounts opened up."
>
> His password opened at least five other customer profiles.
>
> After CBS 5 alerted AAAAA Rent-A-Space to the problem, the company
> worked with the Arizona software developer who created the site's
> account-based program called "Web-Expres." By late Tuesday afternoon,
> they found the glitch and have taken the payment system offline until
> it is patched.
>
> AAAAA Rent-A-Space says its online payment system has been up for a
> year with no other incidents reported.
>
> The company says it plans to mail out 13,000 letters about the
> discovery to customers in California and Hawaii, including those who
> have items stored at the 10 Bay Area facilities.
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/errata/dataloss/
>
>
>
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/errata/dataloss/
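An added example, not code from this thread or from the "Web-Expres" product, that models one assumed shape of the flaw the article describes (a password valid for some account unlocks whichever unit number is typed) beside the corrected check, and records the "who logged in, which record" audit event George Toft says many applications lack, so that a notification could be scoped to the records actually opened, as Chris Walsh suggests. Account data, unit numbers and phone-number passwords are constructed; passwords are kept in the clear only to keep the sample short.

```python
import hmac

# Constructed sample tenant records (unit numbers, phone-number passwords
# and names are made up; a real system would store password hashes).
ACCOUNTS = {
    "U-101": {"password": "4155550100", "name": "Tenant A", "card_last4": "1111"},
    "U-102": {"password": "4155550101", "name": "Tenant B", "card_last4": "2222"},
    "U-103": {"password": "4155550102", "name": "Tenant C", "card_last4": "3333"},
}

AUDIT_LOG = []  # in-memory stand-in for a durable application log


def _audit(client_ip, authenticated_as, requested_unit, granted):
    """Record who (account and IP) asked for which record and whether it was served."""
    AUDIT_LOG.append({"ip": client_ip, "auth_unit": authenticated_as,
                      "requested_unit": requested_unit, "granted": granted})


def _unit_owning_password(password):
    """Return the unit whose stored password matches, or None."""
    for unit, rec in ACCOUNTS.items():
        if hmac.compare_digest(rec["password"], password):
            return unit
    return None


def vulnerable_lookup(unit, password, client_ip):
    """Assumed flaw: any valid password unlocks whichever unit number was typed."""
    owner = _unit_owning_password(password)
    granted = owner is not None and unit in ACCOUNTS
    _audit(client_ip, owner, unit, granted)
    return ACCOUNTS[unit] if granted else None


def secure_lookup(unit, password, client_ip):
    """Fix: the password must belong to the very unit being requested."""
    rec = ACCOUNTS.get(unit)
    granted = rec is not None and hmac.compare_digest(rec["password"], password)
    _audit(client_ip, unit if granted else None, unit, granted)
    return rec if granted else None


def cross_account_views():
    """Units whose record was served to a session authenticated as a different
    unit: the set a narrowly scoped breach notification would have to cover."""
    return sorted({e["requested_unit"] for e in AUDIT_LOG
                   if e["granted"] and e["auth_unit"] != e["requested_unit"]})
```

Without the `_audit` record of both the authenticating account and the requested unit, the log cannot distinguish a tenant viewing their own profile from one viewing someone else's, which is exactly the gap that forces a company into notifying everyone.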


This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.

