[Dataloss] followup: ACS Breach Warning Letter

security curmudgeon jericho at attrition.org
Wed Nov 8 02:24:00 EST 2006


And now my own comments.

: [Customer Name]						[Bar Code]
: [Customer Address]					[Number]

The number below the bar code is 8 digits, starting with 0065. Not sure if 
this is an indication of how many affected, a tracking number, or 
something else.

: This letter is to inform you of an incident involving the theft of a 
: computer that may contain your personal information.  A 
: password-protected computer was stolen from a secure facility operated 
: by ACS State and Local Solutions, Inc. on behalf of the Colorado State 
: Directory of New Hires (SDNH). Employers are required by law to report 
: information to the SDNH regarding newly hired employees.

First, we know password protected computers mean absolutely nothing. 
Yanking a drive and mirroring content is trivial for even moderately 
skilled computer users.

Second, ACS needs to look up the definition of secure.

   1. To make safe; to relieve from apprehensions of, or
      exposure to, danger; to guard; to protect.

So this should be worded "relatively" secure or "formerly" secure.

: ACS takes the protection of your personal information very seriously. We 
: have established a toll-free number to assist with any questions. This 
: number is 1-800-350-0399. We regret this incident occurred.

So seriously, this line is not answered outside of standard business hours 
and asks that you call back then.

: Very truly yours,
: 
: [scribble]
: 
: ACS Representative

The signature doesn't look like 'ACS Representative', so whose name is 
this and why wasn't it printed? No one stepping up to be accountable for 
questions?

