[Dataloss] Federal loan Web site left unprotected
DAIL, ANDY
ADAIL at sunocoinc.com
Mon Sep 18 12:54:08 EDT 2006
Far too many organizations think it's acceptable to shortcut that
requirement by taking information that was "formerly known as production
data" and using it for test because it's already in the production
format, and, "Well, the data is no longer current enough to be
considered 'live' or 'production'."
There is a great deal of pressure on IT groups to save time and money.
From a strictly time management and bookkeeping perspective it seems
like a logical idea. But, developers don't seem to remember the fact
that even though the data is no longer of use to the company, the
consumers aren't quite finished using those numbers yet. You know,
Social Security Numbers, Drivers License Numbers, dates of birth.
Their managers seem willing to gamble that it won't happen to them, and
are willing to take the risk to save the time and cost of developing
mock data. The cost of addressing one incident would change their minds
if the money to remediate came from their cost centers.
Andy Dail
Sunoco PCI Project Manager
-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of blitz
Sent: Sunday, September 17, 2006 7:59 PM
To: Dissent
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Federal loan Web site left unprotected
What part of "DON'T USE PRODUCTION DATA" do they not understand?
Sheesh!
At 09:40 9/17/2006, you wrote:
Complications from a computer software upgrade caused a security breach that left loan borrowers' private information, such as their Social Security numbers, unprotected online.

The problem occurred from the evening of Aug. 20 to the morning of Aug. 22 on the Web site of Direct Loans. Direct Loans is part of the William D. Ford Federal Direct Loan Program within the Dept. of Education and Federal Student Aid.

Anyone who used the Web site and performed the same transaction at the same time in the same part of the system as another user could have had his or her data exposed, Bushman said.

... She estimated that 21,000 accounts of the more than six million on the system could have been affected. All those potentially affected already would have been notified, she said.

[...]

http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060917/NEWS01/609170310/1079/NEWS01
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in
349 incidents over 6 years.
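The argument above is that building mock data is cheaper than one incident. As an added example (not from this list post, and not code from any Direct Loans system), here is one way to produce a test copy of borrower records without carrying production identifiers across: a keyed, deterministic masking pass that keeps record format and cross-table joins intact, plus a gate that refuses the export if any original SSN, licence number or date of birth survives. The sample records, field names and key are constructed for the illustration.

```python
"""Deterministic pseudonymisation of production-like records for a test
environment. Added example with constructed sample data; the HMAC key
must stay on the masking host and never reach the test environment."""
import hashlib
import hmac
import re
import string
from datetime import date, timedelta

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Constructed sample of "formerly production" records; not real people.
SAMPLE = [
    {"id": 1, "name": "Pat Example", "ssn": "123-45-6789",
     "dl": "S123-4567-8901", "dob": "1981-04-12"},
    {"id": 2, "name": "Sam Sample", "ssn": "987-65-4321",
     "dl": "D98765432", "dob": "1975-11-30"},
]


def _digest(key: bytes, field: str, value: str) -> int:
    """HMAC-SHA256 of 'field:value' as an integer. Domain-separating on the
    field name keeps an SSN and a DL number with equal digits from mapping
    to the same token; the same input always yields the same token, so
    joins between tables survive masking."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def mask_ssn(key: bytes, ssn: str) -> str:
    """Format-preserving replacement in the 900-999 area range, which the
    SSA does not assign as an SSN, so a masked value is never a real
    borrower's number."""
    n = _digest(key, "ssn", ssn)
    area = 900 + n % 100
    n //= 100
    group = 1 + n % 99
    n //= 99
    serial = 1 + n % 9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def mask_dl(key: bytes, dl: str) -> str:
    """Keep length and per-character class (letter/digit/other) so the
    application's own licence-number validators still accept the value."""
    n = _digest(key, "dl", dl)
    out = []
    for ch in dl:
        if ch.isdigit():
            out.append(string.digits[n % 10])
            n //= 10
        elif ch.isalpha():
            out.append(string.ascii_uppercase[n % 26])
            n //= 26
        else:
            out.append(ch)
    return "".join(out)


def mask_dob(key: bytes, dob: str) -> str:
    """Shift the date by a deterministic -365..+364 day offset (never 0):
    approximate age survives for age-based logic, the real date does not."""
    y, m, d = map(int, dob.split("-"))
    offset = _digest(key, "dob", dob) % 730 - 365
    if offset == 0:
        offset = 1
    return (date(y, m, d) + timedelta(days=offset)).isoformat()


def mask_record(key: bytes, rec: dict) -> dict:
    """Primary key kept so relationships between tables survive; every
    direct identifier replaced."""
    return {
        "id": rec["id"],
        "name": f"Borrower-{_digest(key, 'name', rec['name']) % 10**6:06d}",
        "ssn": mask_ssn(key, rec["ssn"]),
        "dl": mask_dl(key, rec["dl"]),
        "dob": mask_dob(key, rec["dob"]),
    }


def verify_no_leak(key: bytes, records: list) -> bool:
    """Gate for the test-data export: masking is stable, output is
    format-valid, and no masked identifier equals any original one."""
    originals = {r[f] for r in records for f in ("ssn", "dl", "dob")}
    for rec in records:
        masked = mask_record(key, rec)
        if masked != mask_record(key, rec):
            return False
        if not SSN_RE.match(masked["ssn"]):
            return False
        if any(masked[f] in originals for f in ("ssn", "dl", "dob")):
            return False
    return True


if __name__ == "__main__":
    key = b"rotate-me-and-keep-out-of-the-test-environment"  # constructed
    for rec in SAMPLE:
        print(mask_record(key, rec))
    print("export ok:", verify_no_leak(key, SAMPLE))
```

The key is the whole secret: HMAC with a known key is a lookup oracle, and the SSN space is only a billion values, so anyone in the test environment who obtains the key can recover real numbers from the tokens by brute force. Keep the key in the production-side masking job, rotate it per export, and run the masking before the copy leaves the production trust boundary.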