[Dataloss] follow-up: Firm Hired After Security Breach Faces State Probe (fwd)

Jamie C. Pole jpole at jcpa.com
Tue Aug 26 12:08:34 UTC 2008


I believe that's an absolutely realistic scenario - I'm dealing with a  
client right now that seems to be experiencing it.

They were breached 14 months ago, and provided credit monitoring for  
the victims.  The monitoring ran out, and several of the victims have  
since contacted the client to ascertain whether or not another breach  
had taken place.  Several of them have recently found new credit  
cards, new lines of credit, and a few other types of unauthorized  
transactions on their credit reports.

As for the consumers electing not to continue the monitoring coverage,  
this is a double-edged sword.  On the one hand, the credit reporting  
bureaus should not be permitted to sell monitoring services.  If they  
spent a little time developing mechanisms to verify the accuracy of  
the information they reported, it might be slightly more difficult to  
commit identity/credit fraud.  On the other hand, once your personal  
data has been disclosed, I would think it's in your best interest to  
continue the monitoring for several years, at the very least.

Of course, none of this would be an issue if these companies were  
forced to spend a reasonable amount of money on prevention.  Then  
again, with PCI being the (bad) joke that it is, a lot of these  
companies and agencies actually believe that they are safe.

Jamie



On Aug 25, 2008, at 10:42 PM, Michael Hill, CITRMS wrote:

>> The state received complaints after those people received letters from
>> | Experian, one of the three credit bureaus, asking for confidential
>> | information in order to continue the monitoring, Rell said.
>> |
>
>
> This will not be the first time we see this.  A company has a data breach,
> offers free credit monitoring for a year, then when that year is up, the
> credit monitoring company will be asking the consumer for confidential
> information (ex. credit card info) in order to continue the monitoring.  A
> good percentage of the consumers involved in this breach will not continue
> the monitoring.  The smart thieves will know this, and now will start using
> the PII they stole or bought.  Is this a realistic scenario?
>
>
> Michael Hill
> Certified Identity Theft Risk Management Specialist
> www.idtheft101.net
> 404-216-3751
>
> INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS | TRAINING
>
>
> "If You Think You're Not At Risk, Think Again!"
>
