[Dataloss] Wis. mailing sent with personal info
Tracy Blackmore
tblackmore at tslad.com
Fri Jan 11 16:33:55 UTC 2008
This is a GREAT example of 'out of sight out of mind'! Many companies know that they do not absolve themselves of the risks when they outsource but since they have outsourced they get busy concentrating on more local problems.
I hope that someone investigates this and gets to the bottom of the questions of whether EDS made the decision to add this field into a mass-mailing or if the State passed a bunch of data and asked EDS to run it.
Make no mistake though - the State of Wisconsin is ultimately responsible since they were the 'owners' of the data.
________________________________
From: dataloss-bounces at attrition.org on behalf of Chris Walsh
Sent: Thu 1/10/2008 8:43 PM
To: Adam Shostack
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Wis. mailing sent with personal info
EDS is a major provider of outsourced IT. They may well have a more
general contract and, in effect, made this decision themselves. The
SSNs would have been given as part of the larger scope of work, and
then improperly used.
<RUMSFELD>
Is this a risk firms take when they outsource? Heavens to Betsy, yes.
Should Wisconsin have anticipated this? Great Caesar's ghost they
should have.
Does Wisconsin not have an information classification policy to which
3rd parties must adhere? By jiminy, I would hope so.
</RUMSFELD>
On Jan 10, 2008, at 2:57 PM, Adam Shostack wrote:
> Appalled experts elsewhere are asking why Wisconsin gave SSNs to EDS
> as part of mailing informational brochures.
>
> You don't have to select * from row. You could have selected name,
> address from row.
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080111/013444ca/attachment.html
More information about the Dataloss
mailing list