[Dataloss] Wis. mailing sent with personal info

Tracy Blackmore tblackmore at tslad.com
Fri Jan 11 16:33:55 UTC 2008


This is a GREAT example of 'out of sight, out of mind'! Many companies know that they do not absolve themselves of the risks when they outsource, but since they have outsourced, they get busy concentrating on more local problems.
 
I hope that someone investigates this and gets to the bottom of the questions of whether EDS made the decision to add this field into a mass-mailing or if the State passed a bunch of data and asked EDS to run it.
 
Make no mistake though - the State of Wisconsin is ultimately responsible since they were the 'owners' of the data.

________________________________

From: dataloss-bounces at attrition.org on behalf of Chris Walsh
Sent: Thu 1/10/2008 8:43 PM
To: Adam Shostack
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Wis. mailing sent with personal info



EDS is a major provider of outsourced IT.  They may well have a more 
general contract and, in effect, made this decision themselves.  The 
SSNs would have been given as part of the larger scope of work, and 
then improperly used.

<RUMSFELD>
Is this a risk firms take when they outsource?  Heavens to Betsy, yes.
Should Wisconsin have anticipated this?  Great Caesar's ghost they 
should have.
Does Wisconsin not have an information classification policy to which 
3rd parties must adhere?  By jiminy, I would hope so.
</RUMSFELD>

On Jan 10, 2008, at 2:57 PM, Adam Shostack wrote:

> Appalled experts elsewhere are asking why Wisconsin gave SSNs to EDS
> as part of mailing informational brochures.
>
> You don't have to select * from row.  You could have selected name,
> address from row.

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
