

GE Money Loses Data on 650,000 JC Penney Credit Card Holders

Posted on Jan 18, 2008 by Tom Fragala

As a former IT professional, something particularly disturbing about this is that the data breach occurred because of an apparent lost backup tape at the well-known data storage company, Iron Mountain. This just should not happen--this company specializes in data protection. It is all they do.

Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing.

GE Money, which handles credit card operations for Penney and many other retailers, said Thursday night that the missing information includes Social Security numbers for about 150,000 people.

The information was on a backup computer tape that was discovered missing last October. It was being stored at a warehouse run by Iron Mountain Inc., a data storage company, and was never checked out but can't be found either, said Richard C. Jones, a spokesman for GE Money, part of General Electric Capital Corp.

More from The Associated Press.

 



Filed under: Data Breach, Identity Theft

Comments

S.B. Davis on Jan 19, 2008

That is all they do, but remember that they also archive paper. Here is a post that I put on another blog and opted to not bother with editing it: To me, the only newsworthy aspect of this story is the magnitude of the heist. I’m also surprised to not see similar headlines daily. Here’s why. I install pallet rack systems in these record management establishments and have been doing so for the past 14 years. I’ve installed at Bradford Systems, Chicago Records Management (CRM), and Iron Mountain (formerly Pickfords), to name a few. Security is virtually nonexistent except for a few cameras. But cameras or personnel are not located in the miles of aisles between 30-50 foot tall racking systems. I, or anyone else, can easily reach into any book and pull out whatever is desired. Paper or a small disc fits rather nicely in a pocket. But I’m not the threat. Nor any other vendors. No! It’s the employees of these establishments, in my opinion. You better be sitting down for this next piece of information. The makeup of the employees at all the Record Management places that I have (and currently still do) installed pallet rack systems, employ–here it comes–90% Nigerians, 5% Hispanics, and the other 5% is made up of various other nationalities. Therein lies the rub (again, in my opinion). This does include the lower management in these massive warehouses. Now the percentages that I just gave, of course, are only estimates, but rest assured that they are pretty close. The reason being is cost. A majority do not speak English. You may ask how are they able to perform their jobs. Easy. The number system (the universal language)–coupled with a hand-held computing device. Please do not take my word on any of these truisms. Do a little homework yourself or simply come back to this post and see what others may contribute in this comment section. I believe there will be some concurrence. I also believe that this is only the tip of the iceberg. One more thing.
This is the very first time that I have ever made a comment in this type of forum. I hope I did it correctly. It’s just that I happen to be in a position to pass valuable information since I work in this field. Thank you.

Benjamin Wright on Jan 21, 2008

It is often irrational to treat the mere loss of a tape as a legally-meaningful breach of security. --Ben

ed dickson on Jan 22, 2008

Great post and I agree. Ranted a little about this in a post. Scary thing is I know a lot of companies that use Iron Mountain and my best estimate is that most information is sent there (to meet compliance standards) then never accessed again. This might mean we'll never know - if you know what I mean.

There are also a lot of other players in this business. Iron Mountain is probably the most secure of all of them.

Tony on Jan 27, 2008

I have extensive experience investigating company practices and standards for Iron Mountain and other data storage/destruction services throughout the US.

Comments that 'this company is better' or 'that company is safer' are dangerous generalizations about the real threats from identification theft.

Criminal home invasions are only one set of crimes unleashed with the assist of stolen identification. Others may not be violent, but their financial impact can be devastating under the worst of circumstances.

Instead of misleading generalizations, it would be more beneficial to list some appropriate standards to look for in this area.

1) Does the company conduct appropriate background screening for all job candidates? Does the interview process utilize the information obtained legally and to the company's best advantage?
How does the company insure this process happens consistently?

2) Does the company have a Loss Prevention Department? Do they adhere to, or exceed, all applicable industry standards related to physical security devices (camera systems-access/egress systems-lighting/fencing, etc.) and practices (LP Training-Auditing- Internal Investigations)? Are their activities monitored by an independent party?

3) Does the company commit to you, as a potential customer, that they will not release, or allow the release of, your information under any circumstance except those required by law (subpoena)? Many companies have silently begun to 'cooperate with government requests' instead of demand subpoenas for otherwise confidential information.

Tony on Jan 27, 2008

Ben,
It may seem to some that treating it as a security breach is irrational, but I contend that until it is found, not informing those at potential risk of that fact is unethical and self-serving. It's a matter of perspective.
