Jan 18 2008
I’d say this looks like another case of a box falling off the back of a truck somewhere: Iron Mountain has lost a backup tape belonging to GE Money with approximately 650,000 JC Penney customer records on it, and 150,000 of those records include customer social security numbers. There’s the usual patter about requiring specialized equipment to read the tape, but I’d feel more secure if they said it was encrypted. We all know that a tape backup drive isn’t that hard to get, especially if you’re targeting a specific merchant and have any sort of intelligence on them. We’re being told the number of JC Penney records that have been lost and that as many as 100 merchants could have been affected, so what is the total number of records on the tape? It could add up to quite a number when all is said and done.
A representative from JC Penney was interviewed for the Fortify documentary last night, and this is one of the dangers of the information age he didn’t bring up. Not only do you have to worry about all of the bad guys attacking you directly, you have to worry about your partners, how they’re protecting your data and how their partners are protecting your data. I’m willing to think this is simply a case of human error and the tape in question fell under a floor panel or something, but it isn’t far outside the realm of possibility that someone took the tape purposefully. In a lot of companies, it’d only take a conspiracy of two or three to get the tape, a drive for it and the encryption keys to unlock everything.
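The two points above, that an offsite tape should be encrypted and that the key should never travel with the tape, come down to a very short pipeline. The script below is an added example, not anything from the original post or from the companies mentioned in it: it assumes only that `tar` and the `openssl` command-line tool are installed, the directory names and key-file location are hypothetical, and the customer record it encrypts is a constructed sample.

```sh
#!/bin/sh
# Added example: encrypt a backup archive before it leaves the building,
# keeping the key in a file that is stored and shipped separately from the tape.
set -eu

# encrypt_backup SRC_DIR OUT_FILE KEY_FILE
# Creates KEY_FILE with a fresh random 256-bit key if it does not exist yet,
# then streams a tar archive of SRC_DIR through AES-256-CBC into OUT_FILE.
# The key file is what the courier must NOT get; the tape alone is useless.
encrypt_backup() {
    src="$1"; out="$2"; keyfile="$3"
    if [ ! -f "$keyfile" ]; then
        openssl rand -hex 32 > "$keyfile"     # 32 random bytes, hex encoded
        chmod 600 "$keyfile"                  # only the backup operator can read it
    fi
    tar -cf - -C "$src" . \
        | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$keyfile" -out "$out"
}

# decrypt_backup IN_FILE DEST_DIR KEY_FILE
# Reverse of encrypt_backup; restores the archive into DEST_DIR.
decrypt_backup() {
    in="$1"; dest="$2"; keyfile="$3"
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" -in "$in" \
        | tar -xf - -C "$dest"
}

# demo_roundtrip: build a constructed record, encrypt it, confirm the
# ciphertext does not contain the plaintext, decrypt it, and compare.
# Returns 0 on success, 1 on any failure.
demo_roundtrip() {
    work=$(mktemp -d)
    mkdir -p "$work/src"
    # Constructed sample record; not real customer data.
    printf 'cust_id=000001,name=Sample Customer,ssn=000-00-0000\n' > "$work/src/records.csv"

    encrypt_backup "$work/src" "$work/backup.tar.enc" "$work/tape.key"

    # Whoever finds the tape must not be able to grep the records off it.
    if grep -q 'Sample Customer' "$work/backup.tar.enc"; then
        echo "plaintext leaked into archive" >&2
        rm -rf "$work"; return 1
    fi

    decrypt_backup "$work/backup.tar.enc" "$work/restore" "$work/tape.key"
    if ! cmp -s "$work/src/records.csv" "$work/restore/records.csv"; then
        echo "restored file differs from source" >&2
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}
```

Run `demo_roundtrip` to exercise the whole cycle. The point is the split: the tape carries `backup.tar.enc`, the key file stays under the company's own control, and a conspiracy now needs the key custodian as well as the tape and a drive. Note that `openssl enc` in CBC mode gives confidentiality only, with no integrity check on the archive, so a production setup should pair it with a signature or use an authenticated tool; the separation-of-key-from-media lesson is the same either way.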
I agree that JC Penney isn’t responsible for the incident, but I get tired of reading the “We have no reason to believe …” statement. They also have no reason to believe it isn’t being used; there’s no reliable way to correlate a data breach of this sort and the repercussions. Even most of the people that have been caught in the TJ Maxx case have been the flunkies who were doing the in-person fraud using compromised data. If someone knows of a statistically significant way the credit card companies can track the effects of this breach, I’d like to hear about it.
We’d never have heard about this before California’s SB1386 and the other state laws that have followed. And in all likelihood, this probably is just a case of a lost tape, with no nefarious intent involved. We’re at a stage of the game where I’d rather hear about a couple of false alarms than miss one real event.