Here is one of my pet peeves when it comes to reporting data breaches: The company reporting the data breach states “there is no evidence the data was used for malicious purposes” blah blah blah. This one really makes me grumpy. I am going to go off on a tirade here and a well known sporting goods retailer is going to feel the brunt of it as this case pushed me over the edge when it happened. I am not holding back any punches on this one.
Two years ago, well known sporting goods retailer, Gander Mountain, had a cash register “lost or stolen” from a store near my house. Read about it here: http://www.thepittsburghchannel.com/news/14092404/detail.html and here: http://breach.scmagazineblogs.com/2007/09/14/outdoor-retailer-exposes-customer-info/
From the SC Magazine Article above:
“Gander Mountain, a retail chain for hunting, fishing, camping and other outdoor lifestyle products, said a computer was either lost or stolen. The machine contained the credit card information for anyone who has shopped at the Greensburg outlet from July 2002 to June 2007.”
“The company said the missing computer was not taken from its Greensburg store but from an undisclosed location.
The computer had credit card transaction records for that store only though, ranging from July 2002 through June of this year .
Also possibly affected are customers who paid by check or who returned items.
In a prepared statement, the company’s CEO wrote, ‘We have no evidence that any of this information has been misused or that the missing equipment was stolen with intent to steal data.'”
Okay, now I am grumpy. Let me list what has set me off:
- A CASH REGISTER had credit card data, return data (read: PII), and/or check information
- Five years of information compromised
- Asset Management, or lack thereof
- Declaring something you cannot possibly prove: “We have no evidence that any of this information has been misused…”
First off, why does a cash register store this information? Why is it not on a central server somewhere? If I recall correctly, PCI rules state you are not allowed to store this information unless encrypted. In today’s day and age, there is no reason for a cash register in a store (read: open to heaven knows who) this information. Credit card numbers should not be stored. Transactions should be sent to a secure, remote server for processing. When I say secure, I mean a server heavily protected by technical and physical security measures. Cash registers have open access to just about anyone. Sure, the store may protect it by a password and/or key, but how secure are these methods? I know of stores that have a generic log on or employees that do not log out. We simply don’t know how extensive these security measure are, nor should we have to worry ourselves with something that should not be done to begin with.
Five years of data? Really? Why does a STORE client machine need to store this information for this long? The answer: it doesn’t. Transactions should be sent to a remote server for processing. If communications are offline with the remote server, transactions should be encrypted and stored only until a synchronization can occur successfully. Once synched, the data must be securely deleted (read: overwritten using secure methods such as a DoD wipe.) This is just a joke.
I know someone who needs a few classes in Asset Management. “…the computer was lost or stolen.” , “…the missing computer was not taken from its Greensburg store but from an undisclosed location.” Wow, this sends up red flag like you would not believe. How do you misplace a big honking cash register that is used constantly? Undisclosed location? Hmm, this sounds good. Companies must have policies, procedures, and methods in place to know what assets they have and where they are at any given time. I am sure you know exactly where your TV is, where your money is, and I am guessing you know where your computer is. Yes, this is simple since we are not a big corporation. However, if you lend someone something, you may note who you lent what. Companies need a similar system to prevent losses and be able to report on incidents at any time.
“We have no evidence that any of this information has been misused or that the missing equipment was stolen with intent to steal data.” Really? How can you back that up? Joe Blow, the thief, has just stolen a cash register. He has taken the register to his crime cave and busted out a copy of hard drive duplicating software, you know, the same kind the police department uses to make forensic copies of hard drives. The register is later returned or found abandoned in a dumpster. Uhhhh, you said what? The criminal now has a copy of the register’s hard drive. The company the register was stolen from can’t prove the data was not accessed. If done correctly, a forensic image of a machine leaves no trace. I do not know if this happened with Gander Mountain. This could happen to any given company in any line of business. By analyzing the information above, we could theorize that all 5 years of information on the hard drive of that register was at least copied. You cannot prove it wasn’t if you only have the register back in possession. Additionally, the news release indicates that the register was taken not from the store, but from an undisclosed location. Say again? Yup, the register could have been found anywhere. Apparently it was not taken from the store at all (read: bad asset management). So where was it? Good question. Was it found in an untrusted, insecure environment? If so, you can bet that if I was the CEO, I would not be making such bold statements as “We have no evidence that any of this information has been misused or that the missing equipment was stolen with intent to steal data.” If you do not have positive control over assets or know who had them, then you have no idea if your data, or should I say, your customer’s data is safe. As a philosophical note: Do you really know the intent of people? Do you know what a thief will do?
This case of possible data compromise pushed me over the edge because I was a customer at this store. They essentially say in their press release that they have no idea who was affected and only sent 5750 letters to customers with known addresses. 112,000 records total, with 10,000 containing credit card information (according to the SC Magazine listing above)….some of the most sensitive information. What record set did they use to send out these notices? Were these 5750 letters even a subset of the compromised credit cards? What about the rest? Did I mention this store sells guns? Gun applications contain all kinds of additional PII. Was any of this information compromised? Can you be sure?
I could go on forever, but I must bring this to an end. Companies must do more to protect our data. They must do more to notify people when it is compromised. Companies must be more forthcoming with information when it comes to data theft. Yes, they will take a stock and/or loss of customers hit, but in the long run, they will look better in the public eye. Concealing information makes you look like you have something to hide, possibly a bigger problem that needs addressed. I am surprised that a customer in the article wasn’t really upset about it. People have become use to this carelessness and just carry on until it affects them, then they cry foul. Customers need to be careful with their data and stand up for themselves when their personal information is compromised.
I am sick and tired of hearing some of the lame excuses for security or lack thereof that companies spew upon the unknowing customer. This retailer just pushed me over the edge. There have been others in the past that have done similar things and have given similar excuses. Let this be a lesson and let it beef up your security before something similar happens to you. Security professional see through the smoke screens and dog & pony shows you put on for the average consumer. Just know that security professionals will call you on the carpet when make a mistake and some will be there to bail you out when things go sour.
I am sure some have thoughts on this. Lets hear it in the comments.