BreachExchange mailing list archives

Re: followup: ACS Breach Warning Letter


From: security curmudgeon <jericho () attrition org>
Date: Wed, 8 Nov 2006 02:24:00 -0500 (EST)


And now my own comments.

: [Customer Name]                                               [Bar Code]
: [Customer Address]                                    [Number]

The number below the bar code is 8 digits, starting with 0065. Not sure if 
this is an indication of how many affected, a tracking number, or 
something else.

: This letter is to inform you of an incident involving the theft of a 
: computer that may contain your personal information.  A 
: password-protected computer was stolen from a secure facility operated 
: by ACS State and Local Solutions, Inc. on behalf of the Colorado State 
: Directory of New Hires (SDNH). Employers are required by law to report 
: information to the SDNH regarding newly hired employees.

First, we know password protected computers mean absolutely nothing. 
Yanking a drive and mirroring content is trivial for even moderately 
skilled computer users.

Second, ACS needs to look up the definition of secure.

   1. To make safe; to relieve from apprehensions of, or
      exposure to, danger; to guard; to protect.

So this should be worded "relatively" secure or "formerly" secure.

: ACS takes the protection of your personal information very seriously. We 
: have established a toll-free number to assist with any questions. This 
: number is 1-800-350-0399. We regret this incident occurred.

So seriously, this line is not answered outside of standard business hours 
and asks that you call back then.

: Very truly yours,
: 
: [scribble]
: 
: ACS Representative

The signature doesn't look like 'ACS Representative', so whose name is 
this and why wasn't it printed? No one stepping up to be accountable for 
questions?
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 140 million compromised records in 465 incidents over 6 years.


