BreachExchange mailing list archives

Re: follow-up: Firm Hired After Security Breach Faces State Probe (fwd)


From: "Jamie C. Pole" <jpole () jcpa com>
Date: Tue, 26 Aug 2008 08:08:34 -0400


I believe that's an absolutely realistic scenario - I'm dealing with a  
client right now that seems to be experiencing it.

They were breached 14 months ago, and provided credit monitoring for  
the victims.  The monitoring ran out, and several of the victims have  
since contacted the client to ascertain whether or not another breach  
had taken place.  Several of them have recently found new credit  
cards, new lines of credit, and a few other types of unauthorized  
transactions on their credit reports.

As for the consumers electing not to continue the monitoring coverage,  
this is a double-edged sword.  On the one hand, the credit reporting  
bureaus should not be permitted to sell monitoring services.  If they  
spent a little time developing mechanisms to verify the accuracy of  
the information they reported, it might be slightly more difficult to  
commit identity/credit fraud.  On the other hand, once your personal  
data has been disclosed, I would think it's in your best interest to  
continue the monitoring for several years, at the very least.

Of course, none of this would be an issue if these companies were  
forced to spend a reasonable amount of money on prevention.  Then  
again, with PCI being the (bad) joke that it is, a lot of these  
companies and agencies actually believe that they are safe.

Jamie



On Aug 25, 2008, at 10:42 PM, Michael Hill, CITRMS wrote:

| The state received complaints after those people received letters from
| Experian, one of the three credit bureaus, asking for confidential
| information in order to continue the monitoring, Rell said.
|


This will not be the first time we see this.  A company has a data breach,
offers free credit monitoring for a year, then when that year is up, the
credit monitoring company will be asking the consumer for confidential
information (ex. credit card info) in order to continue the monitoring.  A
good percentage of the consumers involved in this breach will not continue
the monitoring.  The smart thieves will know this, and now will start using
the PII they stole or bought.  Is this a realistic scenario?


Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751

INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS | TRAINING


"If You Think You're Not At Risk, Think Again!"


_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
