Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/6/2007
07:25 PM
Michael Singer
Michael Singer
Commentary
50%
50%

IBM Lost His Data... A Follow Up Story

George is an ID theft victim whose personal data was potentially exposed after an incident involving IBM. While IBM has graciously extended its hand to help fix the problem, George hasn't been completely happy with how things are turning out. His story may have lessons for the rest of us.

George is an ID theft victim whose personal data was potentially exposed after an incident involving IBM. While IBM has graciously extended its hand to help fix the problem, George hasn't been completely happy with how things are turning out. His story may have lessons for the rest of us.Back in May, we reported a contractor working for IBM lost at least one mainframe tape containing identifying information on current and former IBM employees. The contractor was in Westchester County, N.Y, when at the intersection of Interstates 287 and 684, he realizes that he's missing some data tapes that were being delivered to a long-term storage facility.

Police search the area. Nothing turns up. IBM issues an apology and offers a year's worth of free credit monitoring. That should be the end of the story, right?

At the time I was very cynical of IBM and any other company that tried to fix a mistake of this magnitude with a reactive service like credit monitoring. It seems like an unbalanced compensation. And it appears as though I'm not alone.

Enter George -- who is not revealing his last name. George received notification from IBM in May about the data breach, which was a surprise for George because he said he never worked for IBM. He looked into the offer but figured that it may not be worth it to him since he already pays for credit monitoring.

George e-mailed me to say he recently had a 75-minute detailed conversation with IBM about their data breach. "IBM insists on calling it "lost" data tapes," he said. Of course, George said he had several questions about the investigation status and IBM's records retention policy. He had heard very little about whether someone found the tapes and what authorities were doing about it.

But George's bigger beef is that "there are problems with the way IBM is handling their data breach."

As a result, George ends up starting a blog entitled "I've Been Mugged... One person's experience with identity theft and corporate responsibility". The blog covers his experiences with dealing with the IBM mess and issues related to data breaches of employee records. To date, he has two months of postings with a blog roll chocked with resources and information on pending legislation.

You can read along with George's exploits, but suffice to say, IBM had 16-year old information on George. And that IBM hired the same consulting company (Kroll) both for IBM's corporate investigation needs and as a credit-monitoring service for former IBM employees, which George thought was a potential conflict of interest.

As a follow up, I asked the company how exactly IBM verified that George was the correct person in their records, especially if he never worked for the company?

I also asked if IBM still does business with the vendor that "lost" the data tapes? And finally, "What procedures has IBM put in place so that a data tape 'loss' during transit doesn't happen again?"

IBM spokesman Fred McNeese was generous enough to answer that George previously worked for Lotus Development Corp. prior to IBM purchasing it. IBM's human resource records would have come over to IBM as part of the purchase.

Fred also said that "Yes, IBM is still doing business with the vendor involved in the incident," but declined to go further.

"Steps have been taken to prevent recurrence of this event," Fred said. "I am not going into detail concerning those steps since it is IBM's practice not to discuss the specifics of any aspect of its security operations."

Fair enough. Security is precious to a massive company like IBM. But what have we learned by George's experience?

First off, even if you no longer work for a company, it is very likely that your data will. And even if you've long forgotten the secretary's name or the phone number for your old supervisor, your permanent record could wind up in the hands of another corporation and it may be months before you hear about your information being compromised. Does this mean that we all need to be diligent on how even our former companies are faring? That could be problematic in an environment where workers change jobs frequently and consolidation of companies has become commonplace.

Secondly, hiring the same consulting company both for IBM's corporate investigation needs and as a credit-monitoring service is not illegal or unethical, but it may raise some eyebrows with the people you are trying to help.

Finally, credit monitoring is strongly recommended. IBM and George agree on that. However, paying for a credit monitoring service isn't for everyone. George was one of those types who invested in a monitoring service for himself. Some services cost as much as $200 per year.

Hopefully, IBM and George find common ground on other types of protection and compensation. We'll keep you updated on how this story resolves.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29040
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
CVE-2021-29041
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
CVE-2021-29047
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-22668
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
CVE-2021-29039
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.