
Risk

8/6/2007
07:25 PM
Michael Singer
Commentary

IBM Lost His Data... A Follow Up Story

George is an ID theft victim whose personal data was potentially exposed after an incident involving IBM. While IBM has graciously extended its hand to help fix the problem, George hasn't been completely happy with how things are turning out. His story may have lessons for the rest of us.

Back in May, we reported that a contractor working for IBM lost at least one mainframe tape containing identifying information on current and former IBM employees. The contractor was in Westchester County, N.Y., when, at the intersection of Interstates 287 and 684, he realized that he was missing some data tapes that were being delivered to a long-term storage facility.

Police search the area. Nothing turns up. IBM issues an apology and offers a year's worth of free credit monitoring. That should be the end of the story, right?

At the time I was very cynical about IBM and any other company that tried to fix a mistake of this magnitude with a reactive service like credit monitoring. It seems like an unbalanced compensation. And it appears as though I'm not alone.

Enter George -- who is not revealing his last name. George received notification from IBM in May about the data breach, which was a surprise for George because he said he never worked for IBM. He looked into the offer but figured that it may not be worth it to him since he already pays for credit monitoring.

George e-mailed me to say he recently had a 75-minute detailed conversation with IBM about their data breach. "IBM insists on calling it 'lost' data tapes," he said. Of course, George said he had several questions about the investigation status and IBM's records retention policy. He had heard very little about whether someone found the tapes and what authorities were doing about it.

But George's bigger beef is that "there are problems with the way IBM is handling their data breach."

As a result, George ended up starting a blog entitled "I've Been Mugged... One person's experience with identity theft and corporate responsibility". The blog covers his experiences dealing with the IBM mess and issues related to data breaches of employee records. To date, he has two months of postings with a blogroll chock-full of resources and information on pending legislation.

You can read along with George's exploits, but suffice it to say, IBM had 16-year-old information on George. And IBM hired the same consulting company (Kroll) both for IBM's corporate investigation needs and as a credit-monitoring service for former IBM employees, which George thought was a potential conflict of interest.

As a follow-up, I asked the company how exactly IBM verified that George was the correct person in their records, especially if he never worked for the company.

I also asked if IBM still does business with the vendor that "lost" the data tapes. And finally, "What procedures has IBM put in place so that a data tape 'loss' during transit doesn't happen again?"

IBM spokesman Fred McNeese was generous enough to answer that George previously worked for Lotus Development Corp. prior to IBM purchasing it. Lotus's human resource records would have come over to IBM as part of the purchase.

Fred also said that "Yes, IBM is still doing business with the vendor involved in the incident," but declined to go further.

"Steps have been taken to prevent recurrence of this event," Fred said. "I am not going into detail concerning those steps since it is IBM's practice not to discuss the specifics of any aspect of its security operations."

Fair enough. Security is precious to a massive company like IBM. But what have we learned from George's experience?

First off, even if you no longer work for a company, it is very likely that your data will. And even if you've long forgotten the secretary's name or the phone number of your old supervisor, your permanent record could wind up in the hands of another corporation, and it may be months before you hear about your information being compromised. Does this mean that we all need to be diligent about how even our former companies are faring? That could be problematic in an environment where workers change jobs frequently and consolidation of companies has become commonplace.

Secondly, hiring the same consulting company both for IBM's corporate investigation needs and as a credit-monitoring service is not illegal or unethical, but it may raise some eyebrows with the people you are trying to help.

Finally, credit monitoring is strongly recommended. IBM and George agree on that. However, paying for a credit monitoring service isn't for everyone. George was one of those types who invested in a monitoring service for himself. Some services cost as much as $200 per year.

Hopefully, IBM and George find common ground on other types of protection and compensation. We'll keep you updated on how this story resolves.
