Happy Holidays: We've Lost All Your Critical Data
from the how-nice dept
Data breaches have been one of the big themes this year, so perhaps it’s not surprising that the year is closing out with yet another big one. In this case, it’s Marriott, which conveniently lost unencrypted backup tapes holding an “identity theft special” set of info on over 200,000 employees, time share owners and customers. Included in the data was every identity thief’s dream starter kit: names, Social Security numbers, bank account numbers and credit card numbers. To apologize, Marriott has agreed to spend the $100 or whatever to give everyone impacted a free credit monitoring service, which seems like the very least they could do.
Comments on “Happy Holidays: We've Lost All Your Critical Data”
Liability
The ONLY thing that will help to staunch this is for the companies that lose sensitive data to be held liable for $$$. It’s sad that companies understand nothing else but, since most of the CEOs are amoral scum, the only thing that hurts them is big $$$ judgements or fines.
No Subject Given
Marriott has agreed to spend the $100 or whatever to give everyone impacted a free credit monitoring service
This is a nice start, but not good enough. They should be paying damages along the lines of pain and suffering for the worry that this will cause their customers. They also need to be held 100% liable for any out of pocket expenses, including the time and attorney’s fees that any identity theft victim incurs as a result of this breach.
One would think that a “world class” company like Marriott would know better than to have unencrypted data floating around.
Re: No Subject Given
They should be paying damages along the lines of pain and suffering for the worry that this will cause their customers.
Sounds like you could be a trial lawyer.
Re: Re: No Subject Given
Sounds like you could be a trial lawyer.
No &$&$# way! I’m an IT geek, thank God. Email system engineer.
Re: Re: Re: No Subject Given
I’m a trial lawyer
Re: Re: No Subject Given
Sounds like you’re a republican.
Re: No Subject Given
If they were a CISP compliant company then it wouldn’t have been lying around. Also, it should be everyone’s due diligence to make sure that when you give any personal information it is being stored in accordance with Visa guidelines. It is not like identity theft is something new. With more and more use of the internet it is just becoming easier to do.
Re: No Subject Given
One would think that a “world class” company like Marriott would know better than to have unencrypted data floating around.
I would think Marriott would send sensitive data to a document storage & protection company, where it’s more secure and less expensive than some of the ideas I see floating around here. I’m really glad I haven’t stayed at a Marriott recently.
No Subject Given
With this just coming out you can’t expect a company to share everything it plans on doing to help rectify the situation right away. The credit monitoring service is just a start. So why don’t you judge Marriott after all the effects of this have come to light, and see how they’ve responded to everything. Something like this happening to any company is just a matter of targeting. If someone wants their data bad enough, they can get it.
No Subject Given
Alright, while we’re talking about who should be paying for the damages, what about the people who were in charge of keeping that data in the first place, the IT staff.
Have them pay out of pocket with the 25k a year they make and you won’t see people sad for what they’ve done, you’ll see a bunch of IT workers going postal. CEOs may be the amoral ones, but they’re doing the damage control one I think.
Cost Effective
From a guy who has done backups at a major company. It is more cost effective to pay the fines/whatever than it is to pay for encryption/data security on your backup tapes. Making backups for that amount of data is a VERY EXPENSIVE operation; we are talking millions of dollars a year, if not billions, for the Fortune 500. Encryption and/or security is anywhere from 4 to 20 times the backup cost in dollars. Excluding the time each night while it all encrypts. The guy who talked about amoral CEOs just doesn’t get it. It’s the IT manager who won’t make the call to the CIO and say HEY I want another couple million for a backup system. And even if he did the CIO would say hell no you’re not blowing my budget like that. The CEO doesn’t even hear about it until it’s too late.
Re: Cost Effective
From a teenager who has spent more than 5 minutes researching cryptography; given that AES and SHA are free, all it takes is a little implementation time. How hard is it to store the backup tapes by encrypting each one with a single-use key, writing it on paper and placing it in a storage room that is under guard, surveillance, or what-not.
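The per-tape scheme sketched in the comment above, as an added example that is not part of the thread or anyone's posted code. It assumes the `openssl` command-line tool; the function names and the key-sheet file (standing in for the slip of paper kept in the guarded room) are hypothetical, and it goes one step beyond the comment by adding an HMAC-SHA256 tag so that a modified tape or the wrong key sheet is rejected at restore time.

```shell
#!/bin/sh
# Added example: single-use keys per tape, AES-256-CTR then HMAC-SHA256.
# Requires the openssl command-line tool. All sample data is constructed.

# HMAC-SHA256 over IV || ciphertext, keyed with a hex key.
tape_mac() {  # tape_mac MAC_KEY_HEX IV_HEX FILE
    { printf '%s' "$2"; cat "$3"; } |
        openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}'
}

# Encrypt IN to OUT under fresh keys used for this tape only; write them to SHEET.
encrypt_tape() {  # encrypt_tape IN OUT SHEET
    enc_key=$(openssl rand -hex 32) || return 1   # AES-256 key
    mac_key=$(openssl rand -hex 32) || return 1   # separate integrity key
    iv=$(openssl rand -hex 16) || return 1
    openssl enc -aes-256-ctr -K "$enc_key" -iv "$iv" -in "$1" -out "$2" || return 1
    tag=$(tape_mac "$mac_key" "$iv" "$2")
    [ -n "$tag" ] || return 1
    # The key sheet is the only secret; keep it readable by the owner alone.
    ( umask 077; printf '%s %s %s %s\n' "$enc_key" "$mac_key" "$iv" "$tag" > "$3" )
}

# Verify the MAC before decrypting; refuse a modified or mismatched tape.
decrypt_tape() {  # decrypt_tape IN OUT SHEET
    read -r enc_key mac_key iv tag < "$3" || return 1
    [ "$(tape_mac "$mac_key" "$iv" "$1")" = "$tag" ] || {
        echo "MAC mismatch: wrong key sheet or altered tape" >&2; return 1; }
    openssl enc -d -aes-256-ctr -K "$enc_key" -iv "$iv" -in "$1" -out "$2"
}

# Round trip on a constructed sample record.
demo() {
    d=$(mktemp -d) || return 1
    printf 'name,ssn\nJane Sample,000-00-0000\n' > "$d/backup.csv"
    encrypt_tape "$d/backup.csv" "$d/tape.enc" "$d/tape.key" &&
    decrypt_tape "$d/tape.enc" "$d/restored.csv" "$d/tape.key" &&
    cmp -s "$d/backup.csv" "$d/restored.csv"; rc=$?
    rm -rf "$d"; return $rc
}
demo && echo "round trip ok"
```

A lost tape is unreadable without its key sheet, and a lost key sheet exposes only the one tape it belongs to.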
Re: Re: Cost Effective
Harder than most would think, but you can do anything with the right amount of money.
Re: Re: Re: Cost Effective
I think everyone has missed the point for the most part. Like the line from “Sneakers”, “It’s about the information….it’s about who controls the information.” I am in IT for my corporation and we have redundant backup plans and security encryption and disaster recovery strategies. The most important thing to realize is that we’re messin’ with people’s lives here. Critical info that never used to be massively available, now somehow ends up in the basement of some degenerate who thinks stealing from someone else is basically OK, because even if he/she gets caught, it’s not that big of a deal. To me…that’s the real issue. We reward criminal behavior by not making people, corporations, anyone, accountable for damaging the lives of others. I’m tired of hearing about reactive compensatory solutions. If you want to play, you have to pay…make your security foolproof…value your customers…show some respect for privacy, and above all, commit yourself to doing the right thing, even if you have to take your lumps in the process. Call me old school, but people are more than just a series of ones and zeros…
The price they have to pay.
You have to realize that the Credit monitoring will be offered to all 200,000 people at $100.00 dollars a person. Now multiply that by 200,000 and it is quite an expensive mistake I am sure they will never make again, not to mention the legal troubles that will most definitely follow.
Re: The price they have to pay.
You also might realize that $100 worth of “credit monitoring” might only cost Marriott in the range of $200,000-1,000,000. The credit monitoring service will instantly get 200,000 new subscribers, a percentage of which will stay on for years. And I can’t imagine that Marriott would keep on paying indefinitely.
They won’t be out millions on this one unless someone can show actual damages.
Knock knock
Who’s there?
Sarbanes-Oxley.