Personal data for 650,000 customers vanishes into thin air
Bad timing for J.C. Penney CEO
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
Personal information belonging to more than 650,000 US customers of J.C. Penney and other retailers is at risk after the company hired to safeguard the data lost a backup tape.
The information, which was entrusted to a company called GE Money, included social security information for about 150,000 people. The data was on a backup tape that was discovered missing in October from a warehouse maintained by storage company Iron Mountain. While there is no indication the tape was stolen, company officials have been unable to locate it, either.
In a twist of irony, the revelation of the missing information coincided with the debut of a mini documentary on cyber crime in which the chairman and CEO of J.C. Penney, Mike Ullman, speaks about the growing risk posed by online thieves.
At one point in the 20 minute-film, which was produced by security provider Fortify Software, he acknowledges that criminals are actively probing server code for mistakes that will allow them to access J.C. Penney information. He makes no mention of vulnerabilities relating to physical security or business partners.
The disclosure comes a year after TJX Cos., owner of the T.J. Maxx and Marshalls retail chains, suffered a server breach that exposed personal information for as many as 100 million people. Despite it being the world's biggest credit card heist ever and despite revelations security measures failed to meet credit card industry requirements, there's been little measurable backlash on the company. TJX stock has lost less than 1 percent over the past year, compared with a six per cent decline in the S&P 500.
GE Money has offered to pay for 12 months of credit monitoring for anyone whose social security number was lost.
According to the Associated Press, a letter signed by GE Money President Brent P. Wallace reads in part that J.C. Penney "was in no way responsible for this incident." ®
COMMENTS
@Steve Keller part III
"no standards for real data security"???? Has anyone ever bothered to look at RFC2196? Google it if you aren't familiar.
The CISO must to build a team that feels empowered to make the right choices when it comes to security basics. Shifting blame from Net Admin to CISO does not make sense either though as Security is a collective function of several moving parts.
Insofar as JC Penny's culpability, they are still responsible for the data even if handed off to a third party.
I call BS
Quote: According to the Associated Press, a letter signed by GE Money President Brent P. Wallace reads in part that J.C. Penney "was in no way responsible for this incident."
Absolute twaddle. Their choice to hand said information off to a third party does not absolve JC Penney of their responsibility to take adequate care of it.
Tape encryption is JC Penny's responsibility
Tape encryption is JC Penny's responsibility.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
