Newspapers' Exposure of Data Points Out Hidden Risks

Computerworld - Incidents such as the data security breach disclosed last week by The Boston Globe and the Worcester Telegram & Gazette—which inadvertently attached the credit card numbers of more than 200,000 subscribers to newspaper bundles—highlight the unexpected ways in which sensitive information can leak out of companies.

The data exposure by the two newspapers hammered home yet again the need for businesses to implement comprehensive policies for securing their information assets and then apply the appropriate controls to mitigate the risk of accidental compromises, according to security analysts. Ways to Lose Data

"Given the infinite number of ways business processes are implemented in firms, there are potentially an infinite number of ways in which data can be lost," said Arshad Noor, CEO of StrongAuth Inc., a compliance management services firm in Sunnyvale, Calif.

As a result, IT and security managers need to start thinking beyond network and system defenses, Noor said. "We have to go back to the core of our systems where the data sits and start securing it outward from there," he said.

The Globe and the Telegram & Gazette, a sister publication in Worcester, Mass., announced that discarded internal reports containing the full credit card numbers of as many as 240,000 subscribers were reused to produce more than 9,000 routing slips for bundles of the Jan. 29 Worcester Sunday Telegram. The bank-routing information of about 1,100 Telegram & Gazette subscribers who pay by check may also have been exposed when the newspaper bundles were sent to retailers and carriers.

The two newspapers are owned by The New York Times Co. and use a shared computer system. According to officials at the Globe, customer data was mistakenly printed out twice in recent weeks by business office workers at the Telegram & Gazette. The reports were then put aside so that the clean side of the paper could be used for other purposes, leading to the security gaffe.

The Globe managed to recover about 1,000 of the routing slips after it was alerted to the problem by a store employee, said Alfred Larkin, the newspaper's senior vice president of general administration and external affairs. Most of the other slips are believed to have been discarded, he said.

After the breach was discovered, the newspapers modified their business system so it prints only the last four digits of credit and debit card numbers. In addition, the Telegram & Gazette stopped its practice of reusing internal reports as routing slips, Larkin said, adding that the Globe hadn't done that to begin with.