It has not been a good month for data security news. First, the California Public Employees' Retirement System (Calpers) exposed the Social Security numbers of 445,000 retirees. Then the Federal Trade Commission revealed trade secrets from an antitrust lawsuit. And last week, security experts said Monster.com has leaked the personal data of hundreds of thousands of job seekers.
As it happens, the first two incidents were almost prevented, thanks to the kindness of strangers.
Well, OK, not strangers: business partners.
In the Calpers case, an employee sent a disk containing Social Security numbers along with names and addresses to the company responsible for printing and mailing 445,000 brochures. Fortunately, the printer had software designed to detect SSNs and keep them from being printed. That would have saved the day.
Unfortunately, many of the Calpers SSNs had leading zeroes, which fooled the software. As a result, full or partial SSNs were printed on many of the address labels.
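One way a leading-zero SSN can slip past a pattern-based pre-print screen, shown as an added example (not code from this column or from the printer's software). It assumes the SSNs were stored as numbers, so the leading zeros were dropped before the screen saw them; the column does not state the mechanism. All rows and field names are constructed.

```python
import re

# Naive screen: recognises only a full nine-digit SSN, dashed or undashed.
NAIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")

# Hardened screen: a dashed SSN, or any standalone run of 7-9 digits, is a
# candidate. Runs glued to other digits or dashes (ZIP+4, longer account
# numbers) are excluded by the lookarounds.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d{3}-\d{2}-\d{4}|\d{7,9})(?![\d-])")

def plausible_ssn(digits):
    """Structural check: SSA does not issue area 000, 666 or 900-999,
    group 00, or serial 0000."""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def naive_hits(text):
    return NAIVE.findall(text)

def hardened_hits(text):
    """Restore dropped leading zeros, then apply the structural check.
    Errs toward holding the job: a bare 7-digit number is also flagged."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = m.group().replace("-", "").zfill(9)
        if plausible_ssn(digits):
            hits.append(digits)
    return hits

def screen(rows, detector):
    """Return indexes of rows where any field contains a suspected SSN."""
    return [i for i, row in enumerate(rows)
            if any(detector(str(v)) for v in row.values())]

# Constructed mailing rows. int() models a numeric column dropping zeros.
ROWS = [
    {"name": "A. Sample", "line2": "100 Main St", "ref": "123-45-6789"},
    {"name": "B. Sample", "line2": "PO Box 12, Sacramento CA 95814-0001",
     "ref": int("001234567")},
    {"name": "C. Sample", "line2": "7 Elm Ct", "ref": int("012345678")},
    {"name": "D. Sample", "line2": "9 Oak Ave, Sacramento CA 95814-0001",
     "ref": "M-20417"},
]

if __name__ == "__main__":
    print("naive holds rows:   ", screen(ROWS, naive_hits))
    print("hardened holds rows:", screen(ROWS, hardened_hits))
```
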
At the FTC, the problem was with a legal document that was part of the commission's lawsuit to block the buyout of organic grocery chain Wild Oats by a competitor, Whole Foods. The document was posted on a federal court's online database, and the FTC was supposed to redact it for public viewing with confidential information blacked out, including tactics Whole Foods uses with suppliers to keep from being undercut by Wal-Mart.
But the blacked-out information was easy to retrieve with a simple cut and paste. Fortunately, court employees spotted the problem and pulled down the filing, but unfortunately not before it was downloaded by the Associated Press and the trade secrets were distributed to newspapers.
(Since then, a federal judge has OK'd the buyout, the FTC has appealed that decision, and Whole Foods says it is considering a lawsuit against the FTC for revealing its trade secrets.)
Those partners weren't able to save Calpers and the FTC from breaching confidentiality. But they tried, and that's good. Defense in depth shouldn't stop at an organization's borders. The more business partners can help guard against improper disclosures, the better off every organization and its customers will be.
Of course, that's no replacement for basic data security inside the organization. That's why the FTC is investigating how an employee failed to properly black things out, while Calpers says it is now looking at ways to eliminate its use of Social Security numbers.
Then there's Monster. This time, the partners (recruiters and HR people who use Monster to look for employees) were the ones whose PCs were penetrated first. Using their stolen Monster log-ins, attackers collected job seekers' resumes to harvest names, addresses, phone numbers and e-mail addresses. All in all, 1.6 million records about several hundred thousand people were stolen, according to Symantec security analyst Amado Hidalgo.
Then that data was used to trick job seekers into downloading malware.
Monster says it does its best to watch out for improper activity. But that's hard to do when your partners are the ones who open the door for attackers.
And anyhow, we can't rely on the kindness of strangers for our security.
But we don't have to. We can talk with our business partners. We can find out how they're backstopping our security efforts and encourage them to do more. We can include them in our postmortems of breaches, disclosures and near misses.
By including those partners in our security efforts, we add just a little more depth to our defense. It won't always save us, as Calpers and the FTC learned. But it could help.
And when it comes to staying out of the data security headlines, we need all the help we can get.
Frank Hayes is Computerworld's senior news columnist. Contact him at frank_hayes@computerworld.com.