Saturday, June 07, 2014
Differences in Star-Advertiser data breach stories raise more questions
The Dept. of Commerce and Consumer Affairs says by law, businesses that encounter a security breach are required to alert authorities and customers. If more than 1,000 customers are affected, businesses need to alert DCCA.—from KHON story
by Larry Geller
So far, coverage of the Star-Advertiser security breach in other media has been skimpy. KHON reporter Linda Dela Cruz is on it, though. Here is an update to her earlier story posted on the KHON website (snip):
The Dept. of Commerce and Consumer Affairs says by law, businesses that encounter a security breach are required to alert authorities and customers. If more than 1,000 customers are affected, businesses need to alert DCCA.
Right now, there are bills before Congress that would require businesses to do more to protect customer information.
“It would impose certain requirements and restrictions on businesses so that they would have to protect your personal information and maintain that protection as long as they maintain that information,” said Bruce Kim, DCCA consumer protector.
[KHON, Two people arrested in Star-Advertiser ID theft case, 6/6/2014 as updated 7:11 pm]
I have not seen a direct response from the newspaper itself on the issue of its data breach. Instead, a second article appeared today by reporter Rob Shikana. Here is Shikana’s version of the same information related by KHON:
Brent Suyama, spokesman for the state Department of Commerce and Consumer Affairs, said if the personal information of more than 1,000 people is stolen from a business, state law requires the company to notify the department and the affected individuals. The department will also inform the affected people.
Suyama said the department does not have any current data breach incidents requiring it to make notifications.
[Star-Advertiser p. B2, 2 accused of stealing Star-Advertiser data, 6/7/2014]
The two are not necessarily in contradiction. The KHON story notes that the business experiencing the data breach must notify customers; the Star-Advertiser story does not report that.
Neither story reports whether the Star-Advertiser notified anyone potentially affected by the data breach. Had they done so, it would have been possible for those notified to take measures such as changing their credit card numbers to prevent misuse.
The Star-Advertiser story is protected by a firewall, so that if you do not subscribe, you’ll have to buy or find a copy of the paper to read it. A second firewall is their choice to report statements by publisher Dennis Francis through the filter of interviews by his own reporter Rob Shikana. Shikana reported today that Francis said (snip):
Dennis Francis, president and publisher of the Star-Advertiser, said the newspaper is not aware of any subscriber information being obtained or used fraudulently, and that a small number of advertising accounts using a credit card to pay bills may be involved.
Contrast this with:
Police sources say the two [arrested] women are part of a large theft ring that has targeted subscribers of the Star Advertiser.
The paper's storage unit was burglarized and at least one banker box was taken. The box contained account information for hundreds of customers.
Police say the information was used to make fake credit cards.
[Hawaii News Now, Honolulu Star-Advertiser victim of thieves, customer accounts stolen, 6/5/2014]
It’s not clear how much it matters whether one’s ID is stolen from a personal or business account—it’s a real person’s name on the card. Certainly, theft of personal credit card numbers would have a more severe impact.
The police are reported to have said that at least one banker box was taken. “At least.” Francis, through the filter of Shikana’s story, seems to differ.
Which is correct?
There’s also the matter of that large theft ring. What data do they have? Perhaps at least a boxful?
Speculation: Could it be that the Star-Advertiser can’t notify those whose records were taken at this point because it doesn’t have the records? The theft ring does. Not that this takes anyone off the hook, of course.
When Target’s data was stolen during the critical Christmas shopping season last year, the company reassured all of its customers that they wouldn’t be responsible for any fraudulent charges. They also announced an overhaul of their information security procedures. Although there is a clear difference of scale involved, in the end, Target attempted to react constructively to prevent further damage.
The University of Hawaii’s IT department (under now-president David Lassner, incidentally) did not move to protect students after repeated data breaches, and it took a class-action lawsuit to ultimately extract an agreement to provide two years of free credit monitoring services to those potentially affected.
If there’s a box of data in the possession of an ID theft ring, is it OK to just let those who trusted that their data would be kept safe continue to be preyed upon by those thieves, or should the publishers be doing more?