Friday, June 06, 2014
KHON and Hawaii News Now post info on Star-Advertiser data breach
by Larry Geller
I had to wait my turn to search the records at Circuit Court this afternoon—professional reporters were ahead of me scouring the X-Files for an X-Copy of court papers on the two ID thieves arrested in connection with the Star-Advertiser data breach. It turns out that most of the records are in a banker’s box somewhere between the judge’s chambers and the records room.
Yes, everything is on paper, in random order in a single pile. They really are called X-Copies. That’s how technically advanced we are here, but nevermind.
I learned that there are now two people charged with using the Star-Advertiser subscriber data--Sadie Groy and Tori Samiere. Papers for Samiere are also unavailable because she is to appear in court at 8:30 on Monday to face charges of identity theft and credit card fraud.
Meanwhile, KHON and Hawaii News Now websites have more information on the apparent failure of the Star-Advertiser to adequately protect its customers’ data. Some snips:
Police sources say the two women are part of a large theft ring that has targeted subscribers of the Star Advertiser.
The paper's storage unit was burglarized and at least one banker box was taken. The box contained account information for hundreds of customers.
Police say the information was used to make fake credit cards.
[Hawaii News Now, Honolulu Star-Advertiser victim of thieves, customer accounts stolen, 6/5/2014]
According to police sources on April 4, a worker at a self-storage business found boxes left outside a locker rented by the paper.
At least one of the boxes had paper records on customers including credit card information.
On April 29, police got their first report of ID theft from those records.
[KHON, Two people arrested in Star-Advertiser ID theft case, 6/6/2014]
The KHON report is especially significant. The exposure of unprotected (by which I mean unencrypted, plainly readable) customer data occurred two months ago.
I am a subscriber. I did not receive a notice from the paper that my data had been compromised—perhaps it wasn’t, but we now have a question of whether the S-A notified at least the subscribers who could have been affected.
Compare this to the University of Hawaii and Department of Health data breaches. In the case of the University of Hawaii data breaches, it took a lawsuit to get the University to do the right thing and provide credit monitoring services free of charge to those affected.
Until more information is available, it is not known how many of the Star-Advertiser subscribers were affected. And so far, the only information visible from the paper itself was a paragraph in today’s story, itself 21 pages deep inside the paper. It’s possible that both I and Google missed something earlier, of course. More likely we’ll have to learn details of the breach elsewhere.
We do need more information from the Star-Advertiser itself. They might explain what they did between April 4 and the present to counter the possibility of ID theft.
We also need to know that they are no longer storing paper copies of subscriber information anywhere, particularly in storage locations not under their control.
The matter isn’t closed just because two thieves are in custody.