#148704 - 01/12/04 07:48 PM Potentially Compromised Accounts
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
Fiserv put out an alert recently for potentially compromised accounts. The reason code is "6" (Computer equipment stolen from a credit card processor on or about 12/30/2003. The server contained approx. one year's worth of data and included card numbers, cardholder name and exp. date, etc., etc.)

Does anyone have any information on this?

#148705 - 01/12/04 09:15 PM Re: Potentially Compromised Accounts
Buddy the Elf Offline
Platinum Poster
Buddy the Elf
Joined: May 2002
Posts: 975
first lily pad on the right
That's all of the information that was provided.
_________________________
CAMS

#148706 - 01/13/04 12:55 AM Re: Potentially Compromised Accounts
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,769
On the Net
This happened before Christmas.

--Stolen Bank Laptop Contains Customer Data

(19 December 2003)

A laptop stolen from Bank Rhode Island's (BankRI) principal data-processing provider contains the names, addresses and social security numbers of about 43,000 customers. BankRI CEO Merrill Sherman said the bank's IT department now plans to install encryption and fraud detection software on its computers. http://www.computerworld.com/printthis/2003/0,4814,88443,00.html

[Editor's Note (Ranum): Note that the laptop was stolen from RI's service provider, Fiserv. This illustrates a big issue in information sharing: transitive trust and the question of whether one's application service providers are handling data safely. In this case, Fiserv did the right thing and told RI. How often do such things happen and nobody is told?

(Northcutt): BankRI seems to be doing all the right things. They have written letters to the folks who may have been affected, and they are working with a credit reporting company. This appears to be a case of "death by application service provider" as you can see from this link: http://www.projo.com/business/content/projo_20031219_bankri19.df9b4.html

If your organization is considering using an ASP or other external data processor, you might want to review the steps in the "ASP Challenge": http://www.sans.org/score/asp_checklist.php

(Schultz): It's tragic how so many organizations fail to adopt appropriate security measures until after they experience a catastrophic security-related incident.]
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#148707 - 01/13/04 01:59 PM Re: Potentially Compromised Accounts
Anonymous
Unregistered

I hate to ask a dumb question, but what was this information doing on somebody's laptop? Isn't that just asking for trouble?

#148708 - 01/13/04 02:06 PM Re: Potentially Compromised Accounts
John Burnett Offline
10K Club
John Burnett
Joined: Oct 2000
Posts: 40,086
Cape Cod
Quote:

I hate to ask a dumb question, but what was this information doing on somebody's laptop? Isn't that just asking for trouble?

If it's a dumb question, it's one that should have been asked by the ASP. If the facts are as described, someone at the ASP should be looking for another position.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8

#148709 - 01/13/04 02:48 PM Re: Potentially Compromised Accounts
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,769
On the Net
The use of laptops is extremely common, especially since many are purchased as desktop replacements.

Why a vendor needed the file may or may not be an issue. If it is there, security programs should be in place to restrict access and encrypt data. This isn't the first time this sort of thing has happened and it likely will not be the last.

Add this to your vendor due diligence checklist if you use services such as this. ALSO if you have staffers with laptops, you can learn from this as well.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#148710 - 01/13/04 04:53 PM Potentially Compromised Accounts
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
In a situation like this, we normally close the card (notifying the customer by phone) and immediately reissue a new card. Is there a requirement where the customer must be notified in writing in this particular case?

#148711 - 01/13/04 05:24 PM Re: Potentially Compromised Accounts
Anonymous
Unregistered

The information I have, if it's the same thing, says it was a server with a year's worth of archived and back-up data. This says this happened 12/30. It says Visa was notified the server was stolen from a third party credit card processor.

#148712 - 01/13/04 05:31 PM Re: Potentially Compromised Accounts
Anonymous
Unregistered

Quote:

The information I have, if it's the same thing, says it was a server with a year's worth of archived and back-up data. This says this happened 12/30. It says Visa was notified the server was stolen from a third party credit card processor.

Ah. So two different events - Not surprising.

Quote:

... Is there a requirement where the customer must be notified in writing in this particular case?

Depends. Under the new California "Privacy" law, if your affected customer is a resident of California, you may need to provide written notice (consult your counsel).

-g

#148713 - 01/13/04 06:10 PM Re: Potentially Compromised Accounts
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
Quote:

Depends. Under the new California "Privacy" law, if your affected customer is a resident of California, you may need to provide written notice (consult your counsel).

-g

Any idea what the cite is?

#148714 - 01/13/04 06:30 PM Re: Potentially Compromised Accounts
Anonymous
Unregistered

Try this:

http://www.privacy.ca.gov/code/cc1798.291798.82.htm

Please have your counsel interpret for applicability to your customers.

-g

#148715 - 01/13/04 06:46 PM Re: Potentially Compromised Accounts
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
Thank you. I do remember this new law; however, it was my understanding that if the breach was within "your" computer system, all account holders should be notified. This is not the case. Any thoughts?

#148716 - 01/13/04 08:06 PM Re: Potentially Compromised Accounts
Anonymous
Unregistered

I think it is a bit more complicated than that. Since I don’t know from what state the computer or data records were stolen, the pertinent notice triggers become: 1) your customer's personal information is breached and 2) your customer is a resident of California.

But, there are other possible scenarios that could invoke the notice, such as location of the computer system, whether or not the information was encrypted and at what strength, whether or not there is an ongoing investigation, etc... I think the ink is still drying - that's why it's prudent to consult with informed counsel.

-g

#148717 - 01/13/04 10:55 PM Re: Potentially Compromised Accounts
Miss Kitty Offline
Platinum Poster
Joined: Mar 2002
Posts: 721
California
You know, after going back and attempting to "interpret the law", I still think that the agency who had the breach should contact the customers, even those in California. This clearly happened somewhere else (do you think the employee at Fiserv lost their job because of not following protocol w/ the laptop?). But, on the other hand, I see where it's a good idea (aka good customer service) to contact only those whose debit card numbers (as in our case) were compromised. Contact meaning following up in writing, as we've already personally called our customers notifying them of the event. As stated earlier, the ink hasn't dried yet with this new law. I feel they should clearly state as an example a case similar to what happened here, and as an example where the notification requirement lies (the company where the breach occurred; it didn't occur at our bank).

Not being an attorney, I'm sure they will say written notice is required.

#148718 - 01/15/04 02:08 PM Re: Potentially Compromised Accounts
hobot Offline
Gold Star
hobot
Joined: Dec 2002
Posts: 437
Typically, the bank is responsible for its own customers' data even if that data is in the hands of a bank vendor. It is the bank's job to screen and audit their vendors, and be notified by the vendor if the vendor has a problem with vendor security breaching the bank's customers' data security. The customer surely cannot control this. IMHO, if the bank is using a third party who used Fiserv who uses ABC company, etc., it is the bank's job to track all that down and try to keep it clean. How can ABC notify a bank's customer? They don't have a relationship with that consumer.

#148719 - 01/21/04 10:37 PM Re: Potentially Compromised Accounts
Michael - BSN Offline
New Poster
Joined: Jan 2004
Posts: 4
New York, NY
I know nothing about this, though I just emailed Les Muma (Fiserv president) recently, about a stolen Fiserv laptop that contained personal information of up to 43,000 Bank of Rhode Island customers. The company was very forthcoming on it. That event took place in early or mid December, and made public Dec. 18 -- could this be what you refer to? If not I'd certainly like to know more.

#148720 - 01/21/04 10:52 PM Re: Potentially Compromised Accounts
Michael - BSN Offline
New Poster
Joined: Jan 2004
Posts: 4
New York, NY
It would have been worth my while to scroll down the posts before responding -- forgive the newbie who didn't see that there were already many responses to the original query.

But, some questions answered: Les Muma confirmed that (A) keeping a Fiserv client's customer information (let alone unencrypted) on a laptop was a policy violation and (B) the employee was reprimanded (but not fired); I am interested in any further info on the credit card server incident, such as the original source...
