13,000 current and former ING employees are at risk after a laptop, which was neither password-protected nor encrypted, was stolen from an agent’s home.

Equifax lost the names and SSNs of 2,500 employees. "The personal data of millions of consumers who obtain credit scores from Equifax were not compromised, however it makes one wonder about their endpoint security policies if their own employee data is not safe."

In perhaps the greatest irony, two laptops containing names, addresses, SSNs and financial account numbers were stolen from a government agency tasked with fighting identity theft.

Werner Vogels, CTO for Amazon.com, recently said you should guard customer data with your life.

If you are running an online business you have to guard your customer’s data with your life. Credit card information should be kept in a physically secure location separate from your other servers with armed guards in front of it (I am not kidding). The location should not only be physically isolated but also electronically. Credit card info should reach that location through end-to-end encryption from the customer. Any software that would need to operate on these credit cards should run inside the secure location with a strict audited minimalist one-way API. You then employ a group of hackers whose goal in life it is to break into this facility. Credit card information should not be allowed out of the location ever, not physically, not electronically.

Obviously Werner’s advice is not limited to an online business. There is absolutely no reason this sensitive information should ever be on mobile devices that are easily lost or stolen - especially if there are no other security measures taken on the data.

It's irresponsible at the least and most likely negligent. (The same can be said for not taking proper security measures on servers - you can ask Ohio University about that one).
