Print this article | E-mail this article | Comment on this article

Data loss could affect 650,000 store credit card users

By Ed Oswald, BetaNews

January 18, 2008, 2:04 PM

Credit card company GE Money said a computer tape has disappeared which contained personal information of consumers who hold JC Penney credit cards.

In addition to JC Penney, as many as 100 other companies could be affected. GE supplies credit cards to some of the nation's biggest retailers, including Wal-Mart, IKEA, Lowe's, Lord & Taylor, and online payment service PayPal, among others.

About 150,000 of those customers on the tape would also have their Social Security numbers compromised, the company disclosed. The drive apparently first went missing in October 2007.

Data storage company Iron Mountain is being blamed for the loss, as the drive was housed there. As of yet, there have been no reports of fraudulent activity on the accounts affected, and GE said it didn't have any inclination to believe theft was involved.

Getting data off the tape would be a chore for thieves according to Iron Mountain, although it said it regretting misplacing the tape. "We occasionally make mistakes," a spokesperson told the Associated Press.

As has become standard with data losses like this, GE has agreed to pay for a year's worth of free credit monitoring for those affected. The company began notifying customers of their data loss in December.

Add a Comment (11 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

By bolaris

edited Jan 21, 2008 - 3:27 AM

Things don't go "missing". Things get "taken and not returned because they have value". So the question stands, who will be the highest bidder...

Score: 0

By DigitAl56K

posted Jan 19, 2008 - 9:16 PM

There should be a law against any business or agency physically shipping or otherwise transmitting sensitive customer information on more than 10 customers as part of a single activity without strong cryptography protecting the entirety of the customer information, and with cryptographic keys being exchanged by such means that acquisition of the encrypted information does not also provide an attacker the means to decrypt it. Passwords used in conjunction with the strong cryptography would have to meet certain defined standards. Penalties should be tripled if this law is broken and the information includes any of the following: bank account, debit, credit, or social security numbers, medical records, biometric data, or other essential information generally used to authenticate the identity of an individual.

This would make all of the following illegal, and very costly:

* Having thousands of veterans benefits data stolen from a copy left in a car (US)
* Burning thousands of records to CD and popping it in the mail (recent UK scandal)
* Losing an unprotected backup tape (case in point)
* Using weak password schemes (e.g. an xls sheet password)
* Transmitting data over an unprotected Internet connection

Heck, if these companies bothered to apply suitable cryptographic practices (including managing key exchange appropriately), none of us would even have to be concerned when tapes like these go missing.

Free credit monitoring always seems to be the "get out of jail free" card for these guys. That's nice, except when you actually become the victim of identity theft and it ruins your life for years.

Score: 0

By PatrynXX

posted Jan 18, 2008 - 11:55 PM

Wonder if thats why GE Money hass been trying to contact my brother since December. He's ignoring them because he's late on a payment. Wonder how many others are ignoring GE MOney's contacts. Not just in the possibility of a stolen tape, but what does data loss on a consumers data really mean? How would it affect the consumer. I can't imagine GE Money lost what transactions were made.

Score: 0

By Galway

posted Jan 18, 2008 - 7:00 PM

"GE has agreed to pay for a year's worth of free credit monitoring for those affected."

Why not 5 or 10 years of "free" credit monitoring ?

Score: 0

By DigitAl56K

posted Jan 19, 2008 - 9:20 PM

More to the point, what are GE going to do for you when the free credit monitoring says "hey, you may be the victim of identify theft!". Identity theft is not only about credit cards, either.

Additionally, why should *anyone* trust the agency paid by GE to perform this credit monitoring, when it's hardly in GE's interests for people to become aware that fraudulent behavior is happening?

It makes no sense.

Score: 0

By Anastasia2007

posted Jan 18, 2008 - 5:47 PM

I never understood why large companies use these guys. What is wrong with backing up over wan at night to other locations?

And then doing tape backups there if you like. Involving a third party is asking for trouble!

Score: 0

By melkor

posted Jan 18, 2008 - 7:04 PM

Because no matter how good the encryption there is always an employee who can get a copy of the encryption keys. It's much easier to physically secure data then it is electronically and it's safer. Of course the best approach is to do both.

Score: 0

By DigitAl56K

edited Jan 19, 2008 - 9:24 PM

I dispute your claim.

Virtually every time we hear of a mass data loss it's because someone lost the data on physical medium.

If you can't protect an encryption key from theft by an employee then you don't deserve to be holding sensitive data on thousands of individuals - how the hell do you protect that data if you can't protect an encryption key?

Score: 0

By FireStorm9

posted Jan 18, 2008 - 4:56 PM

Completely unacceptable.

They are PAID TO NOT MAKE MISTAKES. That's WHAT THEY DO TO EARN THEIR MONEY.

How many other "occasional mistakes" have they made?????