Boston newspapers deliver subscribers' personal financial data with Sunday editions

Who needs electronic break-ins when you can just subscribe to your local newspaper to gain access to sensitive financial data?

Even in an era when embarrassing business leaks of personal financial data have become common, the failure at The Boston Globe and Worcester Telegram & Gazette is a doozy (see the Globe's story and publisher's letter to subscribers). (The Telegram & Gazette also put a notice on its Web site. Access to the site's content is restricted to paid subscribers, but you can read it if you register and give them your credit card number.)

In a mind-boggling turn of events, the paper's sister company, T&G, discarded printouts of more than 240,000 customer names that included either credit card numbers or check routing numbers without shredding them. From there the sensitive documents were recycled and somehow ended up being used as protective wrappers on 9,000 bundles of Boston Globe and Worcester Telegram newspapers that were distributed to 2,000 retailers. T&G is owned by the parent company of both newspapers, The New York Times Company.

According to the Globe story, the paper didn't realize what had transpired until it was contacted by a Cumberland Farms store.

How could this happen? As with recent backup tape fiascos, adequate policies and procedures either were not in place or were not followed. Based on what's revealed in the Globe story, it's clear that better policies were needed.

To its credit, The Globe has opened a hotline for customers and appears to be taking steps to ensure that this type of information leak doesn't happen again. Steps cited in the story include such security 101 basics as only allowing the last four digits of a customer's credit card number to appear on printouts.

That said, the dry, factual letter from the Globe's publisher will do little to assuage outraged subscribers and looks more like a letter crafted by the company's lawyers. It falls short of accepting full responsibility, and does not offer a full and unconditional apology. It states only the paper's regret that the incident occurred and "...the inconvenience that this incident may cause" to its subscribers.

What People Are Saying

Same stuff, different day

All this seems like standard operating procedure in a generation of companies that take no responsibility at the management level, with the exception of their bonus checks.

The people who did it at the worker level will be fired or permanently screwed and the management team will CYA for days to try to bury this as soon as possible.

The letter to the editor that was posted should hopefully be enough for a majority of the people subscribing to these publications to drop them and never look back. Talk about hubris. What happened to taking responsibility and showing some humility? It appears that the New York Times Co needs to review the 7 deadly sins with their management, not the 7 habits type books.

Did the concept of a hashing

Did the concept of a hashing algorithm disappear?

This really does beg the

This really does beg the question - why did the report contain card numbers in the first place?

It is a simple best practice in all credit card handling environments to mask card information and, at most, provide the first 4 and last 4 digits back out to telephone operators, reports, etc.

The full card number should ideally never be stored, but if necessary, stored in a separate vault database, where the main application can add them but never get them back out.