The kindness of strangers
IT Topics: Management, Security
(This week's Frankly Speaking, now with links!)
It has not been a good month for data security news. First the California Public Employees’ Retirement System (CalPERS) exposed the Social Security numbers of 445,000 retirees. Then the U.S. Federal Trade Commission revealed trade secrets from an antitrust lawsuit. And last week, security experts said Monster.com has leaked the personal data of hundreds of thousands of job seekers.
As it happens, the first two incidents were almost prevented, thanks to the kindness of strangers.
Well, OK, not strangers — business partners.
In the CalPERS case, an employee sent a disk containing Social Security numbers along with names and addresses to the company responsible for printing and mailing 445,000 brochures. Fortunately, the printer had software designed to detect SSNs and keep them from being printed. That would have saved the day.
Unfortunately, many of the CalPERS SSNs had leading zeroes, which fooled the software. As a result, full or partial SSNs were printed on many of the address labels.
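As an added illustration (not code from the column or from the printer's product), here is a detector that fails on leading zeroes beside one that does not. The column does not say why the zeroes fooled the software; this example assumes the common cause, that the field was run through an integer conversion, which silently drops leading zeroes before the nine-digit check. The rows are constructed sample data.

```python
import re

# Constructed sample address-label records (not real data). The ssn column
# includes values with leading zeroes, as in the CalPERS brochure mailing.
SAMPLE_ROWS = [
    {"name": "A. Example", "ssn": "123456789"},
    {"name": "B. Example", "ssn": "012345678"},  # one leading zero
    {"name": "C. Example", "ssn": "001234567"},  # two leading zeroes
    {"name": "D. Example", "ssn": "12345"},      # five digits, e.g. a ZIP code
]


def naive_contains_ssn(value: str) -> bool:
    """Hypothetical detector reproducing the assumed failure mode: the field
    is converted to an integer before its length is tested, so "012345678"
    becomes 12345678 (eight digits) and is no longer recognised as an SSN."""
    try:
        digits = str(int(value.replace("-", "")))
    except ValueError:
        return False
    return len(digits) == 9


# Nine digits, optionally with the usual 3-2-4 dashes, not embedded in a
# longer run of digits. Leading zeroes are ordinary digits to a regex.
SSN_RE = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")


def contains_ssn(value: str) -> bool:
    """Hardened detector: operate on the text exactly as it will be printed,
    never on a numeric conversion of it, so leading zeroes are preserved."""
    return SSN_RE.search(value) is not None


def scan_rows(rows, detector) -> list:
    """Return the names of rows the given detector would have blocked from
    printing; comparing the two detectors shows which rows slip through."""
    return [row["name"] for row in rows if detector(row["ssn"])]


if __name__ == "__main__":
    print("naive blocks:   ", scan_rows(SAMPLE_ROWS, naive_contains_ssn))
    print("hardened blocks:", scan_rows(SAMPLE_ROWS, contains_ssn))
```

A detection check like this belongs in the sender's own pre-release test data as well as the partner's software: a test set that includes leading-zero values would have exposed the gap before the disk left CalPERS.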
At the FTC, the problem was with a legal document that was part of the commission’s lawsuit to block the buyout of organic grocery chain Wild Oats by a competitor, Whole Foods. The document was posted on a federal court’s online database, and the FTC was supposed to redact it for public viewing — with confidential information blacked out, including tactics Whole Foods uses with suppliers to keep from being undercut by Wal-Mart.
But the “blacked out” information was easy to retrieve with a simple cut and paste. Fortunately, court employees spotted the problem and pulled down the filing — but unfortunately not before it was downloaded by the Associated Press and the trade secrets were distributed to newspapers.
(Since then, a federal judge has OK’d the buyout, the FTC has appealed that decision, and Whole Foods says it is considering a lawsuit against the FTC for revealing its trade secrets.)
Those partners weren’t able to save CalPERS and the FTC from breaching confidentiality. But they tried, and that’s good. Defense in depth shouldn’t stop at an organization’s borders. The more business partners can help guard against improper disclosures, the better off every organization — and its customers — will be.
Of course, that’s no replacement for basic data security inside the organization. That’s why the FTC is investigating how an employee failed to properly black things out, while CalPERS says it is now looking at ways to eliminate its use of Social Security numbers.
Then there’s Monster. This time, the partners — recruiters and HR people who use Monster to look for employees — were the ones whose PCs were penetrated first. Using their stolen Monster log-ins, attackers collected job seekers’ resumes to harvest names, addresses, phone numbers and e-mail addresses. All in all, 1.6 million records about several hundred thousand people were stolen, according to Symantec security analyst Amado Hidalgo.
Then that data was used to trick job seekers into downloading malware. (You'll find an updated FAQ with all the details here.)
Monster says it does its best to watch out for improper activity. But that’s hard to do when your partners are the ones who open the door for attackers.
And anyhow, we can’t rely on the kindness of strangers for our security.
But we don’t have to. We can talk with our business partners. We can find out how they’re backstopping our security efforts and encourage them to do more. We can include them in our postmortems of breaches, disclosures and near misses.
By including those partners in our security efforts, we add just a little more depth to our defense. It won’t always save us, as CalPERS and the FTC learned. But it could help.
And when it comes to staying out of the data security headlines, we need all the help we can get.