Paper Data Breaches Can Be Expensive…and Stupid

Has there ever been a more meaningless, patronizing, and pathetic comment made after a cardholder data security breach than: “We take patients’ information very seriously, and we’re reviewing our policy and our training procedures to make sure this never happens again”? According to this report from the Boston Globe, St. Elizabeth’s Medical Center is currently notifying more than 6,800 people that their billing information, including credit card numbers and security codes, was potentially compromised. It happened when documents the hospital planned to shred were removed by a vendor from a building scheduled for demolition. Unfortunately, the papers (or at least some of them) containing the PANs and security codes (and probably names, too) were found blowing across a nearby field. Where do we even begin to go through the mistakes this institution is reported to have made, none of which is excusable?

Let’s start with keeping PAN data on paper records. PCI allows you to do this, but you need to protect the data. Here, the mistake probably was keeping the data in the first place. I’m pretty sure the hospital could live with just keeping the last four digits, but they kept — and then managed to lose — the full PAN. Then, the hospital also reportedly kept the 3-digit security (continue reading…)
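The two retention mistakes the post calls out (keeping the full PAN when the last four digits would do, and keeping the 3-digit security code at all) are easy to check for before a billing record is archived. The following is an added example, not code from the original post or the hospital: it scans constructed billing lines for Luhn-valid card numbers and security-code fields, reports what a line still exposes, and produces a copy that keeps only the last four digits of the PAN and drops the security code. The record layout and field labels are assumptions; the card numbers are well-known test numbers, not real accounts.

```python
import re

# Constructed sample records (not real data): the kind of billing lines the
# post describes, with well-known test card numbers standing in for real PANs.
SAMPLE_RECORDS = [
    "Patient: J. Doe  Card: 4111 1111 1111 1111  CVV: 123  Amount: 250.00",
    "Patient: A. Roe  Card: 5555555555554444  CVV:999  Amount: 75.50",
    "Patient: B. Poe  Invoice: 2012041234567  Amount: 10.00",  # 13 digits, not a PAN
]

# 13 to 19 digits, optionally separated by spaces or dashes (assumed formats).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Security-code fields under the labels assumed here (CVV, CVC, CID, "security code").
CVV_RE = re.compile(r"\b(CVV|CVC|CID|security code)\s*:?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, so invoice numbers
    and other digit runs of the same length are not treated as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # not a card number, leave it untouched
    return "*" * (len(digits) - 4) + digits[-4:]   # keep only the last four


def find_sensitive(line):
    """List what a line still exposes; an empty list means it may be archived."""
    issues = []
    for m in PAN_RE.finditer(line):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            issues.append("full PAN")
    if CVV_RE.search(line):
        issues.append("security code")
    return issues


def redact_record(line):
    """Return a retention-safe copy: security code removed first (so it cannot
    be absorbed into an adjacent digit run), then the PAN truncated."""
    line = CVV_RE.sub(lambda m: m.group(1) + ": [removed]", line)
    return PAN_RE.sub(_mask_pan, line)
```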

Article source: http://www.thesecurityblog.com/2012/04/paper-data-breaches-can-be-expensive-and-stupid/