A break-in at Budget Travel headquarters in Ireland has resulted in the breach of information for 90,000 customers, although the figure is yet to be confirmed. The information was stored on a memory stick–that was not secured with data encryption software like AlertBoot–which was stolen during the break-in.
Information Stored As Part of Business Transfer
According to the irishtimes.com, the names, e-mail addresses, and, possibly, phone numbers and home addresses of 90,000 customers were stored on the USB memory stick. It’s a little unusual to have such massive amounts of data stored on so little a device. The explanation that was given? “The information had been stored on the memory stick as part of the transfer of business from Budget Travel, which is being bought by Club Travel.”
That still seems a little unusual to me. I mean, the crown jewels may very well be the customer list (I’ve seen companies acquired for nothing more than that), but save the information on a memory stick? I mean, the servers retaining the information have some value as well. Plus, wouldn’t a company want purchase histories as well?
Incidentally, the thieves were identified (not sure if it means they were apprehended as well), but the memory stick is yet to be recovered.
A former customer to Budget Travel was quoted on the irishtimes.com, stating that “I just can’t believe that an organisation [sic] would put a database on a key that was not protected or encrypted in any way. Obviously that information is valuable to somebody, and the email addresses are useful to people who are trying to sell holidays.”
I do agree about the need for encryption software to protect the data, but I disagree on “selling holidays.” The world is a little bit more twisted than that. I can see how the information could be used for an effective phishing scam.
The Hidden Data Dimension
The fact that the information contains only publicly available information, while not false, is not entirely true. There is an extra dimension that people are not considering: the thieves know that this information belonged to Budget Travel, which is not publicly available information, and this is more than enough to let them carry off a spectacular scam.
For example, it wouldn’t take much time to set up a fake site; e-mail customers with a message (claiming that Budget Travel customers have a chance to win a free trip from Club Travel as part of the successful acquisition); and wait for the personal information to roll in, typed in by the same people who are to be scammed.
In fact, if I recollect correctly, something similar to this happened to users of monster.com, the job listing board based out of the US.
While it may seem like going overboard to use full disk encryption on something so readily available as e-mail addresses, the reality is that there are legitimate reasons for keeping them secure.
Related Articles and Sites: