Data Breach: Boston Water and Sewer Commission Contractor Loses Hard Drive.

The Boston Water and Sewer Commission has announced that a contractor has lost a computer hard drive with customer information.  Based on the location where the breach took place, as well as the residency of those affected, it looks like data encryption software like AlertBoot was not used.

The silver lining is that there wasn’t any sensitive personal data.  But, BWSC appears to understand that that is not the end of the story.

Customer Account Information

According to, a contractor that was working for the BWSC upgrading meter reading software has lost a hard drive disk with account information.  The information does not include SSNs, financial data, or identification numbers.  However, customers’ names, addresses, and account and meter data are included.

On the surface, it doesn’t look like a big deal.  And it isn’t.

However, enterprising criminal minds don’t approach certain situations like the rest of us would.  If the hard drive fell into the hands of the more creatively-inclined sort, could they not use their position to craft phishing attacks based on the non-sensitive data?

They could:

Anyone who receives a call from anybody claiming to represent the Commission seeking confidential information is urged to contact their customer service department at 617-989-7800 or them directly at 617-989-7000.

It’s all about big data.  Get yourself a big enough database and the possibilities, big or small, start cropping up.  I’ve described one such case previously:

Described in John Allen Paulos’ Innumeracy, the stock market scam is a game of probability (some would say certainty).  You cull 10,000 names and addresses from the phone book.  For half of them, you send a letter claiming the stock market is going to go up next week; for the other half that it’s going to go down.  Next week, you target the 5000 names for whom your “prediction” was correct.  Half of them get a second letter saying the market is going to go up; the other half, down.  Rinse and repeat as needed.  At the end of this process, you will get a handful of believers that think you’re the best trader since Warren Buffett and George Soros combined.  You tell them they won’t get the final letter unless you get $10,000 from each one.  With the impressive track record, investors send you money (they don’t know how many are in on this thing), get a second mortgage to invest its proceeds, and wait with bated breath.  You disappear.  Time generally tends to be on the criminal’s side, if you think about it.

Massachusetts Data Protection Law: One of the Toughest in the US

Massachusetts has one of the toughest data protection laws in the US, with corresponding penalties.

But, it also offers safe harbor from these same laws if data is protected with strong encryption prior to being lost or stolen.  Otherwise, you have to report the breach to the AG’s office and also notify anyone who may be affected by the breach.

Which is why I note that the laptop must not have been encrypted.  Otherwise, BWSC would not have been required to go public with the breach.  Interestingly enough, the law only requires data protection when dealing with personal data, which is specifically defined by law.

I’m having some problems reconciling the above description of the lost data with what the law requires, though (in addition to first and last names, some form of ID number or financial account number is required, which BWSC denies were present).
