AlertBoot Endpoint Security

Full Disk Encryption Not Present On Saks Fifth Avenue Stolen Laptops

Saks, one of the premier names when it comes to shopping, has filed a letter with the Attorney General of New Hampshire (http://doj.nh.gov/consumer/breaches.html) as well as the AG of Maryland (http://www.oag.state.md.us/idtheft/breacheNotices.htm), notifying them of an information security incident, according to pogowasright.org.  In April, four company laptops were stolen, two of them with sensitive information.


The sensitive information included names, addresses, and credit card numbers.  Expiration dates, PIN numbers, passwords, codes and other sensitive data were not included (as they shouldn't have been, since storing them would run counter to PCI-DSS rules, which state that such information should not be stored, including credit card numbers).  The letter mentions that the laptops had password protection, but there is no mention of any kind of encryption, be it hard drive encryption or file encryption.


Because the lost information is limited in its sensitivity, Saks believes that there is a very low risk of identity theft or credit card fraud.  Regardless, they have alerted their customers about the incident and asked them to be on the lookout for irregular credit card activity.  There was no offer of the standard one-year (increasingly, two-year) credit monitoring program that other companies in similar situations tend to provide.  In many ways, this is logical but unusual: if you don't think there's going to be credit card fraud, why offer such services?  It sends mixed messages to customers.  If I were a customer of Saks, though, I'd feel cheated under the guise of "well, everyone else is offering it...."


But is the risk of credit card fraud or identity theft really low?  Well, yes.  (And chances are the layperson would interpret that to mean "there is no risk of any type of crime.")  The truth is, though, that the risk really depends on how astute these thieves happen to be, not on the (extremely) limited data safety precautions Saks had on those laptops.


For example, most on-line stores, when processing payment for a purchase, now require not only the credit card number and expiration date, but the CSC code as well, which is generally not recorded (and wasn't, in the Saks incident).  However, not all stores require it.  So, what the criminals have to do is start looking for on-line stores that don't require CSC codes.  Also, the use of CSC codes is not as actively encouraged overseas, so another way around this obstacle is to sell the information to foreign buyers of such stolen data.


The lack of expiration dates arguably poses a bigger problem, albeit not a complicated one: just try different combinations of months and years.  The maximum "valid thru" date is usually capped at five years from the date of issuance, so there are at most sixty combinations one has to run through for each card.


And last but not least, names and addresses may appear to be bits of innocuous information; they're easily available in the white pages, for example.  Hence, the argument goes, this is not data that can be used for perpetrating crime.  However, this kind of thinking is a fallacy because it forgets to put the data in context.  Names in the white pages are meaningless only if nothing else is known about the person or the address itself.  Each additional piece of information on top of that multiplies the types of scams and the different approaches to scamming people.  In the Saks case, the thieves would know the names, addresses, and the fact that these people shop at Saks.  Would it be too much of a chore to create a fake letter on Saks Fifth Avenue stationery (counterfeit as well) asking people to call a number because their credit card, as shown in the letter, has been compromised?  The courteous "customer service representative" would then guide them through the process of doing...whatever it is they have to do.


Furthermore, the above example could be used to glean even more information from the victims.  "To confirm that you are Bob Smith, could you please tell me your mother's maiden name?"  Now they've got your mother's maiden name, your name, and your address.  And they know you shop at Saks.  Plus, if they have caller ID, they've got your phone number.


Yeah, Saks is right in saying that there is a low probability of the stolen data being used, as is, for fraud.  However, there is nothing preventing the thieves from being creative in their criminal endeavors.  And the seminal incident that could potentially lead to the above scenario?  If you guessed the theft of laptops, you're halfway there.  If you wanted a gold star, however, you would have answered "lack of data security solutions."


A stolen laptop is no good to a thief if the information on it cannot be accessed.  Password protection could be a deterrent (or not), just as pepper spray could be a deterrent to a bank heist.  However, there is a reason why the Federal Reserve Banks arm their guards with automatic weapons instead of cans of pepper spray: the need for real protection.


Real protection when it comes to data at rest—as well as for data in motion, now that I think about it—comes in the form of encryption.  There are generally two different ways of encrypting such data: full disk encryption and file encryption, both available from AlertBoot.


*Update (May 22, 2008): AlertBoot has been advised that the laptops in question were recovered but Saks Fifth Company has declined to comment on the issue.


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with Data Guard Systems, Inc., the leading provider of managed endpoint security services, based in New York, NY. Mr. Lee helps with the deployment and ongoing support of both the AlertBoot disk encryption managed service and the CellularManager cellular pos service for Data Guard's customers. Prior to working at Data Guard Systems, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.