USA. Bethpage Federal Credit Union (BFCU) has informed 86,000 of its customers that their credit card information has been compromised.
The management of the credit union stated that the incident was caused by employee error. The BFCU staff member posted a file containing customer data on the Internet using a 'secure' protocol. However, a month later, another employee at BFCU reported that Google had indexed the 'unprotected' lists, and that they had been publicly available throughout that time. As a result of the incident, data belonging to 86,000 customers who hold VISA cards with the BFCU was compromised.
BFCU's management assured those affected that CVV codes, personal identification numbers, and social security numbers were not contained within the open file, and promised to replace the cards of all victims of the leak as quickly as possible. So far, around 20,000 new cards have been issued to customers, all those affected have received notification by post, and have been offered a year's worth of free monitoring of their credit history.
Commenting on the situation, InfoWatch's chief analyst, Nikolai Fedotov, said: «It is impossible to be confident in a part of an IT system solely on the basis that it is part of 'our own equipment.' Modern IT has so interwoven and muddled traditional notions of ownership and management that terms like 'my', 'our' and 'foreign' have lost their clarity, becoming blurred in cloud and fog. You cannot guarantee that Google did not visit 'your' computer yesterday and index it for the whole Internet.
To protect yourself from leaks, it is a good idea to use the white list principle.
Confidential information should only be handled in areas where it is expressly permitted to do so, according to clearly documented procedures. Any deviation from this will lead to a leak».