An attempt to recycle documents at two newspapers belonging to the New York Times has ended in the private details of 240,000 subscribers being compromised. Routing slips on 9,000 batches of newspapers were found to have readers' credit card and bank account details on the reverse side.
An innocent attempt to recycle paper at The Boston Globe and Worcester Telegram & Gazette has ended in the compromise of over 240,000 credit card numbers and bank account details of the newspapers' subscribers.
Discarded reports containing the confidential information were recycled and used as routing slips on batches of newspapers sent out for distribution. 9,000 bundles of newspapers were sent out with the offending slips and the newspaper was only alerted to the compromise when an employee at a store that sells copies noticed what was on the reverse side of the slips. A further 1,000 unused slips were discovered after the incident came to light. They have since been destroyed. However, the company is not sure exactly how long the routing slips with confidential data had been in use.
An investigation at the company has revealed two ways in which the private data ended up on recycled routing slips. In one case, an employee started to print a report, stopped the printing before it was done and discarded the paper. In the second, a different employee began printing out a report, realized it was the wrong one, aborted that job and threw the report out. In both cases the paper was sent for recycling.
The company has already contacted the relevant banks and credit card companies. Letters of notification have already started being sent out to the victims, the majority of whom were subscribers of The Boston Globe. The management are also considering offering those affected the standard services available to minimize the risks of identity theft, but what exactly that will entail, and whether it will actually happen, is still unclear. A Gartner expert, who commented on the incident, pointed out that the firm should have an effective strategy in place to protect data and a classification system for greater control over data on backup tapes, portable storage devices and on paper.
"Of course, all data must first be classified. The right of employees to use the various categories of data can then be reflected in the IT security policy of the company. At the next stage the conditions of that policy are consolidated at a technical level. As a result, the company gains full control over the use of sensitive information, and excesses like the recycling of private data documents at The New York Times are ruled out completely," says Denis Zenkin, marketing director at InfoWatch.
Source: ComputerWorld