Data Breach At Gunpoint: Kmart Armed Robber Gets Pharmacy Files
The initial police report did not reference the missing data disk, and Little Rock Police said no updated report had been filed. Such an updated report would have been filed had Sears contacted police to update the list of what had been stolen.
There is a strong chance that the thief didn’t know what was on the disk and might have thrown it out. But if he didn’t, the HIPAA-mandated alert would likely flag its value. That might prompt him to find an associate with identity-theft experience to see whether the data could be accessed and sold.
Then again, given that it’s only one day’s worth of backups, it’s not clear how many dollars that limited amount of information would likely fetch. That would have to be weighed against the risk of discovery that the identity thief wasn’t really an undercover detective looking to solve this armed robbery.
Of all the kinds of data that IT must protect, there’s a good argument that pharmacy information is the most sensitive. Credit card information is generally protected—as far as the shoppers are concerned—by zero liability, and debit card information theft losses, although light-years more damaging than credit card data, will eventually be reimbursed by most banks. Social Security numbers—which were also stolen here—are quite bad, because SS numbers are so difficult to change and because they are so widely used for identification, as Macy’s just reminded us.
Drug prescription information, though, strikes at the very heart of privacy fears. Beyond identity theft, it can be sold to marketers, divorce lawyers, databases accessed by potential employers and others. At the other extreme, it can reveal the home addresses where much-sought narcotics are housed, which creates a very frightening and potentially violent situation.
The Tribune story quoted Armstrong-Fowler as saying something curious. “Kmart officials said the chance of the perpetrators accessing customer private information is slim to none, because you would need to know what software package and have that software package to” translate the information, Armstrong-Fowler said, according to The Tribune. (Armstrong-Fowler declined to confirm the quote when we asked about it.)
Although it’s true that a specialized corporate backup system—such as the one that pharmacies such as Kmart’s would likely use—would be harder for most run-of-the-mill armed robbers to access than a consumer backup system, it would not likely be that difficult to extract much of the content. A hex dump utility could likely extract much of that content, which is why strong encryption (heck, in this case, any encryption would have been nice) is critical when dealing with sensitive data. A well-built safe is only protection until a hoodlum shows up with a poorly built gun. (The only way to stop a bad guy with a gun is a good guy with a 256-bit encryption key.)
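The point above, as an added example (not from the article and not based on Kmart's actual systems): a check a backup owner can run on a media image to see what a hex dump or `strings` pass would reveal. The record layout, names, SSN-like values and the SHA-256 keystream (a standard-library stand-in for a vetted cipher such as AES-256-GCM) are all constructed assumptions.

```python
import hashlib
import re
import struct

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # what a strings/hex-dump pass shows
SSN_LIKE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

def build_backup(records):
    """Constructed stand-in for a vendor format: magic header, then binary-framed records."""
    blob = b"PHBK\x00\x02"
    for rec_id, fields in enumerate(records, start=1):
        body = b"".join(struct.pack("<H", len(f)) + f for f in fields)
        blob += struct.pack("<IH", rec_id, len(body)) + body
    return blob

def keystream_xor(key, nonce, data):
    """SHA-256 counter-mode keystream XOR: demo stand-in only, use a vetted AEAD in practice."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def printable_runs(blob):
    """Runs of 4+ printable ASCII bytes, readable without the vendor's software."""
    return PRINTABLE_RUN.findall(blob)

def ssn_like(blob):
    """Byte sequences shaped like NNN-NN-NNNN."""
    return SSN_LIKE.findall(blob)

# Constructed sample records (area number 000 is never issued as a real SSN).
RECORDS = [
    (b"DOE, JANE Q", b"000-12-3456", b"DRUG-A 10MG TAB"),
    (b"ROE, RICHARD", b"000-98-7654", b"DRUG-B 5MG CAP"),
]
PLAIN = build_backup(RECORDS)
KEY = hashlib.sha256(b"constructed demo key").digest()   # 256-bit demo key
ENCRYPTED = keystream_xor(KEY, b"nonce-01", PLAIN)

if __name__ == "__main__":
    print("unencrypted:", ssn_like(PLAIN), printable_runs(PLAIN))
    print("encrypted:  ", ssn_like(ENCRYPTED), printable_runs(ENCRYPTED))
```

The binary framing hides nothing: every field of the unencrypted image comes back verbatim, while the encrypted image yields no SSN-shaped data at all.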