Thursday, November 10, 2005

TransUnion notifies consumers of data loss

TransUnion notifies consumers of data loss
A burglar stole a desktop computer containing sensitive data

News Story by Jaikumar Vijayan

NOVEMBER 09, 2005 (COMPUTERWORLD) - TransUnion LLC, one of the three major credit reporting companies in the U.S., today confirmed that a desktop computer containing the Social Security numbers and other sensitive information belonging to more than 3,600 consumers was stolen from one of its facilities in October.

The theft prompted the company to notify them of the breach on Oct. 21 and offer free credit monitoring services for a year.

In a statement, TransUnion said that a “small” TransUnion sales office in California was burglarized in early October. “One of the items stolen during the incident was a password-protected desktop computer, which may have contained some personal [credit] information on approximately 3,600 consumers,” the company said.

TransUnion notified local law enforcement authorities of the break-in and has assembled its own team to investigate the incident.

Since then, the credit reporting agency has been monitoring the credit reports of the affected consumers. “At this point, we do not believe there is any indication of any fraudulent activity,” it said.

However, the implications of the reported breach could go beyond the customers whose data was stolen if information stored on the missing desktop enables access to databases holding information on other consumers, said Prat Moghe, CEO of Tizor Systems Inc., a Maynard, Mass.-based vendor of activity auditing tools.

TransUnion, along with Experian North America Inc. and Equifax Credit Information Services Inc., maintains credit histories on U.S. consumers that are used by lenders and other businesses for a variety of purposes.

The TransUnion breach is the latest in a series of high-profile data compromises this year involving companies such as ChoicePoint Inc., Bank of America Corp., DSW Inc., Reed Elsevier Inc.’s LexisNexis unit, Card Systems Inc. and several universities.

The rash of disclosures has raised consumer concerns about identity theft and prompted federal lawmakers to propose several new regulations.

Just last week, for instance. a subcommittee of the House Energy and Commerce Committee approved a bill that would require companies to notify consumers when their information is stolen. It would also require information brokers to tell the Federal Trade Commission about their plans for safeguarding private data for monitoring and periodic review.

If approved, the bill would override state laws such as California’s much-touted SB 1386 Database Breach Notification Act and would serve as a national breach notification law. The proposed measure, however, requires companies to inform consumers of data breaches only if there is a “significant risk” of fraud.

That clause could provide a big loophole for companies and possibly result in incidents such as the one involving TransUnion to go unreported in the future, warned Alan Paller, director of the SANS Institute, a security research and training firm in Bethesda, Md.

“I believe that 98% of the time companies are not going to disclose breaches” if the law goes into effect, Paller said. “Only 2% are going to be good citizens and report breaches” even if there is nothing to suggest imminent fraud, he added.