Disney data thief hit Johnson & Johnson, too

A document on file with the state of New Hampshire indicates that the employee of a Disney contractor caught in a federal sting selling the credit-card information of Disney Movie Club members also victimized customers of Johnson & Johnson.

How many others he targeted is anybody's guess ... and the fact we have to guess should be considered everybody's problem.

First to draw attention to the Johnson & Johnson involvement was a staffer from the security Web site attrition.org who writes under the name "d2d." From his post (which includes non-Disney-like language):

A (now former) employee of Alta Resources allegedly stole an undisclosed number of credit cards, and subsequently attempted to sell them to undercover law enforcement, per Paul McNamara's article. ... Apparently, Alta Resources also lost data for another client: Johnson & Johnson. We didn't find this in the press, however. We found it via the Granite State (Live free or die!). The state of New Hampshire posts their data loss notification letters online, and a letter dated July 9th, 2007 blames Alta Resources for a data loss incident, and mentions the same "employee fraud" situation as the Disney breach. Unless Alta Resources has had TWO employees defect with customer data, then this could be the same breach as the aforementioned Disney breach.

As "d2d" notes, the piecemeal nature of these reporting requirements makes it virtually impossible for anyone to ascertain the scope of a given data-breach incident, which in turn may allow companies to avoid the full public-relations hit that can come when a big number gets attached to these stories.

The Johnson & Johnson disclosure involves only a handful of customers, according to the document, but this is a single incident report to a single state agency, and, of course, the population of New Hampshire can be counted on your fingers and toes. In my interview July 7 with a Disney spokesman, I asked at least three times for some indication of the number of club members involved and got nowhere as he repeatedly claimed to be prevented from disclosing that information because the case was still under investigation. ... What hogwash.

More from "d2d":

This (Johnson & Johnson revelation) might indicate that Alta Resources had a much more significant breach than has been reported (or not reported, as it were). What other companies' clients lost data through Alta's possibly rogue employee? ... Since nobody is willing to disclose anything beyond what individual states require, we can't say for sure.

Federal data loss reporting legislation anyone?

Sounds like a heck of a good idea to me.


Copyright © 2007 IDG Communications, Inc.
