No funnies in the Globe when customers’ credit card numbers are at stake

Feb 07, 2006, 4 mins
Data Center

* The Globe is awarded the first of this year's Stoopid IT Tricks

As an analyst I divide my time each week between a number of activities: getting briefed by vendors that have designed the latest and greatest something-or-other, talking with IT managers, working on client projects, doing general research, and so forth. And of course, I write these newsletters.

Beginning a few years ago, when time allowed, I also began tracking various bits of foolishness that were beginning to clutter up IT-related literature. And when I started mentioning them in this column, they became “Stoopid IT Tricks.” (See here and here for past Stoopid IT Tricks.) And so today we have the first of what are likely to be many columns this year on the various bits of foolishness perpetrated by IT on their companies and clients. This time, I didn’t have to look far from home.

On Feb. 1, subscribers of the Boston Globe and the Worcester (Mass.) Telegram and Gazette (both owned by the New York Times – the Globe and the Telegram and Gazette share data resources) awoke to the news that credit and bank card numbers of as many as 240,000 subscribers had been distributed, inadvertently, to subscribers on Jan. 29. It seems the Worcester paper had wrapped bundles of their Sunday edition in printouts of – well, you can guess what info was there on those printouts.

And so, that Sunday morning as I sat down to coffee, Doonesbury and a bagel, hundreds of thousands of other people in New England sat down to coffee, Doonesbury, a bagel and a printout of credit card information on Mike Karp and a quarter million of his closest friends.

Like so much in life, this might be described as a good news-bad news situation, although I’m hard-pressed to understand how this qualifies as a “good news” situation for me. Here’s the good news: The Globe acted quickly once it realized its error, alerting the public and credit companies involved, giving the story page one coverage on Wednesday, and setting up a hotline for its subscribers. This is a marked contrast to what happened last year with other such examples of data security lapses at other firms, where appropriate notifications invariably lagged the events by months (see my many columns on this topic in the archives).

Here’s the bad news: thanks to its poor understanding of the issue of data security, a Globe spokesman on Friday stated: “We are doing everything we possibly can.”

Are they really? Not likely, as the Globe is only doing those things it can think of at the moment. Fixing individual problems is a good thing, of course. Adopting data security policies that pre-empt such problems is quite a bit better.

If your responsibilities include data storage, remember that no matter what things may have been like in the past, these days you are likely to be held responsible not only for data availability, but for data security as well. This means data that is out of sight cannot be out of mind.

I discuss this topic frequently with my colleague Scott, who heads up the security practice at Enterprise Management Associates (and contributes to Network World’s Network/Systems Management newsletter), and we often shake our heads at some of the simplest (and often cost-free) precautions that managers fail to take.

Don’t just assume that off-site data, including data that lies at the end of a virtualized stub, is not still within your keeping. Come up with policies to guard the tapes, and the printouts too. The Boston Globe now, after the fact, is only printing the last four digits of customers’ credit cards. Do you even go that far? This might be a good time for you to talk with some of your associates.

One afterthought: If you are aware of anything that might qualify for a mention as a Stoopid IT Trick, let me know. Anonymity will be ensured, the innocent will be protected, and you can always count on the guilty being pilloried – but only in the nicest possible way.