Two Massachusetts newspapers owned by The New York Times Company (the Boston Globe and Worcester Telegram & Gazette) have admitted that they sent out routing slips, attached to NINE THOUSAND bundles of newspapers, that contained ONE QUARTER OF A MILLION customer/subscriber names and credit card numbers.
According to Money Magazine, no reports of abuse have been received (aside from subscribers banging their heads into their coffee table as they put fraud alerts on their credit files). The information was accidentally released because the companies recycle used paper (they use both sides of every slip of paper - novel idea, bad implementation).
What failed here?
1) Inadequate information destruction / retention policy. There should be absolutely NO REASON for sensitive information like this to end up in a pile of paper to be recycled. Any paper containing potentially sensitive information should be shredded after use or placed into lockable 'destruction bins' that can be securely emptied and destroyed at a later date by authorized personnel.
2) Failure to test internal security controls. Who was watching the barn door at these two companies? Does their information security officer perform random inspections of these piles of recycled paper? Of their trash? Hell, do they even HAVE an information security officer? Now would be a good time to appoint a trained professional.
3) Failure to educate the work force. Employees should be periodically trained and reminded to look for such blunders, and given a special way to report such problems so that IMMEDIATE REMEDIATION can occur.
The Boston Globe and Worcester Telegram & Gazette now join a proud group of companies (like BofA, CardSystems, Guidance Software, etc.) that are shining examples of what can go wrong when your internal controls fail.