Saturday, July 18, 2009

Lanced by Elance

Last night Elance (a site I've used to hire website designers and builders) let me know that it had a recent data breach that compromised my contact info including:
  • Name
  • Business email
  • Business Telephone
  • City
  • and my Elance user ID

In short, Elance is trying to act like the eBay for posting and selling programming jobs. Can you imagine if this email came out from eBay?

Elance is a Company Acting Badly for not hiring one of its own reviewed professionals to evaluate and secure its own site. A simple search on their site, like the one here, shows almost 2,500 different professionals with website security backgrounds, some with 100% positive rankings on over $500,000 of work. One of these folks couldn't have been hired by Elance? Isn't it ironic that Elance could have used its own service? That's like folks at eBay not looking on their own listings for products that eBay could use at its own headquarters.

Elance posted a security alert here that gives more detail on what occurred. They've confirmed that the information that Elance didn't secure has shown up on other websites and that Elance users have received spam. Well, that's great. Now my business email is going to get spam due to Elance's muck up?

Unfortunately, Elance, like others who've not secured my personal information, does not:
  • say when the theft happened
  • confirm that someone at Elance will be held responsible for not safeguarding my info
Additionally, Elance focuses on resetting passwords and giving tips on picking passwords (like not to use the same one across sites). If Elance's passwords were encrypted, then this should not be an issue, so why are they focused on it? Why would they whack everyone's password and force re-registration here?

Scrawlbug had also been nailed by Elance and posted a good suggestion here that all of us who were affected should set up Google Alerts to watch for our Elance ID.

Elance joins the ranks of Companies Acting Badly for losing my work information and not having hired one of their own profiled security experts to test, find and fix any architecture holes.

Friday, July 10, 2009

Data Schwab'd Update

Thanks to the folks at databreaches.net I now know more about what happened (per my Chuck I've Been Schwab'd post) as databreaches posted a notice that Charles Schwab sent to the NH attorney general.

In short:
  • The theft occurred in early May - therefore it took Chuck some six weeks to notify me that I'd been Schwab'd
  • The employee who violated policy was terminated - that saves a severance payment
  • A suspect was arrested - gotta love the police
  • The drive with my data was not recovered - did they check Craigslist?
Charles Schwab remains a Company Acting Badly for taking some six weeks to notify customers that their personal information was stolen and for not providing impacted customers with the same level of detail on the theft as they provide to an attorney general.