Shostack + Friends Blog Archive

 

Breaches in SEC Reports

Gregory Fleischer saw my Shmoo talk, and was kind enough to tell me when he found breaches in SEC reports:

At your Shmoocon talk you mentioned that you had difficulty finding SEC filings related to security breaches. I was doing some research and came across several SEC filings that discuss security breaches.

Generally, these items are going to appear in either a 10-Q or 10-K. Typically, this will be some boilerplate warning in the risk factors section such as:

A material security breach of our information systems or data could harm our reputation, cause a decrease in the number of customers, and adversely affect our financial condition or results of operations.

  • Acxiom: http://sec.edgar-online.com/2003/08/11/0000733269-03-000011/Section6.asp
  • BJ’s Wholesale: http://sec.edgar-online.com/2004/08/17/0001193125-04-142267/Section8.asp
  • JetBlue: http://sec.edgar-online.com/2004/02/11/0001047469-04-004064/Section4.asp (Covers the voluntary hand-over of their customer data to a DHS contractor, as discussed in “Secondary Screening: JetBlue FOIAs” and “Testing Airline Customers.” I’d argue that voluntary handovers do not a breach make.)
  • Polo Ralph Lauren: http://sec.edgar-online.com/2005/11/10/0000950123-05-013479/Section12.asp
  • TJX: http://sec.edgar-online.com/2007/03/28/0000950135-07-001906/Section5.asp

He’s found that this Google search against the edgar-online site works well: ("disclosure of personal information"|"security breach") ("10-K"|"10K"|"10-Q"|"10Q") site:edgar-online.com

I haven’t had time to read all of these, but being a fan of evidence, I wanted to share data points as I learned them.

[Update: Links to sec.edgar-online.com no longer work]

One comment on "Breaches in SEC Reports"

  • JJ says:

    I came across your website when looking for speakers who can talk about social engineering to a college campus in Washington state. Any ideas, suggestions or help would be appreciated!
    JJ
