Breaches in SEC Reports
Gregory Fleischer saw my Shmoo talk, and was kind enough to tell me when he found breaches in SEC reports:
At your Shmoocon talk you mentioned that you had difficulty finding SEC filings related to security breaches. I was doing some research and came across several SEC filings that discuss security breaches.
Generally, these items are going to appear in either a 10-Q or 10-K. Typically, this will be some boilerplate warning in the risk factors section such as:
A material security breach of our information systems or data could harm our reputation, cause a decrease in the number of customers, and adversely affect our financial condition or results of operations.
- Acxiom: http://sec.edgar-online.com/2003/08/11/0000733269-03-000011/Section6.asp
- BJ’s Wholesale: http://sec.edgar-online.com/2004/08/17/0001193125-04-142267/Section8.asp
- JetBlue: http://sec.edgar-online.com/2004/02/11/0001047469-04-004064/Section4.asp (Covers the voluntary hand-over of their customer data to a DHS contractor, as discussed in “Secondary Screening: JetBlue FOIAs” and “Testing Airline Customers.” I’d argue that voluntary handovers do not a breach make.)
- Polo Ralph Lauren: http://sec.edgar-online.com/2005/11/10/0000950123-05-013479/Section12.asp
- TJX: http://sec.edgar-online.com/2007/03/28/0000950135-07-001906/Section5.asp
He’s found that this Google search against the edgar-online site works well: ("disclosure of personal information"|"security breach") ("10-K"|"10K"|"10-Q"|"10Q") site:edgar-online.com
I haven’t had time to read all of these, but being a fan of evidence, I wanted to share data points as I learned them.
[Update: Links to sec.edgar-online.com no longer work]
I came across your website when looking for speakers who can talk about social engineering to a college campus in Washington state. Any ideas, suggestions or help would be appreciated!
JJ