From lyger at attrition.org Thu Jun 1 20:51:28 2006
From: lyger at attrition.org (lyger)
Date: Thu, 1 Jun 2006 20:51:28 -0400 (EDT)
Subject: [Dataloss] Ernst & Young Laptop Loss Exposes 243,000 Hotels.com Customers
Message-ID:

http://www.theregister.co.uk/2006/06/01/ey_hotels_laptop/

Ernst & Young's laptop loss unit continues to be one of the company's more productive divisions. We learn this week that the accounting firm lost a system containing data on 243,000 Hotels.com customers. Hotels.com joins the likes of Sun Microsystems, IBM, Cisco, BP and Nokia, which have all had their employees' data exposed by Ernst & Young, as revealed here in a series of exclusive stories.

The Register can again exclusively confirm the loss of the Hotels.com customer information after having received a copy of a letter mailed out jointly by the web site and Ernst & Young. A Hotels.com spokesman also confirmed the data breach, saying Ernst & Young notified the company of the laptop loss on May 3. The laptop in question was stolen from an Ernst & Young worker's car in Texas and did have some basic data protection mechanisms.

"Recently, Hotels.com was informed by its outside auditor, Ernst & Young, that one of Ernst & Young's employees had his laptop computer stolen," Hotels.com told its customers in the letter.

[...]

From lyger at attrition.org Fri Jun 2 07:07:51 2006
From: lyger at attrition.org (lyger)
Date: Fri, 2 Jun 2006 07:07:51 -0400 (EDT)
Subject: [Dataloss] Miami U. reports 2nd security breach
Message-ID:

Courtesy InfoSec News and WK:

http://www.cleveland.com/news/plaindealer/index.ssf?/base/news/1149150686240780.xml&coll=2

An employee at a Miami University branch campus lost a hand-held personal computer containing private information on 851 students, but school officials said they don't believe that the data has been used unlawfully.

The recent case involves a potential breach of privacy that the school takes very seriously, said Kelly Cowan, interim dean at the Middletown campus. Students affected were enrolled between July 2001 and May 2006, representing about 8 percent of the students on campus during that five-year period.

[...]

From lyger at attrition.org Sat Jun 3 13:19:23 2006
From: lyger at attrition.org (lyger)
Date: Sat, 3 Jun 2006 13:19:23 -0400 (EDT)
Subject: [Dataloss] Personal Info of Supermarket Chains' Former Workers Lost
Message-ID:

http://www.usatoday.com/money/industries/technology/2006-06-02-lost-grocery-data_x.htm

A laptop computer containing the pension data of former employees of supermarket chains Stop & Shop, Giant and Tops, including their Social Security numbers, was lost during a commercial flight, according to the supermarkets' parent company.

The U.S. subsidiary of Dutch parent company Royal Ahold and a contractor whose employee lost the computer early last month declined to say how many former supermarket employees were affected. The former employees were notified by letter last week.

The letter said the missing information is used to determine benefit eligibility. It included names, Social Security numbers, birth dates, benefit amounts and related administrative information, the letter said.

A spokesman for Ahold USA said Friday that there were no indications that any of the missing data had been misused, although the case remained under investigation.

[...]

From lyger at attrition.org Sat Jun 3 13:31:49 2006
From: lyger at attrition.org (lyger)
Date: Sat, 3 Jun 2006 13:31:49 -0400 (EDT)
Subject: [Dataloss] Supposedly Destroyed Hard Drive Purchased In Chicago
Message-ID:

(smaller scale breach, but still made news...)

http://news.yahoo.com/s/wlwt/20060601/lo_wlwt/9303216

A year ago, Henry and Roma Gerbus took their computer to Best Buy in Springfield Township to have its hard drive replaced.
Henry Gerbus said Best Buy assured him the computer's old hard drive -- loaded with personal information -- would be destroyed.

"They said rest assured. They drill holes in it so it's useless," said Gerbus.

A few months ago, Gerbus got a phone call from a man in Chicago. "He said, 'My name is Ed. I just bought your hard drive for $25 at a flea market in Chicago,'" said Gerbus.

[...]

From jmiller at securespace.org Sat Jun 3 14:39:55 2006
From: jmiller at securespace.org (Jon Miller)
Date: Sat, 3 Jun 2006 14:39:55 -0400
Subject: [Dataloss] Supposedly Destroyed Hard Drive Purchased In Chicago
In-Reply-To:
References:
Message-ID:

The failure of Best Buy to do what they said notwithstanding, and with all due respect to the Gerbus', why didn't they simply ask for the old drive to be returned?

The problem is not technology, but the use of it...

On 6/3/06, lyger wrote:
>
> (smaller scale breach, but still made news...)
>
> http://news.yahoo.com/s/wlwt/20060601/lo_wlwt/9303216
>
> A year ago, Henry and Roma Gerbus took their computer to Best Buy in
> Springfield Township to have its hard drive replaced. Henry Gerbus said Best
> Buy assured him the computer's old hard drive -- loaded with personal
> information -- would be destroyed.
>
> "They said rest assured. They drill holes in it so it's useless," said Gerbus.
>
> A few months ago, Gerbus got a phone call from a man in Chicago. "He said, 'My
> name is Ed. I just bought your hard drive for $25 at a flea market in
> Chicago,'" said Gerbus.
>
> [...]

From rforno at infowarrior.org Sat Jun 3 22:51:37 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 03 Jun 2006 22:51:37 -0400
Subject: [Dataloss] Vast DNA Bank Pits Policing Vs. Privacy
Message-ID:

Not exactly "data loss" per se, but perhaps a relevant item for the list......rf

Vast DNA Bank Pits Policing Vs. Privacy
Data Stored on 3 Million Americans

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/02/AR2006060201648_pf.html

By Rick Weiss
Washington Post Staff Writer
Saturday, June 3, 2006; A01

Brimming with the genetic patterns of more than 3 million Americans, the nation's databank of DNA "fingerprints" is growing by more than 80,000 people every month, giving police an unprecedented crime-fighting tool but prompting warnings that the expansion threatens constitutional privacy protections.

With little public debate, state and federal rules for cataloging DNA have broadened in recent years to include not only violent felons, as was originally the case, but also perpetrators of minor crimes and even people who have been arrested but not convicted.

Now some in law enforcement are calling for a national registry of every American's DNA profile, against which police could instantly compare crime-scene specimens. Advocates say the system would dissuade many would-be criminals and help capture the rest.

"This is the single best way to catch bad guys and keep them off the street," said Chris Asplen, a lawyer with the Washington firm Smith Alling Lane and former executive director of the National Commission on the Future of DNA Evidence. "When it's applied to everybody, it is fair, and frankly you wouldn't even know it was going on."

But opponents say that the growing use of DNA scans is making suspects out of many law-abiding Americans and turning the "innocent until proven guilty" maxim on its head.

"These databases are starting to look more like a surveillance tool than a tool for criminal investigation," said Tania Simoncelli of the American Civil Liberties Union in New York.

The debate is part of a larger, post-Sept. 11 tug of war between public safety and personal privacy that has intensified amid recent revelations that the government has been collecting information on personal phone calls.

In particular, it is about the limits of the Fourth Amendment, which protects people from being swept into criminal investigations unless there is good reason to suspect they have broken the law. Once someone's DNA code is in the federal database, critics say, that person is effectively treated as a suspect every time a match with a crime-scene specimen is sought -- even though there is no reason to believe that the person committed the crime.

At issue is not only how many people's DNA is on file but also how the material is being used. In recent years, for example, crime fighters have initiated "DNA dragnets" in which hundreds or even thousands of people were asked to submit blood or tissue samples to help prove their innocence.

Also stirring unease is the growing use of "familial searches," in which police find crime-scene DNA that is similar to the DNA of a known criminal and then pursue that criminal's family members, reasoning that only a relative could have such a similar pattern. Critics say that makes suspects out of people just for being related to a convict.

Such concerns are amplified by fears that, in time, authorities will try to obtain information from stored DNA beyond the unique personal identifiers.

"Genetic material is a very powerful identifier, but it also happens to carry a heck of a lot of information about you," said Jim Harper, director of information policy at the Cato Institute, a libertarian think tank in Washington concerned about DNA database trends.

Law enforcement officials say they have no interest in reading people's genetic secrets. The U.S. profiling system focuses on just 13 small regions of the DNA molecule -- regions that do not code for any known biological or behavioral traits but vary enough to give everyone who is not an identical twin a unique 52-digit number.

"It's like a Social Security number, but not assigned by the government," said Michael Smith, a University of Wisconsin law professor who favors a national database of every American's genetic ID with certain restrictions.

Still, the blood, semen or cheek-swab specimen that yields that DNA, and which authorities almost always save, contains additional genetic information that is sensitive, including disease susceptibilities that could affect employment and health insurance prospects and, in some cases, surprises about who a child's father is.

"We don't know all the potential uses of DNA, but once the state has your sample and there are not limits on how it can be used, then the potential civil liberty violations are as vast as the uses themselves," said Carol Rose, executive director of the ACLU of Massachusetts.

She and others want samples destroyed once the identifying profile has been extracted, but the FBI favors preserving them.

Sometimes authorities need access to those samples to make sure an old analysis was done correctly, said Thomas Callaghan, who oversees the FBI database. The agency also wants to be able to use new DNA identification methods on older samples as the science improves. Without that option, Callaghan said, "you'd be freezing the database to today's technology."

Crime-Fighting Uses

Over the past dozen years, the FBI-managed national database has made more than 30,000 "cold hits," or exact matches to a known person's DNA, showing its crime-fighting potential.

In a recent case, a Canadian woman flew home the day after she was sexually assaulted in Mexico. Canadian authorities performed a semen DNA profile and, after finding no domestic matches, consulted the FBI database. The pattern matched that of a California man on probation, who was promptly found in the Mexican town where the woman had been staying and was charged by local authorities.

Congress authorized the FBI database precisely for cases like that, on the rationale that sexual predators and other violent felons tend to be repeat offenders and are likely to leave DNA behind.

In recent years, however, Congress and state legislators have vastly extended the system's reach. At least 38 states now have laws to collect DNA from people found guilty of misdemeanors, in some cases for such crimes as shoplifting and fortunetelling. At least 28 now collect from juvenile offenders, too, according to information presented last month at a Boston symposium on DNA and civil liberties, organized by the American Society of Law, Medicine and Ethics.

The federal government and five states, including Virginia, go further, allowing DNA scans of people arrested. At least four other states plan to do so this year, and California will start in 2009.

Opponents of the growing inclusion of people arrested note that a large proportion of charges (fully half for felony assaults) are eventually dismissed. Blood specimens are not destroyed automatically when charges are dropped, they note, and the procedures for getting them expunged are not simple.

Even more controversial are DNA dragnets, which snare many people for whom there is no evidence of guilt. Given questions about whether such sweeps can be truly voluntary -- "You know that whoever doesn't participate is going to become a 'person of interest,' " said Rose of the ACLU -- some think they violate the Fourth Amendment.

Civil liberties issues aside, the sweeps rarely pay off, according to a September 2004 study by Samuel Walker, a criminology professor at the University of Nebraska. Of the 18 U.S. DNA dragnets he documented since 1990, including one in which police tested 2,300 people, only one identified the offender. And that one was limited to 25 men known to have had access to the victim, who was attacked while incapacitated in a nursing home.

Dragnets, Walker concluded, "are highly unproductive" and "possibly unconstitutional."

Familial searches of the blood relatives of known offenders raise similar issues. The method can work: In a recent British case, police retrieved DNA from a brick that was thrown from an overpass and smashed through a windshield, killing the driver. A near-match of that DNA with someone in Britain's criminal database led police to investigate that offender's relatives, one of whom confessed when confronted with the evidence.

Not investigating such leads "would be like getting a partial license plate number on a getaway car and saying, 'Well, you didn't get the whole plate so we're not going to investigate the crime,' " said Frederick Bieber, a Harvard geneticist who studies familial profiling.

But such profiling stands to exacerbate already serious racial inequities in the U.S. criminal justice system, said Troy Duster, a sociologist at New York University. "Incarceration rates are eight times higher for blacks than they are for whites," he said, so any technique that focuses on relatives of people in the FBI database will just expand that trend.

A Universal Database?

That's a concern that many in law enforcement raise, too -- as an argument in favor of creating a universal DNA database of all Americans. The system would make everyone a suspect of sorts in every crime, they acknowledge. But every criminal, regardless of race, would be equally likely to get caught.

Opponents cite a litany of potential problems, including the billions it would cost to profile so many people and the lack of lab capacity to handle the specimens. Backlogs are already severe, they note. The National Institute of Justice estimated in 2003 that more than 350,000 DNA samples from rape and homicide cases were waiting to be processed nationwide. As of the end of last year, more than 250,000 samples were backlogged in California alone. And delays can matter.

In 2004, police in Indiana arrested a man after his DNA matched samples from dozens of rapes -- the last 13 of which were committed during the two years it took for the sample to get through the backlog.

A big increase in tests would also generate more mistakes, said William C. Thompson, a professor of criminology, law and society at the University of California at Irvine, whose studies have found DNA lab accuracy to be "very uneven."

In one of many errors documented by Thompson, a years-old crime-scene specimen was found to match the DNA from a juvenile offender, leading police to suspect the teenager until they realized he was a baby at the time of the crime. The teenager's blood, it turned out, had been processed in the lab the same day as an older specimen was being analyzed, and one contaminated the other.

"A universal database will bring us more wrongful arrests and possibly more wrongful convictions," said Simoncelli of the ACLU.

But Asplen of Smith Alling Lane said Congress has been helping states streamline and improve their DNA processing. And he does not think a national database would violate the Constitution.

"We already take blood from every newborn to perform government-mandated tests . . . so the right to take a sample has already been decided," Asplen said. "And we have a precedent for the government to maintain an identifying number of a person."

While the debate goes on, some in Congress are working to expand the database a bit more. In March, the House passed the Children's Safety and Violent Crime Reduction Act. Under the broad-ranging bill, DNA profiles provided voluntarily, for example, in a dragnet, would for the first time become a permanent part of the national database. People arrested would lose the right to expunge their samples if they were exonerated or charges were dropped. And the government could take DNA from citizens not arrested but simply detained.
The bill must be reconciled with a Senate version, which contains none of those provisions.

© 2006 The Washington Post Company

From cwalsh at cwalsh.org Mon Jun 5 00:10:06 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sun, 4 Jun 2006 23:10:06 -0500
Subject: [Dataloss] 19,420 HIPAA complaints, no fines: Washington Post
Message-ID: <1F780ACC-5ED0-4FE4-BCDF-1A4827EF5AFD@cwalsh.org>

"Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's worked out pretty well," said Winston Wilkinson, who heads the Department of Health and Human Services Office of Civil Rights, which is in charge of enforcing the law.

While praised by hospitals, insurance plans and doctors, the approach has drawn strong criticism from privacy advocates and some health industry analysts.

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672.html

From rforno at infowarrior.org Sun Jun 4 23:09:20 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 04 Jun 2006 23:09:20 -0400
Subject: [Dataloss] Medical Privacy Law Nets No Fines
Message-ID:

Medical Privacy Law Nets No Fines
Lax Enforcement Puts Patients' Files At Risk, Critics Say

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672_pf.html

By Rob Stein
Washington Post Staff Writer
Monday, June 5, 2006; A01

In the three years since Americans gained federal protection for their private medical information, the Bush administration has received thousands of complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

Of the 19,420 grievances lodged so far, the most common allegations have been that personal medical details were wrongly revealed, information was poorly protected, more details were disclosed than necessary, proper authorization was not obtained or patients were frustrated getting their own records.
The government has "closed" more than 73 percent of the cases -- more than 14,000 -- either ruling that there was no violation, or allowing health plans, hospitals, doctors' offices or other entities simply to promise to fix whatever they had done wrong, escaping any penalty.

"Our first approach to dealing with any complaint is to work for voluntary compliance. So far it's worked out pretty well," said Winston Wilkinson, who heads the Department of Health and Human Services Office of Civil Rights, which is in charge of enforcing the law.

While praised by hospitals, insurance plans and doctors, the approach has drawn strong criticism from privacy advocates and some health industry analysts. They say the administration's decision not to enforce the law more aggressively has failed to safeguard sensitive medical records and made providers and insurers complacent about complying.

"The law was put in place to give people some confidence that when they talk to their doctor or file a claim with their insurance company, that information isn't going to be used against them," said Janlori Goldman, a health-care privacy expert at Columbia University. "They have done almost nothing to enforce the law or make sure people are taking it seriously. I think we're dangerously close to having a law that is essentially meaningless."

The debate has intensified amid a government push to computerize medical records to improve the efficiency and quality of health care. Privacy advocates say large centralized electronic databases will be especially vulnerable to invasions, making it even more crucial that existing safeguards be enforced.

The highly touted Health Insurance Portability and Accountability Act -- known as HIPAA -- guaranteed for the first time beginning in 2003 that medical information be protected by a uniform national standard instead of a hodgepodge of state laws.

The law gave the job of enforcement to HHS, including the authority to impose fines of $100 for each civil violation, up to a maximum of $25,000. HHS can also refer possible criminal violations to the Justice Department, which could seek penalties of up to $250,000 in fines and 10 years in jail.

Wilkinson would not discuss any specific complaints but said his office has "been able to work out the problems . . . by going in and doing technical assistance and education to resolve the situation. We try to exhaust that before making a finding of a technical violation and moving to the enforcement stage. We've been able to do that."

About 5,000 cases remain open, and some could result in fines, Wilkinson said. "There might be a need to use a penalty. We don't know that at this stage."

His office has referred at least 309 possible criminal violations to the Justice Department. Officials there would not comment on the status of those cases other than to say they would have been sent to offices of U.S. attorneys or the FBI for investigation.

Two cases have resulted in criminal charges: A Seattle man was sentenced to 16 months in prison in 2004 for stealing credit card information from a cancer patient, and a Texas woman was convicted in March of selling an FBI agent's medical records.

Representatives of hospitals, insurance companies, health plans and doctors praised the administration's emphasis on voluntary compliance, saying it is the right tack, especially because the rules are complicated and relatively new.

"It has been an opportunity for hospitals to understand better what their requirements are and what they need to do to come into compliance," said Lawrence Hughes of the American Hospital Association.

"We're more used to the government coming down with a heavy hand where it's unnecessary," said Larry S. Fields, president of the American Academy of Family Physicians. "I applaud HHS for taking this route."

But privacy advocates say the lack of civil fines has sent a clear message that health organizations have little to fear if they violate HIPAA.

"It's not being enforced very vigorously," said William R. Braithwaite of the eHealth Initiative and Foundation, an independent, nonprofit research and advocacy organization based in Washington. "No one is afraid of being fined or getting bad publicity. . . . As long as they respond, they essentially get amnesty."

The approach has made health-care organizations complacent about protecting records, several health-care consultants said. A recent survey by the American Health Information Management Association found that hospitals and other providers are still not fully complying, and that the level of compliance is falling.

"They are saying, 'HHS really isn't doing anything, so why should I worry?' " said Chris Apgar of Apgar & Associates in Portland, Ore., a health-care industry consultant.

Goldman and others also questioned why the government is not conducting more independent audits of compliance in addition to investigating complaints.

"It's like when you're driving a car," said consultant Gary Christoph of Teradata Government Systems of Dayton, Ohio. "If you are speeding down the highway and no one is watching, you're much more likely to speed. The problem with voluntary compliance is, it doesn't seem to be motivating people to comply."

Wilkinson's office has conducted just a "handful" of compliance reviews, an HHS spokesman said, and completed only one -- a case involving a radiology center that was dumping old files of patients into an unsecured trash bin. The center agreed to hire a company to dispose of records and no fine was levied, the spokesman said.

Wilkinson said the size of his staff limits their ability to do much more than respond to complaints. "We've had challenges with our resources investigating complaints," he acknowledged, saying they are complaint-driven.
Wilkinson added, "We've been successful with voluntary compliance so there's has not been a need to go out and look." But other government regulators take a different approach, privacy advocates say. "The Securities and Exchange Commission, the Federal Trade Commission -- they find significant and high-profile cases and send a message to industry about what is permitted and what isn't," said Peter Swire, an Ohio State University law professor who helped write the HIPAA regulations during the Clinton administration. Goldman and other privacy advocates point to numerous reports of health information being made public without patients' consent, such as the recent theft of millions of veterans records that included some medical information, a California health plan that left personal information about patients posted on a public Web site for years, and a Florida hospice that sold software containing personal patient information to other hospices. In the meantime, Goldman said, surveys continue to show that for fear that their medical information will be used against them, people avoid seeking treatment when they are sick, pay for care out of pocket, or withhold important details about their health from their doctors. "The law came about because there was a real problem with people having their privacy violated -- they lost jobs, they were embarrassed, they were stigmatized. People are afraid. The law was put in place so people wouldn't have to choose between their privacy and getting a job or going to the doctor," said Goldman, who also heads the Health Privacy Project, a Washington-based advocacy group. "That's still a huge problem." ? 
2006 The Washington Post Company From lyger at attrition.org Mon Jun 5 16:16:56 2006 From: lyger at attrition.org (lyger) Date: Mon, 5 Jun 2006 16:16:56 -0400 (EDT) Subject: [Dataloss] University of Kentucky: personal data was accessible online Message-ID: http://www.kentucky.com/mld/heraldleader/14717374.htm By Art Jester HERALD-LEADER STAFF WRITER The University of Kentucky is notifying about 1,300 current and former employees that some of their personal information, including Social Security numbers, was created in March 2005 and inadvertently became accessible to the public May 8, 2006 creating the potential for identity theft. The UK General Counsel's Office sent out a memo Wednesday to the affected people, referring to the matter as a "sensitive issue" involving the "compromise of data." However, UK spokesman Jay Blanton said today that: "We don't know that the information of anyone has been compromised." Blanton said the information had been "inadvertently" available to the public since last month and the site had received 41 hits. [...] From lyger at attrition.org Mon Jun 5 16:19:37 2006 From: lyger at attrition.org (lyger) Date: Mon, 5 Jun 2006 16:19:37 -0400 (EDT) Subject: [Dataloss] YMCA laptop with 65,000 members' information stolen Message-ID: http://www.projo.com/digitalbulletin/content/projo-20060601-ymca.4420eea2.html By Steve Peoples and Paul Edward Parker projo.com and Journal staff writers Thursday, June 1, 2006 PROVIDENCE -- YMCA officials announced today that a laptop computer was stolen last week containing personal information for more than 65,000 members in Rhode Island, including members of the YMCA of Greater Providence and branches in Woonsocket, Smithfield and Pawtucket. The information includes names and addresses and, for some members, credit card numbers, checking account numbers, bank routing numbers, and, "for a very small minority," Social Security numbers, the Y said in a statement released this afternoon. 
The information on the laptop, which was one of two stolen from the YMCA's administrative offices on Richmond Street, also includes child care information such as the names and addresses of children in the company's child care program, as well as personal medical information for the children such as allergies and medications. The thefts were discovered Wednesday, May 24, according to YMCA spokeswoman Michelle A. Riendeau, noting that the company waited to announce the problem to determine exactly what information was on the computers. [...] From lyger at attrition.org Mon Jun 5 16:21:39 2006 From: lyger at attrition.org (lyger) Date: Mon, 5 Jun 2006 16:21:39 -0400 (EDT) Subject: [Dataloss] Computers stolen with data on 72, 000 Medicaid recipients Message-ID: http://story.cincinnatisun.com/p.x/ct/9/id/0739850fae5ac103/cid/d3350bca3cdaf0d1/ Last Updated: 5:20 am | Saturday, June 3, 2006 COLUMBUS, Ohio - Laptop computers with personal information on 72,000 Ohio Medicaid recipients were stolen from a private managed care agency, the state said Friday. Officials with Buckeye Community Health Plan notified authorities Thursday that four computers were stolen from their Columbus office. Two contained demographic information - including names, addresses and Social Security numbers - for all of the agency's 72,000 subscribers in Lucas, Summit and Stark counties, as well as medical information on 13,000 consumers in Stark County. Buckeye Community Health Plan contracts with the Ohio Department of Job and Family Services as a Medicaid service provider. Medicaid is a federal-state program that helps pay for health care for the needy, aged, blind and disabled, and for low-income families with children. [...] From lyger at attrition.org Mon Jun 5 16:47:44 2006 From: lyger at attrition.org (lyger) Date: Mon, 5 Jun 2006 16:47:44 -0400 (EDT) Subject: [Dataloss] IDs of Active-Duty Military Personnel on Stolen VA Laptop Message-ID: (The saga continues. 
As mentioned in the story, this goes beyond the initial VA report.) http://www.heraldtribune.com/apps/pbcs.dll/article?AID=/20060604/BREAKING/60604004 June 04. 2006 1:38PM By Hope Yen, Associated Press Personal data on up to 50,000 active Navy and National Guard personnel were among those stolen from a Veterans Affairs employee last month, the government said Saturday in a disclosure that goes beyond what VA initially reported. VA Secretary Jim Nicholson said in a statement that his agency discovered after an internal investigation that the names, Social Security numbers and dates of birth of up to 20,000 National Guard and Reserve personnel who were on at least their second active-duty call-up were "potentially included." In addition, the same information on up to 30,000 active-duty Navy personnel who completed their first enlistment term prior to 1991 also were believed to stored on the computer laptop and disks stolen from a VA data analyst at his Aspen Hill, Md., home on May 3. The VA has previously said the stolen data involved up to 26.5 million veterans discharged since 1975, as well as some of their spouses; veterans discharged before 1975 also were deemed at risk if they submitted claims to the agency. [...] From lyger at attrition.org Mon Jun 5 19:14:56 2006 From: lyger at attrition.org (lyger) Date: Mon, 5 Jun 2006 19:14:56 -0400 (EDT) Subject: [Dataloss] IRS Laptop Containing Employee Fingerprint Images Lost Message-ID: http://www.msnbc.msn.com/id/13152636/ By Bob Sullivan Technology correspondent, MSNBC A laptop computer containing fingerprints of Internal Revenue Service employees is missing, MSNBC.com has learned. The computer was lost during transit on an airline flight in the western United States, IRS spokesman Terry Lemon said. No taxpayer information was on the lost laptop, Lemon said. 
In all, the IRS believes the computer contained information on 291 employees and job applicants, including fingerprints, names, Social Security numbers, and dates of birth. The fingerprints had been collected as part of a normal background screening process. Some job applicants' information was also on the computer.

[...]

From blitz at strikenet.kicks-ass.net Wed Jun 7 00:16:25 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Wed, 07 Jun 2006 00:16:25 -0400
Subject: [Dataloss] Data on 2.2M Active Troops Stolen From VA
Message-ID: <7.0.1.0.2.20060607001232.03756b68@macronet.net>

Fresh update on VA losses, higher number of active troops, (up to 80%) included.

http://apnews.myway.com/article/20060607/D8I32RVO1.html

WASHINGTON (AP) - Personal data on about 2.2 million active-duty military, Guard and Reserve personnel - not just 50,000 as initially believed - were among those stolen from a Veterans Affairs employee last month, the government said Tuesday.

Also, Veterans groups sue:

http://www.breitbart.com/news/2006/06/06/D8I2PC1O1.html

"VA arrogantly compounded its disregard for veterans' privacy rights by recklessly failing to make even the most rudimentary effort to safeguard this trove of the personally identifiable information from unauthorized disclosure," the complaint states.

From cwalsh at cwalsh.org Wed Jun 7 09:48:26 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 7 Jun 2006 08:48:26 -0500
Subject: [Dataloss] Data on 2.2M Active Troops Stolen From VA
In-Reply-To: <7.0.1.0.2.20060607001232.03756b68@macronet.net>
References: <7.0.1.0.2.20060607001232.03756b68@macronet.net>
Message-ID: <20060607134825.GB10496@cwalsh.org>

Will they be notifying these people? I noticed that wasn't said.

Chris

On Wed, Jun 07, 2006 at 12:16:25AM -0400, blitz wrote:
> Fresh update on VA losses, higher number of active troops, (up to 80%) included.
>
> http://apnews.myway.com/article/20060607/D8I32RVO1.html
>
> WASHINGTON (AP) - Personal data on about 2.2 million active-duty military, Guard and Reserve personnel - not just 50,000 as initially believed - were among those stolen from a Veterans Affairs employee last month, the government said Tuesday.
>

From cwalsh at cwalsh.org Wed Jun 7 22:27:07 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 7 Jun 2006 21:27:07 -0500
Subject: [Dataloss] An oldie but goodie
Message-ID: <20060608022706.GB21515@cwalsh.org>

I am entering data for a db of breaches. So, I look at ChoicePoint's list of breaches from 2005. They list a U of Kansas breach involving 1400 foreign students from 1/6/2005.

Turns out this is either a BIG coincidence, or it was really from 2003:

http://badgerherald.com/news/2003/01/28/kansas_hacker_scopes.php
http://www.news.ku.edu/2003/03N/JanNews/Jan22/sevis.html

From jericho at attrition.org Thu Jun 8 12:38:04 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 8 Jun 2006 12:38:04 -0400 (EDT)
Subject: [Dataloss] Data on 2.2M Active Troops Stolen From VA
In-Reply-To: <7.0.1.0.2.20060607001232.03756b68@macronet.net>
References: <7.0.1.0.2.20060607001232.03756b68@macronet.net>
Message-ID:

: Fresh update on VA losses, higher number of active troops, (up to 80%)
: included.
:
: http://apnews.myway.com/article/20060607/D8I32RVO1.html
:
: WASHINGTON (AP) - Personal data on about 2.2 million active-duty
: military, Guard and Reserve personnel - not just 50,000 as initially
: believed - were among those stolen from a Veterans Affairs employee last
: month, the government said Tuesday.

http://www.fcw.com/article94816-06-07-06-Web

By Bob Brewin
June 7, 2006

The Defense Manpower Data Center (DMDC) worked during the past weekend to determine that a stolen Department of Veterans Affairs database, which contained sensitive personnel information on 26.5 million veterans, also contains information on as many as 1.1 million active-duty personnel, a DOD spokesman said.

--

So.. 26.5 million veterans, 1.1 million active? or is it 2.2 active? So many articles, so little concrete details..

From sbesser at gmail.com Thu Jun 8 14:03:43 2006
From: sbesser at gmail.com (Sharon Besser)
Date: Thu, 8 Jun 2006 11:03:43 -0700
Subject: [Dataloss] Hackers Gain Access To UTEP Social Security Numbers
Message-ID:

From http://www.kfoxtv.com/news/9332307/detail.html

"UTEP officials say 4,467 current and former students, as well as 252 current and former employees were affected. They will receive notice of the breach by mail this week. A university investigation is not yet over."

--
Sharon

From rforno at infowarrior.org Thu Jun 8 16:45:05 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 08 Jun 2006 16:45:05 -0400
Subject: [Dataloss] Comments on VA Data Loss Article
Message-ID:

http://news.com.com/2102-1028_3-6081705.html?tag=st.util.print

> WASHINGTON--The head of the U.S. Veterans Affairs Department told Congress on Thursday that the massive theft of personal data at his agency signals the need for more "teeth" in federal data security laws.

Actually, the bigger question at hand is to determine exactly how bad the US Government is when it comes to protecting data -- classified or not.

> Nicholson's appearance before politicians came as his agency deals with continued revelations over news that the personal data of as many as 26.5 million veterans and nearly 2 million active-duty military, National Guard, and Reserve personnel was stolen. That information resided on a government-owned laptop computer and hard drive pilfered from a VA analyst's home in a Maryland suburb of Washington, D.C. A 34-year employee of the agency, he had been toting the gear home for the past three years in violation of agency policy.

This analyst was breaking policy for THREE YEARS? Why didn't anyone do anything about it sooner? (See point later about accountability.)

> The theft didn't come to Nicholson's attention until 13 days after the data analyst reported the incident to superiors, the secretary said. The analyst was fired but has been protected by not being publicly named. Two of his bosses have since been fired, Nicholson said.

13 days is totally unacceptable. If a corporation can notify its CEO when something bad happens or a problem becomes known in their product line, there's absolutely no reason why it takes 13 days for similar "abysmal news" to make its way to the 'CEO' of a Cabinet Agency.

> With or without new legislative action, Walker urged all agencies to limit collection of and access to personal information, to curb the amount of time such records are retained and to consider using encryption and other technological controls, particularly when data is stored on mobile devices

Can anyone explain why the VA needed to possess a complete database on nearly 2 million active-duty military, National Guard, and Reserve personnel? If it needed access to certain data on active/reserve folks (which they probably do) couldn't the agency develop ways to query databases operated by DOD to avoid having another huge database that could, and in fact, did, get compromised?

> Rep. Tom Davis, the Virginia Republican who heads the committee, said the incident had prompted him to weigh changes to a law called the Federal Information Security Management Act of 2002, which outlines procedures federal agencies must undertake in order to protect their data and systems.
>
> That law requires agencies to notify law enforcement and internal inspectors general when a breach occurs, but it does not require notification of potential victims or the public. It must be updated to include penalties, incentives and "proactive notification requirements," Davis said, adding that he is "troubled as the number and

Again, a law that doesn't foist executive-level accountability for failure will never motivate folks and organizations to change. Let the executive heads roll, already -- set an example, please! This happened on Nicholson's watch....I wonder if he, his CIO, CSO, or other senior folks will be held accountable for this fiasco other than a Congressional hearing or two. My sense is no.

> To that end, the agency is reviewing its security practices and beefing up employee training. Nicholson has also ordered that every VA laptop undergo a review designed to ensure that all security and virus software is current, and he prohibited future use of personal laptops or computers for official business

Does this include raising the question about why 26 million records were able to be exported onto a laptop in the first place? How about implementing some thresholds on data export, number of database-queries-per-minute-or-user, and implementing other such REAL controls to help prevent this from happening again? Updating Symantec Antivirus is not a technical control that can fix this problem.

-rick
Infowarrior.org

From cwalsh at cwalsh.org Fri Jun 9 22:21:47 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 9 Jun 2006 21:21:47 -0500
Subject: [Dataloss] National Nuclear Security Agency hit early September, 2005. Notified victims this week.
Message-ID:

http://www.cbsnews.com/stories/2006/06/09/national/main1698356.shtml

1500 employees had names, DOB, SSN and security classification info revealed.

"The data theft occurred in a computer system at a service center belonging to the National Nuclear Security Administration in Albuquerque, N.M. The file contained information about contract workers throughout the agency's nuclear weapons complex, a department spokesman said.

NNSA Administrator Linton Brooks told a House hearing that he learned of the security break late last September, but did not inform Energy Secretary Samuel Bodman about it. The theft had occurred earlier in the month. Bodman first learned of the theft two days ago, according to his spokesman.

[...]

Brooks acknowledged that no attempt was made to notify the individuals until now. He declined to elaborate because of security concerns, but indicated he could tell the lawmakers more in the closed session."

From rforno at infowarrior.org Fri Jun 9 22:00:49 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 09 Jun 2006 22:00:49 -0400
Subject: [Dataloss] Data on nuclear agency workers hacked: lawmaker
Message-ID:

Data on nuclear agency workers hacked: lawmaker
Fri Jun 9, 2006 7:57 PM ET
http://tinyurl.com/pvtre

By Chris Baltimore

WASHINGTON (Reuters) - A computer hacker got into the U.S. agency that guards the country's nuclear weapons stockpile and stole the personal records of at least 1,500 employees and contractors, a senior U.S. lawmaker said on Friday.

The target of the hacker, the National Nuclear Safety Administration, is the latest agency to reveal that sensitive private information about government workers was stolen.
The incident happened last September but top Energy Department officials were not told about it until this week, prompting the chairman of the House of Representatives Energy and Commerce Committee to demand the resignation of the head of the NNSA.

An NNSA spokesman was not available for comment.

The NNSA is a semi-autonomous arm of the Energy Department and also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies.

Committee chairman Rep. Joe Barton said NNSA Administrator Linton Brooks should be "removed from your office as expeditiously as possible" because he did not quickly notify senior Energy Department officials of the breach.

"And I mean like 5 o'clock this afternoon if it's possible," Barton, a Texas Republican, said in a statement.

Earlier this week the Pentagon revealed that personal information on about 2.2 million active-duty, National Guard and Reserve troops was stolen last month from a government employee's house. That comes on top of the theft of data on 26.5 million U.S. military veterans, the Department of Veterans Affairs has said.

A spokesman for Energy Secretary Sam Bodman declined comment on the call for Brooks' resignation but said the secretary was "deeply disturbed about the way this was handled internally" and would make it a priority to notify workers about the lapse.

The "vast majority" of those workers were contractors, not direct government employees, said the spokesman Craig Stevens.

According to Barton, the NNSA chief knew about the incident soon after it happened in September but did not inform Energy Department officials, including Bodman, until Wednesday.

"I don't see how you could meet with (Bodman) every day the last seven or eight months and not inform him," Barton said. He said Brooks cited "bureaucratic confusion" to explain the reporting lapse.

"It appears that each side of that organization assumed that the other side had made the appropriate notification," Brooks told the House energy panel's oversight and investigations subcommittee, according to a record provided by Barton's office.

"Just as the secretary just learned about this week, I learned this week that the secretary didn't know," Brooks said. "There are a number of us who in hindsight should have done things differently on informing."

From cwalsh at cwalsh.org Fri Jun 9 23:17:59 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 9 Jun 2006 22:17:59 -0500
Subject: [Dataloss] 4 Breaches in O-HI-O
Message-ID: <4BD91B9E-76B4-4122-8192-5566D845057E@cwalsh.org>

With major apologies to Neil Young.

Ohio University has gone for four:

##### from http://www.onnnews.com/?sec=home&story=10tv/content/pool/200606/1770514625.html, post 1105 AM 6/9/2006 ######

Another Security Breach At OU
Jun 09 2006 11:05AM
Reported by Tino Ramos

Ohio University officials are scratching their heads over another computer security breach that affects tens of thousands of people who had dealings with the university. This time, someone has again tapped into their computer system, taking private information from their files.

Reports indicate that two additional electronic security breaches have been discovered. This one involves over 70,000 people, including subcontractors paid by OU over the past two years.

The FBI is already investigating three prior data thefts involving research, and private information on students and alumni that included social security numbers.
The university has been issuing letters to those who have been affected and they've taken drastic steps to tighten up firewalls within their computer systems that will help prevent breaches.

A letter sent to the latest theft victims indicates that there is no evidence their stolen information has been used to commit fraud.

Clearly there continues to be a great concern for the university and for those who have dealings with them.

From jericho at attrition.org Sat Jun 10 04:18:20 2006
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 10 Jun 2006 04:18:20 -0400 (EDT)
Subject: [Dataloss] CPA group says hard drive with data on 330,000 members missing
Message-ID:

Courtesy WK/ISN:

---------- Forwarded message ----------

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001030

By Jaikumar Vijayan
Computerworld
June 07, 2006

Adding to the lengthening list of organizations reporting data compromises, the American Institute of Certified Public Accountants (AICPA) today confirmed that a computer hard drive containing the unencrypted names, addresses and Social Security numbers of nearly all of its 330,000 members has been missing since February.

The hard drive had been accidentally damaged by an AICPA employee and was sent out for repair to an external data-recovery service in violation of the AICPA's policies, said Joel Allegretti, a spokesman for the New York-based organization. It was on its way back to the AICPA via FedEx but failed to arrive.

Allegretti did not say when exactly the drive went missing except to note that the package containing it was due back at the AICPA "toward the end of February." It took the organization until March 31 to "re-create the drive" and determine what data it contained.

The AICPA began notifying affected members of the potential compromise of their personal data on May 8 and has since completed the task, Allegretti said.

Jim McClusky, a spokesman for FedEx Corp., said it is unclear what exactly happened to the drive. But he stressed that it is a mistake to characterize the package as being lost.

"We did handle the shipment, and we are working closely and cooperatively with our customer to determine where the package might be," he said. "It is still being investigated. At this point, we are looking at it as a missing shipment; that doesn't mean it's lost."

Based on investigations so far, it does not appear that information on the hard drive has been misused, Allegretti said.

Following the loss, the AICPA is offering affected members a year's worth of free credit-monitoring services. The incident has also prompted the group to begin deleting all Social Security numbers from its member database.

While a note posted on the organization's Web site says the collection of Social Security numbers has been a long-standing procedure, it added that "we will cease collecting and maintaining them, except in limited circumstances. And even for those, we are accelerating our efforts to develop other means of uniquely identifying our members."

News of the AICPA breach comes amid a flurry of similar disclosures in recent days. By far, the biggest was the May 22 disclosure by the U.S. Department of Veterans Affairs that it had lost personal data on more than 26.5 million veterans discharged since 1975. Since then, the agency has admitted that the breach may have exposed personal information on about 2.2 million active-duty National Guard and Reserve troops as well (see "Personal info on 2.2M troops part of VA data theft" [1]).

Since then, there have been similar disclosures elsewhere, including Texas Guaranteed Student Loan Corp., a Round Rock, Texas-based nonprofit organization. TG said that an outside contractor lost an unspecified piece of equipment containing the names and Social Security numbers of approximately 1.3 million borrowers.

On May 26, Sacred Heart University in Fairfield, Conn., announced that one of its computers had been hacked into, resulting in the potential compromise of data belonging to 135,000 alumni and would-be students.

And earlier this month, a password-protected laptop containing credit card information on more than a quarter-million Hotels.com LP customers was stolen from the car of an auditor at Ernst & Young LLP.

[1] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000992

From lyger at attrition.org Sat Jun 10 21:43:45 2006
From: lyger at attrition.org (lyger)
Date: Sat, 10 Jun 2006 21:43:45 -0400 (EDT)
Subject: [Dataloss] VA Notification Letter
Message-ID:

Scanned copy of the Department of Veteran Affairs notification letter:

http://attrition.org/errata/dataloss/VA_letter.jpg
http://attrition.org/errata/dataloss/VA_Help_Sheet_1.jpg
http://attrition.org/errata/dataloss/VA_Help_Sheet_2.jpg

From lyger at attrition.org Sun Jun 11 11:34:55 2006
From: lyger at attrition.org (lyger)
Date: Sun, 11 Jun 2006 11:34:55 -0400 (EDT)
Subject: [Dataloss] Records for 150,000 Colo. voters missing
Message-ID:

http://news.yahoo.com/s/ap/20060611/ap_on_re_us/voter_records_missing

Sun Jun 11, 12:12 AM ET

DENVER - Records containing personal information on more than 150,000 voters are missing at city election offices, and officials are trying to determine if the files were lost, moved or stolen.

The Denver Election Commission is also trying to figure out why officials didn't learn the records were missing until June 1, even though they are believed to have disappeared nearly four months earlier.

"We will get to the bottom of it," commission spokesman Alton Dillard told the Rocky Mountain News in Saturday's editions.

Police were notified about the missing records Saturday.

The microfilmed voter registration files from 1989 to 1998 were in a 500-pound cabinet that disappeared when the commission moved to new offices in February.
The files contain voters' Social Security numbers, addresses and other personal information.

[...]

From lyger at attrition.org Sun Jun 11 16:04:24 2006
From: lyger at attrition.org (lyger)
Date: Sun, 11 Jun 2006 16:04:24 -0400 (EDT)
Subject: [Dataloss] Stolen Diebold Laptop?
Message-ID:

Found this link/image during a typical news crawl, but I don't recall any specifics on this particular incident from August of 2005. Also, the document listed below has not been verified as authentic. Anyone?

http://i12.photobucket.com/albums/a219/pseudojd/page1.jpg

From jericho at attrition.org Mon Jun 12 17:51:20 2006
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 12 Jun 2006 17:51:20 -0400 (EDT)
Subject: [Dataloss] GAO recommends that Congress sets SSN truncating standards for information resellers
Message-ID:

The following article is from GSN: Government Security News (May 1, 2006). Any typos are my own.

--

GAO recommends that Congress sets SSN truncating standards for information resellers

If you contact the right information resellers on the Internet, you may be able to obtain a range of personal information about a specific individual, including his date of birth, driver's license data, telephone records and even his social security number, or a truncated version of that SSN.

The Government Accountability Office (GAO) looked into the availability of SSNs over the Internet, contacted 21 resellers and reached two interesting conclusions: SSNs are not that widely available, but when they are, there is no standardized format in which they present the entire SSN or a truncated version of the number.

The GAO reported "there are few federal laws and no specific industry standards on whether to display the first five or last four digits of the SSN, and [Social Security Administration] officials told us the agency does not have the authority to regulate how public or private entities use SSNs, including how they are truncated."

As a result, the GAO has recommended that Congress consider setting standards for truncating SSNs, or delegating authority to the SSA or another agency to set such standards. The SSA agreed with this recommendation, the GAO said.

When it requested SSN information from 21 different resellers, the GAO said it received one full SSN, four truncated SSNs (which displayed only the first five digits), and nothing at all from 16 of the resellers.

"In one case, we also received additional unrequested personal information including truncated SSNs of the search subject's neighbor," said the GAO document issued earlier this month.

From cwalsh at cwalsh.org Mon Jun 12 21:50:30 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 12 Jun 2006 20:50:30 -0500
Subject: [Dataloss] 4 Breaches in O-HI-O
In-Reply-To: <4BD91B9E-76B4-4122-8192-5566D845057E@cwalsh.org>
References: <4BD91B9E-76B4-4122-8192-5566D845057E@cwalsh.org>
Message-ID: <20060613015005.GA10933@cwalsh.org>

Make it five. I emailed Ohio U's media relations coordinator, who clarified for me that these are the fourth *and fifth* breaches.

Chris

On Fri, Jun 09, 2006 at 10:17:59PM -0500, Chris Walsh wrote:
> With major apologies to Neil Young.
>
>
> Ohio University has gone for four:

From cwalsh at cwalsh.org Tue Jun 13 02:09:57 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 13 Jun 2006 01:09:57 -0500
Subject: [Dataloss] Addt'l info on Ohio U 4+5
In-Reply-To: <20060613015005.GA10933@cwalsh.org>
References: <4BD91B9E-76B4-4122-8192-5566D845057E@cwalsh.org> <20060613015005.GA10933@cwalsh.org>
Message-ID: <20060613060956.GB8543@cwalsh.org>

"
A breach was discovered on a computer that housed IRS 1099 forms for 2,480 vendors and independent contractors for calendar years 2004 and 2005. There is no evidence that any of the information has been misused.

Event 5: A breach was discovered on a computer that hosted a variety of Web-based forms, including some that processed on-line business transactions. Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration. There is no evidence that nay of the information has been misued.
"

Via http://www.ohio.edu/datasecurity/

Typos in the original.

From lyger at attrition.org Tue Jun 13 09:58:36 2006
From: lyger at attrition.org (lyger)
Date: Tue, 13 Jun 2006 09:58:36 -0400 (EDT)
Subject: [Dataloss] OU has been getting an earful about huge data theft
Message-ID:

Courtesy InfoSec News and WK:

http://www.athensnews.com/issue/article.php3?story_id=25220

By Jim Phillips
Athens NEWS Senior Writer
2006-06-12

Ohio University has spent more than $77,000 sending letters to alumni and students affected by a computer security breach.

It's harder to put a price tag on the blow to alumni goodwill, as the number of people affected by hacking of OU computer databases continues to rise with the discovery of new hacking incidents.

"This is damaging OU's reputation far more than its drunk football coach, magazine pictorials or its #2 party-school ranking, and you can tell (OU President Roderick) McDavis that this really sucks. A lot!" wrote one incensed alum May 10.

Another signed off his May 3 e-mail with, "You incompetent f---ing a--holes. I will never donate a penny to you."

After announcing two computer security breaches in May, OU got hundreds of e-mails from alums regarding the issue. The Athens NEWS has examined more than 600 of them, provided by the university in response to a records request.

[...]
From jericho at attrition.org Tue Jun 13 15:27:23 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 13 Jun 2006 15:27:23 -0400 (EDT)
Subject: [Dataloss] Data breaches raise more questions about computer security law
Message-ID:

Courtesy WK/ISN:

---------- Forwarded message ----------

http://www.govexec.com/dailyfed/0606/06126p1.htm

By Daniel Pulliam
dpulliam at govexec.com
June 12, 2006

Recently reported breaches compromising sensitive data held by four agencies have officials looking at ways to improve federal information security laws.

Security experts and former government officials started pointing fingers at alleged weaknesses in the 2002 Federal Information Security Act earlier this year. In recent interviews, some said they believe that the incidents could lead to changes in the law.

Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, called the compromise of personnel records of 1,500 Energy Department employees revealed last week, combined with last month's theft of personal data on 26.5 million people from a Veterans Affairs Department employee's home, "an indictment of FISMA."

In two unrelated incidents, laptop computers containing the personal information -- including Social Security numbers, birthdates and names -- of about 200 employees at the Social Security Administration and the Internal Revenue Service were lost recently.

FISMA requires agencies to identify and categorize risks to their information technology systems and then implement security controls based on those risks.

Paller said agencies are using their technology security funds to pay independent contractors to write FISMA-required reports as part of the certification and accreditation process, leaving little money for implementing actual security measures. A certification and accreditation process is necessary, but it should be continuous and automated, Paller said.

"There was a thought that to check security, you had to check with people and talk to people, but because most attacks are done by systems, you need systems to check the security," Paller said. "The VA spent tens of millions of dollars certifying and accrediting these systems, and they are not secure."

A VA spokesman said that the agency received $77 million for information security in fiscal 2006 and $78 million has been proposed for fiscal 2007.

Paller and Bruce Brody, vice president for information security at the Reston, Va.-based market research firm INPUT and associate deputy assistant secretary for cyber and information security at the VA from 2001 to 2004, have been critical of FISMA in the past, and both met with staffers from the House Government Reform Committee recently to discuss possible changes to the law.

Brody, who also served as chief information security officer at the Energy Department until December 2005, said that the Energy security breach occurred during his tenure at the agency, but within the National Nuclear Security Administration, which is autonomous from the department under the National Nuclear Security Act.

Paller said he believes that effective reform is possible, but Brody said the policy and legislative communities are unlikely to get the changes right unless information security practitioners are involved.

Clay Johnson, the Office of Management and Budget's deputy director for management, said last week OMB has 95 percent of the laws and policies it needs to hold agencies accountable for locking down their information systems, but "extra teeth" may be needed. He did not specifically refer to FISMA.

Johnson said in testimony before the House Government Reform Committee that the administration believes it generally has good policies and laws for protecting data, but is "prepared to take more action as necessary."

In a request for comment on the matter, OMB gave no indication that changes to FISMA are being considered. OMB spokeswoman Andrea Wuebker said that FISMA was established to ensure that agencies meet consistent standards for security requirements for information systems. Agencies are responsible for ensuring that they are FISMA compliant and that their employees are trained to work with tough security measures, Wuebker said.

"Sound standards and policies are in place, and OMB works with agencies to make sure practices match these policies," Wuebker said.

From lyger at attrition.org Tue Jun 13 16:14:19 2006
From: lyger at attrition.org (lyger)
Date: Tue, 13 Jun 2006 16:14:19 -0400 (EDT)
Subject: [Dataloss] Japan - KDDI leaks data on 4 million customers
Message-ID:

(Not just an issue in the USA..)

http://www.digitalworldtokyo.com/2006/06/kddi_leaks_data_on_4_million_c.php

Personal data on almost 4 million customers of Japanese telecom carrier KDDI has been leaked, the company said Tuesday.

The data includes the name, address and telephone number of 3,996,789 people who had applied for accounts with KDDI's Dion Internet provider service up to December 18, 2003, KDDI said. Additionally the gender, birthday and email addresses of some of the people was also leaked.

KDDI is Japan's second largest telecommunications carrier. It operates fixed-line, dial-up Internet, broadband and cellular services through a number of different companies.

[...]

From lyger at attrition.org Tue Jun 13 16:17:48 2006
From: lyger at attrition.org (lyger)
Date: Tue, 13 Jun 2006 16:17:48 -0400 (EDT)
Subject: [Dataloss] Medicare chastises Humana
Message-ID:

(First mention I've seen about this one..)
Patient data left on public computer

http://www.courier-journal.com/apps/pbcs.dll/article?AID=/20060603/BUSINESS/606030358/1003

By Patrick Howington
The Courier-Journal
Saturday, June 3, 2006

A computer file containing Social Security numbers and other personal information on approximately 17,000 people enrolled in Humana Medicare plans was left unsecured in a hotel computer after a Humana employee called up the data, the Louisville insurer disclosed yesterday.

There is no evidence that the information fell into the wrong hands and was misused, Medicare spokesman Peter Ashkenaz said yesterday. Still, the agency called the incident "unacceptable," ordered Humana to take corrective steps and said it was considering further action against the company.

[...]

From DOpacki at Covestic.com Tue Jun 13 18:03:52 2006
From: DOpacki at Covestic.com (Dennis Opacki)
Date: Tue, 13 Jun 2006 15:03:52 -0700
Subject: [Dataloss] Addt'l info on Ohio U 4+5
References: <4BD91B9E-76B4-4122-8192-5566D845057E@cwalsh.org> <20060613015005.GA10933@cwalsh.org> <20060613060956.GB8543@cwalsh.org>
Message-ID:

Is it just me, or do disclaimers like, "there is no evidence that any of the information has been misused" provide little comfort? Other than PR spin, do they serve some underlying legal purpose?

-Dennis Opacki, CISSP QDSP
Covestic, Inc.

________________________________

From: dataloss-bounces at attrition.org on behalf of Chris Walsh
Sent: Mon 6/12/2006 11:09 PM
To: dataloss at attrition.org
Subject: [Dataloss] Addt'l info on Ohio U 4+5

" A breach was discovered on a computer that housed IRS 1099 forms for 2,480 vendors and independent contractors for calendar years 2004 and 2005. There is no evidence that any of the information has been misused.

Event 5: A breach was discovered on a computer that hosted a variety of Web-based forms, including some that processed on-line business transactions.
Although this computer was not set up to store personal information, investigators did discover files that contained fragments of personal information, including Social Security numbers. The data is fragmentary and it is not certain if the compromised information can be traced to individuals. Also found on the computer were 12 credit card numbers that were used for event registration. There is no evidence that nay of the information has been misued. "

Via http://www.ohio.edu/datasecurity/

Typos in the original.

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/errata/dataloss/

From Joanne_McNabb at dca.ca.gov Tue Jun 13 18:53:34 2006
From: Joanne_McNabb at dca.ca.gov (Joanne_McNabb at dca.ca.gov)
Date: Tue, 13 Jun 2006 15:53:34 -0700
Subject: [Dataloss] Addt'l info on Ohio U 4+5
Message-ID:

When the data compromised in a breach is SSNs, which can be used in a variety of ways at any point in time, there's no reason to expect that anyone would know whether or not they were used soon after the event.

"Dennis Opacki"
Sent by: dataloss-bounces at attrition.org
06/13/2006 03:03 PM
cc:
Subject: Re: [Dataloss] Addt'l info on Ohio U 4+5

Is it just me, or do disclaimers like, "there is no evidence that any of the information has been misused" provide little comfort? Other than PR spin, do they serve some underlying legal purpose?

-Dennis Opacki, CISSP QDSP
Covestic, Inc.

From lyger at attrition.org Tue Jun 13 19:19:43 2006
From: lyger at attrition.org (lyger)
Date: Tue, 13 Jun 2006 19:19:43 -0400 (EDT)
Subject: [Dataloss] MN - 3 laptops with sensitive data missing from auditor's office
Message-ID:

http://www.startribune.com/462/story/490333.html

Last update: June 13, 2006, 4:27 PM

St. Paul police are investigating the apparent theft of three computers from the office of State Auditor Patricia Anderson. The missing laptops might contain Social Security numbers and other personal information on some employees of local governments the auditor oversees.

"We've been going through the backups to see what was on them," Deputy Auditor Tony Sutton said Tuesday.

The loss was discovered late Thursday in a locked, unmarked fourth-floor area of the auditor's office near the State Capitol that is not open to the public and normally accessible only to 30 auditors and building staff members, Sutton said.

[...]
From lyger at attrition.org Wed Jun 14 07:45:19 2006
From: lyger at attrition.org (lyger)
Date: Wed, 14 Jun 2006 07:45:19 -0400 (EDT)
Subject: [Dataloss] Hanford workers warned about security breach
Message-ID:

Courtesy InfoSec News and WK

http://seattlepi.nwsource.com/local/273650_hanfsecurity13.html

By SHANNON DININNY
THE ASSOCIATED PRESS
June 13, 2006

The U.S. Energy Department has warned about 4,000 current and former workers at the Hanford Nuclear Reservation that their personal information may have been compromised, after police found a 1996 list with workers' names and other information in a home during an unrelated investigation.

The discovery marks the second time in less than a week that the Energy Department has warned employees and its contractors' employees that their personal information may have been compromised.

Police in Yakima discovered the list while investigating an unrelated criminal matter, the Energy Department said, adding that the list included the names of people who worked for a former Hanford contractor, Westinghouse Hanford, who were transferring to Fluor Hanford or companies under contract to Fluor Hanford in 1996.

[...]

From lyger at attrition.org Wed Jun 14 12:57:41 2006
From: lyger at attrition.org (lyger)
Date: Wed, 14 Jun 2006 12:57:41 -0400 (EDT)
Subject: [Dataloss] Oregon - State says taxpayer files may have been compromised
Message-ID:

http://www.kgw.com/sharedcontent/APStories/stories/D8I7JI4G0.html

06/13/2006
Associated Press

Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday.

Amy McLaughlin, an information technology security officer with the state, said the incident apparently occurred when an employee downloaded a contaminated file from a porn site. The "trojan" attached to the file may have sent taxpayer information back to the source when the computer was turned on.
"We're not 100 percent certain they were received by anyone," said department spokeswoman Rosemary Hardin. Hardin said the released data likely involved names or addresses or Social Security numbers, or possibly in some cases all three. It's unclear if it was damaging but said some of the data may have gotten back to the porn site. [...] From lyger at attrition.org Wed Jun 14 16:25:21 2006 From: lyger at attrition.org (lyger) Date: Wed, 14 Jun 2006 16:25:21 -0400 (EDT) Subject: [Dataloss] Bill Seeks to Limit ID Theft Law Message-ID: Via http://fergdawg.blogspot.com/ http://money.cnn.com/2006/06/14/pf/credit_bill/index.htm June 14, 2006: 9:09 AM EDT In what likely will be a prickly issue with many Americans, Congress next week is expected to vote on a bill that would limit consumers' ability to request a credit freeze, according to a published story Wednesday. USA Today reported that the proposed Financial Data Protection Act of 2006 pre-empts laws in 17 states that allow anyone to freeze their own credit and instead permits only ID theft victims to request a freeze. If it becomes a law, vets and military personnel who live in states that permit unrestricted credit freezes would lose that option, the newspaper said. Critics of the measure said the bill tramples states' rights and undermines the consumer-protection role of state attorney generals, the report said. [...] From lyger at attrition.org Wed Jun 14 18:42:53 2006 From: lyger at attrition.org (lyger) Date: Wed, 14 Jun 2006 18:42:53 -0400 (EDT) Subject: [Dataloss] 3 Out of 4 Financial Institutions Suffered External Breach in Past Year Message-ID: Via Fergie's Tech Blog: http://fergdawg.blogspot.com/ http://www.scmagazine.com/uk/news/index.cfm?fuseaction=XCK.News.Article&nNewsID=564512 More than three out of every four of the world’s largest financial institutions experienced an external security breach in the past year, a dramatic increase over 2005, a new survey has revealed. 
The fourth annual poll, released today by Deloitte Touche Tohmatsu, found that 78 percent of the world's top 100 financial services organizations that responded to the survey confirmed a security breach from outside the organization, up from just 26 percent in 2005.

The survey also learned that nearly half of the organizations experienced at least one internal breach, up from 35 percent in 2005.

Phishing and pharming were responsible for 51 percent of the external attacks, while spyware and malware accounted for 48 percent. Meanwhile, insider fraud was responsible for 28 percent of the internal breaches and customer data leaks were to blame for 18 percent.

[...]

From lyger at attrition.org Wed Jun 14 21:05:57 2006
From: lyger at attrition.org (lyger)
Date: Wed, 14 Jun 2006 21:05:57 -0400 (EDT)
Subject: [Dataloss] 3 Out of 4 Financial Institutions Suffered External Breach in Past Year
Message-ID:

DTT survey provided by Saundra Kae Rubel (privacylaws_at_sbcglobal.net)

Original: http://www.deloitte.com/dtt/cda/doc/content/dtt_lssecuritysurvey_053006%282%29.pdf
Hosted: http://attrition.org/errata/dataloss/dtt_2006-06-13.pdf

From lyger at attrition.org Wed Jun 14 21:09:07 2006
From: lyger at attrition.org (lyger)
Date: Wed, 14 Jun 2006 21:09:07 -0400 (EDT)
Subject: [Dataloss] Stolen AIG Computer Server Sparks ID Theft Fears for Almost 1 Million
Message-ID:

http://www.msnbc.msn.com/id/13327187/

A thief recently stole a computer server belonging to a major U.S. insurance company, and company officials now fear that the personal data of nearly 1 million people could be at risk, insurance industry sources tell NBC News.

The computer server contains personal electronic data for 930,000 Americans, including names, Social Security numbers and tens of thousands of medical records.

The server was stolen on March 31, along with a camcorder and other office equipment, during a break-in at a Midwest office of American Insurance Group (AIG), company officials confirm.
An AIG spokesman says that there's no evidence that the thief has accessed the personal data on the server or used it for any illicit purpose. The server is password protected, the AIG spokesman adds.

[...]

From rforno at infowarrior.org Fri Jun 16 07:54:05 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 16 Jun 2006 07:54:05 -0400
Subject: [Dataloss] A thought on USG data protection capability
Message-ID:

Given the ever-worsening data security fiascos at the VA, DOE, and who-knows-where-else, if you set aside the whole "domestic surveillance" and "false positive" arguments for a minute, does anyone else here doubt the USG's ability to safeguard effectively such treasure-troves of personal information it wants to or is collecting under such "anti-terrorist" programs?

What privacy oversights and protections are in place over such data? Would an unscrupulous DOD contractor be able to offload a bunch of MySpace blogs (or private LiveJournal entries) and peruse them at leisure from their laptop at home?

Looking at recent data loss stories, I'm not particularly confident of the USG's demonstrated competence in protecting private information. Yet the desire for collecting it continues...

Thoughts?

-rick
Infowarrior.org

From lyger at attrition.org Fri Jun 16 11:42:36 2006
From: lyger at attrition.org (lyger)
Date: Fri, 16 Jun 2006 11:42:36 -0400 (EDT)
Subject: [Dataloss] Union Pacific - Data-loss disclosure falls short
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/06/16/BUG77JER911.DTL

David Lazarus
Friday, June 16, 2006

Another day, another data leak. Today I bring news of railroad operator Union Pacific, which can make trains run on time throughout California but apparently can't keep track of confidential info affecting its own employees and retirees.

The company recently sent letters to workers acknowledging that an "employee's personal computer" was stolen on April 29.
It said the computer contained data for "many" current and former Union Pacific employees, including names, birth dates and Social Security numbers. No other details were provided.

Before we delve deeper into this latest case of missing info, it's worth noting (yet again) how unacceptable it is that companies believe they can get away with providing the barest minimum of disclosure when employees or customers are exposed to a potentially devastating risk of fraud and identity theft.

[...]

From lyger at attrition.org Fri Jun 16 16:24:13 2006
From: lyger at attrition.org (lyger)
Date: Fri, 16 Jun 2006 16:24:13 -0400 (EDT)
Subject: [Dataloss] A thought on USG data protection capability
Message-ID:

From: dan at geer.org

http://www.gao.gov/highlights/d06866thigh.pdf

GAO-06-866: Leadership Needed to Address Information Security Weaknesses and Privacy Issues (Testimony)
June 14, Government Accountability Office

The recent information security breach at the Department of Veterans Affairs (VA), in which personal data on millions of veterans were compromised, has highlighted the importance of the department's security weaknesses, as well as the ability of federal agencies to protect personal information. Robust federal security programs are critically important to properly protect this information and the privacy of individuals.

The Government Accountability Office (GAO) was asked to testify on VA's information security program, ways that agencies can prevent improper disclosures of personal information, and issues concerning notifications of privacy breaches. To ensure that security and privacy issues are adequately addressed, GAO has made recommendations previously to VA and other agencies on implementing federal privacy and security laws. In addition, GAO has previously testified that in considering security breach notification legislation, the Congress should consider setting specific reporting requirements for agencies.
From cwalsh at cwalsh.org Sat Jun 17 18:33:04 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sat, 17 Jun 2006 17:33:04 -0500
Subject: [Dataloss] Western Illinois University: 240K SSNs, plus CC#s
Message-ID:

Associated Press

MACOMB, Ill. - The names, addresses and Social Security numbers for as many as 240,000 people connected to Western Illinois University were compromised by a hacker earlier this month, school officials said.

A hacker was in the system for a "relatively short period of time," and officials do not know if any records were viewed or copied, said Mitch Davidson, director of University Computer Support Services. He said the school has not had any reports of the records being used improperly.

The incident occurred on June 5 when someone accessed the WIU system that stores students' personal data, Davidson said. The system also holds credit card information for anyone who used the Web to buy items from the school's bookstore or who stayed in the hotel in the school's union.

"We regret any inconvenience and problems this breach may cause individuals," Davidson said Friday. "We are working diligently to ensure that the university computer systems are as secure as possible, with the goal that this type of breach does not occur again."

School officials were aware of the breach on the day it happened but did not announce it publicly until this week. The school dealt quickly with the immediate breach of security, but took some time to create a plan to deal with the issue, said WIU spokesman John Maguire.

The university's Office of Public Safety was also investigating, and WIU planned to begin mailing letters to those affected on Monday, Maguire said.
[ The official WIU word on this is at http://www.wiu.edu/securityalert/ ]

From cwalsh at cwalsh.org Sun Jun 18 11:15:25 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sun, 18 Jun 2006 10:15:25 -0500
Subject: [Dataloss] losING your identity
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/17/AR2006061700966.html?referrer=email

Laptop Stolen From D.C. Home
Computer Had Social Security Numbers of 13,000 City Workers, Retirees

By Lyndsey Layton
Washington Post Staff Writer
Sunday, June 18, 2006; Page C06

A laptop containing personal data -- including Social Security numbers -- of 13,000 District workers and retirees was stolen Monday from the Southeast Washington home of an employee of ING U.S. Financial Services, the company said yesterday.

ING, which administers the District's retirement plan, known as DCPlus, notified the city about the theft late Friday. The company is mailing a letter to all affected account holders to alert them to the risk of someone using the information to commit identity theft, spokeswoman Caroline Campbell said. The company is also telling customers that it will set up and pay for a year of credit monitoring and identity fraud protection.

The laptop was not protected by a password or encryption, Campbell said.

[...]

From cwalsh at cwalsh.org Mon Jun 19 12:14:05 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 19 Jun 2006 11:14:05 -0500
Subject: [Dataloss] ADP misrouted FAX reveals payroll info
Message-ID: <20060619161403.GA21152@cwalsh.org>

Payroll data mistake exposes area workers

Associated Press
Posted Saturday, June 17, 2006

A national payroll company Thursday accidentally faxed personal and payroll information of at least 80 workers from Glendale Heights, Vernon Hills and elsewhere, exposing them to potential identity theft.

Paul Dullea, a financial planner who lives in Nashua, N.H., received the information on 121 pages from Automatic Data Processing Inc.
The pages had the names, addresses, Social Security numbers and income information for workers at Lingraph Services of Glendale Heights; Kanaflex Corp. in Vernon Hills and Los Angeles; and Fantasy of Flight in Polk City, Fla.

[...]

http://www.dailyherald.com/search/searchstory.asp?id=200400

From rforno at infowarrior.org Tue Jun 20 13:05:20 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 20 Jun 2006 13:05:20 -0400
Subject: [Dataloss] Data Protection - The Cost of Failure (Report)
In-Reply-To:
Message-ID:

This is a link to a study done by the Ponemon Institute on the cost of data breaches.

http://www.securitymanagement.com/library/Ponemon_DataStudy0106.pdf

From lyger at attrition.org Tue Jun 20 14:10:57 2006
From: lyger at attrition.org (lyger)
Date: Tue, 20 Jun 2006 14:10:57 -0400 (EDT)
Subject: [Dataloss] Equifax: Laptop With Employee Data Stolen
Message-ID:

http://sfgate.com/cgi-bin/article.cgi?f=/news/archive/2006/06/20/financial/f081242D53.DTL&type=business

By HARRY R. WEBER, AP Business Writer
Tuesday, June 20, 2006

Equifax Inc., one of the nation's three major credit bureaus, said Tuesday a company laptop containing employee names and Social Security numbers was stolen from an employee who was traveling by train near London.

The theft, which could affect as many as 2,500 of the Atlanta-based company's 4,600 employees, happened May 29 and all employees were notified June 7, spokesman David Rubinger said.

Employee names and partial and full Social Security numbers were on the computer's hard drive, though Rubinger said it would be almost impossible for the thief to decipher the information because it was streamed together.

[...]
From lyger at attrition.org Tue Jun 20 14:36:47 2006
From: lyger at attrition.org (lyger)
Date: Tue, 20 Jun 2006 14:36:47 -0400 (EDT)
Subject: [Dataloss] Data on 9,800 people missing after theft of UAB computer
Message-ID:

http://www.timesdaily.com/apps/pbcs.dll/article?AID=/20060620/APN/606200750&cachetime=5

The Associated Press
Last Updated: June 20, 2006 12:38PM

A computer stolen from the kidney transplant program at the University of Alabama at Birmingham contained confidential information on 9,800 donors, organ recipients and potential recipients.

No arrests were made in the theft of the machine, which officials said could contain names, Social Security numbers and medical information on people involved in the program.

[...]

From cwalsh at cwalsh.org Wed Jun 21 04:55:48 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 21 Jun 2006 03:55:48 -0500
Subject: [Dataloss] Visa reveals ATM processor breach
Message-ID: <2FFDA3D2-68AC-478B-8F58-B949BA4EEEC6@cwalsh.org>

Visa says ATM security breach may have exposed consumer data

By MICHAEL LIEDTKE
The Associated Press

SAN FRANCISCO - Visa USA on Tuesday confirmed an ATM security breakdown has exposed more consumers to potential mischief, the latest in a long line of lapses that have illuminated the often flimsy controls over the personal information entrusted to businesses, schools and government agencies.

The latest breach dates back to February when San Francisco-based Visa began notifying banks of a security problem affecting a U.S.-based contractor that processed automated teller machine transactions.

Visa, one of the nation's largest issuers of credit and debit cards, publicly acknowledged the trouble Tuesday in response to media inquiries prompted by Wachovia Bank's decision to replace an untold number of debit cards issued to its customers.

Charlotte, N.C.-based Wachovia issued the card replacements last week as an antifraud measure, said bank spokeswoman Mary Beth Navarro.
She declined to explain the circumstances that triggered the action after several months. Visa also gave out few details about the incident. Thousands of banks have issued millions of debit cards bearing the Visa logo.

In a statement, Visa said it is working with its member banks and authorities "to do whatever is necessary to protect cardholders." Under Visa's policy, consumers aren't held liable for any unauthorized purchases made with their cards.

Visa's security headache is hardly isolated.

[...]

http://www.pe.com/ap_news/California2/CA_Visa_ATM_Breach_242145CA.shtml

From lyger at attrition.org Wed Jun 21 06:59:50 2006
From: lyger at attrition.org (lyger)
Date: Wed, 21 Jun 2006 06:59:50 -0400 (EDT)
Subject: [Dataloss] Ohio U. Suspends Two Over Hackers' Theft
Message-ID:

Courtesy InfoSec News and WK:

http://www.phillyburbs.com/pb-dyn/news/95-06202006-673296.html

The Associated Press
June 20, 2006

ATHENS, Ohio - Ohio University said Tuesday it has suspended two information technology supervisors over recent breaches by hackers who may have stolen 173,000 Social Security numbers from school computers.

The school did not identify the director of communications network services - identified on the school's Web site as Thomas Reid - and manager of Internet and systems. Both were suspended pending the school's investigation of the breaches, five of which have happened since March 2005.

A message was left late Tuesday at a home phone listing for Reid.

Citing results from an independent audit, the school also said University President Roderick McDavis will ask trustees for up to $2 million to improve computer security. McDavis said he deeply regretted the inconvenience and stress the breaches caused university employees.

[...]
From lyger at attrition.org Wed Jun 21 16:23:47 2006
From: lyger at attrition.org (lyger)
Date: Wed, 21 Jun 2006 16:23:47 -0400 (EDT)
Subject: [Dataloss] Canada: High-Tech Criminal Ring Clones Debit Cards
Message-ID:

Via Fergie's Tech Blog - http://fergdawg.blogspot.com/

Police say they have busted a savvy criminal ring that used wireless technology to clone the debit cards of 18,000 bank customers in the Montreal area.

About $4-million was emptied from consumers' bank accounts before the scheme was stopped, said Captain Michel Forget of the Sûreté du Québec, the provincial police. Ten people were arrested as of yesterday afternoon, he said.

The criminals mainly targeted convenience stores and gas stations. With the help of accomplices working for the stores, they rigged the stores' debit-card devices, according to police. When customers punched in their personal identification numbers, the information was transmitted, using Wi-Fi technology, to a nearby receiver.

[...]

From lyger at attrition.org Thu Jun 22 07:09:19 2006
From: lyger at attrition.org (lyger)
Date: Thu, 22 Jun 2006 07:09:19 -0400 (EDT)
Subject: [Dataloss] Hacker enters Agriculture dept. computers
Message-ID:

Courtesy InfoSec News and WK:

http://seattlepi.nwsource.com/business/1700AP_Agriculture_Hacker.html

By Libby Quaid
AP FOOD AND FARM WRITER
June 21, 2006

WASHINGTON -- A hacker broke into the Agriculture Department's computer system and may have obtained names, Social Security numbers and photos of 26,000 Washington-area employees and contractors, the department said Wednesday.

Agriculture Secretary Mike Johanns said the department will provide free credit monitoring for one year to anyone who might have been affected.

The break-in happened during the first weekend in June, the department said. Technology staff learned of the breach on June 5 and told Johanns the following day but believed personal information was protected by security software, the department said.

[...]
From lyger at attrition.org Thu Jun 22 07:15:10 2006
From: lyger at attrition.org (lyger)
Date: Thu, 22 Jun 2006 07:15:10 -0400 (EDT)
Subject: [Dataloss] Study: Most Technology Companies Have Data Losses
Message-ID:

Courtesy InfoSec News and WK:

http://www.eweek.com/article2/0,1895,1979924,00.asp

By Matt Hines
June 21, 2006

Over half of all companies doing business in the technology, media and telecommunications sectors have experienced data breaches that potentially exposed their intellectual property or customer information, a new research report shows.

According to the report, published by Deloitte Touche Tohmatsu, not only have many technology providers been hit with the same sorts of data losses that have recently plagued other industries, but a large number of the firms have also failed to make sufficient investments in security technologies aimed at preventing future incidents.

Deloitte researchers said that security has long been "neglected" by technology, media and telecommunications companies despite their dependence on digital information to run their businesses. The consulting company surveyed executives at 150 such companies and found that even in the face of public embarrassment, financial losses and potential litigation linked to data breaches, many of the businesses have yet to make necessary investments to more adequately protect their information.

[...]

From cwalsh at cwalsh.org Thu Jun 22 12:28:19 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 22 Jun 2006 11:28:19 -0500
Subject: [Dataloss] Hacker enters Agriculture dept. computers
In-Reply-To:
References:
Message-ID: <20060622162810.GA4149@cwalsh.org>

Looks like a zombie/keylogger?

http://www.firstgov.gov/usdainfo.shtml

"Over the June 3, 2006, weekend, USDA cyber security staffers monitoring our systems detected some suspicious activity involving an Office of Operations *workstation and two servers* containing employee personal data.
The indication was that someone from outside of USDA was attempting to gain unauthorized access to the system"

(emphasis added)

From rforno at infowarrior.org Thu Jun 22 13:11:18 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 22 Jun 2006 13:11:18 -0400
Subject: [Dataloss] Spike in Laptop Thefts Stirs Jitters Over Data
Message-ID:

Spike in Laptop Thefts Stirs Jitters Over Data

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/21/AR2006062101854_pf.html

By Petula Dvorak
Washington Post Staff Writer
Thursday, June 22, 2006; B01

It has become the police-blotter item of our age: A small-time burglar swipes a laptop and fences it for a quick $200 at a pawnshop. But increasingly, these petty crimes are causing anxiety in executive suites across the country as one corporation after another alerts customers that laptops holding troves of sensitive records have been stolen.

Week after week, Americans who conscientiously shred every piece of mail and all credit card receipts learn that their personal information was stored in the laptop of a low-level employee who casually took it out of the office and that it has ended up in the hands of some penny-ante crook.

"We used to be worried about credit card receipts, and tearing those up. Now we have to worry about everybody's spreadsheets," said Scott Larson, a former FBI agent who used to track cyber criminals and is now managing director for Stroz Friedberg LLC, a consulting and technical services firm.

In the past six weeks, laptop thieves have found themselves holding thousands of credit card numbers from Hotels.com, birthdates from District pensioners who put their retirement funds in ING, addresses of nuclear power plant employees, account numbers of Mercantile Potomac Bank customers -- or even the Social Security numbers of people who work for Equifax, the credit reporting giant. Untold millions of Americans are affected.

Last month, the U.S. Department of Veterans Affairs reported that a stolen laptop and computer hard drive taken from an employee's house in Montgomery County contained personal information on 25.5 million veterans and military personnel. Montgomery police have been distributing fliers with a photograph and a description of the stolen laptop. "It is a priority of the department to find that laptop," said Lt. Eric Burnett, a police spokesman.

Social Security numbers and the birthdates of 13,000 District workers and retirees were among the data contained on a laptop stolen last week from the Southeast Washington house of an employee of ING U.S. Financial Services. And Wednesday, Equifax reported that an employee's laptop was stolen on a London train, compromising the personal records of about 2,500 of the company's Atlanta-based employees.

"By the time you add up a million here and 900,000 there and 4 million over there, you've covered most of the credit-holding and wage-earning population of the U.S.," said Marcus J. Ranum, a firewall designer, in an e-mail. "I'm sure my math is suspect, but I estimate that there are about 156 Americans whose personal information has not yet been compromised."

The thefts are being reported in large part because many states have passed laws requiring that they disclose potential data breaches. What is striking to many people is how widespread and haphazard the spread of personal information has become in companies and government.

"Quite often, you see the line worker has more data than the upper echelons of the company or agency," Larson said. "The secretary for the CEO has more data on a laptop than the CEO of the company. That's the person doing the memos, doing the spreadsheets. And that's where the sensitive information is."

The ING employee whose laptop was stolen was a working-class type, fastidious enough to report that "nine cans of beer and two jars of change" were also stolen from his Southeast D.C. house, according to police.
Virginia security consultant Kevin Mandia said that databases are simply no longer guarded like the "crown jewels" inside giant, blinking mainframes, and companies are opting for the cost-effectiveness of giving employees laptops rather than desktop computers. But laptops go to employees' homes, where they can be stolen. Encrypting the data would be one safeguard, but some computer experts say encryption software is cumbersome, expensive and rarely implemented. Laptop theft is clearly on the rise in the District, said Capt. Michael Reese, who heads the D.C. police department's special investigations unit. Reese said the laptops turn up in pawnshops for about $400 or on the street sold by junkies for $20. But he doesn't remember ever tracing a case of identity theft back to a stolen computer. "There are various ways that people have their identity stolen: wallet, trash, copying your name at the restaurant, looking at a credit card real quick, all different ways," Reese said. "But not the kind of 'I Spy' stuff like getting it off a stolen laptop." Mandia's laptop was stolen several years ago. He found it at a pawnshop on Lee Highway being sold for $400, but no one had opened it, turned it on or accessed the highly sensitive unencrypted data it contained, he said. That has been the case with most such thefts. If someone wants to be an identity thief, it's far easier to go on overseas-based Web sites that auction off blocks of stolen credit card numbers, eBay-style, said Michael Vatis, a lawyer and executive director of the Markle Foundation's Task Force on National Security in the Information Age. Vatis said it would be laborious, time-consuming and a gamble for identity thieves to target middle managers, follow them and steal their laptops, hoping a database would be there. 
"If this is your business, stealing people's identity, you're better off with a business model where you're not looking for a needle in a haystack but you're looking for hay, and there are haystacks everywhere," he said. But assuming that stolen data will remain untapped is dangerous, said Beth Givens, director of the Privacy Rights Clearinghouse, a consumer advocacy group in San Diego. Givens said it's probable that, in many cases, laptops are taken by unsophisticated burglars uninterested in what's inside. But she said the majority of identity theft cases are never traced back to the origin of the theft. "I don't want to be alarmist, but there are so many breaches being reported these days," Givens said. "We all just need to assume our personal information, especially our Social Security numbers, are at risk." Staff writer Ernesto Londoño contributed to this report. © 2006 The Washington Post Company

From cracker at gmail.com Thu Jun 22 13:18:24 2006
From: cracker at gmail.com (cracker at gmail.com)
Date: Thu, 22 Jun 2006 13:18:24 -0400
Subject: [Dataloss] Theft of FTC Laptops Exposes Consumer Data
Message-ID:

http://blog.washingtonpost.com/securityfix/2006/06/ftc_laptop_theft_exposes_consu.html

FTC Laptop Theft Exposes Consumer Data

The *Federal Trade Commission* -- an agency whose mission includes consumer protection and occasionally involves suing companies for negligence in protecting customer information -- today disclosed a recent theft of two laptop computers containing personal and financial data on consumers. In a statement, the FTC said two employee laptops were stolen from a locked vehicle. The PCs contained data on about 110 people that was "gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers."
The commission said it has "no reason to believe the information on the laptops, as opposed to the laptops themselves, was the target of the theft. In addition, the stolen laptops were password protected and the personal information was a very small part of several thousand files contained in one of the laptops." The agency also said it would offer affected individuals one year of free credit monitoring. The FTC's loss is just the latest in a string of laptop thefts -- including several here in the Washington area -- that exposed sensitive information on millions of consumers. Last month, the U.S. *Department of Veterans Affairs* reported that a stolen laptop and computer hard drive taken from an employee's house in Montgomery County contained personal information on 25.5 million veterans and military personnel. Social Security numbers and the birthdates of 13,000 District workers and retirees were among the data contained on a laptop stolen last week from the Southeast Washington house of an employee of *ING U.S. Financial Services*....

From lyger at attrition.org Fri Jun 23 13:30:45 2006
From: lyger at attrition.org (lyger)
Date: Fri, 23 Jun 2006 13:30:45 -0400 (EDT)
Subject: [Dataloss] SFSU students' information stolen, school alerts 3,000
Message-ID:

http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/06/23/BAGQLJJ2LB1.DTL

Nanette Asimov, Chronicle Staff Writer
Friday, June 23, 2006

San Francisco State University officials have put students and staff on alert because a thief broke into a faculty member's car earlier this month and stole a laptop with nearly 3,000 Social Security numbers and names of former and current students. Students' phone numbers and grade-point averages were also on the stolen laptop "in some cases," according to an information sheet posted on the campus Web site.
"The university employee's car was burglarized and the laptop was stolen on Thursday, June 1," the Web site says. But university officials did not learn of the theft until five days later, said Ellen Griffin, the university's spokeswoman, who declined to say what disciplinary actions, if any, had been taken against the faculty member. [...] From cwalsh at cwalsh.org Fri Jun 23 19:50:56 2006 From: cwalsh at cwalsh.org (Chris Walsh) Date: Fri, 23 Jun 2006 18:50:56 -0500 Subject: [Dataloss] SSNs, names of 28K Navy personnel and family posted on web site Message-ID: <20060623235050.GA6463@cwalsh.org> Via AP: WASHINGTON (AP) - The Navy has begun a criminal investigation after Social Security numbers and other personal data for 28,000 sailors and family members were found on a civilian Web site. The Navy said Friday the information was in five documents and included people's names, birth dates and Social Security numbers. Navy spokesman Lt. Justin Cole would not identify the Web site or its owner, but said the information had been removed. He would not provide any details about how the information ended up on the site. [...] http://news.moneycentral.msn.com/provider/providerarticle.asp?feed=AP&Date=20060623&ID=5821436 From lyger at attrition.org Sat Jun 24 10:01:35 2006 From: lyger at attrition.org (lyger) Date: Sat, 24 Jun 2006 10:01:35 -0400 (EDT) Subject: [Dataloss] Florida - 619 students' secure data revealed online Message-ID: http://www.bradenton.com/mld/bradenton/news/nation/14891995.htm A number of Catawba County high school students received an unwanted adult-world graduation present: Their Social Security numbers were exposed on the Web. The mother of a graduate found the numbers along with test scores of 619 students on a school Web site this week. She found the page while looking on Google for information about a beauty pageant contestant. Catawba County Schools officials said the page was password protected and they had no idea how Google got access. 
Google was working to remove the page Friday night. "I wonder how long they've been there and who's got them," said Janet Weaver, a Newton mother who discovered the information, "and what damage has been done and what kind of repair can be done." [...] From lyger at attrition.org Sat Jun 24 10:11:38 2006 From: lyger at attrition.org (lyger) Date: Sat, 24 Jun 2006 10:11:38 -0400 (EDT) Subject: [Dataloss] CORRECTION: NC - 619 students' secure data revealed online In-Reply-To: References: Message-ID: Apologies for the previously incorrect subject in previous mail. The story was reported in a Florida newspaper, but the "Catawba County" referenced below is in North Carolina. On Sat, 24 Jun 2006, lyger wrote: ": " http://www.bradenton.com/mld/bradenton/news/nation/14891995.htm ": " ": " ": " A number of Catawba County high school students received an unwanted ": " adult-world graduation present: Their Social Security numbers were exposed ": " on the Web. From lyger at attrition.org Sun Jun 25 18:09:49 2006 From: lyger at attrition.org (lyger) Date: Sun, 25 Jun 2006 18:09:49 -0400 (EDT) Subject: [Dataloss] Australia: Cop bungle exposes bank files Message-ID: http://www.news.com.au/story/0,10117,19589797-29277,00.html By Natalie O'Brien and Michael McKinnon June 26, 2006 The banking details of thousands of Australians have been revealed and an international police investigation jeopardised in a bungle by Australia's peak internet crime-fighting agency. The details of 3500 customers from 18 banks, including names and account numbers, were lost when a classified computer dossier on Russian mafia "phishing" scams was misplaced by the Australian High Tech Crime Centre in April last year. Inquiries by The Australian have revealed a police officer with the AHTCC lost a memory stick - a tiny disc-like device for storing information - containing the dossier, between Sydney and London. 
The blunder has embarrassed the AHTCC, the law enforcement agency charged with investigating the burgeoning online crime wave in Australia. [...] From lyger at attrition.org Mon Jun 26 13:12:02 2006 From: lyger at attrition.org (lyger) Date: Mon, 26 Jun 2006 13:12:02 -0400 (EDT) Subject: [Dataloss] NC update: 600 students info listed online Message-ID: "Google broke through the password and username protected server..." ??? http://www.hickoryrecord.com/servlet/Satellite?pagename=HDR/MGArticle/HDR_BasicArticle&c=MGArticle&cid=1149188715461 BY LAUREN WILLIAMSON Record Staff Writer Saturday, June 24, 2006 [...] Q. What's on the screen? A. The names, Social Security numbers and test scores of 619 current and former students from Catawba County Schools. The students were seventh- and eighth-grade students at Jacobs Fork, River Bend, Mill Creek, Tuttle and H.M. Arndt middle schools during the 2001-02 school year. The test scores were from a keyboarding and computer applications placement test, so not every middle school student's information was in the file. Q. How did this happen? A. School system officials say Google broke through the password and username protected server the information was stored in and took a photo of the page, which it posted to the Internet. Q. What is cached? A. Cache is a snapshot of a page of information available on the Internet. Google's Web site said it takes photographs of pages as it crawls the Web. Q. What protection is there for students? A. Superintendent Tim Markley said the school system stopped using student Social Security numbers as identification numbers during the 2001-02 school year. Since then, every student is given a unique student ID number. All files in the DocuShare server that contain Social Security numbers have been or will be deleted. 
From lyger at attrition.org Mon Jun 26 16:58:36 2006 From: lyger at attrition.org (lyger) Date: Mon, 26 Jun 2006 16:58:36 -0400 (EDT) Subject: [Dataloss] Sensitive Info Available on King County (Washington) Web Site Message-ID: Via Fergie's Tech Blog: http://fergdawg.blogspot.com/ http://seattlepi.nwsource.com/local/275386_records26ww.html King County Elections has posted the social security numbers for potentially thousands of current and former county residents, County Council member Reagan Dunn said Monday. "Within forty-five minutes, my staff was able to retrieve online documents with the social security numbers of numerous local elected officials and other high-profile individuals," Dunn said. "If we had a criminal agenda, these people would be victims of identity-theft by now." Dunn said the problem was revealed when a constituent contacted his office to say that by performing a records search on herself, she had found her social security number on the election Web site. [...] From lyger at attrition.org Mon Jun 26 22:33:18 2006 From: lyger at attrition.org (lyger) Date: Mon, 26 Jun 2006 22:33:18 -0400 (EDT) Subject: [Dataloss] Sailors Privacy Data Found on Web has Katrina Link Message-ID: (new info, slightly higher numbers than previously reported) Via Fergie's Tech Blog: http://fergdawg.blogspot.com/ http://news.yahoo.com/s/ap/20060626/ap_on_go_ca_st_pe/navy_data Some of the Navy sailors and families whose personal data was discovered last week on a civilian Web site had been affected by Hurricane Katrina, the Navy said Monday. Navy officials also said the names, birth dates and Social Security numbers of more than 30,000 individuals had been disclosed - a bit higher than the 28,000 estimated last Friday when the breach was first revealed. The sailors involved were stationed in the Southern U.S. during the hurricane. [...] 
From rforno at infowarrior.org Mon Jun 26 22:39:29 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 26 Jun 2006 22:39:29 -0400
Subject: [Dataloss] Senators introduce data security legislation
Message-ID:

Senators introduce data security legislation
By John Poirier
Reuters
Monday, June 26, 2006; 9:08 PM
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/26/AR2006062601251_pf.html

WASHINGTON (Reuters) - Two senators on Monday introduced legislation to better protect sensitive personal data held by institutions including financial services firms, retailers and government agencies. "We are not doing enough to protect consumers and businesses from identity theft and account fraud," said Sen. Bob Bennett, a Utah Republican who chairs the Senate banking subcommittee on financial institutions. Bennett and Sen. Tom Carper, a Delaware Democrat, introduced the Data Security Act of 2006, which creates a uniform national standard to safeguard data on Social Security, driver's licenses, credit cards, and account access codes and passwords. It also requires that notifications be sent to consumers when there is a likelihood that stolen identities or accounts could cause "substantial harm or inconvenience." Similar legislation has emerged from committees in the House of Representatives, but the full House has not yet voted on a final version. Personal information on 26.5 million veterans was stolen last month from the Department of Veterans Affairs. Since then, authorities have said the stolen data includes information on 2.2 million active-duty, National Guard and Reserve troops. Personal data on 28,000 U.S. sailors and their families appeared on a public Web site last week. Even Agriculture Secretary Mike Johanns and other top officials were among 26,000 people whose personal information may have been stolen by a computer hacker, the department said last week.
"We used to just worry about people breaking into our homes or stealing our cars, but in the 21st century, we have to worry about people stealing our identities via computers and the Internet," Carper said. The Senate bill would cover any information that could be used to commit identity theft or account fraud at businesses and government institutions, which would be required to safeguard all paper and electronic records. The American Bankers Association said banks already have a system in place. "It makes sense to extend bank-like regulations to other industries that handle sensitive information," said ABA executive director Floyd Stoner. The bill would also charge state and federal regulatory agencies to oversee the operations and business practices of their entities, and the agencies themselves would be internally regulated. © 2006 Reuters

From rforno at infowarrior.org Tue Jun 27 14:14:48 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 27 Jun 2006 14:14:48 -0400
Subject: [Dataloss] OMB Sets Guidelines for Federal Employee Laptop Security
Message-ID:

OMB Sets Guidelines for Federal Employee Laptop Security
By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, June 27, 2006; 11:22 AM
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700540_pf.html

The Bush administration is giving federal civilian agencies 45 days to implement new measures to protect the security of personal information that agencies hold on millions of employees and citizens. The new security guidelines, issued Friday by the White House Office of Management and Budget, cap a month marked by data thefts or disclosures at five different agencies that compromised Social Security numbers and other private data on millions of people. To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director.
Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required. OMB said agencies are expected to have the measures in place within 45 days, and that it would work with agency inspector generals to ensure compliance. It stopped short of calling the changes "requirements," choosing instead to label them "recommendations" that were intended "to compensate for the protections offered by the physical security controls when information is removed from, or accessed from outside of the agency location." That careful distinction indicates that the administration is under pressure to respond to the recent string of data mishaps, but that it could not quickly pull all the political and financial strings usually tied to regulatory mandates, according to James Lewis, director of technology and public policy at the Center for Strategic and International Studies. "The encryption and authentication measures mean agencies are going to have to spend money that they weren't planning to spend, and so in that way it's probably easier for [OMB] to get a recommendation out than [a] command," Lewis said. "That said, this is more of an implied threat, because you usually don't threaten agencies with their inspector general unless you intend to lean on them." "The safeguards that the White House is calling for are excellent," said Alan Paller, director of research for the SANS Institute, a security training group based in Bethesda, Md.
However, Paller said, agencies are likely to become preoccupied with a document attached to the memo that spells out nearly a dozen new "action items" devised by the National Institutes of Standards and Technology (NIST). "The sad thing is that NIST grasped defeat from jaws of victory by crafting a document that requires agencies to spend a lot of time and tens of thousands of dollars in studies to figure out what to do next." The new guidelines (viewable here as a PDF document) also drew a strong reaction from House Government Reform Committee Chairman Thomas M. Davis III (R-Va.), whose panel has awarded government-wide cyber-security efforts a grade of D-plus or worse for the past four years in a row. "I sincerely hope this action leads to both better results and better practices -- and if not, perhaps Congress will have to step in and mandate specific security requirements," Davis said in a statement. The recent string of data incidents began May 22, when the Department of Veterans Affairs disclosed that a laptop and external hard drive -- including the unencrypted names, Social Security numbers and birth dates for about 26.5 million veterans -- were stolen earlier in the month from the home of a VA employee. On June 5, the Internal Revenue Service said a missing laptop contained the Social Security numbers, fingerprints and names of 291 employees and IRS job applicants. Two weeks later the Agriculture Department revealed that a hacker had broken into its network and stolen names, Social Security numbers and photos of some 26,000 employees and contractors in the Washington area. Then on Thursday the Federal Trade Commission -- an agency whose mission includes consumer protection and occasionally involves suing companies for negligence in protecting customer information -- said it lost a pair of laptops that contained Social Security numbers and financial data related to different law enforcement investigations. 
That same day, the Navy said it was investigating how Social Security numbers and other personal data for 28,000 sailors and family members wound up on a civilian Web site. © 2006 Washingtonpost.Newsweek Interactive

From lyger at attrition.org Tue Jun 27 17:30:48 2006
From: lyger at attrition.org (lyger)
Date: Tue, 27 Jun 2006 17:30:48 -0400 (EDT)
Subject: [Dataloss] 88 million... is it really an accurate number?
Message-ID:

For the past few days, I've been doing more research on recent data breaches, especially including types of breaches and numbers affected. One number keeps coming up in the media: 88 million. In many cases, "88 million" is described as the number of compromised records. In other cases, it is described as "Americans" or "people":

http://www.first.org/newsroom/globalsecurity/32460.html (Americans)
http://biz.yahoo.com/bizwk/060623/b3991041.html (Americans)
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001282 (records)
http://www.internetnews.com/security/article.php/3615461 (people)

We know that the number 88,000,000 or so has been calculated by adding the number of total people affected from all listed breaches since Choicepoint in February 2005. Looking at this total though, it seems to me that the number is inflated due to the fact that it appears to represent unique individuals. The VA breach really caused me to take a better look at the situation and rework some of the numbers.

In this situation, all numbers are estimates and examples are hypothetical. Let's use 26.5 million as the estimated number of people affected in the VA breach. Because the total U.S. population is approaching 300 million, 26.5 million would represent one out of every eleven U.S. citizens, or roughly nine percent. For rounding purposes, let's say about ten percent of U.S. citizens were affected by the VA breach.

88,000,000 total
minus
26,500,000 VA
----------------
61,500,000 non-VA breached

Assuming ten percent of the U.S. population has been in the military based on the VA numbers, it would be safe to estimate that about 6.15 million former vets were involved in all other breaches. Those 6.15 million would be duplicated in the VA total, so should be subtracted from the overall total, which would then equal about 81.85 million.

But what about other duplicates? I'm sure many people were affected by more than one breach. Those with records in the Choicepoint incident may likely have been affected by the LexisNexis breach. Someone with an Ameriprise account may have been cared for by Providence Home Services. It probably goes on and on to the point that the *unique* number of people affected will probably never be accurately determined. I can understand saying 88 million "records" have been breached, but if we're judging by records and not individuals, then Acxiom would have been the worst breach of all time:

http://attrition.org/errata/dataloss/2003/12/acxiom05.html

More than a billion records.. but how many individuals? Did each individual have ten records per listing in Acxiom's database? Fifty? A hundred? Did Acxiom really have the records of one-sixth of the world's population in a database? Did the media bother to make this distinction, or just use the number "one billion" for shock value without digging to find the facts?

I honestly believe that the media either is using the wrong terminology when referring to "number affected" or doesn't understand the complexity of quantitatively analyzing how many people are truly affected by data breaches. This may be a point for us all to consider when using overall "totals" as a statistic in the media. While the number of individual records, Americans, or people *per incident* may be relatively accurate, 88 million "people" or "Americans" seems high, and it should be the media's responsibility to make this distinction.
Lyger

From blitz at strikenet.kicks-ass.net Tue Jun 27 17:42:19 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Tue, 27 Jun 2006 17:42:19 -0400
Subject: [Dataloss] 88 million... is it really an accurate number?
In-Reply-To:
References:
Message-ID: <7.0.1.0.2.20060627173814.03b27d08@strikenet.kicks-ass.net>

Note, they're now claiming the VA losses at 28.7 million, due to spousal info.

http://www.newswithviews.com/Stuter/stuter94.htm

At 17:30 6/27/2006, you wrote:
>For the past few days, I've been doing more research on recent data breaches,
>especially including types of breaches and numbers affected. One
>number keeps
>coming up in the media: 88 million. In many cases, "88 million" is described
>as the number of compromised records. In other cases, it is described as
>"Americans" or "people":
>
>http://www.first.org/newsroom/globalsecurity/32460.html (Americans)
>
>http://biz.yahoo.com/bizwk/060623/b3991041.html (Americans)
>
>http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001282
>
>(records)
>
>http://www.internetnews.com/security/article.php/3615461 (people)
>
>We know that the number 88,000,000 or so has been calculated by adding the
>number of total people affected from all listed breaches since Choicepoint in
>February 2005. Looking at this total though, it seems to me that
>the number is
>inflated due to the fact that it appears to represent unique
>individuals. The
>VA breach really caused me to take a better look at the situation and rework
>some of the numbers.
>
>In this situation, all numbers are estimates and examples are hypothetical.
>Let's use 26.5 million as the estimated number of people affected in the VA
>breach. Because the total U.S. population is approaching 300 million, 26.5
>million would represent one out of every eleven U.S. citizens, or
>roughly nine
>percent. For rounding purposes, let's say about ten percent of U.S. citizens
>were affected by the VA breach.
>
>88,000,000 total
>minus
>26,500,000 VA
>----------------
>61,500,000 non-VA breached
>
>Assuming ten percent of the U.S. population has been in the military based on
>the VA numbers, it would be safe to estimate that about 6.15 million former
>vets were involved in all other breaches. Those 6.15 million would be
>duplicated in the VA total, so should be subtracted from the overall total,
>which would then equal about 81.85 million.
>
>But what about other duplicates? I'm sure many people were affected by more
>than one breach. Those with records in the Choicepoint incident may likely
>have been affected by the LexisNexis breach. Someone with an Ameriprise
>account may have been cared for by Providence Home Services. It probably goes
>on and on to the point that the *unique* number of people affected will
>probably never be accurately determined. I can understand saying 88 million
>"records" have been breached, but if we're judging by records and not
>individuals, then Acxiom would have been the worst breach of all time:
>
>http://attrition.org/errata/dataloss/2003/12/acxiom05.html
>
>More than a billion records.. but how many individuals? Did each individual
>have ten records per listing in Acxiom's database? Fifty? A hundred? Did
>Acxiom really have the records of one-sixth of the world's population in a
>database? Did the media bother to make this distinction, or just use the
>number "one billion" for shock value without digging to find the facts?
>
>I honestly believe that the media either is using the wrong terminology when
>referring to "number affected" or doesn't understand the complexity of
>quantitatively analyzing how many people are truly affected by data
>breaches.
>This may be a point for us all to consider when using overall "totals" as a
>statistic in the media.
>While the number of individual records, Americans, or
>people *per incident* may be relatively accurate, 88 million "people" or
>"Americans" seems high, and it should be the media's responsibility to make
>this distinction.
>
>Lyger
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/errata/dataloss/

From lyger at attrition.org Tue Jun 27 18:05:05 2006
From: lyger at attrition.org (lyger)
Date: Tue, 27 Jun 2006 18:05:05 -0400 (EDT)
Subject: [Dataloss] U.S. GAO Removes Archived Personal Data from Website
Message-ID:

Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://www.gcn.com/online/vol1_no1/41171-1.html

The Government Accountability Office has pulled from its Web site personal information on certain government employees after discovering that the archived data had been inadvertently posted online. In a recent notice, GAO said the data came from audit reports on Defense Department travel vouchers from the 1970s and included some service members' names, Social Security numbers and addresses. GAO estimates that fewer than 1,000 people were impacted. David Walker, head of the GAO and comptroller of the U.S., ordered the agency to remove the data and directed officials to contact the Pentagon and other affected organizations and urge them to purge similar files. [...]

From hobbit at avian.org Tue Jun 27 19:05:02 2006
From: hobbit at avian.org (*Hobbit*)
Date: Tue, 27 Jun 2006 23:05:02 +0000 (GMT)
Subject: [Dataloss] 88 million... is it really an accurate number?
Message-ID: <20060627230502.A91C1C328@relayer.avian.org>

And what is a "record" in this case?
A single name-to-address or name-to-SSN mapping, or the whole block of name/addr/phones/ssn/ license-plate/preferred-underwear-brand/criminal-record/allergy-list?

_H*

From blitz at strikenet.kicks-ass.net Tue Jun 27 20:34:17 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Tue, 27 Jun 2006 20:34:17 -0400
Subject: [Dataloss] 88 million... is it really an accurate number?
In-Reply-To: <20060627230502.A91C1C328@relayer.avian.org>
References: <20060627230502.A91C1C328@relayer.avian.org>
Message-ID: <7.0.1.0.2.20060627203101.03bba880@strikenet.kicks-ass.net>

I would imagine any combination of personally identifiable information that could be used to impersonate someone. Medical records are supposed to be protected under the HIPAA laws, but to date, NO ONE has been prosecuted/fined for violations, and they are indeed widespread. I myself have had private medical information leaked. I filed a complaint, but it falls on deaf ears. Ears that are intending to protect the wrongdoers.

At 19:05 6/27/2006, you wrote:
>And what is a "record" in this case? A single name-to-address or
>name-to-SSN mapping, or the whole block of name/addr/phones/ssn/
>license-plate/preferred-underwear-brand/criminal-record/allergy-list?
>
>_H*
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/errata/dataloss/

From lyger at attrition.org Tue Jun 27 21:08:13 2006
From: lyger at attrition.org (lyger)
Date: Tue, 27 Jun 2006 21:08:13 -0400 (EDT)
Subject: [Dataloss] 88 million... is it really an accurate number?
In-Reply-To: <7.0.1.0.2.20060627203101.03bba880@strikenet.kicks-ass.net> References: <20060627230502.A91C1C328@relayer.avian.org> <7.0.1.0.2.20060627203101.03bba880@strikenet.kicks-ass.net> Message-ID: On Tue, 27 Jun 2006, blitz wrote: ": " I would imagine any combination of personally identifiable information that ": " could be used to impersonate someone. ": " Medical records are supposed to be protected under the HIPPA laws, but to ": " date, NO ONE has been prosecuted/fined for violations, and they are indeed ": " widespread. I myself have had private medical information leaked. I filed a ": " complaint, but it falls on deaf ears. Ears that are intending to protect ": " the wrongdoers. ": " ": " ": " At 19:05 6/27/2006, you wrote: ": " > And what is a "record" in this case? A single name-to-address or ": " > name-to-SSN mapping, or the whole block of name/addr/phones/ssn/ ": " > license-plate/preferred-underwear-brand/criminal-record/allergy-list? ": " > ": " > _H* Hobbit's question leads to yet another question regarding uniqueness: You're an American citizen and have three credit cards. Two are VISAs, one is a MasterCard. Are you: 1. One "record" because of your name and mailing address, 2. Two "records" because you have two different brands of cards, 3. Three "records" because you have three unique card numbers, or 4. Six records because of the cross-references between your card brands and card numbers that seem to exist in various databases? I can't honestly answer that question, so any insight would be appreciated. Are combined raw numbers really useful? Example = Ohio University. In their four or five breaches, are they counting for uniques? Did one person's records live on five different breached servers? One media story says 360,000. Another says 70,000. Is the media counting "records", "names", "unique individuals", or some other criteria? 
(if responding, please post below for easier thread-following)


From lyger at attrition.org Wed Jun 28 09:12:13 2006
From: lyger at attrition.org (lyger)
Date: Wed, 28 Jun 2006 09:12:13 -0400 (EDT)
Subject: [Dataloss] 88 million... is it really an accurate number? (fwd)
Message-ID:

---------- Forwarded message ----------
From: blitz
To: lyger
Date: Wed, 28 Jun 2006 09:08:38 -0400
Subject: [Dataloss] 88 million... is it really an accurate number?

> On Tue, 27 Jun 2006, lyger wrote:
> Hobbit's question leads to yet another question regarding uniqueness:
>
> You're an American citizen and have three credit cards. Two are VISAs, one is a MasterCard. Are you:
>
> 1. One "record" because of your name and mailing address,
> 2. Two "records" because you have two different brands of cards,
> 3. Three "records" because you have three unique card numbers, or
> 4. Six records because of the cross-references between your card brands and card numbers that seem to exist in various databases?
>
> I can't honestly answer that question, so any insight would be appreciated. Are combined raw numbers really useful? Example = Ohio University. In their four or five breaches, are they counting for uniques? Did one person's records live on five different breached servers? One media story says 360,000. Another says 70,000. Is the media counting "records", "names", "unique individuals", or some other criteria?
>
> (if responding, please post below for easier thread-following)

Hmm.. I see your problem..

I'd say, every breach, at a different time, or different data, by the same or other reason/fault that allowed it to be acquired would constitute a separate incident.

In other words, if XYZ company lost your personally identifiable info on Monday, but the thieves came back on Tuesday, and got either the same or different data, each would count as a separate incident. This would tend to push figures higher, as the invader might have copied A-M account data on Monday, and A-Z Tuesday, but since they were on different occasions, yes, I'd count them as separate incidents for the record. Of course, XYZ would like to say "there was a data loss", but as long as we can date the incursions, they should be separate IMHO.

We ALL know the stats are being manipulated DOWN by those affected for liability reasons...so if you can document individual breaches, by all means count them as separate.


From ADAIL at sunocoinc.com Wed Jun 28 11:21:17 2006
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Wed, 28 Jun 2006 11:21:17 -0400
Subject: [Dataloss] 88 million... is it really an accurate number? (fwd)
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8E237FE4@mds3aex0e.USISUNOCOINC.com>

---------- Forwarded message ----------
From: blitz
To: lyger
Date: Wed, 28 Jun 2006 09:08:38 -0400
Subject: [Dataloss] 88 million... is it really an accurate number?

> On Tue, 27 Jun 2006, lyger wrote:
> Hobbit's question leads to yet another question regarding uniqueness:
>
> You're an American citizen and have three credit cards. Two are VISAs, one is a MasterCard. Are you:
>
> 1. One "record" because of your name and mailing address,
> 2. Two "records" because you have two different brands of cards,
> 3. Three "records" because you have three unique card numbers, or
> 4. Six records because of the cross-references between your card brands and card numbers that seem to exist in various databases?
>
> I can't honestly answer that question, so any insight would be appreciated. Are combined raw numbers really useful? Example = Ohio University. In their four or five breaches, are they counting for uniques? Did one person's records live on five different breached servers? One media story says 360,000. Another says 70,000. Is the media counting "records", "names", "unique individuals", or some other criteria?
>
> (if responding, please post below for easier thread-following)

Hmm.. I see your problem..

I'd say, every breach, at a different time, or different data, by the same or other reason/fault that allowed it to be acquired would constitute a separate incident.

In other words, if XYZ company lost your personally identifiable info on Monday, but the thieves came back on Tuesday, and got either the same or different data, each would count as a separate incident. This would tend to push figures higher, as the invader might have copied A-M account data on Monday, and A-Z Tuesday, but since they were on different occasions, yes, I'd count them as separate incidents for the record. Of course, XYZ would like to say "there was a data loss", but as long as we can date the incursions, they should be separate IMHO.

We ALL know the stats are being manipulated DOWN by those affected for liability reasons...so if you can document individual breaches, by all means count them as separate.

In addition, many retailers do not keep customer records that allow them to cross reference a credit card number with a customer name or address (especially important in lieu of some of the notification laws being passed). So, if company A (which only stores card numbers and perhaps expiration dates) has a breach, their only method of notification would be to report the incident to their settlement provider (such as Paymentech), who will report the incident to the card associations and the bank that issued the cards, but no agency would then cross reference to see if that "person" has been affected by another company. Visa will not check with American Express, etc.

I personally have been affected 3 times this year. Once by the Veterans Administration, once by Wells Fargo Student Loans, and once by Wells Fargo Home Mortgage. All three were stolen laptops.
From lyger at attrition.org Wed Jun 28 13:15:01 2006
From: lyger at attrition.org (lyger)
Date: Wed, 28 Jun 2006 13:15:01 -0400 (EDT)
Subject: [Dataloss] Minnesota - Revenue data apparently lost in mail
Message-ID:

http://www.startribune.com/462/story/520906.html

Heron Marquez Estrada
Last update: June 28, 2006 - 12:02 PM

A package containing public and private data on about 2,400 individuals and 48,000 businesses is missing, the Minnesota Department of Revenue said today.

The department said the package, containing checks and a data tape, was lost in the mail and that it is working with the U.S. Postal Service to find it.

...

As required by state law, the department this morning mailed letters to the 2,400 individuals affected. The letters should arrive by the end of the week. The department said it is still working to notify the affected businesses and that should be done within a week or so.

...

Steve Kraatz, acting chief information officer for the Department of Revenue, said that the data on the tape contains the names, addresses, employment data, Social Security numbers of the individuals and the names and tax data for the 48,000 businesses.

[...]


From cwalsh at cwalsh.org Wed Jun 28 22:25:46 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 28 Jun 2006 21:25:46 -0500
Subject: [Dataloss] Self-storage outfit exposes 13K
Message-ID: <20060629022537.GA32635@cwalsh.org>

[A "devil's advocate" comment:

If I owned this company, I would only notify those persons for whom my web logs showed inquiries having been made. This outfit is ignorant, and is "overcomplying". Perhaps the ISP doesn't save web logs reaching back long enough. ]

http://cbs5.com/topstories/local_story_178210503.html

(CBS 5) A CBS 5 investigation has confirmed a security breach at a popular self-storage company that may have exposed customers' private information on its website.

AAAAA Rent-A-Space has taken its online payment system offline and is notifying thousands of customers to check for identity theft after CBS 5 told the company about a flaw on their website.

Howard Fortner describes the security at AAAAA Rent-A-Space in Colma as tighter than Fort Knox. So he was surprised when the cyber gate was left wide open on the storage facility's website.

While trying to make an online payment, Fortner says he accidentally typed in someone else's storage unit number along with his password, which is his phone number.

Up popped another customer's private information, including a name, address, credit card, and Social Security number.

"I thought about mine's as vulnerable as that one," Fortner said. "I tried it with a different number, and several accounts opened up."

His password opened at least five other customer profiles.

After CBS 5 alerted AAAAA Rent-A-Space to the problem, the company worked with the Arizona software developer who created the site's account-based program called "Web-Expres." By late Tuesday afternoon, they found the glitch and have taken the payment system offline until it is patched.

AAAAA Rent-A-Space says its online payment system has been up for a year with no other incidents reported.

The company says it plans to mail out 13,000 letters about the discovery to customers in California and Hawaii, including those who have items stored at the 10 Bay Area facilities.
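The access-control flaw the CBS 5 story describes, as an added Python illustration that is not part of the original message or of the Web-Expres software: a lookup that validates the password against any account and then fetches whatever unit number was typed, beside a version that binds the unit to the authenticated account and logs who asked for what, which is also the information the "only notify those whose web logs show inquiries" idea above would need. Account names, phone numbers and unit numbers are constructed, and how the real check failed is an assumption.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed illustration, not the Web-Expres code. The story says a customer's
# own password (his phone number) typed with someone else's unit number returned
# that other customer's profile. Assumption: the lookup was keyed on the unit
# number alone and the password was only checked for being valid for *some* account.

PBKDF2_ROUNDS = 50_000  # kept low for the example; production uses far more

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    account_id: str
    phone: str        # the site used the customer's phone number as the password
    units: Set[str]   # storage units this account is allowed to view
    salt: bytes
    pw_hash: bytes

    def check_password(self, password: str) -> bool:
        # Constant-time comparison of the derived hash.
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)

@dataclass
class Profile:
    unit: str
    name: str
    card_last4: str   # only the masked card form is stored in this example

def make_account(account_id: str, phone: str, units: Set[str]) -> Account:
    salt = secrets.token_bytes(16)
    return Account(account_id, phone, units, salt, hash_password(phone, salt))

# Constructed sample data: two customers, three units, accounts keyed by phone.
ACCOUNTS: Dict[str, Account] = {
    a.phone: a
    for a in (
        make_account("cust-1", "6505550101", {"A-101"}),
        make_account("cust-2", "6505550202", {"B-220", "B-221"}),
    )
}
PROFILES: Dict[str, Profile] = {
    "A-101": Profile("A-101", "Customer One", "1111"),
    "B-220": Profile("B-220", "Customer Two", "2222"),
    "B-221": Profile("B-221", "Customer Two", "2222"),
}

def vulnerable_lookup(unit: str, password: str, audit: List[str]) -> Optional[Profile]:
    """Flawed: any valid customer password unlocks any unit, and the audit line
    never records which account asked, so the log cannot later tell whose
    profiles were actually viewed."""
    if any(acct.check_password(password) for acct in ACCOUNTS.values()):
        audit.append(f"VIEW unit={unit}")
        return PROFILES.get(unit)
    audit.append(f"DENY unit={unit}")
    return None

def hardened_lookup(phone: str, password: str, unit: str,
                    audit: List[str]) -> Optional[Profile]:
    """Authenticate one account, then authorise the unit against that account,
    and record who asked for what."""
    acct = ACCOUNTS.get(phone)
    if acct is None or not acct.check_password(password):
        audit.append(f"DENY reason=auth unit={unit}")
        return None
    if unit not in acct.units:
        # Authenticated, but the unit is someone else's: a typo or a probe.
        audit.append(f"DENY reason=authz account={acct.account_id} unit={unit}")
        return None
    audit.append(f"VIEW account={acct.account_id} unit={unit}")
    return PROFILES.get(unit)

def probing_accounts(audit: List[str], threshold: int = 2) -> List[str]:
    """Detection over the hardened log: accounts with at least `threshold`
    authorisation denials, i.e. logins that kept asking for units they do not
    own. The vulnerable log cannot answer this; it never said who asked."""
    counts: Dict[str, int] = {}
    for line in audit:
        if not line.startswith("DENY reason=authz"):
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        counts[fields["account"]] = counts.get(fields["account"], 0) + 1
    return sorted(a for a, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    log: List[str] = []
    # Customer one's own password typed with customer two's unit number.
    print(vulnerable_lookup("B-220", "6505550101", log))             # leaks Customer Two
    hlog: List[str] = []
    print(hardened_lookup("6505550101", "6505550101", "B-220", hlog))  # None
    hardened_lookup("6505550101", "6505550101", "B-221", hlog)
    print(probing_accounts(hlog))                                      # ['cust-1']
```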
From george at myitaz.com Thu Jun 29 02:40:57 2006
From: george at myitaz.com (George Toft)
Date: Wed, 28 Jun 2006 23:40:57 -0700
Subject: [Dataloss] Self-storage outfit exposes 13K
In-Reply-To: <20060629022537.GA32635@cwalsh.org>
References: <20060629022537.GA32635@cwalsh.org>
Message-ID: <44A375F9.4060908@myitaz.com>

This is a Windows-based application issue and the owners might not know where the logs are, nor how to read them. Also, the logging might not have audit points like "who logged in" - don't laugh - I've seen exactly this on many applications.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

Chris Walsh wrote:
> [A "devil's advocate" comment:
>
> If I owned this company, I would only notify those persons for whom my web logs showed inquiries having been made. This outfit is ignorant, and is "overcomplying". Perhaps the ISP doesn't save web logs reaching back long enough. ]
>
> http://cbs5.com/topstories/local_story_178210503.html
>
> (CBS 5) A CBS 5 investigation has confirmed a security breach at a popular self-storage company that may have exposed customers' private information on its website.
>
> AAAAA Rent-A-Space has taken its online payment system offline and is notifying thousands of customers to check for identity theft after CBS 5 told the company about a flaw on their website.
>
> Howard Fortner describes the security at AAAAA Rent-A-Space in Colma as tighter than Fort Knox. So he was surprised when the cyber gate was left wide open on the storage facility's website.
>
> While trying to make an online payment, Fortner says he accidentally typed in someone else's storage unit number along with his password, which is his phone number.
>
> Up popped another customer's private information, including a name, address, credit card, and Social Security number.
>
> "I thought about mine's as vulnerable as that one," Fortner said. "I tried it with a different number, and several accounts opened up."
>
> His password opened at least five other customer profiles.
>
> After CBS 5 alerted AAAAA Rent-A-Space to the problem, the company worked with the Arizona software developer who created the site's account-based program called "Web-Expres." By late Tuesday afternoon, they found the glitch and have taken the payment system offline until it is patched.
>
> AAAAA Rent-A-Space says its online payment system has been up for a year with no other incidents reported.
>
> The company says it plans to mail out 13,000 letters about the discovery to customers in California and Hawaii, including those who have items stored at the 10 Bay Area facilities.


From lyger at attrition.org Thu Jun 29 07:46:57 2006
From: lyger at attrition.org (lyger)
Date: Thu, 29 Jun 2006 07:46:57 -0400 (EDT)
Subject: [Dataloss] Data Loss in Huntsville AL
Message-ID:

---------- Forwarded message ----------
From: Henry Brown
Date: Thu, 29 Jun 2006 05:14:13 -0500

http://tinyurl.com/geta4

A Huntsville branch of a major insurance company has a breach of security. A computer stolen from the office, released valuable customer information, and now it's in the hands of a criminal.

The computer stolen came from an AllState office in Bailey Cove.

...

More than 27,000 AllState customers in Alabama got one says AllState Agent, Craig Wiggins, "Over Memorial Day weekend we had a theft of a computer."

[...]


From ADAIL at sunocoinc.com Thu Jun 29 10:19:27 2006
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Thu, 29 Jun 2006 10:19:27 -0400
Subject: [Dataloss] Self-storage outfit exposes 13K
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8E237FED@mds3aex0e.USISUNOCOINC.com>

Notification is a particularly touchy subject, especially with the lawyers who advise the decision makers.
This whole arena is new to most corporate attorneys, and corporate attorneys do not like wading in unfamiliar legal waters. By default, when a lawyer is uncomfortable, they usually recommend the most conservative approach that will cover every base possible. Once a recommendation to notify everyone is made by the attorney, very few executives will disregard legal advice they have paid for, and do something else.

California wrote the original law on customer notification, and everyone seems to be using their law as the basis for their own set of standards. The confusion, in my personal opinion, originates with the number of jurisdictions that feel empowered to pass laws regarding data security (Westchester County, NY passed their own encryption standards: http://www.msnbc.msn.com/id/12412271/). Until the Feds step in and codify uniform standards, you'll continue to see States, Counties, and even individual cities pass their own regulations, sometimes with differing standards (for instance, Visa requires all but the last 4 numbers of a credit card be masked on a sales ticket; North Carolina has set 5 numbers as a standard, by law). In the example of Sarbanes-Oxley, the cure may well be more expensive than the disease.

Additionally, "Data Security" has mostly (functionally at least) been pushed out by the card companies, but as an effort to preempt the Feds from passing aforementioned regulation. Many Class 1 Merchants did not even find out about PCI, for instance, until a month before their original compliance deadline. Even then, the monitoring requirement buck was passed down to the settlement providers, who are passing their own set of standards. For instance, Paymentech has made Visa / MasterCard's PABP (Payment Application Best Practices) mandatory for any retailer who hooks a payment system to their network.

Currently, the whole environment is very reminiscent of the era when each State, and even each bank, was allowed to print its own money, or perhaps when there were no uniform hardware standards between computer manufacturers. Everyone understands there is a problem and most people want to do the right thing, but not everyone agrees on what the right thing is, or which standards or methodologies should be employed. We're using a dozen different guidelines to secure a single monetary processing system.

Andy Dail
Sunoco PCI Project Manager
(918) 586-6360

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of George Toft
Sent: Thursday, June 29, 2006 1:41 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] Self-storage outfit exposes 13K

This is a Windows-based application issue and the owners might not know where the logs are, nor how to read them. Also, the logging might not have audit points like "who logged in" - don't laugh - I've seen exactly this on many applications.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

Chris Walsh wrote:
> [A "devil's advocate" comment:
>
> If I owned this company, I would only notify those persons for whom my web logs showed inquiries having been made. This outfit is ignorant, and is "overcomplying". Perhaps the ISP doesn't save web logs reaching back long enough. ]
>
> http://cbs5.com/topstories/local_story_178210503.html
>
> (CBS 5) A CBS 5 investigation has confirmed a security breach at a popular self-storage company that may have exposed customers' private information on its website.
>
> AAAAA Rent-A-Space has taken its online payment system offline and is notifying thousands of customers to check for identity theft after CBS 5 told the company about a flaw on their website.
>
> Howard Fortner describes the security at AAAAA Rent-A-Space in Colma as tighter than Fort Knox. So he was surprised when the cyber gate was left wide open on the storage facility's website.
>
> While trying to make an online payment, Fortner says he accidentally typed in someone else's storage unit number along with his password, which is his phone number.
>
> Up popped another customer's private information, including a name, address, credit card, and Social Security number.
>
> "I thought about mine's as vulnerable as that one," Fortner said. "I tried it with a different number, and several accounts opened up."
>
> His password opened at least five other customer profiles.
>
> After CBS 5 alerted AAAAA Rent-A-Space to the problem, the company worked with the Arizona software developer who created the site's account-based program called "Web-Expres." By late Tuesday afternoon, they found the glitch and have taken the payment system offline until it is patched.
>
> AAAAA Rent-A-Space says its online payment system has been up for a year with no other incidents reported.
>
> The company says it plans to mail out 13,000 letters about the discovery to customers in California and Hawaii, including those who have items stored at the 10 Bay Area facilities.
From rforno at infowarrior.org Thu Jun 29 10:39:26 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Jun 2006 10:39:26 -0400
Subject: [Dataloss] VA Laptop Reportedly Recovered
Message-ID:

MSNBC reporting the stolen VA laptop with the 26 million records has been recovered.....I've not seen other reports yet, though.

-rf


From lyger at attrition.org Thu Jun 29 11:11:44 2006
From: lyger at attrition.org (lyger)
Date: Thu, 29 Jun 2006 11:11:44 -0400 (EDT)
Subject: [Dataloss] Stolen Laptop With Military Employees' Private Info Found
Message-ID:

(courtesy audit_at_attrition.org)

To follow up on Rick's previous post:

http://www.clickondetroit.com/money/9446101/detail.html?taf=det

POSTED: 10:49 am EDT June 29, 2006
UPDATED: 11:02 am EDT June 29, 2006

WASHINGTON -- The missing laptop has been found.

The head of the Department of Veterans Affairs said officials have recovered a laptop computer loaded with data on millions of U.S. veterans and service members.

The laptop was stolen last month, stoking fears that up to 26.5 million veterans were vulnerable to identity theft.

VA Secretary Jim Nicholson said there's "reason to be optimistic." He called the recovery "a very positive note in this very tragic incident."

[...]


From rforno at infowarrior.org Thu Jun 29 11:45:37 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 29 Jun 2006 11:45:37 -0400
Subject: [Dataloss] FBI announces VA laptop recovery
Message-ID:

Baltimore Division
Office of Public Affairs

PRESS RELEASE
FOR IMMEDIATE RELEASE
Contact: SA Michelle Crnkovich
Thursday, June 29, 2006
410-277-6223

DEPARTMENT OF VETERANS AFFAIRS OFFICE OF INSPECTOR GENERAL (OIG), THE FEDERAL BUREAU OF INVESTIGATION, AND MONTGOMERY COUNTY POLICE DEPARTMENT ANNOUNCE THE RECOVERY OF THE STOLEN LAPTOP AND EXTERNAL HARD DRIVE

Baltimore, Maryland - The Veterans Administration OIG, the Federal Bureau of Investigation, and the Montgomery County Police Department today announce the recovery of the stolen laptop computer, and the external hard drive, taken in a burglary on May 3, 2006. The electronic equipment contained sensitive information concerning over 26 million veterans, and the recovery of the data has been of paramount concern. The protection of the sensitive data, and well being of those potentially affected, have made this investigation the number one priority for the investigating agencies.

A preliminary review of the equipment by computer forensic teams has determined that the data base remains intact and has not been accessed since it was stolen. A thorough forensic examination is underway, and the results will be shared as soon as possible. The investigation is ongoing.

The Veterans Administration OIG, the Federal Bureau of Investigation and the Montgomery County Police Department would like to thank the United States Park Police for their invaluable work in this case. Their efforts led to the recovery of the equipment.

######

Call Baltimore FBI for any additional information

SSA Richard J. Kolko, FBI
Unit Chief, National Press Office
Office of Public Affairs
202.324.8785 Desk
202.324.3691 Office Switchboard
Blackberry email richard.kolko at ic.fbi.gov


From roy at rant-central.com Thu Jun 29 14:03:11 2006
From: roy at rant-central.com (Roy M. Silvernail)
Date: Thu, 29 Jun 2006 14:03:11 -0400 (EDT)
Subject: [Dataloss] FBI announces VA laptop recovery
In-Reply-To:
References:
Message-ID: <38383.192.168.1.22.1151604191.squirrel@mesmer.rant-central.com>

On Thu, June 29, 2006 11:45, Richard Forno forwarded:

> DEPARTMENT OF VETERANS AFFAIRS OFFICE OF INSPECTOR GENERAL (OIG), THE
> FEDERAL BUREAU OF INVESTIGATION, AND MONTGOMERY COUNTY POLICE DEPARTMENT
> ANNOUNCE THE RECOVERY OF THE STOLEN LAPTOP AND EXTERNAL HARD DRIVE
[...]
> A preliminary review of the equipment by computer forensic teams has
> determined that the data base remains intact and has not been accessed
> since it was stolen.

OK, somebody has to be asking: how would they know the data haven't been accessed? Especially on an external drive.

--
Roy M. Silvernail is roy at rant-central.com
"Antelope freeway, one sixty-fourth of a mile." - TFT
procmail->CRM114->/dev/null->bliss
http://www.rant-central.com


From lyger at attrition.org Thu Jun 29 16:23:00 2006
From: lyger at attrition.org (lyger)
Date: Thu, 29 Jun 2006 16:23:00 -0400 (EDT)
Subject: [Dataloss] Hacker Breaks In To Nebraska Child Support System
Message-ID:

Courtesy Fergie's Tech Blog:
http://fergdawg.blogspot.com/

http://www.ktiv.com/News/index.php?ID=2162

Nebraska state officials say a hacker broke into the child-support computer system run by the Nebraska Treasurer's Office.

Treasurer Ron Ross announced the breach Thursday. He says the hacker may have obtained names, Social Security numbers and other information of 300,000 people and 9,000 employers.

The system helps collect and disperse child-support payments.

The hacker got into a back-up computer server Wednesday morning for about 40 minutes and launched a virus, which Ross said was immediately removed.

Ross says he does not believe any information was downloaded, but that the State Patrol has launched a computer forensic investigation of the incident.

[...]


From lyger at attrition.org Fri Jun 30 06:20:18 2006
From: lyger at attrition.org (lyger)
Date: Fri, 30 Jun 2006 06:20:18 -0400 (EDT)
Subject: [Dataloss] U.S. Lawmakers: Two Other VA Data Breaches
Message-ID:

Via Fergie's Tech Blog:
http://fergdawg.blogspot.com/

http://www.infoworld.com/article/06/06/29/HNmorevadata_1.html

[...]

U.S. lawmakers said Thursday they have learned of two more data breaches at the U.S.
Department of Veterans Affairs (VA) even as the agency announced that law enforcement agencies had recovered stolen computer hardware containing the personal information of millions of U.S. military veterans.

The House of Representatives Veterans Affairs Committee has learned of a May 5 incident in which a data tape disappeared from a VA facility in Indianapolis, Indiana, and a 2005 incident in which a VA laptop was stored in the trunk of a car that was stolen in Minneapolis, Minnesota, said Representative Steve Buyer, chairman of the committee.

Also on Thursday, Pedro Cadenas Jr., the VA's chief information security officer (CISO), submitted his resignation. Cadenas, at the VA since 2002, had also served as acting deputy chief information officer (CIO) at the VA in recent months.

[...]


From lyger at attrition.org Fri Jun 30 06:24:05 2006
From: lyger at attrition.org (lyger)
Date: Fri, 30 Jun 2006 06:24:05 -0400 (EDT)
Subject: [Dataloss] U.S NIH Credit Union Hit by ID Theft Scheme
Message-ID:

http://www.gcn.com/online/vol1_no1/41202-1.html

The National Institutes of Health Federal Credit Union is investigating with law enforcement the identity theft of some of its 41,000 members.

The credit union sent out a notice of the identity theft scheme last week. The credit union is aware of how the data theft was committed but did not provide details.

[...]


From blitz at strikenet.kicks-ass.net Fri Jun 30 12:22:50 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Fri, 30 Jun 2006 12:22:50 -0400
Subject: [Dataloss] FBI announces VA laptop recovery
In-Reply-To: <38383.192.168.1.22.1151604191.squirrel@mesmer.rant-central.com>
References: <38383.192.168.1.22.1151604191.squirrel@mesmer.rant-central.com>
Message-ID: <7.0.1.0.2.20060630121903.0397ac60@strikenet.kicks-ass.net>

We just had this discussion on another list...he could have taken the drive out, copied/mirrored it, replaced it and returned the laptop for the reward. No files would have been changed, and the heat could die down. Next you know, the Russian credit-card mob would pay him $10-15,000 for the names, so:

$25,000 for returning it
$15,000 for selling the data
----------
$40,000 not a bad week's work....

At 14:03 6/29/2006, you wrote:
> On Thu, June 29, 2006 11:45, Richard Forno forwarded:
>
> > DEPARTMENT OF VETERANS AFFAIRS OFFICE OF INSPECTOR GENERAL (OIG), THE
> > FEDERAL BUREAU OF INVESTIGATION, AND MONTGOMERY COUNTY POLICE DEPARTMENT
> > ANNOUNCE THE RECOVERY OF THE STOLEN LAPTOP AND EXTERNAL HARD DRIVE
> [...]
> > A preliminary review of the equipment by computer forensic teams has
> > determined that the data base remains intact and has not been accessed
> > since it was stolen.
>
> OK, somebody has to be asking: how would they know the data haven't been accessed? Especially on an external drive.
> --
> Roy M. Silvernail is roy at rant-central.com
> "Antelope freeway, one sixty-fourth of a mile." - TFT
> procmail->CRM114->/dev/null->bliss
> http://www.rant-central.com


From blitz at strikenet.kicks-ass.net Fri Jun 30 14:41:53 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Fri, 30 Jun 2006 14:41:53 -0400
Subject: [Dataloss] FBI announces VA laptop recovery
In-Reply-To:
References: <7.0.1.0.2.20060630121903.0397ac60@strikenet.kicks-ass.net>
Message-ID: <7.0.1.0.2.20060630143122.0388d5d0@strikenet.kicks-ass.net>

Then with the mirrored disk, he has all the time in the world to operate on it, make more copies, etc. etc. and apply the forensic tools we all use daily.

I see the announcement more as damage control by those irresponsible enough to allow it to happen in the first place. I'll bet they're just happy to have it back, (if that's even the case, and this is not damage control to deflect Congress from blowing their tops and calling major hearings/broilings/inquisitions.)

It's not that this is uncommon; we've seen all too many reports of "So-and-so IG's office says data security policies at (insert favorite department here) resemble Swiss cheese" blah..blah... Nothing gets changed of course, a clone or two turn in their resignations, and go across the street, and in a few weeks/months, another report comes out something else is missing...all too familiar as we here see.

Let's see, VA is on its third breach, it appears..

Hell, my own personal LAN is better secured than many of these operations....

At 12:32 6/30/2006, Richard Forno wrote:
> Yeah anyone who thinks the laptop is 100% not-been-accessed is seriously misguided.....or stupid.
>
> -rf
>
>
> On 6/30/06 12:22 PM, "blitz" wrote:
>
> We just had this discussion on another list...he could have taken the drive out, copied/mirrored it, replaced it and returned the laptop for the reward. No files would have been changed, and the heat could die down. Next you know, the Russian credit-card mob would pay him $10-15,000 for the names, so:
>
> $25,000 for returning it
> $15,000 for selling the data
> ----------
> $40,000 not a bad week's work....
>
>
> At 14:03 6/29/2006, you wrote:
> On Thu, June 29, 2006 11:45, Richard Forno forwarded:
>
> > DEPARTMENT OF VETERANS AFFAIRS OFFICE OF INSPECTOR GENERAL (OIG), THE
> > FEDERAL BUREAU OF INVESTIGATION, AND MONTGOMERY COUNTY POLICE DEPARTMENT
> > ANNOUNCE THE RECOVERY OF THE STOLEN LAPTOP AND EXTERNAL HARD DRIVE
> [...]
> > A preliminary review of the equipment by computer forensic teams has
> > determined that the data base remains intact and has not been accessed
> > since it was stolen.
>
> OK, somebody has to be asking: how would they know the data haven't been accessed? Especially on an external drive.


From lyger at attrition.org Fri Jun 30 18:48:17 2006
From: lyger at attrition.org (lyger)
Date: Fri, 30 Jun 2006 18:48:17 -0400 (EDT)
Subject: [Dataloss] Arrests Made in '05 LexisNexis Data Breach
Message-ID:

Via Fergie's Tech Blog:
http://fergdawg.blogspot.com/

Federal authorities last week arrested five men in connection with a 2005 database breach at LexisNexis Group that the database giant said led to the theft of personal records on more than 310,000 individuals.
Some of the accused individuals, who range in age from 19 to 24, were also involved in the theft last year of revealing photos and other information from hotel heiress Paris Hilton's cell phone, and in using stolen or illegally created accounts at LexisNexis subsidiaries to look up Social Security numbers and other personal information on dozens of other Hollywood celebrities. [...] From bgivens at privacyrights.org Fri Jun 30 20:55:18 2006 From: bgivens at privacyrights.org (Beth Givens) Date: Fri, 30 Jun 2006 17:55:18 -0700 Subject: [Dataloss] Fwd: 88 million... is it really an accurate number? (fwd) Message-ID: <6.2.5.6.2.20060630175215.04cef068@privacyrights.org> I've appreciated reading the discussion about "88 million." That number most likely comes from our Chronology of Data Breaches, posted on our web site here: http://www.privacyrights.org/ar/ChronDataBreaches.htm We have revised the text to reflect number of RECORDS, rather than number of INDIVIDUALS. Thanks for your critical thinking on this matter. Beth Givens >Delivered-To: dataloss at attrition.org >Date: Wed, 28 Jun 2006 09:12:13 -0400 (EDT) >From: lyger >To: dataloss at attrition.org >Subject: [Dataloss] 88 million... is it really an accurate number? (fwd) >Precedence: list >List-Id: Incidents of Data Loss >List-Unsubscribe: , > >List-Archive: >List-Post: >List-Help: >List-Subscribe: , > >Sender: dataloss-bounces at attrition.org >Errors-To: dataloss-bounces at attrition.org > > > >---------- Forwarded message ---------- >From: blitz >To: lyger >Date: Wed, 28 Jun 2006 09:08:38 -0400 >Subject: [Dataloss] 88 million... is it really an accurate number? > > >On Tue, 27 Jun 2006, lyger wrote: > > >Hobbit's question leads to yet another question regarding uniqueness: > > > >You're an American citizen and have three credit cards. Two are VISAs, > >one is a MasterCard. Are you: > > > >1. One "record" because of your name and mailing address, > >2. 
Two "records" because you have two different brands of cards, > >3. Three "records" because you have three unique card numbers, or > >4. Six records because of the cross-references between your card brands > >and card numbers that seem to exist in various databases? > > > >I can't honestly answer that question, so any insight would be > >appreciated. Are combined raw numbers really useful? Example = Ohio > >University. In their four or five breaches, are they counting for > >uniques? Did one person's records live on five different breached > >servers? One media story says 360,000. Another says 70,000. Is the media > >counting "records", "names", "unique individuals", or some other criteria? > > > >(if responding, please post below for easier thread-following) > > >Hmm..I see your problem.. >I'd say, every breach, at a different time, or different data, by the >same or other reason/fault that allowed it to be acquired would >constitute a separate incident. > >In other words, is XYZ company lost your personally identifiable info >on Monday, but the thieves came back on Tuesday, and got either the >same or different data, each would count as a separate incident. This >would tend to push figures higher, as the invader might of copied A-M >account data on Monday, and A-Z Tuesday, but since they were on >different occasions, yes, I'd count them as separate incidents for >the record. Of course, XYZ would like to say "there was a data loss", >but as long as we can date the incursions, they should be separate IMHO. >We ALL know the stats are being manipulated DOWN by those affected >for liability reasons...so if you can document individual breaches, >by all means count them as separate. > >_______________________________________________ >Dataloss Mailing List (dataloss at attrition.org) >http://attrition.org/errata/dataloss/ The information, advice, and suggestions contained in this email should be used as an information source and not as legal advice. 
Beth Givens, Director Privacy Rights Clearinghouse 3100 - 5th Ave., Suite B San Diego, CA 92103 Voice: 619-298-3396 Fax: 619-298-5681 bgivens at privacyrights.org http://www.privacyrights.org +++++++++++++++++++++++++++++++++++++ Join our email newsletter. http://www.privacyrights.org/subscribe.html