From: lyger at attrition.org (lyger)
Date: Wed, 1 Nov 2006 09:13:41 -0500 (EST)
Subject: [Dataloss] Virginia: Data-rich computer stolen from Fort Monroe

http://www.dailypress.com/news/local/dp-67405sy0nov01,0,3737661.story?coll=dp-news-local-final

By Stephanie Heinatz
November 1, 2006

A laptop containing personal information about 4,600 high school seniors from across the country was stolen last week from the U.S. Army Cadet Command's headquarters at Fort Monroe, a spokesman confirmed Tuesday.

The students are applicants for the Army's four-year ROTC college scholarship. Their applications included their Social Security numbers, birth dates, home addresses, phone numbers, parents' names and mother's maiden names. A database containing that information was on the missing computer.

[...]


From: lyger at attrition.org (lyger)
Date: Thu, 2 Nov 2006 08:04:27 -0500 (EST)
Subject: [Dataloss] NY: Your identity may be stolen, vets are warned

http://www.nydailynews.com/news/local/story/467417p-393369c.html

The feds are warning hundreds of war veterans that they could become victims of identity theft because a computer was stolen from the Manhattan Veterans Affairs Medical Center.

The computer storing veterans' personal information was snatched Sept. 6 from the E. 23rd St. hospital, according to an Oct. 20 letter sent to veterans. Rep. Carolyn Maloney (D-Manhattan) released the letter yesterday and blasted VA officials for failing to warn veterans sooner.

[...]


From: ziplock at attrition.org (ziplock)
Date: Thu, 2 Nov 2006 12:24:17 -0500 (EST)
Subject: [Dataloss] Stolen computer may contain data on 1.4 million Coloradans

DENVER - A Dallas data processing company says personal information on as many as 1.4 million Coloradans may be in the hands of thieves.

A computer taken from Colorado state contractor Affiliated Computer Services contains the data of at least 500,000 people who made child support payments to Colorado's state Department of Human Services. It also holds data on up to nearly a million Coloradans newly hired to jobs anywhere in the state. The law requires employers to check data on all new employees against a state database to make sure the employee isn't being sought for child support payments.

ACS says it's notifying hundreds of thousands of people about the theft, but stresses that authorities don't believe a thief was after the personal data or out to commit identity theft.

A state spokeswoman says the computer theft was the fault of Affiliated Computer Services. She says the company's contract comes up for renewal next June and will NOT be renewed.

http://www.kten.com/Global/story.asp?S=5624772


From: ziplock at attrition.org (ziplock)
Date: Thu, 2 Nov 2006 13:36:02 -0500 (EST)
Subject: [Dataloss] Update - Stolen computer may contain data on 1.4 million Coloradans

The story I posted to the mail list earlier today should have been flagged as an update. It provides additional information to a previously reported incident, revealing an additional 1M victims. The estimated total records affected by this incident is now 1.4M.


From: Dan.Good at evault.com (Dan Good)
Date: Thu, 2 Nov 2006 12:16:49 -0800
Subject: Re: [Dataloss] Update - Stolen computer may contain data on 1.4 million Coloradans

There seems to be a lot of information on stolen computers. Has anyone seen any information on lost or stolen backup tapes? Most of these tapes are not encrypted and very easy to restore.
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 139 million compromised records in 447 incidents over 6 years.


From: Dissent at pogowasright.org (Dissent)
Date: Thu, 2 Nov 2006 16:06:09 -0500 (EST)
Subject: [Dataloss] [update] VA computer theft in NY

http://www.scmagazine.com/uk/news/article/602715/another-va-breach-affects-1600-veterans-new-york-system/

The Department of Veterans Affairs (VA) is again warning veterans their identity may be at risk following the theft of an unencrypted laptop from the agency's New York Harbor Healthcare System.

The breach affects veterans who receive pulmonary care at the hospital, according to an Oct. 20 letter to veterans, released Wednesday by U.S. Rep. Carolyn Maloney, D-N.Y.

The computer, stored in a locked room at the time of the theft, contained personal information, including names, Social Security numbers and diagnosis data, the letter said.

About 1,600 veterans were affected by the Sept. 6 theft, VA spokeswoman Jo Shuda told SCMagazine.com. She was unsure if the laptop was encrypted. Duplicate patient listings incorrectly placed the number of affected veterans at 2,400 earlier in the day, according to VA officials.

[...]
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 2 Nov 2006 16:08:06 -0500 (EST)
Subject: [Dataloss] [update] Allina stolen laptop

http://www.twincities.com/mld/twincities/news/15897541.htm

The theft of an Allina nurse's laptop three weeks ago has not yet resulted in any cases of identity fraud, according to a health system spokesman.

Allina sent written warnings in mid- to late October after learning a laptop was stolen Oct. 8 from a nurse's locked car. The laptop contained personal information for 33,000 people, including Social Security numbers for 17,000 people. Those affected included people with terminal illnesses receiving home hospice services and women receiving nursing visits both before and after they gave birth.

[...]


From: Dissent at pogowasright.org (Dissent)
Date: Thu, 2 Nov 2006 16:14:18 -0500 (EST)
Subject: [Dataloss] VA Hospital in Muskogee

http://www.ksbitv.com/home/4550826.html

Three computer disks containing more than 1,400 Social Security numbers and other personal data of veterans have some Oklahoma veterans worried. The disappearance of the disks has posed a risk for identity theft for the hundreds of veterans treated at a McAlester clinic.

The Veterans Affairs Hospital in Muskogee confirmed the loss in a letter mailed yesterday to patients of the McAlester clinic. The lost information includes the names, Social Security numbers and billing amounts.

[...]


From: Dissent at pogowasright.org (Dissent)
Date: Thu, 2 Nov 2006 16:21:18 -0500 (EST)
Subject: [Dataloss] Radio co. employees' personal data stolen

http://business.bostonherald.com/businessNews/view.bg?articleid=165302

Greater Media Inc. recently began alerting employees that their personal information might have landed in thieving hands.

The radio broadcasting company has sent out letters warning that a laptop holding Social Security numbers of current and former staffers was stolen out of Greater Media's Philadelphia offices, sources who have received the letter said.

In the letter, Greater Media, whose Boston stations include WTKK-FM (96.9) and WBOS-FM (92.9), offers a free credit report if staffers sign up by the end of the year. The letters also state that there's been no indication of any illegal activities so far, sources said.

[...]


From: Dissent at pogowasright.org (Dissent)
Date: Thu, 2 Nov 2006 18:14:24 -0500 (EST)
Subject: [Dataloss] Villanova U. laptop stolen from Hilb, Rogal & Hobbs

http://www.centredaily.com/mld/centredaily/news/politics/15913680.htm

A laptop computer stolen from an insurance company's office contained the names, birth dates and driver's license numbers of more than 1,200 Villanova University students and staff members, the school confirmed Thursday.

No Social Security numbers were involved, said Kenneth G. Valosky, Villanova's vice president for finance.

The theft of the password-protected laptop in September from the insurance firm Hilb, Rogal & Hobbs in Plymouth Meeting was reported to police, company senior vice president Chris Schwyter said. Clients, including Villanova, were notified after the company determined what information was on the laptop, he said.

[...]


From: lyger at attrition.org (lyger)
Date: Thu, 2 Nov 2006 19:39:43 -0500 (EST)
Subject: [Dataloss] Office of Management and Budget: 'People are losing data'

http://www.fcw.com/article96686-11-02-06-Web

Between July and Sept. 30, agencies reported 338 separate security incidents involving personally identifiable information to the Office of Management and Budget, Karen Evans, OMB's administrator for e-government and information technology, said today.
Many of the incidents, however, are not attacks on government information from outsiders, Evans said in a speech at the IT Association of America's annual Chief Information Security Officer Workshop in Falls Church, Va.

"Primarily, people are losing data," she said.

[...]


From: george at myitaz.com (George Toft)
Date: Thu, 02 Nov 2006 21:13:18 -0700
Subject: Re: [Dataloss] Office of Management and Budget: 'People are losing data'
Message-ID: <454AC1DE.4080007@myitaz.com>

I would like to point out the obvious - there are FAR more incidents occurring than are being reported (and it is not just in the Government).

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

lyger wrote:
> http://www.fcw.com/article96686-11-02-06-Web
> [...]


From: lyger at attrition.org (lyger)
Date: Thu, 2 Nov 2006 23:23:03 -0500 (EST)
Subject: Re: [Dataloss] Office of Management and Budget: 'People are losing data'
In-Reply-To: <454AC1DE.4080007@myitaz.com>

Of course. As I mentioned to someone earlier this week, we have over 270 events recorded on dataloss web and DLDOS for 2006 alone. If every incident that occurred this year would have been reported, this would have quickly gone from a "project" to a full-time job.

On Thu, 2 Nov 2006, George Toft wrote:

": " I would like to point out the obvious - there are FAR more incidents
": " occurring than are being reported (and it is not just in the Government).


From: adam at homeport.org (Adam Shostack)
Date: Fri, 3 Nov 2006 00:30:07 -0500
Subject: Re: [Dataloss] Office of Management and Budget: 'People are losing data'
Message-ID: <20061103053007.GB3475@homeport.org>

So...what are the loopholes? Why are incidents not being reported?

On Thu, Nov 02, 2006 at 11:23:03PM -0500, lyger wrote:
| Of course. As I mentioned to someone earlier this week, we have over 270
| events recorded on dataloss web and DLDOS for 2006 alone.
| [...]
From: macwheel99 at sigecom.net (Al Mac)
Date: Fri, 03 Nov 2006 01:13:54 -0600
Subject: Re: [Dataloss] Office of Management and Budget: 'People are losing data'
Message-ID: <6.2.1.2.0.20061103011013.02ed8790@mail.sigecom.net>

Apparently they were reported to the OMB. Time for a FOI request there?

We have seen from many past GOV reports that for many scenarios, there is no legal mandate to report the incident, except in secret to some other GOV agency.

Many US states have no breach laws yet. (30 something do.) Many of those that do exempt gov agencies, non-profits, private individuals, data that was encrypted.

> So...what are the loopholes? Why are incidents not being reported?


From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 3 Nov 2006 08:45:37 -0500
Subject: Re: [Dataloss] Office of Management and Budget: 'People are losing data'

Yup - time for another FOI request it sounds like. I almost feel bad for the VA though. They're getting slammed.

On 11/3/06, Al Mac wrote:
> Apparently they were reported to the OMB.
> Time for a FOI request there?
> [...]

-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471
http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org


From: Dissent at pogowasright.org (Dissent)
Date: Fri, 3 Nov 2006 09:35:14 -0500 (EST)
Subject: [Dataloss] Univ. of Virginia Student Financial Services

http://www.cavalierdaily.com/CVArticle.asp?ID=28435&pid=1507

Notifications from Student Financial Services intended for students whose registration was blocked were erroneously sent to the wrong students in e-mails that included others' Social Security numbers.

Student Financial Services intended to send 1,264 e-mails to alert students of registration blocks. Only 632 e-mails were actually sent out late Tuesday evening. These e-mails contained the student IDs of the 632 other students, who never received an e-mail. The mistake was not discovered until the next morning.

University spokesperson Carol Wood said that Student Financial Services discovered the error Wednesday morning and began correcting the action immediately by contacting the Information Technology and Communications Office security department, which could investigate and fix the problem.

The mistake was a result of an error on the part of a computer programmer, who neglected to review the program before it was used, Wood said.

[...]
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 3 Nov 2006 09:46:51 -0600
Subject: Re: [Dataloss] Office of Management and Budget: 'People are losing data'
Message-ID: <20061103154649.GB17128@cwalsh.org>

On Fri, Nov 03, 2006 at 12:30:07AM -0500, Adam Shostack wrote:
> So...what are the loopholes? Why are incidents not being reported?

Well, if you consider the Federal government, much of it is located in Washington, DC. No breach law, there.

Chris


From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 3 Nov 2006 11:25:48 -0500
Subject: Re: [Dataloss] Office of Management and Budget: 'People are losing data'

Yet. And while most of the central offices are in D.C., there are a heck of a lot of branch offices all over the country. And if a breach in D.C. may affect people in a state w/ a law, go to the Federal building in that state's capital and you will inevitably find some form of that Department to issue a FOI Request to.

On 11/3/06, Chris Walsh wrote:
> Well, if you consider the Federal government, much of it is located in Washington, DC.
> No breach law, there.

-- 
B.K. DeLong (K3GRN)


From: Dissent at pogowasright.org (Dissent)
Date: Fri, 3 Nov 2006 14:02:00 -0500 (EST)
Subject: [Dataloss] About 1,000 West Shore Bank customers notified debit cards compromised

http://www.ludingtondailynews.com/news.php?story_id=33672

Roughly 1,000 West Shore Bank customers have been notified this week that their debit card number may have been compromised after the bank was notified of the issue by Master Card.

"Master Card said there was a security break at a common point-of-purchase provider sometime this summer," said West Shore Bank's Jeremy Holmes. "It wasn't our system; our system wasn't compromised. It was a third party that the customers went to. The information was accessed in their system."

Master Card would not comment on the specific incident, citing the ongoing investigation.

...

Holmes didn't know which company had the security break. "We weren't provided with a lot of information," he said. "What we know is that we were given a listing of debit card numbers that were potentially compromised."

When asked if the card issue was tied to Wesco's announcement of a security breach, Holmes said he was only notified what happened and the timeframe of the incident, not of the company that had the problem.

"(Master Card) doesn't tell us where, only that it was somewhere in the US," Holmes said. "But I imagine that it could be (a major merchant in the area)."

[...]


From: Dissent at pogowasright.org (Dissent)
Date: Fri, 3 Nov 2006 14:15:30 -0500 (EST)
Subject: [Dataloss] Wesco gas stations, feds investigate possible fraud

The West Shore Bank story I posted earlier referenced a possible Wesco breach.
http://www.mlive.com/newsflash/business/index.ssf?/base/news-38/116256477223140.xml&storylist=mibusiness

Officials for Wesco gas stations say they are working with federal authorities and customers to investigate an apparent breach in credit card confidentiality in recent months.

The Muskegon-based company, which runs about 50 Michigan gas station/convenience stores, recently posted statements on its pumps urging customers to verify credit card transactions because of possible fraud.

Suspect transactions may have happened between July 25 and Sept. 7, The Muskegon Chronicle and the Grand Haven Tribune reported. It wasn't known whether cards used at pumps, inside stores or both were affected.

The company said it was working with the U.S. attorney's office for the Western District of Michigan and the Secret Service. The investigation began when financial institutions reported inaccurate charges on customer statements.

--

Related statement on Wesco site:
http://www.gowesco.com/consumer.htm


From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 3 Nov 2006 14:18:09 -0600
Subject: [Dataloss] Illinois 'ID Theft' scam busted
Message-ID: <20061103201704.GA343@cwalsh.org>

"Hospitality" industry insiders paid to supply guests' CC#s, other info.

(http://www.suntimes.com/news/metro/122699,CST-NWS-scam03.article)


From: Dissent at pogowasright.org (Dissent)
Date: Fri, 3 Nov 2006 17:14:23 -0500 (EST)
Subject: [Dataloss] Starbucks Loses Laptops With Worker Data

http://www.centredaily.com/mld/centredaily/business/15923874.htm

SEATTLE - Starbucks Corp. said Friday it had lost track of four laptop computers, two of which had private information on about 60,000 current and former U.S. employees and fewer than 80 Canadian workers and contractors.

The data, which include names, addresses and Social Security numbers, is about three years old, dating prior to December 2003, said Valerie O'Neil, a spokeswoman for the Seattle-based coffee retailer.

[...]

http://www.starbucks.com/aboutus/pressdesc.asp?id=720

Starbucks Corporation (Nasdaq: SBUX) today announced that four retired (no longer in regular use) laptops have been identified as missing from the Starbucks Corporate Support Center in Seattle. Two of the laptops contained the private information, including names and social security numbers, of nearly 60,000 United States partners (employees) and less than 80 Canadian partners and contractors at all levels employed across the organization prior to Dec. 31, 2003.

At this time, there is no indication that the private information in question has been misused or that the devices are in the hands of someone intending to misuse the information. These laptops may still be in the possession of Starbucks, however we cannot currently locate them. In accordance with Starbucks standards for information security, the laptops were password protected.

[...]


From: lyger at attrition.org (lyger)
Date: Fri, 3 Nov 2006 20:11:39 -0500 (EST)
Subject: [Dataloss] 'Scrubbed' laptop had data on 30,400

http://deseretnews.com/dn/view/0,1249,650203974,00.html

What happened when an old laptop from Intermountain's human-resources department was donated to Deseret Industries recently is a cautionary tale for employers who think they've scrubbed important information off discarded hard drives and those who still use Social Security numbers to identify employees.

...

Last week, 27,000 active employees and 3,400 former employees were notified. Intermountain said it would pay for credit monitoring for anyone who was worried, human-resource director Nancy Adams said. Intermountain also set up a dedicated hotline for anyone with concerns about what was being done to protect them.
Adams said they've had 79 calls.

[...]


From: adam at homeport.org (Adam Shostack)
Date: Sat, 4 Nov 2006 13:53:38 -0500
Subject: [Dataloss] More on reporting
Message-ID: <20061104185338.GA12278@homeport.org>

Ed Moyle has some good analysis of laptop thefts:
http://www.securitycurve.com/blog/archives/000476.html


From: lyger at attrition.org (lyger)
Date: Sun, 5 Nov 2006 00:32:38 -0500 (EST)
Subject: [Dataloss] Update: Affiliated Computer Services: Worker quizzed on stolen database

http://origin.denverpost.com/news/ci_4599954

Police are questioning an Affiliated Computer Services employee in connection with the theft of a computer that contained state-owned databases with the personal information of about 1.4 million people.

Police have not recovered the computer, a desktop model swiped from the Denver offices of ACS, but an employee of the company is a key suspect in the crime, according to a person familiar with the investigation.

No charges have been filed, and police would not release the employee's name. ACS spokesman Kevin Lightfoot referred all questions about the investigation to authorities.

[...]


From: lyger at attrition.org (lyger)
Date: Mon, 6 Nov 2006 17:35:44 -0500 (EST)
Subject: [Dataloss] Ohio Police Accidentally Post Personal Information

http://redtape.msnbc.com/2006/11/cops_errant_cli.html

There's a new reason to be concerned about an encounter with local police, whether you're a victim or a suspect. In Ohio last month, a police department accidentally published intimate details about every person officers encountered during a single day, including Social Security Numbers, driver's license numbers and more.

A stray click led the Bowling Green, Ohio, Police Department to publish the wrong report to the agency's police blotter Web site on Oct. 21, according to operations Lt. Brad Biller. Instead of posting a sanitized blotter, with all the personal information redacted, the agency published what is known as an "end of day report." That report includes birth dates, SSNs, race descriptions, license numbers and more on each of the nearly 200 people the cops had contact with that day. It also included extended narratives about each incident, written by the responding police officer.

[...]


From: jericho at attrition.org (security curmudgeon)
Date: Wed, 8 Nov 2006 02:09:58 -0500 (EST)
Subject: [Dataloss] followup: ACS Breach Warning Letter

Letter sent out to an unknown number of ACS "customers" on Oct 26. Any typos are my own.

--

State Directory of New Hires
Operated by ACS

[Customer Name]          [Bar Code]
[Customer Address]       [Number]

Dear [Customer First Name]:

This letter is to inform you of an incident involving the theft of a computer that may contain your personal information. A password-protected computer was stolen from a secure facility operated by ACS State and Local Solutions, Inc. on behalf of the Colorado State Directory of New Hires (SDNH). Employers are required by law to report information to the SDNH regarding newly hired employees. Although you may reside in a state other than Colorado, your information was submitted through this channel. This information may include your name, address, and social security number.

We believe it is important to notify you about this incident and to alert you to the possibility of your exposure to identity theft. In responding to the theft, ACS immediately notified law enforcement. Colorado law enforcement and ACS are vigorously investigating the theft to determine who was involved and to recover the information.

As a precaution, we recommend you carefully review all credit cards and other financial account information.
If you detect any unauthorized or suspicious activity in any of these accounts, you should contact your credit card company or other account issuer immediately. We further recommend that you obtain a credit report from one of the three credit bureaus -- Experian, Equifax or TransUnion. Additional information on how best to respond to a possible identity theft is available from the Federal Trade Commission at: http://www.consumer.gov/idtheft/ and Colorado residents may also see: http://www.ago.state.co.us/idtheft/IDTheft.cfm. For your convenience, we are attaching general information about identity theft protection.

ACS takes the protection of your personal information very seriously. We have established a toll-free number to assist with any questions. This number is 1-800-350-0399. We regret this incident occurred.

Very truly yours,

[scribble]

ACS Representative


From: jericho at attrition.org (security curmudgeon)
Date: Wed, 8 Nov 2006 02:24:00 -0500 (EST)
Subject: Re: [Dataloss] followup: ACS Breach Warning Letter

And now my own comments.

: [Customer Name]          [Bar Code]
: [Customer Address]       [Number]

The number below the bar code is 8 digits, starting with 0065. Not sure if this is an indication of how many affected, a tracking number, or something else.

: This letter is to inform you of an incident involving the theft of a
: computer that may contain your personal information. A
: password-protected computer was stolen from a secure facility operated
: by ACS State and Local Solutions, Inc. on behalf of the Colorado State
: Directory of New Hires (SDNH). Employers are required by law to report
: information to the SDNH regarding newly hired employees.

First, we know password protected computers mean absolutely nothing. Yanking a drive and mirroring content is trivial for even moderately skilled computer users.

Second, ACS needs to look up the definition of secure.

  1. To make safe; to relieve from apprehensions of, or exposure to, danger; to guard; to protect.

So this should be worded "relatively" secure or "formerly" secure.

: ACS takes the protection of your personal information very seriously. We
: have established a toll-free number to assist with any questions. This
: number is 1-800-350-0399. We regret this incident occurred.

So seriously, this line is not answered outside of standard business hours and asks that you call back then.

: Very truly yours,
:
: [scribble]
:
: ACS Representative

The signature doesn't look like 'ACS Representative', so whose name is this and why wasn't it printed? No one stepping up to be accountable for questions?


From: Bruce.Forestal at target.com (Bruce.Forestal)
Date: Wed, 8 Nov 2006 09:08:41 -0600
Subject: Re: [Dataloss] followup: ACS Breach Warning Letter

Good Day,

The claim of "password protected" is a joke as most all of these laptops are Windows OS with only a logon password which is easily bypassed. This is somehow supposed to make the public have a warm fuzzy feeling that their data is safe. Once in a while we hear that the data is encrypted and password or pass-phrase protected. Someone had commented previously that at least some of the current disclosure laws don't require notification if the data is encrypted. I'm curious as to how many incidents of data loss are occurring but not reported because the data is encrypted?

Speaking of encrypting personal information, has this technology not been taught in college, or banned from use by anyone outside of the DOD? Most all of these incidents of data loss could have been mitigated by just simple encryption. Encryption is both easy and cheap; actually it can be had for free. Laptops are a target for thieves; this is not going to change, and although one can surely reduce the chance of theft by teaching employees some user awareness, it won't be eliminated.
I'm personally a fan of PGP Desk, all of my client data is saved on a PGP encrypted partition and all emails that even hint of sensitive data are encrypted. Most Non Disclosure Agreements require me as consultant to protect client data, using anything short of a reliable encryption scheme would put my client data at risk and leave my butt hanging in the wind. I would not be happy if my laptop was stolen or lost but at least I could state with confidence that the client data was very secure. Other than the NSA or like entities I don't know of anyone that would even have a chance of breaking the encryption.

It's obvious in many of these data loss incidents that an encryption policy was not in place or not followed. Roughly two-thirds of the states have disclosure laws but that does not mean they are always followed and then there is the government side. Does anyone know the disclosure laws for government? Does anyone have an idea of the percentage of data loss that is not disclosed?

Bruce Forestal, CISSP
AmbironTrustwave

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of security curmudgeon
Sent: Wednesday, November 08, 2006 1:24 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] followup: ACS Breach Warning Letter

And now my own comments.

: [Customer Name] [Bar Code]
: [Customer Address] [Number]

The number below the bar code is 8 digits, starting with 0065. Not sure if this is an indication of how many affected, a tracking number, or something else.

: This letter is to inform you of an incident involving the theft of a
: computer that may contain your personal information. A
: password-protected computer was stolen from a secure facility operated
: by ACS State and Local Solutions, Inc. on behalf of the Colorado State
: Directory of New Hires (SDNH). Employers are required by law to report
: information to the SDNH regarding newly hired employees.

First, we know password protected computers mean absolutely nothing. Yanking a drive and mirroring content is trivial for even moderately skilled computer users.

Second, ACS needs to look up the definition of secure.

  1. To make safe; to relieve from apprehensions of, or exposure to, danger; to guard; to protect.

So this should be worded "relatively" secure or "formerly" secure.

: ACS takes the protection of your personal information very seriously. We
: have established a toll-free number to assist with any questions. This
: number is 1-800-350-0399. We regret this incident occurred.

So seriously, this line is not answered outside of standard business hours and asks that you call back then.

: Very truly yours,
:
: [scribble]
:
: ACS Representative

The signature doesn't look like 'ACS Representative', so whose name is this and why wasn't it printed? No one stepping up to be accountable for questions?

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 140 million compromised records in 465 incidents over 6 years.

From george at myitaz.com Wed Nov 8 11:06:39 2006
From: george at myitaz.com (George Toft)
Date: Wed, 08 Nov 2006 09:06:39 -0700
Subject: [Dataloss] followup: ACS Breach Warning Letter
Message-ID: <4552008F.4080601@myitaz.com>

security curmudgeon wrote:
> Yanking a drive and mirroring content is trivial for even moderately
> skilled computer users.

That is too much effort - there are CD images available on the Internet that will allow a complete noob to change the admin password in under 5 minutes. Someone who has used it a couple times can do it in 2 minutes.

Now here's a weird one - I was handed a password-protected laptop with Windows XP. I booted it into safe mode with no password and had Admin rights. I reset the password for the user, rebooted, and logged in normally. This struck me as really odd.
George Toft

From macwheel99 at sigecom.net Wed Nov 8 12:42:25 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Wed, 08 Nov 2006 11:42:25 -0600
Subject: [Dataloss] followup: ACS Breach Warning Letter
Message-ID: <6.2.1.2.0.20061108111959.02efe4f0@mail.sigecom.net>

The protection of passwords varies greatly across various OS that I have worked on. I consider passwords much more secure on IBM mainframes than on Windows and Unix, but I do not know about Linux.

Companies might think their data is password protected, encrypted, other protections, but unless they have passed some kind of security audit, they really do not know for sure. Many breaches have been because of some carelessness, and lack of security verification, leading to private data posted on the web that some kind of security procedure might have prevented.

I think that if security awareness training is too much of a bother for a company to be doing for all its people, at least it should be required for people with access to the sensitive data.

The mass public think passwords give some measure of protection, so these notification phraseologies are intended as PR mitigation.

Once upon a time certain types of communications were banned from Ham Radio, because of a rule that the FCC had to be able to digest anything over the public airways, without any effort. This may be why a lot of pager traffic, and wireless, is in plain text readable by anyone with a police scanner hooked up to a computer printer, which may be illegal, but unenforced.

Once upon a time the DoD banned encryption in computer products going overseas, on the theory that the USA had some strategic advantage the military did not want exported. But that mentality has been overshadowed by mass off-shoring of all sorts of computer manufacture and software development, let alone parallel development in other places such as Europe and Asia. The illusion that we have some kind of advantage is akin to the Axis in WW II broadcasting all their secrets over communication channels that they were convinced no one could crack.

Al Macintyre
just a programmer, sys admin, security officer, help desk, etc. worker

Bruce.Forestal wrote:
>Good Day,
>
>The claim of "password protected" is a joke as most all of these laptops
>are Windows OS with only a logon password which is easily bypassed.
>This is somehow supposed to make the public have a warm fuzzy feeling
>that their data is safe. Once in a while we hear that the data is
>encrypted and password or pass-phrase protected. Someone had commented
>previously that at least some of the current disclosure laws don't
>require notification if the data is encrypted. I'm curious as to how
>many incidents of data loss are occurring but not reported because the
>data is encrypted?
>
>Speaking of encrypting personal information, has this technology not
>been taught in college, or banned from use by anyone outside of the DOD?
>Most all of these incidents of data loss could have been mitigated by
>just simple encryption. Encryption is both easy and cheap; actually it
>can be had for free. Laptops are a target for thieves, this is not
>going to change although one can surely reduce the chance of theft by
>teaching employees some user awareness but it won't be eliminated.
>
>I'm personally a fan of PGP Desk, all of my client data is saved on a
>PGP encrypted partition and all emails that even hint of sensitive data
>are encrypted. Most Non Disclosure Agreements require me as consultant
>to protect client data, using anything short of a reliable encryption
>scheme would put my client data at risk and leave my butt hanging in the
>wind. I would not be happy if my laptop was stolen or lost but at least
>I could state with confidence that the client data was very secure.
>Other than the NSA or like entities I don't know of anyone that would
>even have a chance of breaking the encryption.
>
>It's obvious in many of these data loss incidents that an encryption
>policy was not in place or not followed. Roughly two-thirds of the
>states have disclosure laws but that does not mean they are always
>followed and then there is the government side. Does anyone know the
>disclosure laws for government? Does anyone have an idea of the
>percentage of data loss that is not disclosed?
>
>Bruce Forestal, CISSP
>AmbironTrustwave

From Dissent at pogowasright.org Wed Nov 8 19:57:05 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 8 Nov 2006 19:57:05 -0500 (EST)
Subject: [Dataloss] City of Lubbock Online Job Database Experiences Security Breach

http://www.kcbd.com/Global/story.asp?S=5647444&nav=3w6y

The City of Lubbock is calling 5,800 people. That's because their social security numbers may have been stolen. The city's web site was apparently hacked into. At this point, it appears the only information affected was the online job application database, which again is about 5,800 people.

[...]

From Dissent at pogowasright.org Thu Nov 9 18:49:35 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 9 Nov 2006 18:49:35 -0500 (EST)
Subject: [Dataloss] Sensitive CHR laptop stolen

http://calsun.canoe.ca/News/Alberta/2006/11/09/2290342.html

Alberta's privacy watchdog is fast-tracking a probe into the theft from a private home of a Calgary Health Region laptop holding mental health data on hundreds of child patients.

On Oct. 22, the computer was taken in a break-in at the northwest home of a CHR Collaborative Mental Health staffer. The laptop was carrying contact, mental health and parental data on 1,000 Calgary-area children up to six years of age.

[...]
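A worked illustration of the point made in the ACS letter thread above (a logon password guards nothing once the drive is pulled and imaged; encrypting the data at rest does), written for this archive as an added example. It is not code from ACS, PGP, or any of the posters. The sample record is constructed, the passphrase, the PBKDF2 round count and the salt || nonce || ciphertext layout are this example's own choices, and PBKDF2 is written out inline only so the program stays on the Go standard library. OfflineSearch stands in for what a thief does with a stolen drive: a raw byte scan, which never consults an OS password or file ACL.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample record standing in for one row of a new-hire database
// like the one the ACS letter describes; it is not real data.
const sampleRecord = "name=Jane Doe;ssn=123-45-6789;dob=1980-01-01;employer=Example Corp"

const (
	saltLen   = 16     // random per-file salt, stored in the clear
	kdfRounds = 100000 // PBKDF2 iteration count, chosen for this example
)

// pbkdf2SHA256 derives one 32-byte key block with PBKDF2-HMAC-SHA256
// (RFC 8018 section 5.2, dkLen equal to the hash length). Written out here
// only to avoid a dependency outside the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): index of the single output block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfRounds))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record under a passphrase-derived AES-256-GCM key.
// Result layout: salt || nonce || ciphertext+tag. Salt and nonce are
// public; the passphrase is the only secret.
func Seal(passphrase string, record []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte(nil), salt...), nonce...)
	// The salt is bound as associated data so it cannot be swapped unnoticed.
	return gcm.Seal(out, nonce, record, salt), nil
}

// Open reverses Seal. A wrong passphrase or a modified byte fails the GCM
// tag check and returns an error instead of garbage plaintext.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+12+16 {
		return nil, errors.New("blob too short to be a sealed record")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := blob[saltLen : saltLen+gcm.NonceSize()]
	return gcm.Open(nil, nonce, blob[saltLen+gcm.NonceSize():], salt)
}

// OfflineSearch models the thief with the drive pulled and imaged: a raw
// byte scan that ignores the logon password and any file ACL, both of
// which are enforced only by the running operating system.
func OfflineSearch(rawDisk []byte, pattern string) bool {
	return bytes.Contains(rawDisk, []byte(pattern))
}

func main() {
	plain := []byte(sampleRecord)
	sealed, err := Seal("correct horse battery staple", plain)
	if err != nil {
		panic(err)
	}
	fmt.Println("SSN found by raw scan of 'password-protected' file:", OfflineSearch(plain, "123-45-6789"))
	fmt.Println("SSN found by raw scan of encrypted file:            ", OfflineSearch(sealed, "123-45-6789"))
	_, err = Open("wrong passphrase", sealed)
	fmt.Println("wrong passphrase:", err)
}
```

The only property the notification letter could honestly have claimed is the second one: with the drive in a stranger's hands, a scan of the raw bytes finds nothing, and the key lives in the user's head rather than in the logon database on the same disk.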
From Dissent at pogowasright.org Fri Nov 10 08:47:26 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 10 Nov 2006 08:47:26 -0500 (EST)
Subject: [Dataloss] LANL Contractor information could be at risk

http://www.freenewmexican.com/news/51948.html

As many as 1,000 contract employees who work in Los Alamos have been warned that a compact disk containing their personal information could be missing.

The disk belongs to KSL Services Inc., a contractor to Los Alamos National Laboratory, lab spokesman Jeff Berger said Thursday.

[...]

Berger was not sure how the disk ended up missing, but said lab officials are helping KSL officials look for it. Affected employees have been notified by KSL, Berger said.

[...]

From lyger at attrition.org Fri Nov 10 10:35:41 2006
From: lyger at attrition.org (lyger)
Date: Fri, 10 Nov 2006 10:35:41 -0500 (EST)
Subject: [Dataloss] Article: Another reason for data laws

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/11/10/BUGO4M8LB148.DTL

David Lazarus
San Francisco Chronicle
Friday, November 10, 2006

As rental-car giant Hertz prepares to go public next week, the company seems to be having an unusually difficult time keeping confidential info under wraps.

In a regulatory filing on Wednesday, Hertz Global Holdings said it had dropped Deutsche Bank from its underwriting team after "several e-mails" discussing the $1.5 billion initial public offering were inadvertently sent by the bank to about 175 institutional clients.

Meanwhile, the names and Social Security numbers of an undisclosed number of Hertz workers were found last month on the home computer of a former employee of the company.

[...]
From Dissent at pogowasright.org Fri Nov 10 11:41:42 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 10 Nov 2006 11:41:42 -0500 (EST)
Subject: [Dataloss] Bank account data swiped in gas-station scam

http://www.ocregister.com/ocregister/homepage/abox/article_1350521.php

Hundreds of people had their bank account information compromised when they paid at outside pay pumps at three gas stations in Orange County and one in Torrance, police reported Thursday.

Police suspect that thieves used a device to record account numbers and PIN codes onto memory chips from pay-point islands at an ARCO station in Westminster, one in Torrance and at least one in Costa Mesa, said Detective Sgt. Jim Kingsmill with the Westminster Police Department's property-crimes unit.

[...]

At least 16 people have told Costa Mesa police they were recent victims of identity theft on this particular case, Costa Mesa police Sgt. Marty Carver said. In Westminster, police said, at least 12 people have reported being victims of identity theft after using a pay-point island at a gas station.

[...]

------------

Note: This is not the first time ARCO has had such breaches with resulting identity theft reports. In researching this item, I found these reports of a similar and earlier incident that also resulted in identity theft:

http://www.ktvu.com/news/6626706/detail.html
http://cbs5.com/grammy/local_story_032192737.html

/Dissent

From Dissent at pogowasright.org Fri Nov 10 16:04:28 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 10 Nov 2006 16:04:28 -0500 (EST)
Subject: [Dataloss] Harris Poll on notifications of improper disclosure

http://biz.yahoo.com/prnews/061110/nyf085.html?.v=55

ROCHESTER, N.Y., Nov. 10 /PRNewswire/ -- An estimated 49 million adults in the U.S. indicate that they have been told that their personal information had been lost, stolen or improperly disclosed over the past three years.
Most of this notification has come from government agencies and financial institutions. While many of these people do not believe anything has happened to them as a result of the lost information, a small but significant number do think that something may have happened.

The Harris Poll was conducted online by Harris Interactive between October 4 and 10, 2006 among a national sample of 2,010 U.S. adults aged 18 or over. This survey was designed in collaboration with Dr. Alan F. Westin, Professor of Public Law and Government Emeritus, Columbia University, and noted authority on privacy issues.

Specifically the survey found that:

* Just over one in five (22%) U.S. adults claim that in the past three years a business, government agency or other organization notified them that the organization had lost, had stolen or otherwise improperly disclosed their personal information. This translates into approximately 49 million adults.(1)

* Among those adults who say that they have been notified, most indicate that the notification was made by a government agency (48%), a financial company (29%) or a commercial company (12%). Other organizations that have made notifications include educational institutions (6%) and health care facilities (5%).

Furthermore, eight in 10 (81%) adults who have been notified about lost or stolen personal information perceive that nothing harmful happened to them as a result. However, a significant 19 percent -- representing about 9.3 million persons -- do believe that something harmful happened to them.
Among this group who indicate that something happened to them, the following occurred:

* Merchandise was charged in their name (43%)
* Some kind of fraud was committed that cost them some money (35%)
* Money was taken from their bank account (18%)
* A credit card was taken out in their name (11%)
* Someone posed as them to get a government benefit or service (8%)

When analyzing the results by the types of organizations that have notified adults about lost or stolen personal information, there are interesting differences. For those notified by either financial institutions or government agencies, most adults (by 81% to 19% for financial institutions and 86% to 14% for government agencies) think that nothing happened to them. However, for those notified by other commercial companies such as a retail company, a telephone company or a company used on the Internet, the percentage of U.S. adults who feel that something happened to them is considerably higher (38%). One should be cautious in interpreting these results as the percentage of those who think they were notified by other commercial companies is small (12%).

"We know from detailed studies of ID theft that many of these harms are caused by actions of friends and family of the victims, stolen wallets or purses, pilfering identifying information from mailboxes or trash containers, and from insider theft of personal data by employees of organizations," Dr. Alan Westin commented about the findings. "However, our survey shows that almost 10 million persons out of the almost 50 million persons notified of a data breach over the past three years believe that direct harm to them resulted from the breach. This documents the importance of business, government, and other types of organizations applying stronger data security measures when handling personal information -- if they are to retain the trust of their customers, members, or citizens."

TABLE 1
HAS PERSONAL INFORMATION BEEN LOST, STOLEN, OR IMPROPERLY DISCLOSED?

"In the past three years, has a business, government agency, university or any other organization notified you that they had lost, had stolen, or otherwise improperly disclosed personal information about you?"

Base: All adults

                2006 %
  Yes             22
  No              78

TABLE 2
WHAT ORGANIZATIONS INDICATED THAT PERSONAL INFORMATION WAS LOST, STOLEN, OR IMPROPERLY DISCLOSED

"Which one of the following kinds of organization notified you?"

Base: Adults who have been notified that data was lost or stolen

                                                                        Total %
  A government agency (federal, state, or local)                           48
  A financial company (a bank, credit card firm, investment or
    insurance organization)                                                29
  Commercial companies (net)                                               12
    A company you used on the Internet                                      4
    A retail company                                                        3
    A telephone/telecommunications company                                  1
    Other                                                                   4
  A school, college or university                                           6
  A hospital or other health care facility                                  5

TABLE 3
HOW LOST, STOLEN OR IMPROPERLY DISCLOSED PERSONAL INFORMATION WAS USED

"Which of the following things did someone use the lost, stolen or improperly disclosed information to do?"

Base: Adults who have been notified that data was lost or stolen

                                                  Notifying organization
                                           Total  Financial  Government  Other Commercial
                                             %        %       Agency %     Companies* %
  Happened to Me (Net)                       19       19          14            38
  Charge merchandise in your name             8       13           6             9
  Carry out some other kind of fraud that
    cost you money or harmed your position
    as a consumer                             7        5           5            17
  Get money from your bank account            3        3           1             4
  Get a credit card in your name              2        2           1             8
  Pose as you to get a government benefit
    or service                                2        1           1             7
  Other                                       3        *           4             7
  Nothing Happened to Me                     81       81          86            62

Note: Multiple-response question
* Small base (n=61); caution should be used in interpretation

TABLE 4
HOW LOST, STOLEN OR IMPROPERLY DISCLOSED PERSONAL INFORMATION WAS USED

"Which of the following things did someone use the lost, stolen or improperly disclosed information to do?"

Base: Adults who indicate that item happened to them*

                                                                        Total %
  Charge merchandise in your name                                          43
  Carry out some other kind of fraud that cost you money or harmed
    your position as a consumer                                            35
  Get money from your bank account                                         18
  Get a credit card in your name                                           11
  Pose as you to get a government benefit or service                        8
  Other                                                                    17

Note: Multiple-response question
* Small base; caution should be used in interpretation

Methodology

This Harris Poll was conducted online within the United States between October 4 and 10, 2006 among 2,010 adults (aged 18 and over), including 425 who have been notified that data has been lost or stolen, and 84 who believe that something happened to them as a result. Figures for age, sex, race/ethnicity, education, region and household income were weighted where necessary to bring them into line with their actual proportions in the population. Propensity score weighting was also used to adjust for respondents' propensity to be online.

All surveys are subject to several sources of error. These include: sampling error (because only a sample of a population is interviewed); measurement error due to question wording and/or question order, deliberately or unintentionally inaccurate responses, nonresponse (including refusals), interviewer effects (when live interviewers are used) and weighting. With one exception (sampling error) the magnitude of the errors that result cannot be estimated. There is, therefore, no way to calculate a finite "margin of error" for any survey and the use of these words should be avoided. With pure probability samples, with 100 percent response rates, it is possible to calculate the probability that the sampling error (but not other sources of error) is not greater than some number. With a pure probability sample of 2,010 adults one could say with a 95 percent probability that the overall results would have a sampling error of +/-2 percentage points. Sampling error for data based on sub-samples would be higher and would vary.
However that does not take other sources of error into account. This online survey is not based on a probability sample and therefore no theoretical sampling error can be calculated.

These statements conform to the principles of disclosure of the National Council on Public Polls.

J28939
Q 1105, 1110, 1115

The Harris Poll #81, November 10, 2006
By David Krane, Vice President, Public Affairs and Policy Research, Harris Interactive

About Harris Interactive

Harris Interactive is the 12th largest and fastest-growing market research firm in the world. The company provides research-driven insights and strategic advice to help its clients make more confident decisions which lead to measurable and enduring improvements in performance. Harris Interactive is widely known for The Harris Poll, one of the longest running, independent opinion polls and for pioneering online market research methods. The company has built what it believes to be the world's largest panel of survey respondents, the Harris Poll Online. Harris Interactive serves clients worldwide through its United States, Europe and Asia offices, its wholly-owned subsidiary Novatris in France and through a global network of independent market research firms. The service bureau, HISB, provides its market research industry clients with mixed-mode data collection, panel development services as well as syndicated and tracking research consultation. More information about Harris Interactive may be obtained at www.harrisinteractive.com .

To become a member of the Harris Poll Online and be invited to participate in online surveys, register at http://go.hpolsurveys.com/HarrisPoll .

(1) Based on July 2005 U.S. Census estimate released January 2006 (223 million total adults aged 18 or over)

Press Contact:
Michelle Soto
Harris Interactive
585-214-7665

From Dissent at pogowasright.org Sat Nov 11 15:57:09 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 11 Nov 2006 15:57:09 -0500 (EST)
Subject: [Dataloss] Former Hertz worker had employees' info

http://www.app.com/apps/pbcs.dll/article?AID=/20061111/NEWS03/611110325/1007

Hertz Global Holdings Inc., owners of the world's largest rental-car company, said the FBI found a computer containing the names and Social Security numbers of most of Hertz's U.S. workers at the home of a former employee.

The computer also had information including titles and dates of hire of Hertz employees as late as 2002, the Park Ridge, N.J.-based company said in an Oct. 27 filing. Hertz, which had 22,800 U.S. workers as of June, is cooperating with the FBI in the matter, it said.

From rforno at infowarrior.org Sat Nov 11 21:19:38 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 11 Nov 2006 21:19:38 -0500
Subject: [Dataloss] Big NYT article on many things Choicepoint

November 12, 2006
Keeping Your Enemies Close
By GARY RIVLIN

IF you found yourself running a company suddenly branded one of the most reviled in the country -- if, for example, you noticed that visitors to Consumerist.com, a heavily visited consumer Web site, voted yours as the second "worst company in America" and you had just been awarded the 2005 "Lifetime Menace Award" by the human rights group Privacy International -- you might feel obliged to take extraordinary steps. You might even want to reach out to your most vocal critics and ask them, "What are we doing wrong?"

So it was in early 2005 that Douglas C. Curling, the president of ChoicePoint, a giant data broker that maintains digital dossiers on nearly every adult in the United States, courted two critics whom he had accused just months earlier of starting "yet another inaccurate, misdirected and misleading attack" on his company. Mr. Curling also contacted others who had spent years calling for laws requiring better safeguarding of personal information that ChoicePoint and other data brokers assemble -- records such as Social Security numbers, birth dates, driver's license numbers, license plate numbers, spouse names, maiden names, addresses, criminal records, civil judgments and the purchase price of every parcel of property a person has ever owned.

"It was sort of like when I talk with my wife when she's not happy with me," Mr. Curling said of his dealings with some of ChoicePoint's harshest critics. "It's not exactly a dialogue I look forward to, but I can't deny it's important."

He also could not deny his motivations for engaging in these conversations: in the public's mind, ChoicePoint had come to symbolize the cavalier manner in which corporations handled confidential data about consumers. In January, the Federal Trade Commission hit ChoicePoint with a $10 million fine, the largest civil penalty in the agency's history, for security and record-handling procedures that violated the rights of consumers. Under the settlement, it also required ChoicePoint to set aside an additional $5 million to help those suffering financial harm because of its failure to provide adequate safeguards against data breaches.

< BIG SNIP >

http://www.nytimes.com/2006/11/12/business/yourmoney/12choice.html

From adam at homeport.org Mon Nov 13 20:24:36 2006
From: adam at homeport.org (Adam Shostack)
Date: Mon, 13 Nov 2006 20:24:36 -0500
Subject: [Dataloss] Chris Walsh says..
References: <20061113205003.GB16376@cwalsh.org> <20061113205720.GA28376@homeport.org>
Message-ID: <20061114012436.GB10114@homeport.org>

Chris Walsh is having trouble mailing the list because of spam blocking, and asked me to pass this on:

On Mon, Nov 13, 2006 at 07:22:41PM -0600, Chris Walsh wrote:
| ### snip
|
| I'm assisting a researcher with the Government Accountability
| Office. The GAO has been asked by the House Financial Services
| Committee to look into various aspects of security breaches and
| identity theft.
|
| If anyone knows of instances of true identity theft resulting from a
| data breach, could you please pass on the relevant information? This
| is something the GAO folks have specifically asked about, and I
| volunteered to ask the list.
|
| Thanks!
|
| ### snip
|
| Chris
|
| On Nov 13, 2006, at 2:57 PM, Adam Shostack wrote:
|
| >Sure--could you include background etc in a message I can just forward
| >on?
| >

From chris at cwalsh.org Mon Nov 13 23:09:21 2006
From: chris at cwalsh.org (Chris Walsh)
Date: Mon, 13 Nov 2006 22:09:21 -0600
Subject: [Dataloss] Lost British laptop had data on millions
Message-ID: <84531035-5BDF-4022-9A98-94302DCB383D@cwalsh.org>

I need somebody to translate this British into American for me, but it looks like a laptop with millions of account numbers and names just got stolen in the UK.

THE Financial Services Authority is investigating an extraordinary lapse of security at Nationwide building society after a laptop computer containing sensitive customer account information was stolen in a burglary at an employee's home.

Nationwide confirmed the computer held customer information, but insisted that this did not include "pin numbers, passwords, or information about financial transactions".

But banking sources said last night that some reports circulating in the industry have suggested information on several million accounts may have been stored on the machine, whose user was on call. Nationwide declined to give further details, saying it was acting on the advice of the police.

http://business.timesonline.co.uk/article/0,,8209-2449656,00.html

P.S. Spam issue solved. W00t!

From Dissent at pogowasright.org Mon Nov 13 23:46:35 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 13 Nov 2006 23:46:35 -0500 (EST)
Subject: [Dataloss] Lost British laptop had data on millions
In-Reply-To: <84531035-5BDF-4022-9A98-94302DCB383D@cwalsh.org>
References: <84531035-5BDF-4022-9A98-94302DCB383D@cwalsh.org>

Chris Walsh wrote:
> I need somebody to translate this British into American for me, but
> it looks like a laptop with millions of account numbers and names
> just got stolen in the UK.

I share your confusion as to what was compromised. We had posted this story to PogoWasRight.org on Saturday, but I didn't post it here precisely because it wasn't clear what, if any, PII was involved other than names. There was a follow-up story today that we also posted to PogoWasRight, and again, I didn't post it here because it really isn't clear to me that this is PII data loss:

http://news.zdnet.co.uk/security/0,1000000189,39284689,00.htm

Both Nationwide and FSA have refused to say exactly what data was stolen. According to Alan Oliver, Nationwide's head of external affairs, the laptop contained "limited customer information for market research purposes".

The building society is willing to say what had not been stolen. No PINs, passwords or information about financial transactions were contained on the computer, and no account details such as customer names, account numbers or sort codes were compromised, Oliver told ZDNet UK on Monday.

However, there is a chance that the limited customer data stolen could be linked to other information about individuals and used for identity fraud.

[...]
This might be a good time to point out that although we do send a lot of items on to this list, PogoWasRight.org has a broader scope on privacy issues and we do include a number of news stories that may be of interest to people here but that are not appropriate for this mail list. In addition to the items that you see me or Ziplock post here, we also cover news stories on medical identity theft, identity theft that does not necessarily involve large breaches, dumpster stories reported by the public, and other stories that may not be within the scope of this mail list.

Cheers,
Dissent
--
http://www.pogowasright.org
http://www.pogowasright.org/backend/pogowasright.rss

From george at myitaz.com Tue Nov 14 00:47:22 2006
From: george at myitaz.com (George Toft)
Date: Mon, 13 Nov 2006 22:47:22 -0700
Subject: [Dataloss] Lost British laptop had data on millions
In-Reply-To: <84531035-5BDF-4022-9A98-94302DCB383D@cwalsh.org>
References: <84531035-5BDF-4022-9A98-94302DCB383D@cwalsh.org>
Message-ID: <4559586A.5030501@myitaz.com>

IIRC, a Building Society is the same as an American Credit Union and it is focused on home loans.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760

Confidential data protection experts for the financial industry.

Chris Walsh wrote:
> I need somebody to translate this British into American for me, but
> it looks like a laptop with millions of account numbers and names
> just got stolen in the UK.
>
>
> THE Financial Services Authority is investigating an extraordinary
> lapse of security at Nationwide building society after a laptop
> computer containing sensitive customer account information was stolen
> in a burglary at an employee's home.
>
> Nationwide confirmed the computer held customer information, but
> insisted that this did not include "pin numbers, passwords, or
> information about financial transactions".
>
> But banking sources said last night that some reports circulating in
> the industry have suggested information on several million accounts
> may have been stored on the machine, whose user was on call.
> Nationwide declined to give further details, saying it was acting on
> the advice of the police.
>
>
> http://business.timesonline.co.uk/article/0,,8209-2449656,00.html
>
> P.S. Spam issue solved. W00t!
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 141 million compromised records in 469 incidents over 6 years.
>
>
>

From lyger at attrition.org Tue Nov 14 15:04:02 2006
From: lyger at attrition.org (lyger)
Date: Tue, 14 Nov 2006 15:04:02 -0500 (EST)
Subject: [Dataloss] Oklahoma - Data on thousands of college students stolen

http://www.kten.com/Global/story.asp?S=5679797

State education officials say personal information on thousands of college students is on a laptop computer stolen from Connors State College in Warner.

Connors President Donnie Nero says the laptop has been recovered and a Connors State student is under investigation.

Information on the laptop included Social Security numbers and other data on students at Connors and some 22,500 students who receive Oklahoma Higher Learning Access Program, or OHLAP, scholarships.

[...]

From lyger at attrition.org Wed Nov 15 09:01:36 2006
From: lyger at attrition.org (lyger)
Date: Wed, 15 Nov 2006 09:01:36 -0500 (EST)
Subject: [Dataloss] IRS Latest Federal Agency to Lose Laptops

http://www.wtopnews.com/index.php?nid=428&sid=975026

The Internal Revenue Service is the latest federal agency to acknowledge a security breach involving missing laptop computers. The breach once again puts Americans at risk of identity theft.
According to documents obtained by WTOP through the Freedom of Information Act, between 2002 and 2006 year-to-date, the agency charged with collecting taxes and protecting taxpayers' personal information had 478 laptops either lost or stolen.

Of those missing computers, 112 contained sensitive data including the Personal Identifiable Information, such as Social Security numbers, for some U.S. taxpayers.

[...]

From lyger at attrition.org Thu Nov 16 20:05:40 2006
From: lyger at attrition.org (lyger)
Date: Thu, 16 Nov 2006 20:05:40 -0500 (EST)
Subject: [Dataloss] Update: OU upholds firings over computer breaches
Message-ID:

http://www.columbusdispatch.com/news-story.php?story=227147

Two Ohio University computer-systems administrators blamed for hacking incidents will receive neither apologies nor their jobs back.

Provost Kathy Krendel, rejecting a grievance committee's recommendation to reinstate the men with back pay, has upheld the dismissal of Todd Acheson and Tom Reid.

William Sams, departing associate provost for information technology, blamed the pair for the theft of 367,000 files with personal information on OU alumni, students and staff.

[...]

From Dissent at pogowasright.org Thu Nov 16 20:19:36 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 16 Nov 2006 20:19:36 -0500 (EST)
Subject: [Dataloss] Security vendor settles charges after getting hacked
Message-ID:

http://www.networkworld.com/news/2006/111606-security-vendor-settles-charges-after.html

Guidance Software Inc., vendor of computer forensics and security products, has settled a complaint filed by the U.S. Federal Trade Commission (FTC), which accused it of failing to take reasonable security measures to protect sensitive computer data.

Guidance's lax security efforts, which allowed hackers to access sensitive credit-card information for thousands of customers, contradicted promises made on its Web site and violated U.S. law, the FTC said.

[...]

From lyger at attrition.org Fri Nov 17 00:15:48 2006
From: lyger at attrition.org (lyger)
Date: Fri, 17 Nov 2006 00:15:48 -0500 (EST)
Subject: [Dataloss] Avaya breach?
Message-ID:

http://attrition.org/dataloss/Avaya.tif

If anyone has more information to share, please post to list or mail me privately.

From lyger at attrition.org Fri Nov 17 07:59:41 2006
From: lyger at attrition.org (lyger)
Date: Fri, 17 Nov 2006 07:59:41 -0500 (EST)
Subject: [Dataloss] Laptop containing T-Mobile employees' ID data vanishes
Message-ID:

Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://seattlepi.nwsource.com/business/292527_tbrfs16.html

Bellevue's T-Mobile USA Inc. on Wednesday confirmed reports that a laptop computer containing the Social Security number, salary, birth date and home address for as many as 43,000 current and former employees disappeared from an employee's checked luggage.

A company spokesman couldn't say Wednesday when the presumed theft occurred, but he speculated it took place sometime after Aug. 23. He based his speculation on the fact that the laptop contained data on people employed at T-Mobile between May 25 and that date.

[...]

From cwalsh at cwalsh.org Fri Nov 17 10:45:26 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 17 Nov 2006 09:45:26 -0600
Subject: [Dataloss] British RFID passports cracked
Message-ID: <20061117154516.GA2864@cwalsh.org>

Adam Laurie has cracked British RFID passports.

http://www.guardian.co.uk/idcards/story/0,,1950226,00.html

Although a strong crypto algorithm is used to protect the biometric data on the passport, the encryption key used is very poor indeed. It is therefore possible to guess the key and decrypt the traffic. This means that it is possible to clone passports, and illicitly obtain biometric data on passport holders.
From Dissent at pogowasright.org Fri Nov 17 11:46:38 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 17 Nov 2006 11:46:38 -0500 (EST)
Subject: [Dataloss] Students at Risk of Identity Theft
Message-ID:

http://www.wsls.com/servlet/Satellite?pagename=WSLS%2FMGArticle%2FSLS_BasicArticle&c=MGArticle&cid=1149191744743&path=!news!localnews

With one click of the send button, 143 students are now at risk of identity theft. Kyle Bowmaster's name and social security number are among those on a list emailed by Jefferson College of Health Sciences financial aid director Debra Johnson. The email was meant only for one other employee. Instead, it went to every single one of the college's 900 students.

[...]

From Dissent at pogowasright.org Fri Nov 17 12:11:43 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 17 Nov 2006 12:11:43 -0500 (EST)
Subject: [Dataloss] Wesco [update]
Message-ID:

http://www.grandhaventribune.com/paid/287522874733787.bsp

[...]

The potential breach, it initially seemed, stemmed from purchases at Muskegon-based Wesco fuel stations. But federal authorities no longer are certain that the depth and breadth stops there.

The federal investigation continues, at the hands of the U.S. Secret Service and the U.S. Attorney's office. According to the U.S. Attorney's office, several suspects are in custody throughout the United States.

[...]

Richard Murray, assistant U. S. Attorney for the Western District of West Michigan, said the potential fraud is part of an ongoing investigation. He said several suspects are in custody, although he would not say where. Murray said a suspect recently was apprehended and is being held in Ohio.

"We're still analyzing the data," said Murray, who works out of the Grand Rapids-based federal office. "We don't have any information to indicate a specific data breach. We don't know for sure what happened."

Murray said all Wesco fuel pumps have been inspected and it's unlikely an unwelcome card reader recorded information directly from credit card swipes at the pump.

"At this point we're pursuing all avenues," Murray said. "We don't have any reason to think Western Michigan was targeted specifically. If it was an insider, which we're not saying it is, but that person knew where the data was coming from. Hackers, if they're breaking into a network, don't care where the machine is. They just care where the data is."

[...]

Seyferth said she's received reports and calls from consumers experiencing similar questionable fraudulent charges who say they've never shopped at Wesco.

"This is happening in places where there are no Wescos," said Jill Maitzen, a manager at the Fifth Third Ferrysburg Branch, who has also received fraud complaints from people who have never shopped at Wesco. "This seems to be international and (card numbers) are being sold all over the world."

The Tribune has also received similar reports from readers of potentially questionable credit card postings well beyond September.

"It's possible other merchants are involved," said Murray, the federal attorney. "That's what we're trying to clarify. It seemed out of proportion to Wesco but we're a little taken aback on the scale that this seems to be reaching. We're trying to figure out if there's something bigger going on than what we thought initially. We're not quite ready for something of this scope. We don't have a squad of people to handle it."

Murray said many credit card companies are reissuing new numbers and credit cards to consumers for precautionary reasons.

[...]
From ziplock at pogowasright.org Mon Nov 20 13:00:18 2006
From: ziplock at pogowasright.org (ziplock)
Date: Mon, 20 Nov 2006 13:00:18 -0500 (EST)
Subject: [Dataloss] Confidential ACS files found dumped on street
Message-ID:

http://www.nydailynews.com/front/story/473188p-398034c.html

Confidential ACS files found dumped on street

More than 200 case files filled with confidential information about the city's most at-risk children were dumped on a Manhattan streetcorner, the Daily News has found.

The unshredded Administration for Children's Services files - tossed out in a ripped, clear plastic garbage bag - contained highly sensitive personal data about families, social workers and police involved in agency cases dating from 2000-2001.

[...]

From Dissent at pogowasright.org Tue Nov 21 15:11:20 2006
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 21 Nov 2006 15:11:20 -0500 (EST)
Subject: [Dataloss] Stolen laptop has science centre's membership list
Message-ID:

http://www.towncrieronline.ca/main/main.php?direction=viewstory&storyid=5847&rootcatid=8&rootsubcatid=%23rootsubcatid

Ontario Science Centre officials are urging its members to remain confident that their personal information is safe after a laptop was recently stolen from the popular city attraction.

Anna Relyea, associate director, strategic communications for the OSC said the laptop that included a database with members' registration information was stolen on Sept. 18. It was taken from a locked office in the Don Mills and Eglinton area building.

"This was an unfortunate incident to happen," she said. "But both the laptop and database were separately password protected so ultimate security was available (to limit the possible damage)."

Bob Spence, spokesperson for the province's information and privacy commission, said two groups of information were on the laptop, one with names and addresses and the other with credit card information.

[...]

From lyger at attrition.org Tue Nov 21 17:23:31 2006
From: lyger at attrition.org (lyger)
Date: Tue, 21 Nov 2006 17:23:31 -0500 (EST)
Subject: [Dataloss] Update: DOT says suspects in custody, no ID theft from stolen laptops
Message-ID:

http://www.jacksonville.com/apnews/stories/112106/D8LHN9M00.shtml

MIAMI - Two suspects have been arrested in the July theft of a U.S. government laptop computer containing sensitive information about more than 130,000 people and authorities said Tuesday it appears that no data breaches have occurred.

The U.S. Department of Transportation's Office of Inspector General said the suspects were arrested during a surveillance operation with the FBI and local police of a Miami-area Latin American Grill restaurant parking lot where the original DOT laptop was stolen from a government agent's vehicle on July 27.

[...]

From lyger at attrition.org Tue Nov 21 18:21:21 2006
From: lyger at attrition.org (lyger)
Date: Tue, 21 Nov 2006 18:21:21 -0500 (EST)
Subject: [Dataloss] UK: Laptop thief lands the bank details of 15,000 policemen
Message-ID:

http://www.thisislondon.co.uk/news/article-23375377-details/Laptop+thief+lands+the+bank+details+of+15,000+policemen/article.do

A burglar has stolen bank account details of more than 15,000 Scotland Yard officers following a huge security blunder, it emerged last night.

Sensitive financial information about high-ranking officers, thought to include Metropolitan Police Commissioner Sir Ian Blair, and anti-terrorist detectives were stored on three laptops stolen from the company responsible for the force's pay and pensions services.

Last night, a major security review was under way at Britain's biggest force amid fears the thief could steal vast sums of money from officers' accounts.

[...]
From lyger at attrition.org Tue Nov 21 18:31:56 2006
From: lyger at attrition.org (lyger)
Date: Tue, 21 Nov 2006 18:31:56 -0500 (EST)
Subject: [Dataloss] Admin: Out Of Office Bounces
Message-ID:

Quick reminder: with the holiday season upon us, if you choose to set an "out of office" message while away, please keep in mind that anyone who posts to the Data Loss mail list during your absence will receive your automated response. All accounts bouncing "out of office" messages back to list moderators will be set to "no mail", which means you will still be subscribed to the list but will not receive list posts until you contact us to reset your account to "mail".

Thanks and happy holidays,

Lyger

From Dissent at pogowasright.org Sat Nov 25 11:50:36 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 25 Nov 2006 11:50:36 -0500 (EST)
Subject: [Dataloss] Women alerted to ID theft risk
Message-ID:

http://www.courierpress.com/news/2006/nov/25/women-alerted-to-id-theft-risk/

More than 7,500 Hoosier women are at risk of identity theft after two computers containing protected health information collected for the state were stolen earlier this month.

The computers were taken from a health center in Jeffersonville, Ind., that contracted with the Indiana Department of Health to manage information in the state's Breast and Cervical Cancer Program, department spokesman Erik Deckers said.

The personal information of women, whose BCCP-participating health-care providers are located in the lower third of the state, is stored on the computers stolen sometime the night of Nov. 6.

[...]

Data stored on the computers may include a woman's name, address, birthday and Social Security number as well as some medical and billing information, Deckers said.

The data is protected by two passwords: one required to log onto the computer and one to access the BCCP information.

[...]

From lyger at attrition.org Mon Nov 27 09:57:34 2006
From: lyger at attrition.org (lyger)
Date: Mon, 27 Nov 2006 09:57:34 -0500 (EST)
Subject: [Dataloss] Chicago - Personal data of former school employees mistakenly mailed
Message-ID:

http://www.belleville.com/mld/belleville/news/state/16107802.htm

The names, Social Security numbers and home addresses of nearly 1,740 former school employees in Chicago were mailed by mistake, prompting concerns the information could be used for identity theft.

All Printing & Graphics Inc., which Chicago Public Schools hired to print and mail a packet of health-insurance information to the former employees, said Sunday that it hadn't realized one document it sent contained the personal data.

[...]

From Dissent at pogowasright.org Mon Nov 27 18:08:47 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 27 Nov 2006 18:08:47 -0500 (EST)
Subject: [Dataloss] School district sold computers with personal information
Message-ID:

http://www.myrtlebeachonline.com/mld/myrtlebeachonline/news/local/16109822.htm

The Greenville County School District sold computers that contained Social Security numbers and birthdates for roughly 100,000 students and at least 1,000 employees, according to a district official and the buyers' attorney.

The two buyers never released the information found in computers they bought at a dozen school district auctions between 1999 and last March, but worry about other computers sold, their attorney David Gantt told The Greenville News.

The businessmen went public about their findings after the district repeatedly ignored their warnings and continued to sell computers without removing the data, Gantt told the newspaper.

[...]

Discovered data included addresses, phone numbers, medical information, personnel evaluations, driver's license numbers and Department of Juvenile Justice records, Gantt said.

[...]
From Dissent at pogowasright.org Mon Nov 27 19:10:55 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 27 Nov 2006 19:10:55 -0500 (EST)
Subject: [Dataloss] County Mistakenly Posts Personal Taxpayer Info Online
Message-ID:

http://www.wral.com/news/10407868/detail.html

SMITHFIELD, N.C. -- Johnston County officials recently posted personal information for thousands of residents, including Social Security numbers, on the county Web site by mistake.

A resident discovered the information by searching his own address on the Google search engine. In addition to seeing his own Social Security number online, the man, who wanted to remain anonymous, said he found another man's name, address, Social Security number and information that he was retired.

When the man clicked on a link, he said it took him to the Johnston County Web site, where tax office files contained thousands of other names and identifying information.

"That contains more information that folks would want out there -- cell phone numbers, in some cases I think, Social Security numbers," County Manager Rick Hester said, adding that the information was taken off the county Web site within an hour of officials learning about it.

County technology officials said the names are part of an annual list the tax office puts together for financial institutions. The personal information ended up in the file by mistake and might have been online for five or six weeks, officials said.

[...]

From lyger at attrition.org Tue Nov 28 12:47:40 2006
From: lyger at attrition.org (lyger)
Date: Tue, 28 Nov 2006 12:47:40 -0500 (EST)
Subject: [Dataloss] Kaiser laptop with patient information stolen
Message-ID:

http://denver.bizjournals.com/denver/stories/2006/11/27/daily13.html

Kaiser Permanente Colorado is notifying about 38,000 members about a possible security breach of their private health information.

The information was on a laptop that was stolen from the personal car of a national Kaiser Permanente employee in California. Information on the laptop included names, member ID numbers, date of birth, age, gender and provider/physician information. No social security information was involved.

[...]

From rforno at infowarrior.org Wed Nov 29 14:31:55 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 29 Nov 2006 14:31:55 -0500
Subject: [Dataloss] Citizenship Agency Lost 111,000 Files
Message-ID:

Citizenship Agency Lost 111,000 Files

By Spencer S. Hsu
Washington Post Staff Writer
Wednesday, November 29, 2006; Page A21

http://www.washingtonpost.com/wp-dyn/content/article/2006/11/28/AR2006112801402.html

U.S. Citizenship and Immigration Services has lost track of 111,000 files in 14 of the agency's busiest district offices and processed as many as 30,000 citizenship applications last year without the necessary files, congressional investigators reported yesterday.

The Government Accountability Office, Congress's audit arm, conducted the review at the request of Sens. Charles E. Grassley (R-Iowa) and Susan Collins (R-Maine) after U.S. authorities granted citizenship in 2002 to a man without checking his primary file. The file, which was lost, indicated ties to the militant Islamic group Hezbollah.

"It only takes one missing file of somebody with links to a terrorist organization to become an American citizen," said Grassley, who is chairman of the Senate Finance Committee. "We can't afford to be handing out citizenship with blinders on."

Collins, head of the Senate Homeland Security Committee, noted that some of the Sept. 11 hijackers entered the U.S. legally, disappearing until the terrorist attacks. She called it "unthinkable" that the U.S. immigration system could still grant citizenship to a potential terrorist "simply because they can't find the person's file."

An agency official said workers probably checked most of the files but failed to make note of it.

The GAO report, dated Oct. 27 and released by the senators yesterday, underscored long-standing problems at the agency, which was created out of the Immigration and Naturalization Service and is expected to bear the brunt of administering new rules if Congress overhauls immigration policy.

The $1.8 billion agency handled 7.5 million applications for immigration benefits in 2005 but relies on paper files. The agency awarded a five-year, $150 million contract in August to begin digitizing 55 million "alien files," or A-files, but for now it still relies on paper files.

The GAO found that the agency's workers failed to record A-file use in processing 30,000 of 715,000 naturalization cases last year, or 4 percent of cases. The GAO also found that as of July 27, Citizenship and Immigration Services' electronic tracking system reported that 111,000 A-files were lost in the 14 offices that manage two-thirds of naturalization cases.

Steven J. Pecinovsky, an agency liaison to the GAO, said workers are not required to note that they have checked A-files but will be in the future. A 2005 internal audit found a much lower incidence of unchecked A-files than the GAO cited -- about 0.5 percent.

The GAO also cited internal audits that found that 21 percent of files were not where they were supposed to be in Immigration Services' San Diego office in 2005 and that 6 percent of files could not be found in the Los Angeles office earlier this year.

From lyger at attrition.org Wed Nov 29 20:35:05 2006
From: lyger at attrition.org (lyger)
Date: Wed, 29 Nov 2006 20:35:05 -0500 (EST)
Subject: [Dataloss] California: Stolen Drive Puts Faculty, Student Info At Risk
Message-ID:

Courtesy PogoWasRight.org (http://pogowasright.org):

http://cbs2.com/topstories/local_story_332234121.html

Personal information of 48 faculty members and more than 2,500 students and applicants of a Cal State L.A.
teacher credential program was on a portable disk drive that was recently stolen, authorities said Tuesday.

The university's Charter College of Education is notifying 2,534 people enrolled or who have applied to its credential program between 2003 and 2006 of the security breach.

[...]

From Dissent at pogowasright.org Thu Nov 30 18:04:30 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 30 Nov 2006 18:04:30 -0500 (EST)
Subject: [Dataloss] Personal data at risk after Pa. DOT robbery
Message-ID:

http://www.msnbc.msn.com/id/15974532/

DUNMORE, Pa. - Thieves who broke into a driver's license center stole equipment to make fraudulent licenses and got away with computers containing personal information on more than 11,000 customers, officials said Thursday.

[...]

They also stole two computers that contained information on nearly 11,400 customers. The information on the computers included names, addresses, dates of birth, drivers' license numbers and at least partial Social Security numbers. The data included complete Social Security numbers for 5,348 customers, officials said.

From Dissent at pogowasright.org Thu Nov 30 18:45:49 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 30 Nov 2006 18:45:49 -0500 (EST)
Subject: [Dataloss] Credit Bureau Security Breached
Message-ID:

http://www.kxan.com/Global/story.asp?S=5752352&nav=menu73_2

TransUnion Credit Bureau is investigating who was able to get into their database and illegally download hundreds of people's personal information.

[...]

According to the information we have, four different scam companies across the country got more than 1,700 people's credit information after someone obtained the TransUnion log in information from a courthouse in Kingman, Arizona. With that login password, they were able to randomly get the entire credit histories and social security numbers from hundreds of people.

None of those people had anything to do with Kingman, but being a government entity, all the hackers needed was one password to gain information on anyone in the country.

[...]