From lyger at attrition.org Fri Feb 1 01:35:29 2008
From: lyger at attrition.org (lyger)
Date: Fri, 1 Feb 2008 01:35:29 +0000 (UTC)
Subject: [Dataloss] SC: Laptop with 400 state workers' Social Security numbers missing
Message-ID:

http://www.timesanddemocrat.com/articles/2008/01/31/ap-state-sc/d8uh6a2g1.txt

A laptop containing the names and Social Security numbers of around 400 state health department employees is missing.

The Department of Health and Environmental Control says the computer was inside a worker's vehicle when it was stolen last week from a Spartanburg convenience store.

State officials say the password-protected computer contains personal information of state health department workers from Spartanburg, Cherokee, Union, Greenville and Pickens counties.

[...]

From lyger at attrition.org Fri Feb 1 04:07:37 2008
From: lyger at attrition.org (lyger)
Date: Fri, 1 Feb 2008 04:07:37 +0000 (UTC)
Subject: [Dataloss] MN: Doctor Loses Flash Drive With Patient Information
Message-ID:

http://wcco.com/health/doctor.patient.information.2.642107.html

Parents with fertility problems know that it's a very private struggle. Couples often don't even tell close friends or relatives they're having trouble having a baby.

That's why the loss of patient information at the University of Minnesota's Reproductive Medicine Center has leaders there especially worried.

Dr. Theodore Nagel, a doctor at the fertility clinic, lost a flash drive that he used to back up his computer. The drive holds details of infertility treatments for 3,100 patients going back to 1999.

[...]
From mhill at idtexperts.com Fri Feb 1 13:28:49 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Fri, 1 Feb 2008 08:28:49 -0500
Subject: [Dataloss] Personal data potentially compromised
Message-ID: <000a01c864d6$61cfb3c0$6501a8c0@mkevhill>

http://www.okinawa.usmc.mil/Public%20Affairs%20Info/Archive%20News%20Pages/2008/080201-personal.html

CAMP FOSTER, Okinawa (February 1, 2008) -- Marine Corps Bases Japan officials are investigating the Jan. 11 theft of a laptop computer, which contained personally identifiable information for as many as 4,000 clients of Marine Corps Community Services' New Parent Support Program.

According to Marine Corps officials, the laptop may contain names, ranks, social security numbers, dates of birth, children's names and mailing addresses of U.S. military service members, U.S. government employees and Status of Forces Agreement personnel on Okinawa and Marine Corps Air Station Iwakuni. It does not include driver's license numbers or bank and credit card information.

"The Marine Corps takes very seriously its responsibility to safeguard the personal information of its service members, their families and government employees," said 1st Lt. Garron Garn, a Marine Corps Bases Japan spokesman. "Our information systems are password protected and our users are educated on ways to protect personally identifiable information."

Marine Corps Bases Japan and MCCS officials are working together with J&E Associates, a federal contractor for MCCS and owner of the computer, to notify potentially affected personnel as soon as possible, according to Garn.

There is no evidence the information has been misused. Anyone concerned about their information being compromised should contact the New Parent Support Program at 645-0396.
Marine Corps officials encourage service members, their families and government employees who think their information has potentially been compromised to visit www.consumer.gov/idtheft for protective actions against identity theft. Additionally, they may place a fraud alert on their credit files for up to 24 months by contacting one of the three national credit bureaus: Equifax at (800) 766-0008, Transunion at (800) 680-7289, or Experian at (888) 397-3742. A fraud alert will generate a free credit report that should be reviewed for suspicious activity.

Michael Hill
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751

From hbrown at knology.net Fri Feb 1 21:21:22 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 01 Feb 2008 15:21:22 -0600
Subject: [Dataloss] ID thieves arrested
Message-ID: <47A38D52.6060406@knology.net>

From the Sherman Texas Herald Democrat
http://tinyurl.com/2ypoup

SHERMAN - In what might turn out to be a multistate or national criminal operation, Sherman Police jailed four Metroplex-area residents Wednesday morning after finding them in possession of identity and financial information belonging to thousands of people. Six others are also considered suspects.

[...]

It was when they declined to let them into the second room that the officers, because there was marijuana found, called narcotics agents to the scene, who in turn obtained a search warrant.

The search uncovered four laptop computers inside the second room, and in vehicles later determined to have been rentals, plus a color printer, several briefcases, and a two-drawer metal filing cabinet, tossed into the back seat of one of those vehicles with its keys in the lock.
The file cabinet and briefcases were filled with thousands of people's personal identity, IRS tax information, banking information, credit reports, and other financial information. So much information is there, said one narcotics officer, that they will be asking other agencies for help in sorting through the evidence.

[...]

The police didn't want to rush with the felony charges now, Dawsey said, because they have so much information and evidence to sift through that they don't want to compromise the case.

Police have determined that each of the 10 people involved is a U.S. citizen, but has Nigerian connections. None could show proof of employment, so the police department, under state law, will begin civil forfeiture procedures on the cash.

From jericho at attrition.org Sat Feb 2 06:56:34 2008
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 2 Feb 2008 06:56:34 +0000 (UTC)
Subject: [Dataloss] legal: California Senate Passes Identity Theft Bill 40-0
Message-ID:

---------- Forwarded message ----------
From: Paul Ferguson

Via CBS5.com.

[snip]

The California State Senate passed a bill Friday that would allow prosecution for identity theft cases in the county where the victim resides.

State Sen. Joe Simitian, D-Palo Alto, co-authored Senate Bill 612 and praised fellow senators Friday for voting 40-0 in favor of the legislation.

Current law permits prosecution in the county where the theft occurred, or where the information was illegally used, even when both locations are hundreds of miles from the victim's home, according to Simitian's office.
[snip]

More: http://cbs5.com/local/identity.theft.bill.2.644169.html

From lyger at attrition.org Sat Feb 2 16:38:06 2008
From: lyger at attrition.org (lyger)
Date: Sat, 2 Feb 2008 16:38:06 +0000 (UTC)
Subject: [Dataloss] MA: Thieves remove personal information in Providence Diocese theft
Message-ID:

http://www.boston.com/news/local/rhode_island/articles/2008/02/02/thieves_remove_personal_information_in_providence_diocese_theft/

Thieves who broke into the Diocese of Providence stole a computer that contained a major amount of personal data on diocese employees.

Diocese spokesman Michael Guilfoyle said the theft occurred last weekend between Friday night and Saturday morning. He said four computers were taken, and one had personal information on about 5,000 current and former Catholic school employees.

[...]

From jericho at attrition.org Tue Feb 5 10:20:14 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 5 Feb 2008 10:20:14 +0000 (UTC)
Subject: [Dataloss] Calif. Considers Expanding Data Breach Notification Rules
Message-ID:

---------- Forwarded message ----------
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"

The California State Senate passed a data breach bill that requires notices to explain clearly what has happened and what people can do to protect themselves.

Calif. Considers Expanding Data Breach Notification Rules -- Data Breach Notification:
http://www.informationweek.com/news/showArticle.jhtml?articleID=206103872&cid=nl_IWK_daily

SB 364 Senate Bill - AMENDED:
http://www.leginfo.ca.gov/pub/07-08/bill/sen/sb_0351-0400/sb_364_bill_20080128_amended_sen_v96.html

From chris at cwalsh.org Tue Feb 5 19:44:31 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Tue, 5 Feb 2008 13:44:31 -0600
Subject: [Dataloss] Calif. Considers Expanding Data Breach Notification Rules
In-Reply-To:
References:
Message-ID: <20080205194431.GB40598@fripp.cwalsh.org>

If you look at the second link, it appears that requirements to post the reports on-line were stricken from the bill. That's too bad.

Chris

On Tue, Feb 05, 2008 at 10:20:14AM +0000, security curmudgeon wrote:
> ---------- Forwarded message ----------
> From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> Notification:
> http://www.informationweek.com/news/showArticle.jhtml?articleID=206103872&cid=nl_IWK_daily
>
> SB 364 Senate Bill - AMENDED:
> http://www.leginfo.ca.gov/pub/07-08/bill/sen/sb_0351-0400/sb_364_bill_20080128_amended_sen_v96.html

From SSteele at infolocktech.com Tue Feb 5 19:58:45 2008
From: SSteele at infolocktech.com (Sean Steele)
Date: Tue, 5 Feb 2008 14:58:45 -0500
Subject: [Dataloss] FOIA request(s)?
Message-ID: <90D8CEF754D7D9448BA11172BB50443207F697B0@orange.brnets.int>

Hi all,

I'm looking for advice regarding and experiences with FOIA requests to state/municipal government(s), for data breach and related information. Have you been able to successfully request? If so, how? Do you have tips, tricks, hints, strategies, etc.?

I can take my responses off-list if that's more appropriate.

Thanks all,

--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
703.504.9000 x219 direct
202.270.8672 mobile
ssteele at infolocktech.com

From bgivens at privacyrights.org Tue Feb 5 20:52:25 2008
From: bgivens at privacyrights.org (Beth Givens)
Date: Tue, 05 Feb 2008 12:52:25 -0800
Subject: [Dataloss] Calif. Considers Expanding Data Breach Notification Rules
In-Reply-To: <20080205194431.GB40598@fripp.cwalsh.org>
References: <20080205194431.GB40598@fripp.cwalsh.org>
Message-ID: <7.0.1.0.2.20080205125017.03454450@privacyrights.org>

Yes, it is too bad.
The state of California is in a serious budget crisis. Any bills that cost money -- even if only a small amount -- are likely to be vetoed. We'll need to address this incrementally. Perhaps we can try again for this provision in a few years.

Beth Givens

At 11:44 AM 2/5/2008, you wrote:
>If you look at the second link, it appears that requirements to post
>the reports on-line were
>stricken from the bill. That's too bad.
>
>Chris
>
>On Tue, Feb 05, 2008 at 10:20:14AM +0000, security curmudgeon wrote:
> > ---------- Forwarded message ----------
> > From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
> > > Notification:
> > > http://www.informationweek.com/news/showArticle.jhtml?articleID=206103872&cid=nl_IWK_daily
> > >
> > SB 364 Senate Bill - AMENDED:
> > > http://www.leginfo.ca.gov/pub/07-08/bill/sen/sb_0351-0400/sb_364_bill_20080128_amended_sen_v96.html

The information, advice, and suggestions contained in this email should be used as an information source and not as legal advice.

Beth Givens, Director
Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
San Diego, CA 92103
Voice: 619-298-3396
Fax: 619-298-5681
bgivens at privacyrights.org
http://www.privacyrights.org
+++++++++++++++++++++++++++++++++++++
Join our email newsletter.
http://www.privacyrights.org/subscribe.htm

From fergdawg at netzero.net Wed Feb 6 02:28:38 2008
From: fergdawg at netzero.net (Paul Ferguson)
Date: Wed, 6 Feb 2008 02:28:38 GMT
Subject: [Dataloss] Industry Giants Lobby to Kill Pro-Consumer Data-Breach Legislation
Message-ID: <20080205.182838.13581.3@webmail15.vgs.untd.com>

Via the C|Net "surveill at nce st at te" Blog.

[snip]

In a direct slap in the face to consumers, tech industry giants including Microsoft, AT&T, and Verizon are frantically engaged in an effort to kill pro-consumer provisions in a data breach notification bill currently being considered by the Indiana State Senate.

The bill would require that the state attorney general act as a single point of contact for data breaches. Any company that suffered a breach impacting one or more Indiana consumers would be required to notify the AG's office. The bill would also make Indiana the only state in the country to require the attorney general to post a copy of each report to its Web site--so that consumers, members of the press, and academics would have a single place to go to in order to find out about data breaches.

At a State Senate committee meeting this morning, lobbyist after lobbyist criticized the provision.

[snip]

More: http://www.cnet.com/8301-13739_1-9865076-46.html

- - ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

From chris at cwalsh.org Wed Feb 6 03:33:16 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Tue, 5 Feb 2008 21:33:16 -0600
Subject: [Dataloss] FOIA request(s)?
In-Reply-To: <90D8CEF754D7D9448BA11172BB50443207F697B0@orange.brnets.int>
References: <90D8CEF754D7D9448BA11172BB50443207F697B0@orange.brnets.int>
Message-ID:

Sean:

Only a few states require breaches to be reported to any kind of state agency -- NY, NJ, NH, NC and (IIRC) ME are the ones. I FOIA'ed NJ, NC, and NY. NH publishes breach reports on a web site anyway, and I haven't tried ME yet. IN may join the club, but the law hasn't been passed as yet.

Results:

NY has been very forthcoming. I have every breach report they have received from the start of their law until mid-2007. Another request will go out in a week or so.

NC was slower than NY, but sent me a bunch of stuff. I owe them another request.

NJ says the info is exempt from disclosure because it is reported to the state police. This is debatable, IMNSHO. I am surprised a suit hasn't been filed.

Drop me a line if you want a zip file of the docs I have scanned so far.

cw

On Feb 5, 2008, at 1:58 PM, Sean Steele wrote:
> Hi all, I'm looking for advice regarding and experiences with FOIA
> requests to state/municipal government(s), for data breach and
> related information. Have you been able to successfully request, if
> so how, do you have tips, tricks, hints, strategies, etc.
>
>

From jericho at attrition.org Wed Feb 6 08:23:24 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 6 Feb 2008 08:23:24 +0000 (UTC)
Subject: [Dataloss] follow-up: How TJX Avoided Wall Street's Wrath
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.cio.com/article/179603

By Thomas Wailgum
February 05, 2008
CIO.com

By the end of 2007, The TJX Companies, which owns T.J. Maxx, HomeGoods and Marshalls stores, had reported that approximately 100 million credit and debit card owners' information had been compromised by hackers, possibly dating back to 2003. The size and scope of the breach, as well as the lack of adequate security controls to mitigate the criminal activity, were breathtaking.

And yet Wall Street analysts didn't seem to care. In January 2007, when TJX first announced the "unauthorized intrusions," its stock traded around $29. The price hit a low of $26 in the spring as the scope of the breach expanded, but the stock price rebounded to a high of $32 in the fall. (In early February 2008, it was still trading around $32.)

In fact, the lack of financial fury by the analyst community was entirely predictable. Research from Emory University's Marketing Institute in 2006 found that when a company announces a security breach its stock price drops between 0.6 percent and 2.1 percent, which is usually not a huge hit to the bottom line.

To retail analyst Paula Rosenblum, a managing partner with Retail Systems Research, the reason why TJX was able to escape unscathed is simple: TJX's customers didn't care, so why should Wall Street?

[..]

From lyger at attrition.org Thu Feb 7 15:05:39 2008
From: lyger at attrition.org (lyger)
Date: Thu, 7 Feb 2008 15:05:39 +0000 (UTC)
Subject: [Dataloss] (update) NC: Missing laptop has workers' Social Security numbers
Message-ID:

http://www.newsobserver.com/news/wake/story/929880.html

A missing laptop computer belonging to Wake County Emergency Medical Services may contain personnel information about as many as 3,454 emergency workers.

Wake County officials previously said the laptop contained names, addresses and Social Security numbers of as many as 850 patients. They have raised that estimate to 1,188.

County spokesman Marshall Parrish said today that the laptop also may have the names and Social Security numbers of 3,454 emergency personnel.
The number includes county paramedics, firefighters and contracted emergency medical technicians and paramedics from municipal agencies.

[...]

From lyger at attrition.org Fri Feb 8 00:31:29 2008
From: lyger at attrition.org (lyger)
Date: Fri, 8 Feb 2008 00:31:29 +0000 (UTC)
Subject: [Dataloss] (update) UK: Personnel may sue MoD over stolen laptop data
Message-ID:

http://www.theherald.co.uk/news/other/display.var.2028852.0.Personnel_may_sue_MoD_over_stolen_laptop_data.php

A number of serving or former military personnel whose personal and financial details were on a laptop stolen in Birmingham last month are considering suing the Ministry of Defence under the Data Protection Act.

More than 600,000 names of those who had either joined the RAF, Royal Navy or Royal Marines or expressed an interest in doing so since 1997 were on the unencrypted hard-drive taken from a parked car on January 9.

The information also included thousands of home addresses, individuals' bank details, passport and National Insurance numbers, leading to fears of identity theft or the targeting of armed forces' personnel by terrorists.

The MoD then admitted that two other laptops containing similar recruitment information dating back as far as 1969 had also gone missing in 2005 and 2006. Neither has been recovered.

[...]

From lyger at attrition.org Fri Feb 8 00:52:31 2008
From: lyger at attrition.org (lyger)
Date: Fri, 8 Feb 2008 00:52:31 +0000 (UTC)
Subject: [Dataloss] IN: Memorial Hospital loses laptop containing sensitive employee data
Message-ID:

http://www.wsbt.com/news/local/15408791.html

Missing information at one of the area's largest employers could put thousands at risk. Memorial Hospital has notified employees that a laptop containing personal information is missing.

An employee lost the laptop while traveling in November.

[.]
This week employees received a letter warning them that the missing computer contains their names, addresses, birth dates, ID numbers and social security numbers. It affects about 4,300 full and part-time employees and retirees.

[...]

From lyger at attrition.org Sat Feb 9 00:30:02 2008
From: lyger at attrition.org (lyger)
Date: Sat, 9 Feb 2008 00:30:02 +0000 (UTC)
Subject: [Dataloss] MLSgear.com site hit by SQL injection attacks; personal data of customers compromised
Message-ID:

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9061858&taxonomyId=17&intsrc=kc_top

A series of SQL injection attacks on servers hosted by a third-party service provider has compromised the personal data of an unspecified number of individuals who had shopped on Major League Soccer's MLSgear.com Web site.

The compromised information included names, addresses, credit and debit card data, and MLSgear.com passwords, MLS President Mark Abbott said in a letter sent to affected individuals on Feb. 1. MLSgear.com is the soccer league's official online store.

The incident was first reported by PogoWasRight.org, a blog that tracks data breaches. The blog site also posted a link to a notice that was sent by MLSgear.com to the office of New Hampshire's attorney general, informing the AG of the breach and saying that it affected 169 New Hampshire residents

[...]

From hbrown at knology.net Mon Feb 11 16:23:21 2008
From: hbrown at knology.net (Henry Brown)
Date: Mon, 11 Feb 2008 10:23:21 -0600
Subject: [Dataloss] Seattle Wa. company loses laptop
Message-ID: <47B07679.7010001@knology.net>

http://www.pogowasright.org/article.php?story=20080210130455236

Computer stolen from Administrative Systems, Inc. contained sensitive personal information

A desktop computer stolen from an Administrative Systems, Inc. (ASI) office in Seattle on December 29th contained names and sensitive information about customers or employees of several of the firm's clients: Continental American Medical, EyeMed Vision/Kelly Services Vision, and Jefferson Pilot Financial Dental.

ASI provides third party administrative services to insurance and financial firms, such as processing employee applications for insurance coverage, issuing of insurance plans and employee certificates, managing premium billing and collection for insurance plans, responding to customer service requests and other record-keeping functions.

Individuals who were affected by the theft were notified by letter on February 9th. According to a web site created to provide some information and resources about the incident, personal details may have included name, date of birth, mailing address, and Social Security number, depending on the service being provided. According to ASI, information on the stolen computer did not include credit card information or driver's license numbers.

In its notification letter, ASI did not indicate whether the data were encrypted nor why it took over a month for individuals to be notified of the theft, but the letter signed by William J. Hill, President of Administrative Systems, Inc., noted that "We have tightened our security measures to provide greater protection for the information we maintain and are working closely with local authorities to minimize future risks."

[...]
From lyger at attrition.org Mon Feb 11 23:29:08 2008
From: lyger at attrition.org (lyger)
Date: Mon, 11 Feb 2008 23:29:08 +0000 (UTC)
Subject: [Dataloss] More Colleges Suffered Data Losses in 2007 Than in 2006, Study Finds
Message-ID:

http://chronicle.com/wiredcampus/index.php?id=2734

More than a million private records of students were compromised in campus-security breaches in the United States last year, and the number of colleges reporting such incidents was far higher than the previous year, according to a study that analyzed reports on computer security by the news media and computer-security organizations.

[.]

The study was done by Adam D. Dodge of the Educational Security Incidents Web site. The project started while Mr. Dodge was a graduate student in computer security at Norwich University. He now works as the assistant director for information security at Eastern Illinois University, but he says his work on the report is not connected with his role there.

[...]

From lyger at attrition.org Mon Feb 11 23:51:55 2008
From: lyger at attrition.org (lyger)
Date: Mon, 11 Feb 2008 23:51:55 +0000 (UTC)
Subject: [Dataloss] CO: Student Info Stolen in Home Robbery
Message-ID:

http://www.myfoxcolorado.com/myfox/pages/Home/Detail;jsessionid=FD9D9CBC7B011294BC386498C0721183?contentId=5743958&version=1&locale=EN-US&layoutCode=TSTY&pageId=1.1.1&sflg=1

A Jeffco Public Schools laptop stolen from an employee's home is prompting concerns by the school district that sensitive student information has fallen into the wrong hands.

On Monday, Jan. 28, a special education technician had a personal laptop and jump drive stolen during a home robbery in Arvada. The jump drive may have contained the following information for as many as 2,900 special education students.
* Student name and date of birth
* Student ID number (this is not a Social Security number, but rather a school district identification number only)
* School location
* If the student has received district transportation
* Additional information such as parent or guardian name and contact information, may also have been on the jump drive.

[...]

From dbloys at door.net Tue Feb 12 01:29:45 2008
From: dbloys at door.net (David Bloys)
Date: Mon, 11 Feb 2008 19:29:45 -0600
Subject: [Dataloss] County Will Charge To Alert Residents When County Breaches Their Identity
In-Reply-To:
Message-ID: <005501c86d16$c234afc0$0202a8c0@Office>

A county in Illinois has decided to charge a fee to residents who want to be notified when the county website exposes their Social Security numbers online.

http://www.davickservices.com/IL_Co_offers_ID_Service.htm

From lyger at attrition.org Tue Feb 12 12:42:02 2008
From: lyger at attrition.org (lyger)
Date: Tue, 12 Feb 2008 12:42:02 +0000 (UTC)
Subject: [Dataloss] CA: School workers' personal data lifted
Message-ID:

http://www.modbee.com/local/story/208868.html

A computer hard drive holding the names, addresses, birth dates and Social Security numbers of Modesto City Schools' 3,500 employees was stolen early Monday from a Southern California data processing firm, district officials said.

The hard drive and three monitors were stolen at 4:30 a.m. in a "window smash" burglary, said Sgt. Linda King with the Fullerton Police Department. She had no information about witnesses or suspects.

The burglary happened at Systematic Automation Inc. in Fullerton. The firm prints annual, customized statements for each district employee with a summary of his or her health and other employee benefits.

[...]
From lyger at attrition.org Tue Feb 12 14:21:05 2008
From: lyger at attrition.org (lyger)
Date: Tue, 12 Feb 2008 14:21:05 +0000 (UTC)
Subject: [Dataloss] NY: LIU: Defect puts students at risk of ID theft
Message-ID:

(A new breach type category... "missing adhesive".)

http://www.newsday.com/news/local/ny-liiden125573734feb12,0,6745463.story

Long Island University has sent letters to 25,000 to 30,000 students informing them that tax forms mailed to them last week in "defective mailers" might have led to identity theft, and recommended that students put fraud alerts on their credit files.

The mailers containing each student's annual 1098-T "Tuition Statement" were supposed to have adhesive on all four sides. But one side of each envelope was missing adhesive, according to LIU officials, which caused about half of the statements to be damaged by U.S. Postal Service processing machinery.

A 1098-T tuition statement, which has to be sent to every student who paid tuition in the 2007 calendar year and postmarked by Jan. 31, contains the student's name, address and Social Security number.

[...]

From lyger at attrition.org Wed Feb 13 04:02:43 2008
From: lyger at attrition.org (lyger)
Date: Wed, 13 Feb 2008 04:02:43 +0000 (UTC)
Subject: [Dataloss] Canada: Bell probes theft of personal information on 3.4 million Ont., Que. clients
Message-ID:

(Finally, stealing the equivalent of a phone book makes headlines. It was only a matter of time...)

http://canadianpress.google.com/article/ALeqM5jYxNzISSg8CH4MSvbfAo61t7ioVQ

Bell Canada (TSX:BCE) is trying to determine just who has seen a limited amount of personal information on some 3.4 million of its clients in Quebec and Ontario after a Montreal man was arrested Tuesday and faces charges of stealing the data.
The telecommunications company said Tuesday it had recovered the stolen data at a Montreal home but that it was fairly limited and only included names, addresses, telephone numbers and a list of Bell services the client subscribed to.

The company assured its customers that no financial or security information was stolen.

[.]

"There was no identity material beyond name, address and phone number," Langton added. "(The information is) similar to what you'd find in the white pages or a phone directory."

[...]

From jericho at attrition.org Wed Feb 13 04:14:30 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 13 Feb 2008 04:14:30 +0000 (UTC)
Subject: [Dataloss] Canada: Bell probes theft of personal information on 3.4 million Ont., Que. clients
In-Reply-To:
References:
Message-ID:

: (Finally, stealing the equivalent of a phone book makes headlines. It
: was only a matter of time...)
:
: http://canadianpress.google.com/article/ALeqM5jYxNzISSg8CH4MSvbfAo61t7ioVQ
:
: Bell Canada (TSX:BCE) is trying to determine just who has seen a limited
: amount personal information on some 3.4 million of its clients in Quebec
: and Ontario after a Montreal man was arrested Tuesday and faces charges
: of stealing the data.
:
: The telecommunications company said Tuesday it had recovered the stolen
: data at a Montreal home but that it was fairly limited and only included
: names, addresses, telephone numbers and a list of Bell services the
: client subscribed to.

This is where the telco needs to come clean. Name, address and phone number of listed customers is obviously not any real breach.

That information of *unlisted* customers begins to be more of a concern.

They also need to define "services" here. Does this include DSL service? Just POTS services like call waiting?

: "There was no identity material beyond name, address and phone number,"
: Langton added. "(The information is) similar to what you'd find in the
: white pages or a phone directory."
*Similar*, which does not rule out the possibility of unlisted customers.

From lyger at attrition.org Wed Feb 13 04:46:42 2008
From: lyger at attrition.org (lyger)
Date: Wed, 13 Feb 2008 04:46:42 +0000 (UTC)
Subject: [Dataloss] Canada: Bell probes theft of personal information on 3.4 million Ont., Que. clients
In-Reply-To:
References:
Message-ID:

On Wed, 13 Feb 2008, security curmudgeon wrote:

": " : The telecommunications company said Tuesday it had recovered the stolen
": " : data at a Montreal home but that it was fairly limited and only included
": " : names, addresses, telephone numbers and a list of Bell services the
": " : client subscribed to.
": "
": " This is where the telco needs to come clean. Name, address and phone
": " number of listed customers is obviously not any real breach.
": "
": " That information of *unlisted* customers begins to be more of a concern.

I'm interested in knowing what percentage of residential phone numbers, at least in the U.S., are unlisted. Found an old article, which I found somewhat surprising:

http://findarticles.com/p/articles/mi_m3065/is_n8_v18/ai_7812479

Folio: The Magazine for Magazine Management, August, 1989 by Elizabeth Leamy

"The rate has risen nearly 27 percent in four years, from 22 percent of households in 1984 to 28 percent in 1988."

": " They also need to define "services" here. Does this include DSL service?
": " Just POTS services like call waiting?

Does either service constitute either "personal" or "private" information?

": " : "There was no identity material beyond name, address and phone number,"
": " : Langton added. "(The information is) similar to what you'd find in the
": " : white pages or a phone directory."
": "
": " *Similar*, which does not rule out the possibility of unlisted customers.

True. But again, should an unlisted phone number be considered personal or private information? From a personal standpoint, I can see why it should be, but what about from a generally accepted standpoint?
New ground here... how "private" or "personal" are unlisted phone numbers and should they be held to the same standard as Social Security (or SIN/NIN) numbers, credit card numbers, financial account numbers, or dates of birth? From jericho at attrition.org Wed Feb 13 04:51:16 2008 From: jericho at attrition.org (security curmudgeon) Date: Wed, 13 Feb 2008 04:51:16 +0000 (UTC) Subject: [Dataloss] Canada: Bell probes theft of personal information on 3.4 million Ont., Que. clients In-Reply-To: References: Message-ID: : ": " They also need to define "services" here. Does this include DSL service? : ": " Just POTS services like call waiting? : : Does either service constitute either "personal" or "private" information? No, and this incident does not qualify for inclusion in the DLDOS. But, still a good academic discussion I guess. : ": " *Similar*, which does not rule out the possibility of unlisted customers. : : True. But again, should an unlisted phone number be considered personal : or private information? From a personal standpoint, I can see why it : should be, but what about from a generally accepted standpoint? In this day and age of telemarketing, net stalkers and other creeps, this is definitely private information. If my 'unlisted' information was leaked, i would certainly raise a stink with my RBOC and ask for a refund for the money I have been paying each month for the 'service' of them NOT adding my information to the directory (which is pretty sick to begin with). : New ground here... how "private" or "personal" are unlisted phone : numbers and should they be held to the same standard as Social Security : (or SIN/NIN) numbers, credit card numbers, financial account numbers, or : dates of birth? No, that information is private/personal yes, but that is not PII / NPPI by any definition. 
From: ssteele at infolocktech.com (Sean Steele)
Date: Tue, 12 Feb 2008 23:56:19 -0500
Subject: [Dataloss] Canada: Bell probes theft of personal information on 3.4 million Ont., Que. clients
Message-ID: <47B27873.3030004@infolocktech.com>

lyger wrote:

> True. But again, should an unlisted phone number be considered personal
> or private information? From a personal standpoint, I can see why it
> should be, but what about from a generally accepted standpoint? New
> ground here... how "private" or "personal" are unlisted phone numbers and
> should they be held to the same standard as Social Security (or
> SIN/NIN) numbers, credit card numbers, financial account numbers, or
> dates of birth?

Personal, yes. Private, absolutely. Sensitive? Probably not...

Does a breach of unlisted numbers rise to the same level as a breach of other data that provides actual ID theft/fraud opportunities (e.g. SSN, DOBs, CC #s, etc.)? I'm at a loss for explaining how it could. At worst you're more of a target for social engineering attacks than you were -- or an incrementally more complete record to be sold on the open market. But not much more than that.

-SS

From: brian.honan at bhconsulting.ie (Brian Honan)
Date: Wed, 13 Feb 2008 08:53:56 -0000
Subject: [Dataloss] Canada: Bell probes theft of personal information on 3.4 million Ont., Que. clients
Message-ID: <01cc01c86e1d$f75e79d0$0301a8c0@LAPTOPBH2>

Remember though that privacy laws differ from jurisdiction to jurisdiction. It is possible that if this breach occurred within the European Union that the compromised data would fall under the data protection directive.

Under this directive personally identifiable information can only be gathered for a specific reason, agreed to by the customer, and protected from unauthorised access.

Brian

Brian Honan
BH Consulting
Helping You Piece IT Together
T: +353-1-4404065
M: +353-868114066
E: brian.honan at bhconsulting.ie
W: http://www.bhconsulting.ie
B: http://www.bhconsulting.ie/blog
Supporting Global Security Week http://www.globalsecurityweek.com

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

From: hbrown at knology.net (Henry Brown)
Date: Wed, 13 Feb 2008 08:47:18 -0600
Subject: [Dataloss] "Confidential" court records posted on line
Message-ID: <47B302F6.10208@knology.net>

http://www.jsonline.com/story/index.aspx?id=716547

Records released in error
Group posts confidential court data from county on its Web site
By STEVE SCHULTZE

Milwaukee County officials mistakenly released numerous confidential court records for a citizens group's Web site that detail payments for tests and other costs linked to mental competency, paternity and guardianship cases, officials acknowledged.

The records obtained by Citizens for Responsible Government Network were part of a county database of 188,000 purchasing invoices for 2006 and 2007. The group put the information on its Web site Tuesday morning.
Late Friday, the group agreed to remove the confidential court records at the county's request. However, a check of the group's Web site Sunday night found dozens of entries for psychiatric examinations and guardianship fees in which the clients' names were still listed, sometimes along with the court case number. Most of those listings were for 2006.

[...]

From: lyger at attrition.org (lyger)
Date: Wed, 13 Feb 2008 17:19:22 +0000 (UTC)
Subject: [Dataloss] Data Breach Notification Laws, State By State

(For those of us who like to have a lot of information available in one place, this interactive map might be a pretty nifty tool.)

http://www.csoonline.com/read/020108/ammap/ammap.html

Five years after California's landmark SB 1386, our interactive map shows you which 38 states have passed laws requiring companies to notify consumers whose personal information has been compromised. Part of an in-depth series about disclosing security breaches.

[...]

From: lyger at attrition.org (lyger)
Date: Wed, 13 Feb 2008 18:51:35 +0000 (UTC)
Subject: [Dataloss] TN: Missing: Lifeblood laptops with personal info on thousands of donors

http://www.commercialappeal.com/news/2008/feb/13/missing-lifeblood-laptops-personal-information-tho/

Laptop computers with the birth dates and other personal information of roughly 321,000 blood donors are missing and the Mid-South's primary blood supplier is warning individuals to take steps to protect themselves.

The advice is contained in letters that Lifeblood, Mid-South Regional Blood Center, is sending to anyone who donated or attempted to donate blood as far back as 1990.

[...]

In most cases, Balink said the donor's Social Security number was also stored, along with driver's license and telephone numbers, e-mail address as well as ethnic, marital status, blood type and cholesterol levels.

[...]
From: lyger at attrition.org (lyger)
Date: Wed, 13 Feb 2008 22:16:41 +0000 (UTC)
Subject: [Dataloss] TN: MTSU: 1,500 Social Security numbers on breached computer

http://dnj.midsouthnews.com/apps/pbcs.dll/article?AID=/20080213/NEWS01/80213045

MTSU officials said today an unknown person accessed a computer containing the names and Social Security numbers of about 1,500 past and current students.

A professor left the university computer unattended in the mass communication department about two weeks ago and an unidentified person is believed to have used the machine to send spam e-mails, MTSU spokesman Tom Tozer told The Daily News Journal.

"Although we have discovered that it was technically possible to access this file containing your personal information, we have no evidence that this file was actually accessed by anyone," a letter from the university to those affected stated. "We are notifying you simply as a precaution."

[...]

From: lyger at attrition.org (lyger)
Date: Thu, 14 Feb 2008 15:11:39 +0000 (UTC)
Subject: [Dataloss] UK: Laptop with 5,000 medical records stolen

http://www.independent.co.uk/news/uk/home-news/laptop-with-5000-medical-records-stolen-782190.html

A laptop containing the medical records of more than 5,000 patients has been stolen from a hospital, it was revealed today.

The computer was taken from the outpatients department at Russells Hall Hospital in Dudley, West Midlands, on January 8. It contains a database with information on 5,123 anticoagulation patients, the hospital said.

Letters have been sent to those affected and police have launched an investigation.

[...]
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Thu, 14 Feb 2008 09:04:25 -0500
Subject: [Dataloss] GA: Potential ID Theft at Two Low Country Hospitals
Message-ID: <002401c86f12$82041820$6501a8c0@mkevhill>

http://www.wtoctv.com/Global/story.asp?S=7868260&nav=0qq6

HILTON HEAD ISLAND, SC (WTOC) - Patients at two Low Country hospitals could be victims of identity theft.

Officials say an employee with Tenet Healthcare Corporation, which owns Hilton Head Regional Medical Center and Coastal Carolina Medical Center, stole the private information of about 90 patients.

Tenet has notified them, along with the 37,000 other patients whom this might have affected, giving them each steps to protect their identity and credit.

Any patients who believe their personal information has been used to open credit cards or other credit accounts should call 800.553.6106.

Michael Hill
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751
"If You Think You're Not At Risk, Think Again!"

From: lyger at attrition.org (lyger)
Date: Fri, 15 Feb 2008 13:51:08 +0000 (UTC)
Subject: [Dataloss] KY: Lexmark employees notified of breach

http://www.kentucky.com/101/story/318946.html

Lexmark International told employees this week that information that would identify them personally was inadvertently posted on a company file transfer site.

It's uncertain whether anyone with malicious intent accessed the files.

The company will not say publicly what type of data was posted, but it did tell affected employees, said spokeswoman Barbara Leary. Lexmark also won't say publicly how many employees were affected.

[...]

From: hbrown at knology.net (Henry Brown)
Date: Fri, 15 Feb 2008 09:38:53 -0600
Subject: [Dataloss] insider theft of information
Message-ID: <47B5B20D.4090304@knology.net>

MAYBE an expansion of a previously "announced" data breach

http://www.beaufortgazette.com/local/story/190720.html

Identity thief had access to area information

BLUFFTON -- A former employee of a locally connected national hospital chain who was convicted of identity theft had access to the personal information of about 37,000 patients, according to a company spokesman.

Tenet Healthcare Corp. owns 54 hospitals in a dozen states, including Hilton Head Regional Medical Center and Coastal Carolina Medical Center. The company mailed letters last week announcing the security breach to anyone who could have been affected, said spokesman Steven Campanini. Tenet also informed victims how to set up free fraud alerts at the nation's three major credit bureaus.

"There's an annoyance factor and we apologize for that," Campanini said. "We recognize consumer privacy is very important and take it very seriously."
The ex-employee worked at a Frisco, Texas, billing center for less than two years, and is confirmed to have stolen the names, Social Security numbers and other personal information of about 90 patients, Campanini said. The company has paid to monitor the credit reports of those victims.

Terrence Brooks, 30, had access to 37,000 other accounts, less than 1 percent of the 4 million handled at the billing center, the company said.

Brooks was arrested Nov. 25 in Arlington, Texas, where he was trying to obtain a credit card using information he stole at his job, authorities said. An employee called police and Brooks was arrested on the spot on misdemeanor traffic warrants, according to a police spokesman and Tenet.

He pleaded guilty last month to five counts of fraudulent use and possession of identification information and was sentenced to nine months in prison. He had passed a background check to get the Tenet job. Brooks was immediately fired when the company learned of his arrest.

"What's challenging in this situation is there was an employee intent on committing fraud," Campanini said. "No company can prevent that, but we can have practices in place to immediately address it when it does occur, and that's what we did."

[...]

From: lyger at attrition.org (lyger)
Date: Fri, 15 Feb 2008 22:15:22 +0000 (UTC)
Subject: [Dataloss] MO: Burglary compromises personal information for 2,000 families

http://www.carthagepress.com/news/x866628075

One of the largest aid agencies in Carthage was burglarized overnight Thursday night or Friday morning and files, containing the personal information of about 2,000 families, were stolen.

Carthage Police Detective Randee Kaiser said Crosslines Ministries of Carthage, 600 E. Sixth St., was burglarized sometime between 5 p.m. Thursday, and 7:57 a.m. Friday, when ministry officials called police.
Kaiser said among the items stolen were paper files containing names, addresses, social security numbers and other personal information of 2,000 individuals served by Crosslines.

[...]

From: hbrown at knology.net (Henry Brown)
Date: Sat, 16 Feb 2008 05:17:26 -0600
Subject: [Dataloss] CA: School workers' personal data lifted
Message-ID: <47B6C646.6090101@knology.net>

Perhaps much bigger breach than the article from the Modesto Bee might indicate...

A quote from the Fresno Bee article: "... Employee information for Clovis Unified and 15 other organizations ..."

http://www.fresnobee.com/263/story/396688.html

Clovis Unified School District employees were notified that a computer stolen this week from a Fullerton company contained personal information -- including Social Security numbers -- for about 4,000 district employees.

While police do not believe the intent of the burglary was to steal identity information, the district has recommended that employees establish fraud alerts on their credit files, district spokeswoman Kelly Avants said.

[...]

Employee information for Clovis Unified and 15 other organizations was jeopardized when Systematic Automation of Fullerton was burglarized about 4:30 a.m. Monday. District employees were alerted in an e-mail about 3:30 p.m. Tuesday, which Avants said was the fastest the district could assemble accurate information on what to tell workers.

The stolen computer contained Clovis Unified employee names, addresses and salaries, as well as Social Security numbers. It did not contain birth dates or other personal information.

Systematic Automation handles the online benefits enrollment for Clovis Unified employees and publishes information on what benefits each employee receives, Avants said.

[...]
lyger wrote:

> http://www.modbee.com/local/story/208868.html
>
> A computer hard drive holding the names, addresses, birth dates and Social
> Security numbers of Modesto City Schools' 3,500 employees was stolen early
> Monday from a Southern California data processing firm, district officials
> said.
>
> The hard drive and three monitors were stolen at 4:30 a.m. in a "window
> smash" burglary, said Sgt. Linda King with the Fullerton Police
> Department. She had no information about witnesses or suspects.
>
> The burglary happened at Systematic Automation Inc. in Fullerton. The firm
> prints annual, customized statements for each district employee with a
> summary of his or her health and other employee benefits.
>
> [...]

From: lyger at attrition.org (lyger)
Date: Sat, 16 Feb 2008 13:44:08 +0000 (UTC)
Subject: [Dataloss] TX: A&M posted 3,000 people's personal data

http://www.theeagle.com/local/A-amp-amp-M-posted-3-000-people-s-personal-data

A computer file containing the names and Social Security numbers of 3,000 current and former Texas A&M University agricultural employees was inadvertently posted online and accessible to the public for three weeks.

Texas A&M administrators said the personal information could not be directly viewed on Web pages, but was obtainable through sophisticated software designed to search databases and hijack such information.

Though university officials don't believe any of the information was stolen, they are encouraging employees to closely monitor their accounts for identity theft.

[...]

From: lyger at attrition.org (lyger)
Date: Sat, 16 Feb 2008 13:56:57 +0000 (UTC)
Subject: [Dataloss] CA: Employee data theft jolts DWP

(following up on previous posts, the Systematic Automation breach (DL-0899) does indeed seem larger than previously reported...)
http://www.dailynews.com/news/ci_8277304

A computer containing personal information on more than 8,300 Los Angeles Department of Water and Power employees was stolen from an outside vendor Monday, utility officials confirmed Friday.

DWP General Manager H. David Nahai sent a letter to employees Wednesday informing them of the "possible security breach" and of steps being taken to safeguard them from the risk of identity theft.

DWP officials said the theft occurred at Systematic Automation Inc. in Fullerton and is being investigated by Fullerton law enforcement.

[...]

From: lyger at attrition.org (lyger)
Date: Mon, 18 Feb 2008 15:47:20 +0000 (UTC)
Subject: [Dataloss] FL: Ft. Lauderdale Dumpster Becomes A Treasure Trove

http://cbs4.com/local/Ft.Lauderdale.Trash.2.655638.html

In the information age, theft has clearly taken on a new meaning, with the possession of personal info, credit cards, and social security numbers as the key for many high tech crooks to strike it rich. One Ft. Lauderdale dumpster proved to be a treasure trove of documents with such information -- readily available for anyone who passed by -- so the police are investigating.

Outside a University of Phoenix Building in Ft. Lauderdale, files and paperwork belonging to the defunct First Magnus Financial at 550 West Cypress Creek Road were just lying inside stacked boxes inside an industrial garbage container, available for anyone to peek at.

The paperwork contains some of the most sensitive information a consumer could possess: Social Security numbers, credit card information, addresses, properties, etc.

[...]
From: lyger at attrition.org (lyger)
Date: Wed, 20 Feb 2008 12:28:49 +0000 (UTC)
Subject: [Dataloss] Irish blood donor records stolen in New York

http://www.rte.ie/news/2008/0219/blood.html

A computer containing over 171,000 confidential blood donor records and other files from the Irish Blood Transfusion Service has been stolen.

The data, which the Blood Service says was securely encrypted, was given to the New York Blood centre in December on a computer disk. It was part of a software upgrading programme for the Irish Service.

[...]

From: jericho at attrition.org (security curmudgeon)
Date: Wed, 20 Feb 2008 17:57:00 +0000 (UTC)
Subject: [Dataloss] Auction.co.kr - Chinese hacker steals user information on 18 MILLION

[No references for this event. No details if CC information or other NPPI/PII was stolen. - jericho]

http://www.webappsec.org/projects/whid/byid_id_2008-10.shtml

WHID 2008-10: Chinese hacker steals user information on 18 MILLION online shoppers at Auction.co.kr

Reported: 12 February 2008
Occurred: 10 February 2008

Classifications:
* Attack Method: Cross Site Request Forgery (CSRF)
* Country: Korea
* Origin: China
* Outcome: Downtime
* Outcome: Leakage of Information
* Vertical: Retail

A Korean e-commerce site was hacked and a staggering number of records, 18 million, were stolen. In the US this would be front news. We don't know if it was front news in Korea, but it did not get to the international media. The attack description is vague but can be best described as session hijacking.

This incident is a great example of the lack of sufficient international coverage at WHID. Help us by sending us non-English incidents! After all, it is not English speakers only that get hacked, but rather us, the WHID maintainers, that speak only this language.
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 21 Feb 2008 01:52:52 +0000 (UTC)
Subject: [Dataloss] Experian Sues Lifelock, Alleges Fraud

http://redtape.msnbc.com/2008/02/experian-sues-l.html

Experian sues LifeLock, alleges fraud
Posted: Wednesday, February 20 at 04:01 pm CT by Bob Sullivan

Credit bureau Experian is suing the identity theft prevention firm LifeLock, accusing it of deception and fraud in its familiar advertising campaign, which includes a spot in which CEO Todd Davis reveals his Social Security number and then brags about the effectiveness of the company's protections.

In the lawsuit, filed in U.S. District Court on Feb. 13, Experian contends that LifeLock's advertising is misleading and that the firm is breaking federal law in the way it goes about protecting consumers.

Lifelock CEO Davis, in an interview with msnbc.com on Wednesday, called the lawsuit baseless and said that Experian is simply upset that his firm is challenging its business model.

"This lawsuit is not about helping consumers," he said. "They just want to make more money selling their data."

LifeLock's ubiquitous marketing campaign has been stepped up in recent months, Davis said, thanks to a new infusion of investments in the company. In January, the firm announced it had raised $25.5 million in funding orchestrated by Goldman Sachs Group. The advertising has apparently paid off: Lifelock has 700,000 customers, each paying about $10 per month for the service.

[...]
From: chris at cwalsh.org (Chris Walsh)
Date: Thu, 21 Feb 2008 10:54:57 -0600
Subject: [Dataloss] OT: Encryption keys persist in RAM, after shutdown, enabling FDE bypass
Message-ID: <20080221165457.GA49180@fripp.cwalsh.org>

Ed Felten and colleagues have a paper out which shows how full disk encryption products, among them BitLocker, can be defeated by reading encryption keys from RAM chips *after the machine has been powered off*.

See http://citp.princeton.edu/memory/ for more.

From: lyger at attrition.org (lyger)
Date: Thu, 21 Feb 2008 18:18:16 +0000 (UTC)
Subject: [Dataloss] Canada: Personal data on 28,000 schoolchildren stolen

http://www.cbc.ca/canada/newfoundland-labrador/story/2008/02/21/student-breach.html

A laptop computer holding a database with personal information on thousands of Newfoundland schoolchildren was among several stolen during a robbery, school officials said Thursday.

The database - with information on 28,000 students, most in the St. John's area - includes names, addresses, medicare numbers, phone numbers and the names of guardians, the Eastern School District board said in a statement.

The four laptops were stolen from the district's offices in Atlantic Place, an office complex in downtown St. John's.

[...]

From: jericho at attrition.org (security curmudgeon)
Date: Thu, 21 Feb 2008 20:48:47 +0000 (UTC)
Subject: [Dataloss] fringe: Researchers: Disk Encryption Not Secure

[Companies who suffer a data loss incident, take note. Not only is the "password" to the operating system worthless, now the encrypted drives that we never see used are too. =) -jericho]

http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html

Researchers: Disk Encryption Not Secure
By Kim Zetter February 21, 2008 | 12:13:48 PM

Researchers with Princeton University and the Electronic Frontier Foundation have found a flaw that renders disk encryption systems useless if an intruder has physical access to your computer -- say in the case of a stolen laptop or when a computer is left unattended on a desktop in sleep mode or while displaying a password prompt screen.

The attack takes only a few minutes to conduct and uses the disk encryption key that's stored in the computer's RAM.

The attack works because content as well as encryption keys stored in RAM linger in the system, even after the machine is powered off, enabling an attacker to use the key to collect any content still in RAM after reapplying power to the machine.

"We've broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers," said J. Alex Halderman, one of the researchers, in a press release. "Unlike many security problems, this isn't a minor flaw; it is a fundamental limitation in the way these systems were designed."

[...]

From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 21 Feb 2008 16:03:41 -0500
Subject: [Dataloss] fringe: Researchers: Disk Encryption Not Secure

Well, if anything I think it makes a further case for using multifactor authentication in order to login to machines - a "something you have" piece.

Of course, if we knew what we know now and all had robust data classification schemes allowing us to have to protect only that business critical or regulation-controlled data, we wouldn't have to boil the ocean. We could put in place RBAC and DRM/ERM might actually be doable.

Now where's that Business Impact Assessment from the DR/BCP plan? Sounds like a good place to start.....if pigs could fly. ;)

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471
http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From: roy at rant-central.com (Roy M. Silvernail)
Date: Thu, 21 Feb 2008 16:17:23 -0500
Subject: [Dataloss] fringe: Researchers: Disk Encryption Not Secure
Message-ID: <20080221211722.GA31841@rant-central.com>

On Thu, Feb 21, 2008 at 04:03:41PM -0500, B.K. DeLong wrote:

> Well, if anything I think it makes a further case for using
> multifactor authentication in order to login to machines - a
> "something you have" piece.

That's the wrong threat model, though. The attack described is directly against disk encryption. If the FDE key is exposed through a cold-RAM skimming attack, there is no need to login to anything. The RAM is skimmed, then the drive is imaged. Presto. Your data is toast. This can be pulled off over a lunch break, and the only evidence would be an unexpected reboot when the victim returns.

--
Roy M. Silvernail is roy at rant-central.com, and you're not
"A desperate disease requires a dangerous remedy." - Guy Fawkes
http://www.rant-central.com

From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 21 Feb 2008 16:43:25 -0500
Subject: [Dataloss] fringe: Researchers: Disk Encryption Not Secure

Or, perhaps, partial keys on the hard drive and the portable device - only the two together make a whole.
On Thu, Feb 21, 2008 at 4:34 PM, Rory Wasserman wrote: > Roy, > > I agree with what you are saying, however if a portable hardware device is > used for multifactor authentication and the key is stored in a secure place > on the device, off of the hard drive, then this type of attack would be > futile. > > Rory Wasserman -- B.K. DeLong (K3GRN) bkdelong at pobox.com +1.617.797.8471 http://www.wkdelong.org Son. http://www.ianetsec.com Work. http://www.bostonredcross.org Volunteer. http://www.carolingia.eastkingdom.org Service. http://bkdelong.livejournal.com Play. PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE FOAF: http://foaf.brain-stream.org From rwasserman at mxisecurity.com Thu Feb 21 21:34:09 2008 From: rwasserman at mxisecurity.com (Rory Wasserman) Date: Thu, 21 Feb 2008 16:34:09 -0500 Subject: [Dataloss] fringe: Researchers: Disk Encryption Not Secure In-Reply-To: <20080221211722.GA31841@rant-central.com> References: <20080221211722.GA31841@rant-central.com> Message-ID: Roy, I agree with what you are saying, however if a portable hardware device is used for multifactor authentication and the key is stored in a secure place on the device, off of the hard drive, then this type of attack would be futile. Rory Wasserman -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Roy M. Silvernail Sent: February 21, 2008 4:17 PM To: B.K. DeLong Cc: security curmudgeon; dataloss at attrition.org Subject: Re: [Dataloss] fringe: Researchers: Disk Encryption Not Secure On Thu, Feb 21, 2008 at 04:03:41PM -0500, B.K. DeLong wrote: > Well, if anything I think it makes a further case for using > multifactor authentication in order to login to machines - a > "something you have" piece. That's the wrong threat model, though. The attack described is directly against disk encryption. If the FDE key is exposed through a cold-RAM skimming attack, there is no need to login to anything. 
The RAM is skimmed, then the drive is imaged. Presto. Your data is toast. This can be pulled off over a lunch break, and the only evidence would be an unexpected reboot when the victim returns. -- Roy M. Silvernail is roy at rant-central.com, and you're not "A desperate disease requires a dangerous remedy." - Guy Fawkes http://www.rant-central.com From roy at rant-central.com Thu Feb 21 21:49:08 2008 From: roy at rant-central.com (Roy M. Silvernail) Date: Thu, 21 Feb 2008 16:49:08 -0500 Subject: [Dataloss] fringe: Researchers: Disk Encryption Not Secure In-Reply-To: References: <20080221211722.GA31841@rant-central.com> Message-ID: <20080221214907.GA1963@rant-central.com> On Thu, Feb 21, 2008 at 04:34:09PM -0500, Rory Wasserman wrote: > Roy, > > I agree with what you are saying, however if a portable hardware device is > used for multifactor authentication and the key is stored in a secure place > on the device, off of the hard drive, then this type of attack would be > futile. I think you still misunderstand the threat model. The threat is not against authentication. That has already been done and the target machine is in a running state (though perhaps waiting at a screensaver password). In this state, the fully-encrypted disc is mounted and decrypting for its proper user. That means the FDE key *must* be in core somewhere, so that the disc drivers can use it to encrypt and decrypt the data as it is used. And once Mallory has the FDE key, he don' need no steenkin' authentication. He grabs an image of the disc and trots off to decrypt at leisure. -- Roy M. 
Silvernail is roy at rant-central.com, and you're not "A desperate disease requires a dangerous remedy." - Guy Fawkes http://www.rant-central.com From jericho at attrition.org Fri Feb 22 02:03:02 2008 From: jericho at attrition.org (security curmudgeon) Date: Fri, 22 Feb 2008 02:03:02 +0000 (UTC) Subject: [Dataloss] follow-up: Reed Elsevier Seeks to Acquire ChoicePoint for $4.1B Message-ID: ---------- Forwarded message ---------- From: Paul Ferguson Via The Washington Post. [snip] Reed Elsevier PLC, the owner of the LexisNexis Group, is seeking to acquire ChoicePoint Inc. in a $4.1 billion cash deal that would create a global data brokering service. By combining database giants LexisNexis and ChoicePoint, Reed Elsevier would handle information about hundreds of millions of people and sophisticated software to handle it. Both companies play key roles in law enforcement, homeland security and intelligence, as well as providing information to the private sector. Both also have been hit by identity theft and security problems. [snip] More: http://www.washingtonpost.com/wp-dyn/content/article/2008/02/21/AR2008022100809.html From jericho at attrition.org Fri Feb 22 07:27:51 2008 From: jericho at attrition.org (security curmudgeon) Date: Fri, 22 Feb 2008 07:27:51 +0000 (UTC) Subject: [Dataloss] follow-up: Insurance Company Reimburses TJX Almost $19 Million For Data Breach Message-ID: ---------- Forwarded message ---------- From: Paul Ferguson Via StorefrontBacktalk. [snip] In the middle of a better-than-expected earnings report from TJX on Wednesday, the retailer whose data breach of 100 million cards was the worst in credit card history reported that it was paid somewhat less than $19 million by its insurance company. Referring to $178 million the chain had set aside to deal with data-breach-related costs, TJX said that on Jan. 
26, 2008, "TJX reduced the reserve by $19 million, primarily due to insurance proceeds with respect to the computer intrusion, which had not previously been reflected in the reserve, as well as a reduction in estimated legal and other fees as the Company has continued to resolve outstanding disputes, litigation and investigations." [snip] More: http://storefrontbacktalk.com/story/022208tjx See also: http://money.cnn.com/2008/02/20/news/companies/bc.earns.tjx.ap/index.htm So much for punishment... - - ferg From evan.francen at gmail.com Fri Feb 22 14:14:04 2008 From: evan.francen at gmail.com (Evan Francen) Date: Fri, 22 Feb 2008 08:14:04 -0600 Subject: [Dataloss] fringe: Researchers: Disk Encryption Not Secure In-Reply-To: <20080221214907.GA1963@rant-central.com> References: <20080221211722.GA31841@rant-central.com> <20080221214907.GA1963@rant-central.com> Message-ID: <530c940802220614x2ecce8a2ia6dca8c9dc952f5a@mail.gmail.com> Do you think it would be possible to patch encryption products with routines to wipe the memory address(es) where the key is stored at specific times (i.e. on lock, hibernate, sleep, and shutdown)? On 2/21/08, Roy M. Silvernail wrote: > On Thu, Feb 21, 2008 at 04:34:09PM -0500, Rory Wasserman wrote: > > Roy, > > > > I agree with what you are saying, however if a portable hardware device is > > used for multifactor authentication and the key is stored in a secure place > > on the device, off of the hard drive, then this type of attack would be > > futile. > > > I think you still misunderstand the threat model. The threat is not > against authentication. That has already been done and the > target machine is in a running state (though perhaps waiting at a > screensaver password). In this state, the fully-encrypted disc is > mounted and decrypting for its proper user. That means the FDE key > *must* be in core somewhere, so that the disc drivers can use it to > encrypt and decrypt the data as it is used. 
> > And once Mallory has the FDE key, he don' need no steenkin' > authentication. He grabs an image of the disc and trots off to decrypt > at leisure. > > -- > Roy M. Silvernail is roy at rant-central.com, and you're not > "A desperate disease requires a dangerous remedy." > - Guy Fawkes > http://www.rant-central.com > -- Evan Francen, CISSP CCNP MCSE email: evan.francen at gmail.com From GFRIEDL at transunion.com Fri Feb 22 14:25:32 2008 From: GFRIEDL at transunion.com (Friedlander, Gary S) Date: Fri, 22 Feb 2008 08:25:32 -0600 Subject: [Dataloss] fringe: Researchers: Disk Encryption Not Secure In-Reply-To: <530c940802220614x2ecce8a2ia6dca8c9dc952f5a@mail.gmail.com> References: <20080221211722.GA31841@rant-central.com><20080221214907.GA1963@rant-central.com> <530c940802220614x2ecce8a2ia6dca8c9dc952f5a@mail.gmail.com> Message-ID: <276A6F4116DF36418A24927C83CB897801109244@CHI4EVS03.corp.transunion.com> Maybe the software can be patched to wipe the key from memory after so many minutes of inactivity - requiring re-entering the passphrase to re-mount the drive or re-enter the folder. -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Evan Francen Sent: Friday, February 22, 2008 8:14 AM To: Roy M. Silvernail Cc: security curmudgeon; dataloss at attrition.org Subject: Re: [Dataloss] fringe: Researchers: Disk Encryption Not Secure Do you think it would be possible to patch encryption products with routines to wipe the memory address(es) where the key is stored at specific times (i.e. on lock, hibernate, sleep, and shutdown)? On 2/21/08, Roy M. Silvernail wrote: > On Thu, Feb 21, 2008 at 04:34:09PM -0500, Rory Wasserman wrote: > > Roy, > > > > I agree with what you are saying, however if a portable hardware device is > > used for multifactor authentication and the key is stored in a secure place > > on the device, off of the hard drive, then this type of attack would be > > futile. > > > I think you still misunderstand the threat model. The threat is not > against authentication. That has already been done and the > target machine is in a running state (though perhaps waiting at a > screensaver password). In this state, the fully-encrypted disc is > mounted and decrypting for its proper user. That means the FDE key > *must* be in core somewhere, so that the disc drivers can use it to > encrypt and decrypt the data as it is used. > > And once Mallory has the FDE key, he don' need no steenkin' > authentication. He grabs an image of the disc and trots off to decrypt > at leisure. > > -- > Roy M. Silvernail is roy at rant-central.com, and you're not > "A desperate disease requires a dangerous remedy." > - Guy Fawkes > http://www.rant-central.com > -- Evan Francen, CISSP CCNP MCSE email: evan.francen at gmail.com From paul at nosignal.net Fri Feb 22 14:37:27 2008 From: paul at nosignal.net (Paul Stevens) Date: Fri, 22 Feb 2008 16:37:27 +0200 Subject: [Dataloss] fringe: Researchers: Disk Encryption Not Secure In-Reply-To: <276A6F4116DF36418A24927C83CB897801109244@CHI4EVS03.corp.transunion.com> References: <20080221211722.GA31841@rant-central.com><20080221214907.GA1963@rant-central.com> <530c940802220614x2ecce8a2ia6dca8c9dc952f5a@mail.gmail.com> <276A6F4116DF36418A24927C83CB897801109244@CHI4EVS03.corp.transunion.com> Message-ID: <995180C2-B9F8-4509-8571-73DCBB90227E@nosignal.net> Some FDE products already provide a feature which applies a limitation to the time your passphrase will be held in memory. Typically though, there's a checkbox underneath which allows it to remain cached permanently. Ease of use trumps security every time. On 22 Feb 2008, at 4:25 PM, Friedlander, Gary S wrote: > Maybe the software can be patched to wipe the key from memory after so > many minutes of inactivity - requiring re-entering the passphrase to > re-mount the drive or re-enter the folder. > > -----Original Message----- > From: dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] On Behalf Of Evan Francen > Sent: Friday, February 22, 2008 8:14 AM > To: Roy M. Silvernail > Cc: security curmudgeon; dataloss at attrition.org > Subject: Re: [Dataloss] fringe: Researchers: Disk Encryption Not > Secure > > Do you think it would be possible to patch encryption products with > routines to wipe the memory address(es) where the key is stored at > specific times (i.e. on lock, hibernate, sleep, and shutdown)? > > > On 2/21/08, Roy M. 
Silvernail wrote: >> On Thu, Feb 21, 2008 at 04:34:09PM -0500, Rory Wasserman wrote: >>> Roy, >>> >>> I agree with what you are saying, however if a portable hardware device is >>> used for multifactor authentication and the key is stored in a secure place >>> on the device, off of the hard drive, then this type of attack would be >>> futile. >> >> >> I think you still misunderstand the threat model. The threat is not >> against authentication. That has already been done and the >> target machine is in a running state (though perhaps waiting at a >> screensaver password). In this state, the fully-encrypted disc is >> mounted and decrypting for its proper user. That means the FDE key >> *must* be in core somewhere, so that the disc drivers can use it to >> encrypt and decrypt the data as it is used. >> >> And once Mallory has the FDE key, he don' need no steenkin' >> authentication. He grabs an image of the disc and trots off to decrypt >> at leisure. >> >> -- >> Roy M. Silvernail is roy at rant-central.com, and you're not >> "A desperate disease requires a dangerous remedy." >> - Guy Fawkes >> http://www.rant-central.com >> > > > -- > Evan Francen, CISSP CCNP MCSE > email: evan.francen at gmail.com From macwheel99 at wowway.com Sat Feb 23 14:49:04 2008 From: macwheel99 at wowway.com (Al Mac Wheel) Date: Sat, 23 Feb 2008 08:49:04 -0600 Subject: [Dataloss] OT: Anyone Google Anyone's Medical Records? Message-ID: <6.2.1.2.1.20080223084212.048998e0@pop3.mail.wowway.com> http://www.news.com/8301-10784_3-9875967-7.html?tag=head Google is set to announce on Thursday that it will be using the Cleveland Clinic hospital in Cleveland, Ohio as the pilot site for its new personal health records initiative. Between 1,500 and 10,000 patients at the Cleveland, Ohio, facility will participate in the project's test run, volunteering to have their medical records transferred to their Google accounts. [..] Included in the data will be prescription information, medical histories, and details about conditions and allergies. [..] third-party PHR systems that aren't covered by the Health Insurance Portability and Accountability Act (HIPAA), which has been in effect since 1996 and requires individuals to be notified when a party other than a patient's doctor wants to access confidential medical data. Not only is security an issue, the nonprofit has said, so is the likelihood that marketers and other corporate entities will be able to exploit otherwise confidential data. The World Privacy Forum has not taken a specific stance on Google's new project or on others like Microsoft's. [..] 
- Al Mac From lyger at attrition.org Sat Feb 23 17:21:34 2008 From: lyger at attrition.org (lyger) Date: Sat, 23 Feb 2008 17:21:34 +0000 (UTC) Subject: [Dataloss] CA: Theft compromises Torrance school district employee data Message-ID: (more on the Systematic Automation breach) http://www.dailybreeze.com/ci_8342542 Personal information about 2,200 Torrance Unified School District staffers was housed on a hard drive recently stolen from an Orange County company that helps agencies administer employee health benefits. Names, addresses, birth dates and Social Security numbers were among the personal details stored on equipment at Systematic Automation Inc. of Fullerton, district officials confirmed Friday. Although they received letters about the theft from the company itself, some Torrance school employees are upset that their own employer has yet to officially notify them of the so-called smash-and-grab robbery that occurred Feb. 11. [...] From jericho at attrition.org Mon Feb 25 09:45:29 2008 From: jericho at attrition.org (security curmudgeon) Date: Mon, 25 Feb 2008 09:45:29 +0000 (UTC) Subject: [Dataloss] How much does a data breach cost UK companies? Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.theregister.co.uk/2008/02/25/data_breach_real_cost/ By John Oates The Register 25th February 2008 Data breaches cost UK companies an average of £47 for every record lost. This means the average cost to a company which suffers a data breach is £1.4m. The Ponemon Institute isn't pulling these figures out of the ether - it talked to 21 UK companies about how much actual data breaches cost them. From a total of £47 per record, the cost from lost business in the wake of a data disaster is 36 per cent or £17. Financial services companies are particularly at risk - their average costs per record are £55. Customer expectations of trust mean they also suffer a higher cost of lost business. 
Phillip Dunkelberger, CEO at PGP Corporation, told The Reg: "Companies are increasingly waking up to the real cost of data losses, especially the cost of losing customers. It is a serious global problem with no easy answers." [..] From lyger at attrition.org Mon Feb 25 12:41:10 2008 From: lyger at attrition.org (lyger) Date: Mon, 25 Feb 2008 12:41:10 +0000 (UTC) Subject: [Dataloss] NC: Personal Information Compromised Message-ID: http://www.wbtv.com/news/topstories/15934452.html We have an important warning if you have bank drafts set up with Mecklenburg County. WBTV News has learned the bank account information of an unknown number of people in Mecklenburg County has been stolen. A letter is being sent to those affected, telling them that a County employee's car was stolen, and in that car was a printout of bank draft transactions within the Park and Recreation Department. [...] From lyger at attrition.org Mon Feb 25 12:43:26 2008 From: lyger at attrition.org (lyger) Date: Mon, 25 Feb 2008 12:43:26 +0000 (UTC) Subject: [Dataloss] Liechtenstein's LGT Records Hold Data on 1,400 People Message-ID: http://www.bloomberg.com/apps/news?pid=20601085&sid=a_LpINIqHzSY&refer=europe LGT Group, the Liechtenstein bank owned by the principality's ruling family, said records stolen and passed to German tax authorities contain data from 1,400 clients as the probe widened to the U.K. The documents, including bank information from 600 Germans, were stolen in 2002 and no later data was given to authorities, the Vaduz, Liechtenstein-based bank said in an e-mailed statement. The foundations listed in the stolen records had 4,527 beneficiaries, the bank said. The U.K.'s tax collection department confirmed that it was investigating Britons with bank accounts in Liechtenstein. The prosecutor's office in Bochum, Germany, now has records from a second Liechtenstein bank, and investigators have begun 700 individual preliminary proceedings, Sueddeutsche Zeitung reported. [...] 
From hbrown at knology.net Mon Feb 25 20:12:09 2008 From: hbrown at knology.net (Henry Brown) Date: Mon, 25 Feb 2008 14:12:09 -0600 Subject: [Dataloss] ID theft in Oklahoma City (jun 2007 to Aug 2007) Message-ID: <47C32119.1000303@knology.net> http://www.kten.com/global/story.asp?s=7914206 OKLAHOMA CITY (AP) - Federal prosecutors have accused an Oklahoma City woman of violating a federal health privacy law as part of an identity theft scheme. An indictment alleges Leslie A. Howell violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA). U.S. Attorney for the Western District of Oklahoma spokesman Bob Troester says the Feb. 15 indictment was the first in the district for violating HIPAA. According to the indictment, Howell disclosed "personally identifiable health information" to two people from June to August, knowing they would use it to commit "access device fraud" and identity theft. Troester said the records came from a counseling center, but he wouldn't say which one. He says all the patient information that was disclosed has been retrieved, and all the victims have been or will be notified. Howell is accused of providing more than 100 patient files to the pair, but Troester declined to identify them. From hbrown at knology.net Mon Feb 25 22:13:38 2008 From: hbrown at knology.net (Henry Brown) Date: Mon, 25 Feb 2008 16:13:38 -0600 Subject: [Dataloss] stolen desktop in brown deer WI Message-ID: <47C33D92.9040701@knology.net> http://privacy.wi.gov/databreaches/databreaches.jsp [...] the office of Kurt Bischoff Tax & Accounting, Inc. was burglarized on February 21, 2008 and had a desktop computer stolen. The computer had personally identifiable information on it, such as names, addresses, birthdates, social security numbers, and bank account numbers. There is a police report on file. [...] 
From lyger at attrition.org Tue Feb 26 05:34:32 2008 From: lyger at attrition.org (lyger) Date: Tue, 26 Feb 2008 05:34:32 +0000 (UTC) Subject: [Dataloss] (update) NC: Information Stolen from 400 Mecklenburg Co. Accounts Message-ID: http://www.wbtv.com/news/topstories/15940852.html This afternoon, people who let Mecklenburg County draft money from their accounts should be on alert. 400 account numbers were stolen. Any of the 400 victims should alert their banks and the credit agencies. The county sent a letter to everyone who is affected. A county official said, Charlotte Mecklenburg Police have a 17 year-old in custody, but they are looking for two more teens. [...] From jericho at attrition.org Tue Feb 26 08:54:53 2008 From: jericho at attrition.org (security curmudgeon) Date: Tue, 26 Feb 2008 08:54:53 +0000 (UTC) Subject: [Dataloss] Security of data analyzed in study Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.collegian.psu.edu/archive/2008/02/26/security_of_data_analyzed_in_s.aspx By Elizabeth Murphy Collegian Staff Writer February 26, 2008 Information security breaches at colleges and universities are on the rise, according to a report released earlier this month. The report, Educational Security Incidents (ESI) Year in Review, spotlights institutions worldwide, and Penn State was included in the report with one data breach last year. In September, the Social Security numbers of more than 10,500 marines were inadvertently posted on a Penn State Web site. The names and numbers were compiled for a research project being conducted at Penn State, according to the report. "My goal with ESI is to, hopefully, increase awareness within higher education that not only is information security a concern, but that the threats to college and university information is not as simple as network and/or computer attacks," Adam Dodge, ESI creator, wrote in an e-mail. 
The report indicated that there were a total of 139 incidents at institutions during 2007, a 67.5 percent increase since 2006. The total number of institutions affected by data breaches also went up to 112, a 72.3 percent increase since 2006. [..] From jericho at attrition.org Tue Feb 26 08:55:25 2008 From: jericho at attrition.org (security curmudgeon) Date: Tue, 26 Feb 2008 08:55:25 +0000 (UTC) Subject: [Dataloss] Lawmakers ask agencies for data security update Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.fcw.com/online/news/151741-1.html By Jason Miller FCW.com February 25, 2008 Two high-ranking senators want to know when agencies will fully implement the Bush administration's requirements to protect personally identifiable data. Sens. Susan Collins (R-Maine), ranking member of the Homeland Security and Governmental Affairs Committee, and Norm Coleman (R-Minn.), ranking member of the Homeland Security and Governmental Affairs Committee's Permanent Subcommittee on Investigations, sent letters to 24 Cabinet agencies Feb. 22 requesting a written timeline for when they will meet all four requirements laid out by the Office of Management and Budget in a June 2006 memo. In the letter, the senators told the agency secretary which of the five requirements the department needs to implement. The lawmakers also asked for status updates or compliance timelines for five other OMB memos dating as far back as 2005 that deal with data security, including designating senior officials in charge of privacy. "As the federal government obtains and processes information about individuals in increasingly diverse ways, it is critically important that it ensure the privacy rights of individuals are respected and that personal information is properly secured and protected," the senators wrote. [..] 
From mhill at idtexperts.com Tue Feb 26 17:50:34 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Tue, 26 Feb 2008 12:50:34 -0500 Subject: [Dataloss] CBS4 Tests Credit Protection Companies Message-ID: <010401c878a0$16923440$6501a8c0@mkevhill> http://cbs4denver.com/consumer/credit.protection.identity.2.662760.html Thought this might be interesting to all that there's no identity theft protection plan that is 100%. It's what you do after it happens that counts. [...] How well do they work? CBS4 found out, when it picked three popular companies and put them to the test. The first company is LifeLock. The CEO of LifeLock actually publishes his social security number to promote his company's ability to protect a person's identity. The second company was Loudsiren/Debix. It calls itself "... the next generation of consumer protection ...." The third company, Trusted ID, says it provides "... the strongest proactive total identity protection ..." [...] CBS4 asked some of its own employees to help test the companies by signing up. Tom signed up for Loudsiren/Debix. ..... [...] CBS4 then moved on to the actual test. With their permission, CBS4's Jim Benemann took all of Tom, Jillian and Kristine's personal information including their social security numbers and dates of birth. Using that information, Benemann applied for the same major credit card in each of their names. [...] CBS4 asked all three companies to respond to the test. Here is what LifeLock had to say: The credit card companies have a contract with the credit bureaus that say they must honor fraud alerts. The fact that they chose not to is proof that the fraud alerts are not bulletproof. The good news is that this is where the LifeLock $1 million guarantee is most effective. LifeLock is not a credit monitoring service but a protection service in the event a fraud alert proves to be ineffective. 
Here is what Loudsiren/Debix had to say: Placing a call to the consumer's Debix Safe Number provides a proven, multi-factor authentication of the consumer for the creditor. Unfortunately, not all creditors take advantage of this opportunity. We believe that as creditors experience the speed and security of the Debix network, we expect fewer of them to mail letters. Here is what Trusted ID had to say: The most important fact is that the TrustedID customer's identity was clearly protected from an attempted theft. The experience by this customer was an exception, not the rule. Lenders make every effort to contact individuals to confirm their identity, and a majority of the time a customer is contacted by phone to verify their information. Michael Hill Certified Identity Theft Risk Management Specialist IDT Consultants 404-216-3751 "If You Think You're Not At Risk, Think Again!" NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email. This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination or distribution of this communication is prohibited. If you have received this communication in error, please notify the sender via return email and delete it completely from your email system. If you have printed a copy of the email, please destroy it immediately. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://attrition.org/pipermail/dataloss/attachments/20080226/7b837968/attachment.html From lyger at attrition.org Wed Feb 27 02:14:30 2008 From: lyger at attrition.org (lyger) Date: Wed, 27 Feb 2008 02:14:30 +0000 (UTC) Subject: [Dataloss] UT: Laptop theft worries SLCC students Message-ID: (Interesting twist: the compromised data may not necessarily be considered PII, but could be leveraged into revealing Social Security numbers and financial information...) http://www.sltrib.com/news/ci_8370346 Marty Greenlief is concerned his personal information may have been compromised after a laptop disappeared at Salt Lake Community College. "I'm upset that they're not telling me everything that happened," the SLCC student said. Greenlief said the school called him early last week and instructed him to change the password he uses to access his student page on the SLCC Web site due to a possible security breach. SLCC acknowledged a laptop had been stolen, but spokesman Joy Tlou said the school is still unsure whether the laptop taken from the Continuing Community Education of SLCC's Miller campus in Sandy contained internal log-in information for about 1,000 students, faculty and staff. [...] With a user name and password, an intruder could gain access to a student's "My Page" account, which contains a Social Security number and financial aid information, among other information, students said. [...] From hbrown at knology.net Wed Feb 27 10:29:02 2008 From: hbrown at knology.net (Henry Brown) Date: Wed, 27 Feb 2008 04:29:02 -0600 Subject: [Dataloss] 18 million Korean user information lost Message-ID: <47C53B6E.2010606@knology.net> http://www.thedarkvisitor.com/?p=305 According to Hackbase.com, South Korea's oldest and largest online shopping site (Auction.co.kr) has claimed it was attacked by a Chinese hacker who made off with the user information on 18 million members and a large amount of financial data. 
It is further claimed that Auction.co.kr delayed 20 hours after the attack before confirming the loss of information. Korean users rebuked the website for being too slow to act. It was confirmed that the attack was launched through China's internet. Auction.co.kr also confirmed that after the incident, they received a phone call offering to exchange the user information for money.

The Chinese hacker did not directly attack the server; instead, s/he took a roundabout strategy. The hacker sent out bulk e-mailings to the auction staff containing "hacker procedures" (I'm guessing this means with Trojans attached). When the staff members confirmed the e-mails, the hacker was able to gain their IDs. The hacker was then able to log in to the Auction server using the staffer's ID.

From lyger at attrition.org Wed Feb 27 14:52:03 2008
From: lyger at attrition.org (lyger)
Date: Wed, 27 Feb 2008 14:52:03 +0000 (UTC)
Subject: [Dataloss] NY laptop theft breaches no data protection rules
Message-ID:

http://www.siliconrepublic.com/news/news.nv?storyid=single10391

The loss of a laptop containing the files of up to 175,000 Irish blood donors, which was stolen earlier this month in New York, does not constitute a breach of the Data Protection Acts and the encryption on the laptop is sufficient to protect the files, Ireland's Data Protection Commissioner said today.

Following an investigation into the theft of the laptop from an employee of the New York Blood Centre (NYBC), the Data Protection Commissioner's office said the NYBC had a proven track record in developing query tools for blood organisations like the Irish Blood Transfusion Service (IBTS).

[...]

The data contained patient names, addresses, email addresses and/or mobile phone numbers. The log files also contain numeric codes for other kinds of information such as attendance at the IBTS or blood-test results performed by the IBTS.
"Importantly, the key for these codes was not on the stolen laptop or on the disks given to the NYBC for the performance of its functions," the Commission said.

"It is not possible to isolate individual fields in the log files, so it would have been difficult, if not impossible, to have anonymised the files prior to their supply to the NYBC. Accordingly, the amount of personal data supplied to the NYBC for the performance of the contract entered into is not considered excessive in the circumstances," the Commission said.

[...]

From chris at cwalsh.org Wed Feb 27 16:00:20 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Wed, 27 Feb 2008 10:00:20 -0600
Subject: [Dataloss] NY laptop theft breaches no data protection rules
In-Reply-To:
References:
Message-ID: <20080227160020.GA81636@fripp.cwalsh.org>

I am interpreting "encryption", in light of what is said below, to mean "use of consistent and obscure codes". Basically, something akin to a "q code".

If I understand this properly, a decoded record might look like this:

    Chris Walsh 123 Main St Dublin AB- HIV+

Whereas the "encrypted" variant is:

    Chris Walsh 123 Main St Dublin 785 432

Since the IBTS never told NY that "785" is the code for "AB-" and "432" means "HIV+", adequate protection of this sensitive information was in place.

I won't argue with that conclusion, although it would be easy to. I will say that calling a simple code such as this "encryption" was unfortunate, and tends to perpetuate misunderstandings.

Lastly, "It is not possible to isolate individual fields in the log files, so it would have been difficult, if not impossible, to have anonymised the files prior to their supply to the NYBC" means they could not parse their own logs. That's interesting.
On Wed, Feb 27, 2008 at 02:52:03PM +0000, lyger wrote:
> The loss of a laptop containing the files of up to 175,000 Irish blood
> donors, which was stolen earlier this month in New York, does not
> constitute a breach of the Data Protection Acts and the encryption on the
> laptop is sufficient to protect the files, Ireland's Data Protection
> Commissioner said today.
> [snip]
> The log files also contain numeric codes for other kinds of
> information such as attendance at the IBTS or blood-test results performed
> by the IBTS.
>
> "Importantly, the key for these codes was not on the stolen laptop or on
> the disks given to the NYBC for the performance of its functions," the
> Commission said.
>
> "It is not possible to isolate individual fields in the log files, so it
> would have been difficult, if not impossible, to have anonymised the files
> prior to their supply to the NYBC. Accordingly, the amount of personal
> data supplied to the NYBC for the performance of the contract entered into
> is not considered excessive in the circumstances," the Commission said.

From msimon at creationlogic.com Wed Feb 27 17:23:35 2008
From: msimon at creationlogic.com (Mike Simon)
Date: Wed, 27 Feb 2008 09:23:35 -0800
Subject: [Dataloss] NY laptop theft breaches no data protection rules
In-Reply-To: <20080227160020.GA81636@fripp.cwalsh.org>
Message-ID:

Chris is right of course. As a trivial example, it would be simple to reverse the codes for blood type from this sample. Blood type for this population is a solid statistical model and this is enough samples that one could derive which column is blood types and what the codes are by doing simple statistical analysis of the given data.

Given that and the sample size, it seems likely that other disease codes could be reversed in exactly the same way, especially given the specificity of the population base. This isn't an advanced statistical attack on a cipher, just high school math.
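The rank-matching attack Mike describes, as an added Python example that is not part of the original thread or of any IBTS/NYBC code: it builds a constructed log in the shape Chris sketched (name, town, a numeric blood-type code, an unrelated site code) using a hypothetical code book and an assumed, rounded ABO/Rh distribution for Irish donors standing in for the "solid statistical model", then identifies the coded column by comparing its value distribution to the reference and recovers the codes by frequency rank. It goes one step beyond the thread on the failure mode: labels with near-identical population frequencies (AB+ and B-, both about 2%) cannot be separated by counting alone, so they are reported as an ambiguous pair rather than guessed.

```python
import random
from collections import Counter

# Approximate ABO/Rh distribution of Irish blood donors. These are assumed,
# rounded reference figures for the illustration, not data from the thread.
REFERENCE = {
    "O+": 0.47, "A+": 0.26, "B+": 0.09, "O-": 0.08,
    "A-": 0.05, "AB+": 0.02, "B-": 0.02, "AB-": 0.01,
}

# Hypothetical code book standing in for the key the IBTS kept and never
# sent to NYBC. Only make_coded_records() is allowed to use it.
SECRET_CODEBOOK = {
    "O+": "701", "A+": "712", "B+": "723", "O-": "734",
    "A-": "745", "AB+": "756", "B-": "767", "AB-": "785",
}


def make_coded_records(n, seed=2008):
    """Construct a synthetic coded log: (name, town, blood-type code, site code).

    The blood type is drawn from REFERENCE and replaced by its secret code;
    the site column is an unrelated, uniformly distributed 8-value code.
    """
    rng = random.Random(seed)
    types = list(REFERENCE)
    blood = rng.choices(types, weights=[REFERENCE[t] for t in types], k=n)
    sites = rng.choices([str(s) for s in range(101, 109)], k=n)
    towns = rng.choices(["Dublin", "Cork", "Galway", "Limerick"], k=n)
    return [
        ("donor%06d" % i, towns[i], SECRET_CODEBOOK[blood[i]], sites[i])
        for i in range(n)
    ]


def column_frequencies(records, col):
    """Relative frequency of each distinct value in one column."""
    counts = Counter(r[col] for r in records)
    total = sum(counts.values())
    return {value: c / total for value, c in counts.items()}


def distance_to_reference(freqs, reference):
    """Total variation distance between the rank-sorted observed frequencies
    and the rank-sorted reference. A column with a different number of
    distinct values cannot encode the attribute and gets the maximum, 1.0."""
    if len(freqs) != len(reference):
        return 1.0
    obs = sorted(freqs.values(), reverse=True)
    ref = sorted(reference.values(), reverse=True)
    return 0.5 * sum(abs(o - r) for o, r in zip(obs, ref))


def find_blood_type_column(records, reference, candidate_cols):
    """Pick the column whose value distribution best matches the reference."""
    return min(
        candidate_cols,
        key=lambda c: distance_to_reference(column_frequencies(records, c), reference),
    )


def recover_codebook(freqs, reference, min_gap=0.005):
    """Match codes to labels by frequency rank.

    Reference labels whose frequencies sit within min_gap of each other
    (AB+ and B- here) are indistinguishable by counting, so their codes are
    returned as one ambiguous group instead of a guessed assignment.
    Returns (resolved: code -> label, ambiguous: [(codes, labels), ...]).
    """
    obs_codes = [code for code, _ in sorted(freqs.items(), key=lambda kv: -kv[1])]
    ref = sorted(reference.items(), key=lambda kv: -kv[1])
    resolved, ambiguous = {}, []
    i = 0
    while i < len(ref):
        j = i + 1
        while j < len(ref) and ref[j - 1][1] - ref[j][1] < min_gap:
            j += 1
        labels = [label for label, _ in ref[i:j]]
        codes = obs_codes[i:j]
        if len(labels) == 1:
            resolved[codes[0]] = labels[0]
        else:
            ambiguous.append((frozenset(codes), frozenset(labels)))
        i = j
    return resolved, ambiguous


if __name__ == "__main__":
    records = make_coded_records(175_000)  # same scale as the stolen log
    col = find_blood_type_column(records, REFERENCE, [0, 1, 2, 3])
    resolved, ambiguous = recover_codebook(column_frequencies(records, col), REFERENCE)
    print("blood-type column:", col)
    for code, label in sorted(resolved.items()):
        print("  code %s -> %s" % (code, label))
    for codes, labels in ambiguous:
        print("  codes %s -> one of %s" % (sorted(codes), sorted(labels)))
```

At the record count of the stolen log (175,000) the six well-separated types fall out immediately, the two 2% types remain as a pair, and the "key" was never needed. The same procedure applies to any coded column whose population distribution is public, which is the practical reason a consistent substitution code is not encryption.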
From hbrown at knology.net Wed Feb 27 21:41:25 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 27 Feb 2008 15:41:25 -0600
Subject: [Dataloss] dumpster diving in Cleveland oh
Message-ID: <47C5D905.8020302@knology.net>

http://www.wkyc.com/news/news_article.aspx?storyid=83808

Channel 3 news found a garbage dumpster full of Clevelanders' personal information, including bank statements, credit reports, and tax returns.

Thousands of pages of sensitive documents were thrown out in a dumpster located behind a pizza shop at East 105th and Superior in Cleveland.

Confidential files were found on hundreds of people who applied for loans with a company called Union Mortgage, whose last known addresses were in Beachwood and Parma.

[...]

Ken Knabe, a lawyer from Lakewood, was shocked that we had his bank accounts, credit reports, tax returns and other personal information including his social security number.

[...]

From rforno at infowarrior.org Thu Feb 28 02:37:48 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 27 Feb 2008 21:37:48 -0500
Subject: [Dataloss] Bank of America, HSBC Most Prone to I.D. Theft, Report Says
Message-ID:

Bank of America, HSBC Most Prone to I.D. Theft, Report Says - Updated
By Ryan Singel, February 27, 2008, 1:30:42 PM
Category: Sunshine and Secrecy
http://blog.wired.com/27bstroke6/2008/02/bank-of-america.html

In a first ever study of which companies have the most identity theft incidents, Bank of America, HSBC, and Washington Mutual were named as the companies with the most incidents per billions of dollars of deposits, according to a study released Wednesday by Berkeley Law School fellow Chris Hoofnagle.

Among the nation's largest banks, ING Bank looks to be the safest, with only 0.085 identity theft complaints per billion dollars of insured deposits.

In terms of sheer numbers of complaints, Bank of America, AT&T and Sprint were named most often in the complaints, followed closely by Chase, Capital One and Citibank.

The study, entitled Measuring Identity Theft at Top Banks (Version 1.0), looks to be the first-ever attempt to name-and-shame companies based on their identity theft protections, or lack thereof.

Hoofnagle, who started as a privacy and consumer rights advocate at the Electronic Privacy Information Center, says he did the study because he wants people to be able to choose institutions based on identity theft statistics.

He used an open-government request to get more than 88,000 complaints filed by individuals to the Federal Trade Commission in January, March and September 2006. The FTC publishes statistical data about the complaints yearly, but does not publish the companies' names.

"In order for the market to effectively address the ongoing identity theft epidemic, consumers need reliable information about incidence of the crime among institutions," Hoofnagle wrote in the study. "If data were available on this crime, consumers could choose safer institutions, regulators could focus attention on problem actors, and businesses themselves could compete to protect consumers from this crime."

To get a rough tally of the number of incidents per customer, Hoofnagle compared the number of incidents against publicly available FDIC data on the institutions' insured deposits. No similar data existed for telecoms companies, making even rough ranking per customer impossible.

Hoofnagle admits the data is rough, but hopes the study will force better data to come to light in the future. He also hopes the data could force lawmakers and regulators to mandate public disclosure of identity theft statistics from banks.

While the FTC data is currently the best source of data on identity theft, it relies on individuals to complain to them. It does not count police reports filed or incidents reported to banks, cell phone companies or credit bureaus.

For instance, the FTC data does not distinguish fraud cases where an impostor establishes new accounts in a person's name from more common cases where a person uses a stolen credit card to make purchases. The data also does not distinguish between identity theft committed online such as through phishing emails and identity theft done without the help of the internet.

UPDATE: Bank of America spokeswoman Betty Riess says the company hasn't seen the study yet, but says BoA takes security seriously.

"Keep in mind that if we have a customer who reports they are a victim of identity theft that doesn't correlate to security at BoA," Riess said, referring to the fact that a BoA customer experiencing identity theft could have had their mail stolen or fallen prey to a phishing attack.

"Protecting customer information is a top priority at BoA and we have multiple layers of security."

Riess added that BoA uses online security offerings from RSA and lets customers use one-time credit card numbers for purchases from unfamiliar online retailers.
From lyger at attrition.org Thu Feb 28 05:04:21 2008
From: lyger at attrition.org (lyger)
Date: Thu, 28 Feb 2008 05:04:21 +0000 (UTC)
Subject: [Dataloss] WI: 103,000 Doctors' Social Security Numbers Posted on Website by Accident
Message-ID:

http://www.weau.com/news/headlines/16061387.html

NewsCenter 13 has learned local doctors may be at risk for identity theft.

The risk involves a national health insurance company and more than 100-thousand doctors in Wisconsin and ten other states.

The Vice President at Marshfield Clinic confirmed Wednesday afternoon that social security numbers for his doctors and thousands of others all over the midwest were posted on a website, accidentally.

Dr. Doug Reding tells us the numbers were posted to a website by a company called Health Net Federal Services based in Rancho Cordova, California.

[...]

From hbrown at knology.net Thu Feb 28 11:23:49 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 28 Feb 2008 05:23:49 -0600
Subject: [Dataloss] WI: 103,000 Doctors' Social Security Numbers Posted on Website by Accident
In-Reply-To:
References:
Message-ID: <47C699C5.7000609@knology.net>

food for the conspiracy theory folks?!!

Los Angeles' city attorney has sued Health Net Inc. - one of California's largest insurers - accusing the company of unlawful and deceptive business practices for canceling coverage after patients make medical claims.

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/02/22/BUIVV6HTF.DTL

and then this

lyger wrote:
> http://www.weau.com/news/headlines/16061387.html
>
> NewsCenter 13 has learned local doctors may be at risk for identity theft.
>
> The risk involves a national health insurance company and more than
> 100-thousand doctors in Wisconsin and ten other states.
>
> The Vice President at Marshfield Clinic confirmed Wednesday afternoon that
> social security numbers for his doctors and thousands of others all over
> the midwest were posted on a website, accidentally.
>
> Dr. Doug Reding tells us the numbers were posted to a website by a company
> called Health Net Federal Services based in Rancho Cordova, California.
>

From lyger at attrition.org Fri Feb 29 14:40:41 2008
From: lyger at attrition.org (lyger)
Date: Fri, 29 Feb 2008 14:40:41 +0000 (UTC)
Subject: [Dataloss] MA: Personal information of hundreds of seniors lost or stolen
Message-ID:

http://www.bostonherald.com/news/regional/general/view.bg?articleid=1076819&srvc=rss

Personal information of nearly 500 seniors who received flu shots in Wellesley has been lost or stolen.

The information was in an envelope that had been mailed earlier this month by the town's health department to a Medicare office in Boston. But officials say when the envelope arrived, it was open and the contents were missing.

[...]

The material included social security numbers, addresses and dates of birth for about 480 Wellesley seniors who had received flu shots from the town last fall.

[...]

From hbrown at knology.net Fri Feb 29 20:19:51 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 29 Feb 2008 14:19:51 -0600
Subject: [Dataloss] Theft ring broken in Canada
Message-ID: <47C868E7.8080006@knology.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080229/ba74889e/attachment.html