From lyger at attrition.org Thu May 1 01:22:07 2008
From: lyger at attrition.org (lyger)
Date: Thu, 1 May 2008 01:22:07 +0000 (UTC)
Subject: [Dataloss] SunGard Breach Compilation
Message-ID:

http://www.sungardhe.com/custom.aspx?id=1554

So many reports about this, they're a chore to keep up with...

Would anyone happen to have a relatively current list of all entities affected by the recent SunGard incident with known/estimated totals of affected individuals? Any information would be appreciated, especially in a broken down format as described above.

Thanks in advance,

Lyger


From hbrown at knology.net Thu May 1 10:38:38 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 01 May 2008 05:38:38 -0500
Subject: [Dataloss] Fake Card reader results in ID theft in Los Gatos Ca.
Message-ID: <48199DAE.70903@knology.net>

http://cbs5.com/local/supermarket.identity.theft.2.711956.html

An ATM and credit card reader in a checkout aisle at the Los Gatos Lunardi's supermarket was recently switched, resulting in more than two dozen reported cases of identity theft, a Los Gatos/Monte Sereno Police Department spokesman said Tuesday.

Police received the first reports from victims who said their credit or debit cards had been used fraudulently on Sunday night and additional victim reports continued on Monday and today, according to police spokesman Tam McCarty.

"They started pouring in," McCarty said.

Police believe the victims all had their card numbers stolen at the Los Gatos Lunardi's, 720 Blossom Hill Road, after officials from Lunardi's contacted them about a problem with one of their card readers.

"It was a switched card reader at one of the aisles," McCarty said.

Recent shoppers of the Los Gatos Lunardi's should check the status of their bank or credit card accounts for charges they did not make, according to police.

"Specifically look for charges in the Southern California area, Pasadena, Huntington; that's where most of them seem to be," McCarty said.

[...]
From rchicker at etiolated.org Thu May 1 13:46:20 2008
From: rchicker at etiolated.org (rchick)
Date: Thu, 1 May 2008 09:46:20 -0400
Subject: [Dataloss] 88,000 patients at risk after computer theft
Message-ID:

Thursday, May 01, 2008
http://www.silive.com/news/advance/index.ssf?/base/news/1209644107324690.xml&coll=1

STATEN ISLAND, N.Y. -- Computer equipment stolen from an administrative office in Rosebank in December contained personal information about 88,000 patients who have been treated at Staten Island University Hospital.

After four months with no arrests, hospital administrators are just now beginning the process of sending letters to patients whose names, Social Security and health insurance numbers were contained in computer files on a desktop computer and a backup hard drive stolen Dec. 29 from one of the hospital's finance offices at 1 Edgewater Plaza.

"The hospital is in the process of issuing a letter of information to each patient involved in which one year of free credit monitoring is being offered," said a hospital statement released yesterday afternoon by spokeswoman Arleen Ryback.

The time frame for when patients whose information was included in the data were treated was not immediately known.

[...]


From lyger at attrition.org Thu May 1 14:06:17 2008
From: lyger at attrition.org (lyger)
Date: Thu, 1 May 2008 14:06:17 +0000 (UTC)
Subject: [Dataloss] UK: Over 600 HMRC staff disciplined for data infractions
Message-ID:

http://news.zdnet.co.uk/security/0,1000000189,39408914,00.htm

HM Revenue & Customs has had to discipline over 600 staff since 2005 over data-protection incidents, according to Treasury financial secretary Jane Kennedy.

Kennedy revealed on Wednesday in a written answer to parliamentary questions that 238 staff were disciplined at HM Revenue & Customs (HMRC) in 2005, dropping to 180 in 2006 and 192 in 2007. The figures were revealed in answer to a written parliamentary question by Conservative MP James Brokenshire.
"HMRC has a strict policy forbidding staff to access customer records, unless they have a legitimate business need," she said. "Breaches of this policy are taken seriously and any breach will result in the commencement of disciplinary proceedings. Each case is treated on its merits but, in many cases, the disciplinary penalty for breach is dismissal."

[...]


From adam at homeport.org Thu May 1 15:23:34 2008
From: adam at homeport.org (Adam Shostack)
Date: Thu, 1 May 2008 11:23:34 -0400
Subject: [Dataloss] SunGard Breach Compilation
In-Reply-To:
References:
Message-ID: <20080501152334.GA9136@homeport.org>

On Thu, May 01, 2008 at 01:22:07AM +0000, lyger wrote:
|
| http://www.sungardhe.com/custom.aspx?id=1554
|
| So many reports about this, they're a chore to keep up with...
|
| Would anyone happen to have a relatively current list of all entities
| affected by the recent SunGard incident with known/estimated totals of
| affected individuals? Any information would be appreciated, especially in
| a broken down format as described above.

http://www.adamdodge.com/esi/stolen_sungard_higher_education_laptop_contained_csu_system_student_information
is the best I've seen.

Adam


From allan_friedman at ksgphd.harvard.edu Thu May 1 21:00:53 2008
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Thu, 1 May 2008 17:00:53 -0400
Subject: [Dataloss] Italian govt posts tax return information of ALL of its citizens
Message-ID: <686cc62f0805011400x622e3eb3gec263eb921d0b7e2@mail.gmail.com>

This was not actually a breach, since it was intentional! Still relevant for dataloss, I think.

http://news.bbc.co.uk/2/hi/europe/7376608.stm

There has been outrage in Italy after the outgoing government published every Italian's declared earnings and tax contributions on the internet.

The tax authority's website was inundated by people curious to know how much their neighbours, celebrities or sports stars were making.
The Italian treasury suspended the website after a formal complaint from the country's privacy watchdog.

The information was put on the site with no warning for nearly 24 hours.

...

The release of the information was one of the last acts of the outgoing centre-left government and has shocked many tax-shy Italians, says the BBC's Mark Duff in Milan.

But it was also hugely popular, and within hours the site was overwhelmed and impossible to access.

The finance ministry described the move as a bid to improve transparency.

Deputy Economic Minister Vincenzo Visco said he could not understand what all the fuss was about.

"I can't understand what the problem is," he is quoted as telling Italy's Corriere della Sera newspaper.

"This already exists all around the world, you just have to watch any American soap to see that. We had the system ready by January but we delayed publication to avoid arguments during the election campaign."

But critics condemned it as an outrageous breach of privacy.


From tglassey at earthlink.net Thu May 1 21:40:02 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Thu, 1 May 2008 14:40:02 -0700
Subject: [Dataloss] Italian govt posts tax return information of ALL of its citizens
References: <686cc62f0805011400x622e3eb3gec263eb921d0b7e2@mail.gmail.com>
Message-ID: <000801c8abd3$eee7d8c0$0a01a8c0@tsg1>

Alan - seems to me that this is a pretty clear violation of the EU's privacy act and that it was done by an Outgoing Politico makes it criminal in form IMHO.

I would if I was those people start demanding criminal prosecutions of those responsible. But that's just my two cents.

Todd Glassey

----- Original Message -----
From: "Allan Friedman"
To:
Sent: Thursday, May 01, 2008 2:00 PM
Subject: [Dataloss] Italian govt posts tax return information of ALL of its citizens

> This was not actually a breach, since it was intentional! Still
> relevant for dataloss, I think.
>
> http://news.bbc.co.uk/2/hi/europe/7376608.stm
>
> There has been outrage in Italy after the outgoing government
> published every Italian's declared earnings and tax contributions on
> the internet.
>
> The tax authority's website was inundated by people curious to know
> how much their neighbours, celebrities or sports stars were making.
>
> The Italian treasury suspended the website after a formal complaint
> from the country's privacy watchdog.
>
> The information was put on the site with no warning for nearly 24 hours.
>
> ...
>
> The release of the information was one of the last acts of the
> outgoing centre-left government and has shocked many tax-shy Italians,
> says the BBC's Mark Duff in Milan.
>
> But it was also hugely popular, and within hours the site was
> overwhelmed and impossible to access.
>
> The finance ministry described the move as a bid to improve transparency.
>
> Deputy Economic Minister Vincenzo Visco said he could not understand
> what all the fuss was about.
>
> "I can't understand what the problem is," he is quoted as telling
> Italy's Corriere della Sera newspaper.
>
> "This already exists all around the world, you just have to watch any
> American soap to see that. We had the system ready by January but we
> delayed publication to avoid arguments during the election campaign."
>
> But critics condemned it as an outrageous breach of privacy.
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml


From lyger at attrition.org Thu May 1 21:49:20 2008
From: lyger at attrition.org (lyger)
Date: Thu, 1 May 2008 21:49:20 +0000 (UTC)
Subject: [Dataloss] Analysis Reveals No Security Breach, No Personal Data Exposed At CU-Boulder
Message-ID:

http://www.colorado.edu/news/r/c44664813b5b2e378a26238eafecf33a.html

The University of Colorado at Boulder today announced that a forensic analysis of a computer suspected to have been compromised last week revealed no malicious software, and no exposure of student and staff private data.

"The analysis by our staff, working closely with the consulting firm of Applied Trust Engineering, revealed an interaction between two incompatible software programs that mimicked behavior consistent with malicious software," said Dan Jones, director of IT Security at CU-Boulder.

"The functioning of the computers led us to initiate our data breach protocol, which includes providing notice to the community of a potential threat of identity theft," Jones said.

Dennis Maloney, chief technology officer for CU-Boulder, said, "While the data was not compromised, this incident still reinforces the need to continue to constantly improve IT security at CU. We also intend to share our discovery of the software incompatibilities with our colleagues."

[...]


From macwheel99 at wowway.com Thu May 1 21:51:27 2008
From: macwheel99 at wowway.com (macwheel99 at wowway.com)
Date: Thu, 1 May 2008 16:51:27 -0500
Subject: [Dataloss] Italian govt posts tax return information of ALL of its citizens
In-Reply-To: <000801c8abd3$eee7d8c0$0a01a8c0@tsg1>
References: <686cc62f0805011400x622e3eb3gec263eb921d0b7e2@mail.gmail.com> <000801c8abd3$eee7d8c0$0a01a8c0@tsg1>
Message-ID: <20080501214913.M559@wowway.com>

Anyone who believes that the American Soaps are a reflection of real life, in America or anywhere else, is living in a fantasy world. In fact the same can be said for a lot of TV period.
On Thu, 1 May 2008 14:40:02 -0700, TS Glassey wrote
> Alan - seems to me that this is a pretty clear violation of the EU's
> privacy act and that it was done by an Outgoing Politico makes it
> criminal in form IMHO.
>
> I would if I was those people start demanding criminal prosecutions
> of those responsible. But that's just my two cents.
>
> Todd Glassey
>
> ----- Original Message -----
> From: "Allan Friedman"
> To:
> Sent: Thursday, May 01, 2008 2:00 PM
> Subject: [Dataloss] Italian govt posts tax return information of ALL
> of its citizens
>
> > This was not actually a breach, since it was intentional! Still
> > relevant for dataloss, I think.
> >
> > http://news.bbc.co.uk/2/hi/europe/7376608.stm
> >
> > There has been outrage in Italy after the outgoing government
> > published every Italian's declared earnings and tax contributions on
> > the internet.
> >
> > The tax authority's website was inundated by people curious to know
> > how much their neighbours, celebrities or sports stars were making.
> >
> > The Italian treasury suspended the website after a formal complaint
> > from the country's privacy watchdog.
> >
> > The information was put on the site with no warning for nearly 24 hours.
> >
> > ...
> >
> > The release of the information was one of the last acts of the
> > outgoing centre-left government and has shocked many tax-shy Italians,
> > says the BBC's Mark Duff in Milan.
> >
> > But it was also hugely popular, and within hours the site was
> > overwhelmed and impossible to access.
> >
> > The finance ministry described the move as a bid to improve transparency.
> >
> > Deputy Economic Minister Vincenzo Visco said he could not understand
> > what all the fuss was about.
> >
> > "I can't understand what the problem is," he is quoted as telling
> > Italy's Corriere della Sera newspaper.
> >
> > "This already exists all around the world, you just have to watch any
> > American soap to see that.
> > We had the system ready by January but we
> > delayed publication to avoid arguments during the election campaign."
> >
> > But critics condemned it as an outrageous breach of privacy.

--
WOW! Homepage (http://www.wowway.com)


From rchicker at etiolated.org Fri May 2 01:36:28 2008
From: rchicker at etiolated.org (rchick)
Date: Thu, 1 May 2008 21:36:28 -0400
Subject: [Dataloss] UCSF waited six months before telling 6,313 patients of data breach
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/05/01/MNKE10DRGN.DTL&tsp=1

May 1, 2008

San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical-identity theft, The Chronicle has learned.

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients' physicians were also available online.

The breach was discovered Oct.
9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.

The consequences of health care data breaches can be significant, said experts. Sensitive information can be used by employers, health insurers and other entities to discriminate. Additionally, thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.

"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research and consumer education group. "To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."

[...]


From lyger at attrition.org Fri May 2 04:47:08 2008
From: lyger at attrition.org (lyger)
Date: Fri, 2 May 2008 04:47:08 +0000 (UTC)
Subject: [Dataloss] CO: Personal Information Found In Dumpster
Message-ID:

http://www.thedenverchannel.com/news/16064711/detail.html

Sensitive mortgage files with people's personal information were recently found in a Dumpster, easy pickings for would-be identity thieves. The files have been secured by the Arapahoe County Sheriff's Department.

Fraud expert Mason Finks said, "The district attorney's office got a tip about numerous mortgage files and two laptop computers in a Dumpster behind offices formerly used by Cove Creek Mortgage and Front Range Mortgage. The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information.

[...]
From rchicker at etiolated.org Fri May 2 15:52:31 2008
From: rchicker at etiolated.org (rchick)
Date: Fri, 2 May 2008 11:52:31 -0400
Subject: [Dataloss] Missing Taxpayer Information the Result of Stolen Courier Shipment
Message-ID:

Iredell County Issues Compromise Notice
http://www.primenewswire.com/newsroom/news.html?d=141716

STATESVILLE, N.C., May 2, 2008 (PRIME NEWSWIRE) -- The Iredell County Tax Collector's Office today issued a statewide notice about a recent incident involving unauthorized access to information.

On Tuesday, April 22, a courier vehicle providing services for First Citizens Bank was stolen in Charlotte. The courier was transporting a shipment containing data related to Iredell County tax payments received on April 21st. Charlotte law enforcement officials are investigating the incident, but the contents of the shipment have not been recovered.

The stolen shipment contained a computer report of 468 taxpayers' check information, including account numbers, check numbers, check amounts and routing numbers from various banks on which the checks were drawn. There were also copies of tax bills that contained taxpayer names, addresses and other public information related to tax payments.

[..]


From hbrown at knology.net Sat May 3 11:55:23 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 03 May 2008 06:55:23 -0500
Subject: [Dataloss] near miss 17000 Texas military employees Exposed
Message-ID: <481C52AB.60602@knology.net>

From Infoworld.com
http://tinyurl.com/5wfbf2

Military computer contractor convicted of ID theft

Former contractor acknowledged selling information contained in a military database to a person he believed to represent a foreign government

[...]

A former U.S. military contractor has pleaded guilty to exceeding authorized access to a computer and aggravated identity theft after he was accused of selling names and Social Security numbers of 17,000 military employees, the U.S. Department of Justice said.

[...]
A forensic examination conducted by the Naval Criminal Investigative Service determined the data was from the Marine Corps Reserve Center where Craig worked, the DOJ said. The thumb drive contained personal information of 17,000 people assigned to the Battalion of the U.S. Marine Corps in San Antonio, the DOJ said.

The investigation found that none of the information obtained by Craig was sold to others or otherwise compromised.

[...]


From aaron at trifault.net Sat May 3 16:11:21 2008
From: aaron at trifault.net (Aaron Allen)
Date: Sat, 3 May 2008 12:11:21 -0400
Subject: [Dataloss] Reporting Dataloss
Message-ID: <7ad3c8b50805030911q582d74b1h95265eb86b4c0756@mail.gmail.com>

Back in November 2007, I uncovered a data breach containing about 7000 partial names, addresses and full SSNs of students that graduated from the public school system from which I graduated in 2002. The data was publicly posted on a website of a vendor that the school had used. Here is an example line from the leak:

Permanent Number   LAST NAME   FIRST NAME   Geocode Status   Address   ZIP   GRADE
401999999   XXXXX   ......hia   .......estown Rd   40511   D   09

Note that I changed the social security number to protect the innocent, but everything else is the same. As you can see, the data provided was full social, last three letters of the first name, partial address, full zip, the high school the student was attending in the year 2001, and the grade they were in when they attended that school.

I notified both the vendor and the school district and they removed the information. They told me they would not notify the affected individuals because the amount of information contained in the leak was so small that it was useless to any potential ID thief.

However, because the breach targets such a small group of individuals I was easily able to go through the information and using publicly available information fill in a lot of missing information and obtain full SSN, name, addresses, and phone numbers.
I have also notified the FCC and attempted to contact other agencies, but no one seems to really care that this data loss has occurred. Now, several months later, I have found out that I am a victim of identity theft (someone filed taxes under my SSN). While there is no way to link these two incidents, it has caused me to look back into this data leak I discovered back in Nov.

So, my question to the list is what is the best way and to whom do you report a data loss event that neither of the responsible parties are willing to disclose?

Or, am I just being too paranoid and the amount of data that was leaked should not be a cause for concern?


From traef at ebasedsecurity.com Sat May 3 18:08:27 2008
From: traef at ebasedsecurity.com (Thomas Raef)
Date: Sat, 3 May 2008 13:08:27 -0500
Subject: [Dataloss] Reporting Dataloss
Message-ID:

Depending on the state laws governing this incident, the school and the vendor don't have the option of not notifying the "potential" victims. Data loss is data loss.

I'd start with the State Attorneys office. I believe they have jurisdiction of that.

Thomas J. Raef
e-Based Security, LLC
http://www.ebasedsecurity.com
traef at ebasedsecurity.com
1-888-251-5803

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Aaron Allen
Sent: Saturday, May 03, 2008 11:11 AM
To: dataloss at attrition.org
Subject: [Dataloss] Reporting Dataloss

Back in November 2007, I uncovered a data breach containing about 7000 partial names, addresses and full SSNs of students that graduated from the public school system from which I graduated in 2002. The data was publicly posted on a website of a vendor that the school had used.
Here is an example line from the leak:

Permanent Number   LAST NAME   FIRST NAME   Geocode Status   Address   ZIP   GRADE
401999999   XXXXX   ......hia   .......estown Rd   40511   D   09

Note that I changed the social security number to protect the innocent, but everything else is the same. As you can see, the data provided was full social, last three letters of the first name, partial address, full zip, the high school the student was attending in the year 2001, and the grade they were in when they attended that school.

I notified both the vendor and the school district and they removed the information. They told me they would not notify the affected individuals because the amount of information contained in the leak was so small that it was useless to any potential ID thief.

However, because the breach targets such a small group of individuals I was easily able to go through the information and using publicly available information fill in a lot of missing information and obtain full SSN, name, addresses, and phone numbers. I have also notified the FCC and attempted to contact other agencies, but no one seems to really care that this data loss has occurred. Now, several months later, I have found out that I am a victim of identity theft (someone filed taxes under my SSN). While there is no way to link these two incidents, it has caused me to look back into this data leak I discovered back in Nov.

So, my question to the list is what is the best way and to whom do you report a data loss event that neither of the responsible parties are willing to disclose?

Or, am I just being too paranoid and the amount of data that was leaked should not be a cause for concern?
From sromanos at andrew.cmu.edu Sat May 3 22:37:17 2008
From: sromanos at andrew.cmu.edu (Sasha Romanosky)
Date: Sat, 3 May 2008 18:37:17 -0400
Subject: [Dataloss] Reporting Dataloss
In-Reply-To: <7ad3c8b50805030911q582d74b1h95265eb86b4c0756@mail.gmail.com>
Message-ID: <002701c8ad6e$3f6ac9b0$6601a8c0@sribm>

Was that the FCC or FTC that you notified? The FTC might be more interested. You could call their 800 number: 1-877-ID-THEFT (http://www.ftc.gov/bcp/conline/pubs/credit/idtheftmini.shtm). In addition to recording your complaint, you could tell them about the breach, itself.

What state was this in? Different states require different notification procedures.

cheers,
sasha

_____

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Aaron Allen
Sent: Saturday, May 03, 2008 12:11 PM
To: dataloss at attrition.org
Subject: [Dataloss] Reporting Dataloss

Back in November 2007, I uncovered a data breach containing about 7000 partial names, addresses and full SSNs of students that graduated from the public school system from which I graduated in 2002. The data was publicly posted on a website of a vendor that the school had used. Here is an example line from the leak:

Permanent Number   LAST NAME   FIRST NAME   Geocode Status   Address   ZIP   GRADE
401999999   XXXXX   ......hia   .......estown Rd   40511   D   09

Note that I changed the social security number to protect the innocent, but everything else is the same. As you can see, the data provided was full social, last three letters of the first name, partial address, full zip, the high school the student was attending in the year 2001, and the grade they were in when they attended that school.
I notified both the vendor and the school district and they removed the information. They told me they would not notify the affected individuals because the amount of information contained in the leak was so small that it was useless to any potential ID thief.

However, because the breach targets such a small group of individuals I was easily able to go through the information and using publicly available information fill in a lot of missing information and obtain full SSN, name, addresses, and phone numbers. I have also notified the FCC and attempted to contact other agencies, but no one seems to really care that this data loss has occurred. Now, several months later, I have found out that I am a victim of identity theft (someone filed taxes under my SSN). While there is no way to link these two incidents, it has caused me to look back into this data leak I discovered back in Nov.

So, my question to the list is what is the best way and to whom do you report a data loss event that neither of the responsible parties are willing to disclose?

Or, am I just being too paranoid and the amount of data that was leaked should not be a cause for concern?


From chris at cwalsh.org Sat May 3 22:43:19 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Sat, 3 May 2008 17:43:19 -0500
Subject: [Dataloss] Reporting Dataloss
In-Reply-To: <7ad3c8b50805030911q582d74b1h95265eb86b4c0756@mail.gmail.com>
References: <7ad3c8b50805030911q582d74b1h95265eb86b4c0756@mail.gmail.com>
Message-ID:

If this happened in my school district, I would notify the Superintendent of Schools, and try to obtain in writing the reason for not notifying. I would then follow up explaining why I thought this approach was mistaken.
If this was not persuasive, I would then attend the next school board meeting, and when the agenda item for all other business (or public comment) came along, I would calmly restate the facts in detail, and ask for Board comment. I would also make sure that my remarks were reflected in the minutes (FOIA the minutes after the meeting if you have to, go to the next meeting, and ask that they be corrected if your remark is not on the record). Often, even in small towns, the press attend such meetings or they are taped and played again and again on public affairs cable stations.

I would reserve this level of response only for government bodies, and only as a last resort, only if I was dead certain of the facts, and only if I came upon these "publicly posted" materials entirely in good faith. I would not want to have to explain why issuing an HTTP GET on www.someschool.edu/getrecords?ID=xxxx for numerous values of 'xxxx' is not "hacking".

Note that in many states the fact that the *entire* last name was not exposed would, by my reading, allow the entity not to be required to report this to those potentially impacted. I hasten to add that I am not a lawyer.

One last note: Read up on the family educational records and privacy act (http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html). It is pretty strict, and may provide you with a persuasive argument to make to the powers that be.

On May 3, 2008, at 11:11 AM, Aaron Allen wrote:

> Back in November 2007, I uncovered a data breach containing about
> 7000 partial names, addresses and full SSNs of students that
> graduated from the public school system from which I graduated in
> 2002. The data was publicly posted on a website of a vendor that
> the school had used.

> So, my question to the list is what is the best way and to whom do
> you report a data loss event that neither of the responsible parties
> are willing to disclose?
From aaron at trifault.net Sat May 3 23:17:59 2008
From: aaron at trifault.net (Aaron Allen)
Date: Sat, 3 May 2008 19:17:59 -0400
Subject: [Dataloss] Reporting Dataloss
In-Reply-To: <002701c8ad6e$3f6ac9b0$6601a8c0@sribm>
References: <7ad3c8b50805030911q582d74b1h95265eb86b4c0756@mail.gmail.com> <002701c8ad6e$3f6ac9b0$6601a8c0@sribm>
Message-ID: <7ad3c8b50805031617u74cb692ey2797aa52dd43920a@mail.gmail.com>

It was indeed the FTC and not the FCC. Too many TLAs in the government, sorry about that :)

The state is KY. The superintendent of the school is aware of the issue, and to be fair, it was actually the vendor that leaked the information (now, whether or not the vendor should have had the information is another question entirely). I believe the vendor (and thus the location of the breach) was in MD, which complicates things a little more. The data was available in "sample reports" that were publicly available on the vendor's website (easily googled). They were certainly not hidden or obscured in any way whatsoever.

On Sat, May 3, 2008 at 6:37 PM, Sasha Romanosky wrote:
>
> Was that the FCC or FTC that you notified? The FTC might be more
> interested. You could call their 800 number: 1-877-ID-THEFT (
> http://www.ftc.gov/bcp/conline/pubs/credit/idtheftmini.shtm). In addition
> to recording your complaint, you could tell them about the breach, itself.
>
> What state was this in? Different states require different notification
> procedures.
>
> cheers,
> sasha
>
> ------------------------------
> From: dataloss-bounces at attrition.org [mailto:
> dataloss-bounces at attrition.org] On Behalf Of Aaron Allen
> Sent: Saturday, May 03, 2008 12:11 PM
> To: dataloss at attrition.org
> Subject: [Dataloss] Reporting Dataloss
>
> Back in November 2007, I uncovered a data breach containing about 7000
> partial names, addresses and full SSNs of students that graduated from the
> public school system from which I graduated in 2002.
> The data was publicly
> posted on a website of a vendor that the school had used. Here is an
> example line from the leak:
>
> *Permanent Number* *LAST NAME* *FIRST NAME* *Geocode Status* *Address* *ZIP* *GRADE*
>
> 401999999 XXXXX ......hia .......estown Rd 40511 D 09
>
> Note that I changed the social security number to protect the innocent, but
> everything else is the same. As you can see, the data provided was full
> social, last three letters of the first name, partial address, full zip, the
> high school the student was attending in the year 2001, and the grade they
> were in when they attended that school. I notified both the vendor and the
> school district and they removed the information. They told me they would
> not notify the affected individuals because the amount of information
> contained in the leak was so small that it was useless to any potential ID
> thief.
>
> However, because the breach targets such a small group of individuals I was
> easily able to go through the information and using publicly available
> information fill in a lot of missing information and obtain full SSN, name,
> addresses, and phone numbers. I have also notified the FCC and attempted to
> contact other agencies, but no one seems to really care that this data loss
> has occurred. Now, several months later, I have found out that I am a
> victim of identity theft (someone filed taxes under my SSN). While there is
> no way to link these two incidents, it has caused me to look back into this
> data leak I discovered back in Nov.
>
> So, my question to the list is what is the best way and to whom do you
> report a data loss event that neither of the responsible parties are willing
> to disclose?
>
> Or, am I just being too paranoid and the amount of data that was leaked
> should not be a cause for concern?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080503/18ee8e33/attachment.html

From sromanos at andrew.cmu.edu Sat May 3 23:48:39 2008
From: sromanos at andrew.cmu.edu (Sasha Romanosky)
Date: Sat, 3 May 2008 19:48:39 -0400
Subject: [Dataloss] Reporting Dataloss
In-Reply-To: <7ad3c8b50805031617u74cb692ey2797aa52dd43920a@mail.gmail.com>
Message-ID: <003e01c8ad78$36245290$6601a8c0@sribm>

By my records, and that of the state legislator website, Kentucky does not have a breach law: http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm (as of May 1, 2008).

That being said, Chris Walsh's suggestions seem reasonable.

cheers,
sasha

________________________________
From: Aaron Allen [mailto:aaron at trifault.net]
Sent: Saturday, May 03, 2008 7:18 PM
To: Sasha Romanosky
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Reporting Dataloss

It was indeed the FTC and not the FCC. Too many TLAs in the government, sorry about that :)

The state is KY. The superintendent of the school is aware of the issue, and to be fair, it was actually the vendor that leaked the information (now, whether or not the vendor should have had the information is another question entirely). I believe the vendor (and thus the location of the breach) was in MD, which complicates things a little more.

The data was available in "sample reports" that were publicly available on the vendor's website (easily googled). They were certainly not hidden or obscured in any way whatsoever.

From hbrown at knology.net Sun May 4 00:10:22 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 03 May 2008 19:10:22 -0500
Subject: [Dataloss] Brownsville TX clinic posts medical data on line for 2 years
Message-ID: <481CFEEE.8060407@knology.net>

http://www.themonitor.com/articles/brownsville_11572___article.html/posts_accidently.html

BROWNSVILLE -- All it took was a quick Internet search to yield private medical information on more than two dozen Rio Grande Valley children.
Until Thursday, the Web site of a children's rehabilitation clinic here had a link to spreadsheets containing the full names, phone numbers and insurance status of about 25 patients. The information was in a backup folder linked to the Web site, not on the site's main page. But a link to the data pops up in a Google search.

An employee at a federal health agency discovered the information during a routine Internet search, and tried to alert the clinic, as well as a reporter. Posting medical information online, unless patients have consented, is likely a violation of federal privacy protections in the Health Insurance Portability and Accountability Act of 1996, according to experts.

[...]

The clinic, New Beginnings Children's Therapy, removed the spreadsheets from its Web server Thursday. Office manager Claudia Flores said she didn't realize the information was posted to the site or accessible to the public. The clinic had hired a company to back up some of its files back in 2005, Flores said. "We need to fix that - we don't want to violate any (laws)," Flores said Thursday. According to a time stamp on the site, the data was posted in December 2005, meaning the data might have been accessible for more than two years.

[...]

From hbrown at knology.net Sun May 4 00:26:54 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 03 May 2008 19:26:54 -0500
Subject: [Dataloss] dumpster diving in Edinburg Tx
Message-ID: <481D02CE.1020204@knology.net>

http://www.newschannel5.tv/2008/4/30/990568/Cornerstone-Identification-Problems

NEWSCHANNEL 5 investigation uncovers a breach in document security at a Valley fitness club

MCALLEN - This story came to our attention after NEWSCHANNEL 5's Lisa Cortez received a phone call from a complete stranger on her cell phone. He had Lisa's contract from Cornerstone Fitness. He knew not only her phone number, but also her address, employer, and a copy of a check used to pay her account. He also had about 30 other contracts.
That person is Sammy Zumwalt. He agreed to meet with NEWSCHANNEL 5. "It has everything you would want to know about them. I think those people deserve to know about it, " said Zumwalt. All contracts list names, addresses and phone numbers. Some of them list social security numbers and have copies of checks and credit cards. Zumwalt says his friend found a filing cabinet in a dumpster behind the former Cornerstone Fitness Center for Women in Edinburg. The center shut down several months ago. He says around the time the center closed, his friend took the filing cabinet from the dumpster, cleared it out and gave Zumwalt the trash inside. Zumwalt explains why he took the trash. "He actually asked me to dispose of them because he lives out in the country and he's not able to throw them the same way we would." The paperwork was in Zumwalt's room for several weeks. Recently, he decided to go through the stack of papers and came across the sensitive information. Zumwalt turned the contracts over to NEWSCHANNEL 5. NEWSCHANNEL 5 sorted through the contracts and contacted several members from the pile. "I mean, I don't even know how to explain how I feel, because I am so in shock," said one woman after we read her social security number. [...] 
From macwheel99 at wowway.com Sun May 4 00:51:52 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Sat, 03 May 2008 19:51:52 -0500
Subject: [Dataloss] Reporting Dataloss
In-Reply-To: <7ad3c8b50805031617u74cb692ey2797aa52dd43920a@mail.gmail.com>
References: <7ad3c8b50805030911q582d74b1h95265eb86b4c0756@mail.gmail.com> <002701c8ad6e$3f6ac9b0$6601a8c0@sribm> <7ad3c8b50805031617u74cb692ey2797aa52dd43920a@mail.gmail.com>
Message-ID: <6.2.1.2.1.20080503194719.0295c5d0@pop3.mail.wowway.com>

For most of the laws, it matters not where the data was located (MD), it matters where the people are located whose identities were put at risk (KY), but as a practical matter, if the vendor was outside the USA, it would be more difficult to get legal action. If it is a crime in one nation, but not a crime in another nation, then extradition, enforcement, etc, can be impractical.

It also matters what kind of entity was responsible for safeguarding the data. Most of the laws are directed against private corporations, not against government agencies, non-profits, private persons.

According to this site http://www.pirg.org/consumer/credit/statelaws.htm in Kentucky, you have to wait until you have been victimized by ID theft, then you get some help after the fact. http://www.lrc.ky.gov/record/06RS/HB54.htm but it only applies to certain kinds of ID theft, such as credit fraud. Similarly, the people protected are customers, or credit consumers, not students. Exempting financial institutions kind of defeats the purpose of the Kentucky law.

In fact, nationwide, children in school are not considered to have the kinds of constitutional rights that adult citizens enjoy.

>The state is KY.
>
>I believe the vendor (and thus the location of the breach) was in MD,
>which complicates things a little more.
From rchicker at etiolated.org Mon May 5 13:45:30 2008
From: rchicker at etiolated.org (rchick)
Date: Mon, 5 May 2008 09:45:30 -0400
Subject: [Dataloss] Hospitals in Hong Kong lose data on 3,000 patients in thefts
Message-ID:

http://www.monstersandcritics.com/news/health/news/article_1403455.php/Hospitals_in_Hong_Kong_lose_data_on_3000_patients_in_thefts

Health News
May 5, 2008, 10:23 GM

Hong Kong - Data on more than 3,000 patients in Hong Kong public hospitals has been lost through the theft of computer memory sticks, officials said Monday. Nine memory sticks have been stolen from five hospitals across the city of 6.9 million in the past year, the hospital authority's chief executive Shane Solomon said.

A task force headed by former privacy commissioner Stephen Lau has been set up to investigate the incidents and find ways of avoiding repeat occurrences, Solomon announced. The revelation came weeks after the hospital authority admitted medical data on almost 700 Hong Kong youngsters with developmental problems had been lost on a stolen memory stick.

[..]

From hbrown at knology.net Tue May 6 11:26:29 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 06 May 2008 06:26:29 -0500
Subject: [Dataloss] data thieves in Tx
Message-ID: <48204065.3030904@knology.net>

a "Press release" by a commercial company who provides identity theft solutions...

http://www.identitytheft911.com/company/press/release.ext?sp=10467

Identity Theft 911 released a new report today that finds this problem is reaching epidemic levels in many areas of Texas, which ranks 2nd in the nation for identity theft complaints, according to the most recent Federal Trade Commission statistics. The investigation also determined that employment-related identity theft, especially when connected to illegal immigration, is the largest single use of stolen identities in the state.

The findings include:

- Approximately 880,400 Texans became victims of identity theft in 2007. This is roughly equivalent to every citizen in Austin, Edinburg and Midland having their identities stolen in a single year
- In several South Texas cities, the rate of identity theft victimization is more than twice the national average
- Identity theft cost Texas victims an estimated $435.7 million in 2007
- Texas residents spent a total of 3.5 million hours resolving identity theft issues

"Each year millions of consumers fall victim to different forms of this devastating crime and this report highlights new hot spots and potential reasons for the high numbers in Texas," said Steve Christenson, President of Identity Theft 911. The report also highlights the leadership role Texans have played in trying to fight identity theft.

From hbrown at knology.net Tue May 6 15:59:31 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 06 May 2008 10:59:31 -0500
Subject: [Dataloss] Hacker server found containing thousands of sensitive business, healthcare files
Message-ID: <48208063.20307@knology.net>

From SearchSecurity.com
http://tinyurl.com/6mo3yo

Hacker server contains thousands of sensitive business, healthcare files
By Robert Westervelt, News Editor
06 May 2008 | SearchSecurity.com

Researchers at security vendor Finjan uncovered a server containing the sensitive email and Web-based data of thousands of people, including healthcare information, credit card numbers and business personnel documents and other sensitive data.

The server contained over 1.4GB of both email and web-based data. In all, the data consisted of more than 5,388 unique log files traced back to 5,878 distinct IP addresses. Finjan said the server was a drop site for the AdPack exploit toolkit. The hacker controlling the server did not encrypt the data and failed to protect the server from being accessed.

[...]

Ben-Itzhak said since the initial discovery, three other servers have been discovered with unprotected sensitive data.
"This indicates that the person running it is interested in the data and the money, but probably has no clue about how to secure the server and how to protect the data from others to access it," he said.

Finjan notified more than 40 major international financial institutions located in the United States, Europe and India whose customers were compromised as well as various law enforcements around the world.

Ben-Itzhak said the server logs contained a mountain of healthcare information, including personal data, health data, treatment, medications, insurance details, Social Security Numbers, and healthcare providers' data, including physician's name. Due to the fact that the data was HIPAA related, Finjan informed the FBI of the discovery.

[...]

Other data contained personnel files and business files marked confidential. One message revealed details about an upcoming court case, while a few others contained business financial data such as invoice information. Banking data, including credit card numbers and account login numbers were also discovered on the server, Ben-Itzhak said.

[...]

From hbrown at knology.net Tue May 6 19:08:25 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 06 May 2008 14:08:25 -0500
Subject: [Dataloss] 1000 customers of Atlanta Ga Visa Service have had identity sold]
Message-ID: <4820ACA9.20700@knology.net>

Sorry bout the formatting error.... Fastest mouse in the south

http://wsbradio.com/news/050608visascam3a.html

Atlanta Visa Service Scam
6 May 2008

(WSB Radio) -- The FBI is in the process of notifying as many as 1,000 customers of a metro Atlanta visa service that they may have been the victims of identity theft. An employee of International Visa Service in Sandy Springs has been arrested and charged with stealing the personal information of people who were applying for a passport. Warren Fowler is accused of sending the information to his brother in Miami, who sold the identities on the black market for up to $7,500 each.
Alvin Fowler is also in federal custody. The owner of International Visa Service says she is personally devastated by the betrayal of a longtime employee.

6 May 2008

From lyger at attrition.org Tue May 6 23:27:58 2008
From: lyger at attrition.org (lyger)
Date: Tue, 6 May 2008 23:27:58 +0000 (UTC)
Subject: [Dataloss] CT: Personal information compromised by security company
Message-ID:

http://www.wtnh.com/Global/story.asp?S=8279795

News Channel 8 found Social Security numbers, bank account numbers and even canceled checks inside a dumpster in West Haven. Ron Scaramozza says his family gave information to a company that installed an alarm system at his Hamden home. His wife's Social Security number and details of their new security system are among the dozen or so files found inside the dumpster.

[.]

The files appear to belong to Northeast Security, a subcontractor for Safe Home Security, based out of Rocky Hill. Northeast Security recently moved out of a West Haven storefront, and it seems they left their clients' personal information behind.

[...]

From lyger at attrition.org Tue May 6 23:39:48 2008
From: lyger at attrition.org (lyger)
Date: Tue, 6 May 2008 23:39:48 +0000 (UTC)
Subject: [Dataloss] OH: Personal information accidentally e-mailed by OSU-Wooster
Message-ID:

http://www.columbusdispatch.com/live/content/local_news/stories/2008/05/06/wooster.html?sid=101

Personal information on 192 faculty and staff members of Ohio State University Agricultural Technical Institute accidentally was e-mailed to about 680 students. The April 29 e-mail contained spreadsheet information listing the names, positions, salaries and Social Security numbers on OSU-Wooster employees during 2001-02 and 2003-04. An employee sending an e-mail to students did not realize the spreadsheet information had been attached, said spokeswoman Frances Whited.

[...]
From lyger at attrition.org Wed May 7 11:45:47 2008
From: lyger at attrition.org (lyger)
Date: Wed, 7 May 2008 11:45:47 +0000 (UTC)
Subject: [Dataloss] NJ: Bank cannot find six backup tapes
Message-ID:

http://www.signonsandiego.com/news/business/20080507-9999-1b7saic.html

More than 1,300 SAIC stockholders are at risk of identity theft after a box of magnetic backup tapes went missing in New Jersey earlier this year. The tapes owned by Bank of New York Mellon, which acts as stock transfer agent for SAIC, contained names, addresses, Social Security numbers, stock account information, transaction activity and possibly bank account numbers for 1,376 current or former shareholders, said the San Diego company also known as Science Applications International Corp.

Mellon said yesterday that it has no evidence that the information has been misused. The bank said the tapes have not been found more than two months after they were lost.

[...]

From rchicker at etiolated.org Wed May 7 19:49:39 2008
From: rchicker at etiolated.org (rchick)
Date: Wed, 7 May 2008 15:49:39 -0400
Subject: [Dataloss] Bank loses server - 159,000 accounts lost
Message-ID:

http://www.thestandard.com.hk/news_detail.asp?pp_cat=12&art_id=65593&sid=18831850&con_type=3

Thursday, May 08, 2008

The loss of a computer server from a Kwun Tong branch of Hongkong and Shanghai Banking Corporation could lead to the leakage of private data of 159,000 customers. The bank released a statement last night confirming one of its computer servers went missing on April 26 from the Kwun Tong branch, which has been undergoing renovation. The server held transaction data on approximately 159,000 accounts.

The data held on the server include the name, account number and transactions of customers but does not contain any customer PINs, passwords or user IDs, according to the statement.
The bank emphasized the risk of data leakage and fraudulent transactions is deemed to be low as the server is protected by multiple layers of security which are regularly reviewed.

[..]

From hbrown at knology.net Thu May 8 12:04:24 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 08 May 2008 07:04:24 -0500
Subject: [Dataloss] Hospitals in Hong Kong lose data on 3,000 patients in thefts
In-Reply-To:
References:
Message-ID: <4822EC48.8010201@knology.net>

Follow up with additional records lost...

From the Hong Kong Standard http://www.thestandard.com.hk/
http://tinyurl.com/5un6rd

The Privacy Commission for Personal Data is using its statutory powers for the first time to investigate the Hospital Authority and Department of Health following the loss of yet another USB memory stick containing patients' data. The Prince of Wales Hospital in Sha Tin yesterday revealed that the personal data of 10,000 patients had been lost, bringing the total number of patients whose information has been lost or stolen to 16,000.

A Prince of Wales laboratory analyst was behind the latest loss after he left a memory stick in a taxi on May 1. So far, up to 10 memory sticks containing patients' information have been lost or stolen.

[...]
Subject: [Dataloss] Hospitals in Hong Kong lose data on 3,000 patients in thefts
From: rchick
To: dataloss at attrition.org
Date: 5/5/2008 8:45 AM

> http://www.monstersandcritics.com/news/health/news/article_1403455.php/Hospitals_in_Hong_Kong_lose_data_on_3000_patients_in_thefts
>
> Health News
> May 5, 2008, 10:23 GM
>
> Hong Kong - Data on more than 3,000 patients in Hong Kong public
> hospitals has been lost through the theft of computer memory sticks,

From rchicker at etiolated.org Fri May 9 01:07:54 2008
From: rchicker at etiolated.org (rchick)
Date: Thu, 8 May 2008 21:07:54 -0400
Subject: [Dataloss] Dominican University warning students of breach
Message-ID:

May 8, 2008
http://www.nbc5.com/news/16205384/detail.html

CHICAGO -- Some Dominican University students and alumni were notified this week of a breach in security that could have put their personal information at risk. The university said two students were able to access records on a staff network storage area in April. The files were three spreadsheets from 2003, 2005 and 2007. The data included the names, addresses, phone numbers, birthdays and Social Security numbers of more than 5,000 students, NBC5's Charlie Wojciechowski reported.

Those students were notified by a letter advising them that at this time, the school has no reason to believe their information has been misused. One former student -- whose name NBC5 is not using because his information has been compromised -- is still concerned. "I was a little upset. I was nervous. I didn't know what to do. I knew that our family's been affected by this before, so I wanted to react right away," the student said.

Dominican University released a statement on the issue but declined an invitation to speak with NBC5 on camera. The statement read: "Dominican University takes information security very seriously.
In April, we discovered that two student workers had accessed Excel files containing limited student data by misusing passwords related to their work-study employment. We notified all affected parties in writing, set up a toll-free hotline, and have worked closely with both the local police and states attorney's offices.

[...]

From rchicker at etiolated.org Fri May 9 02:07:49 2008
From: rchicker at etiolated.org (rchick)
Date: Thu, 8 May 2008 22:07:49 -0400
Subject: [Dataloss] Las Cruces Schools Data Exposed on Web
Message-ID:

http://www.redorbit.com/news/technology/1376607/las_cruces_schools_data_exposed_on_web/

LAS CRUCES -- A part-time computer analyst for Las Cruces Public Schools inadvertently posted personal data for 50 special education students and 1,750 district employees on the Internet, district officials said Wednesday. LCPS Superintendent Stan Rounds declined to specify what kind of information was moved from a secure, encrypted database to the Internet, or to identify the Web site it was unintentionally moved to. But he said the information could be used in identity theft.

"Our school district goes to great lengths to maintain the confidentiality of student and staff records," Rounds said during a news conference. "This appears to be an isolated incident that was caused by human error.

"Nonetheless, I am very concerned there was a breach of confidentiality," he said.

The personal data was posted to an unsecured Web site on April 29. The error was discovered Monday, and Rounds immediately ordered the data removed from two Internet sites where it was found.

[...]

From jericho at attrition.org Fri May 9 15:34:19 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 9 May 2008 15:34:19 +0000 (UTC)
Subject: [Dataloss] What is your stolen data worth?
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.news.com/8301-10784_3-9939862-7.html

By Elinor Mills
News Blog
News.com
May 8, 2008

You think your personal information is priceless. But everything has a price, even your stolen bank account information. McAfee Avert Labs has discovered a price list that criminals use to buy and sell credit card numbers, bank account log-ins, and other consumer data that have been filched from unsuspecting Web surfers.

"Last Friday morning in France, my investigations lead me to visit a site proposing top-quality data for a higher price than usual," writes Francois Paget of McAfee. "But when we look at this data we understand that as everywhere, you have to pay for quality."

For example, a Washington Mutual Bank account in the U.S. with an available balance of $14,400 is priced at 600 euros ($924), while a Citibank UK account with an available balance of 10,044 pounds is priced at 850 euros ($1,310).

[..]

From lyger at attrition.org Fri May 9 17:05:30 2008
From: lyger at attrition.org (lyger)
Date: Fri, 9 May 2008 17:05:30 +0000 (UTC)
Subject: [Dataloss] NJ: Tower Club leaks alumni members' social security numbers
Message-ID:

http://www.dailyprincetonian.com/2008/05/09/21173/

Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning. The document was attached to an apparently unrelated e-mail that informed current members about a club event. The spreadsheet was attached unintentionally because of "a technical glitch," Tower graduate board chair Greg Berzolla '87 said in an interview. The e-mail was sent by Tower officers from the tower at princeton.edu account to the roughly 200 current club members.

[...]
From lyger at attrition.org Sat May 10 02:00:01 2008
From: lyger at attrition.org (lyger)
Date: Sat, 10 May 2008 02:00:01 +0000 (UTC)
Subject: [Dataloss] (follow-up) Two men linked to Lunardi's identity theft arrested in So. Cal, make bail
Message-ID:

http://origin.mercurynews.com/breakingnews/ci_9208178?nclick_check=1

Police say two men arrested Thursday in Southern California are connected to last month's massive identity theft scam at the Lunardi's Supermarket in Los Gatos. Just how deeply they are involved remains a mystery. The men were in possession of two of the 222 stolen bank account numbers from Lunardi's and $70,000 in cash when they were arrested by Orange County Sheriff's Deputies. But the two men made bail before Los Gatos-Monte Sereno police found out about the arrest.

[...]

From lyger at attrition.org Sat May 10 15:25:20 2008
From: lyger at attrition.org (lyger)
Date: Sat, 10 May 2008 15:25:20 +0000 (UTC)
Subject: [Dataloss] Park National vendor loses laptop with employees' personal info
Message-ID:

http://www.bizjournals.com/columbus/stories/2008/05/12/tidbits1.html

About 2,000 past and present employees of Park National Corp. are keeping their fingers crossed that they don't become identity theft victims after their pension administrator lost a laptop computer containing their personal information. Aon Consulting Inc., which provides administration services for Newark-based Park's pension plan, lost the laptop in March. The bank has received no reports that data on the computer has been accessed and used by thieves, said Park spokeswoman Bethany White.

[...]
From sromanos at andrew.cmu.edu Sat May 10 18:07:36 2008
From: sromanos at andrew.cmu.edu (Sasha Romanosky)
Date: Sat, 10 May 2008 14:07:36 -0400
Subject: [Dataloss] Research paper on data breaches and identity theft
Message-ID: <000d01c8b2c8$bba97f30$6601a8c0@sribm>

Greetings,

I'd like to share a research paper that attempts to estimate the effect of data breach disclosure laws on identity theft. I'll be presenting it at this year's workshop on the economics of information security (http://weis2008.econinfosec.org). This is somewhat work in progress as we will be augmenting it with more data and additional analysis. However, I thought the group might be interested in what we've discovered so far.

Title: Do Data Breach Disclosure Laws Reduce Identity Theft?
http://weis2008.econinfosec.org/papers/Romanosky.pdf

Abstract: Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured. We use panel data from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistical evidence that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law's maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult.
However, we appreciate that these laws may have other benefits such as reducing a victim's average losses and improving a firm's security and operational practices.

cheers,
sasha romanosky
http://www.romanosky.net

From lyger at attrition.org Sun May 11 04:22:27 2008
From: lyger at attrition.org (lyger)
Date: Sun, 11 May 2008 04:22:27 +0000 (UTC)
Subject: [Dataloss] IE: Financial watchdog's laptop computer stolen from hotel
Message-ID:

(So let me get this straight... the laptop was stolen about three years ago, there was no sensitive data on it, and this is news... it doesn't help that I'm watching SNL's Weekend Update at the moment. O_o )

http://www.independent.ie/business/irish/financial-watchdogs-laptop-computer-stolen-from-hotel-1372336.html

A LAPTOP computer owned by the Financial Regulator was stolen from a hotel room in Cork about three years ago, the Sunday Independent has learned. The theft of the laptop, which was not encrypted, was reported to the gardai at the time. Although the Financial Regulator said no confidential information was on the laptop, only some of the watchdog's laptops are currently encrypted.

Encryption protects information on laptops by disguising data so only authorised individuals can read it. Most of the banks overseen by the Regulator encrypt their laptops. AIB has encrypted its laptops since 1993.

A spokeswoman for the Regulator said the laptop was "one of a number of items stolen from rooms in the same hotel at that time". "It is our policy not to store confidential data on the hard drives of laptops," said a spokeswoman for the Regulator. The stolen laptop did not contain any information, she added, because data used on the laptop was held on a separate computer disc. "There were no discs in the laptop, nor were any discs stolen," said the spokeswoman.

[...]
From lyger at attrition.org Sun May 11 21:11:08 2008
From: lyger at attrition.org (lyger)
Date: Sun, 11 May 2008 21:11:08 +0000 (UTC)
Subject: [Dataloss] CL: Hacker gets into Chilean government files, leaks personal data to Internet
Message-ID:

http://www.pr-inside.com/hacker-gets-into-chilean-government-files-r583004.htm

A hacker who identified himself as Anonymous Coward stole personal data of 6 million Chileans, reportedly including a daughter of the president, and posted it briefly on the Internet, authorities said Sunday. "This is a serious and delicate issue," said presidential spokesman Francisco Vidal. Police Chief Jaime Jara confirmed that authorities were investigating the theft of the leaked data, which he said included identity card numbers, addresses, telephone numbers, e-mails and academic background.

[...]

From hbrown at knology.net Sun May 11 23:59:04 2008
From: hbrown at knology.net (Henry Brown)
Date: Sun, 11 May 2008 18:59:04 -0500
Subject: [Dataloss] Staten Island University Hospital 88,000 patient information stolen
Message-ID: <48278848.5010804@knology.net>

http://www.silive.com/news/index.ssf/2008/05/hospital_admits_error_in_handl.html

Hospital admits error in handling I.D. theft
By Glenn Nyback
Sunday May 11, 2008, 5:15 PM

STATEN ISLAND, N.Y. -- As tens of thousands of Staten Island University Hospital patients seethe over the decision by hospital administrators to wait four months before informing them that a computer containing their personal information was stolen, SIUH's chief executive conceded officials could have handled the situation differently. The hospital only 10 days ago began informing 88,000 patients whose names, Social Security and health insurance numbers were included on a password-protected desktop computer stolen from the hospital's Rosebank billing office in December.

"In taking a look at this, could it have been done sooner?
I believe perhaps it could have been done sooner," said Anthony Ferreri, SIUH president and CEO. He explained that the hospital decided that before notifying people, it chose to complete an eight-to-nine-week process to identify a credit-monitoring program for all 88,000 patients with the national credit-reporting agency Equifax. [...] Most patients affected included those who were treated at the hospital in 2007, but 29 people, treated between 2001 and 2006 who have outstanding billing accounts, are also in that database, according to hospital spokesman John Demoleas, who added that all the letters had been mailed out by May 1. From MKEVHILL at aol.com Mon May 12 01:34:12 2008 From: MKEVHILL at aol.com (MKEVHILL at aol.com) Date: Sun, 11 May 2008 21:34:12 EDT Subject: [Dataloss] Staten Island University Hospital 88, 000 patient information ... Message-ID: Here we go again. Doling out credit monitoring when there's the real possibility of Staten Island Univ patients becoming medical identity theft victims. Again, I ask what is it about someone using your medical information that would ever make a company think that it would be detected by credit monitoring? Is it just about PR or are they really trying to help these potential victims? Michael Hill Certified Identity Theft Risk Management Specialist 404-216-3751 From jericho at attrition.org Mon May 12 09:31:05 2008 From: jericho at attrition.org (security curmudgeon) Date: Mon, 12 May 2008 09:31:05 +0000 (UTC) Subject: [Dataloss] fringe: Classified Hong Kong "watch-list" leaked on internet Message-ID: [The term "travel document information" is vague. 
If this meant passport information, this would qualify for inclusion in DLDOS for example. - jericho] ---------- Forwarded message ---------- From: InfoSec News http://www.topnews.in/classified-hong-kong-watch-list-leaked-internet-240641 By Sahil Nagpal TopNews.in May 9th, 2008 Hong Kong - A government investigation was underway Friday after it was revealed that confidential files from the Immigration Department had been mistakenly leaked on to the internet. The list, which contained a list of the names of people for officers to watch, plus travel document information and travel records, has been available on the internet since Monday through a file-sharing programme called "Foxy." The blunder occurred after a newly-recruited immigration officer working at the Lok Ma Chau border point took home some old classified files to study without authorisation. [..] Earlier this week, banking giant HSBC was forced to apologise to customers after it admitted it had lost the data of 159,000 accounts from a Hong Kong branch. The data was held on an internet server which is understood to have gone missing in April from the Kwun Tong branch of the bank while it was undergoing renovation last month. [..] In one case, a USB flashdrive containing the files of 10,000 patients from the Prince of Wales Hospital was lost after a hospital worker who was transferring the data left it in a taxi. [..] From lyger at attrition.org Mon May 12 17:43:52 2008 From: lyger at attrition.org (lyger) Date: Mon, 12 May 2008 17:43:52 +0000 (UTC) Subject: [Dataloss] Another Laptop Stolen from Pfizer, Employee Information Compromised Message-ID: http://www.theday.com/re.aspx?re=712c0410-ee9a-47a8-b08d-c7a71a713a5e About 13,000 employees at Pfizer Inc., including about 5,000 from Connecticut, had their personal information compromised when a company laptop and flash drive were stolen, the pharmaceutical giant confirmed today. 
The data breach, which occurred about a month ago, was the second this year affecting Pfizer Inc. employees and the sixth made public in a one-year span dating back to May 2007. More than 65,000 data-breach notifications have been sent out by Pfizer over the past year, including more than 10,000 to employees from Connecticut [...] From jericho at attrition.org Tue May 13 08:48:43 2008 From: jericho at attrition.org (security curmudgeon) Date: Tue, 13 May 2008 08:48:43 +0000 (UTC) Subject: [Dataloss] follow-up: TJX credit card heist suspect, 2 others, accused of new scam Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.theregister.co.uk/2008/05/13/trio_accused_in_carding_scam/ By Dan Goodin in San Francisco The Register 13th May 2008 Three men - one of them suspected of playing a role in the heist of 45.6 million credit cards from retailer TJX Companies - have been accused of hacking into cash register terminals belonging to a restaurant chain and installing software that sniffed credit card numbers. According to a 27-count indictment unsealed Monday, the scheme was carried out in part by Maksym Yastremskiy. In July, the Ukrainian was arrested in a Turkish resort town for allegedly selling large quantities of credit card numbers, many of which were siphoned out of TJX's rather porous network. He remains incarcerated in Turkey, where an application for extradition to the US is pending. Yastremskiy also went by the name Maksik. The indictment also names Aleksandr Suvorov, aka JonnyHell, of Estonia, and a separate complaint names Albert Gonzalez, who also went by the moniker Segvec. Together, they are accused of installing packet sniffers at 11 restaurants belonging to Dave & Buster's. The sniffers captured track 2 credit card data as it passed from the restaurants' point-of-sale terminals to servers at the chain's central headquarters. 
Suvorov was arrested in March by German officials while visiting that country, and an extradition request is also pending. Gonzalez was arrested this month by Secret Service agents in Miami. [..] From jericho at attrition.org Wed May 14 08:13:54 2008 From: jericho at attrition.org (security curmudgeon) Date: Wed, 14 May 2008 08:13:54 +0000 (UTC) Subject: [Dataloss] DWP sending sensitive data with passwords Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.computing.co.uk/computing/news/2216315/dwp-sending-sensitive-passwords By Tom Young Computing 09 May 2008 Government staff in the Department of Work and Pensions (DWP) have been sending out sensitive data in packages containing passwords that provide access to the information. An internal email to DWP staff outlining the poor security practices was leaked to influential political blog Dizzy Thinks. "Staff are... forwarding the data and password on together, which defeats the purpose of the security measure entirely," the email reads. After HM Revenue and Customs lost the details of 25 million families last year, civil servants were told all information sent between departments had to be password protected with passwords sent separately. [..] From lyger at attrition.org Wed May 14 11:33:39 2008 From: lyger at attrition.org (lyger) Date: Wed, 14 May 2008 11:33:39 +0000 (UTC) Subject: [Dataloss] CA: Customer data on stolen laptop Message-ID: http://calsun.canoe.ca/News/Alberta/2008/05/14/5560321-sun.html The theft of a laptop computer containing hundreds of clients' confidential information from a Calgary bank employee's vehicle has raised concerns for Alberta's privacy commissioner. In a letter sent yesterday to its customers, First Calgary Savings said a vehicle parked in a secured underground parkade was vandalized and the bank employee's laptop and cellphone stolen last month. 
A recipient of the letter, 14-year First Calgary client Doug Gablehaus, said he was "livid" to hear personal information would have been left in a vehicle. "It's unacceptable ... that's the way identity theft goes," said Gablehaus, adding he might now take his business elsewhere. [...] From lyger at attrition.org Wed May 14 22:36:51 2008 From: lyger at attrition.org (lyger) Date: Wed, 14 May 2008 22:36:51 +0000 (UTC) Subject: [Dataloss] OK: OSU admits computer security breach Message-ID: http://newsok.com/osu-admits-computer-security-breach/article/3243594/?tm=1210801442 A breach in an Oklahoma State University computer server exposed names, addresses and Social Security numbers of about 70,000 students, staff and faculty who bought parking and transit services permits in the past six years. OSU announced the breach and began notifying permit holders today, even though it was discovered in March. The server was shut down at that time and Social Security numbers removed from the site. [...] From jericho at attrition.org Thu May 15 08:59:23 2008 From: jericho at attrition.org (security curmudgeon) Date: Thu, 15 May 2008 08:59:23 +0000 (UTC) Subject: [Dataloss] Bank of Ireland investigates allegation of another stolen laptop Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.belfasttelegraph.co.uk/breaking-news/ireland/article3698276.ece Belfast Telegraph May 12, 2008 Bank of Ireland confirmed this evening it is investigating another allegation of a stolen laptop. It's understood the laptop was stolen in County Kildare in 2001, and contained details of several thousand life assurance customers. It's also understood that although the theft was reported to line management at the bank, customers were not informed. In a statement released this evening, Bank of Ireland said it would like to reassure customers that the risk level of any data from seven years ago being used for fraudulent purposes is extremely remote. 
From lyger at attrition.org Thu May 15 11:41:39 2008 From: lyger at attrition.org (lyger) Date: Thu, 15 May 2008 11:41:39 +0000 (UTC) Subject: [Dataloss] VA: Theft Of Laptop Imperils School Employees' Data Message-ID: http://www.rocktownweekly.com/news_details.php?AID=16845&CHID=1 A BB&T Insurance laptop containing the personnel information of some Harrisonburg City Schools employees was stolen May 1, according to company officials. The information came from employees enrolled in the system's dental plan, although the company does not know how many employees' information is on the computer. The laptop, used by an outside sales representative to develop an insurance proposal for the school system, was stolen from a car in Ohio. "It's a portion of the employees," said A.C. McGraw, BB&T's media relations manager, who added that several security methods are used for the laptops, including passwords. "The information contained names, dates of birth, Social Security numbers, and, in some cases, medical history." [...] From hbrown at knology.net Thu May 15 12:28:54 2008 From: hbrown at knology.net (Henry Brown) Date: Thu, 15 May 2008 07:28:54 -0500 Subject: [Dataloss] data breach at Dominican University IL Message-ID: <482C2C86.5020306@knology.net> http://www.pioneerlocal.com/riverforest/news/948729,RF-Security-051408-sl.article Dominican University was working to minimize any possible damage created by a computer security breach affecting an estimated 5,000 current and former students even before word got out that two students had broken into the secure files, school spokesman Jeff Kraft said last week. The incident occurred April 18 and those whose files may have been compromised were immediately informed in letters advising them that at this time, Dominican has no reason to suspect the data had been misused or that outside "hackers" were involved, Kraft said. 
That letter also advised those who may have been affected to contact any of the three credit reporting bureaus and place a fraud alert on their accounts. Kraft said the school first learned about the breach when one of the two students involved "came forward and admitted accessing those files." [...] From lyger at attrition.org Fri May 16 11:29:55 2008 From: lyger at attrition.org (lyger) Date: Fri, 16 May 2008 11:29:55 +0000 (UTC) Subject: [Dataloss] TX: Spring students' info at risk after laptop theft Message-ID: http://www.khou.com/news/local/stories/khou080515_tj_laptoptheft.1057713ee.html A laptop computer containing the personal information of about 8,000 students was stolen this week from a Spring ISD employee's car. In a letter sent to parents on Thursday, Spring ISD said a testing coordinator's car was broken into when she made a quick stop on her way home from work. The car burglars made off with her school laptop and an external flash drive. The flash drive contains students' social security numbers, personal information, schools those students attend, as well as their grade level and birthdates. The drive also contained the Texas Assessment of Knowledge and Skills test results. [...] From rchicker at etiolated.org Fri May 16 13:40:16 2008 From: rchicker at etiolated.org (rchick) Date: Fri, 16 May 2008 09:40:16 -0400 Subject: [Dataloss] Dumpster Full Of Amateur Athletes' Records Message-ID: http://www.wftv.com/news/16288839/detail.html May 16, 2008 LAKE BUENA VISTA, Fla. -- A tip from a Channel 9 viewer led to a dumpster that was filled with boxes of personal information from a national youth sports organization called the Amateur Athletic Union. The boxes were dumped off South Orange Blossom Trail near SR-417. The man who found the boxes said he was at Public Storage putting some things in his unit when he noticed a dumpster overflowing with paperwork. There was hardly any room left to put anything else in the large trash container. 
He took a closer look and found information on athletes and their guardians, everything from social security numbers to copies of birth certificates. The documents found indicate they're all old records from a non-profit group based in Lake Buena Vista called the Amateur Athletic Union, otherwise known as the AAU. According to its website, the AAU claims to be one of the largest non-profit volunteer organizations in the United States dedicated to the promotion and development of amateur sports. [..] From hbrown at knology.net Fri May 16 21:39:24 2008 From: hbrown at knology.net (Henry Brown) Date: Fri, 16 May 2008 16:39:24 -0500 Subject: [Dataloss] Las Cruces NM Public Schools posts privacy information on line Message-ID: <482DFF0C.7010900@knology.net> http://www.lcsun-news.com/news/ci_9263304 Las Cruces Public Schools probe of data leak continues LAS CRUCES -- Las Cruces Public Schools officials continue to investigate the accidental public posting online of student and employee information from a special education database. All LCPS staff members and affected students have been offered free fraud protection for one year, which could cost hundreds of thousands of dollars. One local mother, who didn't want her name used because she said her family's privacy had already been violated, said she was considering litigation in response to what she called a "ridiculously inadequate" response from the schools. The mother said her daughter's Social Security number, date of birth, her name, the nature of her disability and her caseworker's name were posted online. [...] Some former employees are thought to be among the 1,750 staff members whose information was uploaded to an unsecured Web site for a week. Current employees were notified of the breach last week and any staff member whose information was leaked was to have received notification by certified mail by Wednesday, Galván said. [...] 
From lyger at attrition.org Sat May 17 11:44:19 2008 From: lyger at attrition.org (lyger) Date: Sat, 17 May 2008 11:44:19 +0000 (UTC) Subject: [Dataloss] Pa. Student Accused Of 'Hacking' School System Message-ID: http://cbs3.com/topstories/data.theft.computer.2.725949.html Authorities are investigating the theft of personal information from a computer in a Chester County school district. Downingtown Area School District officials said that a 15-year-old student gained access to files on a computer at Downingtown West High School on May 9. Numerous files containing the personal information of 70 staff members and several thousand tax payers were apparently copied and distributed to other students. The files apparently contained salary information and social security numbers. [...] From lyger at attrition.org Sat May 17 18:08:31 2008 From: lyger at attrition.org (lyger) Date: Sat, 17 May 2008 18:08:31 +0000 (UTC) Subject: [Dataloss] AL: Patient Information "Disappears" from Montgomery Psychiatric Hospital Message-ID: http://www.wsfa.com/Global/story.asp?S=8339331&nav=0RdDAp3y It's a place where patients hope for a high standard of care and, above all, privacy. Now, Montgomery's Greil Hospital has an information leak on its hands. "Several months ago we noticed something irregular in some patient records," explained Dr. John Ziegler of the Alabama Department of Mental Health and Mental Retardation. Department staffers say index cards containing personal information--names, dates of birth, even Social Security numbers--are gone. [...] 
From mhill at idtexperts.com Sat May 17 19:49:37 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Sat, 17 May 2008 15:49:37 -0400 Subject: [Dataloss] KY: Employee data breached at U of L president's office Message-ID: <15B4391A8D9C4C999473D04A9F6DDB55@mkevhillpc> http://www.courier-journal.com/apps/pbcs.dll/article?AID=/20080516/NEWS01/80516030/1008 Employee data breached at U of L president's office The University of Louisville recently sent letters to about 20 employees in the president's office alerting them that a security breach may have resulted in their Social Security numbers being compromised. Spokesman John Drees said the university reported the incident, which involved documents being copied and taken from a private office in the president's office, to its Internal Audit Office and Department of Public Safety. An investigation is ongoing, he said. The documents contained personal information - including Social Security numbers, student and employee identification numbers and salary information - for current and recent student employees. The university learned of the theft when salary information was shared anonymously with some employees in the office. The letters were sent out April 30, and it recommended employees have a fraud alert placed on their accounts. The employees also were advised to monitor their mail and existing accounts for odd activity. Drees said no employees have reported any suspicious activity as of this morning. Reporter Nancy Rodriguez can be reached at (502) 582-7079. Michael Hill Certified Identity Theft Risk Management Specialist 404-216-3751 
From csullo at gmail.com Mon May 19 03:01:43 2008 From: csullo at gmail.com (Sullo) Date: Sun, 18 May 2008 23:01:43 -0400 Subject: [Dataloss] LifeLock's CEO identity stolen at least once Message-ID: http://www.wvgazette.com/News/200805172662 ... 'But according to a new class-action lawsuit filed last week in Jackson County, LifeLock's identity theft protection services were so inept that Davis' personal information was stolen repeatedly. "While LifeLock has only publicly acknowledged that Davis' identity was compromised on one occasion, there are more than 20 driver's licenses that have been fraudulently obtained [using his personal information]," the suit states.' ... -- http://www.cirt.net | http://www.osvdb.org/ From jericho at attrition.org Mon May 19 09:51:44 2008 From: jericho at attrition.org (security curmudgeon) Date: Mon, 19 May 2008 09:51:44 +0000 (UTC) Subject: [Dataloss] Preparation Key to Managing Data Breaches Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.eweek.com/c/a/Security/Preparation-Key-to-Managing-Data-Breaches/ By Darryl K. Taft eWEEK.com 2008-05-14 BALTIMORE - In this era of Internet connectivity, businesses must prepare for what is becoming the almost-inevitable data breach, according to a pair of chief privacy officers for major financial institutions. At the IntrusionWorld Conference and Expo co-located with the Web Services Security & SOA Conference here May 13, Joel Tietz, chief privacy officer at AXA Financial, and Michael Drobac, chief privacy officer at Merrill Lynch, discussed the increasing risk and costs of data breaches and how enterprises can better prevent and manage them. 
Drobac exhorted every organization to have a plan in place for data breaches. "Failing to plan is planning to fail," he said, noting that data breaches have become almost inevitable in the connected era. Drobac provided his own top 10 list of ways to prevent and manage a data breach that could cost an organization time, money, productivity and reputation. [..] From tkoonce2000 at yahoo.com Mon May 19 22:35:56 2008 From: tkoonce2000 at yahoo.com (Todd Koonce) Date: Mon, 19 May 2008 15:35:56 -0700 (PDT) Subject: [Dataloss] LifeLock's CEO identity stolen at least once In-Reply-To: Message-ID: <750055.25079.qm@web82103.mail.mud.yahoo.com> I knew that it would be only a matter of time before Todd Davis had his identity stolen/compromised. It has obviously turned out that Mr Davis does not realize the total scope of Identity Theft, as there have been at least 20 driver's license(s) created using HIS personal information - his driving record has to be getting worse now. This article also caught my eye as it brought to light the shortcoming of LifeLock, in that it does not cover Medical Identity Theft, nor ID Theft resulting from banking information, employment or government documents... in addition to those types of ID Theft, LifeLock does not protect against Driver's License nor Criminal ID Theft. Oh... and there is no restoration service offered. Conclusion... individuals better make sure that they give some thought to joining (or staying with) LifeLock. LifeLock obviously does not lock the doors of the DMV(s) when someone gets a license using one of its clients' information to obtain a driver's license - at least it did not do that for its founder. And now individuals are fortunately realizing that LifeLock does not 'Lock Up' your government or employment records - a big source for individuals leaving jobs, who want to retaliate against a former employer/employee. 
Better make sure more than just your credit report is being monitored; and know for a fact that your record(s) will be restored by your monitoring agency. Todd K prepaidlegal.com/hub/todd93 http://www.wvgazette.com/News/200805172662 ... 'But according to a new class-action lawsuit filed last week in Jackson County, LifeLock's identity theft protection services were so inept that Davis' personal information was stolen repeatedly. "While LifeLock has only publicly acknowledged that Davis' identity was compromised on one occasion, there are more than 20 driver's licenses that have been fraudulently obtained [using his personal information]," the suit states.' ... -- http://www.cirt.net | http://www.osvdb.org/ _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml From rforno at infowarrior.org Tue May 20 00:06:32 2008 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 19 May 2008 20:06:32 -0400 Subject: [Dataloss] ID theft protection firm sued Message-ID: <99AB8DFE-5C6D-4FE2-B90D-5126DBEC49AA@infowarrior.org> ID theft protection firm sued LifeLock misinformed customers, lawsuit says http://www.wvgazette.com/News/200805172662 For a time, the ads were everywhere on TV and radio, the ones with the head of a security company brazenly challenging would-be thieves to try to steal his identity. 
By Andrew Clevenger Staff writer For a time, the ads were everywhere on TV and radio, the ones with the head of a security company brazenly challenging would-be thieves to try to steal his identity. Richard Todd Davis, CEO of LifeLock Inc., was so confident in his company's ability to protect his identity that he publicly revealed his Social Security number: 457-55-5462. But according to a new class-action lawsuit filed last week in Jackson County, LifeLock's identity theft protection services were so inept that Davis' personal information was stolen repeatedly. "While LifeLock has only publicly acknowledged that Davis' identity was compromised on one occasion, there are more than 20 driver's licenses that have been fraudulently obtained [using his personal information]," the suit states. "Furthermore, a simple background check performed using Davis' Social Security number reveals that his entire personal profile has been compromised to the extent that the birth date associated with his Social Security number is Nov. 2, 1940, which would [inaccurately] make Davis 67 years old." The lawsuit maintains that LifeLock, which claims on its Web site to be "the industry leader in the rapidly growing field of Identity Theft Protection," made false and misleading claims in its multimillion-dollar ad campaign about the level of protection it provides. "Through its advertisements, LifeLock misrepresents and assures consumers that it can protect against all types of fraud including, without limitation, computer hacking, password theft and other noncredit-related theft," the suit reads. But LifeLock doesn't protect against many forms of identity theft, according to the lawsuit. The Arizona-headquartered company does place and renew fraud alerts on its subscribers' credit profiles. But it does nothing to combat breaches involving personal bank, employment or medical information, as well as theft pertaining to government documents and benefits, the suit alleges. 
"LifeLock knows, yet fails to disclose, that the services it provides do not offer the breadth of protection that it promotes through its massive advertising campaign," the suit states. The West Virginia suit follows similar suits filed in New Jersey in March and Maryland in April. It asks the judge to certify it as a class-action suit. The lawsuit was filed on behalf of Kevin Gerhold of Falling Waters, and maintains that there are numerous other state residents who were similarly misled into signing up. Gerhold was attracted by LifeLock's $1 million guarantee against any damages resulting from breaches that occur under the company's watch. But even that is misleading, according to Charleston attorney David Grubb, who is serving as the suit's local counsel. "In actuality, once you get beyond the numerous legal limitations and disclaimers, the policy really only guarantees that LifeLock will investigate how to fix its failure," Grubb said in a news release. "The subscriber receives no monetary recompense and no guarantee that their reputation and credit status will be restored." According to the suit, the company has almost 1 million subscribers who pay roughly $110 a year for LifeLock's protection. "This is a service that you pay for and it kind of lays dormant," said David Paris, an attorney with the New Jersey firm Marks & Klein who is heading the case against LifeLock. "So no one knows that they're not getting what they paid for, because they don't know what to look for." Paris said that consumers can activate for free the same safeguards that LifeLock does, but the company fails to mention that in its marketing campaign. The suit alleges that LifeLock's services can actually harm its clients because the constant placement of fraud alerts can prevent them from getting a home loan or refinancing their existing loans. In addition, the company fails to reveal that it obtains its credit reports by requesting on its clients' behalf their free annual credit report. 
That means consumers can't ask for their own free report for at least 12 months, according to the suit. The suit also traces what it calls the "nefarious origin" of the company, including the background of Robert J. Maynard Jr., who co-founded the company with Davis in 2005. "Upon information and belief, Maynard developed the idea for LifeLock while sitting in a jail cell after having been arrested for failure to repay a $16,000 casino marker taken out at the Mirage Hotel in Las Vegas," the suit states. Maynard was sanctioned by the Federal Trade Commission because of misleading infomercials for National Credit Foundation, a separate credit-improvement company, according to the suit. The suit also maintains that Maynard stole his father's identity by using his information to get an American Express card, which he used to rack up more than $100,000 of debt. Paris said he plans to file another suit in a fourth state soon, and he is still gathering information about LifeLock's practices. "In Wisconsin, a woman's debit card was stolen, and that thief used that card to sign up for LifeLock," he said. "If you can't provide the basic information to verify someone for subscription purposes, how can you be relied upon to protect people's identities?" To contact staff writer Andrew Clevenger, use e-mail or call 348-1723. From lyger at attrition.org Tue May 20 16:36:16 2008 From: lyger at attrition.org (lyger) Date: Tue, 20 May 2008 16:36:16 +0000 (UTC) Subject: [Dataloss] FL: UF warns patients of security breach Message-ID: http://www.bizjournals.com/jacksonville/stories/2008/05/19/daily9.html University of Florida officials will be notifying about 1,900 patients of a UF plastic surgeon that their private health information might have been breached after the information was managed and disposed of improperly. Dr. Francis D. 
Ong, a UF assistant professor of plastic surgery at the UF College of Medicine-Jacksonville, stored unsecured digital photographs of his patients and identifying information -- such as names, dates of birth, Social Security numbers, and Medicare numbers -- on a computer. Ong then gave the computer to a family he was friends with in late January or early February this year.

[...]

From lyger at attrition.org Tue May 20 20:15:15 2008
From: lyger at attrition.org (lyger)
Date: Tue, 20 May 2008 20:15:15 +0000 (UTC)
Subject: [Dataloss] NYU students' information on Web for months
Message-ID:

http://www.newsobserver.com/news/story/1079337.html

Duke University's Fuqua School of Business is notifying 273 former New York University students that some of their personal information was inadvertently accessible by targeted Internet searches between July 2007 and April 2008.

The NYU students were part of a 1997 class taught by a professor who now teaches at the Duke business school, according to a Duke press release. The professor is not identified in the release, and a Duke spokesman declined to identify the professor.

The personal data included names and Social Security numbers and was contained in the faculty member's research records.

[...]

From mhill at idtexperts.com Wed May 21 19:16:36 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Wed, 21 May 2008 15:16:36 -0400
Subject: [Dataloss] OK: OKC buyer finds sensitive information on server
Message-ID: <003C4302B1CC4F88ACE555EB46A6A4D7@mkevhillpc>

http://www.tulsaworld.com/news/article.aspx?articleID=20080521_12_OKLAH32253

OKLAHOMA CITY -- The Oklahoma Corporation Commission is removing hard drives from all surplus computer equipment after a server containing the names and Social Security numbers of thousands of residents was sold at an auction recently.

Oklahoma City resident Joe Sills discovered more than 5,000 Social Security numbers after purchasing the server and other surplus state computer equipment at an auction last month. Sills was testing the equipment recently when he found the data in a file on the server. He said he is outraged that the state didn't erase the server's memory. "People's identities are at risk," he said.

The server had been used by the state Tax Commission and, most recently, the Corporation Commission. The Social Security numbers are likely tied to trucking industry data kept on the server by both agencies, Corporation Commission spokesman Matt Skinner said.

Since the Corporation Commission is now removing hard drives from computer equipment it sends to state auctions, people who buy the equipment will have to provide their own hard drives, Skinner said. It will keep accidental sensitive information leaks from happening again, he said.

State policy requires sensitive information to be erased from surplus equipment before it is auctioned, state Department of Central Services spokeswoman Gerry Smedley said. Erasing sensitive data is the responsibility of the agencies that owned the equipment.

--------------------------------------------------------------------------------
Michael Hill
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751
"If You Think You're Not At Risk, Think Again!"

NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email. This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination or distribution of this communication is prohibited. If you have received this communication in error, please notify the sender via return email and delete it completely from your email system. If you have printed a copy of the email, please destroy it immediately.

From tglassey at earthlink.net Tue May 20 22:10:25 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Tue, 20 May 2008 15:10:25 -0700
Subject: [Dataloss] FL: UF warns patients of security breach
References:
Message-ID: <01a501c8bac7$8a094260$0200a8c0@tsg1>

So then what should happen to this doctor for his actions?

Todd

----- Original Message -----
From: "lyger"
To:
Sent: Tuesday, May 20, 2008 9:36 AM
Subject: [Dataloss] FL: UF warns patients of security breach

> http://www.bizjournals.com/jacksonville/stories/2008/05/19/daily9.html
>
> University of Florida officials will be notifying about 1,900 patients of a UF plastic surgeon that their private health information might have been breached after the information was managed and disposed of improperly.
>
> Dr. Francis D. Ong, a UF assistant professor of plastic surgery at the UF College of Medicine-Jacksonville, stored unsecured digital photographs of his patients and identifying information -- such as names, dates of birth, Social Security numbers, and Medicare numbers -- on a computer. Ong then gave the computer to a family he was friends with in late January or early February this year.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml

From rchicker at etiolated.org Wed May 21 20:11:30 2008
From: rchicker at etiolated.org (rchick)
Date: Wed, 21 May 2008 16:11:30 -0400
Subject: [Dataloss] Data breach at New York bank possibly affecting hundreds of thousands of CT consumers
Message-ID:

http://www.norwalkplus.com/nwk/information/nwsnwk/publish/News_1/Data_breach_at_New_York_bank_possibly_affecting_hundreds_of_thousands_of_CT_consumers1402.shtml

Attorney General Richard Blumenthal today announced that a storage company for a New York bank lost an unencrypted backup tape containing Social Security numbers and bank account information belonging to as many as hundreds of thousands of Connecticut consumers and personal information of millions more nationwide.

Among the Connecticut consumers are depositors and investors of People's United Bank of Bridgeport, which gave Bank of New York Mellon the information so it could offer those consumers an investment opportunity.

Blumenthal today wrote Bank of New York Mellon, which lost the information in February, demanding that it provide affected consumers with credit monitoring and other identity theft protections, as well as a full account of how the loss occurred and other information. The banks have cooperated fully thus far with Blumenthal's office.

Consumers seeking information about the breach should call a toll free number set up by Bank of New York Mellon, (877) 278-3451.

"I am alarmed and deeply concerned by a recent and serious data breach at The Bank of New York Mellon ('BNY') involving the loss of computer backup tapes containing sensitive information of some 4.5 million consumers, including People's United Bank account holders and shareowners," Blumenthal said in his letter. "Several hundred thousand Connecticut citizens may be affected, and possibly more, by this loss of highly significant personal information.

[...]
From lawyer at carpereslegalis.com Wed May 21 22:10:33 2008
From: lawyer at carpereslegalis.com (Marjorie Simmons)
Date: Wed, 21 May 2008 15:10:33 -0700
Subject: [Dataloss] FL: UF warns patients of security breach
In-Reply-To: <01a501c8bac7$8a094260$0200a8c0@tsg1>
References: <01a501c8bac7$8a094260$0200a8c0@tsg1>
Message-ID: <6631A5013A60477FB795B805E14E7923@Lakshmi>

Aside from the requirements of HIPAA, the Hippocratic oath requires both trying not to do harm and to respect patient privacy. Most medical societies and organizations instead use the "Principles of Medical Ethics" as a more modern standard. The AMA requires all its member physicians to abide by the well-established "Principles of Medical Ethics", and violations of such principles are sanctionable ethics violations. Sections 2, 3, 4, 7, and 8 read as follows:

2. A physician shall uphold the standards of professionalism, be honest in all professional interactions, and strive to report physicians deficient in character or competence, or engaging in fraud or deception, to appropriate entities.

3. A physician shall respect the law and also recognize a responsibility to seek changes in those requirements which are contrary to the best interests of the patient.

4. A physician shall respect the rights of patients, colleagues, and other health professionals, and shall safeguard patient confidences and privacy within the constraints of the law.

7. A physician shall recognize a responsibility to participate in activities contributing to the improvement of the community and the betterment of public health.

8. A physician shall, while caring for a patient, regard responsibility to the patient as paramount.

_________

The physician in question violated at least 6 separate provisions of the standard: #2 "uphold the standards..."; #3 "respect the law..."; #4 "respect the rights of patients ... and shall safeguard patient confidences and privacy..."; #7 [in its entirety]; and #8 "regard responsibility to the patient as paramount".

See: http://www.ama-assn.org/ama/pub/category/2512.html for the AMA's full data.

###

| -----Original Message-----
| From: dataloss-bounces at attrition.org
| [mailto:dataloss-bounces at attrition.org] On Behalf Of TS Glassey
| Sent: Tuesday, May 20, 2008 3:10 pm
| To: lyger; dataloss at attrition.org
| Subject: Re: [Dataloss] FL: UF warns patients of security breach
|
| So then what should happen to this doctor for his actions?
|
| Todd
|
| ----- Original Message -----
| From: "lyger"
| To: <>
| Sent: Tuesday, May 20, 2008 9:36 AM
| Subject: [Dataloss] FL: UF warns patients of security breach
|
| http://www.bizjournals.com/jacksonville/stories/2008/05/19/daily9.html
| >
| > University of Florida officials will be notifying about 1,900 patients
| > of a UF plastic surgeon that their private health information might ...

From lyger at attrition.org Thu May 22 11:40:34 2008
From: lyger at attrition.org (lyger)
Date: Thu, 22 May 2008 11:40:34 +0000 (UTC)
Subject: [Dataloss] TN: HealthSpring says laptop with personal data stolen
Message-ID:

http://www.tennessean.com/apps/pbcs.dll/article?AID=/20080522/BUSINESS01/805220343/1003/NEWS01

Nashville-based managed care company HealthSpring Inc. said Wednesday a laptop computer containing personal information of about 450 state residents was stolen in March.

The laptop, believed to contain names, dates of birth and social security numbers of about 9,000 individuals, was stolen from a HealthSpring employee's locked car on March 30 in Houston, the company said.

HealthSpring said the theft was reported to police on April 1 and it does not believe any of the information on the laptop has been misused.

[...]
From privacy_survey at mac.com Thu May 22 13:34:24 2008
From: privacy_survey at mac.com (James Crowe)
Date: Thu, 22 May 2008 14:34:24 +0100
Subject: [Dataloss] [Slightly OT]: Does a failure to address privacy in information systems design lead to the risk of uncontrolled loss of personal data?
Message-ID: <20737819-956A-45AE-9DB2-DAF728B91C51@mac.com>

Hi there,

Inspired by the increase in examples of mass dataloss from military sources (http://news.bbc.co.uk/1/hi/uk_politics/7199658.stm) in the UK, I'm researching the issue of the creation of personal activity and performance data within workplace information systems and the potential for such data to be processed into biographical information that relates to the performance of an individual. The focus of my study lies within the military, who culturally have some interesting perspectives on the concept of privacy.

My study draws on the increasing tendency for integration of government and commercial information systems and the risk that this poses in regard to the potential aggregation of information about an individual, their activities and performance, potentially exposing biographical information relating to a person to an authorized user who should have no right to examine it.

I am interested in progressing a line of inquiry into the extent to which legislation (primarily European Union and UK) fails to address, within the context of 'personal data', the creation of work performance data that relates directly to an individual (i.e. what work he/she does and how long it takes might be used as a means of performance assessment) and the movement of such data across boundaries (e.g. to industry partners), the lack of visibility that the 'data-subject' has of this information and the use to which the 'data controller' enables processing.

The link here to the concept of privacy is an interesting military cultural issue that appears to indicate that whilst military personnel apparently value privacy within their 'off-duty' lives as normal citizens (i.e. they have the same concerns as a member of the public for protection of their identity and 'personal' information), in their 'duty' role they have little or no concern regarding the extent or visibility of information about them generated as a result of their primary duties (i.e. engineering work performance). This, I think, shows an interestingly 'bi-polar' perspective taken by military personnel, and implies a significant level of trust in the organization that they work for to ensure that this information remains confidential and is used appropriately. Interestingly, in the UK we have yet, to my knowledge, to have a case of an industry partner undermining this trust, as in this case previously reported: http://www.infoworld.com/article/08/05/02/Military-computer-contractor-convicted-on-ID-theft-charges_1.html

I have found the information and opinions of the list invaluable in understanding the breadth of the dataloss issue and would be very grateful to anyone for their time to complete my survey (which would take about 4 minutes to complete). If this subject is of interest to you I'd be delighted to receive your completed survey and any additional comment you may have.

http://www.surveymonkey.com/s.aspx?sm=9Eefg06dUMJN1CtqhytyQw_3d_3d

Thank you very much for your time,

Jim

From rchicker at etiolated.org Thu May 22 14:43:25 2008
From: rchicker at etiolated.org (rchick)
Date: Thu, 22 May 2008 10:43:25 -0400
Subject: [Dataloss] Student Hacker Stole Personal Info Of 55,000
Message-ID:

http://www.nbc10.com/news/16360457/detail.html

May 22, 2008

A Chester County teenager is accused of hacking into his high school's computer system and stealing personal information from thousands of people.

Police said a 15-year-old Downingtown West High School student, whose name is being withheld because he is a minor, accessed private information, including names, addresses and Social Security numbers, of more than 50,000 people.

[..]

From hbrown at knology.net Thu May 22 23:29:23 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 22 May 2008 18:29:23 -0500
Subject: [Dataloss] The Isle of Wight's Sandown Health Centre reports 38000 missing health records
Message-ID: <483601D3.3060308@knology.net>

http://news.bbc.co.uk/2/hi/uk_news/england/hampshire/7410119.stm

Confidential health records lost

Confidential health records of more than 38,000 patients have gone missing after a computer back-up tape was lost by a courier firm, an NHS trust said.

The Isle of Wight's Sandown Health Centre sent its records to a specialist firm for its software to be checked.

But the tape, containing records of patients dating back to July 1996, failed to arrive when it was sent back using courier firm City Link in March.

The Isle of Wight NHS Primary Care Trust fears "it may be lost forever".

A City Link spokesman said: "Naturally we are concerned about the loss of our customer's consignment and a rigorous search continues.

"An investigation is under way and we are doing everything in our power to resolve this situation."

A spokesman from the trust explained the back-up tape was sent away to ensure that it could be used effectively to restore information on the health centre's computer if it was damaged in a fire or other system failure.

He said the back-up tapes were more secure than data stored on CD-ROM and the health centre still had a copy of all the data so patients would not be affected.

"The risk of the tape being misused is extremely small," the trust spokesman added.

"The tape requires specialist computer equipment to run it and the data is password-protected.

"Highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape."

The PCT and the health centre, which has been contacting patients to advise them of the loss, has set up a telephone helpline to address people's concerns.

[...]

From tglassey at earthlink.net Fri May 23 16:40:05 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Fri, 23 May 2008 09:40:05 -0700
Subject: [Dataloss] AL: Patient Information "Disappears" from Montgomery Psychiatric Hospital
References:
Message-ID: <00e801c8bcf3$a94deb70$0200a8c0@tsg1>

The only way to stop this type of problem is to make the penalty so painful that people aren't willing to chance it for the most part.

Todd

----- Original Message -----
From: "lyger"
To:
Sent: Saturday, May 17, 2008 11:08 AM
Subject: [Dataloss] AL: Patient Information "Disappears" from Montgomery Psychiatric Hospital

> http://www.wsfa.com/Global/story.asp?S=8339331&nav=0RdDAp3y
>
> It's a place where patients hope for a high standard of care and, above all, privacy.
>
> Now, Montgomery's Greil Hospital has an information leak on its hands.
>
> "Several months ago we noticed something irregular in some patient records," explained Dr. John Ziegler of the Alabama Department of Mental Health and Mental Retardation.
>
> Department staffers say index cards containing personal information--names, dates of birth, even Social Security numbers--are gone.
>
> [...]

From tglassey at earthlink.net Fri May 23 16:55:17 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Fri, 23 May 2008 09:55:17 -0700
Subject: [Dataloss] The Isle of Wight's Sandown Health Centre reports 38000 missing health records
References: <483601D3.3060308@knology.net>
Message-ID: <00f801c8bcf5$c90eaa10$0200a8c0@tsg1>

The solution is simple - stop accepting unencrypted media for transport...

Todd Glassey

----- Original Message -----
From: "Henry Brown"
To:
Sent: Thursday, May 22, 2008 4:29 PM
Subject: [Dataloss] The Isle of Wight's Sandown Health Centre reports 38000 missing health records

> http://news.bbc.co.uk/2/hi/uk_news/england/hampshire/7410119.stm
>
> Confidential health records lost
>
> Confidential health records of more than 38,000 patients have gone missing after a computer back-up tape was lost by a courier firm, an NHS trust said.
> The Isle of Wight's Sandown Health Centre sent its records to a specialist firm for its software to be checked.
> But the tape, containing records of patients dating back to July 1996, failed to arrive when it was sent back using courier firm City Link in March.
> The Isle of Wight NHS Primary Care Trust fears "it may be lost forever".
> A City Link spokesman said: "Naturally we are concerned about the loss of our customer's consignment and a rigorous search continues.
> "An investigation is under way and we are doing everything in our power to resolve this situation."
>
> A spokesman from the trust explained the back-up tape was sent away to ensure that it could be used effectively to restore information on the health centre's computer if it was damaged in a fire or other system failure.
> He said the back-up tapes were more secure than data stored on CD-ROM and the health centre still had a copy of all the data so patients would not be affected.
> "The risk of the tape being misused is extremely small," the trust spokesman added.
> "The tape requires specialist computer equipment to run it and the data is password-protected.
> "Highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape."
> The PCT and the health centre, which has been contacting patients to advise them of the loss, has set up a telephone helpline to address people's concerns.
> [...]

From mhill at idtexperts.com Sun May 25 22:07:46 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Sun, 25 May 2008 18:07:46 -0400
Subject: [Dataloss] NY: Stolen laptop contained students' personal information
Message-ID: <1B8878E9F6CF4A16A405FF2E3E9B106E@mkevhillpc>

http://www.uticaod.com/education/x360360504/Stolen-laptop-contained-students-personal-information

Students and applicants at Herkimer County Community College should watch their credit reports carefully, especially if they received a letter from the school notifying them of a stolen laptop from a SunGard employee.

The security breach was announced by the college May 1 to 6,000 people whose personal information was on the missing laptop, which has yet to be recovered.

SunGard Higher Education is a technology company out of Malvern, Pa., that provides services to HCCC. The laptop was stolen March 13, and State University of New York officials were notified April 9. Students at HCCC received a letter dated May 1.

[...]

Kvinge said the computer belonged to a consulting employee of SunGard, and the incident occurred at a customer site. She would not disclose the name of the police agency that initially handled the case for security purposes. For the same reason, she would not release the make or model of the computer.

"Naturally, we want to go public and let people know what's going on, but at the same time, when we go public, we're sending a message to the person who stole that laptop that there is personal information on there."

Rebecca Ruffing, assistant director of public relations at HCCC, said after working together with SunGard to determine what data was missing, students whose information was on the computer received letters in the mail explaining the situation and advising they monitor their credit through a consumer reporting company.

[...]
--------------------------------------------------------------------------------
Michael Hill
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751
"If You Think You're Not At Risk, Think Again!"

From lyger at attrition.org Mon May 26 05:45:35 2008
From: lyger at attrition.org (lyger)
Date: Mon, 26 May 2008 05:45:35 +0000 (UTC)
Subject: [Dataloss] admin: out of office messages (summer vacation)
Message-ID:

Hi everyone,

Just a quick note: if you will be away for vacation and turn on an automatic "out of office" response, please either unsubscribe from the list first or set your status to "no mail" during the time that you will be away. List moderators receive a bounce message for all "OOO" auto-responses, so our mailboxes will likely fill up quickly if we don't have a little help. :)

Thanks in advance,

Lyger

From tglassey at earthlink.net Mon May 26 16:10:35 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Mon, 26 May 2008 09:10:35 -0700
Subject: [Dataloss] TJX is at it again...
References:
Message-ID: <004101c8bf4b$096474d0$6401a8c0@tsg1>

By Dan Goodin in San Francisco
Published Friday 23rd May 2008 22:54 GMT

TJX Companies, the mammoth US retailer whose substandard security led to the world's biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked.

Security was so lax at the TJ Maxx outlet located in Lawrence, Kansas (http://www.tjx.com/contact/storemap.aspx?sid=08-624), that employees were able to log onto company servers using blank passwords, the fired employee, Nick Benson, told The Register. This policy was in effect as recently as May 8, more than 18 months after company officials learned a massive network breach had leaked the details of more than 94 million customer credit cards. Benson said he was fired on Wednesday after managers said he disclosed confidential company information online.

Other security issues included a store server that was running in administrator mode, making it far more susceptible to attackers. He said he brought the security issues to the attention of a district loss prevention manager named Allen in late 2006, and repeatedly discussed them with store managers. Except for a stretch when IT managers temporarily tightened password policies, the problems went unfixed.

"I was basically hitting a glass wall," said Benson, a 23-year-old freshman at the University of Kansas who worked at TJ Maxx beginning in October 2005. "Not one single thing was done. My store manager even posted the password and username on a post-it note. I told her not to do that."

So last August, Benson took to Sla.ckers.org, a website dedicated to web application security, and began anonymously reporting the shoddy practices in this user forum (http://sla.ckers.org/forum/read.php?13,15148,page=1). Over the next nine months, he left eight posts in which he chafed at the password policy and what he should do about it.

"I am not sure if this is just an isolated incident within this specific store, but it goes to show that you can't trust a company to protect your information, especially TJX," Benson wrote under the moniker CrYpTiC_MauleR. "Today was a very sad day for me =o("

A TJX spokeswoman declined to comment for this story and turned down our request to discuss the company's policies for passwords and other security matters.

Benson's May 8 posting was prompted by news that managers had changed the password for employees to access the store server. Inexplicably, it was set to blank. When Benson first began working for TJX, his password was the same as his user name, he said. Then came word in January 2007 that unknown hackers had brazenly intruded on the company's network over a 17-month period. For a time following the disclosure, TJX employees were required to use relatively strong passwords. The change to a blank password clearly represented a step backward, Benson thought.

The posts eventually caught up to Benson. On Wednesday, while marking down items on the TJ Maxx retail floor, he was summoned to the store office. Inside, a regional loss prevention manager told him his critiques had come to the attention of the company hired to monitor internet postings about the retailing giant. The manager told Benson he was being fired for disclosing confidential company information.

No one at Slackers.org was willing to defend TJX or the shoddy security practices it is accused of following, but some have questioned Benson's decision to speak so openly.

"I would assume your disclosure of your company's inner server workings on the internet means that they can't trust employees to protect their information?" one forum participant wrote in a response to Benson's posts.

But critiques like that seem to overreach. Benson's disclosures weren't specific enough to give attackers information needed to successfully breach TJX's networks. And when you consider the right of TJX's customers and employees to know that their data may be at risk, it's not unreasonable to call him a whistleblower.

The account has us wondering if other TJX employees have tales similar to Benson's. If so, please contact your reporter using this link (http://forms.theregister.co.uk/mail_author/?story_url=/2008/05/23/tjx_fires_whistleblower/). (Anonymity assured.)

For Benson's part, he has no regrets.

"They're telling the public they're PCI compliant," he said, referring to so-called payment card industry security rules governing businesses that accept credit and debit cards. "That I think is unethical."

But he says his actions were also fueled by a healthy dose of self-interest.

"My information is still on that server," he continued, referring to the machine that sits in an office at the TJ Maxx where he once worked. "So if their network is insecure, then my information is insecure. I'd prefer they get it fixed."

From rchicker at etiolated.org Tue May 27 15:08:16 2008
From: rchicker at etiolated.org (rchick)
Date: Tue, 27 May 2008 11:08:16 -0400
Subject: [Dataloss] OK resident finds more than 5,000 SSN after purchasing State owned server at auction
Message-ID:

The Oklahoman, http://www.newsok.com

OKLAHOMA CITY (AP) - The Oklahoma Corporation Commission is removing hard drives from all surplus computer equipment after a server containing the names and Social Security numbers of thousands of residents was sold at an auction recently.

Oklahoma City resident Joe Sills discovered more than 5,000 Social Security numbers after purchasing the server and other surplus state computer equipment at an auction last month. Sills was testing the equipment recently when he found the data in a file on the server. He said he's outraged that the state didn't erase the server's memory. "People's identities are at risk," he said.

The server had been used by the state Tax Commission and, most recently, the Corporation Commission.

[..]
From lyger at attrition.org Wed May 28 23:23:05 2008
From: lyger at attrition.org (lyger)
Date: Wed, 28 May 2008 23:23:05 +0000 (UTC)
Subject: [Dataloss] CA: UCSF alerts patients about a security breach
Message-ID:

http://pub.ucsf.edu/newsservices/releases/200805283/

The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information. There is no indication that any patient files were accessed. However, UCSF takes this situation very seriously and is therefore responding with the highest level of caution and concern.

[...]

This computer contained files with lists of patients from the UCSF pathology department's database. The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers.

The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer. The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis. UCSF is notifying these health care providers to coordinate communication with their patients.

UCSF has established a special phone line (415) 353-7427 and a special email address PathHotline at ucsf.edu to answer questions from patients who receive the notification letters.

[...]

From lyger at attrition.org Thu May 29 00:58:08 2008
From: lyger at attrition.org (lyger)
Date: Thu, 29 May 2008 00:58:08 +0000 (UTC)
Subject: [Dataloss] India: City BPO accused of data theft
Message-ID:

(note: according to Wikipedia, a crore is a unit in the Indian numbering system equal to 10 million. not exactly sure what type of data was supposedly taken/stolen/compromised)

http://timesofindia.indiatimes.com/Ahmedabad/City_BPO_accused_of_data_theft/articleshow/3081539.cms

AHMEDABAD: It could well be one of the biggest data thefts in the country. An Ahmedabad-based BPO owner, Maulik Dave, has been accused of data theft from a Florida-based company and selling them to its rival companies in the US. Dave stole data worth Rs 1 crore from the company. With the help of his accomplice based in the US, Milan Dabhi, he sold the data to competitors of the company in the US.

The nondescript office of Business Bee Solutions along the SG Road, a BPO working in the IT sector, has been closed for three months soon after Florida-based Company Noble Ventures Inc. cancelled their contract with Dave. He then shifted his operations to his home in Vejalpur.

Dave had got a contract for two years for designing and maintenance of the website of Noble Ventures Inc. This company provides customer database of 1.25 crore US citizens to various marketing companies in the US and also has a client-base in other international markets.

[...]

From rchicker at etiolated.org Thu May 29 20:52:31 2008
From: rchicker at etiolated.org (rchick)
Date: Thu, 29 May 2008 16:52:31 -0400
Subject: [Dataloss] MA: State Street Corp - Data Theft Affects More Than 45,000
Message-ID:

May 29, 2008

http://www.cnbc.com/id/24875931

Computer equipment containing personal information on more than 45,000 customers and employees of a State Street unit was stolen five months ago, the company said.

The personal information included names, addresses and social security numbers. State Street said there was no evidence the data had been misused, but it declined to say if the stolen equipment had been recovered. It is working with federal and local law enforcement agencies on the matter.

The company, a Boston-based provider of financial services to institutional investors, said 5,500 employees and 40,000 customers of Investors Financial Services, which it acquired last year, were affected.

The computer equipment was stolen from a vendor hired by Investors Financial Services to provide legal support services.

[..]
From mhill at idtexperts.com Fri May 30 03:04:15 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Thu, 29 May 2008 23:04:15 -0400 Subject: [Dataloss] KY: Over 300 local court files stolen, many including personal information Message-ID: <8238B1FF529C4C02AD50AF7DAEA0B55D@mkevhillpc> http://www.whas11.com/news/local/stories/whas11_localnews_080529_courtrecords.4000adb5.html WHAS11) - Stolen court records are now apart of an ongoing police investigation. On Wednesday, Louisville Metro Police made an arrest, and during that arrest they found 312 stolen court traffic files in that person's possession. The files are all from November 2003 and were being stored in the old jail building under 24-hour surveillance, but somehow, someone managed to get them out. All of the files contain personal information of people in Louisville such as, name, address, date of birth and in some cases social security numbers and copies of drivers' licenses. Authorities say the biggest concern is to help those whose records were stolen prevent identity theft. The court is sending out letters to the 312 people affected. The letter includes information to help prevent identity theft, identify it if it has happened, and it includes information on a helpline that has been set up to help those affected by the stolen court records. Michael Hill -------------- next part -------------- An HTML attachment was scrubbed... 
From rchicker at etiolated.org Sat May 31 01:57:09 2008
From: rchicker at etiolated.org (rchick)
Date: Fri, 30 May 2008 21:57:09 -0400
Subject: [Dataloss] Update: Bank of New York Mellon - 25 firms identified on lost tape
Message-ID: 

http://www.courant.com/business/hc-mellon0531.artmay31,0,4423158.story

25 Firms With Data On Lost Tape Identified
May 31, 2008

The missing Bank of New York Mellon computer tape reported last week contained information about nearly 500,000 Connecticut residents from a large number of companies, said state officials, who identified 25 of the companies on Friday. New York Mellon, which was responsible for the tape, has upped its fraud protection offer from one year to two years. The company has agreed to provide two years of free credit monitoring, including $25,000 in identity theft insurance and free credit freezes to people affected by either security breach. New York Mellon had been under pressure from Attorney General Richard Blumenthal and other Connecticut officials to boost its protection offer. Among the 497,333 Connecticut residents affected, 403,894 were depositors of People's United Bank, which said last week it is relying on New York Mellon to notify its depositors. Other companies affected were John Hancock Financial Services Inc., 33,586 shareholders; and The Walt Disney Co., 18,361 shareholders. The rest had fewer than 10,000 Connecticut residents. [..] Stratton said Mellon must provide "at least seven years of credit monitoring and credit insurance."
The 25 companies identified Friday are: Bank of New York Mellon Corp., People's United Financial Inc., John Hancock Financial Services Inc., The Walt Disney Co., TD Bank Financial Group, Hudson United Bancorp, United Parcel Service Inc., Wachovia Corp., MetLife Inc., Hudson City Bancorp, Eastman Kodak Co., Burlington Resources, Providian Financial, Penn Fed Financial, ADESA Inc., Alcatel-Lucent, Odyssey America Reinsurance Corp., Seacoast Financial Services Corp., Viewpoint Bank, Diamond Shamrock, Sound Federal Bancorp, Big Lots Inc., Guidant Corp., New York Community Bancorp and ACE Ltd. [..]

From arshad.noor at strongauth.com Sat May 31 16:01:30 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Sat, 31 May 2008 09:01:30 -0700
Subject: [Dataloss] [Fwd: Update: Bank of New York Mellon - 25 firms identified on lost tape]
Message-ID: <4841765A.8050405@strongauth.com>

After nearly 5 years of breach disclosures (CA's SB-1386 went into effect on July 1, 2003), such disclosures make it painfully obvious that Breach Disclosure laws need updating. Until companies start disclosing technical and process weaknesses that led to the breach, the industry learns nothing.

Arshad Noor
StrongAuth, Inc.

-------- Original Message --------
Subject: [Dataloss] Update: Bank of New York Mellon - 25 firms identified on lost tape
Date: Fri, 30 May 2008 21:57:09 -0400
From: rchick
To: dataloss at attrition.org

http://www.courant.com/business/hc-mellon0531.artmay31,0,4423158.story

25 Firms With Data On Lost Tape Identified
May 31, 2008

The missing Bank of New York Mellon computer tape reported last week contained information about nearly 500,000 Connecticut residents from a large number of companies, said state officials, who identified 25 of the companies on Friday. New York Mellon, which was responsible for the tape, has upped its fraud protection offer from one year to two years.
The company has agreed to provide two years of free credit monitoring, including $25,000 in identity theft insurance and free credit freezes to people affected by either security breach. New York Mellon had been under pressure from Attorney General Richard Blumenthal and other Connecticut officials to boost its protection offer. Among the 497,333 Connecticut residents affected, 403,894 were depositors of People's United Bank, which said last week it is relying on New York Mellon to notify its depositors. Other companies affected were John Hancock Financial Services Inc., 33,586 shareholders; and The Walt Disney Co., 18,361 shareholders. The rest had fewer than 10,000 Connecticut residents. [..] Stratton said Mellon must provide "at least seven years of credit monitoring and credit insurance." The 25 companies identified Friday are: Bank of New York Mellon Corp., People's United Financial Inc., John Hancock Financial Services Inc., The Walt Disney Co., TD Bank Financial Group, Hudson United Bancorp, United Parcel Service Inc., Wachovia Corp., MetLife Inc., Hudson City Bancorp, Eastman Kodak Co., Burlington Resources, Providian Financial, Penn Fed Financial, ADESA Inc., Alcatel-Lucent, Odyssey America Reinsurance Corp., Seacoast Financial Services Corp., Viewpoint Bank, Diamond Shamrock, Sound Federal Bancorp, Big Lots Inc., Guidant Corp., New York Community Bancorp and ACE Ltd. [..]

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

From hbrown at knology.net Sat May 31 01:05:37 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 30 May 2008 20:05:37 -0500
Subject: [Dataloss] White paper from US Dept of Justice
Message-ID: <4f9b7e300805301805t2c716682t4c080bd29a522fe0@mail.gmail.com>

A news article:
http://www.networkworld.com/community/node/28257

A look into the dark underbelly of data breaches
Submitted by Layer 8 on Fri, 05/30/2008 - 12:28pm.
The process by which large volumes of data are stolen, resold, and ultimately used by criminals to commit fraud has evolved from the sale of a few pieces of sensitive information, such as credit card numbers and expiration dates, to full-blown identity packages containing multiple types of sensitive personal information. That is but one of the disconcerting details of a Department of Justice-penned report that looks at the rapidly morphing, dark side of stolen personal information [...]

The actual white paper (will require a PDF reader), which is over 30 pages long...
http://www.cybercrime.gov/DataBreachesArticle.pdf

"Cyber-crime has evolved significantly over the last two years, from dumpster diving and credit card skimming to full-fledged online bazaars full of stolen personal and financial information."

Individuals have been at risk of having their personal information stolen and used to commit identity-related crimes long before the emergence of the Internet. What the Information Age has changed, however, is the method by which identity thieves can access and exploit the personal information of others. One method in particular leaves hundreds of thousands, and in some cases tens of millions, of individuals at risk for identity theft: large-scale data breaches by skilled hackers. In this method, criminals remotely access the computer systems of government agencies, universities, merchants, financial institutions, credit card companies, and data processors, and steal large volumes of personal information on individuals. Such large-scale data breaches have revolutionized the identity theft landscape, in particular as it relates to fraud on existing accounts by use of compromised credit and debit card account information. [...]