[Dataloss] Reporting Dataloss

Aaron Allen aaron at trifault.net
Sat May 3 23:17:59 UTC 2008 

It was indeed the FTC and not the FCC.  Too many TLAs in the government,
sorry about that :)

The state is KY.

The superintendent of the school is aware of the issue, and to be fair, it
was actually the vendor that leaked the information (now, whether or not the
vendor should have had the information is another question entirely).  I
believe the vendor (and thus the location of the breach) was in MD, which
complicates things a little more.  The data was available in "sample
reports" that were publicly available on the vendor's website (easily
googled).  There were certainly not hidden or obscured in anyway whatsoever.

On Sat, May 3, 2008 at 6:37 PM, Sasha Romanosky <sromanos at andrew.cmu.edu>
wrote:

>
> Was that the FCC or FTC that you notified? The FTC might be more
> interested. You could call their 800 number:  1-877-ID-THEFT (
> http://www.ftc.gov/bcp/conline/pubs/credit/idtheftmini.shtm). In addition
> to recording your complaint, you could tell them about the breach, itself.
>
> What state was this in? Different states require different notification
> procedures.
>
> cheers,
> sasha
>
>  ------------------------------
> *From:* dataloss-bounces at attrition.org [mailto:
> dataloss-bounces at attrition.org] *On Behalf Of *Aaron Allen
> *Sent:* Saturday, May 03, 2008 12:11 PM
> *To:* dataloss at attrition.org
> *Subject:* [Dataloss] Reporting Dataloss
>
> Back in November 2007, I uncovered a data breach containing about 7000
> partial names, addresses and full SSNs of students that graduated from the
> public school system from which I graduated in 2002.  The data was publicly
> posted on a website of a vendor that the school had used.  Here is an
> example line from the leak:
>
> *Permanent Number*
> *LAST NAME*
>   *FIRST * *NAME *
> *Geocode Status*
>
>
>
> *Address*
> *ZIP*
> *GRADE*
>
> 401999999 XXXXX ......hia .......estown Rd
> 40511
> D
> 09
> Note that I changed the social security number to protect the innocent, but
> everything else is the same.  As you can see, the data provided was full
> social, last three letters of the first name, partial address, full zip, the
> high school the student was attending in the year 2001, and the grade they
> were in when they attended that school.  I notified both the vendor and the
> school district and they removed the information.  They told me they would
> not notify the affected individuals because the amount of information
> contained in the leak was so small that it was useless to any potential ID
> theif.
>
> However, because the breach targets such a small group of individuals I was
> easily able to go through the information and using publicly available
> information fill in a lot of missing information and obtain full SSN, name,
> addresses, and phone numbers.  I have also notified the FCC and attempted to
> contact other agencies, but no one seems to really care that this data loss
> has occurred.  Now, several months later, I have found out that I am a
> victim of identity theft (someone filed taxes under my SSN).  While there is
> no way to link these two incidents, it has caused me to look back into this
> data leak I discovered back in Nov.
>
> So, my question to the list is what is the best way and to whom do you
> report a data loss event that neither of the responsible parties are willing
> to disclose?
>
> Or, am I just being too paranoid and the amount of data that was leaked
> should not be a cause for concern?
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080503/18ee8e33/attachment.html

More information about the Dataloss mailing list