<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3314" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=437022622-03052008><FONT face=Arial
color=#0000ff size=2>Was that the FCC or FTC that you notified? The FTC might be
more interested. You could call their 800 number: <FONT
face="Times New Roman" color=#000000 size=3> </FONT>
<DIV class=O style="mso-line-spacing: '100 50 0'; mso-margin-left-alt: 216"
v:shape="_x0000_s1026">1-877-ID-THEFT<SPAN class=437022622-03052008> (<A
href="http://www.ftc.gov/bcp/conline/pubs/credit/idtheftmini.shtm">http://www.ftc.gov/bcp/conline/pubs/credit/idtheftmini.shtm</A>).
In addition to recording your complaint, you could tell them about the breach
itself.</SPAN></DIV>
<DIV class=O style="mso-line-spacing: '100 50 0'; mso-margin-left-alt: 216"
v:shape="_x0000_s1026"><SPAN class=437022622-03052008></SPAN> </DIV>
<DIV class=O style="mso-line-spacing: '100 50 0'; mso-margin-left-alt: 216"
v:shape="_x0000_s1026"><SPAN class=437022622-03052008>What state was this in?
Different states require different notification procedures.</SPAN></DIV>
<DIV class=O style="mso-line-spacing: '100 50 0'; mso-margin-left-alt: 216"
v:shape="_x0000_s1026"><SPAN class=437022622-03052008></SPAN> </DIV>
<DIV class=O style="mso-line-spacing: '100 50 0'; mso-margin-left-alt: 216"
v:shape="_x0000_s1026"><SPAN class=437022622-03052008>cheers,</SPAN></DIV>
<DIV class=O style="mso-line-spacing: '100 50 0'; mso-margin-left-alt: 216"
v:shape="_x0000_s1026"><SPAN
class=437022622-03052008>sasha</SPAN></DIV></FONT></SPAN></DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> dataloss-bounces@attrition.org
[mailto:dataloss-bounces@attrition.org] <B>On Behalf Of </B>Aaron
Allen<BR><B>Sent:</B> Saturday, May 03, 2008 12:11 PM<BR><B>To:</B>
dataloss@attrition.org<BR><B>Subject:</B> [Dataloss] Reporting
Dataloss<BR></FONT><BR></DIV>
<DIV></DIV>Back in November 2007, I uncovered a data breach containing about
7000 partial names, addresses and full SSNs of students that graduated from
the public school system from which I graduated in 2002. The data was
publicly posted on a website of a vendor that the school had used. Here
is an example line from the leak:<BR>
<TABLE cellSpacing=0 cellPadding=0 width=1026 align=BLEEDLEFT border=0>
<TBODY>
<TR vAlign=top></TR>
<TR vAlign=top>
<TD width=30 colSpan=3><BR></TD>
<TD width=92 colSpan=7 rowSpan=2><FONT face=Arial size=2><B><U>Permanent
Number</U></B></FONT></TD>
<TD width=40 colSpan=4><BR></TD>
<TD width=53 colSpan=3 rowSpan=2><FONT face=Arial size=2><B><U>LAST
NAME</U></B></FONT></TD>
<TD width=20 colSpan=2><BR></TD>
<TD width=51 colSpan=4 rowSpan=2>
<TABLE cellSpacing=0>
<TBODY>
<TR>
<TD align=left><FONT face=Arial size=2><B><U>FIRST
</U></B></FONT></TD></TR>
<TR>
<TD align=left><FONT face=Arial size=2><B><U>NAME
</U></B></FONT></TD></TR></TBODY></TABLE></TD>
<TD width=216 colSpan=11><BR></TD>
<TD width=79 colSpan=5 rowSpan=2><FONT face=Arial size=2><B><U>Geocode
Status</U></B></FONT></TD></TR>
<TR vAlign=top>
<TD width=335 colSpan=17><BR></TD>
<TD width=40 colSpan=4><BR></TD>
<TD width=20 colSpan=2><BR></TD>
<TD width=62 colSpan=5><BR></TD>
<TD width=64><FONT face=Arial size=2><B><U>Address</U></B></FONT></TD>
<TD width=58 colSpan=3><BR></TD>
<TD width=61 colSpan=4><FONT face=Arial
size=2><B><U>ZIP</U></B></FONT></TD>
<TD width=11><BR></TD>
<TD width=59 colSpan=3><FONT face=Arial
size=2><B><U>GRADE</U></B></FONT></TD></TR>
<TR vAlign=top>
<TD width=1006 colSpan=62><BR></TD></TR>
<TR vAlign=top>
<TD width=325 colSpan=16><BR></TD>
<TD width=142 colSpan=12><FONT face=Arial size=2>401999999</FONT></TD>
<TD width=84 colSpan=6><FONT face=Arial size=2>XXXXX</FONT></TD>
<TD width=74 colSpan=6><FONT face=Arial size=2>......hia</FONT></TD>
<TD width=140 colSpan=5><FONT face=Arial size=2>.......estown
Rd</FONT></TD>
<TD width=10><BR></TD>
<TD width=48 colSpan=3><FONT face=Arial size=2>40511</FONT></TD>
<TD width=26 colSpan=2><BR></TD>
<TD width=25><FONT face=Arial size=2>D</FONT></TD>
<TD width=54 colSpan=4><BR></TD>
<TD width=28><FONT face=Arial
size=2>09</FONT></TD></TR></TBODY></TABLE><BR>Note that I changed the social
security number to protect the innocent, but everything else is the
same. As you can see, the data provided was full social, last three
letters of the first name, partial address, full zip, the high school the
student was attending in the year 2001, and the grade they were in when they
attended that school. I notified both the vendor and the school district
and they removed the information. They told me they would not notify the
affected individuals because the amount of information contained in the leak
was so small that it was useless to any potential ID thief.<BR><BR>However,
because the breach targets such a small group of individuals, I was easily able
to go through the information and, using publicly available information, fill in
a lot of missing information and obtain full SSN, name, addresses, and phone
numbers. I have also notified the FCC and attempted to contact other
agencies, but no one seems to really care that this data loss has
occurred. Now, several months later, I have found out that I am a victim
of identity theft (someone filed taxes under my SSN). While there is no
way to link these two incidents, it has caused me to look back into this data
leak I discovered back in Nov.<BR><BR>So, my question to the list is what is
the best way and to whom do you report a data loss event that neither of the
responsible parties is willing to disclose?<BR><BR>Or, am I just being too
paranoid and the amount of data that was leaked should not be a cause for
concern?<BR></BLOCKQUOTE></BODY></HTML>