[attrition] blog: Oops! SSNBreach.org exposes students' personal info in Google

lyger lyger at attrition.org
Mon Aug 13 21:15:30 UTC 2007


http://www.pogowasright.org/blogs/dissent/?p=582

On July 18th, SSNBreach.org ("SSNB") was launched by Liberty Coalition and 
Aaron Titus. The site's stated purpose was to assist and empower those 
whose personally identifiable information had been accessible via the web 
due to the Louisiana Board of Regents. ("LBR") failure to password-protect 
over 200 files containing confidential student and employee records.

Less than three weeks after its launch, SSNB's own files on some of these 
students are being indexed by Google. Despite being notified of the 
problem on August 7, the problem isn't fixed, with more students. names 
and files appearing in Google every day.

The History of SSNBreach.org: "Finders, Keepers"

On or before June 18, Titus, a self-described "privacy advocate" and 
"privacy expert," discovered that the LBR files were accessible via search 
engines and cache. He did not inform LBR. Instead, he contacted the media. 
WDSU broke the story on July 17, after they had notified LBR.

While they left LBR in the dark about the exposure and the files 
accessible to cybercriminals, Titus and the Liberty Coalition were busy 
using the contents of those sensitive and confidential files to create 
their own database on everyone affected. When it was pointed out to them 
that they did not seek or secure permission to use information from files 
which "the reasonable man" would realize had been accidentally exposed and 
were intended to be confidential, Ostrolenk responded:

     "You are correct that we do not ask permission to retrieve online 
information. In fact, I cannot recall a single instance when I have 
contacted the proprietor of a website to ask permission to view 
information placed in the public domain."

Of course, Titus and the Liberty Coalition did much more than just view 
the information that had been unintentionally exposed. They used it. An 
identity thief might make the same statement they did.

[...]


More information about the attrition mailing list