From cwalsh at cwalsh.org Sat Apr 1 00:50:53 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 31 Mar 2006 23:50:53 -0600
Subject: [Dataloss] Police union posts PII of TV reporter on web site
Message-ID: <656F7B8F-8B3F-4EBF-88A1-BBDB74FCCB31@cwalsh.org>

Reporter angers cops with investigative report, gets his DOB, drivers' license number, address, and name posted to web site by police union president.

Story at http://www.miami.com/mld/miamiherald/news/local/states/florida/counties/broward_county/14218941.htm

From lyger at attrition.org Sun Apr 2 11:19:21 2006
From: lyger at attrition.org (lyger)
Date: Sun, 2 Apr 2006 11:19:21 -0400 (EDT)
Subject: [Dataloss] Georgia Technology Authority breach
Message-ID:

As posted last Friday by security curmudgeon via ISN:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,110094,00.html

Cruising privacyrights.org today, I noticed that they had the total number of affected people at 553,000 while the lead paragraph in the story above states "more than 570,000." Reading further down the article:

"Even so, the GTA is sending out letters to 180,000 affected employees for whom it has contact information, she said. The state does not have current addresses for the remaining 373,000 individuals affected and is relying on media reports and its own outreach efforts to inform them of the potential compromise of data, Goldberg said."

Since 180,000 plus 373,000 does indeed add up to 553,000, is there maybe more information about another 17,000 people that the article doesn't mention, was it perhaps a simple typo, or am I missing something obvious?

From lyger at attrition.org Mon Apr 3 08:35:29 2006
From: lyger at attrition.org (lyger)
Date: Mon, 3 Apr 2006 08:35:29 -0400 (EDT)
Subject: [Dataloss] 2004 Identity Theft Statistics
Message-ID:

For those interested in identity theft statistics for the year of 2004 from the U.S. Bureau of Justice:

http://www.ojp.usdoj.gov/bjs/abstract/it04.htm

PDF, ASCII, and CSV files are available for download.

From cwalsh at cwalsh.org Tue Apr 4 20:59:24 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 4 Apr 2006 19:59:24 -0500
Subject: [Dataloss] Improperly-configured shopping cart on compromised server reveals CC#s to hackers in Viet Nam
Message-ID: <02D2E26E-961F-4996-8D53-40A174F25B19@cwalsh.org>

From http://roadracingworld.com/news/article/?article=25398

Internet Security Breach Affects STT Track Day Customers
Apr 04, 2006
Copyright 2006, Roadracing World Publishing, Inc.

An Internet security breach has led to credit card information belonging to Sportbike Track Time customers falling into the hands of criminals and some fraudulent charges being made on those cards. According to a Sportbike Track Time spokesman, security improvements have been made to the company's website, www.sportbiketracktime.com.

Beginning March 23, 2006, several entries began appearing on Sportbike Track Time's online forum (http://www.sttforum.com/sttforum/viewtopic.php?t=272) discussing unauthorized online purchases made with the credit cards and debit cards of Sportbike Track Time participants who had registered at www.sportbiketracktime.com. As the number of instances grew, it became clear Sportbike Track Time had a problem.

The source of the problem was vulnerability in the "shopping cart" software provided by VP-ASP (a software company specializing in e-commerce solutions) to Sportbiketracktime.com, according to Monte Lutz, co-owner of Sportbike Track Time.

"Some enterprising hackers from Vietnam took over -- and I'm not a computer guy -- a Utah company's ISP and their servers and used that to hack into, simultaneously, several of the VP(-ASP)-driven sites. And we were one of them," Lutz told Roadracingworld.com Tuesday. "It was only a very short window. It was only 24 hours that the hackers had access to it, but you can take a lot of stuff in 24 hours. It was March 19. Anybody who signed up (for a Sportbike Track Time event) this year before March 20 was potentially affected."

Another part of the problem was that Sportbike Track Time customers' credit card information was being stored within the "shopping cart" system.

"We no longer store any data within the system," said Lutz. "We have no reason to keep that information. We do not store your credit card numbers. I do not want that responsibility. And the system was supposed to do it that way, but VP(-ASP) didn't set it up that way in the first place."

[...]

From cwalsh at cwalsh.org Tue Apr 4 22:29:01 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 4 Apr 2006 21:29:01 -0500
Subject: [Dataloss] Follow-up to my previous
Message-ID: <054C652B-6633-45D9-8DE7-D52EF30919C6@cwalsh.org>

Looks like the racetrack item was but a minor instance:

From http://www.first.org/newsroom/globalsecurity/15436.html

Online fraudsters tried to charge money to stolen credit and debit cards this past weekend using the processing service of a major online payment provider.

According to CNET News.com, several Web hosting companies that use the Authorize.Net service to accept credit cards online saw a quick surge in transactions, most for $500 and $700. The charges were billed to Visa, MasterCard and American Express cards across the U.S., representatives for three Web hosts told the news site.

"These hackers got their hands on high-quality data, and they used merchants of ours to run that data through the merchant's Web site, which goes through our platform," said David Schwartz, a spokesman for Authorize.Net in American Fork, Utah.

The Web hosting companies came across the unusual charges through the e-mail alerts that Authorize.Net sends after each transaction. Close to 3,000 suspicious transactions were pushed through the merchant accounts of at least three companies.
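The hosts in the item above only noticed the run of bogus charges by reading the per-transaction e-mail alerts their gateway sent. As an added example (not code from the post, from Authorize.Net or from any of the hosts), the Python below turns such alerts into an automated merchant-side check: it parses constructed alert lines in an assumed format (merchant, ISO timestamp, amount, card last four, brand) and flags a merchant whose transactions within a short window cluster on one or two repeated amounts across many different cards, the $500/$700 pattern the story describes. Thresholds are assumptions a merchant would tune to its own volume.

```python
"""Flag bursts of same-amount charges in per-transaction gateway alerts.

Constructed example, not the original post's or any vendor's code. The alert
format and thresholds below are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one line per gateway alert. hostco-a is normal traffic;
# hostco-b shows twelve different cards charged $500 or $700 in twelve minutes.
SAMPLE_ALERTS = """\
hostco-a 2006-04-01T09:12:03 19.95 4412 VISA
hostco-a 2006-04-01T11:40:51 119.00 7730 MC
hostco-a 2006-04-01T16:05:17 19.95 0021 AMEX
hostco-a 2006-04-02T08:30:00 59.00 9187 VISA
hostco-b 2006-04-01T22:01:10 500.00 1188 VISA
hostco-b 2006-04-01T22:02:44 700.00 2234 MC
hostco-b 2006-04-01T22:03:19 500.00 3391 VISA
hostco-b 2006-04-01T22:04:02 500.00 4410 AMEX
hostco-b 2006-04-01T22:05:55 700.00 5527 VISA
hostco-b 2006-04-01T22:06:31 500.00 6643 MC
hostco-b 2006-04-01T22:07:08 700.00 7719 VISA
hostco-b 2006-04-01T22:08:46 500.00 8802 VISA
hostco-b 2006-04-01T22:09:30 700.00 9916 MC
hostco-b 2006-04-01T22:10:12 500.00 1032 AMEX
hostco-b 2006-04-01T22:11:49 500.00 2148 VISA
hostco-b 2006-04-01T22:13:05 700.00 3264 VISA
"""


@dataclass(frozen=True)
class Alert:
    merchant: str
    ts: datetime
    amount: float
    last4: str
    brand: str


@dataclass(frozen=True)
class Finding:
    merchant: str
    window_start: datetime
    count: int
    distinct_cards: int
    top_amounts: tuple  # ((amount, occurrences), ...), most common first


def parse_alerts(text):
    """Parse whitespace-separated alert lines (assumed format) into Alert records."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        merchant, ts, amount, last4, brand = line.split()
        alerts.append(Alert(merchant, datetime.fromisoformat(ts),
                            float(amount), last4, brand))
    return alerts


def detect_bursts(alerts, window=timedelta(minutes=60), min_count=10,
                  max_amounts=2, min_share=0.8):
    """Return one Finding per merchant that, inside some `window`, received at
    least `min_count` transactions of which at most `max_amounts` distinct
    amounts make up `min_share` or more. Many different cards charged the same
    one or two round figures is the signature of stolen data being "run" through
    a merchant; the largest qualifying window per merchant is reported."""
    by_merchant = {}
    for a in alerts:
        by_merchant.setdefault(a.merchant, []).append(a)

    findings = []
    for merchant, txns in by_merchant.items():
        txns.sort(key=lambda a: a.ts)
        start, best = 0, None
        for end in range(len(txns)):
            # Slide the window start forward until it fits within `window`.
            while txns[end].ts - txns[start].ts > window:
                start += 1
            span = txns[start:end + 1]
            if len(span) < min_count:
                continue
            amounts = Counter(a.amount for a in span).most_common(max_amounts)
            share = sum(n for _, n in amounts) / len(span)
            if share >= min_share and (best is None or len(span) > best.count):
                best = Finding(merchant, txns[start].ts, len(span),
                               len({a.last4 for a in span}), tuple(amounts))
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_bursts(parse_alerts(SAMPLE_ALERTS)):
        print(f"{f.merchant}: {f.count} charges from {f.window_start} "
              f"across {f.distinct_cards} cards, amounts {f.top_amounts}")
```

A real deployment would feed the parser from the gateway's alert mailbox or transaction export and hold new charges for review rather than only print, but the windowing and amount-concentration test are the substance.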
From rforno at infowarrior.org Wed Apr 5 11:28:45 2006 From: rforno at infowarrior.org (Richard Forno) Date: Wed, 05 Apr 2006 10:28:45 -0500 Subject: [Dataloss] Agencies Not Protecting Privacy Rights, GAO Says Message-ID: Agencies Not Protecting Privacy Rights, GAO Says http://www.washingtonpost.com/wp-dyn/content/article/2006/04/04/AR2006040401 727_pf.html (Report at: http://www.gao.gov/docsearch/abstract.php?rptno=GAO-06-609T) By Robert O'Harrow Jr. Washington Post Staff Writer Wednesday, April 5, 2006; A09 Government agencies that use private information services for law enforcement, counterterrorism and other investigations often do not follow federal rules to protect Americans' privacy, according to a report yesterday by the Government Accountability Office. The Justice Department, the Department of Homeland Security and two other agencies examined by the GAO spent about $30 million last year on companies that maintain billions of electronic files about adults' current and past addresses, family members and associates, buying habits, personal finances, listed and unlisted phone numbers, and much more. But those agencies often do not limit the collection and use of information about law-abiding citizens, as required by the Privacy Act of 1974 and other laws. The agencies also don't ensure the accuracy of the information they are buying, according to the GAO report. That's in part because of a lack of clear guidance from the agencies and the Office of Management and Budget on guidelines known as "fair information practices," the report said. At the same time, the contractors are not bound by those "fair information practices," and they often don't comply with all of them, the report said. Companies do not notify individuals when information is collected, for instance. They limit individuals' access to records about themselves, and they generally do not have provisions for correcting mistakes, the report said. 
"The nature of the information reseller business is essentially at odds with the principles," the report said. "Resellers make it their business to collect as much personal information as possible." The 83-page report, the subject of a congressional hearing yesterday, was spurred in part by massive security breaches reported last year by ChoicePoint Inc. and LexisNexis in which sensitive files involving almost 200,000 people were sold to fraud artists. It highlights a difficult truth about the government's increasing reliance on information services: By outsourcing the building of rich dossiers, the government is sidestepping checks on surveillance approved in the wake of domestic spy scandals involving the FBI, Army and other agencies in the 1960s and 1970s. The report recommends that Congress consider requiring private information contractors to "more fully adhere" to fair information practices. Information services play an important but quiet role in homeland security and criminal investigations. ChoicePoint officials last year acknowledged that they serve in effect as a private intelligence service for the government. Rep. Chris Cannon (R-Utah), chairman of the House Judiciary Committee's subcommittee on commercial and administrative law, said the hearing was held because the ability of private information services to collect information and the government's use of those services have grown far beyond existing laws and oversight. Peter Swire, a law professor at Ohio State University, said the information industry delivers information more efficiently than ever before, helping investigators in many ways. But he told the congressional panel that the government needs to ensure that the information it buys is accurate while giving people a chance to correct mistakes. "Accuracy that is good enough for marketing is not necessarily good enough to detain a suspect," said Swire, who served as the chief privacy counselor in the Clinton administration White House. ? 
2006 The Washington Post Company From lyger at attrition.org Thu Apr 6 08:18:25 2006 From: lyger at attrition.org (lyger) Date: Thu, 6 Apr 2006 08:18:25 -0400 (EDT) Subject: [Dataloss] VSC narrows down personal data exposed by laptop theft (fwd) Message-ID: From: InfoSec News Date: Thu, 6 Apr 2006 03:29:37 -0500 (CDT) http://www.rutlandherald.com/apps/pbcs.dll/article?AID=/20060406/NEWS/604060353/1004/EDUCATION05 By Darren M. Allen Vermont Press Bureau April 6, 2006 MONTPELIER - A month after the theft of a laptop computer containing personal information of thousands of students and employees of the Vermont State Colleges system, officials are narrowing down the types of private information that were exposed. In a system-wide e-mail sent Monday to students, faculty, staff and alumni of the five state colleges, VSC Chancellor Robert Clarke emphasized the colleges' assertion that no personal information has been accessed or compromised from the laptop, which has not been recovered. "We have no evidence to date that personal data were actually retrieved or misused," Clarke said. "The laptop has not been recovered by law enforcement, so our ongoing information requires working with staff who may have exchanged e-mails and attachments with teams including the owner of the stolen laptop." The concealed laptop was stolen Feb. 28 from the chief information officer's car while it was parked on the streets of Montreal. The car, according to Karrin Wilks, the colleges' vice president for academic and strategic planning, was broken into by someone who also stole a pair of skis and other visible valuables. [...] 
From cwalsh at cwalsh.org Thu Apr 6 16:01:10 2006 From: cwalsh at cwalsh.org (Chris Walsh) Date: Thu, 6 Apr 2006 15:01:10 -0500 Subject: [Dataloss] PII posted at Korean Site Message-ID: <20060406200109.GB31670@cwalsh.org> The homepage of Korea Resources Corporation has 2,142 social security numbers listed publicly, and still has the resumes of applicants from the year 2004 on its website. There is enough information to forge identification cards. On the Ministry of Gender Equality and Family homepage, the personal information of 86 applicants for ?women heads of family establishment funds? is accessible. Their names, social security numbers, cell phone numbers, incomes, property holdings, and reasons for filing for female family head status are all revealed on the website. Social security numbers have also been exposed on the homepages of the Supreme Public Prosecutor`s Office and the National Police Agency. For complete article see: http://english.donga.com/srv/service.php3?bicode=040000&biid=2006040679888 From lyger at attrition.org Fri Apr 7 07:54:44 2006 From: lyger at attrition.org (lyger) Date: Fri, 7 Apr 2006 07:54:44 -0400 (EDT) Subject: [Dataloss] Data breach at Progressive highlights insider threat (fwd) Message-ID: From: InfoSec News Date: Fri, 7 Apr 2006 00:33:56 -0500 (CDT) http://www.computerworld.com/securitytopics/security/holes/story/0,10801,110303,00.html By Jaikumar Vijayan APRIL 06, 2006 A recent case in which an employee at Progressive Casualty Insurance Co. wrongfully accessed information on foreclosure properties she was interested in buying highlights again the dangers posed to corporate security by insiders. Progressive officials today confirmed that the company sent out letters in January to 13 people informing them that confidential information, including names, Social Security numbers, birth dates and property addresses had been wrongfully accessed by an employee who has since been fired. 
Michael O'Connor, a spokesman for the Mayfield Village, Ohio-based company, said officials were alerted to the situation when a local woman complained about receiving calls from a Progressive agent inquiring about her house being under foreclosure. "What happened was that the former employee, who purchased foreclosure property, wrongly used the information in a real estate database," O'Connor said. Though there was no actual hacking involved to get at the data, her actions constituted a violation of Progressive's code of ethics, O'Connor said. "We investigated the situation, the employee was terminated, and we alerted the people whose data was accessed," he said, adding that the matter was resolved in January. [...] From lyger at attrition.org Fri Apr 7 13:06:20 2006 From: lyger at attrition.org (lyger) Date: Fri, 7 Apr 2006 13:06:20 -0400 (EDT) Subject: [Dataloss] Senator questions FBI on ChoicePoint contract Message-ID: http://www.computerworld.com/securitytopics/security/story/0,10801,110248,00.html Senator questions FBI on ChoicePoint contract Leahy wants to know why DOJ's still doing business with breached firm News Story by Grant Gross APRIL 05, 2006 (IDG NEWS SERVICE) - A top Democrat in the U.S. Senate questioned Wednesday why the U.S. Department of Justice continues to do business with data broker ChoicePoint Inc. a year after the company announced a data breach potentially affecting 145,000 U.S. residents. Sen. Patrick Leahy (D-Vt.) blasted the DOJ and the FBI division for a recent five-year, $12 million contract for ChoicePoint to provide investigative analysis software to the FBI. In February 2005, ChoicePoint announced a data breach after criminals set up fake businesses that purchased private information from the data broker. "What in heaven's name are we doing allowing someone as careless as ChoicePoint to be in control of our data?" Leahy said at a subcommittee hearing on the DOJ's 2007 budget. 
"I consider them the poster child for lax security protection." [...] From lyger at attrition.org Fri Apr 7 13:28:35 2006 From: lyger at attrition.org (lyger) Date: Fri, 7 Apr 2006 13:28:35 -0400 (EDT) Subject: [Dataloss] Domain Registrar Exposes Customer Data Message-ID: http://www.infoworld.com/article/06/04/07/77238_HNregistrarexposed_1.html A database problem with a U.S. domain name registrar exposed sensitive financial and personal information relating to thousands of domain name registrations, a Dutch company said Friday. DiscountDomainRegistry.com, of New York, fixed the problem shortly after being notified Thursday, said Nico Vandendries, chief executive officer of Strongwood, a private investigation company based in the Netherlands. DiscountDomainRegistry.com Chief Executive Officer Alex Brecher said in an e-mail to the IDG News Service that the company is 100 percent positive customer data was not compromised. The "alleged vulnerability," he wrote, was patched within minutes after the company was contacted by Strongwood. [...] From jericho at attrition.org Fri Apr 7 13:30:25 2006 From: jericho at attrition.org (security curmudgeon) Date: Fri, 7 Apr 2006 13:30:25 -0400 (EDT) Subject: [Dataloss] Senator questions FBI on ChoicePoint contract In-Reply-To: References: Message-ID: : http://www.computerworld.com/securitytopics/security/story/0,10801,110248,00.html : : Senator questions FBI on ChoicePoint contract : Leahy wants to know why DOJ's still doing business with breached firm : : News Story by Grant Gross : : APRIL 05, 2006 (IDG NEWS SERVICE) - A top Democrat in the U.S. Senate : questioned Wednesday why the U.S. Department of Justice continues to do : business with data broker ChoicePoint Inc. a year after the company : announced a data breach potentially affecting 145,000 U.S. residents. : : Sen. Patrick Leahy (D-Vt.) 
blasted the DOJ and the FBI division for a : recent five-year, $12 million contract for ChoicePoint to provide : investigative analysis software to the FBI. In February 2005, : ChoicePoint announced a data breach after criminals set up fake : businesses that purchased private information from the data broker. : : "What in heaven's name are we doing allowing someone as careless as : ChoicePoint to be in control of our data?" Leahy said at a subcommittee : hearing on the DOJ's 2007 budget. "I consider them the poster child for : lax security protection." Which brings up the point, when do you trust these companies again? Does a significant dataloss incident destroy all trust? Is it a permanant black eye that they are likely never to recover from? Seems like such an incident would take a lot to recover from. So, for the list subscribers, what would it take for you to resume business with a company that lost your data? From cwalsh at cwalsh.org Fri Apr 7 14:34:37 2006 From: cwalsh at cwalsh.org (Chris Walsh) Date: Fri, 7 Apr 2006 13:34:37 -0500 Subject: [Dataloss] Senator questions FBI on ChoicePoint contract In-Reply-To: References: Message-ID: <20060407183436.GC12776@cwalsh.org> On Fri, Apr 07, 2006 at 01:30:25PM -0400, security curmudgeon wrote: > > Seems like such an incident would take a lot to recover from. So, for the > list subscribers, what would it take for you to resume business with a > company that lost your data? "It depends". If a mom and pop operation trusted a consultant to set up their POS system, and they exposed my CC#, but fixed it fast and put in measures to detect/prevent a recurrence, I'd continue to do business. If a hospital, pharmacy, or HR benefits service provider exposed my data via a screwup on the level of CardSystems, I would (assuming I had a choice) never, ever, go back. 
In fact, to use the benefits provider or pharmacy examples, I would inform future employers during the negotiation/offer process that their routing my PII through these outfits was a deal killer. Especially where there is competition (Big 4, please pay attention), this is a way to effect change, IMO. In other words, could they have known, should they have known, how much was actually put at risk, and what did they do about it would all be things I would use in my decision-making. From hobbit at avian.org Fri Apr 7 16:14:56 2006 From: hobbit at avian.org (*Hobbit*) Date: Fri, 7 Apr 2006 20:14:56 +0000 (GMT) Subject: [Dataloss] Senator questions FBI on ChoicePoint contract Message-ID: <20060407201456.DE1ECC31A@relayer.avian.org> Which brings up the point, when do you trust these companies again? Does a significant dataloss incident destroy all trust? Is it a permanant black eye that they are likely never to recover from? Absolutely. It's time for organizations that allow this sort of crap to happen to step ASIDE for someone who will take one look at today's situation, say "this is all useless crap", and do it right from the ground up. It is SO high time. The incumbents deserve no better than to crumble and fall. I am seriously considering bailing out of at least one investment fund whose name I've seen go by recently, on loudly-stated grounds that they're too stupid to be trusted handling any of my money. No, that doesn't help anyone ascertain where to turn to instead.. _H* From blitz at strikenet.kicks-ass.net Sat Apr 8 08:33:04 2006 From: blitz at strikenet.kicks-ass.net (blitz) Date: Sat, 08 Apr 2006 08:33:04 -0400 Subject: [Dataloss] Senator questions FBI on ChoicePoint contract In-Reply-To: <20060407201456.DE1ECC31A@relayer.avian.org> References: <20060407201456.DE1ECC31A@relayer.avian.org> Message-ID: <7.0.1.0.2.20060408083125.03e15068@strikenet.kicks-ass.net> I agree there should be punishment for gross, negligent stupidity. Let the market dole it out. 
It will make other more diligent. At 16:14 4/7/2006, you wrote: > Which brings up the point, when do you trust these companies > again? Does a significant dataloss incident destroy all trust? Is > it a permanant black eye that they are likely never to recover from? > >Absolutely. It's time for organizations that allow this sort of crap >to happen to step ASIDE for someone who will take one look at today's >situation, say "this is all useless crap", and do it right from the >ground up. It is SO high time. The incumbents deserve no better >than to crumble and fall. > >I am seriously considering bailing out of at least one investment >fund whose name I've seen go by recently, on loudly-stated grounds >that they're too stupid to be trusted handling any of my money. No, >that doesn't help anyone ascertain where to turn to instead.. > >_H* >_______________________________________________ >Dataloss Mailing List (dataloss at attrition.org) >http://attrition.org/errata/dataloss/ > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://attrition.org/pipermail/dataloss/attachments/20060408/6873f971/attachment.html From rforno at infowarrior.org Mon Apr 10 22:01:25 2006 From: rforno at infowarrior.org (Richard Forno) Date: Mon, 10 Apr 2006 22:01:25 -0400 Subject: [Dataloss] Florida county posts residents' sensitive data on public Web site Message-ID: http://www.computerworld.com/printthis/2006/0,4814,110389,00.html Florida county posts residents' sensitive data on public Web site Social Security numbers, bank info on current, former residents exposed News Story by Jaikumar Vijayan APRIL 10, 2006 (COMPUTERWORLD) - The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents in Florida's Broward County are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on the county?s Web site. A county official said the information available on the Web is in full compliance with state statutes that require counties to post public documents on the Internet. The information has been available on the Internet for several years and poses a serious risk of identity theft and fraud, said Bruce Hogman, a county resident who informed the Broward County Records Division of the problem about two weeks ago. [View more Data Security Breaches coverage] The breach stems from the county?s failure to redact, or remove, sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures, passport numbers, green card details and bank account information. ?Here is the latest treasure trove available to identity thieves, and it is free to the public, courtesy of the Florida state legislature in its great Internet savvy,? Hogman said. 
The easy availability of such sensitive data also poses a security threat at a time of heightened terrorist concerns, he said. Sue Baldwin, director of the Broward Count Records Division, said the county is aware of Hogman?s concerns but said that her office is in compliance with state laws requiring all state recorders to maintain a Web site for official records. As part of its statutory requirements, the public records search section of www.broward.org contains images of public records dating back to 1978, many of which are likely to contain sensitive information such as Social Security numbers, she said. According to Baldwin, certain documents recorded after June 5, 2002, such as military discharges, family court records, juvenile court records, probate law documents and death certificates are automatically blocked from the public record under current Florida law. But the same information recorded prior to the June 2002 cutoff has been posted on the county site, she said. Up to now ?recorders have no statutory authority to automatically remove Social Security, bank account and driver's license numbers,? from public records, she said. A new statute set to take effect Jan. 1, 2007, will require county recorders to remove Social Security numbers, bank account numbers and credit card and debit card numbers from public documents before posting documents online, she said. To ensure compliance with the requirement, Broward County issued a Request for Letters of Interest from vendors of redaction software in February 2005 and has already selected Aptitude Solutions Inc. for the work, Baldwin said. ?The software will be used to redact information from all images displayed on the county records Web site,? including those already posted, Baldwin said. ? I do not know how long the actual process will take, but we intend to comply with the statutory requirements, including deadline.? 
Until that time, individuals who want sensitive information removed from an image or a copy of a public record can individually request that in writing, she said. Such a request must specify the identification page number that contains the Social Security number or other sensitive information, she said. ?We have provided information pertaining to requesting redaction of protected information on our Web site at www.broward.org/records, since 2002,? Baldwin said. Since Hogman expressed his concerns, the county has made the redaction request information more prominent on its Web site and is also working on creating a special e-mail box for handling redaction requests. ?Aside from making the redaction request process as user-friendly and speedy as possible, I do not have the independent authority to take any additional action regarding removing material from the public records,? she said. Baldwin added that the information available on the Web is also freely available for public purchase and inspection at the county offices. ?Professional list-making companies have always purchased copies of records and data from recorders to use in the creation of specialized marketing lists, which they sell,? she said. So too have title insurance underwriters and credit reporting agencies. Hogman, who wants the records taken down until a solution is found, said he has contacted several people -- including state legislators, both of the state's U.S. senators, the FBI and the U.S. Federal Trade Commission. So far, he has not heard back from anyone except Baldwin. ?In my estimation, ?do nothing? is not a good solution because it leaves the information out there for public viewing ? he said. 
From lyger at attrition.org Tue Apr 11 16:04:21 2006 From: lyger at attrition.org (lyger) Date: Tue, 11 Apr 2006 16:04:21 -0400 (EDT) Subject: [Dataloss] (Semi-OT) CompTIA Press Release Regarding Security Breaches Message-ID: (not exclusive to data loss and data theft, but related) http://www.comptia.org/about/pressroom/get_pr.aspx?prid=903 Organizations Ignoring Main Culprit in Information Security Breaches, New CompTIA Research Reveals Oakbrook Terrace, IL, April 11, 2006 - Organizations are doing little to address the most serious threat to their information security and technology infrastructure, according to new research released today by the Computing Technology Industry Association (CompTIA). Human error was responsible for nearly 60 percent of information security breaches experienced by organizations over the last year, according to the fourth annual CompTIA study on information security and the workforce. That figure is significantly higher than one year ago, when 47 percent of security breaches were blamed on human error alone. Yet despite the prominent role that human behavior plays in information security breaches, just 29 percent of the 574 organizations that participated in the survey said that security training is a requirement at their company. Only 36 percent of organizations offer end-user security awareness training. "The primary cause of security breaches - human error - is not being adequately addressed," said Brian McCarthy, chief operating officer, CompTIA. "The person behind the PC continues to be the primary area where weaknesses are exposed." Over the past several years a sophisticated security infrastructure that is better able to detect and prevent attacks has emerged. The CompTIA study found that antivirus software is nearly universal (96 percent penetration); and the vast majority or organizations utilize firewalls and proxy servers (91 percent). 
Disaster recovery plans, intrusion detection systems and written information security policies are also popular measures. "As we get better from a technology standpoint, many organizations seem to believe that technology solutions alone are sufficient to turn back all attacks, and a level of complacency may be setting in," McCarthy said. "The fact remains that no technology on its own can be completely successful without an equally strong commitment to information security awareness and training throughout every level of the organization." For its part, CompTIA offers its CompTIA Security+. certification, a foundation-level, vendor-neutral professional certification for network security practitioners with two years. experience and who have daily 'hands-on' responsibility for information security. The certification was developed with the involvement of some 1,100 experts around the world with first-hand experience in IT security implementation. Virus, worm attacks still prevalent Virus and worm attacks were the most commonly mentioned security problem, as they have been through all four years of the CompTIA study on information security. A lack of user awareness, browser-based attacks and remote access were the next most frequently mentioned security problem areas. About 40 percent of organizations participating in the survey said they had experienced at least one security attack in the past year. The most severe security breaches were reported by large organizations (7,000 or more employees) and educational institutions. The financial impact of information security issues was vividly illustrated when survey respondents were asked to place a dollar value on the cost of their last security breach. The mean values were over $11,000 for the last security breach and just under $35,000 for breaches over the last year. 
Some organizations reported a financial impact above $50,000 for security breaches, showing that while a 'garden variety' breach may be little more than an inconvenience, the potential for serious harm is always present. CompTIA commissioned TNS Prognostics, a leader in market research and consulting for the IT industry, to conduct the study to identify current IT security practices and highlight security challenges confronted by organizations of varying sizes and sectors. For more information on the study please visit: http://www.comptia.org/sections/research.aspx. About CompTIA The Computing Technology Industry Association (CompTIA) represents the business interests of the information technology (IT) industry. For 24 years CompTIA has provided research, networking and partnering opportunities to its 20,000 member organizations in more than 100 countries worldwide. CompTIA initiatives extend to areas such as convergence technologies, electronic commerce, information security, IT services, public policy, skills development, and software. CompTIA helps organizations maximize the benefits they receive from their investments in technology; and assists IT workers in obtaining the skills they need for productive careers in technology. For more information, please visit: www.comptia.org. Contact: Steven Ostrowski CompTIA Phone: 630-678-8468 Email: sostrowski at comptia.org From jericho at attrition.org Wed Apr 12 02:13:13 2006 From: jericho at attrition.org (security curmudgeon) Date: Wed, 12 Apr 2006 02:13:13 -0400 (EDT) Subject: [Dataloss] Hackers Access Financial Data At UMDNJ Message-ID: Courtesy of ISN: http://wcbstv.com/topstories/local_story_099123340.html Hackers Access Financial Data At UMDNJ Apr 9, 2006 (AP) NEWARK Computer hackers were able to gain access to the Social Security numbers and other confidential financial information of almost 2,000 University of Medicine and Dentistry of New Jersey students and alumni, university officials said. 
UMDNJ kept the electronic break-in quiet while it investigated if the information -- including the tuition aid and loan information of about 700 students and 1,150 alumni -- could be used by the hackers. So far, officials believe the information was accessed, but initial reports suggest that no information was taken. However, computer experts are still investigating the incident.

"We know it was hacked into because there were some things on it that did not belong -- pranks and games," UMDNJ interim President Bruce C. Vladeck told The Sunday Star-Ledger.

The breach was discovered Feb. 24 by UMDNJ's office of Business Conduct, although officials did not disclose when the incident itself occurred. Robert Johnson, interim dean of UMDNJ's New Jersey Medical School, sent letters to students on Friday notifying them they had been "exposed to an increased risk of identity theft."

This hacking incident came on the heels of another incident in February, in which hackers tried to get into the university's networks. However, officials said that attempt was unsuccessful because the payroll computer the hackers were trying to break into contained only test data and not actual payroll information.

From cwalsh at cwalsh.org Wed Apr 12 08:02:56 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 12 Apr 2006 07:02:56 -0500
Subject: [Dataloss] retailer breach reveals CC application details
Message-ID:

NEW YORK (Reuters) - Ross-Simons, which sells specialty merchandise through retail stores and more than 60 million catalogs each year, late on Tuesday said a security breach could allow unauthorized access to its customers' confidential financial information.

The company -- whose products include jewelry, gifts and home decorative merchandise -- said the data breach has potential to harm individuals who had applied for its private label credit card.
Although the security snafu has been identified and corrected and the matter is under investigation, Ross-Simons said it may have exposed the private label credit card numbers and other personal information of those that had applied for the cards.

"Ross-Simons has engaged an independent third party to conduct an immediate external audit of its security procedures," the company said in a statement, as the retailer continues to notify all affected customers in order to minimize their possible risks.

Via http://today.reuters.com/news/articlenews.aspx?type=businessNews&storyid=2006-04-12T074826Z_01_N12273963_RTRUKOC_0_US-RETAIL-ROSSSIMONS.xml

From lyger at attrition.org Wed Apr 12 13:05:20 2006
From: lyger at attrition.org (lyger)
Date: Wed, 12 Apr 2006 13:05:20 -0400 (EDT)
Subject: [Dataloss] U.S. Military Secrets for Sale at Afghan Bazaar
Message-ID:

Via Bruce Schneier's weblog: http://www.schneier.com/blog/

http://www.latimes.com/news/nationworld/world/la-fg-disks10apr10,0,5854905,full.story

By Paul Watson, Times Staff Writer
April 10, 2006

BAGRAM, Afghanistan - No more than 200 yards from the main gate of the sprawling U.S. base here, stolen computer drives containing classified military assessments of enemy targets, names of corrupt Afghan officials and descriptions of American defenses are on sale in the local bazaar.

Shop owners at the bazaar say Afghan cleaners, garbage collectors and other workers from the base arrive each day offering purloined goods, including knives, watches, refrigerators, packets of Viagra and flash memory drives taken from military laptops. The drives, smaller than a pack of chewing gum, are sold as used equipment.

The thefts of computer drives have the potential to expose military secrets as well as Social Security numbers and other identifying information of military personnel.

...

The drives also included deployment rosters and other documents that identified nearly 700 U.S. service members and their Social Security numbers, information that identity thieves could use to open credit card accounts in soldiers' names.

[...]

From jericho at attrition.org Thu Apr 13 06:01:19 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 13 Apr 2006 06:01:19 -0400 (EDT)
Subject: [Dataloss] Breach Exposes Ross-Simons Credit Card Information
Message-ID:

Courtesy of ISN:

http://www.turnto10.com/consumerunit/8649210/detail.html

Breach Exposes Ross-Simons Credit Card Information
April 12, 2006

Rhode Island retailer Ross-Simons said the personal information of thousands of credit card applicants may have been compromised.

NBC 10 Consumer Reporter Audrey Laganas reported that about 32,000 accounts were potentially at risk. All of the accounts belong to customers who applied for a Ross-Simons credit card between October 2004 and April 4 of this year.

Ross-Simons said a data breach resulted in the unauthorized access of credit card application data, including Social Security numbers, credit card numbers, expiration dates and other personal information.

Ross-Simons said it is notifying all affected customers and will help them minimize any risk created by the breach. The company is offering 12 months of free credit bureau monitoring for affected customers, NBC 10 reported.

The retailer said it verified the breach on April 4 and reported it to the FBI.

"The cause of the external system breach has been identified and corrected. Private label customer application information is no longer being stored by Ross-Simons," a news release said.

Ross-Simons did not disclose specifics of how the breach happened or how it was discovered. The company said it has hired an independent third party to conduct an immediate external audit of its security procedures.

Ross-Simons customers can call (888) 838-0815 for additional information. A list of frequently asked questions is posted on the Ross-Simons Web site.
From lyger at attrition.org Fri Apr 14 17:34:52 2006
From: lyger at attrition.org (lyger)
Date: Fri, 14 Apr 2006 17:34:52 -0400 (EDT)
Subject: [Dataloss] Wells Fargo Not Required to Encrypt Data
Message-ID:

http://news.com.com/2100-1030_3-6061400.html

What: Wells Fargo Bank customers sue after their personal financial data was stolen from a contractor that had not encrypted the information.

When: U.S. District Judge David Doty in Minnesota ruled on March 16.

Outcome: Wells Fargo was found not to be negligent because the information was never misused by the thieves.

What happened, according to court documents: Wells Fargo had hired Regulus Integrated Solutions to print monthly statements for certain customers who had mortgages and student loans from its subsidiaries. In October 2004, thieves stole computers from Regulus with unencrypted customer information including names, addresses, Social Security numbers and account numbers. A few weeks later, Wells Fargo alerted its customers and offered to provide identity protection services.

There has never been any indication to date that thieves did anything with the data (in other words, they appear to have been after the computer hardware instead). Nevertheless, two of the bank's customers, Kristine Forbes and Morgan Koop, filed a class action suit anyway. They claimed that Wells Fargo was liable for emotional distress (including fear, anxiety and worry), negligence, breach of contract and breach of fiduciary duty. Forbes and Koop claimed that Wells Fargo owed them a cash payout because they had to spend extra time monitoring their credit reports.

[...]
From lyger at attrition.org Sat Apr 15 10:43:51 2006
From: lyger at attrition.org (lyger)
Date: Sat, 15 Apr 2006 10:43:51 -0400 (EDT)
Subject: [Dataloss] University of South Carolina Mass e-mail Compromises Student IDs
Message-ID:

http://www.msnbc.msn.com/id/12322162/

University of South Carolina officials are advising students to watch their credit reports after the Social Security numbers of as many as 1,400 students were mistakenly e-mailed to classmates.

A department chairwoman distributing information about summer classes accidentally attached a database file to an e-mail she sent Sunday. The database included students' Social Security numbers.

So far, the school is not aware of any misuse of the information, but officials notified students of the lapse Monday and suggested they take precautions against identity theft.

[...]

From cwalsh at cwalsh.org Sun Apr 16 16:08:08 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sun, 16 Apr 2006 15:08:08 -0500
Subject: [Dataloss] Stolen computer contained health data
Message-ID:

Data privacy breach affects FHA
By Jeff Nagel
Black Press
Apr 16 2006

Fraser Health Authority (FHA) employees have been warned that some of them who used an ultra-confidential counselling service may have had their privacy breached as a result of a theft of a computer.

The computer with a disk inside it went missing in March from the Vancouver office of the Employee and Family Assistance Program (EFAP) run by the Vancouver Coastal Health Authority.

The disk contained the names, birth dates, contact information and referral reasons for thousands of Lower Mainland health workers who sought help for intensely personal problems.

The service offers help with relationship counselling, drug or alcohol addictions, sexuality questions, abuse, loss and grief, and stress or emotional traumas - among other issues.

"People who use the EFAP program are often going through a crisis of some kind," said Hospital Employees' Union spokesman Mike Old.
"The theft of that information is of great concern to the union and its members."

Fraser Health Authority spokesman Paul Harris said the authority doesn't know how many of its employees are affected.

"Because it's a confidential service we have no idea who has used it," he said.

Old said the HEU is troubled that health authority employees weren't notified of the theft until April 6 - 10 days after it happened.

The notification from EFAP indicated the data had some degree of encryption and might not be readily viewable.

"We have no reason to believe that the individual who stole the equipment is even aware or has any plans to use the information," it says.

EFAP says it is reviewing its security measures.

B.C.'s Information and Privacy Commissioner is investigating the theft and monitoring the response.

[from http://www.theprogress.com/portals-code/list.cgi?paper=39&cat=23]

From lyger at attrition.org Tue Apr 18 10:20:19 2006
From: lyger at attrition.org (lyger)
Date: Tue, 18 Apr 2006 10:20:19 -0400 (EDT)
Subject: [Dataloss] FBI: No credit card data breach in N.H. state server case
Message-ID:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,110612,00.html

News Story by Todd R. Weiss

APRIL 17, 2006 (COMPUTERWORLD) - An FBI investigation has concluded that no consumer credit or debit card information was stolen from a New Hampshire state computer server in February because a suspect Cain & Abel password recovery program found on the hardware had never been activated.

In an announcement on Friday, New Hampshire Attorney General Kelly Ayotte said that the FBI probe determined that no data theft occurred because the program, which can be misused by hackers for malicious purposes, was never run.

"As a result of this finding, the state has concluded that it is very unlikely that any credit card or debit card information was accessed by identity thieves," Ayotte said in a statement.

The FBI, the U.S. Department of Justice and New Hampshire officials began investigating the potential security breach after Cain & Abel was found on a state server during a routine security check two months ago (see "N.H. Breach May Have Exposed Credit Card Data"). The New Hampshire Division of Motor Vehicles and the state Veterans Home used the server to transmit financial information, while the New Hampshire Liquor Commission used it as a backup for sales transactions. The server held only credit card numbers; no other personal information was stored on it, officials said.

[...]

From lyger at attrition.org Thu Apr 20 10:14:51 2006
From: lyger at attrition.org (lyger)
Date: Thu, 20 Apr 2006 10:14:51 -0400 (EDT)
Subject: [Dataloss] The Anti-ID-Theft Bill That Isn't
Message-ID:

http://www.wired.com/news/columns/0,70690-0.html

By Bruce Schneier
02:00 AM Apr, 20, 2006

California was the first state to pass a law requiring companies that keep personal data to disclose when that data is lost or stolen. Since then, many states have followed suit. Now Congress is debating federal legislation that would do the same thing nationwide.

Except that it won't do the same thing: The federal bill has become so watered down that it won't be very effective. I would still be in favor of it -- a poor federal law is better than none -- if it didn't also pre-empt more-effective state laws, which makes it a net loss.

Identity theft is the fastest-growing area of crime. It's badly named -- your identity is the one thing that cannot be stolen -- and is better thought of as fraud by impersonation. A criminal collects enough personal information about you to be able to impersonate you to banks, credit card companies, brokerage houses, etc. Posing as you, he steals your money, or takes a destructive joyride on your good credit.

Many companies keep large databases of personal data that is useful to these fraudsters.
But because the companies don't shoulder the cost of the fraud, they're not economically motivated to secure those databases very well. In fact, if your personal data is stolen from their databases, they would much rather not even tell you: Why deal with the bad publicity?

[...]

From lyger at attrition.org Fri Apr 21 09:36:35 2006
From: lyger at attrition.org (lyger)
Date: Fri, 21 Apr 2006 09:36:35 -0400 (EDT)
Subject: [Dataloss] Man charged with accessing USC student data
Message-ID:

http://www.securityfocus.com/brief/191

Posted by: Robert Lemos

Federal prosecutors charged a San Diego-based computer expert on Thursday with breaching the security of a database server at the University of Southern California last June and accessing confidential student data.

A statement from the U.S. Attorney for the Central District of California names 25-year-old Eric McCarty as the person who contacted SecurityFocus last June with news of a flaw in the Web server and database system used to accept online applications from prospective students. SecurityFocus notified the University of Southern California of the vulnerability and worked with the university to close the flaw before publishing an article about the issue.

The flaw could have allowed an attacker to send commands to the database that powered the site by using the user name and password text boxes. USC's Information Services Division confirmed the problem and shuttered the site, which contained data on nearly 280,000 applicants, on June 20 as a precaution. The university believes, and the prosecutors allege, that only a handful of records were actually accessed.

[...]
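The USC brief above describes a login form whose user name and password text boxes let input reach the database as SQL. The following is an added illustration of that class of defect and its fix, not code from USC's application or from the SecurityFocus article: a login check built by string concatenation beside the same check written with bound parameters, run against a constructed in-memory SQLite table. The user names, passwords and table layout are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not USC's schema or users).
USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately defective login check: the form fields are pasted
    straight into the SQL text, so quote characters typed into the
    text boxes change the statement instead of being compared."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: bound parameters keep the form fields as data.
    Quotes and SQL keywords inside the value are compared literally."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run both checks with valid credentials and with the textbook
    tautology input, returning the four outcomes for inspection."""
    conn = make_db()
    tautology = "' OR '1'='1"  # classic illustrative input, constructed here
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "valid_parameterized": login_parameterized(conn, "alice", "correct horse"),
        "tautology_vulnerable": login_vulnerable(conn, tautology, tautology),
        "tautology_parameterized": login_parameterized(conn, tautology, tautology),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

The concatenated version accepts the tautology input because the quotes it carries close the string literal and the remainder becomes part of the WHERE clause; the parameterized version rejects it because the whole string is compared against the username column as one value. The same change (placeholders plus a parameter tuple) applies to any database driver that supports bound parameters, and it is the fix that closes the class of flaw the brief describes regardless of which specific characters an input carries.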
From lyger at attrition.org Sun Apr 23 20:35:59 2006
From: lyger at attrition.org (lyger)
Date: Sun, 23 Apr 2006 20:35:59 -0400 (EDT)
Subject: [Dataloss] Computer Records on 197,000 People Breached at University of Texas
Message-ID:

http://www.statesman.com/news/content/news/stories/local/04/24utcomputers.html

Computerized records on nearly 200,000 people with ties to the University of Texas' McCombs School of Business have been accessed without authorization by someone operating from the Far East, the university's president announced today.

The records, which in some cases include Social Security numbers, involve faculty members, current and prospective students, staff members, alumni and corporate recruiters, UT President William Powers Jr. said at a hastily called news conference this afternoon. He said records on 197,000 people were accessed by one or more people in Asia.

Powers and other university officials urged anyone with a connection to the business school to take steps to guard against identity theft. Steps on how to do so, including posting a fraud alert with credit agencies, are outlined on a Web site set up by the university. The site is accessible through the university's home page, www.utexas.edu.

[...]

From rforno at infowarrior.org Tue Apr 25 20:38:17 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 25 Apr 2006 20:38:17 -0400
Subject: [Dataloss] LexisNexis finds disclosure meant less pain in data theft
Message-ID:

LexisNexis finds disclosure meant less pain in data theft
At InfoSec conference, the company found that being open about breach paid off

http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/04/25/77752_HNinfosecdatatheft_1.html

By Jeremy Kirk, IDG News Service
April 25, 2006

After a high-profile security breach exposed personal data about thousands of customers, LexisNexis found that being forthright was the best approach, according to a company executive.
By being forthcoming with the public and victims the company survived with minimal impact, said Leo Cronin, LexisNexis senior director for information security, Tuesday at the Infosec Europe 2006 conference in London. The security breach hit LexisNexis, which is owned by Reed Elsevier PLC, early last year.

"I think that's why we were so successful in dealing with this," Cronin said of the decision to be open and direct about the breach. LexisNexis is breaking its silence over the incident to help educate and get feedback about approaches to breaches, he said.

LexisNexis faced a worst-case scenario after it acquired Seisint Inc. of Boca Raton, Florida, in September 2004. Seisint is a data broker, collecting personal information and providing it to law enforcement and private companies for services such as debt recovery and fraud detection.

Attackers went after the service's "less sophisticated customers" with a social engineering ploy that left the identities of up to 300,000 people at risk, Cronin said.

The company's customers received an e-mail with a pornographic lure, Cronin said. The mail also contained a worm and a keystroke logger, which stole LexisNexis credentials, specifically for its risk management services, he said.

"It was very coveted data," he said. "I think we didn't really realize how much of a risk it was."

But when the damage became clear, LexisNexis made an immediate decision to be forthcoming and transparent about the breach, he said. "We tried to do the best job we could," he said.

The company contacted all those who were affected by the attack using the framework of a California data security disclosure law passed in 2003 as a guide, Cronin said.

The law is catching up after the high-profile cases of last year, including ChoicePoint Inc., a data broker that acknowledged divulging sensitive personal information to identity thieves posing as customers.
So far in the U.S., 20 states have implemented notification laws, and a federal law is under consideration.

After the data breach, LexisNexis took several steps to implement stronger security, Cronin said. The company reviewed the security of all its Web applications and created new procedures for verifying customers with access to sensitive data, he said.

LexisNexis encouraged certain customers to sign up for antivirus software. It revamped online security access, looking at password complexity and expiration times. The company also implemented measures to automatically detect anomalies in use of its products to identify potential security problems, Cronin said.

LexisNexis learned other lessons. Passwords are dead, Cronin said, and two-factor authentication is recommended. But front-door perimeter attacks are less likely than the persistent weak link: people.

"Attackers are effective at going after low hanging fruit," Cronin said.

REFERENCES:
Hackers grab LexisNexis info on 32,000 people, Mar. 9, 2005
ChoicePoint to give up some personal data sales, Mar. 4, 2005
ChoicePoint's error sparks talk of ID theft law, Feb. 23, 2005

From jericho at attrition.org Wed Apr 26 03:31:09 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 26 Apr 2006 03:31:09 -0400 (EDT)
Subject: [Dataloss] Proposed AZ data-theft bill has critics
Message-ID:

Courtesy of ISN:

http://www.azstarnet.com/dailystar/business/126149

By Scott Simonson
arizona daily star
Tucson, Arizona
04.25.2006

If a hacker steals your bank card number in Arizona, there's no state requirement that your bank or a merchant involved notify you.

That could change if Gov. Janet Napolitano signs a bill passed by the Legislature last week.

Consumers Union, the non-profit group that publishes Consumer Reports magazine, has criticized the proposed law as ineffective.
Arizona's law would allow companies to decide whether a computer-security breach is serious enough to deserve a consumer warning, said Gail Hillebrand, who heads Consumers Union's financial privacy campaign.

"Who's going to decide?" she said. "It's going to be the company who failed to protect your data."

Currently, Arizona receives much of its information about thefts of computer data from California, said Andrea Esquer, spokeswoman for Arizona Attorney General Terry Goddard. California requires all companies to report stolen information.

In 2003, California passed the first U.S. law requiring customer notification of breaches in companies' computerized data. At least 10 other states have followed suit, said Hillebrand.

Arizona's bill differs from California's in two important ways, she said.

California requires companies to report any security breach, Hillebrand said. Under the Arizona legislation, only breaches that "materially compromise" people's information must be reported. Depending upon how that language is interpreted, companies may be allowed to choose whether to tell consumers, Hillebrand said.

Arizona's law also exempts banks, hospitals and some government agencies. California's law requires all companies to report problems.

As of Monday, Napolitano had not acted on Senate Bill 1338, said Shilo Mitchell, spokeswoman for the governor.

The sponsor of the Arizona bill, Sen. John Huppenthal, R-Chandler, could not be reached for comment on Monday.

Rep. Marian McClure, R-Tucson, helped sponsor the bill in the House but said that consumers should be told about all computer security breaches. Senate Bill 1338 represents a step in the right direction, she said, although she introduced a stronger bill that failed earlier in the session.

"A consumer should have a right to know that the information has been stolen," she said, "to make sure who stole that information cannot steal my identity."
Consumer notification might help, but better enforcement and better information sharing are crucial, according to a Tucson couple who have been victims of identity theft.

Elisabeth and Stephen Klingler have discovered that three other people have been using his Social Security number. The Klinglers traced some of the thefts to other states, but law enforcement has not investigated, Elisabeth Klingler said.

The identity thefts have caused incorrect information about their credit to be reported to data brokers - businesses that collect people's information and sell it to other companies. The Klinglers said consumers need better laws to help clear false information from the files that companies keep.

The bad information has hindered them in buying a cell phone and taking out a store credit card, Elisabeth Klingler said, and it could one day affect their ability to buy another home.

"We're kind of giving up hope," she said. "It would take a lifetime to get the information corrected."

What the bill says

* Senate Bill 1338 would require businesses operating in Arizona to notify customers if a computer-security breach compromises their personal information.
* Companies that do not notify customers could face fines from the state attorney general.
* Government agencies would face the same requirements. The proposed law would not apply to banks, hospitals, health insurance companies, law enforcement agencies or courts.

Data thefts

* Some of the largest reported thefts of customer data since March 2005, according to ChoicePoint Asset Co.:

Disclosed by                              Date            Customers affected
Bank of America                           February 2005   1.2 million*
DSW shoes                                 March 2005      1.4 million
Ameritrade                                April 2005      200,000
Bank of America, Wachovia, other banks    April 2005      680,000
CitiFinancial                             June 2005       3.9 million
MasterCard                                June 2005**     40 million
OfficeMax                                 February 2006   200,000

* data of federal employees only
** related to security breach at CardSystems Solutions Inc. service center in Tucson

From lyger at attrition.org Wed Apr 26 15:10:37 2006
From: lyger at attrition.org (lyger)
Date: Wed, 26 Apr 2006 15:10:37 -0400 (EDT)
Subject: [Dataloss] Fraudsters steal details on 2,000 credit cards
Message-ID:

http://news.com.com/2100-7349_3-6065267.html

By Andy McCue
Special to CNET News.com

Fraudsters stole the credit card details of 2,000 MasterCard holders in a major security breach last week.

Silicon.com was contacted by one customer of the Clydesdale Bank, who was told that her MasterCard details, along with those of 2,000 other people, were "in the hands of a fraudster." The theft was detected and the card stopped before it could be used by the fraudster.

The Clydesdale Bank would not comment except to say it was advised of the problem by MasterCard.

[...]

From lyger at attrition.org Thu Apr 27 12:58:03 2006
From: lyger at attrition.org (lyger)
Date: Thu, 27 Apr 2006 12:58:03 -0400 (EDT)
Subject: [Dataloss] Purdue notifies grad students, applicants of possible security breach
Message-ID:

http://news.uns.purdue.edu/UNS/html3month/2006/060425.Smith.dataincident.html

April 26, 2006

WEST LAFAYETTE, Ind. - Purdue University's School of Electrical and Computer Engineering is notifying 1,351 individuals of a computer security breach involving their Social Security numbers.

"We have determined that an unauthorized person gained electronic access to a computer containing information belonging to current and former graduate students, applicants to graduate school, and a small number of applicants for undergraduate scholarships," said Mark Smith, head and professor of the School of Electrical and Computer Engineering. "While there is no evidence that their files have been accessed, the potential exists. Consequently, we have sent letters notifying each of these individuals of the incident."
The information had been entered during the past three years as part of an application process for graduate and undergraduate programs in the School of Electrical and Computer Engineering. The unauthorized access occurred in February.

[...]

From lyger at attrition.org Thu Apr 27 16:30:54 2006
From: lyger at attrition.org (lyger)
Date: Thu, 27 Apr 2006 16:30:54 -0400 (EDT)
Subject: [Dataloss] University of Alaska Fairbanks - 38,941 compromised?
Message-ID:

(about a week old, but previously unposted here - lyger)

http://www.news-miner.com/Stories/0,1413,113~7244~3295338,00.html

Article Published: Friday, April 21, 2006

Officials urge people to be on alert for fraud

While it's unclear whether a hacker stole the personal information of 38,941 current and former University of Alaska Fairbanks students, faculty and staff, authorities believe the announcement that it might have happened will certainly lead to fraud attempts.

"In an event like this, when you take this to the media to assist getting the information out, it turns around and bites us a little," said Sean McGee, UAF's acting police chief.

Officials have provided a Web site at www.uaf.edu/security with several pages of information available to those who might have had their names, Social Security numbers and partial e-mail addresses stolen by a hacker who installed an unauthorized program on a university computer server.

[...]

From cwalsh at cwalsh.org Thu Apr 27 20:42:51 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 27 Apr 2006 19:42:51 -0500
Subject: [Dataloss] Aetna hit via stolen laptop
Message-ID: <20060428004246.GA32504@cwalsh.org>

Approximately 38K insurees' info (including names, SSNs, some medical info) now in hands of thief. Majority of info belonged to DoD (ex)workers.
Details, links at http://www.emergentchaos.com/archives/2006/04/aetna_insurance38k_custom.html

(Not trying to pimp the site, just don't want to type it twice)

From lyger at attrition.org Fri Apr 28 12:53:41 2006
From: lyger at attrition.org (lyger)
Date: Fri, 28 Apr 2006 12:53:41 -0400 (EDT)
Subject: [Dataloss] Personal data of NY transit employees lost
Message-ID:

http://www.msnbc.msn.com/id/12521884/

Updated: 8:52 p.m. ET April 27, 2006

BOSTON - A company that stores records for the Long Island Railroad lost personal data including Social Security numbers for about 17,000 of the transit agency's current and former employees, apparently while the information was being delivered by a driver.

New York police on Thursday said the loss also involved data tapes belonging to the U.S. Department of Veterans Affairs. It was reported by the driver while his van was parked outside a VA hospital in the Bronx.

The records storage company, Boston-based Iron Mountain Inc., subsequently confirmed the loss also involved records of another customer besides the railroad, but declined to confirm whether the customer was the VA.

[...]

From lyger at attrition.org Fri Apr 28 17:23:46 2006
From: lyger at attrition.org (lyger)
Date: Fri, 28 Apr 2006 17:23:46 -0400 (EDT)
Subject: [Dataloss] Ohio recalls voter registration CDs; SSNs included
Message-ID:

http://www.computerworld.com/securitytopics/security/story/0,10801,110983,00.html?source=x73

News Story by Todd R. Weiss

APRIL 28, 2006 (COMPUTERWORLD) - The Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to some 20 political campaign operations in recent months as campaigns geared up for spring primary election races.

The problem was discovered Tuesday when one of the political campaigns contacted the Ohio secretary of state's office to say that the personal data was on the discs, even though it wasn't requested, said James Lee, a spokesman for Secretary of State J. Kenneth Blackwell.

All of the political organizations that received the CDs were immediately contacted and have agreed to return the discs for replacements that won't include the Social Security numbers, Lee said.

The records of about 7.7 million registered voters in Ohio are listed on the CDs, but Lee said he didn't know how many voter records included Social Security numbers. The records show what elections a voter participated in since 2002, along with their names and addresses.

[...]

From lyger at attrition.org Sat Apr 29 11:15:55 2006
From: lyger at attrition.org (lyger)
Date: Sat, 29 Apr 2006 11:15:55 -0400 (EDT)
Subject: [Dataloss] Intruders Breach DoD Health Care Server
Message-ID:

http://www.fcw.com/article94232-04-28-06-Web

The Defense Department announced April 28 that someone broke into a Tricare Management Activity (TMA) public server and gained access to information. The compromised information included personal information about military employees, DOD officials said.

"As a result of this incident, we immediately implemented enhanced security controls throughout the network and installed additional monitoring tools to improve security of existing networks and data files," said William Winkenwerder Jr., assistant secretary of defense for health affairs. "Such incidents are reprehensible, and we deeply regret the inconvenience this may cause the people we serve."

Investigators do not know the motive for the crime or whether the information has been misused. The Defense Criminal Investigative Service is participating in an investigation. DOD sent letters to employees who were affected by the intrusion to inform them of potential identity theft.

Tricare is DOD's Military Health System, which provides health care for members of the uniformed services and their families and for retirees. TMA oversees Tricare activities.
From rforno at infowarrior.org Sat Apr 29 19:09:47 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 29 Apr 2006 19:09:47 -0400
Subject: [Dataloss] SEC must fix data security weaknesses
Message-ID:

SEC must fix data security weaknesses
By John Poirier
Reuters
Saturday, April 29, 2006; 11:01 AM

http://www.washingtonpost.com/wp-dyn/content/article/2006/04/29/AR2006042900556_pf.html

WASHINGTON (Reuters) - It's a nightmare scenario: A hacker accesses e-mails in U.S. Securities and Exchange Commission computers and splashes them across the Internet, revealing an inquiry into a company that shakes investor confidence before the probe is complete.

Such an attack has never happened at the SEC, but computer experts say it could if the agency fails to tighten security.

The SEC, an investor protection agency that demands tight internal controls from the companies it oversees, was recently criticized by congressional investigators for not having its own house in order when it comes to cyber security.

The Government Accountability Office (GAO) said last month the SEC had failed to limit remote access to its servers, establish controls over passwords, securely configure all network devices, and adopt security monitoring procedures.

A successful hacker could use nonpublic information to make trouble for a targeted company or rival.

"It wouldn't necessarily be manipulation" of data by a hacker that would do the most harm, said Paul Kurtz, a former White House cyber security official. "It would be to expose information to damage another firm."

The SEC relies on computer systems to oversee the activities of stock exchanges, brokerage firms, clearing agencies and some 12,000 companies. It collects more than 600,000 public documents annually from companies, as well as confidential information in connection with enforcement cases.
LENGTHY REVIEW

The GAO staff spent five months last year assessing security at the agency's headquarters, a relatively new building in Washington D.C., and at its computer facility in nearby Alexandria, Virginia. The SEC also has 11 regional and district offices, which were not examined. "Overall, the SEC has not effectively implemented information security controls to properly protect the confidentiality, integrity, and availability of its financial and sensitive information and information systems," the GAO concluded. The investigators said the SEC has made "little progress" in tightening internal controls to protect its information. If a hacker successfully entered some of the SEC computers, "it's likely they (the agency) may not be able to detect it," said Gregory Wilshusen, lead author of the GAO report. There are no reports of an outsider burrowing into the SEC's computer systems, but there have been other incidents that make experts uneasy. Last year, the SEC charged an Estonian financial services firm and two of its employees with fraud for allegedly hacking into Business Wire and stealing corporate press release data that had not yet been made public. The pair made at least $7.8 million by strategically timing long, short and options trades based on the stolen information, according to the SEC. Corey Booth, director of the SEC's office of information technology, said there needs to be a cultural shift in the way the agency's more than 3,800 employees handle passwords, share information and develop systems at the agency. "At the end of day, it's about people who are in possession of data," Booth said. "We are fully committed to cleaning this stuff up by the end of this fiscal year" on September 30.

ASSESSING RISK

Kurtz, who is now executive director of the Cyber Security Industry Alliance, an information security advocacy group, agreed with Booth that SEC employees must help guard systems.
"This is not all about technology (such as) 'Do you have the right firewall and the right authentication technology?"' In its March report, the GAO said the SEC corrected eight of 51 weaknesses previously identified by the GAO. But the GAO audit also uncovered 15 new weaknesses that reflect the SEC's failure to develop a comprehensive security program. GAO investigators said the SEC increased security personnel and created a backup data center, but has not yet developed procedures to assess risks and analyze security incidents. "These controls are essential to ensure that financial information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction," the GAO investigators said. SEC Chairman Christopher Cox, who inherited the agency's computer shortcomings when he took over in August, has said information security is one of his top priorities in 2006 and steps have been taken on his watch to improve data security. For instance, the SEC has a new incident response program and a disaster recovery procedure for a dozen major computer applications using the SEC's back-up data center. "My feeling is that he (Cox) is on the right track, and that with increased technology, the SEC will be able to achieve the important objectives of the GAO's report," said Harvey Pitt, a former SEC chairman who is now a consultant. Early next month GAO staff will start another round of tests to see how much progress has been made.

© 2006 Reuters
