From Dissent at pogowasright.org Sun Dec 3 10:35:38 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sun, 3 Dec 2006 10:35:38 -0500 (EST)
Subject: [Dataloss] City of Grand Prairie posted sensitive employee info on website

http://www.wfaa.com/sharedcontent/dws/wfaa/latestnews/stories/wfaa061203_kd_gpidworries.4c17588e.html

GRAND PRAIRIE -- Some employees of a Grand Prairie business are concerned their personal records were not protected.

"You would never think that your employer would make that mistake," said an employee of the City of Grand Prairie who asked to remain anonymous.

She and other employees are on edge all because of a mistake revealed in a letter that said employees' personal information -- including their social security numbers -- ended up on the city's website.

It all started when the city began working with a contractor to iron out details for workers' compensation insurance for city employees. The proposal was put on the city's website, along with hundreds of employee names and social security numbers.

"It was a mistake, you know, on our part to tell you the truth," said Amy Sprinkles with the City of Grand Prairie. "We just didn't catch it."

The mistake wasn't caught for an entire year.

[...]


From lyger at attrition.org Tue Dec 5 12:42:10 2006
From: lyger at attrition.org (lyger)
Date: Tue, 5 Dec 2006 12:42:10 -0500 (EST)
Subject: [Dataloss] Personal info disappears from college

http://www.newsday.com/news/local/longisland/ny-licoll1205,0,7551763.story?coll=ny-top-headlines

Someone made off with a print-out of personal information about Nassau Community College's entire student body, more than 21,000 students, prompting the college to offer to pay for credit monitoring services for students for one year.

[...]

...said the assistant left her desk in the College Center Building for about 10 minutes. When she returned, the list was gone.

The list contained students' names, addresses, Social Security Numbers, and phone numbers, said Sgt. Anthony Repalone, a Nassau County Police spokesman.

[...]


From Dissent at pogowasright.org Tue Dec 5 22:47:53 2006
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 5 Dec 2006 22:47:53 -0500 (EST)
Subject: [Dataloss] Computer Stolen from 130th Airlift Wing in Charleston

http://www.statejournal.com/story.cfm?func=viewstory&storyid=17093

CHARLESTON -- A laptop computer with personal information about every member of West Virginia's Army National Guard 130th Airlift Wing in Charleston recently was stolen.

The government-owned laptop computer was stolen from a member of the unit while he was attending an official training course.

Maj. Todd Harrell said the computer's hard drive contains personal information, including Social Security numbers, names and birth dates of everyone in the 130th Airlift Wing.

[...]


From Dissent at pogowasright.org Wed Dec 6 08:26:19 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 6 Dec 2006 08:26:19 -0500 (EST)
Subject: [Dataloss] Premier Bank: Bank data stolen out of exec's vehicle

http://www.stltoday.com/stltoday/news/stories.nsf/stlouiscitycounty/story/FA09E9ED4578DAD48625723C001830CF?OpenDocument

[...]

Taken from the truck was a bound, blue book about the size of a laptop computer. It contained paper reports with the names and account numbers of 1,800 customers who had opened Premier accounts in October.

Bank executives said Tuesday they have written letters to the customers, advising them to monitor those accounts for the next 12 to 24 months.

The bank says the stolen papers contained no information that would put any accounts in jeopardy. And there have been no reports of thefts. But the missing names and account numbers were enough to require notifying customers and the FBI, said Mike Anderson, bank president and chief operating officer.

[...]
Without Social Security numbers or other personal information, Anderson said, he doubts a thief could get into the accounts.

[...]


From jericho at attrition.org Wed Dec 6 21:42:04 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 6 Dec 2006 21:42:04 -0500 (EST)
Subject: [Dataloss] followup: Kaiser Letter

http://attrition.org/dataloss/2006/11/kais01.html

This is the letter sent out, presumably to ~ 38,000 people. Typos are my own.

--

November 13, 2006

Dear [name],

I am writing to inform you that a laptop computer was stolen from the trunk of an employee's automobile on October 4, 2006 that contained information about you. The employee reported the theft to the police and Kaiser Permanente is cooperating with their investigation.

While we believe the risk is limited, there is a possibility that the information on the stolen device could be accessed. Therefore we wanted you to know what information was on it. The laptop device contained your name, medical record number, age, date of birth, sex, indicators related to industry standard health plan performance measures, information about your deductibles and co-pays, and your primary care provider's name. [bold]Your Social Security number was _not_ included in your information.[/bold]

Kaiser Permanente respects your right to file a complaint. If you have any questions, concerns or wish to file a complaint, please contact us at (1-866-529-0813) (TTY (303)338-3820). You also have the right to contact the Department of Health and Human Services through the Office for Civil Rights at 1-800-368-1019.

On behalf of Kaiser Permanente, I offer our sincerest apology that this unfortunate incident occurred. I assure you that safeguarding your medical information is one of our highest priorities. Thank you for your understanding in this matter. Again, if you have any questions regarding this incident, please call us at (1-866-529-0813) (TTY (303)338-3820).

Very truly yours,

[signature]
Barbara Collura
Privacy and Security Officer - Colorado Region

Enclosures

---

One item was enclosed, a multiple page handout dated April 2006 offering information and notification of privacy practice.

I called the number above at 6:55pm MST and the recording said to leave my name and number and a member's services representative trained to answer your questions would call me back between 5pm and 7pm.


From jericho at attrition.org Wed Dec 6 21:50:59 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 6 Dec 2006 21:50:59 -0500 (EST)
Subject: [Dataloss] Attrition Dataloss Contest

That's right, time for one of our fun contests, but this time with the Dataloss theme!

Who can beat the Jericho?! Who has received more letters indicating their PII was lost than me?

October 16, 2006 - VISA / 1ST BANK
October 26, 2006 - ACS State and Local Solutions, Inc.
November 13, 2006 - Kaiser Permanente

Winner will likely receive a nice case of identity theft, public recognition and maybe some hostile words from Lyger and Dissent.

jericho

p.s. yes, i know i'm giving away what services i use, i don't really care at this point.


From george at myitaz.com Thu Dec 7 09:14:45 2006
From: george at myitaz.com (George Toft)
Date: Thu, 07 Dec 2006 07:14:45 -0700
Subject: [Dataloss] Attrition Dataloss Contest
Message-ID: <457821D5.4090309@myitaz.com>

If you are looking for the most ever, I have you beat by one. If it is the most per unit of time, I think you are the winner! I have four over a five year period - you have three in less than one month!

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760

Confidential data protection experts for the financial industry.

security curmudgeon wrote:
> That's right, time for one of our fun contests, but this time with the
> Dataloss theme!
>
> Who can beat the Jericho?! Who has received more letters indicating their
> PII was lost than me?
>
> October 16, 2006 - VISA / 1ST BANK
> October 26, 2006 - ACS State and Local Solutions, Inc.
> November 13, 2006 - Kaiser Permanente
>
> Winner will likely receive a nice case of identity theft, public
> recognition and maybe some hostile words from Lyger and Dissent.
>
> jericho
>
> p.s. yes, i know i'm giving away what services i use, i don't really care
> at this point.
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 142 million compromised records in 495 incidents over 6 years.


From lyger at attrition.org Fri Dec 8 01:59:26 2006
From: lyger at attrition.org (lyger)
Date: Fri, 8 Dec 2006 01:59:26 -0500 (EST)
Subject: [Dataloss] Financial services firms share security tactics

Courtesy InfoSecNews.org and WK:

http://www.networkworld.com/news/2006/12706-finsec.html

By Ellen Messmer
Network World
12/07/06

Some of the top players in the financial services arena -- such as Visa, JPMorgan Chase and Experian International -- are expanding their tactics for preventing customer data loss.

IT security managers convening at two interrelated conferences in New York this week said their firms are adopting both new network defenses and organizational structures to lower risk of a data breach. Some say the very survival of their businesses may be at stake, since news reports about incidents are leading to customer loss and million-dollar lawsuits.

California was the first state to require public disclosure of a data breach, and now there are about 30 other states and localities that do as well. "When an event becomes public, the stock price tilts, there's brand damage and finally decreased revenues," said James Christiansen, chief information security officer at Experian International, speaking at the Summit on Preventing Data Leakage.

[...]


From ziplock at pogowasright.org Fri Dec 8 14:32:18 2006
From: ziplock at pogowasright.org (ziplock)
Date: Fri, 8 Dec 2006 14:32:18 -0500 (EST)
Subject: [Dataloss] Personal info was on stolen state motor vehicle office computers

DUNMORE - The Pennsylvania Department of Transportation on Dec. 1 began notifying nearly 11,400 customers whose personal information was contained on two computers stolen during a Nov. 28 burglary at PennDOT's Wilkes-Barre Driver License Center.

PennDOT also took immediate action to increase security of customer data at its facilities across Pennsylvania to reduce the risk of such a breach occurring again.

Thieves also took equipment and supplies that could be used to make fraudulent drivers license and photo identification cards. State police are investigating the crime.

[...]

http://www.strausnews.com/articles/2006/12/08/pike_county_courier/news/16.txt

via www.pogowasright.org


From ziplock at pogowasright.org Fri Dec 8 21:01:27 2006
From: ziplock at pogowasright.org (ziplock)
Date: Fri, 8 Dec 2006 21:01:27 -0500 (EST)
Subject: [Dataloss] Health providers' Social Security numbers posted on state site

http://www.wcax.com/Global/story.asp?S=5790220

MONTPELIER, Vt. -- At least several hundred, likely more, Social Security numbers of health care providers were posted to the Internet in a state contractor's mistake that officials were scrambling to fix Friday.

Human Resources Commissioner Linda McIntire said the names and Social Security numbers of doctors, psychologists and others were posted on a Web site where the state had posted a request for bids by contractors to be the state's health insurance administrator.

"Despite the fact that the information was open to access, we have no evidence to date to indicate that your Social Security number was obtained by anyone intending to misuse it," said a letter sent Friday by McIntire to medical and mental health care providers.

[...]
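The Grand Prairie posting above and the Vermont one just before this point are the same failure: a procurement document carrying staff or provider Social Security numbers was published to a public web site and nobody checked it first. The scanner below is an added example, not code from the Dataloss list or from either agency. It walks text that is about to be published and reports anything SSN-shaped, applies the SSA's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to cut false positives, and blocks publication only on the separated 3-2-4 form while reporting bare nine-digit runs for a human to look at. The roster, names and numbers are constructed for the example.

```python
"""Pre-publication scan for Social Security numbers in text.

Added example; the sample document is constructed and the names and
numbers in it are not real.
"""
import re
from dataclasses import dataclass

# Three digit groups with '-' or ' ' separators, or nine bare digits.
# The lookarounds stop a 10-digit phone number from yielding a 9-digit match.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})([- ]?)(\d{4})(?!\d)")


@dataclass(frozen=True)
class Hit:
    offset: int        # character offset of the match in the scanned text
    line: int          # 1-based line number, for the reviewer
    masked: str        # never log the full number; keep the last four only
    confidence: str    # "high" for a consistently separated 3-2-4 form, "low" for bare digits


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[Hit]:
    """Return every plausible SSN-shaped token in text, masked."""
    hits: list[Hit] = []
    for m in SSN_RE.finditer(text):
        area, sep1, group, sep2, serial = m.groups()
        if not plausible_ssn(area, group, serial):
            continue
        confidence = "high" if sep1 and sep1 == sep2 else "low"
        line = text.count("\n", 0, m.start()) + 1
        hits.append(Hit(m.start(), line, f"***-**-{serial}", confidence))
    return hits


def publish_gate(text: str) -> bool:
    """True if the document may be published: no high-confidence SSN present.

    Low-confidence hits (bare nine digits) are reported but do not block,
    since invoice, PO and routing numbers look the same."""
    return not any(h.confidence == "high" for h in find_ssns(text))


# Constructed sample standing in for a bid attachment (not a real roster).
SAMPLE = """Workers' compensation RFP, Attachment B: employee roster
Jane Roe         123-45-6789
John Doe         487 65 4321
Test Account     000-12-3456
Vendor desk      (555) 012-3456 or 9722378000
PO number        123456789
"""

if __name__ == "__main__":
    for h in find_ssns(SAMPLE):
        print(f"line {h.line}: {h.masked} ({h.confidence})")
    print("publish allowed:", publish_gate(SAMPLE))
```

Run against the sample, the scanner flags lines 2 and 3 as high confidence, rejects the 000-area test value, ignores the phone numbers, reports the nine-digit PO number as low confidence, and refuses publication. The masking matters as much as the detection: a scanner that writes the full numbers it found into a log or ticket has just created a second copy of the data it was meant to keep off the site.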
From lyger at attrition.org Sat Dec 9 00:40:30 2006
From: lyger at attrition.org (lyger)
Date: Sat, 9 Dec 2006 00:40:30 -0500 (EST)
Subject: [Dataloss] VCU by mistake sends personal information, grades of 561 students

http://www.timesdispatch.com/servlet/Satellite?pagename=RTD%2FMGArticle%2FRTD_BasicArticle&%09s=1045855935258&c=MGArticle&cid=1149192095252&path=!news!education

For the second time this year, the personal information and Social Security numbers of hundreds of Virginia Commonwealth University students have been compromised.

According to the university's technology services Web site, personal information on 561 VCU students in the College of Humanities and Sciences was inadvertently included in two attachments in an e-mail. The information included names, Social Security numbers, local and permanent addresses and grade-point averages.

[...]


From Dissent at pogowasright.org Sun Dec 10 23:25:57 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 11 Dec 2006 04:25:57 -0000 (GMT)
Subject: [Dataloss] Greenville (South Carolina) County School District [update]

http://www.thetandd.com/articles/2006/12/10/ap-state-sc/d8lu62b04.txt

GREENVILLE, S.C. - A company that bought computers from the Greenville school district at surplus auctions must return those computers and confidential data on them, a judge has ordered.

The order Friday from Circuit Judge Diane S. Goodstein says both sides agreed to let an independent computer expert document all the data under the supervision of a trustee.

Attorney David Gantt represents the WH Group and its two principal members, Kenneth Holbert Jr. and Scott Mann. Gantt said he couldn't comment while the case is in litigation.

The school district filed a lawsuit this week asking that the WH Group be ordered to return the equipment and data and stopped from making any copies before turning it over.

Gantt has said previously that his clients bought computers, hard drives and other items at school district auctions over a period of about six years. They didn't know when they bought the equipment that it contained information such as the Social Security numbers of thousands of students and employees and driver's license numbers, personnel files and health records of employees, Gantt has said.

[...]

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss


From Dissent at pogowasright.org Mon Dec 11 07:48:45 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 11 Dec 2006 12:48:45 -0000 (GMT)
Subject: [Dataloss] Independent Living Funds: stolen tape

http://www.dailyrecord.co.uk/news/tm_headline=id-fraud-fears-as-disabled-records-pinched&method=full&objectid=18242444&siteid=66633-name_page.html

THOUSANDS of disabled people have been warned to be vigilant after their personal details were stolen from a support group.

The data had been put on a computer back-up tape by Government-backed Independent Living Funds. But the tape was stolen from a van and now clients have been told their details could be in the hands of identity thieves.

The information includes full names, dates of birth, addresses, national insurance numbers and bank details of thousands of vulnerable customers.

[...]


From lyger at attrition.org Mon Dec 11 13:18:08 2006
From: lyger at attrition.org (lyger)
Date: Mon, 11 Dec 2006 13:18:08 -0500 (EST)
Subject: [Dataloss] Ameriprise Reaches Settlement With Mass. Regulators

http://www.boston.com/business/ticker/2006/12/ameriprise_reac.html

In what may be the first regulatory action against a company for losing sensitive customer data, Massachusetts' securities regulators reached a settlement of understanding with Ameriprise Financial Inc., over the company's loss of a laptop computer last year.

Under an agreement with regulators in the office of Massachusetts Secretary of State William Galvin, Ameriprise agreed to hire an independent consultant within 60 days to review its policies and procedures for employees' and contractors' use of laptop computers that contain personal or financial information of Ameriprise customers.

[...]


From rforno at infowarrior.org Mon Dec 11 23:13:21 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 11 Dec 2006 23:13:21 -0500
Subject: [Dataloss] Protectors, Too, Gather Profits From ID Theft

December 12, 2006
Stolen Lives
Protectors, Too, Gather Profits From ID Theft
By ERIC DASH
http://www.nytimes.com/2006/12/12/business/12credit.html?ei=5094&en=8e6360593425c89a&hp=&ex=1165899600&partner=homepage&pagewanted=print

Melody Millett was shocked when her car loan company asked her if she was the wife of Abundio Perez, who had applied for 26 credit cards, financed several cars and taken out a home mortgage using a Social Security number belonging to her actual husband.

Beyond her shock, Mrs. Millett was angry. Five months earlier, the Milletts had subscribed to a $79.99-a-year service from Equifax, a big financial data warehouse, that promised to monitor any access to her credit records. But it never reported the credit activity that might have signaled that they were victims of identity theft.

"I feel like the whole thing is a sham," said Mrs. Millett, a 37-year-old information-technology manager from Overland Park, Kan. "You feel completely violated because here are the people who know the industry. They hold all the data."
The services, she contends, are oversold.

It is not just criminals who are profiting from identity theft; financial institutions are making money, too. Fear of identity theft has helped give rise to a nearly billion-dollar business in credit-monitoring services sold by the major credit bureaus -- companies like Equifax, Experian and TransUnion -- as well as direct marketers and banks.

Javelin Strategy and Research, which analyzes the credit-monitoring market, says more than 12 million Americans are now subscribers. The services alert them when lenders have requested their credit files, usually an indication a credit application has been made in their name.

Credit monitoring has quickly gained traction with consumers through aggressive advertising that often promotes its value in protecting against identity theft. But its abilities are far more limited than is commonly perceived.

In the meantime, measures that could stem fraud from identity theft -- like legislation empowering consumers to block access to their credit records, making it impossible to extend new credit -- have faced stiff resistance from industry groups.

"Identity theft has essentially become a business -- not just for bad guys but for good guys, too," said Robert Gellman, a privacy consultant in Washington. "A lot of the people that are involved in profiting legally from identity theft are direct participants in the whole credit system that doesn't have the protections in place to prevent identity theft in the first place."

Some criticism has been aimed at banks, which tolerate a certain amount of fraud as a cost of doing business. But the biggest beneficiaries from identity theft have been the three credit bureaus.

Banks and other lenders have long bought information like a person's payment history or debt load to assess a loan's risk. But credit monitoring turned the system on its head and helped create a new, consumer-focused financial data industry.

In addition to selling files to lenders in bulk, the bureaus now market largely the same records to individuals, including entries that reflect applications for credit, new accounts or balance changes. While the data is sold to a big financial institution for 20 cents to $1 a report, according to analysts and industry executives, it can be repackaged and sold to consumers in the form of credit monitoring for $3 to $16 a month.

Persuading customers to sign up can be costly. But today, Wall Street analysts estimate credit monitoring alone to be a $900 million category, growing 20 percent a year or more.

"It's a pretty big market considering that 10 years ago it didn't exist," said J. Bradford Eichler, a consumer data company analyst at Stephens.

Peace of Mind, at a Price

Representatives of Equifax, Experian and TransUnion, whose consumer affiliates are being sued by the Milletts, would not comment on the couple's specific contentions because of the continuing litigation. But they say credit monitoring is a valuable tool.

"Our products give consumers an early warning system so they can limit the damage and take care of the problem right away," said John Danaher, president of TransUnion's online consumer services arm.

And indeed, many consumers speak glowingly of their experiences with credit monitoring. Wendy Barrington, a 36-year-old Houston woman, recalled the annoyance a friend faced for months after her financial information was stolen.

"I am not about to risk something I have worked so hard on," said Ms. Barrington, who pays about $15 a month for TransUnion's credit-monitoring service. "All it takes is one person stealing your information and you are in a world of hurt."

Still, some consumer advocates caution that people may be overpaying for that peace of mind.

For one thing, Americans can essentially create their own credit-monitoring service by taking advantage of a federal law that guarantees access to one free credit report a year from each of the three bureaus. And thanks to so-called zero liability policies, the cost of fraud is generally absorbed by the credit card companies, merchants and banks.

At the same time, credit monitoring may fail to detect that a credit request was even made. For example, a fraud artist may use someone else's personal identification information -- like a Social Security number -- but take out a loan in his or her own name. The data mismatch can cause the bureau's computer systems to route the loan request to a separate file so that a credit-monitoring service never picks it up.

That is what Melody and Steven Millett, the Kansas couple, say happened to them. In late January 2003, Mrs. Millett found something was wrong when a Ford Motor Credit computer system refused to let her set up an online account to pay off an auto loan. When she called the lender, Mrs. Millett said, she was told that an account had already been set up with Mr. Millett's Social Security number but a different name: Abundio Perez.

She later learned of at least 26 cases in which Mr. Millett's personal information had been used in credit applications by Mr. Perez since 1989, according to a lawsuit filed by the Milletts against the credit bureaus, data providers and several creditors in June 2004 in federal court in Kansas City, Kan.

The previous August, Mrs. Millett had bought a credit-monitoring subscription from Equifax. Soon after the Ford Motor Credit incident, she also signed up for credit monitoring with Experian and TransUnion. At least one credit application using Mr. Millett's Social Security number came after the Milletts obtained their credit-monitoring subscriptions, according to their lawyer, Joyce Yeager. But not once, Mrs. Millett said, did the couple receive notice of unusual access to their credit records or the misuse of Mr. Millett's data. Quite the contrary, the bureaus sent them a succession of reassuring e-mail messages suggesting that their information was safe and offering congratulations.

In their legal claims, which have been separated into several class-action lawsuits, the Milletts say that the bureaus' monitoring services do not work as advertised.

"The core identifier is your Social Security number," Mrs. Millett said in an interview. "You use it for work, for taxes. You would think that identifier would be covered by someone advertising they protect you from identity theft. To think that they are not is just flabbergasting."

Donald Girard, an Experian spokesman, acknowledged that his company's credit-monitoring products could not detect cases in which a credit applicant used someone else's Social Security number but his or her own name because those records were stored separately. He added, however, that in such cases consumers are "not harmed" financially.

Protection vs. Prevention

Initially, the credit bureaus sold monitoring as a way for consumers to understand and manage their credit scores before taking out big loans. But since a wave of data breaches in 2004 heightened consumer fears, a security message appears to have moved toward center stage.

"It is advertised as monitoring for identity-theft protection," said Michael R. Stanfield, chief executive of Intersections, a direct-marketing company that offers credit monitoring through big banks and card companies. But he said consumers hear protection "and don't understand if it is prevention or detection."

"What is needed in the marketplace are products that are going to help you protect your information, monitor it when it is in the process of getting used in a financial fraud, and catch those financial frauds when they are about to occur," he added.

Privacy advocates have suggested providing more fraud-prevention tools to consumers by allowing them to freeze access to credit records if they think they have been identity-theft victims -- or as a precaution. Beginning with California in 2003, such laws have passed in 26 states, including New York last month. But of roughly 148 million credit-eligible customers in those states, Experian estimates 30,000 have elected to freeze their files.

Financial and retailing lobbying groups have generally opposed such legislation at the state and federal levels since it could hinder a retailer in issuing a store-branded credit card -- or a bank in extending a loan -- to a legitimate customer, who must first unfreeze the credit file. It can also restrict the bureaus from selling consumer credit files.

The big credit bureaus, after initially opposing tougher legislation, are taking a wait-and-see approach. "It may be that we evolve to that at some point," said Maxine Sweet, Experian's vice president for consumer education. "We have to make sure that we are not interfering with what is a very important part of the whole consumer credit economy."

Such a freeze might not have helped the Milletts, since the problematic files were kept under another name.

Mrs. Millett is still using a credit-monitoring service, but she would not recommend it to a friend. "I still have credit monitoring because of the simple fact that it is the best tool available at this time," she said. "It is not ideal, it is broken, and it is not as advertised."
From Dissent at pogowasright.org Tue Dec 12 02:06:38 2006 From: Dissent at pogowasright.org (Dissent) Date: Tue, 12 Dec 2006 02:06:38 -0500 (EST) Subject: [Dataloss] Major breach of UCLA's computer files Message-ID: http://www.latimes.com/news/local/la-me-ucla12dec12,0,7111141.story?coll=la-home-headlines In what appears to be one of the largest computer security breaches ever at an American university, one or more hackers have gained access to a UCLA database containing personal information on about 800,000 of the university's current and former students, faculty and staff members, among others. UCLA officials said the attack on a central campus database exposed records containing the names, Social Security numbers and birth dates ? the key elements of identity theft ? for at least some of those affected. The attempts to break into the database began in October of 2005 and ended Nov. 21, when the suspicious activity was detected and blocked, the officials said. In a letter scheduled to be sent today to potential victims of the breach, acting Chancellor Norman Abrams said that although some Social Security numbers were obtained by the hackers, the university had no evidence that any of the information had been misused. [...] At UCLA, officials said Monday that the targeted database included records for the university's current and former students, faculty and staff, in some cases dating to the early 1990s. Others potentially affected included some applicants during the last five years who did not enroll at the university, as well as some parents of students or applicants who had applied for financial aid. About 3,200 of those being notified are current or former staff and faculty of UC Merced and current or former staff of UC's Oakland headquarters. UCLA handles administrative processing for both groups. Besides names, Social Security numbers and birth dates of those affected, the database includes home addresses and contact information, officials said. 
It does not contain driver's license numbers or credit card or banking information. [...] -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss From dano at well.com Tue Dec 12 09:53:09 2006 From: dano at well.com (dano) Date: Tue, 12 Dec 2006 06:53:09 -0800 Subject: [Dataloss] Major breach of UCLA's computer files In-Reply-To: References: Message-ID: Press release from the UCLA web site, and the letter to affected people (unconventional formatting retained from original). --begin press release-- UCLA Warns of Unauthorized Access to Restricted Database UCLA is alerting approximately 800,000 people that their names and certain personal information are contained in a restricted database that was illegally and fraudulently accessed by a sophisticated computer hacker. This database contains certain personal information about UCLA's current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. Approximately 3,200 of those being notified are current or former staff and faculty of the University of California, Merced, and current or former employees of the University of California Office of the President, for which UCLA does administrative processing. In a letter being sent to affected individuals, Acting Chancellor Norman Abrams said that personal information about at least some of the individuals was obtained by the hacker but that there is no evidence that any data has been misused. The database includes names, Social Security numbers, dates of birth, home addresses and contact information. It does not include driver's license numbers or credit card or banking information. [...] 
--end press release--

--begin letter--

From: "Norman Abrams, Acting Chancellor, UCLA"
To: 800,000 people
Subject: UCLA Warns of Unauthorized Access to Restricted Database
Date: Tue, 12 Dec 2006 02:37:24 -0800
X-Virus-Status: Clean

December 12, 2006

Dear Friend,

UCLA computer administrators have discovered that a restricted campus database containing certain personal information has been illegally accessed by a sophisticated computer hacker. This database contains certain personal information about UCLA's current and some former students, faculty and staff, some student applicants and some parents of students or applicants who applied for financial aid. The database also includes current and some former faculty and staff at the University of California, Merced, and current and some former employees of the University of California Office of the President, for which UCLA does administrative processing.

I regret having to inform you that your name is in the database. While we are uncertain whether your personal information was actually obtained, we know that the hacker sought and retrieved some Social Security numbers. Therefore, I want to bring this situation to your attention and urge you to take actions to minimize your potential risk of identity theft. I emphasize that we have no evidence that personal information has been misused.

The information stored on the affected database includes names and Social Security numbers, dates of birth, home addresses and contact information. It does not include driver's license numbers or credit card or banking information.

Only designated users whose jobs require working with the restricted data are given passwords to access this database. However, an unauthorized person exploited a previously undetected software flaw and fraudulently accessed the database between October 2005 and November 2006. When UCLA discovered this activity on Nov. 21, 2006, computer security staff immediately blocked all access to Social Security numbers and began an emergency investigation. While UCLA currently utilizes sophisticated information security measures to protect this database, several measures that were already under way have been accelerated. In addition, UCLA has notified the FBI, which is conducting its own investigation.

We began notifying those individuals in the affected database as soon as possible after determining that personal data was accessed and after we retrieved individual contact information.

As a precaution, I recommend that you place a fraud alert on your consumer credit file. By doing so, you let creditors know to watch for unusual or suspicious activity, such as someone attempting to open a new credit card account in your name. You may also wish to consider placing a security freeze on your accounts by writing to the credit bureaus. A security freeze means that your credit history cannot be seen by potential creditors, insurance companies or employers doing background checks unless you give consent. For details on how to take these steps, please visit http://www.identityalert.ucla.edu/what_you_can_do.htm.

Extensive information on steps to protect against personal identity theft and fraud are on the Web site of the California Office of Privacy Protection, a division of the state Department of Consumer Affairs, http://www.privacy.ca.gov.

Information also is available on a Web site we have established, http://www.identityalert.ucla.edu. The site includes additional information on this situation, further suggestions for monitoring your credit and links to state and federal resources. If you have questions about this incident and its implications, you may call our toll-free number, (877) 533-8082.

Please be aware that dishonest people falsely identifying themselves as UCLA representatives might contact you and offer assistance. I want to assure you that UCLA will not contact you by phone, e-mail or any other method to ask you for personal information. I strongly urge you not to release any personal information in response to inquiries of this nature.

We have a responsibility to safeguard personal information, an obligation that we take very seriously. I deeply regret any concern or inconvenience this incident may cause you.

Sincerely,

Norman Abrams, Acting Chancellor

This is an automated message regarding the recent identity alert at UCLA. We're sorry, but we are unable to respond to emails. Please do not reply to this email. If you have questions or concerns and would like to speak with someone, please call (877) 533-8082. For additional information and steps to take, please go to the dedicated website at http://www.identityalert.ucla.edu.

--end letter--

From lyger at attrition.org Tue Dec 12 16:52:03 2006
From: lyger at attrition.org (lyger)
Date: Tue, 12 Dec 2006 16:52:03 -0500 (EST)
Subject: [Dataloss] ID info of 130,000 Aetna customers at risk
Message-ID:

(bad day today for reporting breaches... another 70,000 gets us a million...)

http://www.daytondailynews.com/n/content/oh/story/news/local/2006/12/12/ddn121206aetnaweb.html

A lockbox holding personal information on approximately 130,000 Aetna health insurance members was stolen Oct. 26 when thieves broke into an office building occupied by an Aetna vendor, Aetna officials said Tuesday.

The lockbox, housed by Naperville, Ill.-based Concentra Preferred Systems, contained computer backup tapes of medical claim data for Aetna and several other Concentra health plan clients, Aetna spokeswoman Cynthia Michener said.

[...]

From Dissent at pogowasright.org Tue Dec 12 18:39:11 2006
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 12 Dec 2006 18:39:11 -0500 (EST)
Subject: [Dataloss] Data of UT Dallas students, staff potentially stolen
Message-ID:

OK, lyger, now it's only another 65k to the million mark...
http://charlotte.bizjournals.com/dallas/stories/2006/12/11/daily16.html

The University of Texas at Dallas discovered over the weekend that social security numbers and other sensitive information relating to 5,000 students, faculty members and staff may have been exposed by a computer network intrusion. Phone numbers, e-mail addresses and home addresses also may have been exposed.

[...]

People whose information was known to have been involved in the potential disclosure include:

* Students and staff in the Erik Jonsson School of Engineering and Computer Science, as well as applicants for admission dating back as far as 1993.

* All staff and faculty of the university, who were employed from September 2003 through August 2005.

The UT Dallas breach is not the first breach of university data the University of Texas System has seen this year. In October, the UT System appointed a chief information security officer to build and oversee a system-wide plan to protect UT's information. The appointment came after about 2,500 student records for University of Texas at Arlington students were stolen at the end of September.

The UT System's flagship school in Austin has suffered two major IT security breaches in the last few years -- one in 2003 and one earlier this year in April at the McCombs School of Business. The McCombs breach exposed the records, including Social Security numbers and other sensitive information, of 197,000 people.

Daniel said the university's information research staff has talked with UT System officials during the course of its investigation.
From Dissent at pogowasright.org Wed Dec 13 08:44:20 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 13 Dec 2006 08:44:20 -0500 (EST)
Subject: [Dataloss] Boeing laptop stolen -- 382,000 IDs lost
Message-ID:

http://seattlepi.nwsource.com/local/295769_boeing13.html

A laptop with personal information on hundreds of thousands of Boeing Co. employees was stolen earlier this month, and the aerospace company will inform those potentially affected by the theft in a company e-mail today.

"In the first week of December, a laptop was stolen from an employee's car," Boeing spokeswoman Kelly Danaghy said. "That laptop had files that contained Social Security numbers for about 382,000 past and present employees, and in most cases it also included a home address, phone number and date of birth."

There was no reason to believe that any of the stolen information has been used illegally, she said. It was unclear Tuesday whether the data was encrypted.

No banking or credit card information was stored in those files, but the company will provide free three-year credit monitoring for employees whose personal information was compromised.

[...]

From lyger at attrition.org Thu Dec 14 09:50:49 2006
From: lyger at attrition.org (lyger)
Date: Thu, 14 Dec 2006 09:50:49 -0500 (EST)
Subject: [Dataloss] Computer with medical records stolen in Cincinnati area
Message-ID:

http://www.wkrc.com/news/state/story.aspx?content_id=B0EBA8B8-75D4-41CD-9FC7-F1CF435604BE

A Pennsylvania health plan is mailing letters this week to about 25-thousand patients whose medical records were on a computer stolen near Cincinnati.
Police in suburban Springdale say the computer was taken from Electronic Registry Systems in a Thanksgiving office break-in.

[...]

From ziplock at pogowasright.org Thu Dec 14 10:27:55 2006
From: ziplock at pogowasright.org (ziplock)
Date: Thu, 14 Dec 2006 10:27:55 -0500 (EST)
Subject: [Dataloss] UTD computer hack worse than feared
Message-ID:

http://www.wfaa.com/sharedcontent/dws/news/localnews/stories/DN-utdhack_14met.ART0.North.Edition1.3eb1c28.html

The University of Texas at Dallas said Wednesday that more people may be affected by a computer attack than first believed, raising the total to 6,000 current and former students, faculty, staff and others.

UTD officials said people employed between 1999 and 2005 may have had Social Security numbers and other personal information exposed during the network intrusion, discovered over the weekend.

[...]

From Dissent at pogowasright.org Fri Dec 15 02:42:01 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 15 Dec 2006 02:42:01 -0500 (EST)
Subject: [Dataloss] SVVSD students' info with stolen laptop
Message-ID:

http://www.longmontfyi.com/Local-Story.asp?id=12861

Information identifying as many as 600 St. Vrain Valley School District students whose health care is paid by Medicaid was stolen with a school nurse's laptop computer last month, a school district spokesman said Wednesday.

The paper records included students' names and dates of birth; the names of their schools and what grade they are in; the students' Medicaid numbers; and their parents' names, said John Poynton, district spokesman.

[...]
From Dissent at pogowasright.org Fri Dec 15 02:45:36 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 15 Dec 2006 02:45:36 -0500 (EST)
Subject: [Dataloss] Students accused of hacking Durham Public Schools database
Message-ID:

http://www.heraldsun.com/durham/4-799583.cfm

Two Riverside High School students are accused of hacking into the Durham Public Schools computer database and downloading the Social Security numbers and personal information of thousands of school employees, the Durham Sheriff's Office said Thursday.

[...]

DPS official Hester said the school system felt the boys "hadn't done anything wrong" but contacted the Sheriff's Office out of concern for the safety of school employees' identity information.

Charles Douglass, executive director of technical services for the school system, said the hole would have only been accessible to individuals who already had a password to gain access to the school's computers, such as students and employees. Firewalls, which are barriers that prevent outside individuals from gaining access to a network's protected information, prevent the possibility of other hackers from accessing the data, he added.

Despite Douglass' claim and the fact that Douglass and Hester said the boys only accessed the data through the school's password-protected computers, Sheriff's deputy Lt. Will Rogers said he believed the boys accessed some of the information via their home computer, which is why, he said, the computers were seized.

[...]
From jericho at attrition.org Fri Dec 15 07:23:46 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 15 Dec 2006 07:23:46 -0500 (EST)
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://seattlepi.nwsource.com/business/295982_boeinglaptop14ww.html

By JAMES WALLACE
P-I REPORTER
December 14, 2006

The Boeing Co. said Thursday it has fired the employee whose laptop was stolen with personal information about nearly 400,000 retired and current company workers.

Files on the stolen computer contained salary information, Social Security numbers, home addresses, phone numbers and birth dates.

A person with knowledge of the matter said the employee data was not encrypted as company policy requires once it has been downloaded from a server.

Jim McNerney, Boeing's chairman, president and chief executive, said the breach of company policy was so serious that some Boeing managers also will be disciplined.

"This latest incident resulted from a clear violation of our data-protection policy," McNerney said in an e-mail to all Boeing employees.

"We have very strict and clear policies and procedures about how employee information is handled," he wrote. "An employee, despite proper training, failed to comply with those requirements and as a result is being dismissed from the company."

McNerney said action will be taken against some Boeing managers. "I also believe strongly that management must be held accountable when repeated failures like this occur, so the employee's management chain will be reprimanded."

Boeing has not identified the employee or where in the company the person works. Nor has Boeing said where the laptop theft occurred. The laptop was stolen earlier this month from the employee's car.

Even though the employee data was not encrypted, the laptop was turned off. That means the person who stole the computer would not be able to access the employee data without a password to open the computer once it was turned on.

Boeing is notifying the estimated 382,000 workers, mostly retirees, whose names were in the laptop. The company said it will pay for fraud monitoring services for the past and current workers whose names and personal information was in the laptop.

This is not the first time a Boeing laptop computer with sensitive employee information has been lost or stolen. There have been at least three such cases.

When a similar theft occurred last year, McNerney said, Boeing implemented an "aggressive, multi-phased plan to better safeguard employee information."

"But the best policies, procedures, encryption software and awareness-raising in the world can't force people to use them," he said. "It's a matter of leadership and individual responsibility. Cutting corners is never acceptable -- especially when the trust of the whole team is at stake."

McNerney said investigators do not believe the latest incident was aimed at identity theft.

"Our investigations and security teams have been working hard with law-enforcement officials to investigate this crime," he said. "Based on what we know at this point, we believe this incident was the result of petty theft, not an attempt at identity theft. However, as our communications yesterday described, we have put in place a series of actions that assumes the worst case. We are doing everything humanly possible to recover the laptop and our data, and see that an incident like this doesn't happen again."

McNerney said he had received many e-mails from Boeing employees about the computer theft. They expressed "disappointment, frustration and downright anger" about the incident.

"I am just as disappointed as you are about it," McNerney said in his memo.

He said Boeing is taking the right steps to prevent the loss of sensitive data from happening again.

"But to ensure that all Boeing-sensitive information is safe -- even in the event of theft -- each and every one of us must actually follow the policies and procedures and use the tools available to protect information," he said.

From roy at rant-central.com Fri Dec 15 07:42:03 2006
From: roy at rant-central.com (Roy M. Silvernail)
Date: Fri, 15 Dec 2006 07:42:03 -0500
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)
In-Reply-To:
References:
Message-ID: <4582981B.7050709@rant-central.com>

Gotta love this. security curmudgeon forwarded:

> Even though the employee data was not encrypted, the laptop was turned
> off. That means the person who stole the computer would not be able to
> access the employee data without a password to open the computer once it
> was turned on.

Wrong. As I pointed out on my blog (http://www.rant-central.com/article.php?story=20060914170634681), that's purely a CYA statement with no basis in fact.

How long will these outfits be able to get away with this smokescreen?

-- 
Roy M. Silvernail is roy at rant-central.com, and you're not
"It's just this little chromium switch, here." - TFT
CRM114->procmail->/dev/null->bliss
http://www.rant-central.com

From bkdelong at pobox.com Fri Dec 15 08:17:44 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 15 Dec 2006 08:17:44 -0500
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)
In-Reply-To: <4582981B.7050709@rant-central.com>
References: <4582981B.7050709@rant-central.com>
Message-ID:

If you look through a lot of the dataloss articles, you'll see many media spokespersons claiming similarly that password protection is enough. Might be an interesting stat to track in the database.

On 12/15/06, Roy M. Silvernail wrote:
> Gotta love this. security curmudgeon forwarded:
>
> Wrong. As I pointed out on my blog
> (http://www.rant-central.com/article.php?story=20060914170634681),
> that's purely a CYA statement with no basis in fact.
>
> How long will these outfits be able to get away with this smokescreen?

-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From Kim_Nash at ziffdavis.com Fri Dec 15 10:08:20 2006
From: Kim_Nash at ziffdavis.com (Nash, Kim)
Date: Fri, 15 Dec 2006 10:08:20 -0500
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)
Message-ID:

That is one aspect of the typical corporate response to data theft that irked me when I was writing about this topic for the latest issue of Baseline. No company can ever really know that data wasn't accessed or that thieves weren't after data, etc. -- a point on which I quoted a forensics expert from Kroll.

It *is* such a smokescreen.
-- Kim Nash

Link to the article:
http://www.baselinemag.com/article2/0,1540,2069952,00.asp

-----Original Message-----
From: dataloss-bounces at attrition.org on behalf of B.K. DeLong
Sent: Fri 12/15/2006 8:17 AM
To: Roy M. Silvernail
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)

If you look through a lot of the dataloss articles, you'll see many media spokespersons claiming similarly that password protection is enough. Might be an interesting stat to track in the database.

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 143 million compromised records in 507 incidents over 6 years.

From cwalsh at cwalsh.org Fri Dec 15 12:35:59 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 15 Dec 2006 11:35:59 -0600
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)
In-Reply-To:
References:
Message-ID: <20061215173548.GA4666@cwalsh.org>

Follow-up question for Boeing:

Did you fire those involved in the other three incidents of laptop theft involving PII?

Chris

From adam at homeport.org Fri Dec 15 13:28:04 2006
From: adam at homeport.org (Adam Shostack)
Date: Fri, 15 Dec 2006 13:28:04 -0500
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)
In-Reply-To:
References: <4582981B.7050709@rant-central.com>
Message-ID: <20061215182804.GC26821@homeport.org>

So how can we counter it? What's the counter-meme?

"Why would you know?"
"Are your passwords better than Myspace?"
"What happens if I take out the disk and install it in another machine?"

(Those all stink--we need something snappy, snarky and memorable that reporters will spring on people who deploy the smokescreen.)

Adam

On Fri, Dec 15, 2006 at 08:17:44AM -0500, B.K. DeLong wrote:
| If you look through a lot of the dataloss articles, you'll see many
| media spokespersons claiming similarly that password protection is
| enough. Might be an interesting stat to track in the database.

From Kim_Nash at ziffdavis.com Fri Dec 15 13:37:33 2006
From: Kim_Nash at ziffdavis.com (Nash, Kim)
Date: Fri, 15 Dec 2006 13:37:33 -0500
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)
Message-ID:

Mainstream press -- local newspapers and TV stations -- don't know the tech issues. But one would think that a good reporter would just ask, "How do you know?"

It seems they don't, though.
-- Kim Nash

-----Original Message-----
From: dataloss-bounces at attrition.org on behalf of Adam Shostack
Sent: Fri 12/15/2006 1:28 PM
To: B.K. DeLong
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)

So how can we counter it? What's the counter-meme?

"Why would you know?"
"Are your passwords better than Myspace?"
"What happens if I take out the disk and install it in another machine?"

(Those all stink--we need something snappy, snarky and memorable that reporters will spring on people who deploy the smokescreen.)

Adam

From DAplin at bna.com Fri Dec 15 14:00:46 2006
From: DAplin at bna.com (Donald Aplin)
Date: Fri, 15 Dec 2006 14:00:46 -0500
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen
Message-ID:

I do ask, but they waffle and clam up. Primarily they trot out the PR/communications department people or the PR consulting firm they have hired--and those folks work from a script. They won't willingly give access to their own tech experts and even if I can find one of them on my own, they don't really want to talk for fear of retaliation.

Donald G. Aplin
Legal Editor
BNA's Privacy & Security Law Report

From Kim_Nash at ziffdavis.com Fri Dec 15 14:07:02 2006
From: Kim_Nash at ziffdavis.com (Nash, Kim)
Date: Fri, 15 Dec 2006 14:07:02 -0500
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)
Message-ID:

I do ask, but they waffle and clam up. Primarily they trot out the PR/communications department

============

good -- keep asking. and yes, pr people are one obstacle. and i don't mean to be too harsh. but even reporting something like, "The company declined to [or could not!] say how it came to conclude that the thief or thieves didn't want/didn't access the data" would further illuminate the issue for readers.

i'm an advocate of calling them on the carpet. :-)

-- Kim Nash

From cwalsh at cwalsh.org Fri Dec 15 14:33:43 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 15 Dec 2006 13:33:43 -0600
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)
In-Reply-To:
References:
Message-ID: <20061215193331.GA15381@cwalsh.org>

"Company spokesperson I.M. Clueless emphasized that the stolen laptop was turned off when stolen, and that a password would be required to access the unencrypted information on 800,000 people saved on it. However, information security expert U. R. Powned explained that in 99% of such cases, accessing such information would be 'trivial' for a knowledgeable thief who had actual possession of the laptop. Using information provided by Mr. Powned, this reporter confirmed that tools capable of bypassing such operating system passwords are widely available at no cost"

On Fri, Dec 15, 2006 at 02:07:02PM -0500, Nash, Kim wrote:
>
> i'm an advocate of calling them on the carpet. :-)
>

From kzetter at gmail.com Fri Dec 15 15:14:16 2006
From: kzetter at gmail.com (Kim Zetter)
Date: Fri, 15 Dec 2006 12:14:16 -0800
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen
In-Reply-To:
References:
Message-ID: <261747340612151214n52223b5dra659afdbd509d243@mail.gmail.com>

You don't really need to speak with the company's tech expert. Just include a countering quote from a security expert who says that what the pr expert is saying is bunk.
Once you start debunking the pr statements in your articles other reporters will follow suit. At least that's what happened when I started covering Diebold and evoting. Kim Nash is right that mainstream reporters don't know what questions to ask when it comes to tech issues, but if tech reporters do their job correctly, other reporters will learn from this and start finding the right sources to interview for their pieces. On 12/15/06, Donald Aplin wrote: > > I do ask, but they waffle and clam up. Primarily they trot > out the PR/communicatrions department people or the PR > consulting firm they have hired--and those folks work from a > script. They won't willingly give access to their own tech > experts and even if I can find one of them on my own, they > don't really want to talk for fear of retaliation. > > Donald G. Aplin > Legal Editor > BNA's Privacy & Security Law Report > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 143 million compromised records in 507 incidents over 6 years. > > > From blitz at strikenet.kicks-ass.net Fri Dec 15 16:12:26 2006 From: blitz at strikenet.kicks-ass.net (blitz) Date: Fri, 15 Dec 2006 16:12:26 -0500 Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd) In-Reply-To: References: Message-ID: <7.0.1.0.2.20061215160823.05180f10@strikenet.kicks-ass.net> Its about as much assurance, as we get from a laptop being recovered, encrypted or not. Mirror the disk, hand the laptop back, fears subside, while you have all the time in the world to work on the data. In a year or so, random names in the data start having identity theft problems. The recovery of lost or stolen data should never be the end of the case. Period! >That is one aspect of the typical corporate response to data theft >that irked me when I was writing about this topic for the latest >issue of Baseline. 
No company can ever really know that data wasn't >accessed or that thieves weren't after data, etc. -- a point on >which I quoted a forensics expert from Kroll. > >It *is* such a smokescreen. > >-- Kim Nash > >Link to the article: >http://www.baselinemag.com/article2/0,1540,2069952,00.asp > > > > >-----Original Message----- >From: dataloss-bounces at attrition.org on behalf of B.K. DeLong >Sent: Fri 12/15/2006 8:17 AM >To: Roy M. Silvernail >Cc: dataloss at attrition.org >Subject: Re: [Dataloss] [follow-up] Boeing fires employee >whose laptop wasstolen (fwd) > >If you look through a lot of the dataloss articles, you'll see many >media spokespersons claiming similarly that password protection is >enough. Might be an interesting stat to track in the database. > >On 12/15/06, Roy M. Silvernail wrote: > > Gotta love this. security curmudgeon forwarded: > > > > > Even though the employee data was not encrypted, the laptop was turned > > > off. That means the person who stole the computer would not be able to > > > access the employee data without a password to open the computer once it > > > was turned on. > > > > Wrong. As I pointed out on my blog > > > (http://www.rant-central.com/article.php?story=20060914170634681), > > that's purely a CYA statement with no basis in fact. > > > > How long will these outfits be able to get away with this smokescreen? > > -- > > Roy M. Silvernail is roy at rant-central.com, and you're not > > "It's just this little chromium switch, here." - TFT > > CRM114->procmail->/dev/null->bliss > > http://www.rant-central.com > > _______________________________________________ > > Dataloss Mailing List (dataloss at attrition.org) > > http://attrition.org/dataloss > > Tracking more than 143 million compromised records in 507 > incidents over 6 years. > > > > > > > > >-- >B.K. DeLong (K3GRN) >bkdelong at pobox.com >+1.617.797.8471 > >http://www.wkdelong.org Son. >http://www.ianetsec.com Work. >http://www.bostonredcross.org >Volunteer. 
> http://www.carolingia.eastkingdom.org Service.
> http://bkdelong.livejournal.com Play.
>
> PGP Fingerprint:
> 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
>
> FOAF:
> http://foaf.brain-stream.org

From lyger at attrition.org Fri Dec 15 20:35:05 2006
From: lyger at attrition.org (lyger)
Date: Fri, 15 Dec 2006 20:35:05 -0500 (EST)
Subject: [Dataloss] CU-Boulder Reports Security Breach

http://www.colorado.edu/news/releases/2006/437.html

University of Colorado at Boulder officials today announced that a server in the campus's Academic Advising Center was the subject of a computer attack. CU-Boulder officials said they had begun the process of notifying 17,500 individuals that their personal information - including names and Social Security numbers - might have been exposed in the attack. CU-Boulder officials are continuing to determine the extent of information exposed.

Employees with CU-Boulder's Information Technology Services office discovered the attack on Dec. 8 and, following CU guidelines, began an investigation to determine how the system compromise occurred.

[...]
From ziplock at pogowasright.org Fri Dec 15 21:03:46 2006
From: ziplock at pogowasright.org (ziplock)
Date: Fri, 15 Dec 2006 21:03:46 -0500 (EST)
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)
In-Reply-To: <7.0.1.0.2.20061215160823.05180f10@strikenet.kicks-ass.net>
References: <7.0.1.0.2.20061215160823.05180f10@strikenet.kicks-ass.net>

I'd like to see someone publicly volunteer, in a highly visible manner, to demonstrate that s/he can access data on an unknown, standard-issue laptop, without leaving traces. No actual cracking would be necessary; once the data is copied a statement could be made that it can now be attacked and explored at leisure. Perhaps if a known expert made this general challenge, technically aware activists could follow up with letters to the editor when these ridiculous claims are made by those CYA companies. The activists could directly challenge the company, via the press (for what good would it do, if not in the public eye?), to put up or shut up by providing a laptop for the demo. If the successful experiment itself gets any publicity, it could be used as proof of concept against all future similar reports.

These companies and these reporters will stick to the script until they're publicly challenged and proven wrong.

/z

> It's about as much assurance as we get from a laptop being recovered,
> encrypted or not. Mirror the disk, hand the laptop back, fears
> subside, while you have all the time in the world to work on the
> data. In a year or so, random names in the data start having identity
> theft problems. The recovery of lost or stolen data should never be
> the end of the case. Period!
From adam at homeport.org Fri Dec 15 21:46:35 2006
From: adam at homeport.org (Adam Shostack)
Date: Fri, 15 Dec 2006 21:46:35 -0500
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)
References: <7.0.1.0.2.20061215160823.05180f10@strikenet.kicks-ass.net>
Message-ID: <20061216024635.GA20742@homeport.org>

Maybe a fun demo to do at Defcon this summer? You could set it up as a challenge--someone brings in three standard laptops, each with a secret file. You open one, hand them all back, they have to determine which of the three were opened?

On Fri, Dec 15, 2006 at 09:03:46PM -0500, ziplock wrote:
| I'd like to see someone publicly volunteer, in a highly visible manner, to
| demonstrate that s/he can access data on an unknown, standard-issue
| laptop, without leaving traces. No actual cracking would be necessary;
| once the data is copied a statement could be made that it can now be
| attacked and explored at leisure.
| Perhaps if a known expert made this
| general challenge, technically aware activists could follow up with
| letters to the editor when these ridiculous claims are made by those CYA
| companies. The activists could directly challenge the company, via the
| press (for what good would it do, if not in the public eye?), to put up or
| shut up by providing a laptop for the demo. If the successful experiment
| itself gets any publicity, it could be used as proof of concept against
| all future similar reports.
|
| These companies and these reporters will stick to the script until they're
| publicly challenged and proven wrong.
|
| /z
From roy at rant-central.com Sat Dec 16 00:01:36 2006
From: roy at rant-central.com (Roy M. Silvernail)
Date: Sat, 16 Dec 2006 00:01:36 -0500
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)
In-Reply-To: <20061216024635.GA20742@homeport.org>
References: <7.0.1.0.2.20061215160823.05180f10@strikenet.kicks-ass.net> <20061216024635.GA20742@homeport.org>
Message-ID: <45837DB0.2040004@rant-central.com>

Adam Shostack wrote:
> Maybe a fun demo to do at Defcon this summer? You could set it up as
> a challenge--someone brings in three standard laptops, each with a
> secret file. You open one, hand them all back, they have to determine
> which of the three were opened?

I *like* that idea!

--
Roy M. Silvernail is roy at rant-central.com, and you're not
"It's just this little chromium switch, here."
- TFT
CRM114->procmail->/dev/null->bliss
http://www.rant-central.com

From george at myitaz.com Sat Dec 16 12:24:20 2006
From: george at myitaz.com (George Toft)
Date: Sat, 16 Dec 2006 10:24:20 -0700
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)
References: <7.0.1.0.2.20061215160823.05180f10@strikenet.kicks-ass.net>
Message-ID: <45842BC4.3000507@myitaz.com>

As we all (on this list) know, this is a trivial exercise, provided the laptop does not use hard drive encryption. For those who don't know, here are the tools you need:

1. Knoppix CD.
2. USB hard drive.

I'm in the process of recovering data from a hard drive even as I write this. Since I'm not using Windows, the file access markers are not getting updated. The exact same technique would be used to copy a laptop hard drive.

For more information, see "Knoppix Hacks", ISBN 0-596-00787-6. It has a ton of hints for this type of work, including step-by-step instructions and the CD.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760
Confidential data protection experts for the financial industry.

ziplock wrote:
> I'd like to see someone publicly volunteer, in a highly visible manner, to
> demonstrate that s/he can access data on an unknown, standard-issue
> laptop, without leaving traces. No actual cracking would be necessary;
> once the data is copied a statement could be made that it can now be
> attacked and explored at leisure. Perhaps if a known expert made this
> general challenge, technically aware activists could follow up with
> letters to the editor when these ridiculous claims are made by those CYA
> companies. The activists could directly challenge the company, via the
> press (for what good would it do, if not in the public eye?), to put up or
> shut up by providing a laptop for the demo. If the successful experiment
> itself gets any publicity, it could be used as proof of concept against
> all future similar reports.
>
> These companies and these reporters will stick to the script until they're
> publicly challenged and proven wrong.
>
> /z
> [snip]

From macwheel99 at sigecom.net Sat Dec 16 12:31:33 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sat, 16 Dec 2006 11:31:33 -0600
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)
In-Reply-To: <20061216024635.GA20742@homeport.org>
References: <7.0.1.0.2.20061215160823.05180f10@strikenet.kicks-ass.net> <20061216024635.GA20742@homeport.org>
Message-ID: <6.2.1.2.0.20061216112506.04be22d0@mail.sigecom.net>

There have been demos, that have got next to no publicity, regarding the right way to set up security. I remember from years ago:

* Some URL to a Microsoft.com computer system where people were told that Bill Gates' home phone # was in there & hackers invited to find it & use it to phone to get a reward for demonstrating a hole in the security. No one claimed the reward.

* Some URL to an IBM.com computer system where people were told that the CEO of IBM's credit card account was in there & hackers invited to find it & use it to give themselves a reward for demonstrating a hole in the security. No one claimed any reward.

* Both Microsoft and IBM monitored hacker attempts to see how far they managed to get, and used this to improve their security offerings.

Perhaps a computer conference could invite places that claim to have good security offerings to have one of these demos during the course of the conference.

> Maybe a fun demo to do at Defcon this summer? You could set it up as
> a challenge--someone brings in three standard laptops, each with a
> secret file. You open one, hand them all back, they have to determine
> which of the three were opened?
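George Toft's caveat above, that copying a drive is trivial unless the laptop uses hard drive encryption, turns the useful question around for a defender: before a theft, can the organisation show from a record, rather than a press statement, that the disk was encrypted and the keys protected? The following is an added example, not code from this thread or from any of its authors. It assumes a Windows fleet with the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and a management agent or login script that treats a non-zero exit code as a finding; the function name is my own.

```powershell
# Added example (not from the Dataloss thread): record the encryption state of
# every fixed volume on this machine so that "was it encrypted?" has an answer
# on file. Assumes the BitLocker module (Windows 8 / Server 2012 and later).

function Get-DiskEncryptionReport {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            # A volume counts as protected only when encryption has finished AND
            # protection is on. "FullyEncrypted" with ProtectionStatus Off (a
            # suspended BitLocker) stores the key in the clear, which is no
            # protection against someone booting the disk from other media.
            [pscustomobject]@{
                Host       = $env:COMPUTERNAME
                Volume     = $_.MountPoint
                Status     = $_.VolumeStatus        # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
                Protection = $_.ProtectionStatus    # On / Off
                Method     = $_.EncryptionMethod
                Protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
                Protected  = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
            }
        }
}

$report = Get-DiskEncryptionReport
$report | Format-Table -AutoSize

# A non-zero exit lets the management agent flag the machine before it is lost,
# which is the only moment the "it was encrypted" statement can be verified.
$exposed = @($report | Where-Object { -not $_.Protected })
if ($exposed.Count -gt 0) {
    Write-Warning ("{0} volume(s) on {1} would be readable from a boot CD: {2}" -f
        $exposed.Count, $env:COMPUTERNAME, ($exposed.Volume -join ', '))
    exit 1
}
```

The report is worth storing centrally with a timestamp: the company's post-theft statement can then cite the last recorded state of that asset instead of asserting that a logon password was enough, which is the claim the rest of this thread takes apart.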
From lyger at attrition.org Sat Dec 16 13:00:35 2006
From: lyger at attrition.org (lyger)
Date: Sat, 16 Dec 2006 13:00:35 -0500 (EST)
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)
In-Reply-To: <6.2.1.2.0.20061216112506.04be22d0@mail.sigecom.net>
References: <7.0.1.0.2.20061215160823.05180f10@strikenet.kicks-ass.net> <20061216024635.GA20742@homeport.org> <6.2.1.2.0.20061216112506.04be22d0@mail.sigecom.net>

... but we're getting off the topic of data loss here, folks...

On Sat, 16 Dec 2006, Al Mac wrote:

": " There have been demos, that have got next to no publicity, regarding the
": " right way to setup security. I remember from years ago:
": " * Some url to a Microsoft.com computer system where people were told that
": " Bill Gates home phone # was in there & hackers invited to find it & use it
": " to phone to get a reward for demonstrating hole in the security. No one
": " claimed the reward.

one person's phone number, even bill gates, <> dataloss (for this list).

": " * Some url to an IBM.com computer system where people were told that the
": " CEO of IBM credit card account was in there & hackers invited to find it &
": " use it to give themselves a reward for demonstrating hole in the
": " security. No one claimed any reward.
": " * Both Microsoft and IBM monitored hacker attempts to see how far they
": " managed to get, and used this to improve their security offerings.

one person's CCN, even IBM's CEO, <> dataloss (for this list)

": " Perhaps a computer conference could invite places that claim to have good
": " security offerings, to have one of these demos during the course of the
": " conference.

Security breaches happen every day. Everything is vulnerable. For the purpose of this mail list, we're looking at mass breaches of personally identifiable information and related topics. If Katie Couric wants to dive into a dumpster for Bill Gates' phone number, fine with me. Don't care. Not important.
Think bigger.

From dano at well.com Sat Dec 16 12:57:12 2006
From: dano at well.com (dano)
Date: Sat, 16 Dec 2006 09:57:12 -0800
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)

At 10:08 AM -0500 12/15/06, Nash, Kim wrote:
> No company can ever really know that data wasn't accessed

After the laptop is gone, the company can only know if cryptware was installed on the machine or not. If not, then this is a policy failure and perhaps the CIO should be fired. Of course, if cryptware was installed, there's still little way of knowing if it was in use at the time of theft.

From rforno at infowarrior.org Sun Dec 17 11:50:35 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 17 Dec 2006 11:50:35 -0500
Subject: [Dataloss] Is dataloss becoming the next 'computer virus' trend?

We see these reports of data loss, laptop theft, database compromises, etc, etc, etc on a weekly, if not daily basis. Some of these are quite large, too. Yet after the initial hysteria of "yet another theft of data" story making the rounds in the media, is anyone tracking not just the number of events, but the outcome of such events over time?

I can't remember too many dataloss cases that had much of a "tail" to them after the initial event was reported in the media: What happens after the organization in question notifies their victims? Does it engage in any [effective] corrective action to remedy the problem that caused the data loss? Does anyone get fired? Fined? Arrested? Do the victims sue? Do regulators (state/federal/local) get involved? Or does life just go on and the organization in question (or victims) just brush the event off as another consequence of doing business in the information age, much like dealing with the latest Windows worm/virus/trojan?
Consequently, I wonder if "data loss" is fast becoming the new computer virus in terms of what I sense is a growing "routine-ness" about how the media covers such events -- especially if nothing much ever is done to deal with it by the affected entities or to hold their feet to the proverbial (and public) fire of accountability.

Which raises the question, I think, of how seriously folks (companies and individuals alike) take this entire issue in a broad sense.

Thoughts?

-rick
Infowarrior.org

From Dissent at pogowasright.org Sun Dec 17 11:55:12 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sun, 17 Dec 2006 11:55:12 -0500 (EST)
Subject: [Dataloss] Hackers get into Wickliffe computer

http://www.zwire.com/site/news.cfm?newsid=17599558&BRD=1698&PAG=461&dept_id=21849&rfi=6

Wickliffe Mayor Thomas W. Ruffner announced Friday that hackers had breached security in one of the city's three computer servers, which held personal information on some city employees.

The breach was discovered by Building Commissioner Ray Sack, who brought it to the attention of Ruffner and city police. Detective Sgt. Joe Matteo said a malicious virus had gotten through at least two layers of security and into the system, where information on 125 city employees was stored.

No information on city residents was stored in the server or compromised, Ruffner said. Those affected included service department and part-time personnel whose names and Social Security numbers were in the system.

Employees affected by the breach will be notified today in a letter from the mayor advising them of potential problems involving identity or credit theft, although no reports of either had been reported as of Friday.

[...]
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From SSteele at infolocktech.com Sun Dec 17 14:12:09 2006
From: SSteele at infolocktech.com (Sean Steele)
Date: Sun, 17 Dec 2006 14:12:09 -0500
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)
Message-ID: <90D8CEF754D7D9448BA11172BB5044320451362D@orange.brnets.int>

Great point, George. It's also a great procedure for recovering/mirroring data from a Windoze disk you need to reformat, but which is Acting Badly.

Make sure you have a BIOS that allows you to "Boot from USB". If you don't, and you're really serious, you can have a custom upgrade/replacement BIOS created for you. Email me offline if interested.

--
Sean Steele, CISSP
infoLock Technologies
703.310.6478 direct
202.270.8672 mobile
ssteele at infolocktech.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of George Toft
Sent: Saturday, December 16, 2006 12:24 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] [follow-up] Boeing fires employee whose laptop wasstolen (fwd)

As we all (on this list) know, this is a trivial exercise, provided the laptop does not use hard drive encryption. For those who don't know, here are the tools you need:

1. Knoppix CD.
2. USB hard drive.

I'm in the process of recovering data from a hard drive even as I write this. Since I'm not using Windows, the file access markers are not getting updated. The exact same technique would be used to copy a laptop hard drive.

For more information, see "Knoppix Hacks", ISBN 0-596-00787-6. It has a ton of hints for this type of work, including step-by-step instructions and the CD.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760
Confidential data protection experts for the financial industry.
From jericho at attrition.org Sun Dec 17 15:09:36 2006
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 17 Dec 2006 15:09:36 -0500 (EST)
Subject: [Dataloss] Is dataloss becoming the next 'computer virus' trend?

: We see these reports of data loss, laptop theft, databse compromises,
: etc, etc, etc on a weekly, if not daily basis. Some of these are quite
: large, too. Yet after the initial hysteria of "yet another theft of
: data" story making the rounds in the media, is anyone tracking not just
: the number of events, but the outcome of such events over time?

We are making an effort to track not only the initial disclosure, but the long term effect and outcome.
You will see some of the mails on the list tagged [follow-up] to denote it isn't a new event, but new information related to an older event. Ideally, we'd like to track as much information about each as possible, including if the information was abused, 'recovered', the bad guy caught and/or prosecuted, and more.

: I can't remember too many dataloss cases that had much of a "tail" to
: them after the initial event was reported in the media: What happens
: after the organization in question notifies their victims? Does it

I'd imagine most companies don't want to keep their name in the spotlight, and won't issue press releases unless it is about the bad guy getting caught and "relative certainty" that the information was not abused.

From blitz at strikenet.kicks-ass.net Sun Dec 17 17:34:21 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Sun, 17 Dec 2006 17:34:21 -0500
Subject: [Dataloss] Is dataloss becoming the next 'computer virus' trend?
Message-ID: <7.0.1.0.2.20061217173159.05d03890@strikenet.kicks-ass.net>

I'd venture to say they want to walk away from their responsibility to those affected as soon as possible and with minimum liability. That's why I go as far as questioning the veracity of the "Oh we found it", or "it was returned" stories.

> I'd imagine most companies don't want to keep their name in the spotlight,
> and won't issue press releases unless it is about the bad guy getting
> caught and "relative certainty" that the information was not abused.
From ADAIL at sunocoinc.com Mon Dec 18 10:31:37 2006
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Mon, 18 Dec 2006 10:31:37 -0500
Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop was stolen
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC70876@mds3aex0e.USISUNOCOINC.com>

Media relations and public relations are about spin. Security is not about spin. The two subjects do not mix well, especially when the dynamic of human interaction and human perspective is put into the mix (and management is nothing if not about human perspective).

Any security (physical or data) is about percentages and odds. You will never stop 100% of all intrusions because of the incredibly complex nature of technology (just as, for instance, you'll never make a device that prevents 100% of car thefts). You can implement security policies, you can implement "defense in depth", or you may implement a bomb that makes a laptop explode if an unauthorized user tries to boot it up, but there will always be the one exception who gets around your security.

If, statistically speaking, most laptops are stolen by petty thieves who want to pawn the machine, but who are not PC Technicians, then the statement that the data is "Probably not compromised based on a machine password" has merit, at least mathematically it has merit (This actually reminds me of the discussion of how large a hard drive is, based on the sales data or the technical specifications).

(Personally, I like biometric hard drives that retain security settings even if moved from machine to machine. I've also seen some products recently that will destroy the contents of a laptop if it does not connect to the corporate network within a defined period.)
Most people who make these statements aren't being intentionally misleading, they are trying to put a positive "spin" on the incident, and their meta-message is actually: "Statistically speaking, the data is unlikely to be compromised based on the specific facts of the crime". With no outside factors considered, a basic risk analysis would not find a large financial risk to the company that lost the data, and only a "minimal" risk to the individual whose data was lost (about $2500 & 40 hrs was the last figure I saw). That's why we are seeing Privacy laws: to increase the risk to the company through a fine structure, in order to make it financially attractive for the data handler to implement more expensive security measures.

So, if you wanted to ask a hardball question, you might restate that point and ask: "Apparently you've done a risk analysis. What did you find to be the actual likelihood that this particular set of data will be abused?". Follow-up questions could focus on determining if the company is even aware of the costs to the consumer who is a victim of identity theft.

I personally have found my best success at penetrating the corporate bureaucratic mindset is when I can make the employee think of himself as the victim of the theft. It's really important to try to understand the motivations of the entire team, and what their goals are. Understanding what the employees are trying to do is important, but understanding why they are trying to do it sure makes security a lot easier to design & implement.

Andy Dail
Sunoco PCI Project Manager

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.
From SSteele at infolocktech.com Mon Dec 18 10:26:05 2006
From: SSteele at infolocktech.com (Sean Steele)
Date: Mon, 18 Dec 2006 10:26:05 -0500
Subject: [Dataloss] Is dataloss becoming the next 'computer virus' trend?
Message-ID: <90D8CEF754D7D9448BA11172BB5044320454676E@orange.brnets.int>

The points you raise are good ones, perhaps the most important in this entire larger discussion.

From where I'm sitting, it appears few of these data breaches/losses are becoming, over time, either ID theft problems for the affected individuals, or corporate security calls-to-action for the organizations at fault. Many laptops in particular are stolen as targets of opportunity, for their hardware resale value (not specifically targeted for the data that may reside on them). We see few compliance or regulatory sanctions, little in the way of public flogging (the VA laptop loss being a notable exception), and an occasional slap on the wrist (e.g., MA Dept of State's whopping $25k fine against Ameriprise Financial for losing a laptop with data about 230,000 customers and financial advisers).

You're right, these losses are weekly if not daily news items. They're so commonplace, however, that I'd propose we're (collectively) becoming desensitized: we're tuning out the ongoing "noise".

I think it's clear we need a landmark tracking / longitudinal study of these breaches, their affected individuals, and ideally, the organizations in question, to assess whether there is a real crisis. There may not be, as much as we think there is or might be.

--
Sean Steele, CISSP
infoLock Technologies
703.310.6478 direct
202.270.8672 mobile
ssteele at infolocktech.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Richard Forno
Sent: Sunday, December 17, 2006 11:51 AM
To: dataloss at attrition.org
Subject: [Dataloss] Is dataloss becoming the next 'computer virus' trend?
We see these reports of data loss, laptop theft, database compromises, etc, etc, etc on a weekly, if not daily basis. Some of these are quite large, too. Yet after the initial hysteria of "yet another theft of data" story making the rounds in the media, is anyone tracking not just the number of events, but the outcome of such events over time? I can't remember too many dataloss cases that had much of a "tail" to them after the initial event was reported in the media: What happens after the organization in question notifies their victims? Does it engage in any [effective] corrective action to remedy the problem that caused the data loss? Does anyone get fired? Fined? Arrested? Do the victims sue? Do regulators (state/federal/local) get involved? Or does life just go on and the organization in question (or victims) just brush the event off as another consequence of doing business in the information age, much like dealing with the latest Windows worm/virus/trojan? Consequently, I wonder if "data loss" is fast becoming the new computer virus in terms of what I sense is a growing "routine-ness" about how the media covers such events -- especially if nothing much ever is done to deal with it by the affected entities or to hold their feet to the proverbial (and public) fire of accountability. Which raises the question, I think, of how seriously folks (companies and individuals alike) take this entire issue in a broad sense. Thoughts? -rick Infowarrior.org _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 143 million compromised records in 507 incidents over 6 years. From chris.j.brannigan at usps.gov Mon Dec 18 10:44:40 2006 From: chris.j.brannigan at usps.gov (Brannigan, Chris J - Washington, DC) Date: Mon, 18 Dec 2006 10:44:40 -0500 Subject: [Dataloss] Is dataloss becoming the next 'computer virus' trend? 
In-Reply-To: <90D8CEF754D7D9448BA11172BB5044320454676E@orange.brnets.int> Message-ID: All true, but just to add one more recent consequence, besides the MA $25K fine, the FTC Choicepoint $15M fine included $5M for consumer redress, those first letters from the FTC have finally gone out to identified ID theft victims of the Choicepoint breach... Chris Brannigan CIPP/G ----------- FTC Mails Refund Forms To ChoicePoint Data Breach Victims InformationWeek By Gregg Keizer, Dec. 7, 2006 URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=196602358 Nearly two years after data broker ChoicePoint revealed that it had sold identity information to criminals, the Federal Trade Commission on Wednesday announced it had mailed claim forms to over 1,400 victims who can now file for refunds on money they spent setting things straight. Early in 2005, ChoicePoint reported it had handed over consumers' names, addresses, Social Security numbers, and credit reports to fraudsters working out of Los Angeles County. In February 2005, it sent 145,000 notifications to residents in 50 states whose personal information may have been sold to the identity thieves in the fall of 2004. After an FTC investigation, the commission and ChoicePoint agreed to a settlement in January 2006 that, among other things, required the company to pay up to $5 million to reimburse consumers. According to the FTC, the reparation forms must be postmarked by Feb. 4 to be considered. "The amount applicants receive will depend on a number of factors, including the total number and amount of claims that the agency receives," the FTC said in a statement. Claim forms have also been posted on the FTC's Web site in both English and Spanish, and a toll-free telephone number and e-mail address have been set up to take questions from affected consumers. 
=========================== -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Sean Steele Sent: Monday, December 18, 2006 10:26 AM To: dataloss at attrition.org Subject: Re: [Dataloss] Is dataloss becoming the next 'computer virus' trend? The points you raise are good ones, perhaps the most important in this entire larger discussion. From where I'm sitting, it appears few of these data breaches/losses are becoming, over time, either ID theft problems for the affected individuals, or corporate security calls-to-action for the organizations at fault. Many laptops in particular are stolen as targets of opportunity, for their hardware resale value (not specifically targeted for the data that may reside on them). We see few compliance or regulatory sanctions, little in the way of public flogging (the VA laptop loss being a notable exception), and an occasional slap on the wrist (e.g., MA Dept of State's whopping $25k fine against Ameriprise Financial for losing a laptop with data about 230,000 customers and financial advisers). You're right, these losses are weekly if not daily news items. They're so commonplace, however, that I'd propose we're (collectively) becoming desensitized: we're tuning out the ongoing "noise". I think it's clear we need a landmark tracking / longitudinal study of these breaches, their affected individuals, and ideally, the organizations in question, to assess whether there is a real crisis. There may not be, as much as we think there is or might be. -- Sean Steele, CISSP infoLock Technologies 703.310.6478 direct 202.270.8672 mobile ssteele at infolocktech.com -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Richard Forno Sent: Sunday, December 17, 2006 11:51 AM To: dataloss at attrition.org Subject: [Dataloss] Is dataloss becoming the next 'computer virus' trend? 
We see these reports of data loss, laptop theft, database compromises, etc, etc, etc on a weekly, if not daily basis. Some of these are quite large, too. Yet after the initial hysteria of "yet another theft of data" story making the rounds in the media, is anyone tracking not just the number of events, but the outcome of such events over time? I can't remember too many dataloss cases that had much of a "tail" to them after the initial event was reported in the media: What happens after the organization in question notifies their victims? Does it engage in any [effective] corrective action to remedy the problem that caused the data loss? Does anyone get fired? Fined? Arrested? Do the victims sue? Do regulators (state/federal/local) get involved? Or does life just go on and the organization in question (or victims) just brush the event off as another consequence of doing business in the information age, much like dealing with the latest Windows worm/virus/trojan? Consequently, I wonder if "data loss" is fast becoming the new computer virus in terms of what I sense is a growing "routine-ness" about how the media covers such events -- especially if nothing much ever is done to deal with it by the affected entities or to hold their feet to the proverbial (and public) fire of accountability. Which raises the question, I think, of how seriously folks (companies and individuals alike) take this entire issue in a broad sense. Thoughts? -rick Infowarrior.org _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 143 million compromised records in 512 incidents over 6 years. From cwalsh at cwalsh.org Mon Dec 18 11:04:24 2006 From: cwalsh at cwalsh.org (Chris Walsh) Date: Mon, 18 Dec 2006 10:04:24 -0600 Subject: [Dataloss] Is dataloss becoming the next 'computer virus' trend? 
In-Reply-To: <90D8CEF754D7D9448BA11172BB5044320454676E@orange.brnets.int> References: <90D8CEF754D7D9448BA11172BB5044320454676E@orange.brnets.int> Message-ID: <20061218160410.GA30341@cwalsh.org> On Mon, Dec 18, 2006 at 10:26:05AM -0500, Sean Steele wrote: > > I think it's clear we need a landmark tracking / longitudinal study of > these breaches, their affected individuals, and ideally, the > organizations in question, to assess whether there is a real crisis. That is exactly what is needed. We have people reading this list who are in a position to know about things like fraud detection software, etc. What would it take to do such a study? Off the top of my head, we would need: 1. A master list of breached records, or the individuals to whom they relate. 2. A second group of records/individuals not known to have been breached. 3. A way to identify attempted/actual using the identifying info of those individuals. Who would/could have such data? What legal restrictions might there be against its use? In principle, this is doable -- ID Analytics took a crack at it, but their sample was one purely of convenience. > There may not be, as much as we think there is or might be. And as much as the "no reason to believe the data were accessed..." crowd would like to think there is not. Chris From chris.j.brannigan at usps.gov Mon Dec 18 11:36:20 2006 From: chris.j.brannigan at usps.gov (Brannigan, Chris J - Washington, DC) Date: Mon, 18 Dec 2006 11:36:20 -0500 Subject: [Dataloss] Is dataloss becoming the next 'computer virus' trend? In-Reply-To: <20061218160410.GA30341@cwalsh.org> Message-ID: Chris Walsh wrote: ...Off the top of my head, we would need: 1. A master list of breached records, or the individuals to whom they relate. 2. A second group of records/individuals not known to have been breached. 
-------------- IMHO, any list of names originating from any federal govt agency breach (including the VA laptop 26.5M vets) would be covered by the Privacy Act of 1974, therefore very likely unavailable for such a use. Such a disclosure would not technically be permitted under the Privacy Act, and very likely withholding the data would also come under a covered exception under FOIA. Chris Brannigan CIPP/G -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh Sent: Monday, December 18, 2006 11:04 AM To: dataloss at attrition.org Subject: Re: [Dataloss] Is dataloss becoming the next 'computer virus' trend? On Mon, Dec 18, 2006 at 10:26:05AM -0500, Sean Steele wrote: > > I think it's clear we need a landmark tracking / longitudinal study of > these breaches, their affected individuals, and ideally, the > organizations in question, to assess whether there is a real crisis. That is exactly what is needed. We have people reading this list who are in a position to know about things like fraud detection software, etc. What would it take to do such a study? Off the top of my head, we would need: 1. A master list of breached records, or the individuals to whom they relate. 2. A second group of records/individuals not known to have been breached. 3. A way to identify attempted/actual using the identifying info of those individuals. Who would/could have such data? What legal restrictions might there be against its use? In principle, this is doable -- ID Analytics took a crack at it, but their sample was one purely of convenience. > There may not be, as much as we think there is or might be. And as much as the "no reason to believe the data were accessed..." crowd would like to think there is not. 
Chris _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 143 million compromised records in 512 incidents over 6 years. From blitz at strikenet.kicks-ass.net Mon Dec 18 13:46:49 2006 From: blitz at strikenet.kicks-ass.net (blitz) Date: Mon, 18 Dec 2006 13:46:49 -0500 Subject: [Dataloss] [follow-up] Boeing fires employee whose laptop was stolen In-Reply-To: <8CA58E707BB1C44385FA71D02B7A1C8EC70876@mds3aex0e.USISUNOCOINC.com> References: <8CA58E707BB1C44385FA71D02B7A1C8EC70876@mds3aex0e.USISUNOCOINC.com> Message-ID: <7.0.1.0.2.20061218133416.051bd7a8@strikenet.kicks-ass.net> >A moot point to the corporate mindset, the question they should need >to be asking themselves, is "Can I afford 5 years in prison and a >$100,000 fine" for NOT using best of breed technology to secure PII >data. Can I PROVE due diligence in a court of law? >Corporate clones only care about the bottom line, the effects of >their misdeeds or incompetence are immaterial without teeth. They >don't give a rat's rectum about the effects on anyone but >themselves. Bad PR blows over. Thus we have to make the possibility >of them getting VERY screwed over VERY real, or few will take it >seriously. The lack of what happened to the "fired employee's" BOSS >is the salient point here, they found a sacrificial lamb, oh >well....the corporate policy on security etc. is what merits public >scrutiny. THAT's managerial and missing from the story. When we find >mid-level managers going to a jail cell, then the problem MIGHT be >taken seriously. >Follow-up questions could focus on determining if the company is even >aware of the costs to the consumer who is a victim of identity theft. I >personally have found my best success at penetrating the corporate >bureaucratic mindset is when I can make the employee think of himself as >the victim of the theft. 
> >It's really important to try to understand the motivations of the entire >team, and what their goals are. Understanding what the employees are >trying to do is important, but understanding why they are trying to do it sure >makes security a lot easier to design & implement. > >Andy Dail >Sunoco PCI Project Manager -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20061218/d3a5e8aa/attachment-0001.html From blitz at strikenet.kicks-ass.net Mon Dec 18 13:57:13 2006 From: blitz at strikenet.kicks-ass.net (blitz) Date: Mon, 18 Dec 2006 13:57:13 -0500 Subject: [Dataloss] Is dataloss becoming the next 'computer virus' trend? Message-ID: <7.0.1.0.2.20061218135658.051c3fd0@strikenet.kicks-ass.net> Perhaps we need to be taking a larger look here as well, it's high time the US enact Draconian privacy laws, much like the EU has to protect ourselves from the top down. Many of these "unknown" companies who have access to our most private information need to be shut down, or curtailed severely as well. The remainder need to be managed in a "Secret" to "Top Secret" security atmosphere, including logs of each and every access and for what reason and accountability to the people whose data they hold. I believe much evil would then be either curtailed or exposed. Much like the illegal alien problem here in the US, too many people are making too much money from violating the laws, and what should be a foregone assumption (privacy) needs to be codified. >We see few compliance or regulatory sanctions, little in the way of >public flogging (the VA laptop loss being a notable exception), and an >occasional slap on the wrist (e.g., MA Dept of State's whopping $25k >fine against Ameriprise Financial for losing a laptop with data about >230,000 customers and financial advisers). > >You're right, these losses are weekly if not daily news items. 
They're >so commonplace, however, that I'd propose we're (collectively) becoming >desensitized: we're tuning out the ongoing "noise". > >I think it's clear we need a landmark tracking / longitudinal study of >these breaches, their affected individuals, and ideally, the >organizations in question, to assess whether there is a real crisis. >There may not be, as much as we think there is or might be. > >-- >Sean Steele, CISSP >infoLock Technologies >703.310.6478 direct >202.270.8672 mobile >ssteele at infolocktech.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20061218/92f7e48c/attachment.html From lyger at attrition.org Tue Dec 19 13:00:53 2006 From: lyger at attrition.org (lyger) Date: Tue, 19 Dec 2006 13:00:53 -0500 (EST) Subject: [Dataloss] (Update) Data on local cancer patients lost in Ohio computer theft Message-ID: (This is related to the previously reported Geisinger Health Systems / Electronic Registry Systems breach of November 23) http://www.ashlandcitytimes.com/apps/pbcs.dll/article?AID=/20061219/COUNTY090101/61219011 A computer containing records of former cancer patients at Williamson Medical Center was stolen late last month from a Cincinnati company that helps the hospital manage its cancer registry data. The hospital announced yesterday that it has mailed letters to about 1,000 former cancer patients informing them of the theft and the possible breach of their private health records. The computer, containing records from five hospitals including Williamson Medical, was stolen in a Nov. 23 burglary of the offices of Electronic Registry Systems Inc. of Cincinnati. Other hospitals affected are in Georgia, Pennsylvania and Ohio. [...] 
From Dissent at pogowasright.org Tue Dec 19 22:44:23 2006 From: Dissent at pogowasright.org (Dissent) Date: Tue, 19 Dec 2006 22:44:23 -0500 (EST) Subject: [Dataloss] Security breach affects about 2,400 MSU students, workers Message-ID: http://www.clarionledger.com/apps/pbcs.dll/article?AID=/20061219/NEWS/61219032 Social Security numbers and other private information from about 2,400 Mississippi State University students and employees were "inadvertently" posted on a publicly accessible Web site, the university said Tuesday. Everyone who was affected has been sent a letter explaining the situation and will be offered free credit monitoring service for one year, the university said. [...] -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss From Dissent at pogowasright.org Wed Dec 20 15:22:27 2006 From: Dissent at pogowasright.org (Dissent) Date: Wed, 20 Dec 2006 15:22:27 -0500 (EST) Subject: [Dataloss] Report: Privacy breach limited on Big Foot Web site Message-ID: http://www.gazetteextra.com/bigfootwebsite122006.asp WALWORTH - It appears that no one outside Big Foot High School saw personal information that accidentally was posted on the school's Web site, according to a summary report released by the school board Tuesday. [...] On Oct. 18, Nykl was trying to post financial information on the district Web site, including cost of individual teacher and staff salaries and benefits. Nykl didn't know that personal information, such as Social Security numbers and dates of birth, was attached. Salary and benefit information is open to the public; the other information is not. Social Security numbers, last names and years of birth of 87 current and former employees were published on the Internet. [...] 
-- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss From lyger at attrition.org Wed Dec 20 15:26:52 2006 From: lyger at attrition.org (lyger) Date: Wed, 20 Dec 2006 15:26:52 -0500 (EST) Subject: [Dataloss] E-problem puts library patrons' info on Internet Message-ID: http://www.mlive.com/news/muchronicle/index.ssf?/base/news-10/1166631362312200.xml&coll=8 A technical problem on the Lakeland Library Cooperative Web site made available personal information of more than 15,000 patrons across West Michigan on the Internet. Information that was displayed included names, phone numbers, e-mail addresses, street addresses and library card numbers of library patrons registered on the site. Minors were also indicated on the spreadsheet type document by a listing of parents' names. [...] From Dissent at pogowasright.org Wed Dec 20 15:32:44 2006 From: Dissent at pogowasright.org (Dissent) Date: Wed, 20 Dec 2006 15:32:44 -0500 (EST) Subject: [Dataloss] E-problem puts library patrons' info on Internet Message-ID: http://www.mlive.com/news/muchronicle/index.ssf?/base/news-10/1166631362312200.xml&coll=8 A technical problem on the Lakeland Library Cooperative Web site made available personal information of more than 15,000 patrons across West Michigan on the Internet. Information that was displayed included names, phone numbers, e-mail addresses, street addresses and library card numbers of library patrons registered on the site. Minors were also indicated on the spreadsheet type document by a listing of parents' names. "(Our systems manager) thinks there was a software malfunction," said Martha McKee, interim director of the Lakeland Cooperative Library. "They fixed that, so the information is not accessible anymore." [...] 
-- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss From ziplock at pogowasright.org Wed Dec 20 18:42:50 2006 From: ziplock at pogowasright.org (ziplock) Date: Wed, 20 Dec 2006 18:42:50 -0500 (EST) Subject: [Dataloss] Man suspected of stealing identities of almost 90 MLB players Message-ID: http://www.belleville.com/mld/belleville/news/politics/16284627.htm A 38-year-old Chicago man was charged with stealing the identities of 27 Lake County residents, and is suspected of stealing the identities of almost 90 Major League Baseball players, according to Lake County authorities. David Dright faces 27 counts of identity theft involving "ordinary people" who live in Lake County, said Patricia Fix, chief deputy of the high-tech crime unit for the Lake County state's attorney's office. A search of Dright's home Tuesday turned up personal information on retired and current ball players, including Chicago White Sox slugger Jim Thome and New York Mets outfielder Moises Alou, Fix said. The information apparently came from trash bins outside Northbrook, Ill.-based SFX Baseball Inc., a sports agency that deals with Major League Baseball. Dright allegedly went into trash bins outside SFX and took the personal information, Fix said. Evidence was found inside Dright's apartment after another man complained that Dright stole his identity, she said. [...] From Dissent at pogowasright.org Thu Dec 21 08:51:32 2006 From: Dissent at pogowasright.org (Dissent) Date: Thu, 21 Dec 2006 08:51:32 -0500 (EST) Subject: [Dataloss] Stolen server holds 2,500 Social Security numbers Message-ID: http://www.mercurynews.com/mld/mercurynews/news/local/states/california/peninsula/16289017.htm A computer stolen from Santa Clara County's employment agency contained the Social Security numbers of 2,500 people who are being advised to take steps to protect themselves from identity theft. 
The risk to clients is not believed to be high because the information was encrypted by passwords, according to a statement from the county. Only those who have used the PESCO software to assess their job skills are affected. The theft was discovered last week and reported to police Friday. Three computer servers were stolen from an unoccupied building undergoing construction. Because of electrical work, the power had been turned off and the alarm was not working. Two of the servers did not contain client information; the third server did. The information included names, Social Security numbers and job skill assessments, but not addresses or telephone numbers. The county is notifying affected clients. -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss From Dissent at pogowasright.org Thu Dec 21 09:00:48 2006 From: Dissent at pogowasright.org (Dissent) Date: Thu, 21 Dec 2006 09:00:48 -0500 (EST) Subject: [Dataloss] A vast e-wasteland: Are your digital secrets for sale? Message-ID: http://www.bradenton.com/mld/bradenton/news/world/16289389.htm LAGOS, Nigeria - Computer files on these American high school students are private and revealing. Some of the students have learning disabilities. Many scored low on tests. One suffered a brain injury as a child, and another ran with gangs, according to California school records that include names, birth dates and family details. More computer files, these from an elementary school in Virginia, contain what a security expert called "the Holy Grail" for identity thieves seeking to score: teachers' Social Security numbers, addresses and phone numbers. All of this sensitive information was discovered in an unlikely place: on discarded computers for sale in Nigeria, a cyber-crime capital of the world. [...] 
-- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss From Dissent at pogowasright.org Thu Dec 21 09:06:16 2006 From: Dissent at pogowasright.org (Dissent) Date: Thu, 21 Dec 2006 09:06:16 -0500 (EST) Subject: [Dataloss] Nissan Investigation Concerning Customer Information Message-ID: http://www.autospectator.com/modules/news/article.php?storyid=7208 December 21, 2006 -- On October 30th 2006, the Japanese weekly magazine "The Weekly Asahi" ran a story concerning the leak of a database containing personal information on Nissan customers. Although Nissan was unable to obtain a copy of the alleged database from the magazine, the company has conducted a thorough investigation of this matter. The following is a summary of the key findings: * Based on the limited information supplied by the magazine, Nissan has been unable to match that database with one that exists inside the company. * Although the alleged outside database does not match with our own internal database, our investigation has identified certain matching items that could have only been sourced from inside the company. * Based on our extensive research, Nissan has been able to identify that certain internal data may have been sourced from an old customer database. These findings are supported through vehicle model codes (model type, base, class etc.) that are exclusively used inside the company. * From the data investigations, we have concluded that the most likely timing for the leak to have occurred was between May 2003 and February 2004. Nissan's investigations have been conducted through the engagement of a third-party research company. Based on our findings and available information, we have taken the precautionary measure to notify all potentially affected customers whose information could have been found on this old database. 
Accordingly, Nissan has sent letters to 5,379,909 customers clarifying the situation and apologizing for any inconvenience caused. [...] -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss From jericho at attrition.org Thu Dec 21 09:11:46 2006 From: jericho at attrition.org (security curmudgeon) Date: Thu, 21 Dec 2006 09:11:46 -0500 (EST) Subject: [Dataloss] Establish a strategy for security breach notification (fwd) Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.zdnet.com.au/insight/security/soa/Establish_a_strategy_for_security_breach_notification/0,139023764,339272771,00.htm By Michael Mullins CCNA, MCP 21 December 2006 Even if your organisation takes every possible precaution to protect its data, a security breach is often inevitable. What do you do if it happens? Mike Mullins offers some pointers for notifying those affected. News broke recently about one of the largest known security breaches at a university. A database break-in at the University of California, Los Angeles has reportedly exposed the private information of about 800,000 people. While this is the latest in a long line of similar stories, don't let the huge number of potential victims sway your attention. When it comes to security breaches, it's important to remember that old adage about quality vs. quantity. Data breaches aren't just about a hacker breaking into a network and stealing information. In fact, they come in all shapes and sizes: * A data breach can occur with a lost or stolen laptop that has someone's social security number. * A data breach can occur with a lost BlackBerry that has personal information about employees or customers. * A data breach can occur with a fax that includes financial information that's thrown away instead of shredded. 
In other words, a data breach can happen any time an unauthorised individual has access to sensitive or private information. It's important to remember that a variety of factors can lead to this exposure. Regardless of size, every network will experience some form of data breach at some point. And users are becoming increasingly savvy about identity theft and sensitive to the long-term damage it can cause to their finances. So when the inevitable data breach happens, what do you do? Establishing notification procedures in advance will help you better deal with the problem when it occurs. Planning now will help mitigate the damage from a customer/employee relationship standpoint later -- and it's the right thing to do. When a data breach occurs, you obviously need to notify those affected. You definitely do not want to tell people that someone accessed their personal information in an e-mail. Users could easily mistake such an e-mail as a phishing attempt and delete it without reading it. While this is the electronic age, there's a better method for delivering the bad news -- snail mail. The postal service will ensure delivery to the person -- and usually even if they've moved to another address. Deciding how to notify people is the easy part -- deciding what should go in that notification can be a lot trickier. First of all, describe what happened. Don't give out information that could compromise the investigation, but do tell people in nontechnical terms how it happened as well as what information the breach exposed or lost. Tell them what your organisation is doing to remedy the situation, and make sure you include contact information. If identity theft is a possibility, explain how they can try to protect themselves. Tell people how to contact the credit reporting agencies to put a fraud alert on their accounts. In addition, the Identity Theft Resource Center is an excellent source of information. 
Include a link to the Web site in your correspondence, and encourage people to take active steps to protect their financial information. If law enforcement is involved in the case, provide the contact information for the officer working the case, as well as the case report number. This is information people may need to repair credit or obtain a job if they become a victim due to the breach. Finally, if the breach is wide enough, contact the credit reporting agencies first to determine whether identity theft is taking place as a result of the breach. If you uncover evidence of identity theft, offer some form of credit monitoring service in the notification. This could mitigate the damage done to both the individual and your company. Final thoughts While your organisation should take every security precaution to protect its data, a security breach is often inevitable. Too much information stored in too many places provides too much temptation. Losing control of someone's personal, privacy, or financial information can put your company at risk in many ways. How you handle the loss after the fact will speak volumes to your employees and customers (both current and future). Developing some simple procedures before a loss occurs and implementing them when it happens can go a long way to mitigating the damage. From jim.richards at dot.state.wi.us Thu Dec 21 10:57:23 2006 From: jim.richards at dot.state.wi.us (Richards, Jim) Date: Thu, 21 Dec 2006 09:57:23 -0600 Subject: [Dataloss] Stolen server holds 2,500 Social Security numbers Message-ID: 'Encrypted by password' makes me nervous... That would be the vague CYA that PR people would say, when it is merely unencrypted, yet 'protected' by passwords. 
James Richards Computer Security Officer Wisconsin Department of Transportation -----Original Message----- From: Dissent [mailto:Dissent at pogowasright.org] Sent: Thursday, December 21, 2006 7:52 AM To: dataloss at attrition.org Subject: [Dataloss] Stolen server holds 2,500 Social Security numbers http://www.mercurynews.com/mld/mercurynews/news/local/states/california/peninsula/16289017.htm A computer stolen from Santa Clara County's employment agency contained the Social Security numbers of 2,500 people who are being advised to take steps to protect themselves from identity theft. The risk to clients is not believed to be high because the information was encrypted by passwords, according to a statement from the county. Only those who have used the PESCO software to assess their job skills are affected. The theft was discovered last week and reported to police Friday. Three computer servers were stolen from an unoccupied building undergoing construction. Because of electrical work, the power had been turned off and the alarm was not working. Two of the servers did not contain client information; the third server did. The information included names, Social Security numbers and job skill assessments, but not addresses or telephone numbers. The county is notifying affected clients. -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 143 million compromised records in 512 incidents over 6 years. 
From cwalsh at cwalsh.org Thu Dec 21 15:46:21 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 21 Dec 2006 14:46:21 -0600
Subject: [Dataloss] Nissan Investigation Concerning Customer Information
In-Reply-To:
References:
Message-ID: <20061221204546.GA10593@cwalsh.org>

The article doesn't say (unless I somehow missed it) what the personal info was. If anyone knows, can you please provide a pointer?

Thanks.

Chris

On Thu, Dec 21, 2006 at 09:06:16AM -0500, Dissent wrote:
> http://www.autospectator.com/modules/news/article.php?storyid=7208
>
> December 21, 2006 -- On October 30th 2006, the Japanese weekly
> magazine "The Weekly Asahi" ran a story concerning the leak of a
> database containing personal information on Nissan customers. Although
> Nissan was unable to obtain a copy of the alleged database from the
> magazine, the company has conducted a thorough investigation of this
> matter.

From Dissent at pogowasright.org Thu Dec 21 20:45:21 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 21 Dec 2006 20:45:21 -0500 (EST)
Subject: [Dataloss] [follow-up] USC Hacker Gets 6 Months Of Home Detention
Message-ID:

http://cbs2.com/topstories/local_story_355195822.html

A 24-year-old computer security expert was sentenced Thursday to six months of home detention under electronic monitoring for hacking into USC's application system and accessing personal information about would-be students.

[...]

The database contained about 270,000 records with names and Social Security numbers, according to USC. Prosecutors have said that shortly after hacking into USC's computers in June 2005, McCarty posted a comment on his blog stating "USC Got Hacked, I was involved, I'm sorry, my bad, so all the hot USC girls, I got your phone number ladies ..." On McCarty's home computer, federal investigators found that he had downloaded files containing data about seven people.
In addition to names and Social Security numbers, the records included addresses and dates of birth, according to the government.

[...]

From Dissent at pogowasright.org Fri Dec 22 12:40:20 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 22 Dec 2006 12:40:20 -0500 (EST)
Subject: [Dataloss] Bank says customer data may have been stolen
Message-ID:

http://www.charleston.net/assets/webPages/departmental/news/Stories.aspx?section=business&tableId=123519&pubDate=12/22/2006

Bank of America, one of the region's largest financial institutions, said this week that Social Security numbers and other information about an undisclosed number of its Charleston-area customers may have been stolen.

The Charlotte-based financial giant declined to say how many people were affected or what areas they live in, but it said it has notified all of them of the suspected breach in writing. The ill-gotten personal information also includes names, addresses and telephone numbers, the company said.

[...]

From Dissent at pogowasright.org Fri Dec 22 12:42:13 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 22 Dec 2006 12:42:13 -0500 (EST)
Subject: [Dataloss] Bag of 700 passport forms goes missing
Message-ID:

http://deseretnews.com/dn/view/0,1249,650217060,00.html

A bag of about 700 passport applications is missing and a handful of Utahns are among the impacted applicants. The bag was reported missing by the U.S. State Department on Dec. 1, when the applications were supposed to be shipped by commercial air from Los Angeles to the State Department's Passport Center in Charlotte, N.C.
"We've conducted a pretty comprehensive search," said Steve Royster, spokesman for consular affairs with the State Department. "We're continuing to work at locating them."

[...]

Many of the applications listed detailed personal information, such as a Social Security number, address and phone number. Schneider's son included his old passport and original birth certificate with his application.

[...]

From Dissent at pogowasright.org Sat Dec 23 00:30:20 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 23 Dec 2006 00:30:20 -0500 (EST)
Subject: [Dataloss] Personal data of 15,000 TWU students made vulnerable
Message-ID:

http://www.pegasusnews.com/news/2006/dec/22/personal-data-15000-twu-students-made-vulnerable/

In the wake of this recent potential personal data nightmare at UT Dallas, comes one at Texas Woman's University. From a school release:

Texas Woman's University is notifying approximately 15,000 students that their personal data has been exposed to potential identity theft. The personal data of all students who were enrolled at TWU in the calendar year 2005 was exposed. The personal data includes names, addresses and Social Security Numbers. This exposure affects the university's three campuses in Denton, Dallas and Houston.

University officials discovered earlier this week that IRS 1098-T Tuition Statement data for 2005 was transmitted to an outside vendor via a non-secure connection. The data was briefly exposed only during transmission and is now secure. At this time TWU has no indication that this data has been accessed or used by anyone. However, the university recognizes the seriousness of this exposure and the need to inform the affected students as quickly as possible.

[...]
From Dissent at pogowasright.org Sat Dec 23 00:52:09 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 23 Dec 2006 00:52:09 -0500 (EST)
Subject: [Dataloss] Personal Info. of Faculty and Students Appeared on Yahoo
Message-ID:

http://www.ksl.com/?nid=148&sid=750672

A security breach at Utah Valley State College has potentially left thousands of students and faculty at risk. Personal information, including Social Security numbers, started to show up on Yahoo's search engine in November. The information has since been removed from UVSC's servers.

The compromised data pertains only to Distance Education instructors and students enrolled in UVSC courses between January 2002 and January 2005. Not all faculty and students during that time were affected.

From ziplock at pogowasright.org Sat Dec 23 13:19:08 2006
From: ziplock at pogowasright.org (ziplock)
Date: Sat, 23 Dec 2006 13:19:08 -0500 (EST)
Subject: [Dataloss] CITY WORKERS IN ID FEAR OVER DATA THEFT
Message-ID:

http://www.nypost.com/seven/12232006/news/regionalnews/city_workers_in_id_fear_over_data_theft_regionalnews_david_seifman.htm

December 23, 2006 -- A major health insurer has delivered a gloomy holiday message to 42,000 city employees, warning that their personal data may have been compromised during a burglary in Massachusetts, The Post has learned.

Group Health Insurance Inc. reported that thieves made off with computer tapes containing the names, Social Security numbers "as well as other data" in a break-in at the office of one of its vendors, Concentra Preferred Systems, on Oct. 26.
"Other businesses within the same building were broken into and a number of items in addition to the lock box [with the computer tapes], including cash and other valuables, were taken," GHI said in its Dec. 15 letter. "Based upon the items stolen, there is no reason to believe that the computer data was targeted and that this was anything other than a common break-in."

Officials said the stolen computer tapes could be read only on commercial equipment equipped with special software.

Concentra also provided auditing services for Aetna Inc., which said personal data for about 130,000 clients nationwide had been breached.

One city employee said he was furious at GHI for not offering to pay for credit monitoring. "I'm really somewhat outraged by the whole thing," he said.

GHI spokeswoman Ilene Margolin said it's "highly unlikely" anyone could access the stolen tapes, but city employees with concerns could contact GHI's compliance and privacy officer, Mitchell Goldberg, to obtain added security for their accounts.

From rforno at infowarrior.org Mon Dec 25 23:50:26 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 25 Dec 2006 23:50:26 -0500
Subject: [Dataloss] Justice Dept. Database Stirs Privacy Fears
Message-ID:

Justice Dept. Database Stirs Privacy Fears
Size and Scope of the Interagency Investigative Tool Worry Civil Libertarians

http://www.washingtonpost.com/wp-dyn/content/article/2006/12/25/AR2006122500483_pf.html

By Dan Eggen
Washington Post Staff Writer
Tuesday, December 26, 2006; A07

The Justice Department is building a massive database that allows state and local police officers around the country to search millions of case files from the FBI, Drug Enforcement Administration and other federal law enforcement agencies, according to Justice officials.

The system, known as "OneDOJ," already holds approximately 1 million case records and is projected to triple in size over the next three years, Justice officials said.
The files include investigative reports, criminal-history information, details of offenses, and the names, addresses and other information of criminal suspects or targets, officials said.

The database is billed by its supporters as a much-needed step toward better information-sharing with local law enforcement agencies, which have long complained about a lack of cooperation from the federal government.

But civil-liberties and privacy advocates say the scale and contents of such a database raise immediate privacy and civil rights concerns, in part because tens of thousands of local police officers could gain access to personal details about people who have not been arrested or charged with crimes.

The little-noticed program has been coming together over the past year and a half. It already is in use in pilot projects with local police in Seattle, San Diego and a handful of other areas, officials said. About 150 separate police agencies have access, officials said.

But in a memorandum sent last week to the FBI, U.S. attorneys and other senior Justice officials, Deputy Attorney General Paul J. McNulty announced that the program will be expanded immediately to 15 additional regions and that federal authorities will "accelerate . . . efforts to share information from both open and closed cases."

Eventually, the department hopes, the database will be a central mechanism for sharing federal law enforcement information with local and state investigators, who now run checks individually, and often manually, with Justice's five main law enforcement agencies: the FBI, the DEA, the U.S. Marshals Service, the Bureau of Prisons and the Bureau of Alcohol, Tobacco, Firearms and Explosives. Within three years, officials said, about 750 law enforcement agencies nationwide will have access.

In an interview last week, McNulty said the goal is to broaden the pool of data available to local and state investigators beyond systems such as the National Crime Information Center, the FBI-run repository of basic criminal records used by police and sheriff's deputies around the country. By tapping into the details available in incident reports, interrogation summaries and other documents, investigators will dramatically improve their chances of closing cases, he said.

"The goal is that all of U.S. law enforcement will be able to look at each other's records to solve cases and protect U.S. citizens," McNulty said. "With OneDOJ, we will essentially hook them up to a pipe that will take them into its records."

McNulty and other Justice officials emphasize that the information available in the database already is held individually by the FBI and other federal agencies. Much information will be kept out of the system, including data about public corruption cases, classified or sensitive topics, confidential informants, administrative cases and civil rights probes involving allegations of wrongdoing by police, officials said.

But civil-liberties and privacy advocates -- many of whom are already alarmed by the proliferation of federal databases -- warn that granting broad access to such a system is almost certain to invite abuse and lead to police mistakes.

Barry Steinhardt, director of the Technology and Liberty Project at the American Civil Liberties Union, said the main problem is one of "garbage in, garbage out," because case files frequently include erroneous or unproved allegations.

"Raw police files or FBI reports can never be verified and can never be corrected," Steinhardt said. "That is a problem with even more formal and controlled systems. The idea that they're creating another whole system that is going to be full of inaccurate information is just chilling."

Steinhardt noted that in 2003, the FBI announced that it would no longer meet the Privacy Act's accuracy requirements for the National Crime Information Center, its main criminal-background-check database, which is used by 80,000 law enforcement agencies across the country.

"I look at this system and imagine it will raise many of the same questions that the whole information-sharing approach is raising across the government," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based group that has criticized many of the government's data-gathering policies.

"Information that's collected in the law enforcement realm can find [its way] into other arenas and be abused very easily," Rotenberg said.

McNulty and other officials said the data compiled under OneDOJ would be subject to the same civil-liberties and privacy oversight as any other Justice Department database. A coordinating committee within Justice will oversee the database and other information-sharing initiatives, according to McNulty's memo.

Gene Voegtlin, legislative counsel for the Arlington-based International Association of Chiefs of Police, said his group welcomes any initiatives to share more data with local law enforcement agencies.

"The working partnership between the states and the feds has gotten much better than the pre-9/11 era," Voegtlin said. "But we're still overcoming a lot of issues, both functional and organizational . . . so we're happy to see DOJ taking positive steps in that area."

From macwheel99 at sigecom.net Wed Dec 27 00:04:34 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Tue, 26 Dec 2006 23:04:34 -0600
Subject: [Dataloss] Nissan Investigation Concerning Customer Information
In-Reply-To: <20061221204546.GA10593@cwalsh.org>
References: <20061221204546.GA10593@cwalsh.org>
Message-ID: <6.2.1.2.0.20061226224234.02883210@mail.sigecom.net>

I checked a few other stories for additional info.

Forbes says about 5.38 min customers affected.
Is "min" a misprint?
http://www.forbes.com/markets/feeds/afx/2006/12/21/afx3276888.html

According to the original source shared, the number of customers notified was 5,379,909.
http://www.autospectator.com/modules/news/article.php?storyid=7208

Perhaps the original source "The Weekly Asahi" has key data not given in later stories.

>The information includes customer name, gender, birth date, address,
>telephone number, car model owned and license plate.

>After the Shukan Asahi article appeared, three customers contacted the
>company with questions about fake bills they received and whether that had
>any connection with the data leakage, officials said.

There's more followup info here if you are interested.
http://www.asahi.com/english/Herald-asahi/TKY200612230133.html

, you wrote:
>The article doesn't say (unless I somehow missed it) what the personal info
>was. If anyone knows, can you please provide a pointer?
>
>Thanks.
>
>Chris

From macwheel99 at sigecom.net Tue Dec 26 23:39:39 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Tue, 26 Dec 2006 22:39:39 -0600
Subject: [Dataloss] Deaconess hospital (Evansville Indiana) laptop missing
Message-ID: <6.2.1.2.0.20061226222531.02880da0@mail.sigecom.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20061227/0fc84f03/attachment.html

From Dissent at pogowasright.org Wed Dec 27 16:25:52 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 27 Dec 2006 16:25:52 -0500 (EST)
Subject: [Dataloss] University apologizes for mistakenly sharing student information
Message-ID:

http://www.helenair.com/articles/2006/12/27/montana/000university.txt

Montana State University has sent letters of apology to more than 250 students whose names and Social Security numbers were mistakenly shared with other students.

Eight students each mistakenly received a list of 30 or so students' names and Social Security numbers, school officials said.
School administrators said they do not believe the information was misused, but alerted the 259 students after being unable to immediately reach all of the eight who received the information.

[...]

Humberger said the mistake occurred when a student working in the MSU loan office mailed out packets to eight students who had paid off their student loans. Each packet contained the contents of each student's file, with the original promissory note marked as paid. But each packet also contained an alphabetical list of 30 or so other students with loans. The name of the packet recipient was highlighted.

[...]

From Dissent at pogowasright.org Thu Dec 28 12:39:28 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 28 Dec 2006 12:39:28 -0500 (EST)
Subject: [Dataloss] [update] Bag With Passport Applications Headed To Charlotte Is Found
Message-ID:

http://www.wsoctv.com/news/10622504/detail.html

SALT LAKE CITY -- A bag with hundreds of passport applications was found at Los Angeles International Airport, nearly a month after it was supposed to be shipped to a processing center in Charlotte, N.C.

"The applications appear to be intact and undamaged," said Kate Goggin, spokeswoman for consular affairs at the U.S. State Department.

[...]
From Dissent at pogowasright.org Fri Dec 29 12:07:07 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 29 Dec 2006 12:07:07 -0500 (EST)
Subject: [Dataloss] [update] Wesco credit card fraud case still under investigation
Message-ID:

http://www.grandhaventribune.com/paid/299204692597690.bsp

Federal officials are still trying to crack the credit card fraud case that apparently stemmed from late-summer purchases at Wesco fuel stations. They're also stepping up the pace to prevent identity-theft infractions in the future.

[...]

Murray said there is no reason to believe Wesco officials or employees had any part in the recent alleged credit card scam.

[...]

Wesco worked with U.S. Secret Service agents and the U.S. Attorney's office to identify possible fraud and identity theft that allegedly occurred between July 25 and Sept. 7 at some of the company's 51 Michigan facilities. Wesco spokeswoman Ginny Seyferth said Thursday that there have been no incidents of questionable credit card activity since Sept. 7.

Some Tri-Cities residents experienced credit card statement charges during that timeframe from as far away as Tokyo, Spain and New York for purchases they denied making.

Although Murray said he wasn't allowed to disclose details of the investigation, he said the fraudulent charges totaled more than $3 million, which would be one of the largest heists to occur during such a short time period.

"There have been some abusers identified," said Murray, who last month said several suspects were in custody. "We are taking steps to see if they can be interviewed, but they aren't necessarily the type of people who want to help law enforcement. We have no indication it was an inside job."

[...]
From Dissent at pogowasright.org Sat Dec 30 01:21:05 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 30 Dec 2006 01:21:05 -0500 (EST)
Subject: [Dataloss] [update] No ID theft in Capo break-in
Message-ID:

http://www.ocregister.com/ocregister/homepage/abox/article_1401231.php

No cases of identity theft have been reported since five computers were stolen from the Capistrano Unified School District office in an October burglary, officials said.

[...]

From Dissent at pogowasright.org Sat Dec 30 01:24:28 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 30 Dec 2006 01:24:28 -0500 (EST)
Subject: [Dataloss] Tax mailing has Social Security numbers visible
Message-ID:

http://www.jsonline.com/story/index.aspx?id=547475

When Wisconsin taxpayers pull their packets of 2006 state income tax forms out of their mailboxes, tens of thousands of them will see something even less welcome than the annual reminder of how much money they owe to Madison.

They'll see their Social Security numbers, printed right on the outside of the booklets - where identity thieves might be able to see them.

About 170,000 tax booklets were mailed with Social Security numbers on the address labels because of a computer programming error at a printing company hired by the state, Meredith Helgerson, spokeswoman for the state Department of Revenue, said Friday. That's about 15% of the 1.1 million booklets mailed out to individual taxpayers who file their returns by mail, she said.

[...]