From rforno at infowarrior.org Wed Feb 1 00:17:30 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 01 Feb 2006 00:17:30 -0500
Subject: [Dataloss] Globe and Worcester T&G customer credit info mistakenly released

Globe and Worcester T&G customer credit info mistakenly released
By Robert Gavin, Globe Staff | January 31, 2006
http://www.boston.com/news/local/massachusetts/articles/2006/01/31/globe_and_worcester_tg_customer_credit_info_mistakenly_released?mode=PF

Credit and bank card numbers of as many as 240,000 subscribers of The Boston Globe and Worcester Telegram & Gazette were inadvertently distributed with bundles of T&G newspapers on Sunday, officials of the newspapers said Tuesday.

The confidential information was on the back of paper used in wrapping newspaper bundles for distribution to carriers and retailers. As many as 9,000 bundles of the T&G, wrapped in paper containing subscribers' names and their confidential information, were distributed Sunday to 2,000 retailers and 390 carriers in the Worcester area, said Alfred S. Larkin Jr., spokesman for the Globe.

In addition, routing information for personal checks of 1,100 T&G subscribers also may have been inadvertently released.

The Globe and T&G, which are both owned by The New York Times Co., share a computer system.

The release of the data is another in a long list of high-profile incidents in which companies, universities, and federal and state agencies have had sensitive financial information lost or stolen.

Globe and T&G officials said the newspapers have notified the four major credit card companies - American Express, Discover, MasterCard, and Visa - of the problem. The newspapers will turn over the card numbers of subscribers who may have been affected to the companies upon request. As of last night, Mastercard and Visa have asked for the details. The newspapers are doing the same thing with banks of customers who may be affected.
About 227,000 Globe subscribers pay by credit or bank cards, although it's unclear exactly how many had their information released. Larkin, however, said a reconstruction of the errors that took place suggests a majority of those affected are Globe subscribers.

The newspapers have also set up a hot line, 1-888-665-2644, for customers to call to learn whether their financial information may have been distributed. As an extra precaution, newspaper officials also urged subscribers to contact their credit card companies if they are concerned about unauthorized transactions. So far, newspaper officials said, there have been no reports that the financial information has been misused.

In a letter to subscribers in Wednesday's Globe, Richard H. Gilman, the paper's publisher, said, "We deeply value the trust our subscribers place in us and are working diligently to remedy this situation. Immediate steps have been taken internally at the Globe and the Telegram & Gazette to increase security around credit card reporting. We regret the disruption and inconvenience that this incident may cause."

The T&G's publisher, Bruce Bennett, issued similar comments in Wednesday's T&G.

According to the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group in San Diego, more than 100 incidents of lost or stolen financial information were reported over the past year. Among them: Bank of America Corp., which lost computer data tapes containing personal information of 1.2 million federal employees, including some senators; Ameritrade, the on-line discount broker, which said it lost a back-up computer tape containing the personal information of some 200,000 customers; and the US Air Force, which confirmed that personal data of 33,000 officers and enlisted personnel were hacked from an online system.

Beth Givens, director of the Privacy Rights Clearinghouse, said the T&G incident - which she called "most unusual" because of how it happened - underscores the need for companies to focus on more than just online security to protect the sensitive information of customers, clients, and employees.

"What we've learned is there are many ways that sensitive information is exposed," Givens said. "Every entity needs to examine all the ways it uses information and develop security safeguards that go far beyond the computer system."

Larkin said the newspapers were first notified of the security breach on Monday by a clerk at a Cumberland Farms store. It took until late Monday for officials to confirm the data on the back of the paper were credit and debit card numbers. Senior management learned of the security breach Tuesday morning, Larkin said. The company put out a news release late Tuesday afternoon.

The Globe and T&G financial information was inadvertently released when print-outs with the confidential information were recycled for use as so-called "toppers" for newspaper bundles. A topper, placed on top of a bundle of newspapers, is inscribed with the quantity of papers in each bundle and the carrier's route number.

Officials of the newspapers said they are recovering as many of the toppers as possible, although most have likely been discarded. The T&G has ended the practice of using any recycled paper for toppers. The Globe does not recycle paper in this fashion. The newspapers have also added a safeguard to the computer system so only the last four numbers of credit and debit cards can be printed. The Globe and T&G share a computer system.

Larkin said the data was printed out on two occasions over the past few weeks by T&G business office employees. In one instance, an employee inadvertently hit the print button, aborted the job before the run was complete, and discarded the paper. In the other instance, another employee began printing a report, but soon realized it was the wrong one, aborted that print job, and discarded the paper.
Larkin said the newspapers are still investigating the T&G's procedures for handling confidential customer information. But he said the employees weren't disciplined because the errors were inadvertent. "There's no reason to believe this was intentional," he said.

Robert Gavin can be reached at rgavin at globe.com.


From michael.bean at honeywell.com Wed Feb 1 11:04:29 2006
From: michael.bean at honeywell.com (Bean, Michael (NM75))
Date: Wed, 1 Feb 2006 10:04:29 -0600
Subject: [Dataloss] FW: Former Employee Found to Have Disclosed Confidential Data
Message-ID: <3B223242100469459AABA3B0662ED8340262EE23@MN65EV801.global.ds.honeywell.com>

Not sure if this has made the dataloss list yet... Thought it was timely.

_____

From: Parlato LeDonne, Lisa
Sent: Tuesday, January 31, 2006 3:02 PM
Subject: Former Employee Found to Have Disclosed Confidential Data

Dear Colleague:

During the past week, Honeywell has been responding to the unexpected and unauthorized disclosure of personal data from 2003 for 19,000 current and former employees on a third-party Website. Among the data that appeared on this Website were employee names, Social Security numbers and bank account information from that year. All affected individuals have already been contacted by John McClurg, Vice President of Global Security, Business Assurance and Risk Management, but I wanted to provide this update to all U.S. employees so everyone can learn what happened and how we have responded.

There are three important points I want everyone to understand:

1. Honeywell moved very quickly to have this information removed from the Internet and to investigate what happened. Upon learning about the site, we immediately contacted the Internet service provider and had the page removed, and we continue to monitor the Internet to ensure that the Webpage and any copies of it remain taken down. Through the work of our investigators, we have determined who we believe is responsible for the disclosure.
I am pleased to announce that yesterday we filed a civil lawsuit in U.S. District Court in Arizona against a terminated employee. We received an order from the court that will prevent this individual from making any further disclosures and will allow Honeywell to recover any company information in his possession. We also are continuing to cooperate with an ongoing criminal investigation with the FBI.

2. The company communicated with affected individuals as quickly as possible. Of the 19,000 individuals who were affected, more than 11,000 have active e-mail addresses on Honeywell's system. Within one business day of when we learned about the Website, John McClurg sent updates on the situation to these individuals as well as a first-class letter to those affected for whom we did not have e-mail addresses. Yesterday, John sent another update - his third within the past week - to the active e-mail addresses, and by now, we have sent first-class letters to the homes of all 19,000 affected individuals. If you neither received an e-mail nor a first-class letter from John, you are not among those who were affected. Watch the Inside Honeywell Intranet home page for further updates.

3. The company is taking steps to protect those who were affected. Honeywell takes the protection of its employees' and former employees' data very seriously. That's why we are making credit monitoring and identity theft insurance available to affected individuals free of charge over the next 12 months. Please note that only current and former employees whose data was posted on the site are eligible for these services. We know you'll join us in respecting the need to ensure this help is reserved for those whose data was disclosed.

Our One Stop call center has been working busily to answer employee questions while keeping wait times to a minimum. If you have a question that needs to be answered right away, call One Stop at 1-877-258-3699 (select 2 for Payroll Services) between 8 a.m. and 6 p.m.
EST, Monday through Friday. If your question can wait, please hold off for a few days, or e-mail One Stop at payrollcustomerservice at es.honeywell.com - they are responding to e-mails within 24 hours.

While we have made progress in addressing this situation, everybody involved is mindful that much remains to be done. We regret the inconvenience for those whose data was disclosed.

Lisa Parlato LeDonne
Chief Privacy Officer
Chief Labor & Employment Counsel


From lyger at attrition.org Wed Feb 1 13:33:28 2006
From: lyger at attrition.org (lyger)
Date: Wed, 1 Feb 2006 13:33:28 -0500 (EST)
Subject: [Dataloss] FCC says AT&T, Alltel failed to protect records

http://www.msnbc.msn.com/id/11118732/

WASHINGTON - The Federal Communications Commission has proposed fining AT&T Inc. and Alltel Corp. $100,000 each for apparently failing to certify that they have procedures to protect customers' personal phone records.

The finding comes as Congress opens hearings Wednesday on how to stop companies that are selling private phone records over the Internet.

AT&T and Alltel have 30 days to respond to a "notice of apparent liability" issued late Monday by the FCC's enforcement bureau.

(*$100,000* fine possible? After reporting numbers like these just days earlier?
- lyger)

http://money.cnn.com/services/tickerheadlines/for5/200601261646DOWJONESDJONLINE001328_FORTUNE5.htm

"AT&T on Thursday reported its first quarter of results since the former SBC closed the $16 billion acquisition of the old Ma Bell on Nov. 18. SBC then adopted the AT&T name. In the final three months of 2005, the company said net income rose to $1.66 billion, or 46 cents a share, from $688 million, or 21 cents, a year ago. Those figures include a partial contribution from the old AT&T Corp."


From lyger at attrition.org Wed Feb 1 19:06:44 2006
From: lyger at attrition.org (lyger)
Date: Wed, 1 Feb 2006 19:06:44 -0500 (EST)
Subject: [Dataloss] Colorado Tech University, 12/16/05

Greetings all,

After looking through a list of data breaches gathered at:

http://www.privacyrights.org/ar/ChronDataBreaches.htm

I saw the entry for "Colorado Tech. Univ" on December 16, 2005, which states approximately 1,200 people may have been affected due to "Email erroneously sent containing names, phone numbers, email addresses, Social Security numbers and class schedules."

Try as I might, I am unable to find any information on this on the web. Would anyone happen to have any sources of information or details regarding this particular alleged breach?

Thanks and welcome aboard.

Lyger


From byurcik at ncsa.uiuc.edu Wed Feb 1 20:02:36 2006
From: byurcik at ncsa.uiuc.edu (Bill Yurcik)
Date: Wed, 1 Feb 2006 19:02:36 -0600 (CST)
Subject: [Dataloss] complete/official list of security breach disclosures

It was a great idea to start this list!

Maybe someone can help me.

I have been looking for a complete list of security breach disclosures. While it's nice to have different lists of high profile disclosures, what would be interesting would be to find out how many total disclosures and the distributions of size and type. The SB-1386 law in California requires companies to contact customers affected by breaches.
I checked with the California Attorney General's Office and there are no government records being kept there since companies are not required to contact any government entity. The papers report the high profile breaches -- basing any analysis on the media coverage would be skewed.

Are there any states that require public reporting of breaches?

Since other states are modeling security breach laws after California's SB 1386 it would be great if somehow there could be a public reporting element added to these laws so data on all breaches can be collected and analyzed for fixing the right problems.

Cheers! - Bill Yurcik/NCSA University of Illinois


From jericho at attrition.org Wed Feb 1 20:34:42 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 1 Feb 2006 20:34:42 -0500 (EST)
Subject: [Dataloss] complete/official list of security breach disclosures

: Maybe someone can help me.
: I have been looking for a complete list of security breach disclosures.
: While it's nice to have different lists of high profile disclosures
: what would be interesting would be to find out how many total disclosures
: and the distributions of size and type.

That is the purpose and intent of the attrition Dataloss page. It was not created with only high profile breaches/disclosures, rather any event of significance.

http://attrition.org/errata/dataloss/

: The SB-1386 law in California requires companies to contact customers
: affected by breaches. I checked with the California Attorney General's
: Office and there are no government records being kept there since
: companies are not required to contact any government entity. The papers
: report the high profile breaches -- basing any analysis on the media
: coverage would be skewed.
:
: Are there any states that require public reporting of breaches?

There are, but I don't have the list handy. That is something that would complement the dataloss page actually, links to the states and respective laws.
Shortly after California adopted that law, several others followed suit and passed their own.


From david-kovarik at northwestern.edu Wed Feb 1 20:42:20 2006
From: david-kovarik at northwestern.edu (David Kovarik)
Date: Wed, 01 Feb 2006 19:42:20 -0600
Subject: [Dataloss] complete/official list of security breach disclosures
Message-ID: <6.2.1.2.2.20060201193448.033ad9e8@hecky.it.northwestern.edu>

Bill -

Illinois has a law similar to CA's, the Personal Information Protection Act of 2005. Passed in June, 2005, effective Jan 01, 2006. There is no "public reporting" measure.

I'm not entirely sure that I'd want to go public in those instances where data was compromised, but I can see value in sharing the information with other institutions. Last place I worked (bank), we had a system whereby info was first sanitized then exchanged.

- Dave

David (Dave) Kovarik, CISM, CISSP
Director of Information and Systems Security/Compliance
Northwestern University/Information Technology
1800 Sherman, Suite 209
Evanston, IL 60201-3883
Office: (847) 467-5930

At 07:02 PM 2/1/2006, Bill Yurcik wrote:
>It was a great idea to start this list!
>
>Maybe someone can help me.
>I have been looking for a complete list of security breach disclosures.
>While it's nice to have different lists of high profile disclosures
>what would be interesting would be to find out how many total disclosures
>and the distributions of size and type. The SB-1386 law in California
>requires companies to contact customers affected by breaches. I checked
>with the California Attorney General's Office and there are no government
>records being kept there since companies are not required to contact any
>government entity. The papers report the high profile breaches -- basing
>any analysis on the media coverage would be skewed.
>
>Are there any states that require public reporting of breaches?
>
>Since other states are modeling security breach laws after
>California's SB 1386 it would be great if somehow there could be a public
>reporting element added to these laws so data on all breaches can be
>collected and analyzed for fixing the right problems.
>
>Cheers! - Bill Yurcik/NCSA University of Illinois
>
>_______________________________________________
>Dataloss mailing list
>Dataloss at attrition.org
>https://attrition.org/mailman/listinfo/dataloss


From lewisnic at acm.org Wed Feb 1 20:55:48 2006
From: lewisnic at acm.org (Nick Lewis)
Date: Wed, 1 Feb 2006 20:55:48 -0500
Subject: [Dataloss] complete/official list of security breach disclosures
Message-ID: <003f01c6279b$cac8cfd0$6501a8c0@frankenstein>

> : The SB-1386 law in California requires companies to contact customers
> : affected by breaches. I checked with the California Attorney General's
> : Office and there are no government records being kept there since
> : companies are not required to contact any government entity. The papers
> : report the high profile breaches -- basing any analysis on the media
> : coverage would be skewed.
> :
> : Are there any states that require public reporting of breaches?
>
> There are, but I don't have the list handy. That is something that would
> complement the dataloss page actually, links to the states and respective
> laws. Shortly after California adopted that law, several others followed
> suit and passed their own.

I suspect the page you're thinking of is:

http://www.crowell.com/pdf/SecurityBreachTable.pdf

I found this link from the http://www.cccure.org/ website.

Nick


From lyger at attrition.org Wed Feb 1 21:26:29 2006
From: lyger at attrition.org (lyger)
Date: Wed, 1 Feb 2006 21:26:29 -0500 (EST)
Subject: [Dataloss] complete/official list of security breach disclosures

On Wed, 1 Feb 2006, security curmudgeon wrote:

": " That is the purpose and intent of the attrition Dataloss page. It was not
": " created with only high profile breaches/disclosures, rather any event of
": " significance.
": "
": " http://attrition.org/errata/dataloss/

One thing to note here: if anyone notices any data loss or data theft incidents *not* included on the attrition data loss page, please feel free to submit them to myself or jericho (preferably with a corresponding news link). Incidents covered on the page are not limited to the United States only; we have also covered items from Russia, India, and the UK in the past few months.


From rkholmes at gmail.com Wed Feb 1 21:54:23 2006
From: rkholmes at gmail.com (Rob Holmes)
Date: Wed, 1 Feb 2006 18:54:23 -0800
Subject: [Dataloss] Providence Home Services data loss
Message-ID: <55bfbe200602011854q73bec2beyd7191a176d6c24ae@mail.gmail.com>

Greetings,

I'm one of the victims of the Providence Home Services data loss. I'm also an IT Professional who has held positions that focused on Information Security. I have set up a site for the victims of the Providence Home Services fiasco. I wanted to provide the list with my link.

http://www.providenceidentitytheft.com

Kudos to the attrition.org folks for starting this list. I just wish they would bring the cartoon gallery back. :-)

Thanks
Rob
From privacylaws at sbcglobal.net Wed Feb 1 22:09:40 2006
From: privacylaws at sbcglobal.net (Saundra Kae Rubel)
Date: Wed, 1 Feb 2006 19:09:40 -0800
Subject: [Dataloss] complete/official list of security breach disclosures
In-Reply-To: <003f01c6279b$cac8cfd0$6501a8c0@frankenstein>
Message-ID: <000601c627a6$1c62cfd0$210110ac@saundrad38b17a>

Hi

Other states with security breach notification laws are: Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York City, New York, North Carolina, North Dakota, Rhode Island, Tennessee, Texas, Washington

I once kept a list of all of the breaches but no longer. I refer you to Beth Givens' list at http://www.privacyrights.org/ar/ChronDataBreaches.htm

Saundra Kae Rubel, CIPP


From emergentchaos at gmail.com Wed Feb 1 20:13:00 2006
From: emergentchaos at gmail.com (Adam Shostack)
Date: Wed, 1 Feb 2006 20:13:00 -0500
Subject: [Dataloss] complete/official list of security breach disclosures

The only state requiring a notice (to the attorney general's office) is New York, as of Jan 1, 2006.

The best sources are the privacy rights clearinghouse page, and the pages linked from there (including our page at http://www.emergentchaos.com/archives/cat_breaches.html). There are some people talking about building a database of things, but it's all volunteer effort.

Adam

On Feb 1, 2006, at 8:02 PM, Bill Yurcik wrote:

> It was a great idea to start this list!
>
> Maybe someone can help me.
> I have been looking for a complete list of security breach disclosures.
> While it's nice to have different lists of high profile disclosures
> what would be interesting would be to find out how many total disclosures
> and the distributions of size and type. The SB-1386 law in California
> requires companies to contact customers affected by breaches. I checked
> with the California Attorney General's Office and there are no government
> records being kept there since companies are not required to contact any
> government entity. The papers report the high profile breaches -- basing
> any analysis on the media coverage would be skewed.
>
> Are there any states that require public reporting of breaches?
>
> Since other states are modeling security breach laws after
> California's SB 1386 it would be great if somehow there could be a public
> reporting element added to these laws so data on all breaches can be
> collected and analyzed for fixing the right problems.
>
> Cheers! - Bill Yurcik/NCSA University of Illinois
>
> _______________________________________________
> Dataloss mailing list
> Dataloss at attrition.org
> https://attrition.org/mailman/listinfo/dataloss

--
Emergent Chaos! My thoughts on security, privacy, economics, and the occasional giant pink bunny.
http://www.emergentchaos.com


From blitz at strikenet.kicks-ass.net Wed Feb 1 22:32:08 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Wed, 01 Feb 2006 22:32:08 -0500
Subject: [Dataloss] state list?
Message-ID: <7.0.1.0.2.20060201223044.03b43db8@macronet.net>

Greetings all, newuser here...

Do we have a list of states that are compelling notification of data loss yet? I know NY is on that list due to recent legislation as well as CA. Any others?


From blitz at strikenet.kicks-ass.net Wed Feb 1 22:32:51 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Wed, 01 Feb 2006 22:32:51 -0500
Subject: [Dataloss] complete/official list of security breach disclosures
Message-ID: <7.0.1.0.2.20060201223227.03d8eb50@strikenet.kicks-ass.net>

NY just enacted legislation to that effect.

At 20:02 2/1/2006, you wrote:
>It was a great idea to start this list!
>
>Maybe someone can help me.
>I have been looking for a complete list of security breach disclosures.
>While it's nice to have different lists of high profile disclosures
>what would be interesting would be to find out how many total disclosures
>and the distributions of size and type. The SB-1386 law in California
>requires companies to contact customers affected by breaches. I checked
>with the California Attorney General's Office and there are no government
>records being kept there since companies are not required to contact any
>government entity. The papers report the high profile breaches -- basing
>any analysis on the media coverage would be skewed.
>
>Are there any states that require public reporting of breaches?
>
>Since other states are modeling security breach laws after
>California's SB 1386 it would be great if somehow there could be a public
>reporting element added to these laws so data on all breaches can be
>collected and analyzed for fixing the right problems.
>
>Cheers! - Bill Yurcik/NCSA University of Illinois
>
>_______________________________________________
>Dataloss mailing list
>Dataloss at attrition.org
>https://attrition.org/mailman/listinfo/dataloss


From cwalsh at cwalsh.org Wed Feb 1 23:08:48 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 1 Feb 2006 22:08:48 -0600
Subject: [Dataloss] states with laws, etc
Message-ID: <701CD0A9-5F83-4248-BA04-B6E44DE0337A@cwalsh.org>

First off, AWESOME list.

The best resource I could find for a state by state readout on disclosure laws is from the National Conference of State Legislatures:

http://www.ncsl.org/programs/lis/CIP/priv/breach.htm

It discusses current and pending legislation, and goes into some detail about what each bill/law requires.
Given the nature of the organization, and the resources it has available, I think it is likely that this info is the best generally available. If it isn't, I'd welcome a pointer to a better source.

HTH

Chris


From lyger at attrition.org Thu Feb 2 08:40:57 2006
From: lyger at attrition.org (lyger)
Date: Thu, 2 Feb 2006 08:40:57 -0500 (EST)
Subject: [Dataloss] University of Colorado at Colorado Springs

Courtesy Emergent Chaos (emergentchaos.com)

http://www.gazette.com/display.php?id=1314249&secid=1

Personal information on about 2,500 current and former employees at the University of Colorado at Colorado Springs has been compromised by someone who hacked into a computer and infected it with a virus.

Names, Social Security numbers, birth dates and addresses for employees dating back to 2004 were accessed without authorization Friday, the university said Tuesday.

Obtaining that information did not appear to be the reason for the attack on the computer in the Personnel Department, officials said. They still urged faculty and staff members to notify credit reporting bureaus of the breach and take other precautions against ID theft.

[...]


From cwalsh at cwalsh.org Thu Feb 2 11:04:05 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 2 Feb 2006 10:04:05 -0600
Subject: [Dataloss] Newspaper CC disclosure aftermath
Message-ID: <20060202160404.GB23706@cwalsh.org>

Via American Banker (paywall):

"Boston Globe: The Boston Globe and Worcester Telegram & Gazette spent the day dealing with the aftermath of a data breach. A deluge of angry customers overwhelmed a special hotline set up to deal with the complaints from the printing of credit card information on newspaper-bundle "toppers". Massachusetts Attorney General Thomas F. Reilly is looking into whether the newspapers violated the state's consumer-protection law. Publishers probably can't rely on a federal-preemption defense."
More at http://www.boston.com/business/articles/2006/02/02/hot_lines_deluged_after_tg_globe_leak/


From lyger at attrition.org Fri Feb 3 09:13:48 2006
From: lyger at attrition.org (lyger)
Date: Fri, 3 Feb 2006 09:13:48 -0500 (EST)
Subject: [Dataloss] Identity theft costs Britain $3.06 bln per year

http://news.xinhuanet.com/english/2006-02/02/content_4130127.htm
(Chinese site in English)

LONDON, Feb. 2 (Xinhuanet) -- Britain loses some 1.7 billion pounds (3.06 billion US dollars) a year to identity theft, said a Home Office minister on Thursday.

This results in an average loss of 35 pounds (about 63 dollars) per person, much more expensive than the national identity cards currently under government consideration, Andy Burnham, the Home Office minister, told BBC Radio.

Britain has been considering national ID cards for a long time. However, the high cost of ID cards has been a controversial barrier in its introduction.

[...]


From cwalsh at cwalsh.org Fri Feb 3 14:05:50 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 3 Feb 2006 13:05:50 -0600
Subject: [Dataloss] Sports Authority hit (stored stripe data)
Message-ID: <20060203190549.GC16202@cwalsh.org>

From American Banker:

Sports Authority Inc. confirmed this week that it recently launched an investigation into its information system after four international banks alerted it to a potential intrusion into its network in December. With help from the Secret Service and Cybertrust Inc., the sporting goods company determined that there had been no unauthorized access into its system, but that it was violating Payment Card Industry standards by storing magnetic-stripe information. Chas Withers, a spokesman for Sports Authority, said it was surprised by the discovery, because a Visa U.S.A.-approved assessor had told the company it was not storing such information.
More at http://www.americanbanker.com/datasecurityscan.html (paywall)


From lyger at attrition.org Sat Feb 4 13:48:45 2006
From: lyger at attrition.org (lyger)
Date: Sat, 4 Feb 2006 13:48:45 -0500 (EST)
Subject: [Dataloss] Do you know about the Dec 2005 CRS Report for Congress: "Personal Data Security Breaches..."

Sent to attrition from a non-list member. Forwarded with permission of sender:

---------- Forwarded message ----------
Date: Sat, 04 Feb 2006 07:41:14 -0700
Subject: Do you know about the Dec 2005 CRS Report for Congress: "Personal Data Security Breaches..."

Thought you might be interested in these documents if you don't know about them:

Congressional Research Service
Personal Data Security Breaches: Context and Incident Summaries
December 16, 2005
http://www.opencrs.com/rpts/RL33199_20051216.pdf

And a couple more links:

Oversight Hearing on Data Security, Data Breach Notices, Privacy and Identity Theft
22 September 2005
http://banking.senate.gov/_files/ACFDC9B.pdf

This is posted via "Privacy at Choicepoint" (?!) :

2005 Disclosures of U.S. Data Incidents
(At least 152 incidents have been disclosed, potentially affecting more than 57.7 million individuals)
http://www.privacyatchoicepoint.com/common/pdfs/Data_Disclosures_2005.pdf


From cwalsh at cwalsh.org Sat Feb 4 14:28:40 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sat, 4 Feb 2006 13:28:40 -0600
Subject: [Dataloss] Do you know about the Dec 2005 CRS Report for Congress: "Personal Data Security Breaches..."
Message-ID: <5647C847-D682-4DEF-BD96-5B3C771613F3@cwalsh.org>

Wow. I knew about the hearings, and saw an NY Times graphic on breaches w/ data courtesy of (IIRC) ChoicePoint, but these docs really add to the picture.

[Sorry if this is OT. I just wanted folks to know this is greatly appreciated.]
From rkholmes at gmail.com Sat Feb 4 15:22:22 2006
From: rkholmes at gmail.com (Rob Holmes)
Date: Sat, 4 Feb 2006 12:22:22 -0800
Subject: [Dataloss] police report for Providence Home Services data loss
Message-ID: <55bfbe200602041222k7bf1c0c5vf0f1a20efd0262a1@mail.gmail.com>

Greetings, Rob here from http://www.providenceidentitytheft.com

I wanted to let you know that I have received a copy of the CCSO police report and have made it available for download at my site. It appears that the CCSO and Providence both have some level of concern that this might have been an inside job.

I've sanitized the report to remove Mr. Shields' home address, DOB and phone number. I have also removed Ms. Jorgenson's phone number as well as the name of an individual that was named as a potential suspect.

It definitely made for an interesting read.

Thanks!
Rob

From lyger at attrition.org Sat Feb 4 17:03:38 2006
From: lyger at attrition.org (lyger)
Date: Sat, 4 Feb 2006 17:03:38 -0500 (EST)
Subject: [Dataloss] Providence Home Services Data Loss/Theft Documentation
Message-ID:

http://attrition.org/errata/dataloss/providence/

The letter sent to affected PHS clients, the Clackamas County Sheriff's Office report, and sample photos of the stolen tapes have been archived.
Lyger

From blitz at strikenet.kicks-ass.net Mon Feb 6 13:15:33 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Mon, 06 Feb 2006 13:15:33 -0500
Subject: [Dataloss] Fwd: [ISN] Personal data on hundreds of Americans faxed to Manitoba company
Message-ID: <7.0.1.0.2.20060206131322.03d597a0@macronet.net>

> http://www.theglobeandmail.com/servlet/story/RTGAM.20060205.wdata0205/BNStory/National/home
>
> STEVE LAMBERT
> Canadian Press
> 05/02/06
>
> Lockport, Manitoba - Confidential information on hundreds of United States citizens, including social security numbers, health information and bank account numbers, is being sent mistakenly by fax to a small Manitoba company.
>
> A 60-centimetre-high stack of data, which also includes people's addresses and salaries, already sits in the offices of North Regent Rx, a herbal remedy distribution company that operates out of a house in Lockport, 15 kilometres north of Winnipeg.
>
> "I know how much these people make, I know what their social security number is, I know where they live," North Regent Rx spokesman Jody Baxmeyer told The Canadian Press.
>
> "Almost everything a person needs for identity theft is actually faxed to us on a daily basis."
>
> Far from using the information for any illicit purposes, Ms. Baxmeyer says his company has been trying to stop the faxes from coming in, but has been unable to reach an agreement with Prudential Financial, the U.S.-based company that is the intended recipient.
>
> The problem started as soon as North Regent Rx began operating 15 months ago. The company's toll-free fax number is almost identical to the number used by Prudential's insurance division, which receives faxes from doctors' offices about medical benefits given to patients with Prudential insurance.
>
> Employees at many doctors' offices have dialled the wrong number, sending the information to North Regent Rx.
>
> The pile in Ms. Baxmeyer's office reveals data about people in many states - a Maryland woman with thyroid trouble, a Massachusetts man suffering from depression, and Kelly McDonough, 43, an Ohio woman who has lost her sight because of diabetes.
>
> "That bothers me," McDonough said from her home in Columbus.
>
> "I do not appreciate the fact that my social security number is in the hands of someone I don't know. I know that there can be identity theft with as little information as a social security number."
>
> McDonough said the mixup has affected her financially, because she initially didn't get reimbursed for the claim that was mistakenly faxed to North Regent Rx. After waiting for a few weeks, she assumed Prudential might have lost the information and had her doctor's office resend the fax, which reached the right destination on the second try.
>
> Prudential says it's trying to address the situation.
>
> "As soon as we learned that disability forms were being misdirected due to dialer error, Prudential Financial offered to work with North Regent Rx to resolve the matter," the company said in a written statement.
>
> "We have asked the six medical providers that we are aware of that have misdialled to be more careful when dialing."
>
> Last August, Prudential vice-president Patrick O'Toole wrote to Ms. Baxmeyer to suggest that North Regent Rx send Prudential the faxes they have been receiving.
>
> Ms. Baxmeyer says North Regent has forwarded some faxes to Prudential, and has often faxed messages to the clinics to tell them they have misdialled.
>
> But he said it's a time-consuming task for a small company. And the ongoing problem has tied up the fax line, he said, preventing North Regent customers from sending in their orders.
>
> "The (solution) from our point of view is pretty simple -- buy our toll-free number," Ms. Baxmeyer said.
>
> "It would take care of the problem right there."
>
> Ms. Baxmeyer said North Regent Rx has approached Prudential about selling the fax number, but the insurance firm has not yet agreed.
>
> North Regent Rx would want to be compensated for the cost of changing its toll-free number on advertising and invoices, as well as for fees charged by the telephone company, he said.
>
> Prudential's written statement says the company is "eager to continue to work with North Regent Rx to resolve the issue."
>
> This is not the first time personal data has been sent over the Canada-U.S. border to the wrong recipient.
>
> In November of 2004, The Globe and Mail and CTV reported that between 2001 and 2004, confidential information about hundreds of Canadian Imperial Bank of Commerce customers was faxed to a scrapyard in West Virginia.
>
> The scrapyard's owner, Wade Peer, said the volume of faxes prevented him from communicating with his customers and forced him to close one of his businesses.

From ish at dolphtech.com Mon Feb 6 17:01:30 2006
From: ish at dolphtech.com (J Isherwood)
Date: Mon, 6 Feb 2006 17:01:30 -0500
Subject: [Dataloss] Statistics
In-Reply-To: <7.0.1.0.2.20060206131322.03d597a0@macronet.net>
Message-ID:

Does anyone know if a list is being kept of the types/causes of these data-breaches?

- Network Intrusion
- Insider
- Malicious
- Careless
- Loss by third party (sub-contractor, partner etc...)
- Spyware/malware/virii
- Poor Physical Security Measures
- Loss of hardware
- Loss of printed data
- Mis-communication of data to a third party

From adrian.sanabria at gmail.com Mon Feb 6 20:41:41 2006
From: adrian.sanabria at gmail.com (Adrian Sanabria)
Date: Mon, 6 Feb 2006 20:41:41 -0500
Subject: [Dataloss] Statistics
In-Reply-To:
References: <7.0.1.0.2.20060206131322.03d597a0@macronet.net>
Message-ID:

You read my mind.
I was just looking at that huge dataloss list the other day, and thought (especially from the corporate infosec POV) it would be great to know why this is all happening!

On 2/6/06, J Isherwood wrote:
> Does anyone know if a list is being kept of the types/causes of these data-breaches?
>
> - Network Intrusion
> - Insider
> - Malicious
> - Careless
> - Loss by third party (sub-contractor, partner etc...)
> - Spyware/malware/virii
> - Poor Physical Security Measures
> - Loss of hardware
> - Loss of printed data
> - Mis-communication of data to a third party
>
> _______________________________________________
> Dataloss mailing list
> Dataloss at attrition.org
> https://attrition.org/mailman/listinfo/dataloss

From cwalsh at cwalsh.org Mon Feb 6 22:30:45 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 6 Feb 2006 21:30:45 -0600
Subject: [Dataloss] Unnamed CC processor hit -- minimum 100K cards exposed
Message-ID:

I just blogged at EC (http://www.emergentchaos.com/archives/002394.html) about a breach at an unnamed processor.

Quoting http://www.theindychannel.com/station/6793490/detail.html --

INDIANAPOLIS -- Regions Bank is canceling the credit cards of 100,000 of its customers in 15 states -- including Indiana -- saying a separate company put their credit information at risk.

Regions said the security breach involves a company that processes credit and debit cards nationwide.

The bank, which says it was not responsible for the problem, will issue new credit cards to its customers soon, Call 6 for Help's Rafael Sanchez reported Monday.

"Many times when this happens, there is no impact whatsoever, but we just decided to take the extra precaution," said John Kinman, Regions Bank senior vice president.

Information on how the breach happened and the extent of the risk wasn't known, Sanchez reported.
The credit-card processing company works for other banks, so it is possible that other banks will take the type of action that Regions is taking, Sanchez reported.

Regions sent letters to all affected customers.

From cwalsh at cwalsh.org Mon Feb 6 23:09:50 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 6 Feb 2006 22:09:50 -0600
Subject: [Dataloss] Honeywell: an insider did it
Message-ID: <1A280552-B8C9-41E2-8441-737F9AF8E147@cwalsh.org>

Honeywell, which recently had PII for 19,000 current and former employees show up on a web site, believes a disgruntled insider is to blame.

Report at http://www.azcentral.com/arizonarepublic/news/articles/0203honeywell03.html

From lyger at attrition.org Mon Feb 6 23:12:43 2006
From: lyger at attrition.org (lyger)
Date: Mon, 6 Feb 2006 23:12:43 -0500 (EST)
Subject: [Dataloss] Honeywell: an insider did it
In-Reply-To: <1A280552-B8C9-41E2-8441-737F9AF8E147@cwalsh.org>
References: <1A280552-B8C9-41E2-8441-737F9AF8E147@cwalsh.org>
Message-ID:

On Mon, 6 Feb 2006, Chris Walsh wrote:

": " Honeywell, which recently had PII for 19,000 current and former
": " employees show up on a web site, believes a disgruntled insider is to
": " blame.
": "
": " Report at http://www.azcentral.com/arizonarepublic/news/articles/
": " 0203honeywell03.html

Note:

Additional information may be found here:

http://attrition.org/pipermail/dataloss/2006-February/000007.html

From rkholmes at gmail.com Mon Feb 6 23:43:25 2006
From: rkholmes at gmail.com (Rob Holmes)
Date: Mon, 6 Feb 2006 20:43:25 -0800
Subject: [Dataloss] Honeywell: an insider did it
In-Reply-To:
References: <1A280552-B8C9-41E2-8441-737F9AF8E147@cwalsh.org>
Message-ID: <55bfbe200602062043p65afcac9t7950e18311d56699@mail.gmail.com>

Read the police report for the Providence Home Services data loss incident and you will see that both the CCSO and Providence have concerns that their loss was an inside job as well.
attrition.org has copies of that police report at their site for review.

It just chaps my ass to no end that our mass media channels here in Portland, OR won't pick that story up and run with it.

On 2/6/06, lyger wrote:
>
> On Mon, 6 Feb 2006, Chris Walsh wrote:
>
> ": " Honeywell, which recently had PII for 19,000 current and former
> ": " employees show up on a web site, believes a disgruntled insider is to
> ": " blame.
> ": "
> ": " Report at http://www.azcentral.com/arizonarepublic/news/articles/
> ": " 0203honeywell03.html
>
> Note:
>
> Additional information may be found here:
>
> http://attrition.org/pipermail/dataloss/2006-February/000007.html

From mfratto at gmail.com Tue Feb 7 14:24:06 2006
From: mfratto at gmail.com (Mike Fratto)
Date: Tue, 7 Feb 2006 14:24:06 -0500
Subject: [Dataloss] Statistics
In-Reply-To:
References: <7.0.1.0.2.20060206131322.03d597a0@macronet.net>
Message-ID:

I think this list is pretty current and gives dates, names, and methods.

http://www.privacyrights.org/ar/ChronDataBreaches.htm

From jericho at attrition.org Tue Feb 7 16:51:16 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 7 Feb 2006 16:51:16 -0500 (EST)
Subject: [Dataloss] Statistics
In-Reply-To:
References: <7.0.1.0.2.20060206131322.03d597a0@macronet.net>
Message-ID:

: I think this list is pretty current and gives dates, names, and methods.
:
: http://www.privacyrights.org/ar/ChronDataBreaches.htm

As stated before on the list, it doesn't cite sources and doesn't cover anything before Feb 15, 2005 unfortunately. That is just now giving us a single year to consider for data analysis of the issue.
From sbesser at gmail.com Tue Feb 7 17:01:19 2006
From: sbesser at gmail.com (Sharon Besser)
Date: Tue, 7 Feb 2006 14:01:19 -0800
Subject: [Dataloss] Statistics
Message-ID:

In addition to the different public lists available on the net (such as http://www.privacyrights.org/ar/ChronDataBreaches.htm, mentioned here already), there are the different vendor statistics: DB encryption companies, secure backup guys, information leak detection & prevention systems etc.

Without adding commercials to this list, I can say that there are plenty of incidents that the public is unaware of. A reliable list of data loss and information leaks should also cover those cases as well.

Being practical, I would say that any public list is an excellent start, even if it goes only one year back.

-- Sharon

From lyger at attrition.org Tue Feb 7 20:39:54 2006
From: lyger at attrition.org (lyger)
Date: Tue, 7 Feb 2006 20:39:54 -0500 (EST)
Subject: [Dataloss] Statistics
Message-ID:

Since the question of statistics about data loss incidents has recently been raised, I thought it might be time to start a tally.

http://attrition.org/~lyger/dataloss.htm

This sample page starts at the beginning of 2005 (pre-ChoicePoint) and stops at the end of May 2005. Any fields noted with an "x" are unknown at this time.

Since the original format of this file is a .csv, hopefully it can be spread out into more detailed columns that can eventually be converted into a very simple database. For instance, "type" can be differentiated between "computers" and "laptops" if that would provide more detailed statistics.

Any suggestions or comments are welcome.
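As an added illustration of the tally lyger describes and of the cause categories J Isherwood asked about, the block below is example code written for this page, not lyger's .csv or any attrition.org tooling. It parses a constructed sample in the same general shape (date, organization, type, cause, records, with "x" marking an unknown field), and breaks incidents out per column without silently counting unknown record totals as zero. The column names, cause labels and sample rows are assumptions.

```python
"""Tally data loss incidents by cause or type from a CSV sample.

Added example for this thread; the sample rows are constructed and do not
come from attrition.org's file. Column names and cause labels are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample. "x" marks an unknown value, as on the tally page.
SAMPLE_CSV = """date,organization,type,cause,records
2005-01-12,Example University,computers,network intrusion,32000
2005-02-15,Example Data Broker,database,insider,145000
2005-03-03,Example Bank,tapes,loss by third party,x
2005-04-20,Example Hospital,laptops,loss of hardware,x
2005-05-11,Example Retailer,computers,network intrusion,8000
"""


def parse_incidents(text):
    """Parse CSV text into dicts; an "x" in the records column becomes None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = row["records"].strip()
        row["records"] = None if rec.lower() == "x" else int(rec)
        rows.append(row)
    return rows


def tally_by(incidents, field):
    """Count incidents and sum known record counts per value of `field`.

    Returns {value: {"incidents": n, "records_known": total,
                     "records_unknown": m}}. Unknown counts are tracked
    separately so a tally never understates exposure by treating "x" as 0.
    """
    out = defaultdict(lambda: {"incidents": 0, "records_known": 0,
                               "records_unknown": 0})
    for inc in incidents:
        bucket = out[inc[field]]
        bucket["incidents"] += 1
        if inc["records"] is None:
            bucket["records_unknown"] += 1
        else:
            bucket["records_known"] += inc["records"]
    return dict(out)


def totals(incidents):
    """Overall known record total and number of incidents with unknown counts."""
    known = sum(i["records"] for i in incidents if i["records"] is not None)
    unknown = sum(1 for i in incidents if i["records"] is None)
    return known, unknown


if __name__ == "__main__":
    incs = parse_incidents(SAMPLE_CSV)
    for field in ("cause", "type"):
        print(f"--- by {field} ---")
        for key, t in sorted(tally_by(incs, field).items()):
            print(f"{key:22} incidents={t['incidents']} "
                  f"known_records={t['records_known']} "
                  f"unknown={t['records_unknown']}")
    known, unknown = totals(incs)
    print(f"known records: {known}; incidents with unknown counts: {unknown}")
```

Splitting "type" into "computers" and "laptops", as lyger suggests, is just a matter of adding rows with the finer label; `tally_by` works on any column without code changes.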
From lyger at attrition.org Wed Feb 8 08:50:38 2006
From: lyger at attrition.org (lyger)
Date: Wed, 8 Feb 2006 08:50:38 -0500 (EST)
Subject: [Dataloss] [ISN] Honeywell blames ex-employee in data leak (fwd)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News
Date: Wed, 8 Feb 2006 02:19:23 -0600 (CST)
Subject: [ISN] Honeywell blames ex-employee in data leak

http://www.computerworld.com/securitytopics/security/story/0,10801,108434,00.html

By Robert McMillan
FEBRUARY 06, 2006
IDG NEWS SERVICE

Honeywell International Inc. says a former employee has disclosed sensitive information relating to 19,000 of the company's U.S. employees.

Honeywell discovered the information being published on the Web on Jan. 20 and immediately had the Web site in question pulled down, said company spokesman Robert Ferris.

In court filings dated Jan. 30, the company accused former employee Howard Nugent of Arizona of accessing the information on a Honeywell computer and then causing "the transmission of that information."

Nugent has since been ordered not to disclose any information about Honeywell, including "information about Honeywell's employees (payroll data, Social Security numbers, personal information, etc.)," according to a Jan. 31 order signed by Judge Neil Wake of the U.S. District Court for the District of Arizona.

The precise method Nugent is alleged to have used to gain access to the information, and why he may have disclosed it, is not clear.

In the court filings, Honeywell claimed that Nugent "intentionally exceeded authorized access to a Honeywell computer," but the integrity of Honeywell's computer systems was not compromised, Ferris said. "Nobody hacked into systems," he said, without disclosing further details on the data breach.

Honeywell employees were notified of the breach via e-mail on Jan. 23, just days after it was discovered, and the company has since mailed notices about the compromise to all affected employees, Ferris said.
The company is working with federal and local authorities on the case, but Ferris declined to comment on whether criminal charges were expected to be filed.

Nugent could not be reached to comment for this story.

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org

From lyger at attrition.org Wed Feb 8 17:52:37 2006
From: lyger at attrition.org (lyger)
Date: Wed, 8 Feb 2006 17:52:37 -0500 (EST)
Subject: [Dataloss] BCBS North Carolina
Message-ID:

Update has been posted to http://attrition.org/errata/dataloss.html

Courtesy Emergent Chaos (emergentchaos.com):

'Human error' exposes patients' Social Security numbers in N.C.
http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,108444,00.html

FEBRUARY 07, 2006 (COMPUTERWORLD) - A "human error" at Blue Cross and Blue Shield of North Carolina allowed the Social Security numbers of more than 600 members to be printed on the mailing labels of envelopes sent to them with information about a new insurance plan.

The mistake affected patients who had applied for a new health savings account insurance plan, said Gayle Tuttle, a spokeswoman for the Chapel Hill, N.C.-based insurer.

"The mailing label on a welcome letter that we sent out to 629 people enrolled in one of our individual insurance plans contained an 11-digit tracking number, nine of which were the members' Social Security numbers," Tuttle said. "The release of this information is the result of a regrettable human error."

[...]

From jericho at attrition.org Fri Feb 10 03:51:23 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 10 Feb 2006 03:51:23 -0500 (EST)
Subject: [Dataloss] Some BofA Clients Find Debit Cards Cancelled
Message-ID:

---------- Forwarded message ----------
From: Fergie
Date: Thu, 9 Feb 2006 14:51:26 GMT

Via SFGate.com.
[snip]

Numerous Bank of America customers have had their debit cards canceled and have been blocked from accessing their accounts online after an unnamed company experienced what appears to be a major security breach.

BofA is refusing to identify the company, saying in letters to customers this week only that the breach occurred "at a third-party location unrelated to Bank of America."

This is unusual. Past data-security breaches involving financial institutions have centered on systems being compromised at either bank offices or those of affiliated firms.

Michael Chee, a BofA spokesman, confirmed Wednesday that the breach in this latest case wasn't at a processing center used by the bank or any other affiliate.

[snip]

More here:
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/02/09/BUGHLH55SQ1.DTL

From cwalsh at cwalsh.org Fri Feb 10 10:39:10 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 10 Feb 2006 09:39:10 -0600
Subject: [Dataloss] More on the BofA card-cancellations
Message-ID: <20060210153909.GB91@cwalsh.org>

From today's American Banker Online (http://www.americanbanker.com/datasecurityscan.html [paywall]):

Julie Davis, a B of A spokeswoman, told American Banker that to her knowledge
                                                             ^^^^^^^^^^^^^^^^
no major security breach has occurred in recent weeks at a third party that
                                      ^^^^^^^^^^^^^^^
works with B of A, and that the cards that were reissued were likely not
connected to a single event.

"It's part of our normal process to block and reissue cards when there is any
potential for fraud," she said. A group of "customers receiving a letter don't
necessarily indicate that they are from the same incident."
^^^^^^^^^^^

[I underlined certain parts]

Depending on what "recent" means, this *could* be Sam's Club fallout (among other things). Of course, unless people actually reveal information, we will never know, will we?
From sbesser at gmail.com Fri Feb 10 11:51:05 2006
From: sbesser at gmail.com (Sharon Besser)
Date: Fri, 10 Feb 2006 08:51:05 -0800
Subject: [Dataloss] More on the BofA card-cancellations
Message-ID:

According to

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/10/BUG5HH5N841.DTL

There was a security breach. Here are some highlights from this article that also discuss the legal requirements to disclose information to the public.

".... But well-placed sources within the banking and credit card industries now tell me that the company in question is a leading retailer in the office-supply business.

Those sources also place the total number of consumers affected by the security breach at nearly 200,000.

Washington Mutual confirmed Thursday that it too was involved in the breach and is replacing customers' debit cards.

Banking industry sources said they were notified last month by Visa and MasterCard that the computer system of a prominent merchant had been penetrated by a computer hacker, and that account information for thousands of customers had been endangered.

Rosetta Jones, a spokeswoman for Visa USA, acknowledged Thursday that the incident involved a U.S. merchant that "may have experienced a data security breach resulting in the compromise of Visa card account information."

Sharon Gamsin, a spokeswoman for MasterCard International, said the credit card company had been informed of "a potential security breach at a U.S.-based retailer....."

---Sharon

-----Original Message-----
From: Chris Walsh [mailto:cwalsh at cwalsh.org]
Sent: Friday, February 10, 2006 7:39 AM
To: dataloss at attrition.org
Subject: [Dataloss] More on the BofA card-cancellations

From today's American Banker Online (http://www.americanbanker.com/datasecurityscan.html [paywall]):

Julie Davis, a B of A spokeswoman, told American Banker that to her knowledge
                                                             ^^^^^^^^^^^^^^^^
no major security breach has occurred in recent weeks at a third party that
                                      ^^^^^^^^^^^^^^^
works with B of A, and that the cards that were reissued were likely not
connected to a single event.

"It's part of our normal process to block and reissue cards when there is any
potential for fraud," she said. A group of "customers receiving a letter don't
necessarily indicate that they are from the same incident."
^^^^^^^^^^^

[I underlined certain parts]

Depending on what "recent" means, this *could* be Sam's Club fallout (among other things). Of course, unless people actually reveal information, we will never know, will we?

From adam at homeport.org Fri Feb 10 12:13:34 2006
From: adam at homeport.org (Adam Shostack)
Date: Fri, 10 Feb 2006 12:13:34 -0500
Subject: [Dataloss] More on the BofA card-cancellations
In-Reply-To:
References:
Message-ID: <20060210171334.GB693@homeport.org>

Thanks Sharon!

The only explanation(s) I can think of for not disclosing are ongoing investigations, which is starting to get thin as details leak, and that the data was "encrypted." I don't believe that the encryption exemption is going to work, because clearly these banks feel it's worth some expense to protect their customers--therefore, any encryption in place was either weak, or bypassed by the nature of the attack.
Adam

On Fri, Feb 10, 2006 at 08:51:05AM -0800, Sharon Besser wrote:
| According to
|
| http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/10/BUG5HH5N841.DTL
|
| There was a security breach. Here are some highlights from this article that also discuss the legal requirements to disclose information to the public.
|
| ".... But well-placed sources within the banking and credit card industries now tell me that the company in question is a leading retailer in the office-supply business.
|
| Those sources also place the total number of consumers affected by the security breach at nearly 200,000.
|
| Washington Mutual confirmed Thursday that it too was involved in the breach and is replacing customers' debit cards.
|
| Banking industry sources said they were notified last month by Visa and MasterCard that the computer system of a prominent merchant had been penetrated by a computer hacker, and that account information for thousands of customers had been endangered.
|
| Rosetta Jones, a spokeswoman for Visa USA, acknowledged Thursday that the incident involved a U.S. merchant that "may have experienced a data security breach resulting in the compromise of Visa card account information."
|
| Sharon Gamsin, a spokeswoman for MasterCard International, said the credit card company had been informed of "a potential security breach at a U.S.-based retailer....."
|
| ---Sharon
|
| -----Original Message-----
| From: Chris Walsh [mailto:cwalsh at cwalsh.org]
| Sent: Friday, February 10, 2006 7:39 AM
| To: dataloss at attrition.org
| Subject: [Dataloss] More on the BofA card-cancellations
|
| From today's American Banker Online (http://www.americanbanker.com/datasecurityscan.html [paywall]):
|
| Julie Davis, a B of A spokeswoman, told American Banker that to her knowledge
|                                                              ^^^^^^^^^^^^^^^^
| no major security breach has occurred in recent weeks at a third party that
|                                       ^^^^^^^^^^^^^^^
| works with B of A, and that the cards that were reissued were likely not
| connected to a single event.
|
| "It's part of our normal process to block and reissue cards when there is any
| potential for fraud," she said. A group of "customers receiving a letter don't
| necessarily indicate that they are from the same incident."
| ^^^^^^^^^^^
|
| [I underlined certain parts]
|
| Depending on what "recent" means, this *could* be Sam's Club fallout (among other things). Of course, unless people actually reveal information, we will never know, will we?

From cwalsh at cwalsh.org Fri Feb 10 13:07:27 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 10 Feb 2006 12:07:27 -0600
Subject: [Dataloss] More on the BofA card-cancellations
In-Reply-To: <20060210171334.GB693@homeport.org>
References: <20060210171334.GB693@homeport.org>
Message-ID: <20060210180726.GA21724@cwalsh.org>

Elsewhere in the article I quoted, The Bank of America is reported as denying that the cancellations reported stem from a single incident, whether it be at a major retailer or anywhere else.
"The San Francisco Chronicle reported Thursday that Bank of America Corp. canceled debit cards and suspended online account access for numerous customers after a breach at a third party the Charlotte company would not identify.

However, B of A disputed the article's conclusion that the customer notices cited by the Chronicle stemmed from a single incident.

The newspaper reported that the company told customers in letters this week that a breach occurred at "a third-party location unrelated to Bank of America."

According to the article, B of A would not give the number of customers affected, but it said the breach did not occur at a processor."

This is "he said, she said", at least in terms of official pronouncements, and that is a problem.

From sbesser at gmail.com Fri Feb 10 14:05:30 2006
From: sbesser at gmail.com (Sharon Besser)
Date: Fri, 10 Feb 2006 11:05:30 -0800
Subject: [Dataloss] More on the BofA card-cancellations
In-Reply-To: <20060210180726.GA21724@cwalsh.org>
References: <20060210171334.GB693@homeport.org> <20060210180726.GA21724@cwalsh.org>
Message-ID:

Let's wait until the "he said, she said" smoke screen disappears. As far as we know, *something* happened. Personally, I do not believe that it's a "much ado about nothing" situation...

-- Sharon

On 2/10/06, Chris Walsh wrote:
> Elsewhere in the article I quoted, The Bank of America is reported as denying that the cancellations reported stem from a single incident, whether it be at a major retailer or anywhere else.
>
> "The San Francisco Chronicle reported Thursday that Bank of America Corp. canceled debit cards and suspended online account access for numerous customers after a breach at a third party the Charlotte company would not identify.
>
> However, B of A disputed the article's conclusion that the customer notices cited by the Chronicle stemmed from a single incident.
>
> The newspaper reported that the company told customers in letters this week that a breach occurred at "a third-party location unrelated to Bank of America."
>
> According to the article, B of A would not give the number of customers affected, but it said the breach did not occur at a processor."
>
> This is "he said, she said", at least in terms of official pronouncements, and that is a problem.

From cwalsh at cwalsh.org Fri Feb 10 14:17:59 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 10 Feb 2006 13:17:59 -0600
Subject: [Dataloss] More on the BofA card-cancellations
In-Reply-To:
References: <20060210171334.GB693@homeport.org> <20060210180726.GA21724@cwalsh.org>
Message-ID: <20060210191757.GA8815@cwalsh.org>

On Fri, Feb 10, 2006 at 11:05:30AM -0800, Sharon Besser wrote:
> Let's wait until the "he said, she said" smoke screen disappears. As far as we know, *something* happened. Personally, I do not believe that it's a "much ado about nothing" situation...

I agree completely. In particular, http://www.emergentchaos.com/archives/002310.html makes me think that something has been amiss for a while, and has reached a point where the bank felt it needed to "proactively" cancel cards rather than reactively do so (as they seem to have been despite the unusually high amount of debit card fraud).

I hope the reporter for the Seattle P-I who wrote the article Adam cites in the blog entry above is digging into this.

From jericho at attrition.org Fri Feb 10 17:08:40 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 10 Feb 2006 17:08:40 -0500 (EST)
Subject: [Dataloss] More on the BofA card-cancellations
In-Reply-To: <20060210171334.GB693@homeport.org>
References: <20060210171334.GB693@homeport.org>
Message-ID:

On Fri, 10 Feb 2006, Adam Shostack wrote:

: The only explanation(s) I can think of for not disclosing are ongoing
: investigations, which is starting to get thin as details leak, and that
: the data was "encrypted."
Adam brings up an interesting point about this case and possibly others. How many companies are holding off on notification of any kind, citing "ongoing investigation"? If the FBI is involved and has exhausted leads, the case stays open for 7 years (or more). This would be a convenient way for a company to hide an incident from the public and possibly escape legal obligation to do so.

From cwalsh at cwalsh.org Fri Feb 10 20:07:36 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 10 Feb 2006 19:07:36 -0600
Subject: [Dataloss] More on the BofA card-cancellations
In-Reply-To:
References: <20060210171334.GB693@homeport.org>
Message-ID:

I can set a lower bound:

1. In a later article (http://www.smartmoney.com/bn/ON/index.cfm?story=ON-20060210-000830-1529) via the Dow Jones News Service, Visa said they wouldn't spill the beans on who the merchant was because of an ongoing investigation.

Chris

On Feb 10, 2006, at 4:08 PM, security curmudgeon wrote:
>
> Adam brings up an interesting point about this case and possibly others.
> How many companies are holding off on notification of any kind, citing
> "ongoing investigation"?

From cwalsh at cwalsh.org Fri Feb 10 21:33:10 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 10 Feb 2006 20:33:10 -0600
Subject: [Dataloss] BofA new news
Message-ID: <8838E913-8FF2-4650-8407-8E0F125EC861@cwalsh.org>

According to http://news.zdnet.com/2100-1009_22-6038287.html

1. It's a big box retailer
2. Counterfeit cards are being used
3. FBI and Treasury (Secret Service) are on the case
4. Story about initial fraud was written up in Sac Bee in November 2005 (but I can't find it :^()

From jericho at attrition.org Fri Feb 10 23:35:02 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 10 Feb 2006 23:35:02 -0500 (EST)
Subject: [Dataloss] Cooks Illustrated magazine has a security problem
Message-ID:

---------- Forwarded message ----------
From: Richard M. Smith
Date: Fri, 10 Feb 2006 23:18:21 -0500

http://www.cooksillustrated.com/webfaqs/

What happened to your website?

On January 30, 2006, we determined that a file was deleted from the "back office" part of our site. We do not know how, or by whom, this file was deleted, but because we keep sensitive personal information about our website members on our servers, for security reasons we took all of our sites down immediately. Since February 3rd, our sites have been back up and running, although some limited functionality for website members has not yet been restored.

Was any of my personal information compromised?

As soon as we discovered that a file had been deleted from our website server, we immediately investigated the cause of this problem. Our investigation has been unable to determine how, why, or by whom the files were deleted. Although we do not have conclusive evidence that the file deletion was the work of an intruder, it is possible that an individual gained unauthorized access to our computers. The deleted file did not contain any credit card information. However, given the possibility that someone did gain unauthorized access to our system, we are notifying all website members that their credit card information may have been unlawfully accessed, and providing recommended steps that members should take to protect themselves from credit card fraud and identity theft.

Why did you not contact me before now?

As soon as we determined that a file had been deleted from our Internet server, we shut down our websites and disconnected our server from the Internet. At the time that our websites were brought back up, we posted messages on our website homepages describing why our site was down and that we were investigating the cause of the file deletion.
As our investigation has ended without conclusive information as to how the file was deleted or whether an individual gained unlawful access to sensitive personal information, we are now contacting all website members with our findings and steps that they should take in case their sensitive personal information was, in fact, unlawfully accessed.

From lyger at attrition.org Sat Feb 11 14:56:13 2006
From: lyger at attrition.org (lyger)
Date: Sat, 11 Feb 2006 14:56:13 -0500 (EST)
Subject: [Dataloss] New BoA info - 200,000 possibly affected
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/02/10/BUG5HH5N841.DTL

David Lazarus
Friday, February 10, 2006

A data-security breach that resulted in numerous people having their debit cards canceled this week is actually much larger than first indicated.

As first reported in my Thursday column, an unspecified number of Bank of America customers have received letters warning that accounts may have been compromised "at a third-party location unrelated to Bank of America."

BofA has said only that the unnamed company is not a bank affiliate.

But well-placed sources within the banking and credit card industries now tell me that the company in question is a leading retailer in the office-supply business.

Those sources also place the total number of consumers affected by the security breach at nearly 200,000.

[...]

From lyger at attrition.org Sat Feb 11 19:54:30 2006
From: lyger at attrition.org (lyger)
Date: Sat, 11 Feb 2006 19:54:30 -0500 (EST)
Subject: [Dataloss] BoA breach - possible Wal-Mart connection?
Message-ID:

Bank Card Reissues May Be Linked to Wal-Mart Breach
By Paul F. Roberts and Matt Hines
February 10, 2006

In what appears to be a widening incident, Bank of America, MasterCard and Visa all announced this week that they have been informed of a potential security breach at a U.S.-based retailer.
The companies refused to name the retailer involved, but at least one bank said that systems belonging to Wal-Mart Stores, the world's largest retailer, may be to blame.

http://security.ithub.com/article/Bank+Card+Reissues+May+Be+Linked+to+WalMart+Breach/171328_1.aspx

From cwalsh at cwalsh.org Sat Feb 11 21:05:43 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sat, 11 Feb 2006 20:05:43 -0600
Subject: [Dataloss] BoA breach - possible Wal-Mart connection?
In-Reply-To:
References:
Message-ID: <55AB9E16-A52B-426A-BBD4-FA5299178B64@cwalsh.org>

And to be specific, is it Sam's Club, which was reported as being breached in early December 2005, and where Wal-Mart denied that a computer system of theirs had been compromised? Where Gartner and American Banker chided Visa and MC for hoarding info and playing favorites? Where PCI standards were not followed and stripe data were stored?

Wow.

The connection between the BofA/Wamu/Wells Fargo card reissues, and the earlier one by Regions Bank, and the months earlier ones by the Alabama Credit Union, et al. is one I semi-drew (http://www.emergentchaos.com/archives/002414.html). I didn't think there was enough to pin it on Sam's Club, especially since BofA said a processor wasn't involved. How would a retailer lose so much info, especially since reports in December were that the detected frauds likely were from customers who bought gasoline at Sam's Club?

Sam's Club said this on 12/2/2005 (http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/12-02-2005/0004227070):

" SAM'S CLUB stressed that the electronic systems and databases used inside its stores and for http://samsclub.com are not involved."

So, databases "inside its stores" and the web site didn't get penetrated. That leaves, uh, POS devices, and....dare I say it...*wireless*? If we find out that they got p0wned via wireless (a la Lowes, back in 2003?) I will fall off my chair.

This could be huge.
Wal-Mart wants to get into the banking business, and (if true) this isn't exactly a ringing endorsement.

Early in December, I had some fun with ID Analytics and used their numbers to argue that this breach would have exposed 600,000 accounts. It doesn't seem like fun, now.

On Feb 11, 2006, at 6:54 PM, lyger wrote:

>
> Bank Card Reissues May Be Linked to Wal-Mart Breach
>
> By Paul F. Roberts and Matt Hines
> February 10, 2006
>
> In what appears to be a widening incident, Bank of America, MasterCard and
> Visa all announced this week that they have been informed of a potential
> security breach at a U.S.-based retailer.
>
> The companies refused to name the retailer involved, but at least one bank
> said that systems belonging to Wal-Mart Stores, the world's largest
> retailer, may be to blame.
>
> http://security.ithub.com/article/Bank+Card+Reissues+May+Be+Linked+to+WalMart+Breach/171328_1.aspx
>
> _______________________________________________
> Dataloss mailing list
> Dataloss at attrition.org
> https://attrition.org/mailman/listinfo/dataloss

From dano at well.com Sun Feb 12 01:36:17 2006
From: dano at well.com (dano)
Date: Sat, 11 Feb 2006 22:36:17 -0800
Subject: [Dataloss] SBC telco subscriber information (undefined) loss
Message-ID:

Found (and deeply buried) in a recent story (6 Feb 2006) in the Los Angeles Times about a slimy Hollywood private investigator who has been indicted for conspiracy, explosives and wiretapping is a bit that two telco employees who assisted the guy may have leaked some amount (undefined) of subscriber (undefined) information (also undefined).

Only slightly more prominent in the story are statements that some of the guy's co-conspirators - cops and retired cops - also mined LAPD, California Dept of Motor Vehicles and possibly other LE databases for information about the targets.
While this story is not about general or widespread consumer data loss or even large numbers of people - the thieves apparently only targeted specific people in a specific local area and industry niche - it seems relevant to the larger theme of dataloss.

Also shows how a few insiders with access (two cops, two telco employees) can provide considerable confidential information with apparent ease. (Would be nice to know how much they were paid - "the cost of subversion" so to speak.)

Also interesting is how the co-conspirators were allowed to remain free for 2.5 years while the main conspirator was in prison on (other but related) explosives charges.

(Note that the LAT hides their stories behind a pay-for wall after a few days. If you want to see the story then get it now. Subscription required, but bugmenot will probably provide a useful login.)

--begin story--

From the Los Angeles Times

Pellicano Indicted on Racketeering Charges
By Andrew Blankstein and Greg Krikorian
Times Staff Writers
2:45 PM PST, February 6, 2006

After a three-year investigation that frayed nerves in Hollywood, celebrity private eye Anthony Pellicano and six others were charged today with racketeering and conspiracy to obtain confidential and embarrassing information about dozens of individuals.

Pellicano, who pleaded not guilty to the 110-count federal indictment that was unsealed this morning, had just finished serving 30 months in prison on federal charges for storing explosives in his West Hollywood office. He remained in custody.

At one time, Pellicano's roster of clients stretched from Michael Jackson to Elizabeth Taylor and Sylvester Stallone. He was the go-to detective for information needed by lawyers and agents representing entertainment A-listers.

Pellicano, 61, is charged with organizing and masterminding a corrupt enterprise that allegedly wiretapped phones, entered private computers without authorization, committed wire fraud, bribery, identity theft and obstruction of justice.
Pellicano and his associates, including former LAPD Officer Mark Arneson, 52, allegedly tapped Stallone and accessed confidential police records to learn about prominent people, including comedians Garry Shandling and Kevin Nealon, New York Times reporter Bernard Weinraub and former Los Angeles Times reporter Anita Busch, according to the 60-page indictment.

"Defendant Pellicano was responsible for securing clients who were willing and able to pay large sums for the purpose of obtaining personal information of a confidential, embarrassing, or incriminating nature regarding other individuals, including opponents or witnesses in criminal or civil litigation who became the enterprise's investigative charges," the indictment alleged.

"We take these [charges] very seriously," acting U.S. Atty. George S. Cardona said at an afternoon news conference. "This is not how most private investigators do their job."

The indictment alleges a range of crimes with the participants playing a variety of roles:

Arneson, of Culver City, was a 29-year veteran of the LAPD. He surrendered to authorities this morning, according to prosecutors. Arneson is accused of illegally searching law enforcement computers to get information for Pellicano, who allegedly paid the officer for his work.

Also surrendering was Rayford Earl Turner, 49, of Van Nuys, a former field technician for SBC and Pacific Bell. Pellicano and Turner were accused in the wiretapping conspiracy.

Kevin Kachikian, 41, of Fountain Valley, was accused of developing a wiretapping software program called "Telesleuth" for Pellicano. He was arrested this morning by the FBI.

Robert Pfeifer, 50, of Hollywood, once president of Disney-owned Hollywood Records, allegedly hired Pellicano to investigate a former girlfriend. Pfeifer was arrested Friday.

Abner Nicherie, 42, of Las Vegas was arrested this morning. According to authorities, he was involved in a business dispute with a man who was wiretapped.
Also charged was Daniel Nicherie, 45, of Las Vegas, Abner's brother, who was in federal custody on charges of defrauding the man whom Pellicano allegedly wiretapped.

The wiretapping conspiracy charge alleged that Pellicano, with the help of Turner and Kachikian, illegally intercepted telephone communications of a number of individuals, including real estate developer Robert Maguire, Herbalife co-founder Mark Hughes, Stallone and journalist Busch.

In addition to the conspiracy charge, Pellicano, Turner and Kachikian are charged in nine wiretapping counts. Pellicano and Kachikian are additionally charged with possessing illegal wiretapping equipment. Pfeifer and the Nicherie brothers were each charged with one wiretapping count.

Not charged in the indictment was former Beverly Hills police Officer Craig Stevens, who has already pleaded guilty. Arneson and Stevens are alleged to have provided Pellicano with confidential DMV and criminal history information. Turner and fellow SBC employee Teresa Wright, who also has pleaded guilty, are said to have provided confidential information on telephone company subscribers.

Pellicano had been in federal custody at the Taft Correctional Institute in Bakersfield until Friday, when he was moved to the San Bernardino County Jail to await today's arraignment.

Today's charges are an outgrowth of a bizarre threat made against former Times reporter Busch in 2002. Busch walked out to her car one morning and discovered a dead fish, a rose and a sign that read "Stop" on the hood.

An informant led investigators to an ex-convict named Alexander Proctor, who, during a secretly recorded conversation, claimed that Pellicano had paid him to carry out the threat.

The FBI subsequently raided Pellicano's Sunset Boulevard offices and allegedly recovered computerized records and other evidence that the detective had illegally wiretapped people on behalf of clients.
Three weeks ago, Pellicano's former girlfriend, Sandra Will Carradine, and Stevens, the former Beverly Hills police officer, pleaded guilty to federal charges of lying about the detective's use of wiretaps and other illegal tactics. Both are scheduled for sentencing in the fall.

Pellicano also faces state charges in connection with the 2002 threat against the reporter.

Pfeifer, 50, was held at the Metropolitan Detention Center in downtown Los Angeles on Friday, sources close to the investigation said.

In court documents, Pfeifer's estranged wife said he was a longtime friend of Pellicano and had known for two years that he was a subject of the investigation into the detectives' activities.

As part of a custody battle, Maria Misejova Pfeifer filed a sworn declaration alleging that Pfeifer had fled to Canada in September because he believed that an indictment was imminent.

Because of Pfeifer's "investigation by the FBI and his affiliation with Mr. Pellicano," Pfeifer "has contemplated and threatened to flee the jurisdiction in the past," she said in her Jan. 16 declaration.

A former musician and producer, Pfeifer was a member of the early 1980s band Human Switchboard, which recorded an album for I.R.S. Records, according to published reports. He was president of Hollywood Records from 1994 to 1997. Before joining the Disney company, he worked as an artist and repertoire executive at Epic Records, a division of Sony. In 2000, he founded the multimedia company Segnana Inc.

Pellicano's new attorney, Steven Gruel, said Saturday that Pellicano would not testify against others, including former clients.

"It is my firm belief that Mr. Pellicano is adamant in his determination not to cooperate with the federal prosecution," Gruel said.

Contributing to this report were Times staff writers Michael Muskal and Chuck Philips, and research librarian Robin Mayper.
--end story--

From lyger at attrition.org Sun Feb 12 15:26:49 2006
From: lyger at attrition.org (lyger)
Date: Sun, 12 Feb 2006 15:26:49 -0500 (EST)
Subject: [Dataloss] A bit more about the stolen debit cards
Message-ID:

(forwarded from another mail list)

Date: Sun, 12 Feb 2006 09:42:20 -0500
Subject: A bit more about the stolen debit cards

Web of intrigue widens in debit-card theft case
http://news.com.com/Web+of+intrigue+widens+in+debit-card+theft+case/2100-1029_3-6038405.html?tag=nefd.top

After receiving a call from CNET News.com about the investigation into the 200,000 cancelled credit cards, a Wal-Mart media representative refused to answer questions but called attention to a statement released by the company on Dec. 2, 2005.

In the statement, Wal-Mart acknowledged that credit cards used by some customers who bought gas at the company's Sam's Club stations between Sept. 21, 2005 and Oct. 2, 2005, were compromised. Many Sam's Clubs also accept debit cards.

....

But the trail doesn't end with Wal-Mart, said sources close to the investigation.

As investigators began to look into the recent rash of unauthorized charges, they found that a large number of people whose debit cards were compromised had one thing in common: they previously had shopped at office-supply chain OfficeMax, said a banking source familiar with the case.

Two law enforcement sources also said OfficeMax is part of the investigation but did not provide details.

None of the sources, who requested anonymity due to the ongoing investigation, knew for certain whether OfficeMax had suffered a security breach.

"We have not suffered any security breach to our knowledge," said William Bonner, an OfficeMax spokesman, on Friday.

According to one banking official close to the case, OfficeMax has been queried by at least one financial institution about the matter.

"This is why we don't reveal the names to the public," said the banking official who requested anonymity.
"We're not sure which customers may have been ripped off in the Wal-Mart deal or whether OfficeMax was the problem."

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

From lyger at attrition.org Tue Feb 14 09:58:15 2006
From: lyger at attrition.org (lyger)
Date: Tue, 14 Feb 2006 09:58:15 -0500 (EST)
Subject: [Dataloss] [ISN] NCsoft site deluged with stolen identities
Message-ID:

I'm guessing a "resident registration number" in Korea is the equivalent of the United States' social security number. (?)

---------- Forwarded message ----------
From: InfoSec News
Date: Tue, 14 Feb 2006 00:39:00 -0600 (CST)
Subject: [ISN] NCsoft site deluged with stolen identities

http://joongangdaily.joins.com/200602/13/200602132130583039900090609061.html

By Seo Ji-eun, Lee Weon-ho
February 14, 2006

Hackers have used the private information of hundreds of people to register on the Web site of "Lineage," one of Korea's most popular online games. Complaints to the game developer, NCsoft Corp., have been rapidly piling up.

The company said yesterday that it had received up to 600 reports so far of people being registered without their knowledge as members of the role-playing games "Lineage" and "Lineage 2." The two games have a combined subscriber base of 2 million members.

The Ministry of Information and Communication also said that a large number of people have posted notes on Internet communities and portal sites, saying that their names and resident registration numbers were used to sign up with the game site without their permission.

[...]
From ish at dolphtech.com Tue Feb 14 15:33:53 2006
From: ish at dolphtech.com (J Isherwood)
Date: Tue, 14 Feb 2006 15:33:53 -0500
Subject: [Dataloss] OfficeMax at center of major data-security breach with debit cards
In-Reply-To:
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/14/BUGGQH7QK21.DTL

(I believe that this ties right into the message lyger sent 2 days ago, quoted for reference down below)

Ish...

___________________________________________________________________

OfficeMax at center of major data-security breach with debit cards
- David Lazarus, Tuesday, February 14, 2006

OfficeMax is the Northern California retailer at the heart of a major data-security breach affecting as many as 200,000 consumers, banking and law-enforcement sources confirmed Monday.

They also said investigators are exploring the possibility that the Russian mob or another Eastern European crime syndicate is responsible for accessing U.S. consumers' debit-card numbers and selling counterfeit cards on the black market worldwide.

Bill Bonner, an OfficeMax spokesman, said that to the best of his knowledge, no security breach had occurred at any of the Illinois company's Northern California outlets. "I just can't say that happened," he said.

Still, Bonner declined to comment on whether OfficeMax is cooperating with the FBI and Secret Service on their investigation into the debit-card theft.

"I can't make any comment on any law-enforcement investigations," he said, adding that "we're trying to be responsible and not create any kind of panic."

Four well-placed sources in the banking industry said it's possible that OfficeMax can't yet say with certainty that a breach occurred because it often takes investigators time to piece together a hacker's electronic trail.

But they said there's no doubt that OfficeMax has made its computer system available to federal authorities for their investigation.
Special Agent Karen Ernst of the FBI's Sacramento office declined to discuss details of the case. "It's an ongoing investigation being worked jointly with other agencies, including the Secret Service," she said.

Numerous banks have replaced customers' debit cards in recent weeks, including Bank of America, Wells Fargo and Washington Mutual.

An executive at one leading bank told me he spoke with senior officials at OfficeMax shortly after news of the security breach broke in this column last week. He said he was surprised by the bank's decision to remain silent on the matter.

"I warned them point blank that they have to get out in front of this," the exec said.

It appears that a hacker penetrated the computer network of an OfficeMax outlet in Sacramento last fall, sources said. They said the hacker may have gained access to account information for as many as 200,000 customers, potentially downloading people's names, debit-card numbers and secret codes used to validate transactions.

Bank officials said bogus charges related to the incident have cropped up throughout Europe and Asia. Many have originated in former Soviet bloc countries.

This has raised investigators' suspicions that the Russian mafia or another Eastern European crime syndicate is behind the OfficeMax breach, sources said.

In September 2004, a senior FBI official, Steven Martinez, testified before Congress that the bureau's Internet Crime Complaint Center, or IC3, had noticed an increasing number of cyber crimes involving Eastern Europeans.

"The FBI, through the IC3, has observed a continuing increase in both volume and potential impact of cyber crime with significant international elements," he said. "Identifying such trends, as well as formulating an aggressive and proactive counterattack strategy, remains a fundamental objective of the FBI's Cyber Division."

It's unclear when the OfficeMax hack actually occurred.
Banking industry sources say they believe authorities were made aware of the situation in December. But they acknowledge that consumers' personal info could have been endangered well before this time.

Oakland resident Alicia Vagts, 34, illustrates this possibility. She discovered in October that someone in Estonia was running up about $2,500 in fraudulent charges on her Washington Mutual debit card.

"I barely knew where Estonia was," she said. (It's on the Baltic Sea, right next to Russia.)

Asked if she ever shops at office-supply stores, Vagts said she was a frequent customer of OfficeMax while attending law school in Sacramento. "I was there all the time, buying things for school," she said.

A Washington Mutual spokesman said it's not yet known whether Vagts' case is linked to the security breach now being probed by federal investigators or was a separate incident.

He and other bank reps said financial institutions are being extra cautious in this latest case, replacing debit cards not just for OfficeMax shoppers but also for an unspecified number of other people who may never have visited the retailer.

But OfficeMax is the common denominator for most consumers affected by the security breach.

San Francisco resident John Wilson, 52, said he has no doubt why he got a new card in the mail this week. "OfficeMax is the only office-supply store I've gone to where I've used my debit card for the past two years," he said.

This isn't the company's first brush with fraud in Northern California. Last month, a former worker at the OfficeMax outlet in the Alameda Towne Centre was arrested for allegedly using a customer's credit card number to pay about $1,000 in cell-phone bills.

Sgt. Dennis Hart of the Alameda Police Department said the suspect, Oakland resident Chantalle Adrianna Allen, 19, admitted the theft after being taken into custody. He said the card in question belonged to the Odd Fellows, a fraternal organization.
A member of the group had purchased office supplies at OfficeMax in December.

David Lazarus' column appears Wednesdays, Fridays and Sundays. Send tips or feedback to dlazarus at sfchronicle.com.

Page C - 1

URL: http://sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/14/BUGGQH7QK21.DTL

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger
Sent: Sunday, February 12, 2006 3:27 PM
To: dataloss at attrition.org
Subject: [Dataloss] A bit more about the stolen debit cards

(forwarded from another mail list)

Date: Sun, 12 Feb 2006 09:42:20 -0500
Subject: A bit more about the stolen debit cards

Web of intrigue widens in debit-card theft case
http://news.com.com/Web+of+intrigue+widens+in+debit-card+theft+case/2100-1029_3-6038405.html?tag=nefd.top

After receiving a call from CNET News.com about the investigation into the 200,000 cancelled credit cards, a Wal-Mart media representative refused to answer questions but called attention to a statement released by the company on Dec. 2, 2005.

In the statement, Wal-Mart acknowledged that credit cards used by some customers who bought gas at the company's Sam's Club stations between Sept. 21, 2005 and Oct. 2, 2005, were compromised. Many Sam's Clubs also accept debit cards.

....

But the trail doesn't end with Wal-Mart, said sources close to the investigation.

As investigators began to look into the recent rash of unauthorized charges, they found that a large number of people whose debit cards were compromised had one thing in common: they previously had shopped at office-supply chain OfficeMax, said a banking source familiar with the case.

Two law enforcement sources also said OfficeMax is part of the investigation but did not provide details.

None of the sources, who requested anonymity due to the ongoing investigation, knew for certain whether OfficeMax had suffered a security breach.
"We have not suffered any security breach to our knowledge," said William Bonner, an OfficeMax spokesman, on Friday.

According to one banking official close to the case, OfficeMax has been queried by at least one financial institution about the matter.

"This is why we don't reveal the names to the public," said the banking official who requested anonymity. "We're not sure which customers may have been ripped off in the Wal-Mart deal or whether OfficeMax was the problem."

From lyger at attrition.org Wed Feb 15 17:44:41 2006
From: lyger at attrition.org (lyger)
Date: Wed, 15 Feb 2006 17:44:41 -0500 (EST)
Subject: [Dataloss] Suffolk County New York SSN Exposure
Message-ID:

Courtesy Emergent Chaos: http://www.emergentchaos.com/archives/002438.html

http://www.newsday.com/news/local/longisland/ny-lisoci154627730feb15,0,7781591.story?coll=ny-linews-headlines

The Suffolk county clerk's office has exposed the Social Security numbers of thousands of homeowners on its Web site, and officials said they don't have a way to remove them. And soon, a new plan will make it easier to retrieve them.

Mortgages and deeds that contain Social Security numbers for an estimated 7,000 to 8,000 individuals have been "scanned" and posted on the county clerk's Web site. They can be accessed with a tax map identification number, which is also public record.

In the next few weeks, users who pay a $30 daily subscription fee will be able to search the documents dating as far back as 2001 from any computer with just a name or address, county officials said.

[...]

From lyger at attrition.org Wed Feb 15 18:54:41 2006
From: lyger at attrition.org (lyger)
Date: Wed, 15 Feb 2006 18:54:41 -0500 (EST)
Subject: [Dataloss] Judge: Firm not negligent in failure to encrypt data (fwd)
Message-ID:

Forwarded from another mailing list. With 550,000 customers apparently contacted... has anyone heard of this incident before now?
Date: Wed, 15 Feb 2006 10:31:55 -0500
Subject: Judge: Firm not negligent in failure to encrypt data

http://news.com.com/2100-1030_3-6039645.html

A federal court has thrown out a lawsuit that accused a student-loan provider of negligence in failing to encrypt a customer database that was subsequently stolen.

Stacy Lawton Guin, a customer of Brazos Higher Education Service, sued the corporation on the grounds that encryption should be used as a routine security precaution.

But U.S. District Judge Richard Kyle in Minnesota dismissed the case last week, saying Brazos had a written security policy and other "proper safeguards" for customers' information and that it acted "with reasonable care" even without encrypting the database.

[...]

From cwalsh at cwalsh.org Wed Feb 15 23:49:25 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 15 Feb 2006 22:49:25 -0600
Subject: [Dataloss] NH govt breach
Message-ID:

A quick Google Alerts cut/paste:

SECURITY breach reported in state computers
Boston Globe - United States
CONCORD, NH --New Hampshire's state computer system was breached and might have compromised customers' credit card numbers, Gov. John Lynch said Wednesday. ...

From lyger at attrition.org Wed Feb 15 23:57:50 2006
From: lyger at attrition.org (lyger)
Date: Wed, 15 Feb 2006 23:57:50 -0500 (EST)
Subject: [Dataloss] NH govt breach
In-Reply-To:
References:
Message-ID:

On Wed, 15 Feb 2006, Chris Walsh wrote:

: A quick Google Alerts cut/paste:
:
: SECURITY breach reported in state computers
: Boston Globe - United States
: CONCORD, NH --New Hampshire's state computer system was breached and
: might
: have compromised customers' credit card numbers, Gov. John Lynch said
: Wednesday. ...
:

"State information technology experts became aware of the breach Wednesday when they spotted a variation of legitimate "Cain and Abel" software in the system.
The illegal software, which may have been installed for six months, allows a hacker to watch transactions in real time, but not to recover earlier records, said Richard Bailey, chief information officer for the Office of Information Technology."

So "Cain & Abel" is legitimate, but variations are not? This seems to be shoddy reporting, unless I missed something here..

http://www.oxid.it/cain.html

From hobbit at avian.org Thu Feb 16 01:02:39 2006
From: hobbit at avian.org (*Hobbit*)
Date: Thu, 16 Feb 2006 06:02:39 +0000 (GMT)
Subject: [Dataloss] a recurring theme...
Message-ID: <20060216060239.C4C5CC305@relayer.avian.org>

okay, so I've been on this list all of two days, and so far it's been "organization X got owned, and customer credit cards may be at risk. organization X apologizes." ... very similar to reports I've been seeing filter through a couple of other sources, in fact. Not to disparage the reporting or even the monotonous invariance in overall theme -- my question is, how many such events, and how long is it going to take, before the industry wises up and actually DOES something about it?

We HAVE the technology. Why are invariant passwords to money [i.e. credit card numbers, which themselves are only "unpredictable" within the last 5 digits or so] being issued with expected *5-year* lifetimes? Why is the financial industry still relying on crap like the last 4 of the SSN as a default "verifier" of identity? Why the hell don't we have a workable one-time-per-transaction authorization scheme in common use, so this idiocy with stored plaintext card numbers just ceases to be a problem?

Because "profitable in the face of tolerable risk" trumps "inherent engineering merit", every time. I would counterargue that these risks are no longer "tolerable", when the volume of loss has gotten so high in the aggregate. Maybe that's what this list is for -- posting frequency as a gauge of how bad it is.
I tried to go change a card number at a local bank not too long ago -- didn't claim it was lost/stolen, I just said it was high time I changed it on principle. They were flabbergasted, and didn't know how to deal, and said that if everyone wanted a new number every 6 months or a year they couldn't afford to offer cards at all. They finally agreed to do it "just this once" and waive the $10 reissue fee, but it was totally pulling teeth to get them to that point. Now, *that* is *broken*. _H* From jericho at attrition.org Thu Feb 16 02:49:31 2006 From: jericho at attrition.org (security curmudgeon) Date: Thu, 16 Feb 2006 02:49:31 -0500 (EST) Subject: [Dataloss] a recurring theme... In-Reply-To: <20060216060239.C4C5CC305@relayer.avian.org> References: <20060216060239.C4C5CC305@relayer.avian.org> Message-ID: : okay, so I've been on this list all of two days, and so far it's been : "organization X got owned, and customer credit cards may be at risk. : organization X apologizes." ... very similar to reports I've been seeing : filter through a couple of other sources, in fact. Not to disparage the : reporting or even the monotonous invariance in overall theme -- my : question is, how many such events, and how long is it going to take, : before the industry wises up and actually DOES something about it? While the list is intended for such disclosures, this is more along the lines of what I wanted to see =) So I will play advocate to start. The first thing to point out, is your use of 'the industry' in this context. These incidents are pretty far reaching, hitting a wide variety of companies and organizations. About the only thing they have in common is they a) use computers and b) have customers. This leads me to think that the problem will remain there, just as countless others do. Why don't companies do X and Y when it seems so obvious and they *could* fix it so easily (voice mail/prompt hell for example). : We HAVE the technology.
Why are invariant passwords to money [i.e. : credit card numbers, which themselves are only "unpredictable" within : the last 5 digits or so] being issued with expected *5-year* lifetimes? : Why is the financial industry still relying on crap like the last 4 of : the SSN as a default "verifier" of identity? Why the hell don't we have : a workable one-time-per-transaction authorization scheme in common use, : so this idiocy with stored plaintext card numbers just ceases to be a : problem? : : Because "profitable in the face of tolerable risk" trumps "inherent : engineering merit", every time. I would counterargue that these risks : are no longer "tolerable", when the volume of loss has gotten so high in : the aggregate. Maybe that's what this list is for -- posting frequency : as a gauge of how bad it is. That is one reason the dataloss page was made. We all saw these incidents here and there in the news. A steady stream of them every few days or weeks. But once seen together, and once some preliminary stats are generated (several groups are working on such a thing), will that be enough to help 'prove' it is no longer tolerable? If not, what is the magic figure? Or is this a case where the 'right' people need to fall victim, then we'll miraculously see a change in policy or law that seeks to protect it (all the while doing it so wrong)? : I tried to go change a card number at a local bank not too long ago -- : didn't claim it was lost/stolen, I just said it was high time I changed : it on principle. They were flabbergasted, and didn't know how to deal, : and said that if everyone wanted a new number every 6 months or a year : they couldn't afford to offer cards at all. They finally agreed to do : it "just this once" and waive the $10 reissue fee, but it was totally : pulling teeth to get them to that point. Now, *that* is *broken*.
You'd think they would happily embrace that and cut a profit off of it =) In fact, in the short term, offering such a feature for X dollars (so they profit a little) would be a good thing. Eventually, customers would bitch and that fee would go away like many banks are eliminating ATM fees. From jericho at attrition.org Thu Feb 16 04:31:30 2006 From: jericho at attrition.org (security curmudgeon) Date: Thu, 16 Feb 2006 04:31:30 -0500 (EST) Subject: [Dataloss] a recurring theme... In-Reply-To: <20060216060239.C4C5CC305@relayer.avian.org> References: <20060216060239.C4C5CC305@relayer.avian.org> Message-ID: : Why are invariant passwords to money [i.e. credit card numbers, which : themselves are only "unpredictable" within the last 5 digits or so] : being issued with expected *5-year* lifetimes? Why is the financial : industry still relying on crap like the last 4 of the SSN as a default : "verifier" of identity? Why the hell don't we have a workable : one-time-per-transaction authorization scheme in common use, so this : idiocy with stored plaintext card numbers just ceases to be a problem? On this specific topic: http://www.csoonline.com/read/020106/second_thoughts.html Second Thoughts on Second Factors Seven ways in which a new strong-authentication standard isn't quite what it appears to be By Scott Berinato Last October, a relatively obscure government body called the Federal Financial Institutions Examination Council, or FFIEC, issued what it called guidance but which looks much like a mandate. Starting in January 2007, financial institutions must provide consumers of online financial services with the same security protection enjoyed by customers buying groceries or gas with a debit card: strong authentication. Strong means two or more types of identity verification in return for access. At the grocery store or gas station, those two factors are usually a piece of plastic and a passcode. 
Online banking, on the other hand, still primarily works with "weak" single-factor authentication: a password. [..] From adam at homeport.org Thu Feb 16 12:02:38 2006 From: adam at homeport.org (Adam Shostack) Date: Thu, 16 Feb 2006 12:02:38 -0500 Subject: [Dataloss] a recurring theme... In-Reply-To: References: <20060216060239.C4C5CC305@relayer.avian.org> Message-ID: <20060216170238.GA17197@homeport.org> On Thu, Feb 16, 2006 at 02:49:31AM -0500, security curmudgeon wrote: | The first thing to point out, is your use of 'the industry' in this | context. These incidents are pretty far reaching, hitting a wide variety | of companies and organizations. About the only thing they have in common | is they a) use computers and b) have customers. This leads me to think I'm really glad hobbit asked these questions--since I'm at RSA and suffering overload, I'll wait until next week to really respond, but wanted to mention up Safenet, who disclosed loss of a printout of employee data: http://www.emergentchaos.com/archives/001231.html Yes, Safenet uses computers, and perhaps this is the exception that proves the rule. Adam From blitz at strikenet.kicks-ass.net Thu Feb 16 12:45:45 2006 From: blitz at strikenet.kicks-ass.net (blitz) Date: Thu, 16 Feb 2006 12:45:45 -0500 Subject: [Dataloss] Fwd: [ISN] Security titans weigh in on buyout environment Message-ID: <7.0.1.0.2.20060216124431.03d7b358@macronet.net> Seems topical: >http://news.com.com/Security+titans+weigh+in+on+buyout+environment/2100-7350_3-6040297.html > >By Dawn Kawamoto >Staff Writer, CNET News.com >February 15, 2006 > >SAN JOSE, Calif.--Psst buddy, got a security company to sell? > >Security companies that are privately held and in the business of >protecting information from espionage and offering up secure access >are attractive among potential buyers, a panel of security titans and >bankers said here Thursday during the RSA Conference 2006.
> >The panel, speaking to a standing-room-only crowd, addressed the >current mergers and acquisition environment for security companies, as >well as what it takes for them to gain interest in potential buyout >candidates. > >The current valuation for privately held security companies, based on >projecting out future revenues, is a mean of slightly more than 6.5 >times those revenues. But valuations for publicly traded security >companies are substantially lower, said Rob Owens, vice president of >equity research for Pacific Crest Securities and panel moderator. > >"Most of the innovation comes from smaller companies," said Parveen >Jain, executive vice president of corporate development and strategy >for McAfee, in explaining the difference between valuing a private >security company and a public one. > >Another issue for buyers is public companies tend to be more mature, >offering less potential revenue growth, said Michael Cristinziano, >vice president of strategic development for Citrix, which acquired SSL >VPN start-up Net6 for $50 million two years ago. > >He added that the ability of a potential buyout target to add to his >company's earnings within a 12-month period is a key consideration on >whether to do a deal. > >Symantec, which has been on a tear with acquisitions big and small, >wants its potential lifelong partners to have frank discussions with >the security giant on its financial outlook and performance. James >Socas, senior vice president of Symantec's corporate development, >recalled a time when a private company provided financial information >that showed declining revenues over a three-year period, yet had a >forecast of more than doubling its revenues in the following year. > >McAfee, meanwhile, hones in on the candidate's operating team, >assessing whether they can deliver on the technology and financial >numbers they have projected, and be flexible if changes are needed to >their business plan. 
> >In providing a broad view of areas in which they are interested in >making acquisitions, Jain said McAfee finds areas that need addressing >include industrial spying, or the tampering and theft of information. > >Symantec is anticipating more companies will find it incumbent to take >on the role of managing their own security, similar to what consumers >have done. Citrix is focusing on deals that will provide its customers >with the "best access experience," Cristinziano said. > >Technology to solve the leakage of sensitive information is an area >that a number of large potential buyers are interested in, said >panelist Neel Kashkari, an investment banker with Goldman Sachs. > >Kashkari noted Microsoft's entry into the antivirus market has had a >negative effect on start-ups in a similar market that are seeking >funding or a buyout. > >"It's created an overhang with valuations," he noted. > >A number of security companies are turning to a buyout, rather than >going public, as a means to pay back initial investors, the panelists >noted, pointing to NetScreen Technologies' 2002 IPO as the last >"meaningful" public offering of a security company. > >The regulatory environment, including Sarbanes-Oxley, has made >executives of private companies more hesitant to go public, rather >than selling their operations, the panelists said. Another issue is >that single product security companies are finding Wall Street is less >receptive in the post-bubble environment. > >And then there are the attractive valuations for privately held >security companies, in the current climate. > >"Mergers and acquisitions are white hot right now," Socas said. "We've >seen a lot of good companies on the private side."
From jericho at attrition.org Thu Feb 16 13:00:35 2006 From: jericho at attrition.org (security curmudgeon) Date: Thu, 16 Feb 2006 13:00:35 -0500 (EST) Subject: [Dataloss] two articles of interest.. Message-ID: Courtesy of blitz at strikenet.kicks-ass.net: http://news.com.com/Security+titans+weigh+in+on+buyout+environment/2100-7350_3-6040297.html By Dawn Kawamoto Staff Writer, CNET News.com February 15, 2006 SAN JOSE, Calif.--Psst buddy, got a security company to sell? Security companies that are privately held and in the business of protecting information from espionage and offering up secure access are attractive among potential buyers, a panel of security titans and bankers said here Thursday during the RSA Conference 2006. The panel, speaking to a standing-room-only crowd, addressed the current mergers and acquisition environment for security companies, as well as what it takes for them to gain interest in potential buyout candidates. [..] http://www.informationweek.com/news/showArticle.jhtml?articleID=180202429 By Gregg Keizer TechWeb News Feb 15, 2006 The top Internet threats for 2006 will include more attacks through instant messages and cell phones, as well as a boost in identity hacks against online brokerage accounts, the Department of Homeland Security and the National Cyber Security Alliance predicted Wednesday. By joining forces, the Department of Homeland Security (DHS) and National Cyber Security Alliance (NCSA) hope to give consumers time to put additional protection in place on their PCs. [..] From sawaba at forced.attrition.org Thu Feb 16 22:41:32 2006 From: sawaba at forced.attrition.org (sawaba) Date: Thu, 16 Feb 2006 22:41:32 -0500 (EST) Subject: [Dataloss] Fwd: a recurring theme...
In-Reply-To: References: <20060216060239.C4C5CC305@relayer.avian.org> Message-ID: > ---------- Forwarded message ---------- > From: security curmudgeon > Date: Feb 16, 2006 2:49 AM > Subject: Re: [Dataloss] a recurring theme... > To: dataloss at attrition.org > > > > : okay, so I've been on this list all of two days, and so far it's been > : "organization X got owned, and customer credit cards may be at risk. > : organization X apologizes." ... very similar to reports I've been seeing > : filter through a couple of other sources, in fact. Not to disparage the > : reporting or even the monotonous invariance in overall theme -- my > : question is, how many such events, and how long is it going to take, > : before the industry wises up and actually DOES something about it? > > While the list is intended for such disclosures, this is more along the > lines of what I wanted to see =) So I will play advocate to start. > > The first thing to point out, is your use of 'the industry' in this > context. These incidents are pretty far reaching, hitting a wide variety > of companies and organizations. About the only thing they have in common > is they a) use computers and b) have customers. This leads me to think > that the problem will remain there, just as countless others do. Why don't > companies do X and Y when it seems so obvious and they *could* fix it so > easily (voice mail/prompt hell for example). > I would argue that these companies also have one more thing in common - they are subject to VISA's requirements and regulations. Unfortunately, VISA's been soft on enforcing requirements, and only one company has been made an example of so far. To force most of these companies to change their practices, you have to threaten their bottom line. Whether by fining them or taking away their processing rights, VISA has options they can exercise to push the situation hard and fast if they wanted to. > : We HAVE the technology. Why are invariant passwords to money [i.e. 
> : credit card numbers, which themselves are only "unpredictable" within > : the last 5 digits or so] being issued with expected *5-year* lifetimes? > : Why is the financial industry still relying on crap like the last 4 of > : the SSN as a default "verifier" of identity? Why the hell don't we have > : a workable one-time-per-transaction authorization scheme in common use, > : so this idiocy with stored plaintext card numbers just ceases to be a > : problem? > : > : Because "profitable in the face of tolerable risk" trumps "inherent > : engineering merit", every time. I would counterargue that these risks > : are no longer "tolerable", when the volume of loss has gotten so high in > : the aggregate. Maybe that's what this list is for -- posting frequency > : as a gauge of how bad it is. > > That is one reason the dataloss page was made. We all saw these incidents > here and there in the news. A steady stream of them every few days or > weeks. But once seen together, and once some preliminary stats are > generated (several groups are working on such a thing), will that be > enough to help 'prove' it is no longer tolerable? If not, what is the > magic figure? Or is this a case where the 'right' people need to fall > victim, then we'll miraculously see a change in policy or law that seeks > to protect it (all the while doing it so wrong)? > Again, nothing will happen unless their profits are threatened. They must be forced (tm). > : I tried to go change a card number at a local bank not too long ago -- > : didn't claim it was lost/stolen, I just said it was high time I changed > : it on principle. They were flabbergasted, and didn't know how to deal, > : and said that if everyone wanted a new number every 6 months or a year > : they couldn't afford to offer cards at all. They finally agreed to do > : it "just this once" and waive the $10 reissue fee, but it was totally > : pulling teeth to get them to that point. Now, *that* is *broken*.
> > You'd think they would happily embrace that and cut a profit off of it =) > In fact, in the short term, offering such a feature for X dollars (so they > profit a little) would be a good thing. Eventually, customers would bitch > and that fee would go away like many banks are eliminating ATM fees. From hobbit at avian.org Fri Feb 17 10:17:57 2006 From: hobbit at avian.org (*Hobbit*) Date: Fri, 17 Feb 2006 15:17:57 +0000 (GMT) Subject: [Dataloss] a recurring theme... Message-ID: <20060217151757.3030FC305@relayer.avian.org> Well, by "the industry" I really mean any corporation that accumulates data on people, especially of the financial sort, and is therefore likely to cause privacy leaks in a breach. But more subtly, I mean the outfits that are doing that and then making such data available via largely insecure means -- "it's easy! Manage your account online! Just sign up here, and use the last 4 digits of your social as a default password!" ... it's not *quite* that bad these days, but on the other hand getting a bank or other organization with which one holds an account of some kind to completely *decouple* one's particulars from any sort of online access is increasingly difficult. And they act surprised when someone calls in and says "no, I don't want ANY internet access to my account please". Or be in total shock when someone wants to follow good security guidelines and change an otherwise relatively static secret. Many procedural assumptions are being made, in the financial sector and otherwise, that are fundamentally flawed, and they're all copycatting each other in this madness so that makes it all seem like "accepted practice". This is where things have gone so horribly wrong, and now we see the results. But it's gotten too big, and nobody knows or cares how to fix it anymore.
They've learned how to pronounce "identity theft", but that seems to be about as far as it goes. Hopefully this list can help drive home a different conclusion. I think I've seen an aggregate figure of over a million customers at risk go by in just the short time I've been here. Perhaps efforts to bring lists like this to a wider audience would help... _H* From mfratto at gmail.com Fri Feb 17 14:37:54 2006 From: mfratto at gmail.com (Mike Fratto) Date: Fri, 17 Feb 2006 14:37:54 -0500 Subject: [Dataloss] a recurring theme... In-Reply-To: <20060217151757.3030FC305@relayer.avian.org> References: <20060217151757.3030FC305@relayer.avian.org> Message-ID: > Hopefully this list can help drive home a different conclusion. > I think I've seen an aggregate figure of over a million customers > at risk go by in just the short time I've been here. Perhaps > efforts to bring lists like this to a wider audience would help... For that to happen, it has to get on a general news outlet like the Today show or the evening news. Dataloss is a huge problem yet when I talk to organizations about something as simple as encrypting off-site back-ups, they don't perceive the need even with all the coverage of tapes falling off the back of a truck or being stolen. It's somebody else's problem. Nothing will happen until there is a financial reason--meaning legal fees and fines--or jail time for execs. From lyger at attrition.org Fri Feb 17 18:32:18 2006 From: lyger at attrition.org (lyger) Date: Fri, 17 Feb 2006 18:32:18 -0500 (EST) Subject: [Dataloss] Pelican Bay Inmates Allegedly Had Access To Personal Data (fwd) Message-ID: Forwarded from another mail list. [snip] Inmates at Pelican Bay State Prison gained access to personal information about employees, including their Social Security numbers, birth dates and pension account information, the state prison guards' union said Thursday.
The California Correctional Peace Officers Association said inmates also had access to prison blueprints in a warehouse where the confidential information was stored. Union President Mike Jimenez said the fact that inmates worked in the warehouse violated a law barring the Department of Corrections from assigning prisoners to jobs that give them access to others' personal information. [snip] http://www.cbsnews.com/stories/2006/02/17/tech/main1325852.shtml From lyger at attrition.org Fri Feb 17 19:09:55 2006 From: lyger at attrition.org (lyger) Date: Fri, 17 Feb 2006 19:09:55 -0500 (EST) Subject: [Dataloss] Blue Cross and Blue Shield of Florida (27,000) Message-ID: Once again, courtesy Emergent Chaos (emergentchaos.com): http://www.bradenton.com/mld/bradenton/news/local/13887977.htm JACKSONVILLE, Fla. - The names and Social Security numbers of about 27,000 Blue Cross and Blue Shield of Florida current and former employees, vendors and contractors were sent by a contractor to his home computer in violation of company policies, the company said Thursday. The contractor had access to a database of identification badge information and transferred it via e-mail to a home computer, said Lisa Acheson Luther, a Blue Cross and Blue Shield spokeswoman. "We believe there was only one person involved in the incident," Luther said. "We terminated his access to the systems and we don't believe it went any further than his home computer." [...] From lyger at attrition.org Fri Feb 17 21:59:54 2006 From: lyger at attrition.org (lyger) Date: Fri, 17 Feb 2006 21:59:54 -0500 (EST) Subject: [Dataloss] Old Dominion University: Web/SSN breach Message-ID: Credit to Emergent Chaos: http://www.emergentchaos.com/archives/002448.html http://home.hamptonroads.com/stories/story.cfm?story=99602&ran=129421 NORFOLK - Old Dominion University informed 601 students Tuesday that their names and Social Security numbers had inadvertently been placed on a university Web server nearly two years ago.
Jennifer Mullen, a university spokeswoman, said an instructor "copied and pasted a class roster to a Web site which she could access." Mullen said ODU officials think it was not deliberate. The instructor is believed to have been a graduate student, Mullen said, but officials are still investigating. They do not know if she is still at the university. [...] From lyger at attrition.org Sun Feb 19 01:26:48 2006 From: lyger at attrition.org (lyger) Date: Sun, 19 Feb 2006 01:26:48 -0500 (EST) Subject: [Dataloss] UNI warns of ID theft after computer security breach Message-ID: Courtesy Emergent Chaos (emergentchaos.com): http://www.wcfcourier.com/articles/2006/02/18/news/breaking_news/doc43f7026269046987392075.txt CEDAR FALLS, Iowa (AP) -- The University of Northern Iowa has warned students and faculty to monitor their bank accounts after someone accessed a computer system holding confidential information. The university detected last week that a laptop computer holding W-2 forms was illegally accessed, though officials said the person likely did not realize he could obtain tax information for about 6,000 student employees and faculty. "A virus was detected during routine monitoring," said Tom Schellhardt, vice president for administration and finance. "We immediately took steps to fix the problem and increase security." The university sent letters to everyone whose data was on that computer, warning them to protect against identity theft by monitoring their accounts and contacting credit reporting agencies. [...] From blitz at strikenet.kicks-ass.net Sun Feb 19 06:21:59 2006 From: blitz at strikenet.kicks-ass.net (blitz) Date: Sun, 19 Feb 2006 06:21:59 -0500 Subject: [Dataloss] Update on laptop robbery/data theft In-Reply-To: References: Message-ID: <7.0.1.0.2.20060219061458.03d32de0@strikenet.kicks-ass.net> A couple days ago it was reported two laptops containing medical information were taken in a gunpoint robbery in New Jersey.
Yesterday, it was reported in a Buffalo, NY paper that Mt. St. Mary's hospital in Lewiston, NY was one hospital that had confidential information on one of those laptops. --story below: Laptop theft may lead to release of patient data http://www.buffalonews.com/editorial/20060217/3026081.asp 2/17/2006 LEWISTON - Personal information may have been released on patients at Mount St. Mary's Hospital from 2001 to 2004, according to President and CEO Angelo G. Calbone. Two laptops were stolen recently in an armed robbery in the New Jersey office of a national consulting firm that was doing work for Mount St. Mary's. Although there is a suspect in the robbery, the two laptops have not been found. "This is a pretty routine business practice. We were one of 10 hospitals that had records with this consulting firm. They look at things like managing files, billing and collections. It's a routine thing that went haywire," said Fred Caso, Mount St. Mary's director of community relations. In the robbery, a man's wallet and two laptops were taken. The laptops are password-protected and the files on the computer also were password-protected, Caso said. However, he said, the hospital wants to warn people that personal information, such as date of birth, address and Social Security numbers, was on the laptops. Calbone is notifying the affected patients of the incident and offering ways to safeguard themselves, such as having credit agencies put a fraud alert on their accounts. The hospital has established a dedicated phone line to answer questions from patients. Calls will be taken from 10 a.m. to 3 p.m. Monday through Friday at 298-2000.
From adam at homeport.org Mon Feb 20 19:56:29 2006 From: adam at homeport.org (Adam Shostack) Date: Mon, 20 Feb 2006 19:56:29 -0500 Subject: [Dataloss] [vanderaj@greebo.net: SF new column announcement: Strict liability for data breaches?] Message-ID: <20060221005629.GA22379@homeport.org> Interesting article. I wonder how many laptops need to be stolen for it to be foreseeable. Adam ----- Forwarded message from Andrew van der Stock ----- From: Andrew van der Stock Subject: SF new column announcement: Strict liability for data breaches? Date: Tue, 21 Feb 2006 10:40:24 +1100 To: webappsec at lists.securityfocus.com X-Mailer: Apple Mail (2.746.2) X-Spam-Status: No, score=-14.9 required=2.5 tests=AWL,USER_IN_DEF_WHITELIST autolearn=disabled version=3.0.3 Today on Security Focus... Begin forwarded message: >Strict liability for data breaches? >by Mark Rasch >2006-02-20 > >A recent case involving a stolen laptop containing 550,000 people's >full credit information sheds new light on what "reasonable" >protections a company must make to secure its customer data - and >what customers need to prove in order to sue for damages. > >http://www.securityfocus.com/columnists/387 ----- End forwarded message -----
From mfratto at gmail.com Tue Feb 21 11:30:02 2006 From: mfratto at gmail.com (Mike Fratto) Date: Tue, 21 Feb 2006 11:30:02 -0500 Subject: [Dataloss] [vanderaj@greebo.net: SF new column announcement: Strict liability for data breaches?] In-Reply-To: <20060221005629.GA22379@homeport.org> References: <20060221005629.GA22379@homeport.org> Message-ID: On 2/20/06, Adam Shostack wrote: > Interesting article. I wonder how many laptops need to be stolen for > it to be foreseeable. That's not the issue. The issue is did the company take due care? Since the regulations like GLBA, HIPAA, SOX 404, and others are so incredibly vague, the courts look to other things like "best practices". One way of defining that is "are they doing what their peers are doing to protect data." The idea being the collective has a better idea of a best practice than an individual. Stupid, I know, but that is the way it is. The courts need to go somewhere for guidance. I really think the regulations are written in a vacuum. Ever read the technical requirements for HIPAA? I doubt that they had any IT input. I could think of a dozen ways that I would have reworded each passage so that it was more specific on the required functions while still being flexible enough for future use. But that's just me. From adam at homeport.org Tue Feb 21 11:35:45 2006 From: adam at homeport.org (Adam Shostack) Date: Tue, 21 Feb 2006 11:35:45 -0500 Subject: [Dataloss] [vanderaj@greebo.net: SF new column announcement: Strict liability for data breaches?]
In-Reply-To: References: <20060221005629.GA22379@homeport.org> Message-ID: <20060221163545.GD9439@homeport.org> On Tue, Feb 21, 2006 at 11:30:02AM -0500, Mike Fratto wrote: | On 2/20/06, Adam Shostack wrote: | > Interesting article. I wonder how many laptops need to be stolen for | > it to be foreseeable. | | That's not the issue. The issue is did the company take due care? | | Since the regulations like GLBA, HIPAA, SOX 404, and others are so | incredibly vague, the courts look to other things like "best | practices". One way of defining that is "are they doing what their | peers are doing to protect data." The idea being the collective has a | better idea of a best practice than an individual. Stupid, I know, but | that is the way it is. The courts need to go somewhere for guidance. Sure. Doesn't the standard of due care depend (in part) on foreseeability? Eg, a normal person should foresee that kids will come play in their pool. IANAL. Best practices also change quickly--from the introduction of radio to the time that a ship was expected to have a radio to avoid negligence wasn't all that long. | I really think the regulations are written in a vacuum. Ever read the | technical requirements for HIPAA? I doubt that they had any IT input. | I could think of a dozen ways that I would have reworded each passage | so that it was more specific on the required functions while still | being flexible enough for future use. But that's just me. Yes. From MariaParedes at financial.wellsfargo.com Tue Feb 21 11:59:54 2006 From: MariaParedes at financial.wellsfargo.com (MariaParedes at financial.wellsfargo.com) Date: Tue, 21 Feb 2006 10:59:54 -0600 Subject: [Dataloss] [vanderaj@greebo.net: SF new column announcement:Strict liability for data breaches?] Message-ID: I completely agree on having the IT community provide input on the technical aspects for each of those acts.
Ever since joining this list (less than a month), I've noticed a
pattern: the data breaches across the US and the world seem to be a
daily issue. Every time I read of another data loss, I question the
security and policies of these major corporations in whom so many
consumers trust their personal and financial information to. I believe
major changes need to happen in the data security arena and one of
those should be to empower (and inform) the billions of affected
individuals to take charge and follow suit for any company that
mishandles their information. After all, why would I want to trust a
company with my personal and/or financial data if they cannot assure
me that it will be protected as their most valuable asset?

María G Paredes
OS Analyst

"This message may contain confidential and/or privileged information.
If you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action based
on this message or any information herein. If you have received this
message in error, please advise the sender immediately by reply e-mail
and delete this message. Thank you for your cooperation".

"This message may contain confidential and/or privileged information.
If you are not the addressee or are not authorized to receive it on
behalf of the addressee, you may not use, copy, disclose, or take any
action based on this message or any information in it. If you have
received this message in error, please notify the sender immediately
by replying to this e-mail and delete this message. Thank you for your
cooperation."

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Adam Shostack
Sent: Tuesday, February 21, 2006 10:36 AM
To: Mike Fratto
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] [vanderaj at greebo.net: SF new column announcement:Strict liability for data breaches?]
On Tue, Feb 21, 2006 at 11:30:02AM -0500, Mike Fratto wrote:
| On 2/20/06, Adam Shostack wrote:
| > Interesting article. I wonder how many laptops need to be stolen for
| > it to be foreseeable.
|
| That's not the issue. The issue is did the company take due care?
|
| Since the regulations like GLBA, HIPAA, SOX 404, and others are so
| incredibly vague, the courts look to other things like "best
| practices". One way of defining that is "are they doing what their
| peers are doing to protect data." The idea being the collective has a
| better idea of a best practice than an individual. Stupid, I know, but
| that is the way it is. The courts need to go somewhere for guidance.

Sure. Doesn't the standard of due care depend (in part) on
foreseeability? Eg, a normal person should foresee that kids will come
play in their pool. IANAL.

Best practices also change quickly--from the introduction of radio to
the time that a ship was expected to have a radio to avoid negligence
wasn't all that long.

| I really think the regulations are written in a vacuum. Ever read the
| technical requirements for HIPAA? I doubt that they had any IT input.
| I could think of a dozen ways that I would have reworded each passage
| so that it was more specific on the required functions while still
| being flexible enough for future use. But that's just me.

Yes.

_______________________________________________
Dataloss mailing list
Dataloss at attrition.org
https://attrition.org/mailman/listinfo/dataloss

From blitz at strikenet.kicks-ass.net Tue Feb 21 12:45:25 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Tue, 21 Feb 2006 12:45:25 -0500
Subject: [Dataloss] [vanderaj@greebo.net: SF new column announcement: Strict liability for data breaches?]
In-Reply-To:
References: <20060221005629.GA22379@homeport.org>
Message-ID: <7.0.1.0.2.20060221124052.03d87e10@strikenet.kicks-ass.net>

The regs are written so as to maximize law-vulture profits after enactment.
EVERY rule enacted into law is done this way, being purposely vague,
until they ascertain where the profit can be milked from. At that
point, their income stream will be guaranteed by future amendments to
the rules to insure un-interrupted litigation and profit stream.

Did you ever think there was any other way? :-D

> I really think the regulations are written in a vacuum. Ever read the
> technical requirements for HIPAA? I doubt that they had any IT input.
> I could think of a dozen ways that I would have reworded each passage
> so that it was more specific on the required functions while still
> being flexible enough for future use. But that's just me.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From cwalsh at cwalsh.org Tue Feb 21 12:49:38 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 21 Feb 2006 11:49:38 -0600
Subject: [Dataloss] [vanderaj@greebo.net: SF new column announcement: Strict liability for data breaches?]
In-Reply-To: <20060221163545.GD9439@homeport.org>
References: <20060221005629.GA22379@homeport.org> <20060221163545.GD9439@homeport.org>
Message-ID: <20060221174937.GB25700@cwalsh.org>

On Tue, Feb 21, 2006 at 11:35:45AM -0500, Adam Shostack wrote:
>
> Sure. Doesn't the standard of due care depend (in part) on
> foreseeability? Eg, a normal person should foresee that kids will come
> play in their pool. IANAL.

Unencrypted PII as an attractive nuisance? I like! I like!
>:^)

Chris

From blitz at strikenet.kicks-ass.net Tue Feb 21 13:14:20 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Tue, 21 Feb 2006 13:14:20 -0500
Subject: [Dataloss] [vanderaj@greebo.net: SF new column announcement: Strict liability for data breaches?]
In-Reply-To: <20060221163545.GD9439@homeport.org>
References: <20060221005629.GA22379@homeport.org> <20060221163545.GD9439@homeport.org>
Message-ID: <7.0.1.0.2.20060221124558.03d37268@strikenet.kicks-ass.net>

RE: The radio analogy: That took one massive disaster with thousands
of lives lost. Those kinds of incidents seem to pique interest in
"getting it right", much the same as the disaster of 9.11 inspired
major changes to the building codes now used in regards to stairwell
design, fire-proofing and emergency procedures.

So far we haven't learned of a major disaster in dataloss of any great
magnitude, primarily (I would suppose) because

#1) they don't want us to know about it.

#2) Insurance they've bought covers it, and there's no incentive for
the insurance companies to reveal the magnitude or method of the
losses, lest they inspire someone else to use the same tact, or

#3) (Which is my favorite, most probable theory) They can simply charge
off to the consumers, the costs of losses, either in higher rates,
premiums, costs of insurance, etc. etc. etc. Which fleeces ALL equally,
giving them a way to profiteer off their losses. And since this is
particularly despicable, raping those that DO practice good, safe, best
practices, it's a thing they readily absorb, and jack up the rates
making everyone pay excessive amounts. This is the theory of auto
insurance, take the worst drivers, and rape everyone at a fraction of
their rates, and spread the costs over the base who do not drive bad.
This insures continued fleecing of the very worst drivers at
confiscatory rates, while a few dollars more from everyone adds up to
huge profits.
So until major dataloss incident, that can not be covered up, flows out
onto the street and people scream for preventive measures, don't hold
your breath. Something like a few billion being scammed by the Russian
mob doesn't even come close here. Hell, the US Housing and Urban
Development (HUD) took a $4 billion loss and nary batted an eyeball,
(like how many of us heard of it?) so if they're not blinking at a few
billion, what DOES constitute as a major incident?

Money doesn't seem to count, people's information is more sensitive by
far. Money doesn't make noise, people DO!

And rest assured, one of these days, some deep pockets organization
will do something horribly incompetent, and hundreds of thousands will
start a class action suit that will cripple them enough to cause
everyone else to rethink security from the ground up. We can all hope
that's the way it goes, because if we let the law-vultures have a go at
writing rules and regs, we're starting at the very rock bottom of
incompetency.

> Best practices also change quickly--from the introduction of radio to
> the time that a ship was expected to have a radio to avoid negligence
> wasn't all that long.

From blitz at strikenet.kicks-ass.net Tue Feb 21 13:16:48 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Tue, 21 Feb 2006 13:16:48 -0500
Subject: [Dataloss] Fwd: [ISN] Online Stores Are Caught In Jihad Web
Message-ID: <7.0.1.0.2.20060221131605.03d68458@macronet.net>

> http://news.tbo.com/news/metro/MGB47AQ4WJE.html
>
> By HOWARD ALTMAN
> haltman @ tampatrib.com
> Feb 20, 2006
>
> When Stacey Turmel placed an order online with Davida, an English
> motorcycle accessory company, she was looking for protective gear with
> style and comfort.
>
> But after plunking down $255 for a two-tone Deluxe Jet helmet, she
> found herself dragged into the shadowy world of global jihad.
>
> Turmel, a St. Petersburg lawyer, has learned that she was among
> several Davida customers whose personal and credit information was
> placed on a public Web site - 3asfh.net. The site, hosted temporarily
> by a Tampa-based Web-hosting company, has been used to exchange
> information on hacking by people waging war in the name of Islam.
>
> "It was scary to find out that jihadis had my personal information,"
> Turmel said.
>
> Her loss was modest. After checking records in the spring of 2002, she
> found several small charges she did not make - none more than $40, but
> other victims discovered attempts to charge more than $1,000.
>
> Investigators and Internet security experts say much more is at stake.
>
> Computer hackers - from wayward teens to organized crime syndicates to
> groups associated with al-Qaida - steal hundreds of billions of
> dollars every year. Hack attacks such as the one against Turmel are a
> key weapon of global jihad, experts say.
>
> One example is the 2002 explosion that killed more than 200 people at
> a nightclub in Bali, Indonesia. Computer security experts say Imam
> Samudra, the man behind the attack, financed it through credit card
> fraud.
>
> Turmel's experience tells the "central story" of jihadi hackers, said
> Alan Paller, director of research at the SANS Institute, a
> cybersecurity firm based near Washington that works with the National
> Security Agency, financial institutions and governments around the
> world.
>
> In a book Samudra wrote in jail, he "exhorts followers to 'learn to
> hack,'" Paller said.
>
> The book continues, "Not just because it makes more money in three to
> six hours than a policeman makes in six months, because it is how we
> can bring America and its cronies to its knees."
>
>
> Fragile Web
>
> Like Turmel and other customers, Davida's owner, David Fiddaman, was
> unaware of the jihadi activity.
>
> Sellers and buyers need to be more vigilant, say those charged with
> securing the Internet.
>
> Realizing the scope of the problem, the U.S. government is scrambling
> to catch up. The 2003 Information Operations Roadmap, a recently
> declassified, 74-page Department of Defense report, outlines methods
> for government agencies and military units - including Special
> Operations Command in Tampa - to attack enemy computer networks and
> deal with hacking attempts on U.S. systems.
>
> The Slammer worm, an intrusive computer program introduced in 2003 by
> unknown hackers, is an example of the Internet's vulnerability,
> according to a 2004 World Bank report.
>
> The report says, "Within 15 minutes after the Slammer was introduced,
> 27 million people in South Korea were left without cell phone or
> Internet access, five of the Internet's 13 root servers crashed,
> 300,000 cables in Portugal went dark, Continental Airlines had to
> cancel flights because it had no Internet access, the world's largest
> telecommunications provider was shut off, and 911 service in Seattle"
> was disrupted.
>
> The convenience of the Internet makes consumers prime targets, experts
> say.
>
> "Because of the porous nature of security in commerce and finance, and
> the prevalence of anonymity, it is very easy to siphon and steal
> funds," said Tom Kellerman, former senior risk management specialist
> for the World Bank and author of the 2004 report.
>
> Kellerman rattles off statistics driving home his point: $400 billion
> in losses around the world last year from cybercrime, nine out of 10
> businesses affected, identity theft hitting 19.3 million people in the
> United States.
>
> A good chunk of that theft - though no one knows how much - is by
> jihadi hackers, said Kellerman, who is chief knowledge officer and
> co-founder of the cybersecurity firm Cybrith LLC.
>
> Cybercrime is safer and easier than selling drugs, dealing in black
> market diamonds or robbing banks, he said.
>
> "In the underground and in chat rooms, these people are sharing
> information," Kellerman said. "The Internet is the wild, wild West.
> There is a community that shares tricks of the trade very freely."
>
> The Internet is "almost like a giant arms bazaar," said Kellerman,
> where users can download weapons to hack into financial institutions.
>
> "In this unregulated and wide-open space, they are facilitating the
> financing of terrorist acts," he said.
>
> The government and business communities are aware of the problems, but
> their solutions are lacking, Kellerman said.
>
> "A lot of people don't realize that until we build better castles and
> control cyberspace in a better fashion, we are not going to defeat
> terrorists' financing," he said. "The lack of security contributes to
> cybercrime, which contributes to terrorism. There is a direct link."
>
>
> Emotional Toll
>
> Kellerman's dour assessment is bad news for potential hacking victims.
> So, too, is a January report from the Javelin Strategy and Research
> firm, which concludes that although federal laws and credit card
> companies have done a good job of protecting consumers for
> out-of-pocket losses, it takes about 40 hours to clear up credit
> problems after they are discovered.
>
> "I don't think there is any question that we all lose when there is
> fraudulent use of this information," said Gerri Detwiler, president of
> the Sarasota-based Ultimate Credit Solutions Inc. "The new Harrison
> Ford movie, 'Firewall,' about a guy whose identity is stolen by
> thieves, will only add to the concern."
>
> Cybercrime is the FBI's third priority, behind counterterrorism and
> counterintelligence.
>
> "The network of cyberhackers is extensive, and we are working with our
> partners, international, state and local, every day," said FBI
> spokeswoman Cathy Milhoan, who could not comment specifically about
> problems faced by Turmel and other victims of 3asfh.
>
> Echoing advice from credit experts, Turmel urged consumer caution.
>
> "Look at your balances," she said. "Check those statements on a
> monthly basis. If there is anything you don't recognize, you need to
> follow up on it right away."
>

From blitz at strikenet.kicks-ass.net Tue Feb 21 13:31:06 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Tue, 21 Feb 2006 13:31:06 -0500
Subject: [Dataloss] Fwd: [ISN] Passwords Passé at RSA
Message-ID: <7.0.1.0.2.20060221133044.03d63f88@macronet.net>

>
> http://www.wired.com/news/technology/0,70234-0.html
>
> By Ryan Singel
> February 17, 2006
>
> SAN JOSE, California -- Identity theft and online bank fraud were the
> unofficial themes of the 2006 RSA Conference, a massive security
> confab where Bill Gates came to announce the imminent death of the
> password and vendors filled the exhibition halls with iPod giveaways
> and promises that their product could stop everything from spam and
> malware to hackers and typos.
>
> Thanks to a California law known as SB 1386 that requires companies to
> disclose sensitive data leaks to California consumers, companies like
> ChoicePoint and shoe retailer DSW became poster children for corporate
> negligence last year after mishandling sensitive data.
>
> In the wake of Senate hearings and investigations from federal
> regulators, corporations are beefing up security, both behind the
> scenes and at their virtual front doors. To find out how those changes
> will affect consumers in their daily online activities, Wired News
> surveyed the offerings of the over-250 security companies packed into
> RSA's exhibit hall, accompanied by cryptographer John Callas, who has
> been attending the conference since 1993.
>
> Callas is currently the CTO of PGP, the industry leader in encrypted
> communications and data storage.
>
> Perhaps the biggest change this year will be in online banking, as
> financial institutions move to comply with federal oversight agencies
> that are directing banks (.pdf) to secure their sites with more than
> just user logins and passwords.
>
> These extra fraud profiling and authentication measures are necessary,
> according to Callas, since the threats on the internet have changed.
>
> "Now we are not dealing with kids having fun," Callas said. "We are
> dealing with criminals -- the Russian mafia. And online banking risks
> are there if your bank offers it, even if you don't use it."
>
> E-trade, for instance, already offers free RSA security tokens to its
> most active users. Those battery-powered devices work by using a seed
> number and the current time to cryptographically generate a secure
> one-time code to complement the normal user login and password.
>
> But those gadgets aren't cheap and most people don't want multiple
> tokens or prefer not to carry them around. That's prompted newcomers
> to find alternative methods of performing "two factor" authentication.
>
> Callas likes PassMark Security's solution, which examines the device a
> user logs in from, looking for a number of factors including IP
> address and a secure cookie or Flash object the bank has previously
> stored on the machine, as the extra identification.
>
> Bank of America began offering the service in May 2005. Now a Bank of
> America customer logging in at the usual time from her usual machine
> will only need to enter the user name and password. But if that person
> is on a different machine using a different browser in a different
> time zone, for example, she will be presented with challenge questions
> that she answered when she signed up.
>
> Users could also be sent an additional one-time password by SMS text
> message or called on their cell phone by a machine using a synthetic
> voice to tell them an extra password.
>
> Additionally, PassMark helps keep users from entering passwords into
> fraud sites pretending to be their bank by displaying a unique image
> and caption, such as a sailboat labeled "Dream Boat," on the real
> site.
>
> The authentication back to the user is great, and can't easily be
> hacked without detection, according to Callas. And while it won't
> eliminate crime, it might be enough to persuade would-be fraudsters to
> go after a different bank, Callas said.
>
> "It is reasonably valuable if you can convince someone to steal from
> other people," Callas said.
>
> Another authentication method that caught Callas' attention was by
> BioPassword, a company that adds an extra layer of security by locking
> out users who don't type in a password with the same typing style as
> the original user.
>
> Callas says he's generally not bullish on biometrics like fingerprint
> readers for e-commerce, since, like credit card numbers, the data can
> be stolen.
>
> But he likes the typing rhythm idea, because unlike a fingerprint, the
> user can easily reset the system. "If you pick a new password then you
> will have a new rhythm," Callas said. "That's the disposable
> biometric."
>
> The system does have one side effect that may or may not be a bug,
> admits BioPassword vice president Dean Bravos. Users who have been
> drinking may not be able to log in.
>
> These two companies aren't the only ones trying to find ways to add
> extra authentication without requiring users to carry around security
> tokens.
>
> Conference organizer RSA Security, the undisputed leader in security
> tokens, recently acquired Cyota, which offers financial institutions
> methods to authenticate users based on their usage patterns.
> Cyota technology looks at such metrics as users' cookies and IP
> address, in combination with their transaction history -- so a
> middle-America soccer Mom sending $2,000 at 2:00 am to an account in
> Turkey might raise a red flag.
>
> Other new offerings from RSA Security include a browser toolbar that
> works like a security token, and software that can turn a mobile phone
> or a BlackBerry into a token.
>
> Even mostly invisible, behind-the-scenes authentication will help
> internet users feel safer, as banks and brokerage houses can now offer
> financial guarantees to their customers, according to Scott Young, the
> vice president of RSA/Cyota's consumer division.
>
> "A lot of us are familiar with the experience of getting a call from a
> credit-card company, saying, 'Hey, did you make this transaction?,'"
> Young said. "Even though we don't see that going on all the time, the
> reassurance of having someone check with us, even if it was us making
> that transaction, is really valuable.
>
> "Likewise, most of the time, consumers are not inconvenienced by
> (RSA/Cyota's) extra security but a decent percent will know, since
> they will have some interaction with the security system at some
> point, that they are being protected."

From Doc at dlnt04.fsa.usda.gov Tue Feb 21 18:43:08 2006
From: Doc at dlnt04.fsa.usda.gov (Doc)
Date: Tue, 21 Feb 2006 17:43:08 -0600
Subject: [Dataloss] [vanderaj@greebo.net: SF new column announcement: Strict liability for data breaches?]
In-Reply-To: <7.0.1.0.2.20060221124558.03d37268@strikenet.kicks-ass.net>
Message-ID: <000001c63740$92084d10$a50bdda5@aglo.one.usda.gov>

" So until major dataloss incident, that can not be covered up, flows
out onto the street and people scream for preventive measures, don't
hold your breath. Something like a few billion being scammed by the
Russian mob doesn't even come close here. Hell, the US Housing and
Urban Development (HUD) took a $4 billion loss and nary batted an
eyeball, (like how many of us heard of it?) so if they're not blinking
at a few billion, what DOES constitute as a major incident? "

Hmmm...millions of seniors living on Social Security getting 'hacked'
might constitute a major incident that would bring about change. But,
if it happens under this WH, all it will be seen as is an excuse to
scrap Social Security.

From mfratto at gmail.com Wed Feb 22 12:21:21 2006
From: mfratto at gmail.com (Mike Fratto)
Date: Wed, 22 Feb 2006 12:21:21 -0500
Subject: [Dataloss] [vanderaj@greebo.net: SF new column announcement:Strict liability for data breaches?]
In-Reply-To:
References:
Message-ID:

On 2/21/06, MariaParedes at financial.wellsfargo.com wrote:
> I completely agree on having the IT community provide input on the
> technical aspects for each of those acts.

So it sounds like there are enough people on this list with an interest
in making or seeing change. Well, let's do something about it. It's
your and my data that is at risk. We know what works with orgs, hit
them in the wallet or at least threaten to.

Let me express my ignorance on the US political machine, but how do you
go about effecting change in existing regulations or getting new ones
enacted?
I haven't heard boo from Congress about a federal notification law
(though there are several state ones) so I don't know what the status
is there, but I would like to see stiff penalties both civil and
criminal for PII data loss and I would like to see existing regulations
changed or new ones enacted that provide more clear guidance about
required security functionality.

mike

From rforno at infowarrior.org Wed Feb 22 10:02:45 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 22 Feb 2006 10:02:45 -0500
Subject: [Dataloss] Court says banks don't have to encrypt customer databases
Message-ID:

A Federal Court Rules That A Financial Institution Has No Duty To
Encrypt A Customer Database
By ERIC J. SINROD
----
Monday, Feb. 20, 2006
http://writ.news.findlaw.com/commentary/20060220_sinrod.html

In a legal decision that could have broad implications for financial
institutions, a court has ruled recently that a student loan company
was not negligent and did not have a duty under the Gramm-Leach-Bliley
statute to encrypt a customer database on a laptop computer that fell
into the wrong hands. Intrigued? Read on.

Stacey Lawton Guinn filed a federal lawsuit in Minnesota, claiming that
Brazos Higher Education Service Corporation, Inc. negligently permitted
an employee to maintain unencrypted, private customer data on a laptop
computer that ultimately was stolen from the employee's home.

The factual background leading up to the lawsuit goes like this.
Brazos, a company that originates and services student loans, has had
about 365 employees, including John Wright, a financial analyst for the
company. While Brazos is based in Texas, Wright has worked from his
home office in Maryland. As part of his work, Wright analyses loan
portfolios, including purchasing portfolios from other lending
institutions and purchasing bonds financed by student loan interest
payments.
Before he conducts a financial analysis, Wright has received an
electronic database from Brazos' finance department in Texas. When he
performs asset-liability management for Brazos, he has obtained
loan-level details, including customer personal information.

All is well and good, right? Wrong. In September, 2004, Wright's home
was the subject of a burglary and various items were stolen, including
the laptop issued by Brazos to Wright. Notwithstanding a police and
private investigation, the laptop never was recovered.

Brazos determined that Wright had received databases containing
personal information of borrowers seven different times before the
laptop was stolen. Because it was not clear which specific borrowers
had their personal information at risk due to the theft of the laptop,
Brazos sent a notification letter to all of its more than 500,000
customers.

Coming full circle back to Guin, who had acquired a student loan
through Brazos in August, 2002, received the notification letter and
contacted a Brazos call center to ask follow up questions. He then
tracked his credit status through various credit agencies, and as a
result, he was not apprised of any identity theft or other fraud
relating to his personal information. Indeed, according to Brazos, none
of its borrowers suffered any fraud as a consequence of the theft of
Wright's laptop.

Undeterred, Guin filed his federal lawsuit against Brazos, principally
claiming that Brazos had been negligent by not properly protecting his
personal information and by improperly delegating control of his
personal information to another (Wright). Guin asserted that he had
suffered out-of-pocket loss, emotional distress, and incidental
damages.

At the heart of Guin's lawsuit was the allegation that under the
Gramm-Leach-Bliley Act, Brazos had a heightened duty to protect
customer information, including the duty to make sure that personal
information on laptops be encrypted.
In response to Guin's lawsuit, Brazos filed a summary judgment motion.
By way of this motion, Brazos argued that Guin's case was so lacking in
merit that it should be dismissed without the need to even get to
trial. Judge Richard Kyle agreed with Brazos, granted the motion, and
dismissed Guin's lawsuit.

Significantly, while recognizing that Gramm-Leach-Bliley does require
financial institutions to protect against unauthorized access to
customer records, Judge Kyle held that the statute "does not prohibit
someone from working with sensitive data on a laptop computer in a
home office," and does not require that "any nonpublic personal
information stored on a laptop computer should be encrypted."

Financial institutions across America probably are applauding this
legal decision, and likely are breathing a sigh of relief knowing that
the bar has not been raised further in terms of the protective
measures they must take under Gramm-Leach-Bliley.

From blitz at strikenet.kicks-ass.net Wed Feb 22 05:02:52 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Wed, 22 Feb 2006 05:02:52 -0500
Subject: [Dataloss] [vanderaj@greebo.net: SF new column announcement: Strict liability for data breaches?]
In-Reply-To: <000001c63740$92084d10$a50bdda5@aglo.one.usda.gov>
References: <7.0.1.0.2.20060221124558.03d37268@strikenet.kicks-ass.net> <000001c63740$92084d10$a50bdda5@aglo.one.usda.gov>
Message-ID: <7.0.1.0.2.20060222045814.03d14350@strikenet.kicks-ass.net>

Not a chance of that happening, SS is the deadly third rail of
politics, and with so many baby-boomers retiring, it would be a death
sentence for ANY administration, and they all know it.

The idea of it being the incendiary issue setting off reform, yes, it
might just be the ticket, especially if it resulted in theft of
identities, and cash loss from banking accounts. There would be hell to
pay indeed!
At 18:43 2/21/2006, you wrote:
> " So until major dataloss incident, that can not be covered up,
> flows out onto the street and people scream for preventive
> measures, don't hold your breath. Something like a few billion
> being scammed by the Russian mob doesn't even come close here.
> Hell, the US Housing and Urban Development (HUD) took a $4 billion
> loss and nary batted an eyeball, (like how many of us heard of it?)
> so if they're not blinking at a few billion, what DOES constitute
> as a major incident? "
>
> Hmmm...millions of seniors living on Social Security getting
> 'hacked' might constitute a major incident that would bring about
> change. But, if it happens under this WH, all it will be seen as is
> an excuse to scrap Social Security.

From privacylaws at sbcglobal.net Wed Feb 22 14:01:46 2006
From: privacylaws at sbcglobal.net (Saundra Kae Rubel)
Date: Wed, 22 Feb 2006 11:01:46 -0800
Subject: [Dataloss] Federal Security Breach legislation
In-Reply-To:
Message-ID: <001101c637e2$6dfa61e0$220110ac@saundrad38b17a>

Hi

Here are all of the federal security breach bills currently in the
109th (see more at thomas.loc.gov)

 1. Consumer Data Security and Notification Act of 2005 (Introduced in House) [H.R.3140.IH]
 2. Personal Data Privacy and Security Act of 2005 (Reported in Senate) [S.1789.RS]
 3. Personal Data Privacy and Security Act of 2005 (Introduced in Senate) [S.1789.IS]
 4. Data Accountability and Trust Act (DATA) (Introduced in House) [H.R.4127.IH]
 5. Personal Data Privacy and Security Act of 2005 (Placed on Calendar in Senate) [S.1332.PCS]
 6. Identity Theft Protection Act (Introduced in Senate) [S.1408.IS]
 7.
Notification of Risk to Personal Data Act (Introduced in Senate)[S.751.IS] 8 . Consumer Access Rights Defense Act (CARD) of 2005 (Introduced in House)[H.R.3501.IH] 9 . Consumer Notification and Financial Data Protection Act of 2005 (Introduced in House)[H.R.3374.IH] 10 . Identity Theft Protection Act (Reported in Senate)[S.1408.RS] 11 . Notification of Risk to Personal Data Act (Introduced in Senate)[S.115.IS] 12 . Notification of Risk to Personal Data Act (Introduced in Senate)[S.1326.IS] 13 . Notification of Risk to Personal Data Act (Reported in Senate)[S.1326.RS] 14 . Notification of Risk to Personal Data Act (Introduced in House)[H.R.1069.IH] 15 . Financial Data Security Act of 2005 (Introduced in House)[H.R.3375.IH] 16 . Financial Services Regulatory Relief Act of 2005 (Reported in House)[H.R.3505.RH2] I haven't heard boo from Congress about a federal notification law (though there are several state ones) so I don't know what the status is there, .. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20060222/6923bf7b/attachment.html From halbertt at gmail.com Wed Feb 22 16:49:53 2006 From: halbertt at gmail.com (Halbert Thomas) Date: Wed, 22 Feb 2006 16:49:53 -0500 Subject: [Dataloss] Federal Security Breach legislation In-Reply-To: <001101c637e2$6dfa61e0$220110ac@saundrad38b17a> References: <001101c637e2$6dfa61e0$220110ac@saundrad38b17a> Message-ID: Ohio recently passed a bill that requires that subjects be notified of data loss whenever it poses risk of identity theft. It is HB 104 in the 126th Session. Took effect on 2/16. 
Here is the summary:

    require a state agency, an agency of a political subdivision, or a person, including a business entity that does business in Ohio, to contact individuals residing in Ohio if unencrypted or unredacted personal information about those individuals that is included in computerized data owned or licensed by the agency, person, or business entity is accessed and acquired by unauthorized persons and causes or reasonably is believed will create a material risk of the commission of the offense of identity fraud or other fraud to the individual, and to authorize the Attorney General to investigate and enforce compliance with the requirements.

It can be viewed here: http://www.legislature.state.oh.us/bills.cfm?ID=126_HB_0104

Halbert

On 2/22/06, Saundra Kae Rubel wrote:
> I haven't heard boo from Congress about a federal
> notification law (though there are several state ones) so I don't know
> what the status is there...

--
Halbert Thomas

From lyger at attrition.org Wed Feb 22 20:32:24 2006
From: lyger at attrition.org (lyger)
Date: Wed, 22 Feb 2006 20:32:24 -0500 (EST)
Subject: [Dataloss] Federal Security Breach legislation (fwd)

Date: Wed, 22 Feb 2006 15:49:53 -0800
From: Beth Givens
Subject: Re: [Dataloss] Federal Security Breach legislation

This web page lists all the state-level security breach laws now in effect in the U.S.:

Security breach notice laws:
www.consumersunion.org/campaigns/Breach_laws_May05.pdf

And visit the PIRG site here:
www.pirg.org/consumer/credit/statelaws.htm.

Beth

> Ohio recently passed a bill that requires that
> subjects be notified of data loss whenever it
> poses risk of identity theft. It is HB 104 in
> the 126th Session. Took effect on 2/16.
> Here is the summary:
>
> require a state agency, an agency of a political
> subdivision, or a person, including a business
> entity that does business in Ohio, to contact
> individuals residing in Ohio if unencrypted or
> unredacted personal information about those
> individuals that is included in computerized
> data owned or licensed by the agency, person, or
> business entity is accessed and acquired by
> unauthorized persons and causes or reasonably is
> believed will create a material risk of the
> commission of the offense of identity fraud or
> other fraud to the individual, and to authorize
> the Attorney General to investigate and enforce
> compliance with the requirements.
>
> It can be viewed here:
> http://www.legislature.state.oh.us/bills.cfm?ID=126_HB_0104
>
> Halbert
>
> On 2/22/06, Saundra Kae Rubel <privacylaws at sbcglobal.net> wrote:
> > I haven't heard boo from Congress about a federal
> > notification law (though there are several state ones) so I don't know
> > what the status is there...

The information, advice, and suggestions contained in this email should be used as an information source and not as legal advice.

Beth Givens, Director
Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
San Diego, CA 92103
Voice: 619-298-3396
Fax: 619-298-5681
bgivens at privacyrights.org
http://www.privacyrights.org
+++++++++++++++++++++++++++++++++++++
Join our email newsletter.
http://www.privacyrights.org/subscribe.html

From lyger at attrition.org Wed Feb 22 21:12:07 2006
From: lyger at attrition.org (lyger)
Date: Wed, 22 Feb 2006 21:12:07 -0500 (EST)
Subject: [Dataloss] (fwd) Convicted Acxiom Data Thief Gets Eight Years (fwd)

Forwarded from another mail list:

Date: Thu, 23 Feb 2006 02:04:08 GMT
Subject: [funsec] Convicted Acxiom Data Thief Gets Eight Years

Via C|Net News.
[snip]

A bulk e-mailer who looted more than a billion records with personal information from a data warehouse has been sentenced to eight years in prison, federal prosecutors said Wednesday.

Scott Levine, 46, was sentenced by a federal judge in Little Rock, Ark., after being found guilty of breaking into Acxiom's servers and downloading gigabytes of data in what the U.S. Justice Department calls one of the largest data heists to date.

Acxiom, based in Little Rock, says it operates the world's largest repository of consumer data, and counts major banks, credit card companies and the U.S. government among its customers.

[snip]

More:
http://news.com.com/2100-7348_3-6042290.html

From lyger at attrition.org Thu Feb 23 14:56:48 2006
From: lyger at attrition.org (lyger)
Date: Thu, 23 Feb 2006 14:56:48 -0500 (EST)
Subject: [Dataloss] Oops: Auditor Loses McAfee Employee Data (fwd)

---------- Forwarded message ----------
Date: Thu, 23 Feb 2006 19:49:42 GMT
Subject: Oops: Auditor Loses McAfee Employee Data

Via C|Net News.

[snip]

An external auditor lost a CD with information on thousands of current and former McAfee employees, putting them at risk of identity fraud.

The disc was lost on Dec. 15 by Deloitte & Touche USA, McAfee spokeswoman Siobhan MacDermott said Thursday. The Santa Clara, Calif.-based security software company was first notified on Jan. 11, and on Jan. 30, it received particulars of the data that may have been on the CD, MacDermott said.

The disc contained personal details on all current U.S. and Canadian McAfee workers hired prior to April 2005 and on about 6,000 former employees in the same region, MacDermott said. (The security company currently has approximately 3,290 employees worldwide.) The information wasn't encrypted and potentially includes names, social security numbers and stock holdings in McAfee.

[snip]

More:
http://news.com.com/2100-1029_3-6042544.html

From cwalsh at cwalsh.org Thu Feb 23 15:20:37 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 23 Feb 2006 14:20:37 -0600
Subject: [Dataloss] Oops: Auditor Loses McAfee Employee Data (fwd)
Message-ID: <20060223202036.GE31124@cwalsh.org>

It took Deloitte practically 3 weeks to figure out what was on the CD? I don't want to see that consultant's dry-cleaning bill. :^)

Here's an idea. If you are a publicly-traded firm, TELL your external auditors that they have to keep your data on encrypted media. If they give you a line of BS about it, have the head of your audit committee call the managing partner at your external auditor. The problem will magically go away, and it will take one phone call.

Why firms allow themselves to be bullied by those they engage for professional services mystifies me. (yes, I know switching costs are huge...)

Chris

On Thu, Feb 23, 2006 at 02:56:48PM -0500, lyger wrote:
>
> ---------- Forwarded message ----------
> Date: Thu, 23 Feb 2006 19:49:42 GMT
> Subject: Oops: Auditor Loses McAfee Employee Data
>
> Via C|Net News.
>
> [snip]
>
> An external auditor lost a CD with information on thousands of current and
> former McAfee employees, putting them at risk of identity fraud.
>
> The disc was lost on Dec. 15 by Deloitte & Touche USA, McAfee spokeswoman
> Siobhan MacDermott said Thursday. The Santa Clara, Calif.-based security
> software company was first notified on Jan. 11, and on Jan. 30, it received
> particulars of the data that may have been on the CD, MacDermott said.
>
> The disc contained personal details on all current U.S. and Canadian McAfee
> workers hired prior to April 2005 and on about 6,000 former employees in the
> same region, MacDermott said. (The security company currently has approximately
> 3,290 employees worldwide.) The information wasn't encrypted and potentially
> includes names, social security numbers and stock holdings in McAfee.
>
> [snip]
>
> More:
> http://news.com.com/2100-1029_3-6042544.html
>
> _______________________________________________
> Dataloss mailing list
> Dataloss at attrition.org
> https://attrition.org/mailman/listinfo/dataloss

From lyger at attrition.org Thu Feb 23 17:59:55 2006
From: lyger at attrition.org (lyger)
Date: Thu, 23 Feb 2006 17:59:55 -0500 (EST)
Subject: [Dataloss] CardSystems Settles FTC Charges

http://www.ftc.gov/opa/2006/02/cardsystems_r.htm

In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.

[...]

From adrian.sanabria at gmail.com Thu Feb 23 21:06:48 2006
From: adrian.sanabria at gmail.com (Adrian Sanabria)
Date: Thu, 23 Feb 2006 21:06:48 -0500
Subject: [Dataloss] CardSystems Settles FTC Charges

That doesn't make sense, unless I'm missing something...

VISA's PCI requirements require ANNUAL audits by an external auditor already. So what good are the FTC's requirements if more stringent ones were already in place by VISA?

Why not just require this of all companies handling large amounts of sensitive financial data?

It is too little, too late, and the FTC is missing a big opportunity to make a real difference. Everyone surprised?
On 2/23/06, lyger wrote:
>
> http://www.ftc.gov/opa/2006/02/cardsystems_r.htm
>
> In the largest known compromise of financial data to date, CardSystems
> Solutions, Inc. and its successor, Solidus Networks, Inc., doing business
> as Pay By Touch Solutions, have agreed to settle Federal Trade Commission
> charges that CardSystems' failure to take appropriate security measures to
> protect the sensitive information of tens of millions of consumers was an
> unfair practice that violated federal law. According to the FTC, the
> security breach resulted in millions of dollars in fraudulent purchases.
> The settlement will require CardSystems and Pay By Touch to implement a
> comprehensive information security program and obtain audits by an
> independent third-party security professional every other year for 20
> years.
>
> [...]

From lyger at attrition.org Thu Feb 23 21:17:40 2006
From: lyger at attrition.org (lyger)
Date: Thu, 23 Feb 2006 21:17:40 -0500 (EST)
Subject: [Dataloss] CardSystems Settles FTC Charges

In the case of CardSystems and their new companies, it might be because VISA is no longer doing business with them?

http://attrition.org/errata/dataloss/cardsystems04.html

What surprises me is that ChoicePoint was hit with a $15 million settlement and CardSystems, which was a much larger breach in terms of people affected, only has to "implement a comprehensive security program" and undergo ten audits over the next twenty years.

On Thu, 23 Feb 2006, Adrian Sanabria wrote:

": " That doesn't make sense, unless I'm missing something...
": "
": " VISA's PCI requirements require ANNUAL audits by an external auditor
": " already. So what good are the FTC's requirements if more stringent
": " ones were already in place by VISA?
": "
": " Why not just require this of all companies handling large amounts of
": " sensitive financial data?
": "
": " It is too little, too late, and the FTC is missing a big opportunity
": " to make a real difference. Everyone surprised?

From adam at homeport.org Thu Feb 23 21:16:20 2006
From: adam at homeport.org (Adam Shostack)
Date: Thu, 23 Feb 2006 21:16:20 -0500
Subject: [Dataloss] CardSystems Settles FTC Charges
Message-ID: <20060224021620.GC27646@homeport.org>

Shocked, shocked to discover. See also http://www.emergentchaos.com/archives/002483.html

On Thu, Feb 23, 2006 at 09:06:48PM -0500, Adrian Sanabria wrote:
| It is too little, too late, and the FTC is missing a big opportunity
| to make a real difference. Everyone surprised?
|
|
| On 2/23/06, lyger wrote:
| >
| > http://www.ftc.gov/opa/2006/02/cardsystems_r.htm
| >
| > In the largest known compromise of financial data to date, CardSystems
| > Solutions, Inc. and its successor, Solidus Networks, Inc., doing business
| > as Pay By Touch Solutions, have agreed to settle Federal Trade Commission
| > charges that CardSystems' failure to take appropriate security measures to
| > protect the sensitive information of tens of millions of consumers was an
| > unfair practice that violated federal law. According to the FTC, the
| > security breach resulted in millions of dollars in fraudulent purchases.
| > The settlement will require CardSystems and Pay By Touch to implement a
| > comprehensive information security program and obtain audits by an
| > independent third-party security professional every other year for 20
| > years.
| >
| > [...]

From hobbit at avian.org Thu Feb 23 21:08:48 2006
From: hobbit at avian.org (*Hobbit*)
Date: Fri, 24 Feb 2006 02:08:48 +0000 (GMT)
Subject: [Dataloss] semi-OT: OTP(urchase)
Message-ID: <20060224020848.3842CC305@relayer.avian.org>

Does anyone have good pointers to where one could go for more info on MBNA ShopSafe, or whatever one-time mechanism AMEX is/was offering, or any other currently working schemes to generate a unique one-time credit-card-number equivalent per transaction? Or even per vendor, that I've heard somewhere is also possible?

I'm at complete ground zero WRT any knowledge of this stuff, but it sounds like the folks here might be up on these things. Probably best to reply privately and I can summarize later if folks want.

tnx

_H*

From cwalsh at cwalsh.org Thu Feb 23 22:30:52 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 23 Feb 2006 21:30:52 -0600
Subject: [Dataloss] CardSystems Settles FTC Charges

Interesting that Pay By Touch (which now owns Cardsystems) says (http://www.paybytouchpaymentsolutions.com/about.html) that they are "VISA Cardholder Information Security Program (CISP) Compliant", but VISA's list of CISP compliant service providers (http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_List_of_CISP_Compliant_Service_Providers.pdf), dated 2/1/2006, includes neither CardSystems nor Pay By Touch.

The PCI Data Security Standard is one MasterCard and VISA require adherence to, and it mandates on-site assessments for processors as large as Cardsystems.
I specifically remember Amex and Visa dropping Cardsystems, but I do not have a similar memory for MasterCard. Unfortunately, I cannot find a list of MasterCard's approved processors, analogous to the VISA list above.

On Feb 23, 2006, at 8:17 PM, lyger wrote:
>
> In the case of CardSystems and their new companies, it might be because
> VISA is no longer doing business with them?
>
> http://attrition.org/errata/dataloss/cardsystems04.html

From ejellenc at idefense.com Fri Feb 24 11:05:11 2006
From: ejellenc at idefense.com (Jellenc, Eli)
Date: Fri, 24 Feb 2006 11:05:11 -0500
Subject: [Dataloss] [Re] Hobbit's questions on one-time transaction numbers...
Message-ID: <2464C1CDB0140943A6D7BA05E91D4654915EB5@Dul1wnexmb04.vcorp.ad.vrsn.com>

I've not heard much about this, but then again, I've only begun researching the issue. I have an additional comment that I'd like to submit to the group for criticism. I know a lot of people that play online poker, some of whom are also cognizant of the dangers inherent to ecommerce. All but the very greenest of rookies tend to employ the following strategy: go to a local pharmacy and purchase a "pay as you go" credit card (currently offered only by VISA and MC if I'm not mistaken). When they get ready to connect to the poker site and ante up, they simply transfer funds from their "real" account or credit card into the "pay as you go" card...in a matter of minutes, even this amount is "spoken for" as they immediately use the card to increase their balance on the poker site.

The one drawback is that the "pay as you go" cards are $10 apiece to buy, but for people seriously worried about the threat from data exposure, I don't see how this is any great sacrifice. And the intervening step of calling to make the transfer is sort of inconvenient, especially for people that make frequent purchases from many different sites. This is no panacea, to be sure...to publicize this as a method by which to thwart cybercriminals would be quite costly and difficult. Moreover, I have the impression that the credit card companies would be against this because it would begin to undercut their primary avenue of profit (i.e. interest). Heaven forbid people only spend what they have in their accounts at the moment.

Either way, except for the cost of "educating" the public on the potential utility of this solution, I don't see many drawbacks. And what drawbacks do exist are still not as serious as the situation is today.

Thoughts?

Eli Jellenc
Sr. Threat Analyst
iDefense (www.idefense.com) -- A VeriSign Company
703-390-9456
ejellenc at idefense.com

From cwalsh at cwalsh.org Fri Feb 24 22:58:31 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 24 Feb 2006 21:58:31 -0600
Subject: [Dataloss] Breach resource page
Message-ID: <28FCCCBD-847E-41FC-A3D1-59B6448CFFCA@cwalsh.org>

Folks:

I've put together a small set of web pages containing links to current and pending legislation, breach listings, various on-line resources, and so on. There is probably not much there that is new to this list, but the fact that it is in one place may be helpful.

The URL is http://www.cwalsh.org/BreachInfo/

I am clearly not a web designer (nor do I play one on TV!), but I wanted to play around with iWeb, so there you have it. I'd be happy to hear any feedback.
Chris

From adrian.sanabria at gmail.com Fri Feb 24 23:12:09 2006
From: adrian.sanabria at gmail.com (Adrian Sanabria)
Date: Fri, 24 Feb 2006 23:12:09 -0500
Subject: [Dataloss] semi-OT: OTP(urchase)
In-Reply-To: <20060224020848.3842CC305@relayer.avian.org>
References: <20060224020848.3842CC305@relayer.avian.org>

If there is such a thing, I can't see it being anything more than just an idea at this point. For such a system to work, the back-end transaction processors would have to support it, and I know the products the larger ones support, and none of them feature a use-once-and-throw-away number.

On 2/23/06, *Hobbit* wrote:
> Does anyone have good pointers to where one could go for more
> info on MBNA ShopSafe, or whatever one-time mechanism AMEX
> is/was offering, or any other currently working schemes to
> generate a unique one-time credit-card-number equivalent per
> transaction? Or even per vendor, that I've heard somewhere
> is also possible?
>
> I'm at complete ground zero WRT any knowledge of this stuff,
> but it sounds like the folks here might be up on these things.
> Probably best to reply privately and I can summarize later
> if folks want.
>
> tnx
>
> _H*

From adrian.sanabria at gmail.com Fri Feb 24 23:17:07 2006
From: adrian.sanabria at gmail.com (Adrian Sanabria)
Date: Fri, 24 Feb 2006 23:17:07 -0500
Subject: [Dataloss] Breach resource page
In-Reply-To: <28FCCCBD-847E-41FC-A3D1-59B6448CFFCA@cwalsh.org>
References: <28FCCCBD-847E-41FC-A3D1-59B6448CFFCA@cwalsh.org>

The design and content aren't bad. The images though are killing it. It took me a few minutes to load the front page because the picture of that vault is so large (half a MB), and I assume you're running the site off your DSL/cable, so you don't have a lot of bandwidth. Just compress those JPEGs a bit, and you're good to go IMHO.

On 2/24/06, Chris Walsh wrote:
> Folks:
>
> I've put together a small set of web pages containing links to
> current and pending legislation, breach listings, various on-line
> resources, and so on.
> There is probably not much there that is new to this list, but the
> fact that it is in one place may be helpful.
>
> The URL is http://www.cwalsh.org/BreachInfo/
>
> I am clearly not a web designer (nor do I play one on TV!), but I
> wanted to play around with iWeb, so there you have it. I'd be happy
> to hear any feedback.
>
> Chris

From adrian.sanabria at gmail.com Fri Feb 24 23:31:53 2006
From: adrian.sanabria at gmail.com (Adrian Sanabria)
Date: Fri, 24 Feb 2006 23:31:53 -0500
Subject: [Dataloss] [Re] Hobbit's questions on one-time transaction numbers...
In-Reply-To: <2464C1CDB0140943A6D7BA05E91D4654915EB5@Dul1wnexmb04.vcorp.ad.vrsn.com>
References: <2464C1CDB0140943A6D7BA05E91D4654915EB5@Dul1wnexmb04.vcorp.ad.vrsn.com>

I can't find any proof that cards with one time transaction numbers exist. There are cards that can be preloaded with cash, like the VISA Buxx that is marketed towards parents that want to control their teens' spending.

But the number on the card never changes, and is just as vulnerable as any other. The only advantage is that, if stolen, only the remaining balance can be used. Nothing can be charged as credit by the thief.

On 2/24/06, Jellenc, Eli wrote:
>
> I've not heard much about this, but then again, I've only begun researching
> the issue. I have an additional comment that I'd like to submit to the group
> for criticism. I know a lot of people that play online poker, some of whom
> are also cognizant of the dangers inherent to ecommerce.
> All but the very
> greenest of rookies tend to employ the following strategy: go to a local
> pharmacy and purchase a "pay as you go" credit card (currently offered only
> by VISA and MC if I'm not mistaken). When they get ready to connect to the
> poker site and ante up, they simply transfer funds from their "real" account
> or credit card into the "pay as you go" card...in a matter of minutes, even
> this amount is "spoken for" as they immediately use the card to increase
> their balance on the poker site.
>
> The one drawback is that the "pay as you go" cards are $10 apiece to buy,
> but for people seriously worried about the threat from data exposure, I
> don't see how this is any great sacrifice. And the intervening step of
> calling to make the transfer is sort of inconvenient, especially for people
> that make frequent purchases from many different sites. This is no panacea,
> to be sure...to publicize this as a method by which to thwart cybercriminals
> would be quite costly and difficult. Moreover, I have the impression that
> the credit card companies would be against this because it would begin to
> undercut their primary avenue of profit (i.e. interest). Heaven forbid
> people only spend what they have in their accounts at the moment.
>
> Either way, except for the cost of "educating" the public on the potential
> utility of this solution, I don't see many drawbacks. And what drawbacks do
> exist are still not as serious as the situation is today.
>
> Thoughts?
>
> Eli Jellenc
> Sr. Threat Analyst
> iDefense (www.idefense.com) -- A VeriSign Company
> 703-390-9456
> ejellenc at idefense.com

From rkholmes at gmail.com Fri Feb 24 23:35:16 2006
From: rkholmes at gmail.com (Rob Holmes)
Date: Fri, 24 Feb 2006 20:35:16 -0800
Subject: [Dataloss] Providence Home Services - 3 employees resign - 1 fired
Message-ID: <55bfbe200602242035x223c088fu772c484b9fea5970@mail.gmail.com>

Greetings,

I wanted to share some breaking news regarding the Providence Home Services data loss. Today Providence announced three employees resigned and 1 was fired as a result of the investigation surrounding the loss of the backup media from the IT employee's vehicle.

Linkage

http://www.kgw.com/news-local/stories/kgw_022606_news_providence_firings.5d10b67b.html
(free sign up required)

The exact story re-produced on my site with no sign-up required to view
http://providenceidentitytheft.com/article.php?story=20060224232746923

Thanks

Rob

From jmiller at securespace.org Fri Feb 24 23:52:41 2006
From: jmiller at securespace.org (Jon Miller)
Date: Fri, 24 Feb 2006 23:52:41 -0500
Subject: [Dataloss] Breach resource page
In-Reply-To: <28FCCCBD-847E-41FC-A3D1-59B6448CFFCA@cwalsh.org>
References: <28FCCCBD-847E-41FC-A3D1-59B6448CFFCA@cwalsh.org>
Message-ID: <76B16558-F868-400E-9195-5ACFC6327C88@securespace.org>

Nice job Chris! Having this in one spot is indeed useful...

---
Jon Miller, CISSP, GSEC, CISM
Chief Information Security Officer
The City of New York, HRA

On Feb 24, 2006, at 10:58 PM, Chris Walsh wrote:

> Folks:
>
> I've put together a small set of web pages containing links to current and pending legislation, breach listings, various on-line resources, and so on. There is probably not much there that is new to this list, but the fact that it is in one place may be helpful.
> The URL is http://www.cwalsh.org/BreachInfo/
>
> I am clearly not a web designer (nor do I play one on TV!), but I wanted to play around with iWeb, so there you have it. I'd be happy to hear any feedback.
>
> Chris

From cwalsh at cwalsh.org Sat Feb 25 00:23:17 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 24 Feb 2006 23:23:17 -0600
Subject: [Dataloss] [Re] Hobbit's questions on one-time transaction numbers...
References: <2464C1CDB0140943A6D7BA05E91D4654915EB5@Dul1wnexmb04.vcorp.ad.vrsn.com>
Message-ID: <98FB4830-9FF4-4280-9D76-ACA98763FA6D@cwalsh.org>

They existED. Not sure of their current status.

Hobbit: I emailed the following last nite, but got a 550 from your smtp daemon.

> I think MBNA used Orbiscom's ControlPay. Cyota (now owned by RSA) had a
> similar solution called SecureClick. Info I could find via google is sparse,
> http://specials.ft.com/ftit/sept2001/FT3D4SI86RC.html is about the best I
> found :^(. I DK about the per-vendor stuff at all.

The 550 was my fault, and is now fixed, but since this Q seems to have some general interest....

Chris

On Feb 24, 2006, at 10:31 PM, Adrian Sanabria wrote:
> I can't find any proof that cards with one time transaction numbers
> exist. There are cards that can be preloaded with cash, like the VISA
> Buxx that is marketed towards parents that want to control their
> teens' spending.
>
> But the number on the card never changes, and is just as vulnerable as
> any other. The only advantage is that, if stolen, only the remaining
> balance can be used. Nothing can be charged as credit by the thief.

From cwalsh at cwalsh.org Sat Feb 25 10:57:48 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sat, 25 Feb 2006 09:57:48 -0600
Subject: [Dataloss] Oops: Auditor Loses McAfee Employee Data (fwd)
Message-ID: <6A1F4302-412A-4257-8054-EC47B18AACDB@cwalsh.org>

Meanwhile, Ernst and Young had a similar problem, including losing the info for a client CEO (Sun's Scott McNealy).

http://www.theregister.co.uk/2006/02/25/ernst_young_mcnealy/

Chris

On Feb 23, 2006, at 1:56 PM, lyger wrote:
>
> ---------- Forwarded message ----------
> Date: Thu, 23 Feb 2006 19:49:42 GMT
> Subject: Oops: Auditor Loses McAfee Employee Data
>
> Via C|Net News.
>
> [snip]
>
> An external auditor lost a CD with information on thousands of
> current and
> former McAfee employees, putting them at risk of identity fraud.

From gbroiles at gmail.com Sat Feb 25 02:38:15 2006
From: gbroiles at gmail.com (Greg Broiles)
Date: Fri, 24 Feb 2006 23:38:15 -0800
Subject: [Dataloss] [Re] Hobbit's questions on one-time transaction numbers...
In-Reply-To: <98FB4830-9FF4-4280-9D76-ACA98763FA6D@cwalsh.org>
References: <2464C1CDB0140943A6D7BA05E91D4654915EB5@Dul1wnexmb04.vcorp.ad.vrsn.com> <98FB4830-9FF4-4280-9D76-ACA98763FA6D@cwalsh.org>
Message-ID: <4918801a0602242338p3c5c5294u3df07075b382adf0@mail.gmail.com>

On 2/24/06, Chris Walsh wrote:
> They existED. Not sure of their current status.

MBNA's "ShopSafe" program is still operational - I have used it within the past few months, and it appears ready to assign a new number right now if I want one. The technology is apparently licensed from Orbiscom and is known as "ControlPay CPN (Controlled Payment Numbers)".

--
Greg Broiles, JD, LLM Tax, EA
gbroiles at gmail.com (Lists only. Not for confidential communications.)
Law Office of Gregory A. Broiles
San Jose, CA

From adam at homeport.org Sat Feb 25 12:14:07 2006
From: adam at homeport.org (Adam Shostack)
Date: Sat, 25 Feb 2006 12:14:07 -0500
Subject: [Dataloss] Providence Home Services - 3 employees resign - 1 fired
In-Reply-To: <55bfbe200602242035x223c088fu772c484b9fea5970@mail.gmail.com>
References: <55bfbe200602242035x223c088fu772c484b9fea5970@mail.gmail.com>
Message-ID: <20060225171407.GA12466@homeport.org>

Hi Rob,

Any word on the seniority of the people involved?
Adam

On Fri, Feb 24, 2006 at 08:35:16PM -0800, Rob Holmes wrote:
| Greetings,
|
| I wanted to share some breaking news regarding the Providence Home
| Services data loss. Today Providence announced three employees
| resigned and 1 was fired as a result of the investigation surrounding
| the loss of the backup media from the IT employee's vehicle.
|
| Linkage
|
| http://www.kgw.com/news-local/stories/kgw_022606_news_providence_firings.5d10b67b.html
| (free sign up required)
|
| The exact story re-produced on my site with no sign-up required to view
| http://providenceidentitytheft.com/article.php?story=20060224232746923
|
| Thanks
|
| Rob

From jericho at attrition.org Sat Feb 25 12:21:03 2006
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 25 Feb 2006 12:21:03 -0500 (EST)
Subject: [Dataloss] Oops: Auditor Loses McAfee Employee Data (fwd)
In-Reply-To: <6A1F4302-412A-4257-8054-EC47B18AACDB@cwalsh.org>
References: <6A1F4302-412A-4257-8054-EC47B18AACDB@cwalsh.org>

: Meanwhile, Ernst and Young had a similar problem, including losing the
: info for a client CEO (Sun's Scott McNealy).
:
: http://www.theregister.co.uk/2006/02/25/ernst_young_mcnealy/

The article touches on the most amusing part:

    Then again, the accounting firm could just stick with the "You have no privacy. Get over it" line.

This was said and widely discussed (laughed about) back in Jan of 1999 by Scott McNealy to reporters and analysts. It's a bit ironic that he would bring this incident up when talking about security. I sure hope someone in the audience shouted out his infamous quote.
From rkholmes at gmail.com Sat Feb 25 12:24:42 2006
From: rkholmes at gmail.com (Rob Holmes)
Date: Sat, 25 Feb 2006 09:24:42 -0800
Subject: [Dataloss] Providence Home Services - 3 employees resign - 1 fired
In-Reply-To: <20060225171407.GA12466@homeport.org>
References: <55bfbe200602242035x223c088fu772c484b9fea5970@mail.gmail.com> <20060225171407.GA12466@homeport.org>
Message-ID: <55bfbe200602250924s51c8f58ap1164ecec1d971fc8@mail.gmail.com>

Greetings,

Providence isn't talking. However, I have an open line of communication with the law office handling the class action suit. I will be talking to my contact person there to see if they know anything. I will definitely post to the list as more information is received.

Rob

On 2/25/06, Adam Shostack wrote:
> Hi Rob,
>
> Any word on the seniority of the people involved?
>
> Adam
>
> On Fri, Feb 24, 2006 at 08:35:16PM -0800, Rob Holmes wrote:
> | Greetings,
> |
> | I wanted to share some breaking news regarding the Providence Home
> | Services data loss. Today Providence announced three employees
> | resigned and 1 was fired as a result of the investigation surrounding
> | the loss of the backup media from the IT employee's vehicle.
> |
> | Linkage
> |
> | http://www.kgw.com/news-local/stories/kgw_022606_news_providence_firings.5d10b67b.html
> | ( free sign up required)
> |
> | The exact story re-produced on my site with no sign-up required to view
> | http://providenceidentitytheft.com/article.php?story=20060224232746923
> |
> | Thanks
> |
> | Rob
>

From iwan.sicalm at gmail.com Sat Feb 25 09:39:33 2006
From: iwan.sicalm at gmail.com (Shopsafe User)
Date: Sat, 25 Feb 2006 09:39:33 -0500
Subject: [Dataloss] Re: Hobbit's questions on MBNA Shopsafe, Citibank Virtual Account Numbers - The FAQ's
Message-ID:

What is ShopSafe?
ShopSafe is a new upgrade to your existing NetAccess Service. The service allows you to create a unique, temporary card number each time you're ready to make an online purchase. This number links directly to your real credit card account number but keeps your card number completely private and completely protected. The ShopSafe number is used just like any other credit card - a merchant never knows it's not your real credit card.

How do I access the ShopSafe service?

Access from your desktop?

If you have downloaded ShopSafe, you can access the service by clicking the ShopSafe logo in one of the following locations:
* System tray (in the lower right corner of the computer screen)
* Browser bar (top of computer screen)
* START menu
* Desktop icon

How do I Log In?

ShopSafe uses the same Login Name and Password as Net Access(r). You must be enrolled in Net Access before you can gain access to the ShopSafe service. If you have not enrolled in Net Access and would like to use the ShopSafe service, visit www.mbnanetaccess.com to enroll.

What if I forget my user name and password?

If you have forgotten your user name or password, visit www.mbnanetaccess.com. If you need further assistance, please call Customer Satisfaction.

How does the ShopSafe service work?

The ShopSafe service generates a unique 16-digit number that is different from your credit card account number but links back to your credit card account and is valid for making purchases. Click on "Create Number" to generate a new substitute number.

How do I create a unique ShopSafe number?

Select the "Create Number" option on the menu, or select "Access a ShopSafe Number" on the ShopSafe home page. Simply enter the spending limit, and click on the "Create Number" box.

What do I need to know about selecting my spending limit?

When creating a unique ShopSafe account number, the ShopSafe service allows you to set the specific dollar limit.
When choosing a dollar limit, be sure to include the full purchase amount, any shipping and handling charges, and state tax (if applicable). The merchant will be authorized for charges up to the dollar limit you set. You may increase the purchase limit for shipping, handling, and taxes that may not have been taken into consideration at the time of the purchase.

What is Increase ShopSafe Limits?

Normally the ShopSafe number you create will automatically be valid for two months and for the original dollar amount you selected. If you want to alter the date or dollar amount you can do so by choosing "Increase ShopSafe Limits."

What do I need to know about selecting my "Valid Thru" date?

When creating a unique ShopSafe number, this service allows you to set the specific period of time that the ShopSafe account number will be valid. The time limit of two months should give the merchant adequate time to process your request. If you need a longer time limit, indicate it as a number of months between 2 and 12. The most common reasons for requiring a longer time limit are listed below:

* Back orders
If a merchant has an item on back order, it typically does not charge your account until the item is available for shipping. Usually a merchant will tell you how long it will take to obtain the merchandise for shipping; be sure to set the ShopSafe account number time limit (and "Valid Thru" date) to cover the entire time period. If your ShopSafe account number has expired before all of the items are shipped, then the merchant will not receive authorization to send your requested purchase.

* Recurring charges
Some purchases require a monthly recurring charge (such as book clubs and Internet service providers). The ShopSafe service allows you to set your "Valid Thru" date for up to 12 months in the future. The Recurring monthly payment located on the Create Number screen allows you to securely manage your monthly bills.

What's happening when the numbers spin?
When the numbers spin, a new and unique ShopSafe account number is being generated for your use online.

Is there a maximum number of credit card accounts I can use with the ShopSafe service?

No. But all accounts must be credit card accounts registered in Net Access.

Can I use any of my credit card accounts with ShopSafe--even if they are not with MBNA or BankCard Services?

No. Accounts registered for the ShopSafe service must be accounts registered in Net Access.

Is there a charge for using the ShopSafe service?

No. There is no charge associated with using the ShopSafe service. You merely need to have a credit card account registered in Net Access.

Is there a maximum number of ShopSafe account numbers that I can create?

No. You can create as many ShopSafe account numbers as you need to complete your online purchases.

Selecting another credit card account

When you have more than one account registered with Net Access, these same accounts will automatically be registered in the ShopSafe service. On the "Profile" tab, you can select which account you'd like to shop with by choosing the "Select Another Credit Card" option.

What happens to my ShopSafe account numbers if my credit card account is lost or stolen?

Any ShopSafe accounts you created with the lost or stolen credit card account number are closed. Closing an active account will prevent any further transactions using this number. It may also lead to the cancellation of any pending transactions. If you've given this number to an online merchant who has your permission to charge you on a recurring basis, you should notify the merchant of the canceled account. When you report your credit card as lost or stolen, a new credit card account number will usually be generated within 24 hours. Once this number has been assigned, you may visit www.mbnanetaccess.com to see the new account.

Where can I use the ShopSafe account number?

The ShopSafe account number will be accepted anywhere your credit card would be accepted.
The online merchant does not need any special software or applications to process your ShopSafe account number. If you are required to present your Credit Card to pick up the merchandise, the merchant may need to call us to verify the ShopSafe Number is linked to your actual Credit Card Number. An example of this is purchasing airline tickets at an online merchant.

Can the same ShopSafe account number be used to make purchases at more than one merchant site?

No. To provide additional security at each merchant site, a new ShopSafe account number needs to be generated for each online merchant site. However, you may reuse the same ShopSafe account number at the same merchant site.

Can I use the ShopSafe service to purchase items outside the United States?

Yes. The ShopSafe account numbers will be accepted anywhere your credit card would be accepted. The online merchant does not need any special software or applications to process your ShopSafe account number.

How does a Web merchant know I'm using a ShopSafe account number?

The Web merchant does not know that you are using a ShopSafe account number. The ShopSafe service generates a unique 16-digit account number that looks like a normal credit card account number. The merchant will process the transaction in the same way as any other credit card transaction.

Can a ShopSafe account be declined for a purchase?

A ShopSafe account number may be declined for a purchase for any of the following reasons:
* The ShopSafe account number has expired.
* The dollar limit is not sufficient to cover the purchase with shipping and taxes.
* The ShopSafe number is first used at one merchant and then reused at a different merchant.
* The transaction exceeds your available credit.

How does the Billing profile work?

This is the billing profile we currently have on file for you. To update your Billing profile click "Edit." This will take you to Net Access to update the address information we have on file for you.
If you would like to use this address on the merchant form, you can either drag and drop the items or click "Fill Form."

How do I use my ShopSafe account number on a Web site where I use one-click or express checkout?

Many Web sites offer a faster way to check out by establishing a profile that includes your name, address, e-mail address, and a credit card number. You can provide a ShopSafe account number for this purpose, instead of your credit card number, to increase your safety and security while shopping online. First, determine the limits you need for the ShopSafe account number. You should choose a dollar limit that covers all of the shopping you may do over an extended period of time, and you'll want to decide how many months (up to 12) you'll want the ShopSafe account number to be valid. For example, you could set limits of $500 and 12 months, then provide the ShopSafe account number to the online merchant and complete your one-click or express checkout. Every time you shop on that site within that 12-month period, you will use part of the dollar limit established. When the dollar limit is exhausted, or the expiration date is reached, you can increase the ShopSafe limits by clicking the "Activity" tab within ShopSafe and updating the specific ShopSafe number.

How do the purchases I make with the ShopSafe service get billed to my credit card account?

All ShopSafe transactions are matched back to your credit card account by MBNA or BankCard Services. You can view this activity online in Net Access and will see the activity on your monthly statement. Each ShopSafe transaction will have a "#" symbol next to it to differentiate it from your other credit card account activity.

How do I handle returns? (If expiration has passed, can they still credit back to the ShopSafe number? And if I purchase online but return it to the store, will there be a problem if the account number on the receipt does not match the credit card I present to them?)
The merchant will refund to the ShopSafe number in the same way as a real credit card number. The ShopSafe service then will link the ShopSafe number back to the real credit card number, which will be refunded.

Verified by Visa and MasterCard SecureCode

As an added benefit, customers using a ShopSafe number will bypass the Verified by Visa and MasterCard SecureCode verification process when shopping with participating merchants.

How does the form fill feature work?

ShopSafe can automatically fill your online forms with the ShopSafe account number and Valid Thru date if you click the "Fill Form" button when you are on an online form. You should always double-check the information on the order form before you submit it.

Why does ShopSafe auto-pop when I am browsing on the Internet?

ShopSafe can identify when you are on a merchant form that requires an account number. Under these conditions, the service will pop a message box to let you know that ShopSafe can assist you with your transaction. If you log in to ShopSafe, you can quickly and easily generate a substitute account number to use for your transaction. ShopSafe can also automatically fill the new account number and Valid Thru date on the online form.

How can I disable the auto-pop function?

Under the "Profile" menu is a selection to "Change Preferences". Simply click "Change Preferences" and select the appropriate option to turn off auto-pop.

Can I view active ShopSafe accounts?

Under the "Activity" menu is a selection to "View Active ShopSafe Numbers." You can review information about any ShopSafe account number you have generated that is still active (has not yet expired according to the Valid Thru date that you preset and still has a balance remaining). The name of the merchant where the ShopSafe account number was used is listed here. If the merchant has not yet processed the transaction, the merchant name field will indicate "In Progress."
You can close an active account number by selecting it, then clicking "Close Number." Closing an active account number will prevent any further transactions using this number. It may also lead to the cancellation of any pending transactions. If you've given this number to an online merchant who has your permission to charge you on a recurring basis, you should notify the merchant of the canceled account.

Can I reuse an existing ShopSafe number?

You can reuse an active account number by selecting it, then clicking "Use." The card image displaying the unique ShopSafe account number will appear; it will reference the name of the merchant for whom this account number was created, any remaining balance, and the Valid Thru date. If the balance is large enough to complete your current purchase, you may use the account number. To increase the Valid Thru date or dollar limit click "Increase ShopSafe Limits."

Can I close an existing ShopSafe number?

Under the "Activity" menu is a selection to "View Active ShopSafe Numbers." You can close an active account number by selecting it, then clicking "Close Number." Closing an active account number will prevent any further transactions using this number. It may also lead to the cancellation of any pending transactions. If you've given this number to an online merchant who has your permission to charge you on a recurring basis, you should notify the merchant of the canceled account.

Can I view past ShopSafe purchases?

All ShopSafe transactions can be viewed within Net Access(r). Each ShopSafe transaction will have a "#" symbol next to it to differentiate it from your other account transactions. In addition, you may view your past purchases using ShopSafe by clicking on the "Activity" menu and selecting "View past purchases." The specific ShopSafe account number is indicated with every transaction.
In the "Status" column, "Settled" means the bank has settled the transaction but there is a remaining balance for that ShopSafe number that can be used for additional purchases at that merchant. "Complete" means there is no remaining balance on the ShopSafe number.

Can I access information on my credit card account through ShopSafe?

Yes. You can reach our online banking service (Net Access) by selecting "Online Banking Services" on the 'Home' menu or by clicking on the "Net Access" button on any screen of the ShopSafe service. The online banking service provides extensive information on your credit card account including current balance, credit available, payment due, payment due date, past statement activity, and more.

Whom do I contact if I get an error while downloading the ShopSafe service?

If you experience difficulties in downloading the ShopSafe service, or if you have additional technical questions or concerns, please call Technical Support.

What should I do if I don't recognize a ShopSafe account charge?

Check the listing on the View Past Purchases window for a record of the transaction with that merchant. Contact the merchant to ask for clarification about the charge. If you did not authorize the charge, ask the merchant to credit your account. You may also dispute the charge in writing by using a copy of the form provided on the back of your credit card statement. You must reference the ShopSafe account number used for the transaction instead of your credit card account number.

What is a CVV2 or CVC2 number?

This three-digit number appears on the back of your credit card in the signature area, at the end of your account number. It is an additional security element that many online merchants are now requesting in addition to the credit card account number and expiration date. The ShopSafe account number you generate will also have an associated CVV2 or CVC2 number.
If the online merchant requests the number from the back of your credit card, use the unique CVV2 (for VISA) or CVC2 (for MasterCard) number generated along with the unique ShopSafe number.

What is the O symbol on the ShopSafe card?

The ShopSafe service is powered by Orbiscom Payment Technology, the inventors of the ShopSafe product. The O logo is their registered trademark.

Is ShopSafe compatible with all operating systems?

ShopSafe Web Version and ShopSafe Desktop will work with Windows 98, 2000, ME, XP, and Windows NT 4.0.

Is ShopSafe compatible with all browsers?

ShopSafe Web Version is compatible with AOL 7 and AOL 8, Netscape 6, and IE 5.0, 5.5, and 6, Mac OS 9 and Mac OS X. ShopSafe Desktop Client is compatible with AOL 7 and 8, Netscape 6, and IE 5.0, 5.5, and 6.

What system requirements are needed for Form Fill and Auto-Launch to function?

ShopSafe auto-launch and form fill features are compatible with Windows 98, 2000, ME, XP, and Windows NT 4.0. It is also supported with IE 5.0, 5.5, and 6, and AOL 7 and 8.

Can I use ShopSafe if I have a Macintosh Computer?

Yes. You can launch the Web Version on any computer with Internet access as long as you are using one of the following browsers: IE 5.0, 5.5, and 6, and AOL 7 and 8.

Who has access to my ShopSafe account number?

Only you, the merchant for which the ShopSafe account number is generated, and our account managers have access to your ShopSafe number.

How secure are my ShopSafe account numbers?

The ShopSafe service is the most secure way to shop online. The ShopSafe service, whether residing on your desktop or accessed through the ShopSafe Web site, is password protected. Each ShopSafe account number you generate can be used only by the merchant you select, up to the amount you specify, and for the length of time you specify.

What happens to my ShopSafe account numbers if my credit card account is lost or stolen?
Any ShopSafe accounts you created with the lost or stolen credit card account number are closed. Closing an active account will prevent any further transactions using this number. It may also lead to the cancellation of any pending transactions. If you've given this number to an online merchant who has your permission to charge you on a recurring basis, you should notify the merchant of the canceled account. When you report your credit card as lost or stolen, a new credit card account number will usually be generated within 24 hours. Once this number has been assigned, you may visit www.mbnanetaccess.com to see the new account.

How can I disable the auto-pop function?

Right click on the system tray ShopSafe icon in the lower right-hand corner of your screen. Click on Preferences, and select the appropriate option to turn auto-pop off.

How can I turn off sounds?

Right click on the system tray ShopSafe icon in the lower right-hand corner of your screen. Click on Preferences, and select the appropriate option to turn sound off.

How can I turn off the "Help" box that appears to the right of the ShopSafe screen?

Click the "Close" button in the bottom right of the "Help" screen and the help box will stay permanently closed. Clicking the "Help" button in the upper right corner of the ShopSafe screen can reopen it.

============ CITIBANK VIRTUAL ACCOUNT NUMBERS ===================

How It Works

"Sure, it's free and a smart idea, but is it easy to use?"

Yes! See for yourself...

step 1
For your protection, you will only be able to access this service with your Cardmember User ID and Password.

step 2
In one click, you can generate a random credit card number and make it virtually impossible for anyone to steal your actual account number while shopping online.

step 3
Enter this number into the merchant's form and complete your purchase. It's really that easy!
About Using the PC Option

By downloading Virtual Account Numbers to your PC*, you'll have all these benefits at your fingertips:
* Easy access from the Logo icon on your desktop, browser, or system launch tray.
* Use the Auto Fill button to quickly complete the merchant's form, or click and drag your number (instead of typing it in).
* Automatically pops-up at the checkout screen when you're shopping online.†
* Store billing addresses to quickly fill merchant forms.

Just click Download Now, accept the Terms & Conditions, and in minutes the software will be installed on your computer. Then start shopping!

Less than 2 minutes with 56K modem

*System Requirements
Flash 6.4 or higher, plus Internet access with ONE of the following browsers:
* AOL 6.0 or higher
* Internet Explorer 5.0 or higher (Windows 98, 2000, NT, ME, and XP)
* Netscape 6.x and 7.x
However, you need to have Internet Explorer 5.0 or greater installed on the machine in order to use Virtual Account Numbers download.

* PC option is only compatible with computers using the Windows(r) operating system. If you're not, just use the website option to launch Virtual Account Numbers.
† Automatic pop-up feature is available at top online merchants.

About Using the Website Option

By launching the website option, you'll have the power to:
* Generate virtual account numbers on any computer with Internet access.*
* And with nothing to download, it's a great option when you're at work or need to use it from multiple computers.
* Copy and paste numbers and billing information into the merchant's form for faster checkout.

Just click Launch Now, accept the Terms & Conditions, and the software will open in a small, custom-sized browser window while you shop. You'll get convenience and safety in one neat little online package.
*System Requirements
Flash 6.4 or higher (Flash 7.0 for Mac OS X), plus Internet access with ONE of the following browsers:
* AOL 6.0 or higher
* Internet Explorer 5.0 or higher (Windows 95 and NT also work with IE 4.0)
* Windows (95, 98, 2000, NT) with Netscape 4.72 and 4.74
* Mac OS 9.0 with Netscape 4.76 and 4.7

Tracking Purchases

"If I don't use my real account number, how will I track purchases?"

It's easy. Just like your other account transactions, you can always track purchases made with Virtual Account Numbers in Unbilled Activity in Account Online and on your monthly statement. As an added convenience, you can also view all previous virtual account numbers used within the software, plus merchant, purchase date, and other details. Because it's nice to be in control, and have options.

Advanced Features

"What? There's more?"

Get more from Virtual Account Numbers by using the advanced features available:

Generate a number with a $ limit
Setting a limit provides an added level of security by ensuring the merchant will charge no more than the set amount. For example: if your purchase total comes to $34.16, set a limit of $35.
NOTE: Purchases cannot exceed your account's available credit limit.

Generate a number with a $ and time limit
This feature lets you use a virtual account number with the same merchant for 2 or more transactions over a period of time (you set the expiration date).

Increase your limits
If you ever need to increase the dollar amount* or extend your expiration date for an active virtual account number, just choose the Increase Amount/Date link.
* Increased amount is subject to available credit on your account.
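The rules the ShopSafe and Virtual Account Numbers FAQs above describe (a substitute 16-digit number tied to the real card, a dollar limit, a Valid Thru date, a merchant lock after the first charge, limit increases, refunds flowing back to the real card, and closure when the real card is reported lost) are modelled here as an added Python simulation. It is not Orbiscom's, MBNA's or Citibank's code: every class and function name, the BIN prefix, the real account number and the merchant names are assumptions or constructed sample values.

```python
# Toy controlled-payment-number (CPN) issuer modelling the ShopSafe / Virtual Account Numbers rules in the FAQ above.
# Added illustration, not Orbiscom's, MBNA's or Citibank's code: names are assumptions; BIN, account number and merchants are constructed.
from dataclasses import dataclass
from datetime import date
import secrets


def luhn_check_digit(partial: str) -> str:
    """Check digit for a 15-digit prefix, so the CPN passes a merchant's Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # this digit lands in a doubled position once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


@dataclass
class RealAccount:
    pan: str               # the cardholder's real card number (constructed placeholder)
    available_credit: int  # cents


@dataclass
class ControlledNumber:
    pan: str
    cvv2: str
    account: RealAccount
    dollar_limit: int   # remaining balance, cents
    valid_thru: date
    merchant: str = ""  # set by the first successful charge; empty until then
    closed: bool = False


class Issuer:
    def __init__(self, bin_prefix: str = "999999"):  # constructed, not a real BIN
        self.bin_prefix = bin_prefix
        self.numbers: dict = {}

    def create_number(self, account, dollar_limit, valid_thru):
        """'Create Number': fresh 16-digit PAN + CVV2; the mapping to the real PAN stays here."""
        body = self.bin_prefix + "".join(str(secrets.randbelow(10)) for _ in range(9))
        cpn = ControlledNumber(body + luhn_check_digit(body), f"{secrets.randbelow(1000):03d}",
                               account, dollar_limit, valid_thru)
        self.numbers[cpn.pan] = cpn
        return cpn

    def authorize(self, pan, cvv2, merchant, amount, today):
        """Merchant presents only PAN + CVV2; the FAQ's decline rules are applied in order."""
        cpn = self.numbers.get(pan)
        if cpn is None or cpn.closed or cpn.cvv2 != cvv2:
            return "DECLINED: unknown or closed number"
        if today > cpn.valid_thru:
            return "DECLINED: expired"
        if cpn.merchant and cpn.merchant != merchant:
            return "DECLINED: number locked to another merchant"
        if amount > cpn.dollar_limit:
            return "DECLINED: exceeds dollar limit"
        if amount > cpn.account.available_credit:
            return "DECLINED: exceeds available credit"
        cpn.merchant = merchant  # first successful charge binds the merchant
        cpn.dollar_limit -= amount
        cpn.account.available_credit -= amount
        return "APPROVED"

    def refund(self, pan, amount):
        """Refunds go to the CPN, even after expiry, and flow back to the real card."""
        cpn = self.numbers[pan]
        cpn.account.available_credit += amount
        return cpn.account.pan  # the account actually credited

    def increase_limits(self, pan, extra=0, new_valid_thru=None):
        """'Increase ShopSafe Limits' / 'Increase Amount/Date' on an active number."""
        cpn = self.numbers[pan]
        cpn.dollar_limit += extra
        cpn.valid_thru = new_valid_thru or cpn.valid_thru

    def report_card_lost(self, account):
        """Every CPN tied to a lost or stolen card is closed; a new real PAN would follow."""
        for cpn in self.numbers.values():
            cpn.closed = cpn.closed or cpn.account is account


def demo():
    """The FAQ's one-click checkout case: a $500, 12-month number used at one merchant."""
    acct, issuer = RealAccount("CONSTRUCTED-REAL-PAN", 100_000), Issuer()
    cpn = issuer.create_number(acct, 50_000, date(2007, 2, 28))
    auth = lambda m, amt, d: issuer.authorize(cpn.pan, cpn.cvv2, m, amt, d)
    out = [auth("books.example", 3_416, date(2006, 3, 1)),   # $34.16 approved, $465.84 left
           auth("other.example", 1_000, date(2006, 3, 2)),   # reuse at a different merchant
           auth("books.example", 46_584, date(2006, 6, 1)),  # spends the remaining balance
           auth("books.example", 1, date(2006, 6, 2))]       # limit exhausted
    issuer.increase_limits(cpn.pan, extra=10_000, new_valid_thru=date(2007, 8, 31))
    out.append(auth("books.example", 5_000, date(2007, 5, 1)))  # valid again after extension
    out.append(issuer.refund(cpn.pan, 3_416) == acct.pan)       # refund reaches the real card
    issuer.report_card_lost(acct)
    out.append(auth("books.example", 100, date(2007, 5, 2)))    # closed with the real card
    return out
```

demo() walks the FAQ's $500 / 12-month scenario and returns the authorization results in order, so each decline reason listed in the FAQ can be seen to trigger.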
From jericho at attrition.org Sat Feb 25 17:51:55 2006
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 25 Feb 2006 17:51:55 -0500 (EST)
Subject: [Dataloss] Oops: Auditor Loses McAfee Employee Data (fwd)
In-Reply-To: <7.0.1.0.2.20060225173354.03d36f60@strikenet.kicks-ass.net>
References: <6A1F4302-412A-4257-8054-EC47B18AACDB@cwalsh.org> <7.0.1.0.2.20060225173354.03d36f60@strikenet.kicks-ass.net>
Message-ID:

: That goes down in the laugh book, with his proclamation of
: "unbreakable", as well. (McNealy)
:
: You have only the privacy and security you demand and enforce!
:
: If you declare something unbreakable, the best out there will indeed,
: 'break' it, just to make an ass out of you.

http://archives.cnn.com/2002/TECH/industry/01/21/oracle.unbreakable.idg/

  Oracle Corp. Chairman and Chief Executive Officer Larry Ellison said
  Thursday that Oracle software remains unbreakable and mocked a memo sent
  this week by arch rival Bill Gates stressing to Microsoft Corp.'s
  employees the importance of security in the company's products.

The 'unbreakable' campaign wasn't McNealy/Sun.

From blitz at strikenet.kicks-ass.net Sat Feb 25 17:36:53 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Sat, 25 Feb 2006 17:36:53 -0500
Subject: [Dataloss] Oops: Auditor Loses McAfee Employee Data (fwd)
In-Reply-To:
References: <6A1F4302-412A-4257-8054-EC47B18AACDB@cwalsh.org>
Message-ID: <7.0.1.0.2.20060225173354.03d36f60@strikenet.kicks-ass.net>

That goes down in the laugh book, with his proclamation of "unbreakable", as well. (McNealy)

You have only the privacy and security you demand and enforce!

If you declare something unbreakable, the best out there will indeed, 'break' it, just to make an ass out of you.

At 12:21 2/25/2006, you wrote:
>: Meanwhile, Ernst and Young had a similar problem, including losing the
>: info for a client CEO (Sun's Scott McNealy).
>:
>: http://www.theregister.co.uk/2006/02/25/ernst_young_mcnealy/
>
>The article touches on the most amusing part:
>
> Then again, the accounting firm could just stick with the "You have no
> privacy. Get over it" line.
>
>This was said and widely discussed (laughed about) back in Jan of 1999 by
>Scott McNealy to reporters and analysts. It's a bit ironic that he would
>bring this incident up when talking about security. I sure hope someone in
>the audience shouted out his infamous quote.

From lyger at attrition.org Sun Feb 26 19:30:24 2006
From: lyger at attrition.org (lyger)
Date: Sun, 26 Feb 2006 19:30:24 -0500 (EST)
Subject: [Dataloss] Florida medical records to go online
Message-ID:

http://www.news-press.com/apps/pbcs.dll/article?AID=/20060226/NEWS01/602260459/1075

Medical records to go online
In Florida, inaugural steps of process begin April 1
By Michelle L. Start
mstart at news-press.com
Originally posted on February 26, 2006

Carrying a prescription that he couldn't read and trying to get it filled at a local CVS store, Bonita Springs resident Sean Balke said he looks forward to the day when medical records will be online.

"I don't get that many prescriptions, but this one is for back pain," said Balke, 32. "I can't read it."

Starting on April 1, the first step toward having all medical records accessible online will begin in Florida.

"We'll be rolling it out over the course of the year," said Rob Cronin, spokesman for SureScripts, which is launching the software in 10 states.
"By the end of the year, we expect it to be statewide in Florida." Already 75 percent of Fort Myers pharmacies have signed up for the software, which has yet to go live. Cronin said those pharmacies include stores such as Albertsons, CVS, Kash 'N Karry, Publix, Walgreens and a number of independent pharmacies. It's a big first step in a move to allow patients and physicians to monitor and access medical records online. Federal officials hope to launch software for that type of records-sharing by 2013. In this initial step, doctors will be able to file prescriptions through the SureScript system and pharmacists will be able to view a list of the patients' medications, which will provide an additional safety check. [...] From lyger at attrition.org Sun Feb 26 19:40:46 2006 From: lyger at attrition.org (lyger) Date: Sun, 26 Feb 2006 19:40:46 -0500 (EST) Subject: [Dataloss] Ernst & Young Loses Four More Laptop Message-ID: (no specific mention of lost data, but ties in with recent E&Y story posted to list - lyger) http://www.theregister.co.uk/2006/02/26/ey_laptops/ Ernst and Young appears set on establishing a laptop loss record in February. The accounting giant has lost four more systems, according to a report in the Miami Herald. A group of Ernst and Young auditors toddled off for lunch on Feb. 9, leaving their laptops in an office building conference room. According to security footage, two men entered the conference room a couple of minutes after the Ernst and Young staffers left and walked off with four Dell laptops valued at close to $8,000, the paper reported. [...] From adrian.sanabria at gmail.com Mon Feb 27 20:43:46 2006 From: adrian.sanabria at gmail.com (Adrian Sanabria) Date: Mon, 27 Feb 2006 20:43:46 -0500 Subject: [Dataloss] CardSystems Settles FTC Charges In-Reply-To: References: Message-ID: Mastercard doesn't keep a list, and neither do AMEX or Discover. 
VISA was the first to organize data security requirements, and although the other card companies were putting together their own programs, they opted to adopt VISA's instead. So, if you're in compliance with PCI, you are in compliance with VISA, Discover, AMEX and Mastercard. That's why AMEX dropped Cardsystems the very next day, after VISA's announcement to do so. I believe the agreement is the same internationally, where VISA's data security program is referred to as AIS instead of PCI.

I also believe that VISA will be the first to enforce minimum requirements for payment applications (PC-based apps that allow merchants to swipe and enter credit card numbers, then send them off for processing). They currently only have best practices posted:

http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Payment_Application_Best_Practices.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_payment_applications.html|Payment%20Application%20Best%20Practices

It is very interesting that Pay by Touch isn't on the list. They seem to keep the list fairly up-to-date also...

On 2/23/06, Chris Walsh wrote:
> Interesting that Pay By Touch (which now owns Cardsystems) says
> (http://www.paybytouchpaymentsolutions.com/about.html) that they are
> "VISA Cardholder Information Security Program (CISP) Compliant", but
> VISA's list of CISP compliant service providers (http://usa.visa.com/
> download/business/accepting_visa/ops_risk_management/
> cisp_List_of_CISP_Compliant_Service_Providers.pdf), dated 2/1/2006,
> includes neither CardSystems nor Pay By Touch.
>
> The PCI Data Security Standard is one MasterCard and VISA require
> adherence to, and it mandates on-site assessments for processors as
> large as Cardsystems. I specifically remember Amex and Visa dropping
> Cardsystems, but I do not have a similar memory for MasterCard.
> Unfortunately, I cannot find a list of MasterCard's approved
> processors, analogous to the VISA list above.
> > > On Feb 23, 2006, at 8:17 PM, lyger wrote: > > > > > In the case of CardSystems and their new companies, it might be > > because > > VISA is no longer doing business with them? > > > > http://attrition.org/errata/dataloss/cardsystems04.html > From adrian.sanabria at gmail.com Mon Feb 27 20:47:26 2006 From: adrian.sanabria at gmail.com (Adrian Sanabria) Date: Mon, 27 Feb 2006 20:47:26 -0500 Subject: [Dataloss] semi-OT: OTP(urchase) In-Reply-To: <44036CF6.6080004@gcmail.maricopa.edu> References: <20060224020848.3842CC305@relayer.avian.org> <44036CF6.6080004@gcmail.maricopa.edu> Message-ID: Interesting. All these implementations seem to be limited to use online though, which doesn't really solve the data security problems though it might help a small minority. For something like this to really have an impact, it would have to be designed and officially supported by VISA and Mastercard, and would have to work at Brick-And-Mortar merchants just as well as online merchants. Without using some kind of token device, I don't see any way that could be done today. On 2/27/06, Steve Smith wrote: > Adrian Sanabria wrote: > > If there is such a thing, I can't see it being anything more than just > > an idea at this point. For such a system to work, the back-end > > transaction processors would have to support it, and I know the > > products the larger ones support, and none of them feature a > > use-once-and-throw-away number. > > Fwiw, Citibank has had "Virtual Account Numbers" for several years now. > Used to be an app that ran in the Windows tray that'd spew a unique > number into the browser (only really worked right w/ IE) but now they > claim to have a web version for Macs and "others". 
> > Regards, > Steve > > > > > On 2/23/06, *Hobbit* wrote: > > > >>Does anyone have good pointers to where one could go for more > >>info on MBNA ShopSafe, or whatever one-time mechanism AMEX > >>is/was offering, or any other currently working schemes to > >>generate a unique one-time credit-card-number equivalent per > >>transaction? Or even per vendor, that I've heard somewhere > >>is also possible? > >> > >>I'm at complete ground zero WRT any knowledge of this stuff, > >>but it sounds like the folks here might be up on these things. > >>Probably best to reply privately and I can summarize later > >>if folks want. > >> > >>tnx > >> > >>_H* > >> > >>_______________________________________________ > >>Dataloss mailing list > >>Dataloss at attrition.org > >>https://attrition.org/mailman/listinfo/dataloss > >> > > > > > > _______________________________________________ > > Dataloss mailing list > > Dataloss at attrition.org > > https://attrition.org/mailman/listinfo/dataloss > > > -- > There is no Gecko, only Zuul. > From cwalsh at cwalsh.org Mon Feb 27 21:30:13 2006 From: cwalsh at cwalsh.org (Chris Walsh) Date: Mon, 27 Feb 2006 20:30:13 -0600 Subject: [Dataloss] semi-OT: OTP(urchase) In-Reply-To: References: <20060224020848.3842CC305@relayer.avian.org> <44036CF6.6080004@gcmail.maricopa.edu> Message-ID: <20060228023008.GA4189@cwalsh.org> I don't see why Visa and MC have to design it. Look at SET v. SSL, eg. Perhaps the ubiquity of the mobile phone would allow it to be used as part of a platform supporting this, inasmuch as it provides an on-line component that one would have available at a brick+mortar establishment. On Mon, Feb 27, 2006 at 08:47:26PM -0500, Adrian Sanabria wrote: > For something like this to really have an impact, it would have to be > designed and officially supported by VISA and Mastercard, and would > have to work at Brick-And-Mortar merchants just as well as online > merchants. 
Without using some kind of token device, I don't see any > way that could be done today.