From rforno at infowarrior.org Sat Jul 1 17:10:37 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 01 Jul 2006 17:10:37 -0400
Subject: [Dataloss] Red Cross laptop with donor information stolen
Message-ID:

Red Cross laptop with donor information stolen
http://www.msnbc.msn.com/id/13657607/

Social Security numbers on computer, but officials say data is encrypted

The Associated Press
Updated: 3:01 p.m. ET July 1, 2006

DALLAS - A laptop containing personal information from thousands of blood donors -- including Social Security numbers and medical information -- was stolen from a local office of the American Red Cross, but officials said the information was encrypted.

The data included matching names and birth dates of donors from Texas and Oklahoma, as well as donors' sexual and disease histories.

"We haven't viewed this as a security breach at this point," Darren Irby, spokesman for the national American Red Cross office, told The Dallas Morning News for its Saturday editions.

The laptop was one of three stolen from a locked closet in the Farmers Branch office of the American Red Cross in May, but the two others did not contain the personal information. There was no sign of forced entry, said Red Cross spokeswoman Audrey Lundy.

Local officials alerted police and national Red Cross offices, Lundy said. Donors were not notified about the missing information, and the Red Cross had no legal obligation to do so.

The laptops disappeared on two separate occasions in May, according to police reports. They could have been gone as long as a week before being reported missing.

Gordon Bass, acting chief information security officer for the national Red Cross, said supervisors have their own user names and passwords. Access is time-and-date based, so information can be accessed only during blood drives or when new information is uploaded to a central database.

The Farmers Branch Red Cross also lost a laptop with encrypted donor information in June 2005, Lundy said, but she could provide no details on circumstances of that incident or any follow-up investigation.

Security in the Farmers Branch office was tightened after the most recent disappearances, Lundy said.

© 2006 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

URL: http://www.msnbc.msn.com/id/13657607/

From lyger at attrition.org Sun Jul 2 13:41:07 2006
From: lyger at attrition.org (lyger)
Date: Sun, 2 Jul 2006 13:41:07 -0400 (EDT)
Subject: [Dataloss] Japan - NTT Cash Card Falls Victim to Hacking
Message-ID:

From Fergie's Tech Blog - http://fergdawg.blogspot.com/

http://www.upi.com/Hi-Tech/view.php?StoryID=20060620-120144-1288r

From taking to prepaid cards from their early years to encouraging people to use mobile phones to purchase everything from train tickets to coffee, Japan has been quick to embrace the concept of a cashless society.

Yet that openness to new models of paying for goods and services has backfired, as the country's telecommunications giant announced Tuesday that tens of thousands of its electronic money account holders' information had been leaked.

NTT Card Solution, a subsidiary of telecom giant NTT, reported that a hacker had broken into the server of its Net Cash network and gained access to about 81,105 accounts.

In a statement, the company apologized to its clients and added that it has already stopped selling more cards and terminated all transactions that could be done by existing cards.

So far, about $28,318 (3.27 million yen) has been abused as a result of the hacking, NTT Card Solution reported, and it is working closely with the police to find out who had broken into the system in the first place.

[...]
From lyger at attrition.org Mon Jul 3 14:50:51 2006
From: lyger at attrition.org (lyger)
Date: Mon, 3 Jul 2006 14:50:51 -0400 (EDT)
Subject: [Dataloss] VA laptop sold from back of truck
Message-ID:

http://redtape.msnbc.com/2006/07/what_happened_t.html#posts

Posted: Monday, July 3 at 01:04 pm CT by Bob Sullivan

We have a few more details on what happened to the nation's most famous runaway laptop computer during those mysterious two months it was missing, courtesy of NBC's Pete Williams.

We're talking about the computer and hard drive that were stolen from a Department of Veterans Affairs employee in May, an incident that made headlines because the hardware contained private information on 26.5 million veterans and current GIs. Last week, VA chief Jim Nicholson announced in dramatic fashion that the prodigal computer had been found, but details about the return were sparing.

NBC's Williams has been able to fill in some of the blanks after talking to law enforcement officials investigating the incident. Both the laptop and hard drive ended up for sale at a black market just north of Washington D.C., near a subway station outside the Beltway near Wheaton. We're talking about the kind of market that is literally run out of the back of a truck, one official said.

Fortunately, a buyer purchased both components at this black market, keeping the missing hardware together.

[...]

From rforno at infowarrior.org Wed Jul 5 22:34:40 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 05 Jul 2006 22:34:40 -0400
Subject: [Dataloss] Illinois university hit with security breach
Message-ID:

Illinois university hit with security breach

By Dawn Kawamoto
http://news.com.com/Illinois+university+hit+with+security+breach/2100-7349_3-6090860.html

Story last modified Wed Jul 05 16:14:35 PDT 2006

Western Illinois University is notifying more than 180,000 people that their personal data is at risk after hackers entered its networks.

The university said it mailed the last of its notifications on Monday to people whose Social Security number, credit card account number and other sensitive information were on the student service servers in the security breach.

"The breach occurred on June 5 through our electronic student services system servers. They do frequent checks on their system and discovered the breach within hours after it occurred," said Darcie Shinberger, a spokeswoman for Western Illinois University.

The incident affects alumni and students who attended the institution from 1983 to the present, as well as 1,000 individuals who were there from 1978 to 1982. Anybody who purchased items online from the university's bookstore or who stayed at the university union hotel also may have had their data exposed, Shinberger said, but could not specify a date range.

The hacked servers house Western's electronic student services system, which is used to run the university's admissions Web site, financial aid, bookstore and hotel.

Western Illinois University distributed e-mail notices to those affected on June 15 and began following that up with mailings last week. It has not received any reports from its public safety office of individuals having their personal information compromised as a result of the incident, Shinberger said.

For the school to say it has no evidence that private information has been used to commit identity theft is disingenuous, said Avivah Litan, an analyst at research firm Gartner. Unless a school has taken an extensive review over an extended period, there's no sure way of determining whether the hackers have profited from the information, Litan said. In addition, victims of identity theft will often turn to other sources to report the problem, such as their credit card companies or local police, before notifying the place where the breach occurred.

Following the incident, Western Illinois University, which serves 13,400 students and has an alumni base of 95,000, began installing new security measures. It is reviewing its policies for storing information and handling online credit card information.

The security breach is not the first for the university. A few years ago, a student broke into Western's computer system and began rifling through his or her own virtual records.

"We have never had anything of this magnitude. This is a first for us," Shinberger said. "There are always risks when doing business online."

Perhaps one of the strongest indicators of the level of security at U.S. universities is that even after a string of major breaches at such places as Ohio University, Notre Dame University and the University of Texas, hackers continue to find their way into college computer systems.

The pervasiveness of security breaches there stems, in part, from the way educational institutions are set up. Universities and colleges desire an exchange of ideas and information and, as a result, maintain relatively open networks. Security experts have noted that this situation may well be to blame for security breaches at institutions.

CNET News.com's Greg Sandoval contributed to this report.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From lyger at attrition.org Wed Jul 5 22:43:53 2006
From: lyger at attrition.org (lyger)
Date: Wed, 5 Jul 2006 22:43:53 -0400 (EDT)
Subject: [Dataloss] Illinois university hit with security breach
In-Reply-To:
References:
Message-ID:

The original estimate was "up to 240,000". Apparently they found some duplicates in the records, which goes back to the previous discussion of "records" versus "unique individuals".
On Wed, 5 Jul 2006, Richard Forno wrote:

> Illinois university hit with security breach
>
> By Dawn Kawamoto
> http://news.com.com/Illinois+university+hit+with+security+breach/2100-7349_3-6090860.html
>
> Story last modified Wed Jul 05 16:14:35 PDT 2006
>
> Western Illinois University is notifying more than 180,000 people that their
> personal data is at risk after hackers entered its networks.
>
> The university said it mailed the last of its notifications on Monday to
> people whose Social Security number, credit card account number and other
> sensitive information were on the student service servers in the security
> breach.

From rforno at infowarrior.org Wed Jul 5 22:39:07 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 05 Jul 2006 22:39:07 -0400
Subject: [Dataloss] Consultant Breached FBI's Computers
Message-ID:

Consultant Breached FBI's Computers
Frustrated by Bureaucracy, Hacker Says Agents Approved and Aided Break-Ins

By Eric M. Weiss
Washington Post Staff Writer
Thursday, July 6, 2006; A05
http://www.washingtonpost.com/wp-dyn/content/article/2006/07/05/AR2006070501489_pf.html

A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.

The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused.

The government does not allege that the consultant, Joseph Thomas Colon, intended to harm national security. But prosecutors said Colon's "curiosity hacks" nonetheless exposed sensitive information.

Colon, 28, an employee of BAE Systems who was assigned to the FBI field office in Springfield, Ill., said in court filings that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its new computer system. And he said agents in the Springfield office approved his actions.

The incident is only the latest in a long string of foul-ups, delays and embarrassments that have plagued the FBI as it tries to update its computer systems to better share tips and information. Its computer technology is frequently identified as one of the key obstacles to the bureau's attempt to sharpen its focus on intelligence and terrorism.

An FBI spokesman declined to discuss the specifics of the Colon case. But the spokesman, Paul E. Bresson, said the FBI has recently implemented a "comprehensive and proactive security program" that includes layered access controls and threat and vulnerability assessments. Beginning last year, all FBI employees and contractors have had to undergo annual information security awareness training.

Colon pleaded guilty in March to four counts of intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States. He could face up to 18 months in prison, according to the government's sentencing guidelines. He has lost his job with BAE Systems, and his top-secret clearance has also been revoked. In court filings, the government also said Colon exceeded his authorized access during a stint in the Navy.

While documents in the case have not been sealed in federal court, the government and Colon entered into a confidentiality agreement, which is standard in cases involving secret or top-secret access, according to a government representative.

Colon was scheduled for sentencing yesterday, but it was postponed until next week. His attorney, Richard Winelander, declined to comment.

According to Colon's plea, he entered the system using the identity of an FBI special agent and used two computer hacking programs found on the Internet to get into one of the nation's most secret databases.

Colon used a program downloaded from the Internet to extract "hashes" -- user names, encrypted passwords and other information -- from the FBI's database. Then he used another program to "crack" the passwords by using dictionary-word comparisons, lists of common passwords and character substitutions to figure out the plain-text passwords. Both programs are widely available for free on the Internet.

What Colon did was hardly cutting edge, said Joe Stewart, a senior researcher with Chicago-based security company LURHQ Corp. "It was pretty run-of-the-mill stuff five years ago," Stewart said.

Asked if he was surprised that a secure FBI system could be entered so easily, Stewart said, "I'd like to say 'Sure,' but I'm not really. They are dealing with the same types of problems that corporations are dealing with."

Colon's lawyer said in a court filing that his client was hired to work on the FBI's "Trilogy" computer system but became frustrated over "bureaucratic" obstacles, such as obtaining written authorization from the FBI's Washington headquarters for "routine" matters such as adding a printer or moving a new computer onto the system. He said Colon used the hacked user names and passwords to bypass the authorization process and speed the work.

Colon's lawyers said FBI officials in the Springfield office approved of what he was doing, and that one agent even gave Colon his own password, enabling him to get to the encrypted database in March 2004. Because FBI employees are required to change their passwords every 90 days, Colon hacked into the system on three later occasions to update his password list.

The FBI's struggle to modernize its computer system has been a recurring headache for Mueller and has generated considerable criticism from lawmakers. Better computer technology might have enabled agents to more closely link men who later turned out to be involved in the Sept. 11, 2001, attacks, according to intelligence reviews conducted after the terrorist strikes.

The FBI's Trilogy program cost more than $535 million but failed to produce a usable case-management system for agents because of cost overruns and technical problems, according to the Government Accountability Office. While Trilogy led to successful hardware upgrades and thousands of new PCs for bureau workers and agents, the final phase -- a software system called the Virtual Case File -- was abandoned last year. The FBI announced in March that it would spend an additional $425 million in an attempt to finish the job. The new system would be called "Sentinel."

© 2006 The Washington Post Company

From lyger at attrition.org Thu Jul 6 08:25:59 2006
From: lyger at attrition.org (lyger)
Date: Thu, 6 Jul 2006 08:25:59 -0400 (EDT)
Subject: [Dataloss] Bisys Loses Details of 61,000 Hedge Fund Investors
Message-ID:

http://www.bloomberg.com/apps/news?pid=20601103&sid=auAh0Q8WqE.w&refer=us

Bisys Group Inc. said personal details about 61,000 hedge fund investors were lost when an employee's truck carrying the files was stolen.

Backup tapes with the information, including the social security numbers of 35,000 individuals, were being moved June 8 from the Roseland, New Jersey-based Bisys RK business unit to another facility, said Amy Conti, a Bisys spokeswoman.

The loss by Bisys, a provider of administrative services to financial companies, is among more than 100 similar thefts reported since January by the U.S. San Diego-based Privacy Rights Clearinghouse. The organization's Web site shows two or more losses of sensitive records every week, including confidential information on 28.6 million U.S.
veterans in a laptop stolen from the home of a Department of Veteran Affairs analyst.

The Bisys tapes can only be read with ``sophisticated hardware and proprietary software,'' Conti said in an interview from Roseland, New Jersey. ``We began calling our clients last week to notify them.''

[...]

From lyger at attrition.org Thu Jul 6 17:13:36 2006
From: lyger at attrition.org (lyger)
Date: Thu, 6 Jul 2006 17:13:36 -0400 (EDT)
Subject: [Dataloss] ADP security breach - "Hundreds of Thousands"
Message-ID:

http://abcnews.go.com/Technology/story?id=2160425&page=1

July 6, 2006 -- The latest corporate data breach is from a company you may never have heard of, even though one in six American workers gets paid by the firm.

Automatic Data Processing, one of the world's largest payroll service companies, confirmed to ABC News that it was swindled by a data thief looking for information on hundreds of thousands of American investors.

According to a company spokeswoman, ADP provided a scammer with personal information of investors who had purchased stock through brokerages that use ADP's investor communications services. Initial reporting indicates that these firms include a number of brand-name brokers, including Fidelity Investments and Morgan Stanley.

[...]

From lyger at attrition.org Thu Jul 6 17:16:59 2006
From: lyger at attrition.org (lyger)
Date: Thu, 6 Jul 2006 17:16:59 -0400 (EDT)
Subject: [Dataloss] 97% of stolen laptops are never recovered (fwd)
Message-ID:

Forwarded from Al Mac
Date: Thu, 06 Jul 2006 12:08:29 -0500

97% of stolen laptops are never recovered, according to this article
http://news.com.com/Getting+over+laptop+loss/2100-1044_3-6089921.html?tag=nefd.lede
at http://search.news.com/search?q=PC+theft+security

600,000 were stolen in 2003
750,000 were stolen in 2005

People need to learn not to leave their laptops unattended, such as in plain sight in a locked auto, or in e-sight with the wireless port open when not in use. Anyone can suffer from burglary, but there are prudent actions to reduce the risk of an incident.

The data on the laptop should also be protected ... encryption, passwords.

Does your laptop really need to be carrying around sensitive data that can be better protected at employer HQ?

Let's assume that some day our laptop is going to get stolen. There needs to be a directory some place of what sensitive info was on it, so that proper notifications can rapidly go to everyone affected.

http://en.wikipedia.org/wiki/Computer_Security_Audits

Al Mac AKA Alister Wm. Macintyre

From sbesser at gmail.com Thu Jul 6 17:36:04 2006
From: sbesser at gmail.com (Sharon Besser)
Date: Thu, 6 Jul 2006 14:36:04 -0700
Subject: [Dataloss] ADP security breach - "Hundreds of Thousands"
In-Reply-To: <02FD2521A65D4A42AB536E54B32D6D778E1743@mail2.vidius.com>
References: <02FD2521A65D4A42AB536E54B32D6D778E1743@mail2.vidius.com>
Message-ID:

Unfortunately, information leaks are becoming a habit... 2nd announcement in such a short period of time. Let's hope that they will not break Ohio's record...

http://www.attrition.org/errata/dataloss/2006/06/adpi01.html
http://abcnews.go.com/Technology/story?id=2160425&page=1

Sharon

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/errata/dataloss/

From lyger at attrition.org Fri Jul 7 03:11:33 2006
From: lyger at attrition.org (lyger)
Date: Fri, 7 Jul 2006 03:11:33 -0400 (EDT)
Subject: [Dataloss] Hacker breaks into UT employee computer records
Message-ID:

Courtesy: sawaba at attrition.org

http://www.wbir.com/news/local/story.aspx?storyid=35838&provider=kns

A hacker broke into a University of Tennessee computer containing names, addresses and Social Security numbers of about 36,000 past and present employees. But university officials say they doubt the data was used.

The hacker apparently used the computer over a nine-month period, from August until May, only to store and transmit movies.

University officials said they are taking every precaution to safeguard security, including a review of file storing and sharing and strengthening security measures in the affected area.

[...]

From lyger at attrition.org Fri Jul 7 15:02:17 2006
From: lyger at attrition.org (lyger)
Date: Fri, 7 Jul 2006 15:02:17 -0400 (EDT)
Subject: [Dataloss] NASD Laptops Stolen, But Risks Played Down
Message-ID:

http://redtape.msnbc.com/2006/07/nasd_laptops_st.html

Friday, July 7 at 03:00 am CT by Bob Sullivan

Ten laptop computers were stolen from a team of securities regulators conducting an investigation last February, but the computers contained scant amounts of personal information, according to the National Association of Securities Dealers.

There is irony in this story. The regulators were conducting what's known as a "cause" exam, an investigation into possible misconduct by two member firms. The only consumers whose identities were put at risk by the theft were the subjects of the investigation, according to the NASD.

The incident underscores the jittery environment surrounding laptop computers and private information in light of several high-profile hardware thefts in recent months.

[...]

From lyger at attrition.org Fri Jul 7 20:45:22 2006
From: lyger at attrition.org (lyger)
Date: Fri, 7 Jul 2006 20:45:22 -0400 (EDT)
Subject: [Dataloss] Navy Personnel Data Again Found on Public Web Site
Message-ID:

Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://www.boston.com/news/nation/washington/articles/2006/07/07/navy_data_again_found_on_public_web_site/

For the second time in two weeks, Social Security numbers and other personal information of Navy personnel have been discovered on an Internet site, triggering an investigation.

The Navy said Friday that information on more than 100,000 naval and Marine Corps aviators and aircrew was on the Naval Safety Center Web site and on nearly 1,100 computer discs mailed out to naval commands.

There was no indication that the information has been used illegally, said Navy spokesman Lt. Ryan Perry. He said Rear Adm. George Mayer, commander of the Naval Safety Center, had the information removed immediately and officials are looking into how the data was posted on the Web site.

The Navy is also attempting to retrieve the computer disks, he said, and individuals whose data was revealed on the Internet were being notified.

Both active and reserve members were affected by the latest incident, including aviators who may have served within the last 20 years.

[...]

From rforno at infowarrior.org Sat Jul 8 02:33:11 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 08 Jul 2006 02:33:11 -0400
Subject: [Dataloss] A Chronology of Data Breaches Since ChoicePoint
Message-ID:

A Chronology of Data Breaches Reported Since the ChoicePoint Incident

The data breaches noted below have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. A few breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of records involved in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws.

The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected.
Some individuals may be the victims of more than one breach, which would affect the totals.

< - >

http://www.privacyrights.org/ar/ChronDataBreaches.htm

From cwalsh at cwalsh.org Sat Jul 8 13:06:24 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sat, 8 Jul 2006 12:06:24 -0500
Subject: [Dataloss] Hacker breaks into UT employee computer records
In-Reply-To:
References:
Message-ID: <20060708170618.GA7539@cwalsh.org>

On Fri, Jul 07, 2006 at 03:11:33AM -0400, lyger wrote:
>
> A hacker broke into a University of Tennessee computer containing names,
> addresses and Social Security numbers of about 36,000 past and present
> employees.

I wonder how. Here's some info from http://san2.dii.utk.edu/

"What is your NetID?

When you came to UT, you were given an email address; it looks something like smithrb at tennessee.edu or maybe it looks like jonesj21 at utk.edu. Either way, your NetID is the first part of your UT email address--in this example that would be smithrb and jonesj21. So when you are asked to enter your NetID in the box above, we are asking you to type in the portion of your email address that comes before @utk.edu or @tennessee.edu.

What is your password?

You were also given a password that works with your NetID. The original one, also known as your default password, is a combination of your birth month, the last two digits of your birth year and the last four numbers of your Social Security number. If you were born in January of 1981 and your SSN is 123-00-4567, your default password is ja814567."

From lyger at attrition.org Sat Jul 8 15:02:20 2006
From: lyger at attrition.org (lyger)
Date: Sat, 8 Jul 2006 15:02:20 -0400 (EDT)
Subject: [Dataloss] Visa, MasterCard to unveil new security rules
Message-ID:

http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001637

By Jaikumar Vijayan, July 07, 2006

Visa U.S.A. Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week.

The rules will be the first major updates to the one-year-old Payment Card Industry (PCI) data security standard, which analysts said is slowly but surely being adopted.

One set of PCI extensions is aimed at protecting credit card data from emerging Web application security threats, said Eduardo Perez, vice president of corporate risk and compliance at Foster City, Calif.-based Visa. Other new rules will require companies to ensure that any third parties that they deal with, such as hosting providers, have proper controls for securing credit card data. Merchants who fail to comply with PCI can face fines or be excluded from processing credit cards.

[...]

From lyger at attrition.org Sat Jul 8 16:04:44 2006
From: lyger at attrition.org (lyger)
Date: Sat, 8 Jul 2006 16:04:44 -0400 (EDT)
Subject: [Dataloss] Firms play Data Protection roulette
Message-ID:

http://www.networkworld.com/news/2006/070506-firms-play-data-protection.html?nlhtsec=070306securityalert3

By Radhika Praveen, TechWorld, 07/05/06

Large numbers of companies are taking risks with data protection, because they are not aware of the requirements of the law.

Nearly half (44%) of companies use live data in test environments -- something the 1998 Data Protection Act warns against explicitly, according to a recent survey of IT directors by Compuware.

Half the directors (48%) were only 'vaguely familiar' with the Act itself, according to the research, which highlights the importance of understanding the demands and keeping track of how customer data is treated.

A further "83% used only minimal measures such as using non disclosure agreements (NDA) to control data when outsourcing," said Ian Clarke, world wide enterprise solutions director at Compuware.

NDAs are all very well, but companies find it difficult to communicate the complex legal terms to their employees or to outsourcing partners, said the survey report.

"Unless they have rigorous procedures in place, they run the risk of live data being leaked to third parties. This can have severe repercussions on customer confidence and company reputation, and ultimately affect the bottom line," Clarke added.

An NDA doesn't mean a lot when an employee in an outsourcing company in India for example who earns $100-a-day can earn much more by selling confidential data, he said.

[...]

From macwheel99 at sigecom.net Sat Jul 8 19:47:32 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sat, 08 Jul 2006 18:47:32 -0500
Subject: [Dataloss] Firms play Data Protection roulette
In-Reply-To:
References:
Message-ID: <6.2.1.2.0.20060708181528.042c3230@mail.sigecom.net>

An HTML attachment was scrubbed...

From privacylaws at sbcglobal.net Sat Jul 8 23:10:08 2006
From: privacylaws at sbcglobal.net (Saundra Kae Rubel)
Date: Sat, 8 Jul 2006 20:10:08 -0700
Subject: [Dataloss] Firms play Data Protection roulette
In-Reply-To: <6.2.1.2.0.20060708181528.042c3230@mail.sigecom.net>
Message-ID: <000a01c6a305$2f89ecd0$210110ac@saundrad38b17a>

The UK Data Protection Law is just one of many different data protection laws. The UK was required to locally implement the EU Data Protection Directive and did so with their passage of the UK Data Protection Act.
To see which countries have laws regulating the use and protection of data, visit http://www.privacyknowledgebase.com/document.jsp?docid=REFDP000 Saundra Kae Rubel, CIPP _____ From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Al Mac Sent: Saturday, July 08, 2006 4:48 PM To: dataloss at attrition.org Subject: Re: [Dataloss] Firms play Data Protection roulette Until this link, I had never heard of the Data Protection Act. I have been employed as a computer professional for over 40 years. Since I am a software developer for a privately owned manufacturer (not yet subject to SOX and many well known other regulations, but we are under UL ISO ROHS and some others), in which I vigorously test all my work using subsets of the live data, where I had always thought the security issues were who can access what data for what purposes, not whether it is in a live or test condition, I went looking for the particulars of this law. It is a British law, perhaps European. http://en.wikipedia.org/wiki/Data_Protection_Act_1998 The Wikipedia article is a small beginning. It does not communicate what constitutes private data under this law. For example, some US law says e-mail addresses are included as private data. There's a lot in US laws about parts of social security #s and bank account numbers. The Wikipedia article does not say anything about restricting testing of software development. Here is another explanation I carefully read through this and saw nothing about any rules saying that we cannot use live data when doing testing. Of course this link might not be as official as the NetworkWorld article. http://www.dataprotectionact.org/ I am in general agreement with the 8 principles, except there can be great ambiguity about how long certain types of data ought to be kept. If we get audited by the taxing authorities, we had better have all the payroll data on our people from several years ago, available for their access. 
If a question comes up about the safety of any product we have manufactured, we had better have full records on where all the components came from and other details, such as identities of people who inspected and certified product perfection. There is no statute of limitations on product safety in the USA. We have to store that kind of data to infinity.

Since some data must be stored for a long, long time, there is an issue not just of security to block inappropriate access, but also of what kind of media it should be stored on. Today CDs or DVDs make sense, but some data was on various shapes of diskettes when we first got that data, and magnetic media is known to only hold the data reliably for like 10 years in climate-controlled conditions. This varies with the quality of the diskette or tape manufacturer, and some media is particularly prone to getting messed up so we can't read it, like a tangled tape, or a diskette out of registration with the device that reads it. Even then, I like to have more than one set of backups.

There is a link in turn to
www.dca.gov.uk/foi/datprot.htm and http://www.dca.gov.uk/ccpd/about.htm#4

My interpretation of this is that the act does not ban core business activities. I consider the testing of software changes to be a core business activity, and I see no place here where the act disagrees with me, although I have not read all of the content here.

http://www.networkworld.com/news/2006/070506-firms-play-data-protection.html?nlhtsec=070306securityalert3

By Radhika Praveen, TechWorld, 07/05/06

Large numbers of companies are taking risks with data protection, because they are not aware of the requirements of the law.

Nearly half (44%) of companies use live data in test environments -- something the 1998 Data Protection Act warns against explicitly, according to a recent survey of IT directors by Compuware.
Half the directors (48%) were only 'vaguely familiar' with the Act itself, according to the research, which highlights the importance of understanding the demands and keeping track of how customer data is treated.

A further "83% used only minimal measures such as using non-disclosure agreements (NDA) to control data when outsourcing," said Ian Clarke, worldwide enterprise solutions director at Compuware.

NDAs are all very well, but companies find it difficult to communicate the complex legal terms to their employees or to outsourcing partners, said the survey report. "Unless they have rigorous procedures in place, they run the risk of live data being leaked to third parties. This can have severe repercussions on customer confidence and company reputation, and ultimately affect the bottom line," Clarke added.

An NDA doesn't mean a lot when an employee in an outsourcing company in India, for example, who earns $100 a day can earn much more by selling confidential data, he said.

[...]

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/errata/dataloss/

-
Al Macintyre
http://en.wikipedia.org/wiki/User:AlMac
http://www.ryze.com/go/Al9Mac
BPCS/400 Computer Janitor ... see http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060708/70902151/attachment-0001.html

From adam at homeport.org Sun Jul 9 00:19:07 2006
From: adam at homeport.org (Adam Shostack)
Date: Sun, 9 Jul 2006 00:19:07 -0400
Subject: [Dataloss] Firms play Data Protection roulette
In-Reply-To: <6.2.1.2.0.20060708181528.042c3230@mail.sigecom.net>
References: <6.2.1.2.0.20060708181528.042c3230@mail.sigecom.net>
Message-ID: <20060709041907.GA26727@homeport.org>

Using real personal data for testing is usually not a purpose specified under various privacy policies & disclosures, and usually doesn't hit the "essential" tests that the laws allow.

In the US, that's probably less of a problem legally, because we don't have a general data protection law, but in other countries, using live data for test is probably out.

Adam

On Sat, Jul 08, 2006 at 06:47:32PM -0500, Al Mac wrote:
| Until this link, I had never heard of the Data Protection Act.
| [...]
From george at myitaz.com Sun Jul 9 11:10:47 2006
From: george at myitaz.com (George Toft)
Date: Sun, 09 Jul 2006 08:10:47 -0700
Subject: [Dataloss] Firms play Data Protection roulette
In-Reply-To: <20060709041907.GA26727@homeport.org>
References: <6.2.1.2.0.20060708181528.042c3230@mail.sigecom.net> <20060709041907.GA26727@homeport.org>
Message-ID: <44B11C77.9080907@myitaz.com>

I think we should make a distinction between live data and real data.

Some companies make copies of their live data and put it in their development environment(s) for development and testing. It's not live data, but it is certainly real.

There are many benefits to using a copy of live data, but in today's reality, I think the risk to the business is too great to endorse this activity. I think it also might violate the spirit of "separation of duty" that most companies implement to keep developers out of production systems.

Regards,

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067
Confidential data protection experts for the financial industry.

Adam Shostack wrote:
> Using real personal data for testing is usually not a purpose
> [...]
From cwalsh at cwalsh.org Sun Jul 9 12:48:03 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sun, 9 Jul 2006 11:48:03 -0500
Subject: [Dataloss] Firms play Data Protection roulette
In-Reply-To: <20060709041907.GA26727@homeport.org>
References: <6.2.1.2.0.20060708181528.042c3230@mail.sigecom.net> <20060709041907.GA26727@homeport.org>
Message-ID: <9BBF2540-94AF-487E-A7B2-30479A46F673@cwalsh.org>

Among the European nationals I've spoken to on this, it seems to be universally believed that the ability of firms to comply with the privacy directive (e.g., by telling them what personal info is kept, where) borders on nil. Maybe I just hang with a cynical crowd.

In my (limited) experience, the privacy directive is good for at least one thing -- it keeps firms from collecting certain information in the first place.

From cwalsh at cwalsh.org Sun Jul 9 12:57:00 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sun, 9 Jul 2006 11:57:00 -0500
Subject: [Dataloss] Montana health office computer stolen -- may have contained PII, health info
Message-ID: <7BEA39A9-9E4D-40DF-8684-04DB84CD403F@cwalsh.org>

http://news.bostonherald.com/national/view.bg?articleid=147361

Computer stolen from state health office in Montana
By Associated Press
Friday, July 7, 2006 - Updated: 03:05 PM EST

HELENA, Mont. - A state government computer was stolen during a July Fourth break-in at the offices of a drug dependency program, and officials were trying to determine Friday when it contained sensitive information.
Top officials in state government were unaware Friday morning that the Public Health and Human Services computer, assigned to a state chemical dependency program officer, had disappeared.

Helena Police Chief Troy McGee said a burglar broke in over the holiday. A state worker who went into the building that day noticed a skylight had been broken and called police.

Police were not informed if the computer contained any sensitive data, such as Social Security numbers or medical information, he said.

[...]

[Trying to determine *when* it contained sensitive info? So they are saying that they know that at one time it did? Or did AP editors let a 'when' slip in where a 'whether' was warranted?]

From macwheel99 at sigecom.net Sun Jul 9 20:19:16 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sun, 09 Jul 2006 19:19:16 -0500
Subject: [Dataloss] Colorado Work Place Identity Theft Statistics
Message-ID: <6.2.1.2.0.20060709184509.042249e0@mail.sigecom.net>

The Colorado Dept of Labor http://www.coworkforce.com/ just released statistics on the degree to which Identity Theft is being used to secure jobs in that state, perhaps some by illegal immigrants.

For list readers not in the USA, we all have to pay employment taxes, which are recorded using our social security number, so the government gets all that data, except in cases where employers or independent contractors have failed to file the necessary paperwork.

>In the third quarter of 2005, the department recorded 2,249 instances
>where employers reported a Social Security number that was used six or
>more times. One number was provided by 50 different employers.
>
>During the first quarter of 2006, 368 Social Security numbers were filed
>more than six times by 2,828 employers. One number was reported by 57
>different employers.

How much you want to bet the IRS will be after whoever that social security number belongs to, complaining they underreported their income when they paid their income taxes?
{...} more info in the rest of the article
http://www.bizjournals.com/denver/stories/2006/07/03/daily18.html

Colorado Gov site: http://www.colorado.gov/
Colorado Cyber Security http://www.colorado.gov/cybersecurity/index.html
Colorado in perspective http://en.wikipedia.org/wiki/Colorado

-
Al Mac AKA Alister Wm. Macintyre

From peterw at firstbase.co.uk Mon Jul 10 02:16:13 2006
From: peterw at firstbase.co.uk (Peter Wood)
Date: Mon, 10 Jul 2006 07:16:13 +0100
Subject: [Dataloss] Firms play Data Protection roulette
In-Reply-To: <44B11C77.9080907@myitaz.com>
References: <6.2.1.2.0.20060708181528.042c3230@mail.sigecom.net> <20060709041907.GA26727@homeport.org> <44B11C77.9080907@myitaz.com>
Message-ID: <7.0.1.0.2.20060710071009.03bc6d28@firstbase.co.uk>

We discussed recently the matter of real data in a test environment with a client. Frequently, when conducting an internal penetration test, we find copies of real data on development machines unprotected by passwords or encryption. Rather than try to insist that developers protect this real data properly, which is never going to happen, we suggested the following:

(1) replace all name fields with alpha garbage (of the correct field lengths) so as to depersonalise the data

(2) randomly swap fields such as city, zip code, credit card number etc. so that any given row of data is useless to a thief but still valid per range checks etc.

Any views on this idea?

Pete

At 08:10 09/07/2006 -0700, George Toft wrote:
>I think we should make a distinction between live data and real data.
>[...]
--------------------------------------------------------------------
Peter Wood FBCS CITP MIEEE MIMIS CISSP
Chief of Operations
First Base Technologies
Office: +44 (0)1273 454525
Mobile: +44 (0)7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk

From macwheel99 at sigecom.net Mon Jul 10 02:39:45 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Mon, 10 Jul 2006 01:39:45 -0500
Subject: [Dataloss] Franklin Transit leaves private data on surplused computers
Message-ID: <6.2.1.2.0.20060710013627.027bfeb0@mail.sigecom.net>

Old computers were sold at auction. One buyer finds social security numbers for 200 co-workers. This leads to the whistleblower being disciplined, but the transit company also eventually beefing up its security.
http://www.tri-cityherald.com/tch/opinions/story/7947732p-7841262c.html

From george at myitaz.com Mon Jul 10 08:31:47 2006
From: george at myitaz.com (George Toft)
Date: Mon, 10 Jul 2006 05:31:47 -0700
Subject: [Dataloss] Firms play Data Protection roulette
In-Reply-To: <7.0.1.0.2.20060710071009.03bc6d28@firstbase.co.uk>
References: <6.2.1.2.0.20060708181528.042c3230@mail.sigecom.net> <20060709041907.GA26727@homeport.org> <44B11C77.9080907@myitaz.com> <7.0.1.0.2.20060710071009.03bc6d28@firstbase.co.uk>
Message-ID: <44B248B3.6040405@myitaz.com>

If the client is really serious about this effort, I think it is much better than using real data. I suggest scrambling the credit card info (SSNs as well) unless there is some aspect of the application that does a validity check on the value. For CC numbers, if the CC processor returned an authorization code at the time of sale, it must be valid, so I see no reason to maintain that number intact.
I also recommend they make someone personally accountable for any real data stored outside of the prod environment. Without accountability, the rules won't be followed, and you'll find real data stored on machines without adequate security...

My thoughts :)

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067
Confidential data protection experts for the financial industry.

Peter Wood wrote:
> We discussed recently the matter of real data in a test environment
> [...]
From privacylaws at sbcglobal.net Mon Jul 10 11:17:33 2006
From: privacylaws at sbcglobal.net (Saundra Kae Rubel)
Date: Mon, 10 Jul 2006 08:17:33 -0700
Subject: [Dataloss] Firms play Data Protection roulette
In-Reply-To: <44B248B3.6040405@myitaz.com>
Message-ID: <003901c6a433$f9b53e90$210110ac@saundrad38b17a>

PCI Data Security Standard #6.3.4 requires that "Production data (real credit card numbers) are not used for testing or development." This applies to all levels of merchants no matter how many transactions are performed. See more at:
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf

Saundra Kae Rubel, CIPP

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of George Toft
Sent: Monday, July 10, 2006 5:32 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] Firms play Data Protection roulette

If the client is really serious about this effort, I think it is much better than using real data.
[...]
From macwheel99 at sigecom.net Mon Jul 10 10:59:33 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Mon, 10 Jul 2006 09:59:33 -0500
Subject: [Dataloss] Firms play Data Protection roulette
Message-ID: <6.2.1.2.0.20060710095639.027b0d40@mail.sigecom.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060710/26a5f69d/attachment.html

From macwheel99 at sigecom.net Tue Jul 11 01:07:18 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Tue, 11 Jul 2006 00:07:18 -0500
Subject: [Dataloss] Identity Theft protection changes needed
Message-ID: <6.2.1.2.0.20060710234137.042c5290@mail.sigecom.net>

In security breach news we are seeing the same scenario played out again and again, with different enterprises doing the same stuff that leads to disaster. How come no one seems to be learning by example to avoid being the next story in the news?

I have my theories on this, but in this article, IDG News Services asked leaders of three security businesses to give their theories on this.

* People do what is easy and convenient and don't give much thought to the consequences.
* Many people do not get insurance until something happens to a neighbor, or they see a problem in the news, and realize they need insurance against that
* Security is a balance between other management priorities, in which several are more important than security
* There has been a conceptual shift in recent years. It used to be that companies trusted employees, gave them reasons for that trust, but now job security is threatened by off-shoring, unions have been busted, and Sarbanes-Oxley is re-establishing separation of duties
** but none of that is why we have all these new laws saying no one can be trusted ... here's why http://wallstreetfollies.com/ scroll to the bottom and blow it up http://wallstreetfollies.com/diagrams.htm
* there's a lot of traffic that goes over the Internet in the clear
* you can't tell from a web ad if there is something malicious going on

My theories have to do with the notion that security breaches have been occurring since the dawn of computer history, and we are now only hearing about those associated with geographies where there is a legal obligation to report them. Let's suppose you work in a company that has existed for 100 years, had computers for 50 years, has had 20 security breaches and survived them all. The fact that your company is now obligated to publicize breaches means that it does not dawn on anyone what the PR consequences of that are until after the first publicized breach.

There are laws that are not enforced. We can go to any electronics store and buy the wherewithal to tap into cell phone and other radio traffic. Totally illegal, but have you ever heard of anyone being arrested for it? Do you know what a police scanner is? People who like to listen to police radio calls for their entertainment. You can also listen to taxi service and other outfits. Some parts of the electromagnetic spectrum are reserved for special kinds of traffic, like pagers. I hear tell there's all kinds of interesting stuff for snoops.
Companies with wireless not locked down. Several breaches have involved someone with a laptop in their parking lot.

People get some kind of communication service and assume there is zero risk of it being tapped, hacked, or what have you.

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_hacking&articleId=9001672&taxonomyId=82

-
Al Mac AKA Alister Wm. Macintyre

From lyger at attrition.org Tue Jul 11 06:47:45 2006
From: lyger at attrition.org (lyger)
Date: Tue, 11 Jul 2006 06:47:45 -0400 (EDT)
Subject: [Dataloss] It's Time to Protect Students' Data
Message-ID:

Courtesy InfoSec News and WK:

http://www.businessweek.com/technology/content/jul2006/tc20060710_558020.htm

By Scott Olson
Viewpoint
JULY 10, 2006

A third of all data leaks are at universities. Academia should be held to stricter record confidentiality standards

It pains me to say it: I am advocating government intervention and new regulations. But, as they say, special circumstances apply. As an alumnus of the University of Texas at Austin, specifically its McCombs School of Business, I was chagrined to learn that hackers recently gained access to some of the school's 197,000 records, some of which included my Social Security number (SSN) and other personal information, as well as that of many other alums.

I've signed up with a credit-monitoring bureau and requested that the three main credit-reporting agencies put a fraud alert on my records. So the hackers have already made off with quite a lot: my time, my money, and my already fragile peace of mind.

[...]

From ADAIL at sunocoinc.com Tue Jul 11 09:36:21 2006
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Tue, 11 Jul 2006 09:36:21 -0400
Subject: [Dataloss] Canadian Thieves Swapping out keypad terminals
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8E238004@mds3aex0e.USISUNOCOINC.com>

Has anyone heard any additional detail on this? Tampering with the keypad is *SUPPOSED* to wipe the authentication key from memory.
DEBIT CARD FRAUD PLAGUES CANADIAN RETAILERS

NEW YORK - A recent surge in debit card fraud is plaguing Canadian retailers, reports BankNet 360.

The news source writes that debit card thieves are stealing card terminals from gas stations, convenience stores and fast food restaurants so they can rig the devices and swipe embedded data stored on card magnetic strips. Thieves then switch the rigged terminals with genuine machines, which gives them the ability to collect personal account information from swiped debit cards, such as personal identification numbers (PIN).

"In Ottawa and Montreal, PIN pad fraud has resulted in approximately $6.7 million in losses during the past few months," notes the news source.

Additionally, more than 40 retailers in Montreal have reported that wireless Internet connections were used to remotely retrieve PINs and card numbers from rigged card terminals. Thieves used that data to clear out the bank accounts of approximately 18,000 debit card holders.

The news source notes that Canadians use debit cards "more than any other country, averaging 82 million debit transactions a year."

Copyright 2006 NACS
From george at myitaz.com Tue Jul 11 11:33:51 2006
From: george at myitaz.com (George Toft)
Date: Tue, 11 Jul 2006 08:33:51 -0700
Subject: [Dataloss] Identity Theft protection changes needed
In-Reply-To: <6.2.1.2.0.20060710234137.042c5290@mail.sigecom.net>
References: <6.2.1.2.0.20060710234137.042c5290@mail.sigecom.net>
Message-ID: <44B3C4DF.6040802@myitaz.com>

Our business is focusing on a vertical that is clearly governed by Gramm-Leach-Bliley. Their professional journal carried 49 articles on the applicability of GLBA since 2001, yet in 1600+ telephonic conversations with members of this industry, the majority of the business owners have never heard of GLBA. The FTC calls out their business as being regulated. 16 CFR states they are regulated, yet they don't know about it.

So where am I going with this? In our research to discover why we are getting little results in our marketing, we stumbled across two pieces of wisdom:
1. It's hard to convince someone to spend money on something they don't understand; and
2. The human mind is built to react, not proact.

In our case, we are trying to help these businesses stay out of the [near] daily security breach headlines, yet the business owners do not understand why security is important. "That will never happen to me."

Regarding the human mind, I think that we - as security people - are mis-wired. We think proactively - that's why we proactively secure our systems (to the maximum extent allowed by the budget). And it is hard for us to understand why the rest of the world can't see the freight train about to hit them.

I have been tasked with presenting a webinar to the senior management of a medium-sized company that is still running Windows NT on all their servers. (By now, most readers are probably gasping in shock.) The IT Director understands the problem, but senior management's mindset is "It's not broken, so why fix it?"

So what it comes down to is that senior managers do not think proactively.
They are focused on revenue generation, not asset protection, and surely not security. This point is supported in a recent study (http://www.eweek.com/article2/0%2C1895%2C1979919%2C00.asp). They will react when it hits them in the balance sheet, but by then the damage is done.

Proactive thought is neither taught nor practiced in college, as shown by the trend in data loss (1/3 of victims are universities). In my own studies - undergraduate and graduate - we were taught to solve problems, not prevent them. (My policies class came close - we were taught to look at the failings of others and develop policies to protect the business.)

The root cause of the problem lies squarely in our education system. Unfortunately, it takes years to move that industry, so the problem will continue for quite some time.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

Al Mac wrote:
> In security breach news we are seeing the same scenario played out again and again, with different enterprises doing the same stuff that leads to disaster. How come no one seems to be learning by example to avoid being the next story in the news? I have my theories on this, but in this article, IDG News Services asked leaders of three security businesses to give their theories on this.
>
> * People do what is easy and convenient and don't give much thought to the consequences.
> * Many people do not get insurance until something happens to a neighbor, or they see a problem in the news, and realize they need insurance against that
> * Security is a balance between other management priorities, in which several are more important than security
> * There has been a conceptual shift in recent years.
> It used to be that companies trusted employees, gave them reasons for that trust, but now job security is threatened by off-shoring, unions have been busted, and Sarbanes-Oxley is re-establishing separation of duties
> ** but none of that is why we have all these new laws saying no one can be trusted ... here's why
> http://wallstreetfollies.com/ scroll to the bottom and blow it up
> http://wallstreetfollies.com/diagrams.htm
> * there's a lot of traffic that goes over the Internet in the clear
> * you can't tell from a web ad if there is something malicious going on
>
> My theories have to do with the notion that security breaches have been occurring since the dawn of computer history, and we are now only hearing about those associated with geographies where there is a legal obligation to report them. Let's suppose you work in a company that has existed for 100 years, has had computers for 50 years, has had 20 security breaches and survived them all. The fact that your company is now obligated to publicize breaches means that it does not dawn on anyone what the PR consequences of that are until after the first publicized breach.
>
> There are laws that are not enforced. We can go to any electronics store and buy the wherewithal to tap into cell phone and other radio traffic. Totally illegal, but have you ever heard of anyone being arrested for it? Do you know what a police scanner is? People who like to listen to police radio calls for their entertainment. You can also listen to taxi service and other outfits. Some parts of the electromagnetic spectrum are reserved for special kinds of traffic, like pagers. I hear tell there's all kinds of interesting stuff for snoops.
>
> Companies with wireless not locked down. Several breaches have involved someone with a laptop in their parking lot.
>
> People get some kind of communication service and assume there is zero risk of it being tapped, hacked, or what have you.
>
> http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_hacking&articleId=9001672&taxonomyId=82
>
> -
> Al Mac AKA Alister Wm. Macintyre

From macwheel99 at sigecom.net Tue Jul 11 13:39:25 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Tue, 11 Jul 2006 12:39:25 -0500
Subject: [Dataloss] Canadian Thieves Swapping out keypad terminals
In-Reply-To: <8CA58E707BB1C44385FA71D02B7A1C8E238004@mds3aex0e.USISUNOCOINC.com>
References: <8CA58E707BB1C44385FA71D02B7A1C8E238004@mds3aex0e.USISUNOCOINC.com>
Message-ID: <6.2.1.2.0.20060711120811.043981c0@mail.sigecom.net>

There have been intermittent incidents like this in the USA, and I can dig up URLs of stories if you desire.

I feel that phishing via e-mail, and various attacks on poorly secured financial web sites, can net crooks a lot more loot, be more likely to be untraceable, and let them escape and then open up shop some place else. The hardware attacks seem to be from people of more traditional historical criminal minds, who may not yet be web-savvy.

Let's suppose a standard keypad has certain security features. An electronics technician can probably disable those security features, given enough time working on it covertly.

You walk into a shopping mall, and you see an ATM machine. You assume that it is really from the bank whose name is on the box. 99% of the time you're right, but there are some fraudulent machines out there. They take your card, tell you sorry, they're out of money, you need to find another ATM, but they don't tell you this until you have entered your PIN # etc., so the fraudulent machine has your plastic info, the magnetic strip info, your PIN #, and some place someone turns out a duplicate, then drains your account. This is why I only use ATM machines that are right at the actual bank.
There was one shopping mall where it was found that someone had installed a camera with a telephoto lens in the ceiling over an ATM to record what people keyed in as the PIN#. I don't remember from that story how they got the card data for duplicating the magnetic stripe. It may be that there is enough info on the face of the card to make a duplicate.

Gasoline prices have been rising in the USA. We usually stick a credit card into the pump, push buttons on a keypad to select services. That keypad is also used by the retail outfit to adjust the gasoline prices as needed. Some naughty consumers have figured out how to use the keypad to drop the pricing to free or almost free, then after doing a fill up, leave the pricing that way for other consumers to use. There have been many arrests around the USA in regards to this, but the practice is spreading.

My PC is now connected to the Internet via cable modem. When I was on dial up, it was the same line as my portable phone. I could hear over the same line a local taxi service dispatch, and I assume they could hear my computer signal traffic.

Wireless can be a pain to secure. Companies with computer professionals on staff, or computer tech support, often get this taken care of, but your average restaurant, convenience store etc. just gets the special phone line for the credit approval, then becomes vulnerable to telecommunications marketers trying to sell them a cheaper phone line that they neglect to say may be much less secure than what they are now using.

Security Risks and Security Protection are like Weapons and Defenses in the Military. The enemy is constantly striving to come up with better weapons to penetrate your armor, and also come up with better armor to defend against your weapons. It is a race. If you are operating on technology that was invented years ago, you are probably not secure. Many companies are operating on technology that was invented decades ago.
If you go into a bank, you will not find any deposit slips on the counter for your convenience like we had years ago. You have to get them with your checks. The reason for this is that there was a scam where people opened some bank account, printed their own deposit slips that looked blank to the human eye, but had the magnetic ink deal that banks use to sort checks. People would go into the bank, fill out the deposit slip in human readable ink, and the bank's computers would read the magnetic ink and deposit into the crook's account. Since everyone knew when the bank sent out the bank statements, the crooks would clean out their account and skip town right before customers started piling up at the bank to complain about deposits not making it into their accounts.

Many systems have design flaws that crooks will figure out how to exploit. It is a never ending war, until such time that systems are deployed that have been thoroughly tested for flaws before deployment. But testing is time consuming, and needs special software to do it properly. The winner in the marketplace is the outfit that is first to come out with some new feature more inexpensively than the competition. Security is usually in last place in terms of importance.

>Has anyone heard any additional detail on this? Tampering with the keypad is *SUPPOSED* to wipe the authentication key from memory.
>
>DEBIT CARD FRAUD PLAGUES CANADIAN RETAILERS
>
>NEW YORK - A recent surge in debit card fraud is plaguing Canadian retailers, reports BankNet 360.
>
>The news source writes that debit card thieves are stealing card terminals from gas stations, convenience stores and fast food restaurants so they can rig the devices and swipe embedded data stored on card magnetic strips. Thieves then switch the rigged terminals with genuine machines, which gives them the ability to collect personal account information from swiped debit cards, such as personal identification numbers (PIN).
>
>"In Ottawa and Montreal, PIN pad fraud has resulted in approximately $6.7 million in losses during the past few months," notes the news source.
>
>Additionally, more than 40 retailers in Montreal have reported that wireless Internet connections were used to remotely retrieve PINs and card numbers from rigged card terminals. Thieves used that data to clear out the bank accounts of approximately 18,000 debit card holders.
>
>The news source notes that Canadians use debit cards "more than any other country, averaging 82 million debit transactions a year."
>
>Copyright 2006 NACS

From lyger at attrition.org Wed Jul 12 19:00:35 2006
From: lyger at attrition.org (lyger)
Date: Wed, 12 Jul 2006 19:00:35 -0400 (EDT)
Subject: [Dataloss] Data Loss Mail List: Topicality
Message-ID:

In the last couple of days, I've received a few questions about what types of posts or information are considered "on-topic" or "off-topic" for the Data Loss Mail List. From the subscription info page:

"Data Loss is a mail list that covers topics such as news releases regarding large-scale data loss, data theft, and identity theft incidents.
Discussion about incidents, indictments, legislation, and recovery of lost or stolen data is encouraged."

A few points to make here:

1. "Data loss", at least for this purpose, should be generally defined as the loss, theft, or exposure of private personal information. Social Security numbers, credit and debit card numbers, and medical information are good examples. Not every computer hack, laptop theft, or office break-in results in such exposure for individuals.

2. Discussion about "data loss" is encouraged. Many subscribers to the list work as security professionals and have read the latest media stories about "what to do" or "what not to do". While moderated, this list is not "news only". However, primers on "how to secure your laptop" are old news and generally out of scope.

3. On occasion, an on-topic mail may be sent to the list that has formatting errors or excessive hyperlinking. In those cases, the list moderators will use their discretion on whether to allow, modify, or discard a post. We try to be timely in reviewing posts, but it's not a full time job. :)

Any questions, comments, or concerns, please mail me directly at lyger at attrition.org

Thanks,
Lyger

From lyger at attrition.org Thu Jul 13 08:50:53 2006
From: lyger at attrition.org (lyger)
Date: Thu, 13 Jul 2006 08:50:53 -0400 (EDT)
Subject: [Dataloss] Wisconsin: Tech college student ID information stored on a CD missing
Message-ID:

http://www.wbay.com/Global/story.asp?S=5142419

A computer disk containing personal information of some 1500 tech students in Beaver Dam, Fond du Lac and West Bend is missing.

The students have been in apprenticeship programs at Moraine Park Technical College campuses since 1993. They've gotten letters from the school letting them know the disk is missing.

Moraine Park says the information includes names, addresses, telephone numbers and Social Security numbers of apprenticeship students.

[...]
From lyger at attrition.org Thu Jul 13 18:07:55 2006
From: lyger at attrition.org (lyger)
Date: Thu, 13 Jul 2006 18:07:55 -0400 (EDT)
Subject: [Dataloss] OU reports drop in donations in wake of data thefts
Message-ID:

Courtesy InfoSec News and WK:

http://www.ohio.com/mld/beaconjournal/news/state/15020648.htm

Associated Press
July 12, 2006

ATHENS, Ohio - The number of financial donations received by Ohio University dropped in the two months after the school announced electronic break-ins of its computer system.

The decline resulted from a downturn in fundraising efforts that followed the five security breaches and a large number of first-time donors in 2005 who did not continue giving, university officials said.

About a half-dozen mailings and 3,000 fundraising telephone calls were eliminated "in response to the increased sensitivities over the data security issues that our alumni communicated to us," the school said in a statement.

[...]

From cwalsh at cwalsh.org Thu Jul 13 21:03:22 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 13 Jul 2006 20:03:22 -0500
Subject: [Dataloss] Vystar Credit Union, 34K people
Message-ID: <20060714010317.GA11232@cwalsh.org>

Looks like names and SSNs were gotten. I don't recall seeing this one.
Props to the Identity Theft Resource Center for the catch (http://www.idtheftcenter.org/breaches.pdf)

Story at:
http://www.cuna.org/newsnow/archive/list.php?date=053006#26944

From bgivens at privacyrights.org Thu Jul 13 22:06:32 2006
From: bgivens at privacyrights.org (Beth Givens)
Date: Thu, 13 Jul 2006 19:06:32 -0700
Subject: [Dataloss] More on Vystar Credit Union, 34K people
In-Reply-To: <20060714010317.GA11232@cwalsh.org>
References: <20060714010317.GA11232@cwalsh.org>
Message-ID: <6.2.5.6.2.20060713190237.043b5148@privacyrights.org>

I had difficulty opening up the cuna.org story. Here are a couple more:

http://www.jacksonville.com/tu-online/stories/052706/bus_3223036.shtml

...
VyStar President and Chief Executive Officer Terry West said the company noticed the invaded information "a few weeks ago," before turning to Jacksonville-based IT consulting firm Idea Integration, who confirmed the breach.

West insisted that the stolen information consisted of "things you can get from a variety of sources anyway."

Here's another story:
http://www.firstcoastnews.com/news/topstories/news-article.aspx?storyid=58263

Beth

At 06:03 PM 7/13/2006, you wrote:
>Looks like names and SSNs were gotten. I don't recall seeing this one.
>Props to the Identity Theft Resource Center for the catch (http://www.idtheftcenter.org/breaches.pdf)
>
>Story at:
>http://www.cuna.org/newsnow/archive/list.php?date=053006#26944

Beth Givens, Director
Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
San Diego, CA 92103
Voice: 619-298-3396
Fax: 619-298-5681
bgivens at privacyrights.org
http://www.privacyrights.org
From lyger at attrition.org Fri Jul 14 07:07:47 2006
From: lyger at attrition.org (lyger)
Date: Fri, 14 Jul 2006 07:07:47 -0400 (EDT)
Subject: [Dataloss] OMB tightens IT security incident rules
Message-ID:

Courtesy InfoSec News and WK:

http://www.gcn.com/online/vol1_no1/41334-1.html

By Mary Mosquera
GCN Staff, 07/13/06

Agencies must now report all security incidents involving personally identifiable information within one hour of discovering the incident, the Office of Management and Budget said in a memo tightening information security notification procedures.

OMB also added new requirements for incorporating the cost of security in agency IT investments for fiscal 2008 IT budget submissions.

The Federal Information Security Management Act of 2002 requires all agencies to report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT) within the Homeland Security Department. Procedures require agencies to report according to various time frames based on the type of incident.

OMB has strengthened notification procedures by making the one-hour requirement standard for both electronic and physical security, and for suspected as well as confirmed security breaches.

You should report all incidents involving personally identifiable information in electronic or physical form and should not distinguish between suspected and confirmed breaches, said Karen Evans, OMB administrator for e-government and IT in the memo dated yesterday.

[...]

From lyger at attrition.org Fri Jul 14 08:20:47 2006
From: lyger at attrition.org (lyger)
Date: Fri, 14 Jul 2006 08:20:47 -0400 (EDT)
Subject: [Dataloss] U of Iowa changes policy to protect identities
Message-ID:

http://desmoinesregister.com/apps/pbcs.dll/article?AID=/20060714/NEWS02/607140380/1004

By ERIN JORDAN
REGISTER IOWA CITY BUREAU
July 14, 2006

Iowa City, Ia. - The University of Iowa will reduce the use of student Social Security numbers - a change that, had it been implemented earlier, would have lessened the danger of identity theft when a laptop computer was stolen last month.

The U of I has warned 280 current and former students in its MBA program to take precautions after a laptop containing their personal information was stolen from a professor's office in Davenport. There is no indication any of the information has been used since the June 30 theft, said Gary Gaeth, associate dean of the Tippie College of Business.

[...]

From cwalsh at cwalsh.org Fri Jul 14 21:26:02 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 14 Jul 2006 20:26:02 -0500
Subject: [Dataloss] Northwestern University -- 17K names and SSNs, 9 p0wned desktops
Message-ID: <5F19EB40-E823-4959-B5FE-448BDA993B5E@cwalsh.org>

Data Breach Occurs at Northwestern

EVANSTON, Ill. --- Northwestern University recently discovered that files containing names and personal identification information were on nine desktop computers that had been accessed by unauthorized persons from outside the University. As many as 17,000 individuals' records have been identified as being stored on the computers in the Office of Admission and Financial Aid. Northwestern is continuing to investigate the incident to determine if additional records may have been involved. There is no indication that the unauthorized persons accessed any of the personal information, or were even aware of its existence on those computers.

As soon as the computer security breach was discovered, Northwestern's technical support personnel shut down the affected computers. In compliance with University policies and privacy regulations, Northwestern is notifying the individuals for whom it has addresses whose information was stored on the computers.
While there is no indication that any personal information was accessed, Northwestern recommends that, as a precautionary measure, anyone who has provided Social Security number information to the University's Office of Admission and Financial Aid follow the identity theft precautions published by the Federal Trade Commission:

http://www.northwestern.edu/newscenter/stories/2006/07/data.html

From macwheel99 at sigecom.net Fri Jul 14 17:40:27 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Fri, 14 Jul 2006 16:40:27 -0500
Subject: [Dataloss] Hampton VA Breach
Message-ID: <6.2.1.2.0.20060714163312.02f78d40@mail.sigecom.net>

A public computer in the Hampton Circuit Court building had data on homeowners from across the city, and Social Security numbers on many, but not all of them, in which anyone with Internet access could get this data.

>The computer was put in the court records building sometime early in 2002 to help title searchers go through public real estate records to make sure that no back taxes were left on a property. Current law could require that Hampton send warning letters to notify every person whose information could have been stolen.

This is not the first major breach for this area.

>In early May a laptop with sensitive information on about 26.5 million veterans was stolen in Montgomery County, Md. And in February, Old Dominion University officials in Norfolk informed more than 600 students that their names and Social Security numbers had been accidentally placed on the Internet.
http://www.dailypress.com/news/dp-74086sy0jul14,0,2456559.story?track=mostemailedlink

From cwalsh at cwalsh.org Sat Jul 15 18:32:21 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sat, 15 Jul 2006 17:32:21 -0500
Subject: [Dataloss] More on Hampton, Virginia Breach
In-Reply-To: <6.2.1.2.0.20060714163312.02f78d40@mail.sigecom.net>
References: <6.2.1.2.0.20060714163312.02f78d40@mail.sigecom.net>
Message-ID:

It gets "better" -- now they say many more kinds of records were available and had SSNs attached:

http://www.dailypress.com/news/local/dp-hamptonsocialsecurity.jl15,0,6210278.story?coll=dp-news-local-final

Total exposure is guesstimated at 100K records.

From the articles it seems that the Hampton folks have little idea what was supposed to be available, and are trying to see how many of the records were accessed over the net. Since a criminal investigation is under way, they also seem to have not ruled out the possibility that the system was maliciously set up to allow this access, or that they consider accessing the information they made available to web surfers to potentially be a crime.

On Jul 14, 2006, at 4:40 PM, Al Mac wrote:
>
> http://www.dailypress.com/news/dp-74086sy0jul14,0,2456559.story?track=mostemailedlink
>

From lyger at attrition.org Sat Jul 15 20:06:38 2006
From: lyger at attrition.org (lyger)
Date: Sat, 15 Jul 2006 20:06:38 -0400 (EDT)
Subject: [Dataloss] Updated total: Hummingbird breaches 1.7 M TX Students
Message-ID:

From: Al Mac

It was earlier reported that 1.3 M had been breached. The count is now up to 1.7 M

http://www.wacotrib.com/news/content/news/stories/2006/06/17/06172006wacsecuritybreach.html

Texas Guaranteed Student Loan Corp. now says 1.7 million people's personal information was compromised when a computer containing the information was lost.

The new number is 400,000 more than the original estimate of 1.3 million people.

However, TG spokeswoman Kristin Boyer says there have been no reports of the information, including names and Social Security numbers, being improperly accessed or misused as of late this week.

[...]

From cwalsh at cwalsh.org Sun Jul 16 12:00:47 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sun, 16 Jul 2006 11:00:47 -0500
Subject: [Dataloss] Northwestern University -- 17K names and SSNs, 9 p0wned desktops, updated
In-Reply-To: <5F19EB40-E823-4959-B5FE-448BDA993B5E@cwalsh.org>
References: <5F19EB40-E823-4959-B5FE-448BDA993B5E@cwalsh.org>
Message-ID: <20060716160042.GA15385@cwalsh.org>

http://www.chicagotribune.com/news/custom/newsroom/chi-060714nu-hacked,1,5329380.story?coll=chi-news-hed

Additional info from the above: breach discovered two months ago. Boxes immediately disconnected etc. Breach occurred "after troubleshooting software, which allows technical support staff to access computers remotely, was installed on the computers."

From lyger at attrition.org Sun Jul 16 15:56:37 2006
From: lyger at attrition.org (lyger)
Date: Sun, 16 Jul 2006 15:56:37 -0400 (EDT)
Subject: [Dataloss] Mississippi - Identity details found on state site
Message-ID:

http://www.clarionledger.com/apps/pbcs.dll/article?AID=/20060716/NEWS/607160386/1001

By Joshua Cogswell
July 16, 2006

Until Friday morning, the secretary of state's Web site was a potential gold mine for would-be identity thieves. More than 2 million documents - thousands containing individuals' Social Security numbers - called Uniform Commercial Code filings had been available for public perusal.

But after calls from concerned residents, privacy advocates and The Clarion-Ledger, the secretary of state's office on Friday disabled links to the documents.

UCC filings are necessary when a person puts up collateral to secure a loan. The information was put online to make it easier for lenders to access the information.

[...]
From cwalsh at cwalsh.org Sun Jul 16 16:52:31 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sun, 16 Jul 2006 15:52:31 -0500
Subject: [Dataloss] Question about Polo Ralph Lauren
Message-ID: <20060716205225.GA1170@cwalsh.org>

In April 2005, it came out that Polo Ralph Lauren had improperly-configured POS terminals that had stored CC information from 6/2002 to 12/2004. This became public when HSBC announced it was sending new cards to 180K customers.

Even though we know that this event revealed more than just the HSBC cardholders' info, I can't find a revised number for the amount of records exposed. I also can't find any reports of how the info was revealed (e.g., was it accessible via a web site??).

If anybody has pointers to more info on this, please let me know?

Thanks
Chris

From cwalsh at cwalsh.org Sun Jul 16 23:45:45 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sun, 16 Jul 2006 22:45:45 -0500
Subject: [Dataloss] Newspaper: OU investigation notes destroyed, in violation of law
Message-ID:

http://www.dispatch.com/news-story.php?story=dispatch/2006/07/15/20060715-E1-00.html

By Randy Ludlow
THE COLUMBUS DISPATCH
July 15, 2006

ATHENS, Ohio - A consulting firm hired to investigate data theft at Ohio University violated state public records law when it destroyed interview notes and other documents it used to prepare the audit, a newspaper has reported.

Moran Technology Consulting of Naperville, Ill., acknowledged the error after The Columbus Dispatch filed a public records request in an effort to get copies of the materials.

The firm's report recommended the removal of two employees.

Officials at the company routinely discard such materials and didn't realize their contract with the university held them subject to Ohio's public records law, said firm president Charles Moran.

"I apologize; we just didn't know," he said.

[...]
[courtesy of a private local mailing list]

From cwalsh at cwalsh.org Mon Jul 17 13:47:52 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 17 Jul 2006 12:47:52 -0500
Subject: [Dataloss] OU reports drop in donations in wake of data thefts
Message-ID: <20060717174747.GA30322@cwalsh.org>

Title: OU reports drop in donations in wake of data thefts
Author: Associated Press
Source: The Beacon Journal
Date Published: Wed, Jul. 12, 2006

Excerpt: The number of financial donations received by Ohio University dropped in the two months after the school announced electronic break-ins of its computer system.

For complete article see: http://www.ohio.com/mld/beaconjournal/news/state/15020648.htm

From lyger at attrition.org Mon Jul 17 19:34:48 2006
From: lyger at attrition.org (lyger)
Date: Mon, 17 Jul 2006 19:34:48 -0400 (EDT)
Subject: [Dataloss] North Carolina - EMS patient data is stolen

(From June, but not yet mentioned on this list. Courtesy Beth Givens and Privacy Rights Clearinghouse):

http://www.fayettevillenc.com/article?id=235733

Published on Wednesday, June 21, 2006

By Nancy McCleary
Staff writer

A portable computer containing the personal information of more than 24,000 people was stolen from a Cumberland County ambulance June 8.

The computer contained the information of 24,350 people treated in the past year by Cumberland County Emergency Medical Services.

Cape Fear Valley Health System, which operates the EMS, has notified the N.C. Attorney General's Office and mailed letters to the affected people, urging them to monitor bank and credit card accounts, said Clinton Weaver, a spokesman for the health system.

"We're treating this incident seriously," he said. "We know the importance of patient confidentiality, and we're looking at ways to prevent this in the future."

[...]
From blitz at strikenet.kicks-ass.net Mon Jul 17 21:49:53 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Mon, 17 Jul 2006 21:49:53 -0400
Subject: [Dataloss] North Carolina - EMS patient data is stolen
Message-ID: <7.0.1.0.2.20060717214720.038e9068@strikenet.kicks-ass.net>

In their position, this is prob a violation of patients' HIPAA rights. HOWEVER, the organization in charge of enforcing HIPAA complaints has yet to undertake a single enforcement action. Wonder why? It's full of self-protecting doctors, insurance-scum and is protecting their own backsides of course.

HIPAA is worthless!

At 19:34 7/17/2006, you wrote:
> (From June, but not yet mentioned on this list. Courtesy Beth Givens and Privacy Rights Clearinghouse):
>
> http://www.fayettevillenc.com/article?id=235733
>
> Published on Wednesday, June 21, 2006
>
> By Nancy McCleary
> Staff writer
>
> A portable computer containing the personal information of more than 24,000 people was stolen from a Cumberland County ambulance June 8.
>
> The computer contained the information of 24,350 people treated in the past year by Cumberland County Emergency Medical Services.
>
> Cape Fear Valley Health System, which operates the EMS, has notified the N.C. Attorney General's Office and mailed letters to the affected people, urging them to monitor bank and credit card accounts, said Clinton Weaver, a spokesman for the health system.
>
> "We're treating this incident seriously," he said. "We know the importance of patient confidentiality, and we're looking at ways to prevent this in the future."
>
> [...]
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/errata/dataloss/

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From henryojo at yahoo.com Tue Jul 18 06:49:35 2006
From: henryojo at yahoo.com (henry ojo)
Date: Tue, 18 Jul 2006 11:49:35 +0100 (BST)
Subject: [Dataloss] REDUCING THE IMPACT OF PII SECURITY BREACHES
Message-ID: <20060718104935.13868.qmail@web56106.mail.re3.yahoo.com>

REDUCING THE IMPACT OF PII SECURITY BREACHES

The persistent security breaches that occur in so many organisations and institutions are no longer big news. What is worrying is that while it is expected in financial institutions, as obvious targets for their 'monetary rewards', it is rather unexpected in that about a third of the reported security breaches in the U.S. occur in educational institutions. Obviously the level of protection afforded the information (mainly Personal Identifiable Information, PII) held by these educational institutions is much less than their financial counterparts, yet the data breaches could be just as damaging.

What makes the PII so valuable to fraudsters? Loans, mortgages, credit cards, illegal employment could be obtained using this kind of information. This now rests the burden of responsibility at the feet of organisations that use PIIs as the only way to validate the identity of applicants for their services.

Fraudsters use this information largely because it is inherently 'low risk' with huge returns, as the risk of being physically present is eliminated by organisations relying heavily on e-commerce.

The question is, do the benefits of cost cutting, easing organisation's operations by doing substantial amounts of business online, outweigh the impact of not providing enough protection to customers' PII by not streamlining processes and procedures to aid the security of customers' PII, at the risk of legislative/regulatory fines etc.?
A suggestion to revert to the stone ages is not being conceived, but the emphasis on using PIIs for validations, verifications and even in some cases authentication by a lot of institutions should be reduced. Biometrics, token password solutions provide alternative authentication mechanisms, which organisations avoid because of costs, but in the long term an ROI might justify the investment against legislative/regulatory fines, litigation, legal fees and loss of goodwill/reputation.

Henry Ojo BSc HISP BS7799 Auditor
www.efortresses.ie
Cell: 00353 874182266
Office: +(0) 7958430094
Fax: +(0) 7092 0950843

---------------------------------
The all-new Yahoo! Mail goes wherever you go - free your email address from your Internet provider.

From info2006 at worldprivacyforum.org Tue Jul 18 12:13:04 2006
From: info2006 at worldprivacyforum.org (World Privacy Forum)
Date: Tue, 18 Jul 2006 09:13:04 -0700
Subject: [Dataloss] North Carolina - EMS patient data is stolen
In-Reply-To: <7.0.1.0.2.20060717214720.038e9068@strikenet.kicks-ass.net>
References: <7.0.1.0.2.20060717214720.038e9068@strikenet.kicks-ass.net>

The ambulance company probably has a business associate agreement with one or more health care providers, so they are probably a covered entity under HIPAA. What is disturbing about these cases where medical information is specifically targeted is that the folks making the breach notifications are not giving consumers proper warnings about the medical aspects of identity theft. For example, these breach victims should be specifically checking their insurance company payouts even more than their credit report.

We published a report on medical identity theft in May, and have just published a detailed FAQ for victims.
The harms for medical identity theft can be profound and challenging for victims to uncover and resolve: .

--Pam Dixon

On Jul 17, 2006, at 6:49 PM, blitz wrote:

> In their position, this is prob a violation of patients' HIPAA rights. HOWEVER, the organization in charge of enforcing HIPAA complaints has yet to undertake a single enforcement action. Wonder why? It's full of self-protecting doctors, insurance-scum and is protecting their own backsides of course.
> HIPAA is worthless!
>
> At 19:34 7/17/2006, you wrote:
>
>> (From June, but not yet mentioned on this list. Courtesy Beth Givens and Privacy Rights Clearinghouse):
>>
>> http://www.fayettevillenc.com/article?id=235733
>>
>> Published on Wednesday, June 21, 2006
>>
>> By Nancy McCleary
>> Staff writer
>>
>> A portable computer containing the personal information of more than 24,000 people was stolen from a Cumberland County ambulance June 8.
>>
>> The computer contained the information of 24,350 people treated in the past year by Cumberland County Emergency Medical Services.
>>
>> Cape Fear Valley Health System, which operates the EMS, has notified the N.C. Attorney General's Office and mailed letters to the affected people, urging them to monitor bank and credit card accounts, said Clinton Weaver, a spokesman for the health system.
>>
>> "We're treating this incident seriously," he said. "We know the importance of patient confidentiality, and we're looking at ways to prevent this in the future."
>>
>> [...]

From lyger at attrition.org Tue Jul 18 12:46:41 2006
From: lyger at attrition.org (lyger)
Date: Tue, 18 Jul 2006 12:46:41 -0400 (EDT)
Subject: [Dataloss] Kansas - USDA Laptop with Personal Data Compromised

Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://www.boston.com/news/nation/washington/articles/2006/07/18/usda_laptop_with_personal_data_compromised/

A laptop computer bag was stolen from an Agriculture Department worker's car in Kansas, and the names, addresses and Social Security numbers of about 350 employees may have been accessed, the department said.

The case, containing a computer and a printout of the data, has since been returned to a meat plant, department spokesman Ed Loyd said Tuesday. But it was obvious someone had rummaged through the case, Loyd said.

The theft may have affected about 350 full-time and part-time employees and state contractors involved in federal Agricultural Marketing Service meat grading programs in 30 states and the District of Columbia, the department said.

[...]

From adam at homeport.org Tue Jul 18 12:53:10 2006
From: adam at homeport.org (Adam Shostack)
Date: Tue, 18 Jul 2006 12:53:10 -0400
Subject: [Dataloss] UK Royal Laptop
Message-ID: <20060718165310.GA17182@homeport.org>

http://www.contractoruk.com/news/002759.html

> A contractor has been accused of stealing a laptop containing es from inside Buckingham Palace, Contractor UK has learnt.
>
> The £4,000 computer was lifted from a senior aide's office inside the Queen's London home sparking a red alert among royal bodyguards.
> The disappearance of the computer was reported by the red-faced aide, who told Special Branch it contains top secret email addresses, phone numbers and diaries.

via http://www.privacylawyer.ca/blog/2006/07/not-even-royal-laptop-is-safe.html

From george at myitaz.com Tue Jul 18 17:38:41 2006
From: george at myitaz.com (George Toft)
Date: Tue, 18 Jul 2006 14:38:41 -0700
Subject: [Dataloss] REDUCING THE IMPACT OF PII SECURITY BREACHES
In-Reply-To: <20060718104935.13868.qmail@web56106.mail.re3.yahoo.com>
References: <20060718104935.13868.qmail@web56106.mail.re3.yahoo.com>
Message-ID: <44BD54E1.3060604@myitaz.com>

A quick google for the terms:

information security program GLBA

shows several universities that realize that they ARE financial institutions per the Federal Government's definition under the Gramm-Leach-Bliley Financial Modernization Act. The GLBA Security Rule has been in effect for over three years now, so those universities that are behind the times need to catch up and comply with already existing laws.

See http://www.google.com/search?num=50&hl=en&lr=&safe=off&q=information+security+program+GLBA&btnG=Search

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

henry ojo wrote:
>
> REDUCING THE IMPACT OF PII SECURITY BREACHES
>
> The persistent security breaches that occur in so many organisations and institutions are no longer big news. What is worrying is that while it is expected in financial institutions, as obvious targets for their 'monetary rewards', it is rather unexpected in that about a third of the reported security breaches in the U.S. occur in educational institutions. Obviously the level of protection afforded the information (mainly Personal Identifiable Information, PII) held by these educational institutions is much less than their financial counterparts, yet the data breaches could be just as damaging.
> What makes the PII so valuable to fraudsters? Loans, mortgages, credit cards, illegal employment could be obtained using this kind of information. This now rests the burden of responsibility at the feet of organisations that use PIIs as the only way to validate the identity of applicants for their services.
> Fraudsters use this information largely because it is inherently 'low risk' with huge returns, as the risk of being physically present is eliminated by organisations relying heavily on e-commerce.
> The question is, do the benefits of cost cutting, easing organisation's operations by doing substantial amounts of business online, outweigh the impact of not providing enough protection to customers' PII by not streamlining processes and procedures to aid the security of customers' PII, at the risk of legislative/regulatory fines etc.?
> A suggestion to revert to the stone ages is not being conceived, but the emphasis on using PIIs for validations, verifications and even in some cases authentication by a lot of institutions should be reduced. Biometrics, token password solutions provide alternative authentication mechanisms, which organisations avoid because of costs, but in the long term an ROI might justify the investment against legislative/regulatory fines, litigation, legal fees and loss of goodwill/reputation.
>
> Henry Ojo BSc HISP BS7799 Auditor
> www.efortresses.ie
> Cell: 00353 874182266
> Office: +(0) 7958430094
> Fax: +(0) 7092 0950843

From blitz at strikenet.kicks-ass.net Tue Jul 18 18:42:41 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Tue, 18 Jul 2006 18:42:41 -0400
Subject: [Dataloss] North Carolina - EMS patient data is stolen
References: <7.0.1.0.2.20060717214720.038e9068@strikenet.kicks-ass.net>
Message-ID: <7.0.1.0.2.20060718184107.0392db70@strikenet.kicks-ass.net>

I will wholeheartedly agree, but due to the lack of HIPAA enforcement, this is barking at the moon, unless you can obtain enough information (which is kept away from victims) to allow a civil action to go forward.

At 12:13 7/18/2006, you wrote:
> The ambulance company probably has a business associate agreement with one or more health care providers, so they are probably a covered entity under HIPAA. What is disturbing about these cases where medical information is specifically targeted is that the folks making the breach notifications are not giving consumers proper warnings about the medical aspects of identity theft. For example, these breach victims should be specifically checking their insurance company payouts even more than their credit report.
>
> We published a report on medical identity theft in May, and have just published a detailed FAQ for victims. The harms for medical identity theft can be profound and challenging for victims to uncover and resolve:
> .
>
> --Pam Dixon
>
> On Jul 17, 2006, at 6:49 PM, blitz wrote:
>
>> In their position, this is prob a violation of patients' HIPAA rights. HOWEVER, the organization in charge of enforcing HIPAA complaints has yet to undertake a single enforcement action. Wonder why? It's full of self-protecting doctors, insurance-scum and is protecting their own backsides of course.
>> HIPAA is worthless!
>>
>> At 19:34 7/17/2006, you wrote:
>>
>>> (From June, but not yet mentioned on this list. Courtesy Beth Givens and Privacy Rights Clearinghouse):
>>>
>>> http://www.fayettevillenc.com/article?id=235733
>>>
>>> Published on Wednesday, June 21, 2006
>>>
>>> By Nancy McCleary
>>> Staff writer
>>>
>>> A portable computer containing the personal information of more than 24,000 people was stolen from a Cumberland County ambulance June 8.
>>>
>>> The computer contained the information of 24,350 people treated in the past year by Cumberland County Emergency Medical Services.
>>>
>>> Cape Fear Valley Health System, which operates the EMS, has notified the N.C. Attorney General's Office and mailed letters to the affected people, urging them to monitor bank and credit card accounts, said Clinton Weaver, a spokesman for the health system.
>>>
>>> "We're treating this incident seriously," he said. "We know the importance of patient confidentiality, and we're looking at ways to prevent this in the future."
>>>
>>> [...]

From lyger at attrition.org Wed Jul 19 11:26:30 2006
From: lyger at attrition.org (lyger)
Date: Wed, 19 Jul 2006 11:26:30 -0400 (EDT)
Subject: [Dataloss] Nebraska - Lost Nelnet tape has data on 188,000

URL behind registration screen:

http://www.omaha.com/index.php?u_pg=46&u_sid=2208498&u_rnd=5799049

Published Tuesday July 18, 2006

About 188,000 student loan customers nationwide of Nelnet Inc. of Lincoln may be affected by a lost computer tape that contains their personal information.

Nelnet said it is notifying its customers, as well as other lenders whose customers may be affected, that the tape can't be located.

The tape, according to Nelnet, was in the possession of United Parcel Service. It included data on loans serviced by Nelnet that were previously serviced by the College Access Network between Nov. 1, 2002, and May 31 of this year.

Nelnet said it had no reason to believe the information has been used inappropriately and that it had not received reports of unauthorized activity.

UPS conducted "an exhaustive investigation" and could not locate the shipment but also found no indication that the package had left UPS's control, Nelnet said.

[...]

From cwalsh at cwalsh.org Wed Jul 19 19:49:26 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 19 Jul 2006 18:49:26 -0500
Subject: [Dataloss] Nelnet -- registration-free info (also a bit on Northwestern)
Message-ID: <5F0755A5-E389-4ACA-8351-9659B047DFE1@cwalsh.org>

http://www.consumeraffairs.com/news04/2006/07/northwestern_data.html

"On July 17th, student loan company Nelnet reported that a data tape containing information on 188,000 borrowers had gone missing while in the possession of United Parcel Service (UPS). The data involved loans serviced by Nelnet that previously belonged to the College Access Network, dating between November 1, 2002, and May 31st, 2006.
In a public statement notifying borrowers of the loss, Nelnet claimed UPS had not "lost control of the package," but was nevertheless unable to find it. Nelnet's chief information officer, Ray Ciarvella, claimed the tapes required "sophisticated data-mapping equipment" to utilize, and that the process used to create them was "no longer employed."

Neither Nelnet nor UPS explained how the data tapes could be missing and in UPS' control simultaneously, or why such a sophisticated system for storing data was being phased out."

From lyger at attrition.org Wed Jul 19 21:08:00 2006
From: lyger at attrition.org (lyger)
Date: Wed, 19 Jul 2006 21:08:00 -0400 (EDT)
Subject: [Dataloss] Minnesota - Missing package of tax data turns up in mail

(follow-up to previously posted story)

http://www.startribune.com/462/story/562376.html

Mark Brunswick, Star Tribune
Last update: July 19, 2006 - 4:55 PM

A package containing sensitive taxpayer information that mysteriously disappeared in the mail two months ago just as mysteriously re-appeared on Wednesday.

The package contained public, private and non-public data about 2,400 individuals and 48,000 businesses and was sent via certified mail by state Revenue Department employees in Baxter.

[...]

From lyger at attrition.org Fri Jul 21 07:59:51 2006
From: lyger at attrition.org (lyger)
Date: Fri, 21 Jul 2006 07:59:51 -0400 (EDT)
Subject: [Dataloss] Official reprimanded in DOE hacker case

Courtesy InfoSec News and WK:

http://seattlepi.nwsource.com/national/1152AP_File_Theft.html

By H. JOSEF HEBERT
ASSOCIATED PRESS WRITER
July 20, 2006

WASHINGTON -- Energy Secretary Samuel Bodman has reprimanded a senior official because 1,502 nuclear weapons workers were not told for nearly 10 months that their Social Security numbers and other information had been stolen by a computer hacker.
The action came as the department's inspector general blamed a breakdown in communications and poor management judgment for the failures to properly respond to the theft.

The IG report also said there was a "lengthy delay in the department's assessment of the impact" of the improper penetration of the National Nuclear Security Administration's computers at a service center in Albuquerque, N.M., last September. The incident was not made public, nor were the individuals whose information had been compromised informed, until June.

[...]

From lyger at attrition.org Sat Jul 22 15:31:18 2006
From: lyger at attrition.org (lyger)
Date: Sat, 22 Jul 2006 15:31:18 -0400 (EDT)
Subject: [Dataloss] CDT, Groups Oppose Vote on Weak Data Breach Bill

Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://www.cdt.org/headlines/916

(Center for Democracy and Technology)

CDT has joined with a group of public interest advocates to oppose a reported attempt by the House of Representatives to pass a weak data breach bill that would roll back important consumer protections. In a letter sent to House leaders, CDT, Consumers Union, the Consumer Federation of America, the U.S. Public Interest Research Group, Consumer Action and the Privacy Rights Clearinghouse, urged lawmakers not to vote on H.R. 3997, a Financial Services Committee bill which does more to protect banks than consumers. Instead the groups urged lawmakers to vote on H.R. 4127, an Energy and Commerce Committee bill which contains stronger provisions for notifying consumers after data breaches and enables consumers to find out what is in their data broker files.
(link includes joint letter in PDF format)

From lyger at attrition.org Sat Jul 22 16:21:22 2006
From: lyger at attrition.org (lyger)
Date: Sat, 22 Jul 2006 16:21:22 -0400 (EDT)
Subject: [Dataloss] CS Stars loses computer with personal details - over 500K in NY

http://www.newsday.com/ny-uscomp0722,0,4389008.story?coll=ny-top-headlines

By John Riley
Newsday Staff Writer
July 21, 2006, 8:52 PM EDT

More than a half-million New Yorkers who have made claims to a special workers' compensation fund have been notified that a Chicago-based claims-management software firm has lost track of a personal computer containing their private data, including Social Security numbers.

The company, CS Stars, a subsidiary of insurance giant Marsh Inc., lost track of the computer while installing claims-management software for the Special Funds Conservation Committee, a private insurer-and-employer group that handles two particular types of workers' comp claims under New York State law.

The company has called in the FBI to investigate the May 9 disappearance of the computer, and in a letter dated July 18 promised New Yorkers whose data were lost that it would provide free credit monitoring for the next year to nip any possible identity theft in the bud, and $25,000 in identity-theft insurance.

"We're working to recover the data and protect all the people whose data is missing," said Al Modugno, a company spokesman. He said there was no indication, to date, that anyone had misused data from the missing computer.

[...]

From cwalsh at cwalsh.org Sat Jul 22 20:52:10 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sat, 22 Jul 2006 19:52:10 -0500
Subject: [Dataloss] Marsh Inc. loses computer with claims data on more than 500K NYers, including DOB, SSN, address

Software firm loses computer loaded with personal details of about 500K in NY

By JOHN RILEY
Newsday Staff Writer
July 21, 2006, 8:52 PM EDT

More than a half-million New Yorkers who have made claims to a special workers' compensation fund have been notified that a Chicago-based claims-management software firm has lost track of a personal computer containing their private data, including Social Security numbers.

The company, CS Stars, a subsidiary of insurance giant Marsh Inc., lost track of the computer while installing claims-management software for the Special Funds Conservation Committee, a private insurer-and-employer group that handles two particular types of workers' comp claims under New York State law.

The company has called in the FBI to investigate the May 9 disappearance of the computer, and in a letter dated July 18 promised New Yorkers whose data were lost that it would provide free credit monitoring for the next year to nip any possible identity theft in the bud, and $25,000 in identity-theft insurance.

"We're working to recover the data and protect all the people whose data is missing," said Al Modugno, a company spokesman. He said there was no indication, to date, that anyone had misused data from the missing computer.

The Special Funds Conservation Committee handles workers' compensation coverage in New York for about 56,500 disabled workers who suffer a second injury, and about 36,000 old claims that are reopened. In existence since 1938, it maintains records on about 540,000 old and current claimants, said chief executive Steven Licht.

"Obviously, we're not thrilled with this situation," Licht said.

"You always see stories about identity theft," said one Long Islander who got a letter from CS Stars, but asked that his name not be disclosed. "People can play with your name and get loans under your name, so obviously we're worried about that."

All the names in the database, Licht said, had address, date of birth and Social Security number attached, and some also would have employer and accident information, but none had confidential medical records included. Licht also said there were copies of all the data, and claims payments had not been interrupted.

Modugno said an employee at CS Stars' headquarters first realized that the computer containing New Yorkers' private data was missing on May 9. The employee, he said, did not notify management until June 19. Management was "appalled" by the delay, Modugno said, and initiated an investigation by another Marsh subsidiary, the security firm Kroll Inc., on June 23. It let Licht's group know their data had been lost on June 29, and notified the FBI on June 30.

The company still has no idea what happened to the computer. "The facility is protected by key-card access, on-site personnel, and has cameras," Modugno said.

[http://www.newsday.com/ny-uscomp0722,0,4389008.story?coll=ny-top-headlines]

From lyger at attrition.org Mon Jul 24 16:56:36 2006
From: lyger at attrition.org (lyger)
Date: Mon, 24 Jul 2006 16:56:36 -0400 (EDT)
Subject: [Dataloss] Personal Information of NYC Homeless Leaked

Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://www.scmagazine.com/uk/news/article/571262

The personal information of more than 8,000 of New York City's homeless accidentally was leaked in an email Friday, the New York Daily News reported in its Saturday editions.

The email attachment, errantly sent out by an unnamed city Department of Homeless Services employee, landed in the inboxes of an unknown number of homeless advocates and city officials, the paper reported, citing undisclosed sources. The agency immediately recognized the mistake and sent another email to recipients, asking them to kill the message, which contained the names and Social Security numbers of 8,400 homeless parents.
Department spokeswoman Angela Allen confirmed to SC Magazine this morning that the incident occurred, although she would not immediately release additional details, such as whether the city had notified or planned to notify the victims. She said she planned to research the matter and provide more findings this afternoon.

[...]

From lyger at attrition.org Tue Jul 25 11:50:08 2006
From: lyger at attrition.org (lyger)
Date: Tue, 25 Jul 2006 11:50:08 -0400 (EDT)
Subject: [Dataloss] Georgetown University - E-Health Gaffe Exposes Hospital

http://www.wired.com/news/technology/0,71453-0.html

By Kevin Poulsen
02:00 AM Jul, 25, 2006

Georgetown University Hospital suspended a trial program with an electronic prescription-writing firm last week after a computer consultant stumbled upon an online cache of data belonging to thousands of patients, Wired News has learned.

The leaked information included patients' names, addresses, Social Security numbers and dates of birth, but not medical data or the drugs the patients were prescribed, says Marianne Worley, a spokeswoman for the Washington, D.C.-based hospital known for providing emergency care to the nation's most powerful political figures.

The hospital had securely transmitted the patient data to e-prescription provider InstantDx. But an Indiana-based consultant accidentally discovered the data on InstantDx's computers while working to install medical software for a client.

"The initial investigation has found that no patient demographic data was inappropriately used," says Worley, who says between 5,600 and 23,000 patients were affected. She added that the hospital learned of the breach when Wired News contacted it last week.

[...]
From lyger at attrition.org Tue Jul 25 15:00:38 2006
From: lyger at attrition.org (lyger)
Date: Tue, 25 Jul 2006 15:00:38 -0400 (EDT)
Subject: [Dataloss] Armstrong World Industries employee data lost

http://local.lancasteronline.com/4/24293

By Patrick Burns, Intelligencer Journal Staff
Published: Jul 25, 2006 8:09 AM EST

LANCASTER COUNTY, PA - Armstrong World Industries informed workers last week that a thief had stolen a laptop computer containing personal information on about 12,000 current and former employees.

A company memo sent July 20 from Armstrong's Lancaster headquarters said the stolen laptop had been in the possession of an employee of Deloitte & Touche LLP, a firm that conducts regular internal audits for Armstrong.

F. Nicholas Grasberger III, Armstrong senior vice president and chief financial officer, said the personal information on the stolen laptop contained names, home addresses, phone numbers, Social Security numbers, employee identification numbers, annual salary/hourly wage data and the bank account numbers of employees who have their checks directly deposited.

"We sincerely apologize for the incident and its associated risk," Grasberger's two-page memo stated.

[...]

From lyger at attrition.org Tue Jul 25 17:31:41 2006
From: lyger at attrition.org (lyger)
Date: Tue, 25 Jul 2006 17:31:41 -0400 (EDT)
Subject: [Dataloss] Old Mutual Capital client data stolen

http://www.moneyweb.co.za/shares/international_news/767831.htm

Shefali Anand, Wall Street Journal
Posted: Tue, 25 Jul 2006 07:47

It is the latest instance of a lost laptop triggering concern about identity theft. Old Mutual Capital Inc., a midsize distributor of mutual funds, has sent letters to 6,500 fund shareholders informing them that a laptop was stolen that contained personal information about clients' names, addresses, account numbers and in some cases Social Security numbers.
Old Mutual Capital, a subsidiary of United Kingdom-based financial-services firm Old Mutual PLC, is a distributor of funds of Old Mutual and its affiliates. A spokesman for the company said the theft, which took place in late May, affects "slightly more than two percent of the shareholder base." He added that to date there have been "no instances of inappropriate attempts to access accounts" and "no discernible signs of identity-theft activity."

[...]

From lyger at attrition.org Wed Jul 26 18:27:54 2006
From: lyger at attrition.org (lyger)
Date: Wed, 26 Jul 2006 18:27:54 -0400 (EDT)
Subject: [Dataloss] Subsidiary of Canadian Medical Association Reports Possible Privacy Data Loss
Message-ID:

Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://www.theglobeandmail.com/servlet/story/RTGAM.20060726.gtlaptop0726/BNStory/Technology/

Hundreds of angry doctors and their families are demanding answers from a financial services company after a laptop containing thousands of personal files was stolen from a car in a parking lot.

"I'm furious," said one of the clients, who asked not to be identified. "We trust these people with virtually all our financial information."

About 8,000 clients of MD Management, a subsidiary of the Canadian Medical Association, received a letter from the company dated June 29 warning them that a laptop computer containing detailed information about their financial and professional circumstances had been stolen.

The computer was taken from an MD Management employee's locked car during a break-in, said Guy Belanger, president of the MD Financial Group.

[...]

From lyger at attrition.org Wed Jul 26 18:31:15 2006
From: lyger at attrition.org (lyger)
Date: Wed, 26 Jul 2006 18:31:15 -0400 (EDT)
Subject: [Dataloss] CS Stars - Computer holding personal data found
Message-ID:

http://www.msnbc.msn.com/id/14047484/

Updated: 54 minutes ago

ALBANY, N.Y. - A computer that was lost with the personal information of as many as 540,000 injured workers has been located, state officials said Wednesday.

The FBI and the private company that had been in possession of the state-owned personal computer would not say how or where it was found, only that it was in "a secure location."

Officials said Monday the computer was missing from a secured facility of Chicago-based CS Stars, an independent insurance brokerage. Most of the workers are New Yorkers from across the state who are in two special funds of the workers' compensation system.

[...]

From lyger at attrition.org Wed Jul 26 20:30:01 2006
From: lyger at attrition.org (lyger)
Date: Wed, 26 Jul 2006 20:30:01 -0400 (EDT)
Subject: [Dataloss] Two Navy Computers With Personal Data of 31,000 Stolen
Message-ID:

Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2006/07/26/national/w161435D73.DTL

Wednesday, July 26, 2006 16:14 PDT

WASHINGTON - Two laptop computers with personal information on about 31,000 Navy recruiters and their prospective recruits were stolen from Navy offices in New Jersey in June and July, the Navy disclosed on Wednesday.

It was the third time in little more than a month that personal data on Navy personnel has been lost or unintentionally released publicly over the Internet.

"There have been no reports of illegal usage of personal data identified by these incidents," said Navy spokesman, Lt. Bashon W. Mann, adding that the Navy is identifying the affected individuals. He said the information on the laptops was secured by several layers of password protection.

[...]
From blitz at strikenet.kicks-ass.net Wed Jul 26 20:41:43 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Wed, 26 Jul 2006 20:41:43 -0400
Subject: [Dataloss] CS Stars - Computer holding personal data found
In-Reply-To:
References:
Message-ID: <7.0.1.0.2.20060726204021.03940628@strikenet.kicks-ass.net>

I got a notification today I was one of the victims. Anyone know a good law firm that takes these cases? The locals are all paid-off or too stupid to know what's at stake here.

At 18:31 7/26/2006, you wrote:
>http://www.msnbc.msn.com/id/14047484/
>
>Updated: 54 minutes ago
>
>ALBANY, N.Y. - A computer that was lost with the personal information of
>as many as 540,000 injured workers has been located, state officials said
>Wednesday.
>
>The FBI and the private company that had been in possession of the
>state-owned personal computer would not say how or where it was found,
>only that it was in "a secure location."
>
>Officials said Monday the computer was missing from a secured facility of
>Chicago-based CS Stars, an independent insurance brokerage. Most of the
>workers are New Yorkers from across the state who are in two special funds
>of the workers' compensation system.
>
>[...]
>
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/errata/dataloss/
>
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060726/3c3cac14/attachment.html

From lyger at attrition.org Thu Jul 27 18:51:33 2006
From: lyger at attrition.org (lyger)
Date: Thu, 27 Jul 2006 18:51:33 -0400 (EDT)
Subject: [Dataloss] Los Angeles County - Private data is at risk of theft
Message-ID:

(If anyone has more information on the three events listed in the following story, please pass along?)

http://www.dailynews.com/news/ci_4099829

Security breaches at three Los Angeles County agencies in recent months might have put hundreds of consumers' personal information at risk, officials said Wednesday.

Laptop computers at an Adult Protective Services office in Burbank were stolen over the weekend, the laptop of a community and senior services employee was stolen two months ago and earlier this month a computer hacker in Germany broke into the Community Development Commission's computer system in Monterey Park, officials said.

While no incidences of identity theft have been reported in connection with the cases, county Sheriff's Department officials on Wednesday urged residents and agencies to take even greater care in protecting vital information, noting that identity theft is now the fastest-growing form of consumer fraud, with more than 1 million Californians victimized so far this year.

[...]

From lyger at attrition.org Fri Jul 28 00:24:20 2006
From: lyger at attrition.org (lyger)
Date: Fri, 28 Jul 2006 00:24:20 -0400 (EDT)
Subject: [Dataloss] Kaiser Permanente Joins Lost Laptop Crowd: 160,000 at Risk
Message-ID:

Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com

http://blog.wired.com/27BStroke6/index.blog?entry_id=1529043

Kaiser Permanente mailed letters this week to 160,000 of its Northern California-based HMO subscribers, informing them that a laptop containing their personal information, including their phone numbers and Kaiser numbers, had been stolen.
The data was being used to market Hearing Aid Services to 160,000 Health Plan members in Northern California, though the person who tipped Wired News to the story has no history of hearing problems.

No social security numbers were on the laptop, which was stolen sometime in late June from a "secure office" in the Permanente Medical Group Business Development Group, according to a Kaiser spokeswoman and a member representative answering a toll free number for Kaiser members.

The letter suggested that the risk may be limited, as the laptop required a user name and password, but made no mention of encryption.

[...]

From blitz at strikenet.kicks-ass.net Fri Jul 28 04:42:54 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Fri, 28 Jul 2006 04:42:54 -0400
Subject: [Dataloss] CS Stars Document
Message-ID: <7.0.1.0.2.20060728043934.00a2cae8@macronet.net>

For your convenience, attrition has it hosted here: (Best tradeoff of bandwidth vs availability)

http://attrition.org/dataloss/cs_stars_redact.pdf

Anyone wanting a copy use that link. Feel free to use it in the furtherance of data security with my blessings.

Marc Blitz

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060728/d261d5f2/attachment.html

From lyger at attrition.org Sat Jul 29 21:47:55 2006
From: lyger at attrition.org (lyger)
Date: Sat, 29 Jul 2006 21:47:55 -0400 (EDT)
Subject: [Dataloss] Sentry Insurance Says Customer Data Stolen
Message-ID:

Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://www.mercurynews.com/mld/mercurynews/business/technology/15153907.htm

Personal information on 72 worker's compensation claimants was stolen from Sentry Insurance and later sold over the Internet, the company said.

The data sold included names and Social Security numbers but not medical records, Sentry said. Data on an additional 112,198 claimants was also stolen but there is no evidence it was sold, the company said.

Sentry said it notified everyone affected and was providing credit monitoring services to help prevent fraud.

[...]

From george at myitaz.com Sun Jul 30 14:15:18 2006
From: george at myitaz.com (George Toft)
Date: Sun, 30 Jul 2006 11:15:18 -0700
Subject: [Dataloss] Sentry Insurance Says Customer Data Stolen
In-Reply-To:
References:
Message-ID: <44CCF736.8060008@myitaz.com>

At this point, I would like to point out that Wisconsin has a weak Identity Theft protection/reporting law (might not even be law yet). Per Consumers Union (www.consumersunion.org/campaigns/Breach_laws_May05.pdf), Wisconsin has a bill SB164: "The entity need only provide notice if it knows that personal information has been acquired by an unauthorized person. And there is a material risk of identity theft or fraud."

Well, the risk has been realized. And we have an insurance company [bound to comply with the Gramm-Leach-Bliley Act and SOX 404, so they should have had adequate security measures in place to prevent this incident - separation of duty (legal requirement) and not using live data in development (best practice)] who chooses not to report the breach until 72 people's information is sold over the Internet.
They chose to keep it quiet and not tell anyone because there was no requirement to notify anyone of the breach. Reading between the lines in the article, it looks like the Secret Service was on top of the event before Sentry Insurance. I wonder how soon the class-action lawsuit will be filed.

As this incident demonstrates, failure to disclose data loss events leads to identity theft. Disclosure seems to have a positive [short-term] effect on preventing ID Theft.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

lyger wrote:
> Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/
>
> http://www.mercurynews.com/mld/mercurynews/business/technology/15153907.htm
>
> Personal information on 72 worker's compensation claimants was stolen
> from Sentry Insurance and later sold over the Internet, the company said.
>
> The data sold included names and Social Security numbers but not
> medical records, Sentry said. Data on an additional 112,198 claimants
> was also stolen but there is no evidence it was sold, the company said.
>
> Sentry said it notified everyone affected and was providing credit
> monitoring services to help prevent fraud.
>
> [...]
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/errata/dataloss/
>
>

From george at myitaz.com Sun Jul 30 14:14:01 2006
From: george at myitaz.com (George Toft)
Date: Sun, 30 Jul 2006 11:14:01 -0700
Subject: [Dataloss] long term effects of data loss
Message-ID: <44CCF6E9.5030104@myitaz.com>

I am wondering about the long-term effects of record loss. It seems to me that all a thief needs to do is wait a year or two to use the information - after all, you can't change your SSN, Birth Date, and are probably not changing your name, so the info is good for years to come.

My thinking is that people tend to forget about the fraud alerts, which only last 90 days. Maybe they renew them a couple times. After a year or so, the thief should be able to act on the data and perhaps 1/2 will be effective.

Thoughts? Enlightenment?

--
George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

From macwheel99 at sigecom.net Mon Jul 31 07:03:28 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Mon, 31 Jul 2006 06:03:28 -0500
Subject: [Dataloss] long term effects of data loss
In-Reply-To: <44CCF6E9.5030104@myitaz.com>
References: <44CCF6E9.5030104@myitaz.com>
Message-ID: <6.2.1.2.0.20060731055800.029a8770@mail.sigecom.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060731/ff74eb7f/attachment.html

From bgivens at privacyrights.org Mon Jul 31 18:05:52 2006
From: bgivens at privacyrights.org (Beth Givens)
Date: Mon, 31 Jul 2006 15:05:52 -0700
Subject: [Dataloss] long term effects of data loss
Message-ID: <98483c675027db3c211076e25512dc65@privacyrights.org>

You are absolutely right. There's a terrible loophole in the current law, Fair Credit Reporting Act as it was amended by FACTA. And that is that ONLY bona fide id theft victims can place an "extended fraud alert" on their 3 credit reports. The extended alert is for 7 years. One has to have a police report and provide a copy to the 3 bureaus before they will establish the 7 year alert.

So people who are affected by security breaches can only place an "initial" alert of 90 days. The careful and savvy ones will keep renewing it each 90 days which is a pain.

The law needs to be changed to enable ANYONE to have an extended alert, and in fact, to heck with the 7 year alert, it should be without end.

The best thing for people to do is to take advantage of the credit freeze if they are in a state that has such a law.
Beth Givens

-----Original message-----
From: George Toft george at myitaz.com
Date: Sun, 30 Jul 2006 10:51:33 -0700
To: dataloss at attrition.org
Subject: [Dataloss] long term effects of data loss

> I am wondering about the long-term effects of record loss. It seems to
> me that all a thief needs to do is wait a year or two to use the
> information - after all, you can't change your SSN, Birth Date, and are
> probably not changing your name, so the info is good for years to come.
>
> My thinking is that people tend to forget about the fraud alerts, which
> only last 90 days. Maybe they renew them a couple times. After a year
> or so, the thief should be able to act on the data and perhaps 1/2 will
> be effective.
>
> Thoughts? Enlightenment?
> --
> George Toft, CISSP, MSIS
> My IT Department
> www.myITaz.com
> 480-544-1067
>
> Confidential data protection experts for the financial industry.
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/errata/dataloss/
>
>

Beth Givens
Director
Privacy Rights Clearinghouse
(619) 298-3396
www.privacyrights.org
bgivens at privacyrights.org