From hobbit at avian.org Wed Mar 1 09:06:48 2006
From: hobbit at avian.org (*Hobbit*)
Date: Wed, 1 Mar 2006 14:06:48 +0000 (GMT)
Subject: [Dataloss] semi-OT: OTP(urchase)
Message-ID: <20060301140648.25946C30E@relayer.avian.org>

Perhaps the ubiquity of the mobile phone would allow it to be used as part of a platform supporting this, inasmuch as it provides an on-line component that one would have available at a brick+mortar establishment.

Not until the "featurization" problem with mobile devices is FIXED, and right now things seem to be rapidly heading in the wrong direction.

Thanks everyone for all the replies/discussion about the one-time options, by the way. I'll dig further into it as time permits, and be sure to report any interesting experiences I encounter along the way. I suspect that browser "requirements" may be a showstopper since most systems of this sort count on the user completely dropping his drawers.

_H*

From cwalsh at cwalsh.org Wed Mar 1 17:39:08 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 1 Mar 2006 16:39:08 -0600
Subject: [Dataloss] Bermuda bank cancels cards, cites processor breach
Message-ID: <20060301223907.GB21740@cwalsh.org>

http://www.theroyalgazette.com/apps/pbcs.dll/article?AID=/20060301/NEWS/103010124

Around 800 Bank of Bermuda customers have had their cards compromised after a security breach in the US.

It comes less than a year after 1,600 of the bank's customers were hit when a hacker broke into a system -- again in America.

Richard Brown, head of personal financial services, said: "Bank of Bermuda received notification from Visa that as a result of a recent breach of security associated with a processor of ATM transactions in the United States, a number of Bermuda-based credit and debit card numbers had been exposed to possible fraud."

[...]

Smells like the whole OfficeMax deal, but it says that this was "associated with a processor". Tough to know, isn't it?
Chris

From cwalsh at cwalsh.org Wed Mar 1 22:45:21 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 1 Mar 2006 21:45:21 -0600
Subject: [Dataloss] Medco loses 4600 prescription records, delays notice
Message-ID: <4AD096A2-5756-4EA7-A94A-8A5E80F45AE9@cwalsh.org>

Prescription drug benefits provider Medco employee loses laptop with Ohio government employee (and dependents) info. Waits six weeks to let Ohio know. Ohio complains vociferously.

Interestingly, the names of the affected individuals were not on the laptop.

Details at:
http://www.networkworld.com/news/2006/030106-medco-data-breach.html

Opinion plus details of Ohio's notification law at
http://www.emergentchaos.com/archives/2006/03/medco_prescription_drug_s.html

From adam at homeport.org Thu Mar 2 18:38:34 2006
From: adam at homeport.org (Adam Shostack)
Date: Thu, 2 Mar 2006 18:38:34 -0500
Subject: [Dataloss] Olympic Funding Chicago?
Message-ID: <20060302233834.GB23351@homeport.org>

Does anyone know anything? There's not quite enough here for my stereotyped blog headline...

http://www.pioneerlocal.com/cgi-bin/ppo-story/localnews/current/eb/03-02-06-846416.html

> George Gilou arrived at his mortgage office Feb. 6 and discovered
> the back door had been forced open. It didn't take long before he
> realized the business he owns, Olympic Funding Chicago, 6308
> N. Milwaukee Ave., had been burglarized.
>
> According to police reports, three computer hard drives were stolen,
> containing clients names, social security numbers, addresses and
> phone numbers.

In particular, was this actually just the hard drives being stolen? How many people were affected?
Adam

From cwalsh at cwalsh.org Thu Mar 2 20:38:22 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 2 Mar 2006 19:38:22 -0600
Subject: [Dataloss] LA Department of Social Services mishandling of docs exposes PII
Message-ID: <53B5CD42-6FC4-43E1-AD4D-CCE5DB921CC7@cwalsh.org>

Details (and video) at http://www.nbc4.tv/news/7612757/detail.html

Piles of boxes with W-2 info, SSNs, etc left at a recycler and elsewhere for months.

The recycler *ships them to China* where (one presumes...) they are made into paper.

From adam at homeport.org Thu Mar 2 20:54:43 2006
From: adam at homeport.org (Adam Shostack)
Date: Thu, 2 Mar 2006 20:54:43 -0500
Subject: [Dataloss] LA Department of Social Services mishandling of docs exposes PII
In-Reply-To: <53B5CD42-6FC4-43E1-AD4D-CCE5DB921CC7@cwalsh.org>
References: <53B5CD42-6FC4-43E1-AD4D-CCE5DB921CC7@cwalsh.org>
Message-ID: <20060303015443.GA28696@homeport.org>

On Thu, Mar 02, 2006 at 07:38:22PM -0600, Chris Walsh wrote:
| Details (and video) at http://www.nbc4.tv/news/7612757/detail.html
|
| Piles of boxes with W-2 info, SSNs, etc left at a recycler and
| elsewhere for months.
|
| The recycler *ships them to China* where (one presumes...) they are
| made into paper.

You are, of course, intentionally using paper in the banker's sense of the term?

From blitz at strikenet.kicks-ass.net Fri Mar 3 04:28:08 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Fri, 03 Mar 2006 04:28:08 -0500
Subject: [Dataloss] Olympic Funding Chicago?
In-Reply-To: <20060302233834.GB23351@homeport.org>
References: <20060302233834.GB23351@homeport.org>
Message-ID: <7.0.1.0.2.20060303042359.03cd3af0@strikenet.kicks-ass.net>

Hard drives alone like that would make one think it was a well planned job. Someone wanted that specific information, and it's a LOT easier to put a couple hard drives in your pocket than take the whole computer. Whole bunches less conspicuous.

Whoever did this had a specific target and knew what they wanted...no doubt about it.
With hard drives approaching the price of breakfast cereal, no one but a determined, focused thief would take the trouble to dismount them.

This has the smell of an inside job ALL OVER it.

At 18:38 3/2/2006, you wrote:
>Does anyone know anything? There's not quite enough here for my stereotyped
>blog headline...
>
>http://www.pioneerlocal.com/cgi-bin/ppo-story/localnews/current/eb/03-02-06-846416.html
>
> > George Gilou arrived at his mortgage office Feb. 6 and discovered
> > the back door had been forced open. It didn't take long before he
> > realized the business he owns, Olympic Funding Chicago, 6308
> > N. Milwaukee Ave., had been burglarized.
> >
> > According to police reports, three computer hard drives were stolen,
> > containing clients names, social security numbers, addresses and
> > phone numbers.
>
>In particular, was this actually just the hard drives being stolen?
>How many people were affected?
>
>Adam
>
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/errata/dataloss/

From adam at homeport.org Fri Mar 3 08:04:14 2006
From: adam at homeport.org (Adam Shostack)
Date: Fri, 3 Mar 2006 08:04:14 -0500
Subject: [Dataloss] Olympic Funding Chicago?
In-Reply-To: <7.0.1.0.2.20060303042359.03cd3af0@strikenet.kicks-ass.net>
References: <20060302233834.GB23351@homeport.org> <7.0.1.0.2.20060303042359.03cd3af0@strikenet.kicks-ass.net>
Message-ID: <20060303130414.GA12671@homeport.org>

While I'm tempted to agree, I don't think there's nearly enough information in the single media report to say "This has the smell of an inside job ALL OVER it."

On Fri, Mar 03, 2006 at 04:28:08AM -0500, blitz wrote:
| Hard drives alone like that would make one think it was a well planned job.
| Someone wanted that specific information, and it's a LOT easier to put a couple
| hard drives in your pocket than take the whole computer. Whole bunches less
| conspicuous.
| Whoever did this had a specific target and knew what they wanted...no doubt
| about it.
| With hard drives approaching the price of breakfast cereal, no one but a
| determined, focused thief would take the trouble to dismount them.
| This has the smell of an inside job ALL OVER it.
|
| At 18:38 3/2/2006, you wrote:
|
| Does anyone know anything? There's not quite enough here for my stereotyped
| blog headline...
|
| http://www.pioneerlocal.com/cgi-bin/ppo-story/localnews/current/eb/03-02-06-846416.html
|
| > George Gilou arrived at his mortgage office Feb. 6 and discovered
| > the back door had been forced open. It didn't take long before he
| > realized the business he owns, Olympic Funding Chicago, 6308
| > N. Milwaukee Ave., had been burglarized.
| >
| > According to police reports, three computer hard drives were stolen,
| > containing clients names, social security numbers, addresses and
| > phone numbers.
|
| In particular, was this actually just the hard drives being stolen?
| How many people were affected?
|
| Adam

From lyger at attrition.org Fri Mar 3 08:37:54 2006
From: lyger at attrition.org (lyger)
Date: Fri, 3 Mar 2006 08:37:54 -0500 (EST)
Subject: [Dataloss] Social Security Numbers Found on State Websites

http://www.usatoday.com/tech/news/internetprivacy/2006-03-02-social_x.htm

The disclosure of Ohio residents' Social Security numbers on the state government's website highlights what many privacy experts -- and criminals -- already know: Such information is readily available to anyone with an Internet connection.

It is common for the websites of the USA's secretaries of state to contain personal information, including Social Security numbers (SSNs) and home addresses, in business statements. Besides Ohio, the data is available in New York, Florida and at least seven other states, say privacy experts who provided USA TODAY with links to public websites.

[...]

From lyger at attrition.org Fri Mar 3 11:13:08 2006
From: lyger at attrition.org (lyger)
Date: Fri, 3 Mar 2006 11:13:08 -0500 (EST)
Subject: [Dataloss] Breach notification laws: When should companies tell all?
http://computerworld.com/securitytopics/security/story/0,10801,109161,00.html

MARCH 02, 2006 (COMPUTERWORLD) - While there appears to be growing industry consensus that security breach notification laws have forced companies to take more responsibility for the data they own, there is little agreement on exactly when companies should be required to notify consumers when a data breach occurs.

Ranged on one side of the debate are those who want alerts for any breach involving the potential exposure of sensitive data. On the other side are those who say that a higher disclosure threshold is needed to avoid overnotification and needless costs.

"We clearly have a responsibility to safeguard customer information," said Kirk Herath, chief privacy officer and associate general counsel at Nationwide Mutual Insurance Co. in Columbus, Ohio. "If we lose information, it's our responsibility to inform consumers because that's the only way they can protect themselves."

However, many existing state laws have "hair-triggers" when it comes to disclosure requirements, he said. "I really think the standard for disclosure should be a clear risk of danger or harm to the consumer."

[...]

From lyger at attrition.org Fri Mar 3 20:24:58 2006
From: lyger at attrition.org (lyger)
Date: Fri, 3 Mar 2006 20:24:58 -0500 (EST)
Subject: [Dataloss] Colorado College Warns 93,000 After Laptop Theft

http://www.networkworld.com/news/2006/030306-colorado-college-laptop-theft.html

A state college in Denver believes it may have lost sensitive information on more than 93,000 students after one of the school's laptop computers was stolen from an employee's home late last month.

The unnamed employee of Metropolitan State College had been using the information, including student names and Social Security numbers, to write a grant proposal, the college said Thursday.
The data, which appears to have been unencrypted, was also being used by the employee to write a master's degree thesis, the school said.

The laptop was stolen on Feb. 25, but Denver police asked the school to wait until March 1 to go public with news of the theft to help with the ongoing investigation.

Students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester are now being notified of the incident via letter, the college said.

[...]

From blitz at strikenet.kicks-ass.net Fri Mar 3 23:32:14 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Fri, 03 Mar 2006 23:32:14 -0500
Subject: [Dataloss] Olympic Funding Chicago?
In-Reply-To: <20060303130414.GA12671@homeport.org>
References: <20060302233834.GB23351@homeport.org> <7.0.1.0.2.20060303042359.03cd3af0@strikenet.kicks-ass.net> <20060303130414.GA12671@homeport.org>
Message-ID: <7.0.1.0.2.20060303170648.03d645d0@strikenet.kicks-ass.net>

Well Adam, I'm basing the premise of "an inside job" on both the specificity of the target: the drives, which can be used on ANY similar computer, and can be easily concealed, (an employee walking out could easily conceal them, and not attract much attention) plus the type of information contained therein. It would be just as easy to use a server somewhere else in a secure environ, than to store them locally as happened here. A person would need to know they were on site.

It's difficult to imagine someone risking a commercial burglary charge, and data theft charges for hard drives worth at most a few hundred dollars. The information would be worth more in the right hands, and to know that information was where it was, one could easily make the connection either the burglar worked there, or someone who did, tipped someone else to the value of the drive's information. Even if it wasn't data theft, but a desire to cripple the operations of the company, cause panic, lose customer faith, etc.
a former employee, or a competitor who knew it was there would, IMHO, qualify as an "insider".

Now, couple all that, with the claim of "taking extraordinary" measures to secure that data, including the $2800 "security" software, and the alarm system which mysteriously was left off that weekend, and I believe we have someone with the key to the encryption, and the knowledge or ability to foil the alarm. The whole thing was just too smooth IMHO.

Also missing is whether the company was insured for the theft. (Disruption of business insurance, etc.) If I were a detective, this is the route I'd be taking most certainly.

At 08:04 3/3/2006, you wrote:
>While I'm tempted to agree, I don't think there's nearly enough
>information in the single media report to say "This has the smell of
>an inside job ALL OVER it."
>
>On Fri, Mar 03, 2006 at 04:28:08AM -0500, blitz wrote:
>| Hard drives alone like that would make one think it was a well planned job.
>| Someone wanted that specific information, and it's a LOT easier to put a couple
>| hard drives in your pocket than take the whole computer. Whole bunches less
>| conspicuous.
>| Whoever did this had a specific target and knew what they wanted...no doubt
>| about it.
>| With hard drives approaching the price of breakfast cereal, no one but a
>| determined, focused thief would take the trouble to dismount them.
>| This has the smell of an inside job ALL OVER it.
>|
>| At 18:38 3/2/2006, you wrote:
>|
>| Does anyone know anything? There's not quite enough here for my stereotyped
>| blog headline...
>|
>| http://www.pioneerlocal.com/cgi-bin/ppo-story/localnews/current/eb/03-02-06-846416.html
>|
>| > George Gilou arrived at his mortgage office Feb. 6 and discovered
>| > the back door had been forced open. It didn't take long before he
>| > realized the business he owns, Olympic Funding Chicago, 6308
>| > N. Milwaukee Ave., had been burglarized.
>| >
>| > According to police reports, three computer hard drives were stolen,
>| > containing clients names, social security numbers, addresses and
>| > phone numbers.
>|
>| In particular, was this actually just the hard drives being stolen?
>| How many people were affected?
>|
>| Adam

From lyger at attrition.org Fri Mar 3 23:55:04 2006
From: lyger at attrition.org (lyger)
Date: Fri, 3 Mar 2006 23:55:04 -0500 (EST)
Subject: [Dataloss] Olympic Funding Chicago?
In-Reply-To: <7.0.1.0.2.20060303170648.03d645d0@strikenet.kicks-ass.net>
References: <20060302233834.GB23351@homeport.org> <7.0.1.0.2.20060303042359.03cd3af0@strikenet.kicks-ass.net> <20060303130414.GA12671@homeport.org> <7.0.1.0.2.20060303170648.03d645d0@strikenet.kicks-ass.net>

On Fri, 3 Mar 2006, blitz wrote:

: value of the drive's information.
: Even if it wasn't data theft, but a
: desire to cripple the operations of the company, cause panic, lose
: customer faith, etc. a former employee, or a competitor who knew it was
: there would, IMHO, qualify as an "insider".

Competitors and former employees may not qualify as "insiders", even though they may have inside knowledge regarding a company's practices. If that were to be the case, "corporate espionage" may be a better term and better qualified as an "outside attack".

: Now, couple all that, with the claim of "taking extraordinary" measures to
: secure that data, including the $2800 "security" software, and the alarm
: system which mysteriously was left off that weekend, and I believe we have
: someone with the key to the encryption, and the knowledge or ability to

I see no quoted claim of "taking extraordinary measures" in the article, and the article plainly states that "the stolen database... had no encryption software."

From rforno at infowarrior.org Sun Mar 5 10:32:40 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 05 Mar 2006 10:32:40 -0500
Subject: [Dataloss] GU Breach Found Almost 3 Weeks Ago

GU Breach Found Almost 3 Weeks Ago
http://www.washingtonpost.com/wp-dyn/content/article/2006/03/04/AR2006030401028_pf.html

By Caryle Murphy
Washington Post Staff Writer
Sunday, March 5, 2006; A09

A cyber attack on a Georgetown University computer server that exposed personal information on 41,000 elderly District residents was discovered almost three weeks ago during a routine, internal inspection, a university spokesman said yesterday.

The break-in, first disclosed by the university Friday, was not reported earlier because "it took some time to understand the nature and scope of the intrusion," spokesman Erik Smulson said. Additional time was needed for the U.S.
Secret Service -- the federal agency that investigates identity theft -- to examine the compromised server and for the university to set up a Web site and a hotline to inform the public about the attack, Smulson added.

The invaded server was used by a researcher to monitor services provided to the elderly for the D.C. Office on Aging. The personal information, including names, birthdates and Social Security numbers, was supplied by about 20 groups that contract with the Office on Aging to serve the elderly.

University computer security specialists first became aware of the intrusion Feb. 12, Smulson said, and after attempting to determine the extent of the breach, the university contacted the Office on Aging on Feb. 24. By Friday morning, they concluded that the attack may have exposed up to 41,000 names. That is the cumulative total entered into the server since the researcher's grant began in 1983.

Georgetown University is attempting to locate addresses for the 41,000 individuals to mail them letters informing them of the breach. Smulson said some people may be deceased or impossible to track down.

Meanwhile, the university is urging people who believe their name was exposed to set up a fraud alert on their credit file. It has provided information on how to do that at http://identity.georgetown.edu . Information is also available at a toll-free number, 866-740-2458.

© 2006 The Washington Post Company

From lyger at attrition.org Sun Mar 5 15:09:36 2006
From: lyger at attrition.org (lyger)
Date: Sun, 5 Mar 2006 15:09:36 -0500 (EST)
Subject: [Dataloss] What's up with Citibank?

http://www.boingboing.net/2006/03/05/citibank_under_fraud.html

BoingBoing pal and Citibank customer Jake Appelbaum tried to withdraw some cash with his ATM card on Saturday night. He initiated his bank account long ago in the US, but was in Toronto, Canada yesterday.
Jake explains: "To my surprise, the ATM machine rejected the transaction and urged me to contact my financial institution. The machine also reported on the receipt "INELIGIBLE ACCOUNT."

Jake called Citibank's international customer support number, and soon learned that the lockout was part of a much larger fraud crisis -- by no means the only data security issue at Citibank in recent months. Jake continues:

"The supervisor identified herself as a manager named Carla ID#CRU194. I identified myself as an upset customer whose account was locked for some unknown reason. She asked me a few questions about my location, my issue and then informed me that my card was suspected of fraud. Naturally, I perked my ears up and asked for details of any fraud. She informed me that there had been no direct fraudulent transactions on my account. Rather, she informed me that the ATM networks of Canada, Russia and the United Kingdom have been compromised. I used the term class break as a question and she repeated that there has been a class break of the ATM networks in those countries. The ATM network in Canada has been compromised and as a result, using my ATM card over the Canadian network locked my account automatically. She informed me that this has been an ongoing issue for the last two weeks. When I asked why there was no media attention, she said she wasn't sure. I said it was a pretty big deal and she agreed.

"She informed me that I would have to return to the United States to change my pin number before my card would be valid and in a usable state again. When I informed her that I would be traveling outside of the United States for at least a few months, possibly up to six, she repeated that I would have to re-enter the United States to fix the problem."

In other words, if you're a US Citibank customer trying to use your ATM card in Canada, Russia, or the UK right now, you are totally fuxx0red.
Citibank didn't handle Jake's problem in a customer-friendly way at all, and it appears they're handling all affected customers with exactly the same procedure.

[...]

From rforno at infowarrior.org Sun Mar 5 18:40:13 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 05 Mar 2006 18:40:13 -0500
Subject: [Dataloss] Health records on tapes sold at public auction
In-Reply-To: <440B736A.8040400@farber.net>

Health records sold at public auction
B.C. government tapes contain information on conditions such as HIV status, mental illness

Jonathan Fowlie
Vancouver Sun
http://www.canada.com/vancouversun/news/story.html?id=512bec85-3609-4610-83da-8c6e2885e6f6&k=28942

Saturday, March 04, 2006

Labour Minister Mike de Jong has ordered an investigation into the sale of these computer tapes containing private health information.

The provincial government has auctioned off computer tapes containing thousands of highly sensitive records, including information about people's medical conditions, their social insurance numbers and their dates of birth.

Sold for $300 along with various other pieces of equipment, the 41 high-capacity data tapes were auctioned in mid-2005 at a site in Surrey that routinely sells government surplus items to the public.

Included among the files were records showing certain people's medical status -- including whether they have a mental illness, HIV or a substance-abuse problem -- details of applications for social assistance, and whether or not people are fit to work.

"This should never happen," Mary Carlson, director of the Office of the Information and Privacy Commissioner of B.C., said Friday in an interview.

"There are dignity issues involved in a lot of these disclosures," she said, pointing to things such as HIV status and a need to apply for social assistance.
In an interview Friday afternoon, Labour Minister Mike de Jong, whose ministry oversees the auction process, said he has ordered an immediate investigation to determine how the breach took place.

"It is completely unacceptable for information like this to be unsecured in the way this clearly is," he said.

"People deserve to know [this] type of information . . . is secure and kept private," he added, offering an apology. "I can think of no excuse for information of this sort finding its way into the public domain."

In addition to the records containing social insurance numbers and medical conditions, there were also hundreds of what appeared to be caseworker entries divulging extremely intimate details of people's lives.

One of those entries details a letter from a woman whose daughter was sexually abused, which provides the woman's name.

"Re: her daughter . . . sexually abused by a tenant living in the basement of her house," said the entry, which was logged in 1996. "No mental handicap . . . RCMP involved."

Because of the sensitive nature of the information, The Vancouver Sun will not publish any details that would directly identify any of the people involved.

Another entry, which included the person's name and phone number, contained the following.

"Wants to recover back pay from MSS because she did not know she had to have a Dr.'s note . . . was beaten by her boyfriend . . . wanting for money from WCB but in the meantime wants to pay her bills."

Among the other files there was also a document containing more than 65,000 names along with corresponding social insurance numbers, birthdays and what appeared to be amounts paid to each person for social support and shelter.

The files on the tapes appear to have been created between 1995 and 2001 and appear to have come from the Ministry of Human Resources and the Ministry of Social Services.
The person who bought the reusable tapes says he intended to sell them as blanks for a profit, and only recently discovered they were filled with information. He gave the tapes to The Vancouver Sun out of concern that other information might not be properly destroyed, and did so on the condition of anonymity.

On Friday, De Jong could not say exactly what happened, but said there are standards in place and that he wants to find out immediately what went wrong.

"I want ministry officials to work closely with the privacy commissioner to do what can be done now to retrieve and secure the information and also to begin an exhaustive examination of how this happened," he said. "There are a strict set of guidelines that are in place governing the storage of information and also governing the disposal of assets."

A technology product specialist with Grand and Toy Technology said Friday most private industry will not sell backup tapes or any other removable media, but rather will go to great lengths to ensure the data completely disappears.

"Depending on what the organization requires, we can have the tapes crushed, or we can have them crushed and burned," said Brent Wilson. "It's a certified process."

Carlson also said the government had sold sensitive information to the public once before, but that the details of that case had not been made public. She added that she is "disappointed" to hear it has happened again.

"There is a positive duty in law both for government agencies and private sector entities," she said. "It requires them to pay attention to secure disposal of information. You can't just sell things. You can't throw things in the garbage or in dumpsters. You have to take steps to make sure that information is scrubbed off."

jfowlie at png.canwest.com

From dano at well.com Sun Mar 5 23:28:24 2006
From: dano at well.com (dano)
Date: Sun, 5 Mar 2006 20:28:24 -0800
Subject: [Dataloss] Breach notification laws: When should companies tell all?
At 11:13 AM -0500 3/3/06, lyger wrote:
>MARCH 02, 2006 (COMPUTERWORLD) - While there appears to be growing
>industry consensus that security breach notification laws have forced
>companies to take more responsibility for the data they own, there is
>little agreement on exactly when companies should be required to notify
>consumers when a data breach occurs.

In some industries there is not only no financial accountability, there is deliberate obfuscation which protects the people who make off with data. And they know it, which seemingly encourages them. (At least in the US.)

The following is from the Travel section of the Los Angeles Times and describes how easy it is to make off with valuables - including laptop computers - in checked luggage. Of course some people would not check their laptops, but some would. And since the baggage screeners get to x-ray the luggage to see which bags have valuables and which don't, their task is made easy for them.

I wonder how many claims have been filed with TSA for loss; or how easy it might be to get those records.

DESPITE repeated warnings to leave cameras, diamonds and other valuables at home when flying, travelers continue to check and lose. Here, a recent ripoff that could have been prevented:

Question: In November, my wife and I flew from San Francisco to Los Angeles on United. At the ticket kiosk, an agent advised us to check our carry-ons because the bins over our last-row seats were filled with emergency equipment. We agreed. When we got home, I unpacked my bag and discovered that a new $1,800 laptop had disappeared. The Transportation Security Agency said it didn't open the luggage. United sent a form letter, denying responsibility. Do I have any recourse?

STEVE HOUGLAND
Santa Monica

Answer: By the time we spoke to Hougland, he had already filed an insurance claim for the missing laptop.
But the ripoff and runaround could have been avoided if our reader had removed the computer before checking his bag.

Many travelers think, incorrectly, that Department of Transportation rules cover them for all losses. Not true. Neither the airlines nor the TSA is liable for big-ticket items such as electronic equipment. United's letter to Hougland explained this.

Even when a carrier is at fault, it routinely denies claims for "excluded" items. These exclusions, which include money, jewelry, cameras, heirlooms and "irreplaceable documents," are listed online in the airlines' contracts of carriage. (Search airline websites for "baggage liability" or go to latimes.com/contracts.)

Proving theft is tough because most screening and handling happen out of public view. And although surveillance systems have become more sophisticated, they're not bulletproof. "Anyone who works behind the scenes knows the dead spots," said LAX spokesman Paul Haney.

Protect your valuables by following these rules of thumb:

* Don't pack anything you can't afford to lose. Once that bag hits the conveyor belt, it's touched by many hands. Almost 90% of claims filed with the TSA in 2005 cited theft from checked luggage, said spokesman Nico Melendez. Last year, LAX ranked No. 1 in mishandled bag claims (about 4,000) filed with TSA. Haney says it's due to greater traffic, not more thieves. "We screen more bags here [55 million annually] than any other airport in the world."

* File twice - with the airline and the TSA. The agency has been known to settle claims even when it's not at fault. If you have no hope of getting a refund, it's still a good idea to register your gripe because complaints help officials identify and fix recurring problems or violations.

* Only a quarter of complaints filed with TSA are approved for full refund; most are settled for an average $110. You can appeal a refund, but it takes time.
A Southland flier whose cashmere coat was snatched at an LAX security checkpoint in 2003 disputed the $261 award and won, said an aide for Rep. Henry A. Waxman (D-Los Angeles), who assisted in the case. It took more than two years and some political muscle, but TSA came through last April with an $850 refund.

* File police reports. Don't assume TSA routinely turns over complaints to local authorities. The onus is on fliers to put officials on alert.

From lyger at attrition.org Wed Mar 8 15:50:18 2006
From: lyger at attrition.org (lyger)
Date: Wed, 8 Mar 2006 15:50:18 -0500 (EST)
Subject: [Dataloss] Citibank cards pulled after network breach (fwd)
Message-ID:

Forwarded from ISN. Follow-up to:
http://attrition.org/pipermail/dataloss/2006-March/000138.html

http://www.networkworld.com/news/2006/030706-citibank-network-breach.html

By Robert McMillan
IDG News Service
03/07/06

Citigroup is reissuing MasterCard credit and debit cards used in the U.K., Russia and Canada, saying they may have become compromised following an unspecified breach of its network.

"Last year, Citibank and our customers were the victims of a third-party business' information breach," the company said Wednesday in a statement. "In mid-February, we detected several hundred fraudulent cash withdrawals in three countries. We are currently reissuing cards, as appropriate, to affected customers."

In an earlier statement, published in media outlets, Citigroup said that the accounts may have been compromised in "previous retailer breaches in the U.S.," and that the company was aware of fraudulent ATM cash withdrawals being made in the U.K., Russia, and Canada. The company did not say how many cards were affected by these breaches.

[...]
From lyger at attrition.org Wed Mar 8 21:40:10 2006
From: lyger at attrition.org (lyger)
Date: Wed, 8 Mar 2006 21:40:10 -0500 (EST)
Subject: [Dataloss] Undisclosed Number of Verizon Employees at Risk of ID Theft
Message-ID:

http://news.com.com/2061-10789_3-6047682.html

A theft of two laptop computers has put a "significant number" of Verizon Communications' employees at risk of having their identities stolen, the company said Wednesday.

The computers were pilfered from a company facility and may contain important personal information, such as Social Security numbers, according to a report in The Wall Street Journal. Verizon executives told employees in a March 1 letter that the theft appears to be "a random criminal act" and that the laptops were password-protected, according to the Journal.

Verizon executives told the Journal that both current and former employees could be at risk. Verizon is offering affected workers free use of a credit monitoring service to help them watch out for identity theft.

http://news.com.com/2061-10789_3-6047682.html

From dano at well.com Wed Mar 8 23:22:29 2006
From: dano at well.com (dano)
Date: Wed, 8 Mar 2006 20:22:29 -0800
Subject: [Dataloss] iBill loses 17M customer records
Message-ID:

Porn Billing Leak Exposes Buyers

By Quinn Norton
14:15 PM Mar, 08, 2006 EST

Seventeen million customers of the online payment service iBill have had their personal information released onto the internet, where it's been bought and sold in a black market made up of fraud artists and spammers, security experts say.

The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit card types and purchase amounts, but credit card numbers are not included.

The breach has broad privacy implications for the victims.
Until it was brought low by legal and financial difficulties, iBill was a top credit card processor for adult entertainment websites -- providing billing services for such outlets as DominaBDSM and Top-Nude.com. The transactions documented in the database are dated between 1998 and 2003, spanning a period at the height of iBill's success. The company didn't respond to repeated e-mail and telephone inquiries by Wired News.

Two caches of stolen iBill customer data were discovered separately by two security companies while conducting routine research into malicious software online.

Southern California-based Secure Science Corporation found the first data file containing records on 17 million individuals on a private website set up by scammers. The site was part of a so-called "phishing" scheme, in which a spamming fraudster poses as a bank or online retailer in an attempt to con consumers out of identification and financial information. Secure Science found that data in February 2005, and reported it to the FBI's Miami field office, the company says. The FBI declined comment.

Last month, Sunbelt Software found an additional list of slightly over 1 million individual entries labeled Ibill_1m.txt on a spamming website. That list also appeared to date from 2003.

IBill has a troubled history. Founded in 1997 by executives of a Florida-based BBS software developer, by 2002 iBill was a big player in internet billing, processing approximately $400 million in credit card transactions per year, according to SEC filings. The company took 15 percent off the top in fees. Todd Dugas, a former inside sales representative for iBill, estimates that pornography made up 85 percent of the business.

But when Atlanta-based InterCept acquired iBill for $120 million in 2002, it immediately encountered problems. New rules from Visa made it more complicated and costly to process adult website transactions, and "accounts dropped like flies," says Dugas.
Meanwhile MasterCard levied $5.85 million in fines against iBill for an unusually high volume of "charge backs" -- consumer-disputed charges -- though InterCept managed to recoup most of the fine from iBill's previous owners.

In September 2004, iBill lost the contract with its upstream credit card processor, First Data, which had grown wary of being associated with adult content. Website operators relying on iBill for payments had to wait months for their checks while First Data held the money in escrow. Roger Jacobs, who followed the story of iBill for adult industry publications AVN and XBiz, described low morale and a hemorrhaging of employees during this period.

Lance James of Secure Science and Adam Thomas of Sunbelt Software speculate that the company's troubles may have left them vulnerable to information embezzlement: The breach, they say, has all the markings of an inside job.

The files appear to have been generated by exporting an SQL database into a CSV format -- a procedure that would be unusually extravagant for a quick, furtive hack-attack. Moreover, at 4.5 gigabytes in size, the larger file would have been tough to download unnoticed over iBill's internet connection. Thomas speculates that an employee or other insider may have simply walked out of iBill with the transaction records to sell on the data black market.

What happened with the records from there is anyone's guess. The 1 million addresses found by Sunbelt Software were being used for spamming. Sunbelt found the database by tracing malware-infected computers as they connected to the internet to refresh their list of spam targets. The target list turned out to be the iBill database, hosted on a rogue website.

Secure Science's James says the 17 million database entries he found is prime data for spamming, phishing attacks, pretext phone calls, and even possible hacking of vulnerable computers at the IP addresses listed.
Independently, Wired News found that entries from the smaller cache are listed as mortgage leads on a spammer community site, specialham.com. (The website's homepage offered no contact information and Wired News was unable to reach the registered owner of the domain, one "Juice Wobble.") This suggests that the database was marketed as a lead list for outside businesses.

"I can attest to the fact that this goes on with phishing groups," says James. "They break in and steal leads and then sell those leads to (black market) leads companies, who resell them to legitimate companies, and sometimes the same companies they stole them from."

"The fact that a total of 17,781,462 iBill records have been found in the hands of criminal hackers is quite disturbing, be it an inside job or the successful work of criminal hackers," says Thomas.

Contacted by Wired News, one of the victims of the breach expressed dismay that his information was in the hands of criminals. The 41-year-old San Diego man says he allowed a "business partner" to use his credit card on an adult website dedicated to finding resources in Tijuana's red light district, with discussion groups and locations of prostitutes.

"Life is difficult enough," says the victim. "It makes the net that much less secure in my eyes... I plan to not use any credit card information on any site."

The man says that neither iBill nor the FBI notified him of the breach. Because the information didn't include Social Security, credit card or driver's license numbers, no U.S. laws require iBill or the companies for which they provided billing to warn victims. A year after the FBI first learned of the larger leak, they have also failed to issue any public warnings.

In January of last year, iBill was purchased by Interactive Brand Development for $23.5 million. On Monday, IBC's stock closed at 8 cents a share in over-the-counter trading.
From lyger at attrition.org Thu Mar 9 07:38:22 2006
From: lyger at attrition.org (lyger)
Date: Thu, 9 Mar 2006 07:38:22 -0500 (EST)
Subject: [Dataloss] Debit Card Fraud Tied to OfficeMax Breach (fwd)
Message-ID:

Courtesy ISN:

http://www.eweek.com/article2/0,1895,1935677,00.asp

By Paul F. Roberts
March 8, 2006

Debit card fraud that has affected customers at a number of credit unions in central Massachusetts is linked to transactions at office supply retailer OfficeMax, according to investigators.

Dozens of credit union members in the towns of Leominster and Fitchburg, Mass., have been defrauded of more than $45,000 in the last few weeks by criminals in the United States and abroad, according to law enforcement officials in those towns. The fraudulent transactions involve cloned Visa debit cards and may be linked to the theft of blocks of PINs from OfficeMax or an intermediary processor, sources familiar with the case said.

[...]

From sbesser at gmail.com Thu Mar 9 08:27:57 2006
From: sbesser at gmail.com (Sharon Besser)
Date: Thu, 9 Mar 2006 05:27:57 -0800
Subject: [Dataloss] Debit Card Fraud Tied to OfficeMax Breach (fwd)
Message-ID:

We have seen a similar case in Israel ~ 2 years ago. Someone managed to get access to VISA cards information (including PIN numbers) by stealing an on-line processing machine, which apparently, had offline backup (....) Then he decrypted the data and built his own 'white card'. AFAIK they never caught the person that was leading the gang.

Sharon

from

http://www.eweek.com/article2/0,1895,1935677,00.asp

The fraudulent transactions involve cloned Visa debit cards and may be linked to the theft of blocks of PINs from OfficeMax or an intermediary processor, sources familiar with the case said.
From hypronix at gmail.com Thu Mar 9 11:55:09 2006
From: hypronix at gmail.com (hypronix)
Date: Thu, 9 Mar 2006 08:55:09 -0800
Subject: [Dataloss] Debit Card Fraud Tied to OfficeMax Breach (fwd)
In-Reply-To:
References:
Message-ID: <780bb65a0603090855x787b9405k1ad45b1da952c4d9@mail.gmail.com>

Catching is hard in most cases. The PINs are usually traded overseas [from EU to N.Am. or otherwise] and 'cashing out' is done by one or more independent people which all pay a certain commission back to the PIN/CC# provider. Depending on one's will to risk themselves getting caught, withdrawals of up to US$15000 a day are not all that common.

Short of utter stupidity or pushing one's luck too far, there is no immediate way in which 'cash-outs' can be stopped. Short of, of course, invalidating all CC#'s at the first sign of compromise. But that doesn't seem to be as 'normal' as one would expect it...

On 3/9/06, Sharon Besser wrote:
> We have seen a similar case in Israel ~ 2 years ago. Someone managed to
> get access to VISA cards information (including PIN numbers) by
> stealing an on-line processing machine, which apparently, had offline
> backup (....) Then he decrypted the data and built his own 'white
> card'. AFAIK they never caught the person that was leading the gang.
>
> Sharon
>
> from
>
> http://www.eweek.com/article2/0,1895,1935677,00.asp
>
>
> The fraudulent transactions involve cloned Visa debit cards and may be
> linked to the theft of blocks of PINs from OfficeMax or an
> intermediary processor, sources familiar with the case said.
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/errata/dataloss/
>
>

From lyger at attrition.org Fri Mar 10 09:17:07 2006
From: lyger at attrition.org (lyger)
Date: Fri, 10 Mar 2006 09:17:07 -0500 (EST)
Subject: [Dataloss] Porn Biller Says It Was Framed (fwd)
Message-ID:

Courtesy ISN:

Follow-up to iBill story

http://www.wired.com/news/technology/0,70380-0.html

Online payment company iBill on Thursday said a massive cache of stolen consumer data uncovered by security experts did not come from its database.

"I'm the first person that would have taken this to the FBI and the first person to have gone on 60 Minutes to say 'we screwed up,' if that were the case," said iBill President Gary Spaniak Jr.

Two caches of stolen data were discovered separately by two security companies while conducting routine research into malicious software online. Both had file names that purportedly linked them to iBill.

Southern California-based Secure Science Corporation found the first data file containing records on 17 million individuals on a private website set up by scammers. The site was part of a so-called "phishing" scheme, in which a spamming fraudster poses as a bank or online retailer in an attempt to con consumers out of identification and financial information.

[...]

From lyger at attrition.org Tue Mar 14 08:53:29 2006
From: lyger at attrition.org (lyger)
Date: Tue, 14 Mar 2006 08:53:29 -0500 (EST)
Subject: [Dataloss] Prosecutor: Debit card crime ring busted
Message-ID:

http://news.com.com/2100-1029_3-6049290.html

Law enforcement officials in New Jersey have arrested 14 people in connection with a crime spree that has forced banks across the nation to replace hundreds of thousands of debit cards. The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards that were used to make fraudulent purchases and withdrawals from card-holder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.

Some of the stolen credit card information came from the office-supply chain OfficeMax as well as North Carolina's State Employees' Credit Union and other businesses, DeFazio told CNET News.com on Monday. "We had cooperation from the security people from many victimized businesses," he said.

[...]

From lyger at attrition.org Tue Mar 14 23:31:55 2006
From: lyger at attrition.org (lyger)
Date: Tue, 14 Mar 2006 23:31:55 -0500 (EST)
Subject: [Dataloss] OfficeMax: No evidence of security breach
Message-ID:

(follow-up to earlier post)

http://news.com.com/2100-1029_3-6049758.html?part=rss&tag=6049758&subj=news

Following an extensive review of its security systems, OfficeMax says it has no reason to believe it was the company that suffered the data breach that resulted in thousands of cases of debit card fraud.

On Tuesday, the office-supply chain said that an independent study by a security expert found no indication that the company's customer information was lost. An internal investigation came to the same conclusion.

"OfficeMax takes the security of our customers' information with the utmost seriousness and is committed to protecting private customer information," the company said in a statement. "As we have stated consistently, we have no knowledge of a security breach at OfficeMax."

But the company wouldn't explain why it was still involved in the investigation into the debit card thefts.
From jericho at attrition.org Wed Mar 15 03:36:08 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 15 Mar 2006 03:36:08 -0500 (EST)
Subject: [Dataloss] Hacker gains access to Bisons fans' Web data
Message-ID:

From: InfoSec News

http://www.buffalonews.com/editorial/20060314/1033934.asp

By STEPHEN T. WATSON
News Staff Reporter
3/14/2006

A computer hacker recently gained access to sensitive financial information - including credit card numbers - on the Buffalo Bisons' Web site, the team is warning its customers.

The Secret Service, with the assistance of the FBI, is investigating the security breach, which occurred last month. So far, the Bisons say they have no indication that the intruder has misused any of the ill-gotten data.

The team has set up a toll-free number for people to call for more information and has notified the four credit card companies that are involved.

"We apologize for any inconvenience this situation has caused any of our fans," the team said in a statement.

Choice One Online, which hosted the Bisons' Web site at the time of the breach, said that it has hired the VeriSign global Internet security firm to conduct its own investigation into the security breach.

"VeriSign did confirm that we caught it early enough that damage, if any, will be next to nothing," said Keith Radford Jr., director of Choice One Online.

Employees of the Bisons and Choice One noticed the breach about Feb. 13, according to the team and Radford.

An intruder got into the Choice One system and uploaded a program that gave this person access to names, passwords, financial data and other information collected from customers who ordered items through Bisons.com, the Bisons said in a letter to customers.

The intruder accessed the information on the Bisons' Web site, the Bisons said, but so far, there is no evidence that this information was misused in any way.
The Bisons are cooperating in the investigation by the federal agencies and by VeriSign, according to the team's statement.

The Bisons mailed out the letters to any potentially affected Web customers shortly after learning of the breach, said Mike Buczkowski, the team's general manager. He would not say how many customers might have been affected.

The Bisons and Choice One changed their passwords and shut down the computer servers that were infiltrated, and the team notified American Express, Discover, MasterCard and Visa about the breach.

The Bisons are warning their Internet customers to monitor statements from their financial institutions and notify their credit card or debit card companies that their accounts might have been compromised. The toll-free number the team set up for customers is (800) 380-1447.

Choice One, a Buffalo Internet services company, said the VeriSign investigation will show the full extent of the damage caused by the breach, which Radford described as "minimal." The company is beefing up its security measures in response to the incident, he said.

Choice One and the Bisons no longer are working together, a move that Buczkowski said is not related to the security breach. The team last July began talking with Major League Baseball Advanced Media about hosting the Bisons' Web site, he said, and the switch went into effect last month.

From lyger at attrition.org Wed Mar 15 15:30:38 2006
From: lyger at attrition.org (lyger)
Date: Wed, 15 Mar 2006 15:30:38 -0500 (EST)
Subject: [Dataloss] Former GM Security Guard Arrested for Identity Theft
Message-ID:

http://www.detnow.com/wxyz/nw_local_news/article/0,2132,WXYZ_15924_4540530,00.html

Former GM Security Guard Arrested for Identity Theft

By Kimberly Craig
Web produced by Sarah Morgan
March 14, 2006

100 GM employees became victims of identity theft, after a former GM security guard stole their social security numbers and used the information to send harassing email.
Investigators said James Green II was fired in the '80s, but held on to a list of employee names and their social security numbers. Using the stolen information, Green had hacked into a GM employee website.

[...]

From cwalsh at cwalsh.org Wed Mar 15 21:06:41 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 15 Mar 2006 20:06:41 -0600
Subject: [Dataloss] Hacker gains access to Bisons fans' Web data
In-Reply-To:
References:
Message-ID:

On Mar 15, 2006, at 2:36 AM, security curmudgeon wrote:

> Mike Buczkowski, the
> team's general manager. He would not say how many customers might have
> been affected.

621

From lyger at attrition.org Wed Mar 15 21:15:58 2006
From: lyger at attrition.org (lyger)
Date: Wed, 15 Mar 2006 21:15:58 -0500 (EST)
Subject: [Dataloss] Hacker gains access to Bisons fans' Web data
In-Reply-To:
References:
Message-ID:

On Wed, 15 Mar 2006, Chris Walsh wrote:

": " On Mar 15, 2006, at 2:36 AM, security curmudgeon wrote:
": "
": " > Mike Buczkowski, the
": " > team's general manager. He would not say how many customers might have
": " > been affected.
": "
": " 621

Chris,

Do you have a source for this number and/or any new info regarding the incident?

Lyger

From lyger at attrition.org Wed Mar 15 22:59:33 2006
From: lyger at attrition.org (lyger)
Date: Wed, 15 Mar 2006 22:59:33 -0500 (EST)
Subject: [Dataloss] Lost Ernst & Young laptop exposes IBM staff
Message-ID:

http://www.theregister.co.uk/2006/03/15/ernstyoung_ibm_laptop/

The Register has learned that the laptop was stolen from an Ernst & Young employee's car in January. The employee handled some of the tax functions Ernst & Young does for IBM's workers who have been stationed overseas at one time or another during their careers. As a result of the theft, the names, dates of birth, genders, family sizes, SSNs and tax identifiers for IBM employees have been exposed.
The husband of one IBM employee has provided The Register with an exclusive copy of the letter Ernst & Young mailed out to the affected parties. This particular letter did not arrive until March 8 - two months after the theft.

Neither IBM nor Ernst & Young have returned calls seeking comment.

[...]

From lyger at attrition.org Thu Mar 16 23:10:44 2006
From: lyger at attrition.org (lyger)
Date: Thu, 16 Mar 2006 23:10:44 -0500 (EST)
Subject: [Dataloss] Bananas.com: credit card information possibly exposed
Message-ID:

http://news.yahoo.com/s/ap/20060317/ap_on_hi_te/web_site_breach

A musical instrument and sound gear Web site that advertises its relationship with artists such as Dave Matthews, Carlos Santana and Mary J. Blige notified some customers that their credit card information may have been stolen.

The warning, which came more than a month after someone broke into Bananas.com, was delivered Wednesday after The Associated Press inquired about the breach. The San Rafael-based company said none of its celebrity clients was among the 274 people notified.

Web site operators still are trying to determine how the intruder gained access. Following the discovery, administrators changed passwords and added other safeguards to restrict unauthorized access to the system, Bananas.com owner J.D. Sharp said.

[...]

From lyger at attrition.org Fri Mar 17 16:21:56 2006
From: lyger at attrition.org (lyger)
Date: Fri, 17 Mar 2006 16:21:56 -0500 (EST)
Subject: [Dataloss] Groups Slam Data Breach Notification Bill
Message-ID:

http://www.internetnews.com/security/article.php/3592416

A U.S. House panel effort to write a national data breach disclosure law is running into fierce opposition by consumer groups calling the legislation the "worst data security bill ever."

Passed out of the House Financial Services Committee on a 48-17 vote late Thursday afternoon, the Financial Data Protection Act of 2005 (H.R. 3997) allows data brokers and other companies to conduct an investigation of a breach and determine if notification to consumers is necessary. The bill also allows companies that choose to protect their data with encryption to take that into consideration when determining if consumer notification is necessary in the aftermath of a breach.

"We think consumers should be notified in case of a breach and it shouldn't be left to the companies to decide," Susanna Montezemolo, a policy analyst with Consumers Union, told internetnews.com.

The legislation also pre-empts any state laws mandating breach disclosures to consumers. According to the Consumers Union, 11 states currently have stricter notification standards than H.R. 3997, including a California law that resulted in data broker ChoicePoint being forced into disclosing the breach of 145,000 consumer records.

[...]

From lyger at attrition.org Fri Mar 17 16:35:58 2006
From: lyger at attrition.org (lyger)
Date: Fri, 17 Mar 2006 16:35:58 -0500 (EST)
Subject: [Dataloss] Visa Issues Cash-Register Flaw Warning
Message-ID:

(interesting tie-in to the PIN issue - lyger)

http://www.eweek.com/article2/0,1759,1939301,00.asp

The U.S. arm of credit and debit card giant Visa International has issued an alert for flaws in cash-register software made by Fujitsu Transaction Solutions that could put sensitive cardholder information at risk.

According to a report in The Wall Street Journal, the bug can cause the inadvertent storage of customer data—including secret PINs—within the point-of-sale software installed in retail locations.

The report said Visa USA sent the warning to "merchant acquirers" that process card transactions for some of the biggest names in retail and urged users to apply a software upgrade from Fujitsu to fix the flaw.

Officials from Visa USA and Fujitsu could not be reached for comment at press time but, according to the newspaper, the confidential alert was sent several days ago to raise awareness about the bug.
[...]

http://www.eweek.com/article2/0,1759,1939301,00.asp

From cwalsh at cwalsh.org Fri Mar 17 21:34:04 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 17 Mar 2006 20:34:04 -0600
Subject: [Dataloss] Visa Issues Cash-Register Flaw Warning
In-Reply-To:
References:
Message-ID: <0A62445D-A31A-493E-844F-533C9EA90342@cwalsh.org>

Fascinating. Guess who makes OfficeMax's POS SW?

http://www.fujitsu.com/us/news/pr/ftxs_20060109.html

T

On Mar 17, 2006, at 3:35 PM, lyger wrote:

>
> (interesting tie-in to the PIN issue - lyger)
>
> http://www.eweek.com/article2/0,1759,1939301,00.asp
>
> The U.S. arm of credit and debit card giant Visa International has
> issued an alert for flaws in cash-register software made by Fujitsu
> Transaction Solutions that could put sensitive cardholder
> information at risk.

From lyger at attrition.org Mon Mar 20 09:21:37 2006
From: lyger at attrition.org (lyger)
Date: Mon, 20 Mar 2006 09:21:37 -0500 (EST)
Subject: [Dataloss] Tax return information for sale?
Message-ID:

http://money.cnn.com/2006/03/17/commentary/everyday/sahadi/index.htm?cnn=yes

By Jeanne Sahadi, CNNMoney.com senior writer
March 17, 2006: 1:45 PM EST

Would you ever agree to work overtime for free, indefinitely, creating profits for someone else?

I didn't think so.

But that's often what we do when we buy a product or service from companies. That's because they can continue to make money off us by selling whatever personal information we give them in the course of the transaction.

Your payback: more junk mail and greater risk of identity theft.

And now it looks very likely that tax preparers will be able to profit off clients in ways having nothing to do with taxes. Thanks to proposed changes to the IRS' privacy regulation of tax preparers, everyone from H&R Block to your local tax-prep shop may be allowed to sell their clients' tax return information to any third party, including marketers and data brokers.
Mind you, they would need to get your consent, according to the proposed regulations. But why on earth would you ever give it?

The firm may try to sell you on the idea that by letting them "share" your sensitive financial information, you will benefit by getting pitched products and services that you really want.

That would be some serious tripe. How many times have you ever gotten a solicitation in the mail and said, 'Oh that's exactly what I need. Sign me up.'

[...]

From lyger at attrition.org Mon Mar 20 09:24:07 2006
From: lyger at attrition.org (lyger)
Date: Mon, 20 Mar 2006 09:24:07 -0500 (EST)
Subject: [Dataloss] Opening the Door on the Credit Report and Throwing Away the Lock
Message-ID:

http://www.nytimes.com/2006/03/18/business/yourmoney/18money.html?ex=1300338000&en=679b5dd491c851cd&ei=5090

Your Money
Opening the Door on the Credit Report and Throwing Away the Lock

By DAMON DARLIN
The New York Times
March 18, 2006

In a dozen states, legislatures have set up procedures for residents afraid of identity theft to lock and unlock their credit reports. But credit-reporting agencies are pushing Congress to override the state laws, which could make it harder for Americans to keep their credit information under wraps.

Lobbyists for the big agencies - Equifax, Experian and TransUnion, owned by the Marmon Group - are seeking to add an amendment to the Financial Data Protection Act, a bill being rewritten by the House of Representatives. (A similar bill, S1408, is working its way through the Senate.)

While the wording has not been set for the bill, also known as HR3997, lobbyists for the credit agencies are pushing for a law that limits the ability to lock credit reports to victims of identity theft. Moreover, the reports could be unlocked with five days' advance notice. Once a report is locked, an agency cannot release any of its details.

Consumer groups are upset that a federal law might supersede what has been done at the state level.

[...]
From lyger at attrition.org Tue Mar 21 13:00:42 2006
From: lyger at attrition.org (lyger)
Date: Tue, 21 Mar 2006 13:00:42 -0500 (EST)
Subject: [Dataloss] Debit-card fraud underscores legal loopholes
Message-ID:

http://www.securityfocus.com/news/11381

Recent widespread debit-card fraud likely has roots in three major data leaks that occurred in the last six months, two of which have yet to be publicly disclosed by the companies involved.

Consumers have noted a large increase in the amount of debit-card fraud since the beginning of 2006, as well as a wide recall of cards by banks and financial institutions. Three major incidents are likely fueling the fraud, according to financial and security experts. A breach associated with bulk-goods retailer Sam's Club last autumn likely resulted in millions of debit-cards potentially being put at risk, according to financial-industry insiders. A second, smaller breach affecting hundreds of thousands of debit cards has been connected to office-supply retailer OfficeMax, although that company has denied any breach of its systems. And, the most recent data leak occurred in an ATM network and likely affected millions of debit-cards as well, banking executives told SecurityFocus.

Despite security-breach notification laws on the books in 23 states, credit-card companies and financial institutions have not named the sources of the breaches.

"There are few details of these leaks because credit-card companies do not want people to lose confidence in debit cards," said Beth Givens, executive director of the consumer advocacy group Privacy Rights Clearinghouse.

The mystery surrounding the data breaches underscores loopholes within the majority of state laws which aim to mandate the disclosure of security breaches. Moreover, the silence over responsibility for the breaches contrasts consumer advocates' warnings that a federal law currently being considered by Congress will ironically roll back protections even further.

[...]
From lyger at attrition.org Tue Mar 21 15:51:49 2006
From: lyger at attrition.org (lyger)
Date: Tue, 21 Mar 2006 15:51:49 -0500 (EST)
Subject: [Dataloss] Breach Notification Escape Mechanisms
Message-ID:

(commentary on securityfocus.com debit-card fraud article posted earlier)

http://www.emergentchaos.com/archives/2006/03/breach_notification_escap.html

In a somewhat incendiary piece published today at Securityfocus.com, Robert Lemos reports on loopholes in notification laws which permit firms to avoid informing people that their personal information has been revealed.

According to the article, which along with unnamed "security experts" also cites industry notable Avivah Levitan, "[t]here are three cases in which a company suffering a breach can bypass current notification laws". First is if notification would impede an investigation by law enforcement, then:

If the stolen data includes identifiable information--such as debit card account numbers and PINs--but not the names of consumers, then a loophole in the law allows the company who failed to protect the data to also forego notification. Finally, if the database holding the personal information was encrypted but the encryption key was also stolen, then the company responsible for the data can again withhold its warning.

Not quite. At least one state has a law that closes the quoted loopholes.

[...]

From cwalsh at cwalsh.org Tue Mar 21 16:01:54 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 21 Mar 2006 15:01:54 -0600
Subject: [Dataloss] Breach Notification Escape Mechanisms
In-Reply-To:
References:
Message-ID: <20060321210153.GB2339@cwalsh.org>

Rob Lemos has expanded his original article to note that NY's law doesn't have the loopholes discussed in his piece.
From lyger at attrition.org Tue Mar 21 20:52:40 2006
From: lyger at attrition.org (lyger)
Date: Tue, 21 Mar 2006 20:52:40 -0500 (EST)
Subject: [Dataloss] The High Cost Of Data Loss
Message-ID:

(I find the "Top 10 Customer Data-Loss Incidents" chart to be of special interest due to possible omissions. Comments? - Lyger)

http://www.informationweek.com/story/showArticle.jhtml?articleID=183700367

How many ways are there to expose sensitive personal data? One company misplaces a backup tape; another puts customers' Social Security numbers onto mailing labels for anyone to see. Others lose laptops, inadvertently post private information online, or leave documents exposed to prying eyes. The possibilities are endless-- as we're learning with every new revelation of a data breach or hack or inexcusable lapse in secure business practices. By one estimate, 53 million people--including consumers, employees, students, and patients--have had data about themselves exposed over the past 13 months.

This sorry state of affairs is taking its toll: fines, lawsuits, firings, damaged reputations, spooked customers, credit card fraud, a regulatory crackdown, and the expense of fixing what's broken. The situation has become untenable. Here's the ugly truth about how it keeps happening, who's been affected, and what's being done about it.

[...]

From sawaba at forced.attrition.org Tue Mar 21 23:32:10 2006
From: sawaba at forced.attrition.org (sawaba)
Date: Tue, 21 Mar 2006 23:32:10 -0500 (EST)
Subject: [Dataloss] The High Cost Of Data Loss
In-Reply-To:
References:
Message-ID:

Of course, it is all subjective, depending on how you define "data loss". Based on the Attrition data, you have to pull a top 20 to get their top ten, which equals 10 omissions that are as bad or worse than ones in their top ten.
Here are the top 20 based on Attrition data:

'CardSystems(Visa,MC,AMEX)', 40000000, '2005-06-19'
'AmericaOnline', 30000000, '2004-06-24'
'MedicaHealthPlans', 12000000, '2005-06-29'
'DataProcessorsInternational', 5000000, '2003-03-06'
'Citigroup', 3900000, '2005-06-06'
'LaSalleBank', 2000000, '2005-12-21'
'DSWShoes', 1496000, '2005-06-30'
'BankofAmerica', 1000000, '2005-02-26'
'BankofAmerica/Wachovia', 676000, '2005-05-23'
'TimeWarnerInc.', 600000, '2005-07-06'
'PetCo', 500000, '2003-07-12'
'GeorgiaTechnologyAuthority', 465000, '2005-05-14'
'ProvidenceHomeServices', 365000, '2006-01-26'
'U.S.DepartmentofAgriculture', 350000, '2006-02-16'
'Lexis-Nexis', 310000, '2005-04-12'
'RBCDainRauscher', 300000, '2005-09-28'
'UniversityofSouthernCalifornia', 270000, '2005-07-09'
'BostonGlobe/WorcesterT&G', 240000, '2006-01-31'
'AmeripriseFinancial', 226000, '2006-01-25'
'MarriottInternational', 206000, '2005-12-28'

Again, addressing the definition of "data loss", you'll notice AOL is #2, which was due to email address theft, which is not nearly as damaging as credit card or identity theft.
So, if you rule out any data losses other than SSNs and credit card numbers, our list begins to look more similar:

'CardSystems(Visa,MC,AMEX)', 40000000, '2005-06-19'
'DataProcessorsInternational', 5000000, '2003-03-06'
'Citigroup', 3900000, '2005-06-06'
'LaSalleBank', 2000000, '2005-12-21'
'DSWShoes', 1496000, '2005-06-30'
'BankofAmerica', 1000000, '2005-02-26'
'TimeWarnerInc.', 600000, '2005-07-06'
'PetCo', 500000, '2003-07-12'
'GeorgiaTechnologyAuthority', 465000, '2005-05-14'
'U.S.DepartmentofAgriculture', 350000, '2006-02-16'
'Lexis-Nexis', 310000, '2005-04-12'
'UniversityofSouthernCalifornia', 270000, '2005-07-09'
'BostonGlobe/WorcesterT&G', 240000, '2006-01-31'
'AmeripriseFinancial', 226000, '2006-01-25'
'MarriottInternational', 206000, '2005-12-28'

--Sawaba

>
> On 3/21/06, lyger wrote:
>
> (I find the "Top 10 Customer Data-Loss Incidents" chart to be of special
> interest due to possible omissions. Comments? - Lyger)
>
> http://www.informationweek.com/story/showArticle.jhtml?articleID=183700367
>
> How many ways are there to expose sensitive personal data? One company
> misplaces a backup tape; another puts customers' Social Security numbers
> onto mailing labels for anyone to see. Others lose laptops, inadvertently
> post private information online, or leave documents exposed to prying
> eyes. The possibilities are endless-- as we're learning with every new
> revelation of a data breach or hack or inexcusable lapse in secure
> business practices. By one estimate, 53 million people--including
> consumers, employees, students, and patients--have had data about
> themselves exposed over the past 13 months.
>
> This sorry state of affairs is taking its toll: fines, lawsuits, firings,
> damaged reputations, spooked customers, credit card fraud, a regulatory
> crackdown, and the expense of fixing what's broken. The situation has
> become untenable. Here's the ugly truth about how it keeps happening,
> who's been affected, and what's being done about it.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/errata/dataloss/
>

From lyger at attrition.org Wed Mar 22 17:24:26 2006
From: lyger at attrition.org (lyger)
Date: Wed, 22 Mar 2006 17:24:26 -0500 (EST)
Subject: [Dataloss] HP retirees compromised by notebook theft
Message-ID:

http://www.theinquirer.net/?article=30483

Individuals in HP sponsored retirement plans as well as former employees of firms it took over have been told that a theft of a notebook containing personal information needs to be taken seriously.

Immediately the theft, which happened on March 15th, was discovered, the law was informed. The retired folk were told in a letter that the laptop included a number of personal details relating to former employees. But they have been re-assured that there's no evidence as yet the information has been misused.

[...]

From lyger at attrition.org Wed Mar 22 20:02:45 2006
From: lyger at attrition.org (lyger)
Date: Wed, 22 Mar 2006 20:02:45 -0500 (EST)
Subject: [Dataloss] Breach Notification Escape Mechanisms (fwd)
Message-ID:

Forwarded from: blitz

NY's law was late to be enacted, and because of input from previous experiences, (notably California) and some work from people working in the interest of data security, (cof) it thus avoided the more obvious loopholes. It was crafted as airtight as possible. The legislative process had absolutely no idea of where to start, they initially looked at the CA law as good, but insisted it be better. The result is what they came up with.

So let it be known, NY DID get something right. Now, if they would actually prosecute those flouting it. NY has a long history of selective prosecutions, but they usually rise in an election year. It depends on who's contributing to whom.

At 16:01 3/21/2006, Chris Walsh wrote:
>Rob Lemos has expanded his original article to note that NY's law
>doesn't have the loopholes discussed in his piece.
From lyger at attrition.org Thu Mar 23 08:33:57 2006
From: lyger at attrition.org (lyger)
Date: Thu, 23 Mar 2006 08:33:57 -0500 (EST)
Subject: [Dataloss] Laptop with Hewlett-Packard employees' ID stolen (fwd)
Message-ID:

(follow-up to yesterday's HP retirees story)

Courtesy InfoSec News

http://www.mercurynews.com/mld/mercurynews/business/14162732.htm

By Nicole C. Wong
Mercury News
Mar. 22, 2006

A Fidelity Investments laptop that contained the names, addresses, Social Security numbers, birth dates, compensation and other information for 196,000 current and former Hewlett-Packard employees participating in the company-sponsored retirement plan was stolen a week ago, the two companies confirmed Wednesday.

Fidelity sent e-mails and letters overnight to the retirement plan participants notifying them of the security breach. The Boston-based financial services company, which administers HP's defined benefit pension plan and 401k retirement plan, has subsequently stepped up monitoring of its HP accounts and added more authentication measures so people must provide extra personal information to access their accounts.

[...]

From lyger at attrition.org Thu Mar 23 16:23:10 2006
From: lyger at attrition.org (lyger)
Date: Thu, 23 Mar 2006 16:23:10 -0500 (EST)
Subject: [Dataloss] 40,000 BP workers exposed in Ernst & Young laptop loss
Message-ID:

http://www.theregister.co.uk/2006/03/23/ey_bp_laptop/

By Ashlee Vance in Mountain View
Published Thursday 23rd March 2006 20:40 GMT

Like sands through the hourglass, these are The Days of Ernst & Young laptop loss. Yes, friends, The Register can confirm that BP has been added to the list of Ernst & Young customers whose personal data has been exposed after a laptop theft. BP joins Sun Microsystems, Cisco and IBM in this not so exclusive club.

Ernst & Young has sent out a letter to all 38,000 BP employees in the US, telling them that a laptop theft had exposed their names and social security numbers.
To keep the BP staff's mind at ease, Ernst & Young said that the file name containing their info did not indicate what type of information was on the laptop, and the laptop was password protected. Phew!

Ernst & Young confirmed that this is the very same laptop that held data on the Sun, Cisco and IBM workers. All of these data losses were revealed by us in a set of exclusive stories. Ernst & Young also recently lost four more laptops in Miami, although it has not said which customers were affected in those incidents.

[...]

From cwalsh at cwalsh.org Thu Mar 23 19:19:46 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 23 Mar 2006 18:19:46 -0600
Subject: [Dataloss] 40,000 BP workers exposed in Ernst & Young laptop loss
In-Reply-To:
References:
Message-ID: <3908B839-FC0A-492D-A8D0-93182650D088@cwalsh.org>

According to the report E&Y filed with the NY State Consumer Protection Board, this laptop (stolen in Hoboken, NJ on 1/4/2006) contained PII on 84,000 people in all.

We wrote briefly abt this on 3/13 -- http://www.emergentchaos.com/archives/2006/03/stolen_ernst_and_young_la.html

On Mar 23, 2006, at 3:23 PM, lyger wrote:
> All of these data losses were revealed
> by us in a set of exclusive stories.

From lyger at attrition.org Thu Mar 23 19:54:15 2006
From: lyger at attrition.org (lyger)
Date: Thu, 23 Mar 2006 19:54:15 -0500 (EST)
Subject: [Dataloss] 40,000 BP workers exposed in Ernst & Young laptop loss
Message-ID:

Chris Walsh cwalsh at cwalsh.org wrote:

According to the report E&Y filed with the NY State Consumer Protection Board, this laptop (stolen in Hoboken, NJ on 1/4/2006) contained PII on 84,000 people in all.

We wrote briefly abt this on 3/13 -- http://www.emergentchaos.com/archives/2006/03/stolen_ernst_and_young_la.html

On Mar 23, 2006, at 3:23 PM, lyger wrote:
> All of these data losses were revealed
> by us in a set of exclusive stories.
Just to clarify, my quote above should be attributed to the story's original author:

http://www.theregister.co.uk/2006/03/23/ey_bp_laptop/

By Ashlee Vance in Mountain View
Published Thursday 23rd March 2006 20:40 GMT

From privacylaws at sbcglobal.net Fri Mar 24 11:55:58 2006
From: privacylaws at sbcglobal.net (Saundra Kae Rubel)
Date: Fri, 24 Mar 2006 08:55:58 -0800
Subject: [Dataloss] State lets out private data
In-Reply-To:
Message-ID: <001a01c64f63$d3d005e0$02126b80@saundrad38b17a>

State lets out private data

http://rds.yahoo.com/S=53720272/K=state+development+department+california+breach/v=2/SID=w/l=NSR/R=1/;_ylt=A9iIgNQMJCREDVMBPiTQtDMD;_ylu=X3oDMTBjMHZkMjZyBHBvcwMxBHNlYwNzcg--/SIG=13oraod0s/EXP=1143305612/*-http%3A//www.broward.com/mld/mercurynews/business/14176227.htm?source=rss&channel=mercurynews_business

64,000 TAX FORMS SENT TO WRONG ADDRESSES

By Matthai Chakko Kuruvila
Mercury News

The state Employment Development Division confirmed Thursday that it sent out about 64,000 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing those taxpayers to identity theft.

The 1099 tax forms, which summarize annual benefit payouts, were sent to people who had changed addresses over the past 18 months and had received unemployment, paid family leave or disability payouts from the state. The EDD said a ``software glitch'' resulted in 1099s being sent in January to garbled addresses that combined old street addresses with recipients' new cities and ZIP codes.

The incident represents only the latest example of consumers seeing sensitive personal information mishandled by others. Just Wednesday, Hewlett-Packard acknowledged the theft of a laptop containing the names, Social Security numbers and other information for 196,000 current and former employees. The laptop belonged to Fidelity Investments, which administers HP's retirement plans.
Data breaches have become increasingly publicized, in large part because of California's pioneering consumer protection laws, which require that consumers be notified if their personal information is exposed -- whether or not it was misused. But that safeguard, along with the power to lock out potential fraudsters by freezing credit reports, is threatened by Congressional legislation that would lessen those protections.

Unlike the EDD case, many data breaches have involved electronic data, which can be easily stored and transferred in any number of ways. Missing or stolen laptops, data tapes and even compact discs have all been the sources of recent data breaches. Still, the EDD's mistake had the same effect of exposing sensitive personal information.

``I think I'm particularly outraged because it's a government agency,'' said Ken McEldowney, executive director for San Francisco-based Consumer Action. ``I think people expect government agencies to protect their personal financial information more than private industry. As this shows, that's not the case: They're just as sloppy.''

McEldowney said it was ``one of the most serious'' data breaches he had heard of.

The department sent out the 1099s in January, learned of the problem in February and notified potential victims last week, said EDD spokeswoman Velessata Kelley. Kelley said the department waited to inform people because ``we had to identify who had been impacted and how to correct the problem.''

The latest data breach comes as federal policy-makers are pushing a bill that critics say will erode California's strict notification law. Just a week ago, the House Financial Services Committee voted to approve a bill that would leave many notification decisions to the discretion of businesses. In addition, the same bill would allow individuals to ``freeze'' their credit only if they've already been victims of identity theft.
Currently, Californians can put a freeze on their credit as soon as they discover their information was misplaced -- essentially preventing fraudsters from opening an account under someone else's name.

``It's so important to give consumers the tools, like a security freeze, that allow them to proactively protect themselves,'' said Michael McCauley, a spokesman for Consumers Union.

Rosetta Jones, a vice president for Visa USA, said ``there are no specific requirements'' for how issuers should verify an applicant's true identity beyond a name and Social Security number. But, she added, ``it's in the issuers' best interest to make sure to screen their applications closely so as not to let a fraudster into the system.''

With more and more personal data living in the public sphere -- from medical records to certain Google Groups where Social Security numbers are traded -- private industry has moved in. The credit bureaus, which maintain credit reports, each sell credit monitoring services -- as do a growing number of other companies.

But McEldowney, the consumer activist, noted that consumer protections, meanwhile, could be at risk. ``The problem is that given the current political environment, the credit and banking industry is so strong in Washington, there's no chance of getting decent legislation or to prevent Congress from pre-empting stronger state laws, such as in California.''

From lyger at attrition.org Fri Mar 24 21:19:16 2006
From: lyger at attrition.org (lyger)
Date: Fri, 24 Mar 2006 21:19:16 -0500 (EST)
Subject: [Dataloss] Suit alleges Internet privacy breach
Message-ID:

(Following link provided by blitz at strikenet.kicks-ass.net via AP newswire)

http://www.buffalonews.com/editorial/20060324/1058953.asp?PFVer=Story

New York's attorney general sued an Internet company Thursday over the selling of e-mail addresses in what authorities say may be the biggest deliberate breach of Internet privacy ever.
Attorney General Eliot Spitzer accused Gratis Internet of selling personal information obtained from millions of consumers despite a promise of confidentiality. The consumers thought they were registering to see a Web site offering free iPod music players or DVD movies and video games, Spitzer spokesman Brad Maione said.

On sign-up pages, Gratis promised it "does not . . . sell/rent e-mails." Instead of confidentiality, Spitzer said, Gratis sold access to its e-mail information to three independent e-mail marketers, and hundreds of millions of e-mail solicitations followed.

[...]

From lyger at attrition.org Mon Mar 27 07:31:52 2006
From: lyger at attrition.org (lyger)
Date: Mon, 27 Mar 2006 07:31:52 -0500 (EST)
Subject: [Dataloss] VSC laptop theft creates security concerns (fwd)
Message-ID:

Courtesy: InfoSec News

http://www.timesargus.com/apps/pbcs.dll/article?AID=/20060324/NEWS/603240363/1002

By Darren M. Allen
Vermont Press Bureau
March 24, 2006

MONTPELIER - Thousands of Vermont State Colleges students, faculty and staff learned this week that a VSC laptop computer stolen from a car parked in Montreal on Feb. 28 could have given thieves access to their personal financial information, including Social Security numbers and payroll data.

And while system administrators assured the thousands of potential identity-theft victims that they had all but eliminated access to the colleges' computer network from the laptop, some faculty and staff are furious that VSC took three weeks to warn them.

"I can share with you that many, many people have come to me to express their anger," said Ernest Broadwater, an education professor at Lyndon State College and the president of the Vermont State Colleges Faculty Federation. The union has contacted an attorney to "learn what measures the VSC has taken to protect the information of our students, staff and faculty."

[...]
From lyger at attrition.org Mon Mar 27 10:52:59 2006
From: lyger at attrition.org (lyger)
Date: Mon, 27 Mar 2006 10:52:59 -0500 (EST)
Subject: [Dataloss] Offshoring cited in Florida data leak (fwd)
Message-ID:

From: blitz

http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/03/24/76798_HNoffshoreleak_1.html

News Story by Robert McMillan
MARCH 26, 2006 (IDG NEWS SERVICE) - Florida state employees are being warned that their personal information may have been compromised after work on the state's People First payroll and human resources system was improperly subcontracted to a company in India.

Employees who worked for the state during the 18-month period between Jan. 1, 2003, and June 30, 2004, may be affected, according to an e-mail message sent to all state employees on March 16. The state's Department of Management Services (DMS), which oversees the People First system, estimates that 108,000 current and former state employees may be affected by the data breach, although that estimate could change as the department's investigation into the matter continues.

The e-mail was sent after a subcontractor of outsourcing service provider Convergys Corp. improperly allowed subcontractors in India to index state personnel files, said DMS spokeswoman Tiffany Koenigkramer. Transferring information offshore is in violation of Convergys' nine-year, $350 million contract to manage the state's personnel work.

[...]
From gbroiles at gmail.com Tue Mar 28 23:40:00 2006
From: gbroiles at gmail.com (Greg Broiles)
Date: Tue, 28 Mar 2006 20:40:00 -0800
Subject: [Dataloss] Laptop with Hewlett-Packard employees' ID stolen (fwd)
In-Reply-To:
References:
Message-ID: <4918801a0603282040s708f8562jf114ecf226e32a3b@mail.gmail.com>

To follow up further, the Mercury News ran another article today in the Business section discussing a rise in laptop thefts locally, suggesting that laptop thieves are targeting rental cars parked on or near El Camino Real, a street which runs from San Jose to San Francisco and which, in many stretches, has many popular restaurants and motels, and hence is likely to attract out-of-town visitors, especially business visitors.

The article, online at , discloses further details re the HP/Fidelity dataloss:

[...]

"In the case involving HP employee data, a traveling Fidelity Investments account representative was having dinner at PF Chang's in the Stanford Shopping Center on March 15. One of the Fidelity employees went out to get something from the vehicle and accidentally left it unlocked, said Ryan. When the group came out from the restaurant around 8:30 p.m., the laptop that had been in the car was gone and there was no sign of forced entry.

[...]

According to an HP memo provided to its employees last week, the Fidelity representative was traveling with the laptop to demonstrate a new software product to HP. The HP employee data was imported onto the laptop for the software demonstration. Hewlett-Packard told its employees in the memo that it was not informed by Fidelity ahead of time that actual data would be used by the Fidelity representative.

``HP views this as a very serious problem,'' the memo stated. HP spokeswoman Brigida Bergkamp declined to comment.

Ann Crowley, a Fidelity spokeswoman, said ``it is not our practice to have that level of data on a laptop.''

[...]

--
Greg Broiles, JD, LLM Tax, EA
gbroiles at gmail.com (Lists only.
Not for confidential communications.)
Law Office of Gregory A. Broiles
San Jose, CA

From lyger at attrition.org Wed Mar 29 13:19:43 2006
From: lyger at attrition.org (lyger)
Date: Wed, 29 Mar 2006 13:19:43 -0500 (EST)
Subject: [Dataloss] U.S. Arrests 7 on Charges of Credit Card Data Trading
Message-ID:

http://www.nytimes.com/2006/03/29/technology/29theft.html

The Secret Service yesterday announced seven arrests in five states and the District of Columbia as part of a continuing crackdown on online forums where credit card data and other stolen consumer information is routinely traded.

A total of 21 people have been arrested in the United States and Britain in the last three months in the undercover operation, the agency said. It is the largest federal law enforcement action taken against the thriving online trade in credit card numbers, bank accounts, passwords, personal identification numbers and other data since an earlier effort, Operation Firewall, broke up the largest black market trading board, Shadowcrew.com, in 2004.

Jonathan Cherry, a spokesman for the Secret Service, said the new crackdown, called Operation Rolling Stone, was aimed at "online criminal enterprises that threaten our financial infrastructure."

The arrests yesterday were made in Florida, New York, Illinois, Pennsylvania, California and Washington on a variety of state and federal charges related to online identity theft, credit card and access device fraud, Mr. Cherry said.

[...]

From lyger at attrition.org Thu Mar 30 14:39:13 2006
From: lyger at attrition.org (lyger)
Date: Thu, 30 Mar 2006 14:39:13 -0500 (EST)
Subject: [Dataloss] "Nokia staff jacked by Ernst & Young laptop loss"
Message-ID:

http://www.theregister.com/2006/03/30/ey_nokia_lapop/

When Ernst & Young loses a laptop, it doesn't mess around. The Register has learned that the same missing system with personal information on Sun Microsystems, Cisco, IBM and BP workers also contained data on Nokia's US staff.
A Nokia source notified us that he received a letter from Ernst & Young detailing the accounting firm's loss of his personal information. An Ernst & Young spokesman then confirmed that the laptop was "the same" machine with thousands of Sun, Cisco, IBM and BP staff data, including their ages, social security numbers, tax identification numbers and addresses.

Ernst & Young continues to maintain that the laptop poses little risk as it was password protected. Some rather prominent security folk, however, dispute Ernst & Young's contention. This letter comes from a top security expert at a very, very large technology company. We've agreed to protect his identity.

[...]

From john.r.porter at gmail.com Thu Mar 30 16:59:08 2006
From: john.r.porter at gmail.com (John R. Porter)
Date: Thu, 30 Mar 2006 16:59:08 -0500
Subject: [Dataloss] Marines lose portable drive, expose records
Message-ID:

Thousands of Marines may be at risk for identity theft after loss of portable drive

By Leo Shane III, Stars and Stripes
Mideast edition, Thursday, March 30, 2006

http://www.estripes.com/article.asp?section=104&article=36125

WASHINGTON - A portable drive with personal information on more than 207,750 Marines was lost earlier this month, possibly jeopardizing those troops' credit records and privacy.

In a message sent out to Marines, officials said the information was encoded and so far they've seen no evidence the information is being abused. But, because the data could be used for criminal purposes, they are asking all Marines to be on guard for signs of identity theft.

According to officials from the Manpower Information Technology Branch, the portable drive was part of a Naval Postgraduate School research project. The information was being used in research about the effectiveness of re-enlistment bonuses, but it was lost in a computer lab on campus in Monterey, Calif. [...]

From jericho at attrition.org Fri Mar 31 01:43:07 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 31 Mar 2006 01:43:07 -0500 (EST)
Subject: [Dataloss] Hacker hits Georgia state database via hole in security software
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,110094,00.html

By Jaikumar Vijayan
MARCH 30, 2006
COMPUTERWORLD

An unpatched flaw in a "widely used security program" was exploited by an unknown hacker to gain access to a Georgia Technology Authority (GTA) database containing confidential information on more than 570,000 members of the state's pension plans.

The intrusion occurred sometime between Feb. 21 and Feb. 23 and involved a hacker who used "sophisticated hacking tools" to break through several layers of security after accessing the server hosting the database via the software flaw, said Joyce Goldberg, a GTA spokeswoman.

Goldberg refused to name the security vendor whose software was exploited, citing an ongoing investigation. She added, however, that the vulnerability exploited by the hacker had already been publicly disclosed by the vendor, "We were in the midst of fixing the flaw that the software vendor had identified. But the hacker got in before we were able to do that," she said.

"Shortly after the breach, we saw some unusual activity, and in looking at that, we discovered the breach." Goldberg declined to elaborate on what that unusual activity was.

The breached server contained information on a total of eight pension plans administered by the state. The core database itself was managed by the state Employees Retirement System, though the server it was hosted on was administered by the GTA.
At this point, there is no evidence that confidential information, including names, Social Security numbers and bank-account details, have been misused, Goldberg said. Even so, the GTA is sending out letters to 180,000 affected employees for whom it has contact information, she said. The state does not have current addresses for the remaining 373,000 individuals affected and is relying on media reports and its own outreach efforts to inform them of the potential compromise of data, Goldberg said.

The Georgia Bureau of Investigation is investigating the incident. The GTA is also bringing in outside security advisers to do a security assessment, the agency said in a note posted on its site.

This is the second major breach involving the GTA in the past year. In April 2005, the GTA disclosed that a state employee had downloaded confidential information belonging to more than 450,000 members of the state's health benefit plan onto a home computer.

Since that breach, the GTA has implemented several measures to tighten security, including stricter password controls, more timely reviews of logs and alerts, more extensive employee background checks and stricter control of access confidential data, according to the GTA's Web site.

Incidents such as this highlight the dangers companies face when the software they rely on to protect their data itself turns bad, said Lloyd Hession, vice president and chief technology officer at BT Radianz, a New York-based provider of telecommunications services to financial companies.

"The most important point to remember [from such incidents] is that you don't want to be overly dependent on a single vendor's product" for security, Hession said.

Earlier this month, a faulty antivirus update from McAfee Inc. mistakenly identified hundreds of legitimate programs as a Windows virus, resulting in the accidental deletion of significant amounts of data from company computers that had the faulty software installed on them.
Two years ago, the Witty worm, which was reported to have damaged 15,000 to 20,000 computers worldwide, took advantage of a flaw involving the BlackIce and RealSecure intrusion-prevention products from Atlanta-based Internet Security Systems Inc. The worm wrote random data onto the hard disks of vulnerable systems, causing the drives to fail and making it impossible for users to start up the systems.

Such incidents highlight quality lapses that sometimes occur when security vendors try to rush out products to keep up with security threats, Hession said. "Security vendors have to adapt very quickly to new threats," resulting in very short development and testing cycles, he said.

With security products, "the perception is that it should be more reliable than other software," which is not always the case, said Ken Dunham, director of the rapid response team at VeriSign Inc.'s iDefense Labs unit. IT managers need to remember that all software is susceptible to errors that pose security risks, he said.

From lyger at attrition.org Fri Mar 31 12:08:08 2006
From: lyger at attrition.org (lyger)
Date: Fri, 31 Mar 2006 12:08:08 -0500 (EST)
Subject: [Dataloss] L.A. County Warns 94,000 Of Possible ID Theft
Message-ID:

(Update to story originally posted March 2 by Chris Walsh)

http://www.cbsnews.com/stories/2006/03/31/national/main1459534.shtml

County officials have sent 94,000 letters warning people of possible identity theft after documents containing their confidential information were publicly exposed in January.

The documents were left next to a recycling bin in a parking garage outside a Department of Public Social Services office in Exposition Park. The documents contained names, addresses, phone numbers, Social Security numbers and medical information of people who received services from the office in the last two to three years, said department spokeswoman Shirley Christensen.
There have been no reports of identity theft from any of the 2.2 million people who use the department's service, Christensen said.

[...]

From lyger at attrition.org Fri Mar 31 15:19:14 2006
From: lyger at attrition.org (lyger)
Date: Fri, 31 Mar 2006 15:19:14 -0500 (EST)
Subject: [Dataloss] Educators' Social Security numbers sent via e-mail
Message-ID:

http://www.connpost.com/search//ci_3654023

Article created: 03/30/2006 4:33 AM EST
LINDA CONNER LAMBECK

The Social Security numbers of the 1,250 teachers and school administrators in the Connecticut Technical High School System were mistakenly sent via e-mail to staff, triggering an investigation by state Attorney General Richard Blumenthal.

Blumenthal said Wednesday that he is appalled and astonished by the apparent "senseless" security breach. He promised an immediate investigation into the incident, which occurred Monday, and warned the state Department of Education to notify all affected employees immediately.

Blumenthal was alerted to the situation by the State Vocational Federation of Teachers, the union that represents the system's staff. Union President Aaron Silvia called the accidental release of the numbers "shocking."

[...]

From lyger at attrition.org Fri Mar 31 16:58:50 2006
From: lyger at attrition.org (lyger)
Date: Fri, 31 Mar 2006 16:58:50 -0500 (EST)
Subject: [Dataloss] Privacy Breach at Astratel (Australia)
Message-ID:

http://australianit.news.com.au/articles/0,7204,18665780%5E15306%5E%5Enbv%5E,00.html

Andrew Colley
MARCH 31, 2006

A security hole in Sydney internet provider Astratel's LiveBilling online account management system has seriously compromised its customers' privacy.

Astratel customer Nick Adams notified the ISP after he discovered that he could view billing information and call records for other customers, by lodging their phone number into an online query form.
Mr Adams also demonstrated that a non-Astratel member could access the compromised web query service by transplanting code from the page where it was located and placing it at an alternative web address.

"There's no security moving between the pure members section and this LiveBilling part of the web site. You can put anyone's phone number and you pull their call records and their account balance," Mr Adams said.

The link to the compromised billing service was still accessible until late today.

[...]
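The flaw the article describes is a lookup that answers for whatever phone number is submitted, where the only "gate" was the members-area page hosting the form. The Python below is an added example, not Astratel's code: a constructed in-memory version of that lookup beside a hardened handler that decides authorization on the server for every request, plus a detection helper that flags a caller denied for several distinct numbers. All account ids, phone numbers, balances and IP addresses are made-up sample data.

```python
"""Constructed illustration of a billing lookup keyed only on a phone number.
Nothing here is Astratel's code; accounts, numbers, balances and IPs are sample data."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: which account owns which phone numbers ...
ACCOUNT_PHONES = {
    "acct-1001": {"0291110000"},
    "acct-1002": {"0292220000", "0292220001"},
}
# ... and the billing record held for each number.
BILLING = {
    "0291110000": {"balance": 42.10, "calls": [("0400000001", "3m")]},
    "0292220000": {"balance": 7.55, "calls": []},
    "0292220001": {"balance": 0.00, "calls": [("0400000002", "12m")]},
}


@dataclass
class Session:
    """What the server knows about the caller. account_id is None for a visitor
    who never logged in, e.g. someone submitting the form from another site."""
    account_id: Optional[str]
    client_ip: str

    def principal(self) -> str:
        return self.account_id or f"anonymous:{self.client_ip}"


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, decision, principal, phone, reason):
        self.entries.append({"decision": decision, "principal": principal,
                             "phone": phone, "reason": reason})


def lookup_billing_vulnerable(session: Session, phone: str):
    """The flaw: the handler answers for any number. Placing the form inside the
    members area protects nothing, because the request can be sent from anywhere
    and the handler never looks at who is asking."""
    return BILLING.get(phone)


def lookup_billing_hardened(session: Session, phone: str, audit: AuditLog):
    """Authorization is decided here, on the server, for every request: the caller
    must be logged in and the number must belong to that account. Not-owned and
    non-existent numbers get the same answer, so the endpoint cannot be used to
    confirm which numbers are customers. Every decision is written to the audit log."""
    if session.account_id is None:
        audit.record("deny", session.principal(), phone, "unauthenticated")
        return ("denied", None)
    if phone not in ACCOUNT_PHONES.get(session.account_id, set()):
        audit.record("deny", session.principal(), phone, "not-owned")
        return ("denied", None)
    audit.record("allow", session.principal(), phone, "ok")
    return ("ok", BILLING.get(phone))


def suspected_enumeration(audit: AuditLog, threshold: int = 3):
    """Detection: a principal denied for `threshold` or more distinct numbers is
    probing other customers' records. The vulnerable handler could never surface
    this, because it never made an authorization decision to log."""
    denied = {}
    for entry in audit.entries:
        if entry["decision"] == "deny":
            denied.setdefault(entry["principal"], set()).add(entry["phone"])
    return sorted(p for p, phones in denied.items() if len(phones) >= threshold)


if __name__ == "__main__":
    audit = AuditLog()
    owner = Session("acct-1001", "10.0.0.1")
    visitor = Session(None, "203.0.113.5")
    print(lookup_billing_vulnerable(visitor, "0291110000"))      # record leaks
    print(lookup_billing_hardened(owner, "0291110000", audit))   # ('ok', {...})
    print(lookup_billing_hardened(visitor, "0291110000", audit)) # ('denied', None)
    print(audit.entries)
```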