From Dissent at pogowasright.org Sun Apr 1 16:22:13 2007 From: Dissent at pogowasright.org (Dissent) Date: Sun, 01 Apr 2007 12:22:13 -0400 Subject: [Dataloss] Prison staff wins in case of information breach Message-ID: <7.0.0.16.2.20070401121128.022cbc88@pogowasright.org> http://www.kentucky.com/211/story/31580.html A U.S. district judge ruled in favor of a group of prison employees who were the victims of a security breach when a file with their personal information -- home addresses, Social Security numbers -- were made accessible to prisoners in a work program. The court ruling said "prison officials went to great lengths to thwart the plaintiffs' efforts to discover the extent of the security breach" by claiming the file was marked as sensitive and by destroying the folder in question. According to their lawyer, Doug McSwain, 99 guards and employees of Federal Medical Center on Leestown Road in Lexington filed the lawsuit in 2003. Judge Jennifer B. Coffman ruled Friday that the plaintiffs be paid $1,000 or the amount of damages, and the cost of prosecuting the lawsuit. [...] -- Main site: http://www.pogowasright.org Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss From lyger at attrition.org Sun Apr 1 18:10:31 2007 From: lyger at attrition.org (lyger) Date: Sun, 1 Apr 2007 18:10:31 +0000 (UTC) Subject: [Dataloss] TJX breach shows that encryption can be foiled Message-ID: http://www.boston.com/business/globe/articles/2007/03/31/tjx_breach_shows_that_encryption_can_be_foiled/ Encryption alone is no panacea for threats to consumer data, according to specialists who say the technology's limit can be seen in the problems reported by TJX Cos. of Framingham. The notion of using complex math formulas to scramble electronic information is gaining steam as a way to protect individuals' privacy, an area of growing concern for retailers and banks as data thefts become more brazen. 
But recent details to emerge on how hackers accessed the parent of stores including T.J. Maxx and Marshalls show how encryption can be defeated by clever thieves -- and suggest the breach may have been an inside job. A securities filing by TJX on Wednesday disclosed that the incident may have compromised more than 45 million credit and debit card numbers, the most in any single incident. In the filing, TJX also stated that "we believe that the intruder had access to the decryption tool for the encryption software utilized by TJX." [...] From bkdelong at pobox.com Mon Apr 2 19:33:22 2007 From: bkdelong at pobox.com (B.K. DeLong) Date: Mon, 2 Apr 2007 15:33:22 -0400 Subject: [Dataloss] TJX breach shows that encryption can be foiled In-Reply-To: References: Message-ID: If that isn't a loaded statement. So TJX is claiming all their credit card data is always encrypted at-rest? How many people would have access to such a "decryption tool". This sounds fishy. On 4/1/07, lyger wrote: > > http://www.boston.com/business/globe/articles/2007/03/31/tjx_breach_shows_that_encryption_can_be_foiled/ > > Encryption alone is no panacea for threats to consumer data, according to > specialists who say the technology's limit can be seen in the problems > reported by TJX Cos. of Framingham. > > The notion of using complex math formulas to scramble electronic > information is gaining steam as a way to protect individuals' privacy, an > area of growing concern for retailers and banks as data thefts become more > brazen. > > But recent details to emerge on how hackers accessed the parent of stores > including T.J. Maxx and Marshalls show how encryption can be defeated by > clever thieves -- and suggest the breach may have been an inside job. > > A securities filing by TJX on Wednesday disclosed that the incident may > have compromised more than 45 million credit and debit card numbers, the > most in any single incident. 
In the filing, TJX also stated that "we > believe that the intruder had access to the decryption tool for the > encryption software utilized by TJX." > > [...] > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 203 million compromised records in 609 incidents over 7 years. > -- B.K. DeLong (K3GRN) bkdelong at pobox.com +1.617.797.8471 http://www.wkdelong.org Son. http://www.ianetsec.com Work. http://www.bostonredcross.org Volunteer. http://www.carolingia.eastkingdom.org Service. http://bkdelong.livejournal.com Play. PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE FOAF: http://foaf.brain-stream.org From Troy.Casey at mckesson.com Mon Apr 2 19:44:12 2007 From: Troy.Casey at mckesson.com (Casey, Troy # Atlanta) Date: Mon, 2 Apr 2007 15:44:12 -0400 Subject: [Dataloss] TJX breach shows that encryption can be foiled In-Reply-To: Message-ID: <324D9F7B57D2C143A7CF16A9CECAD25340BF2A@EXCHANGE2.dsa.int> It should make for a short list of suspects, assuming TJX was doing a reasonable job of key management...but it does seem that they would have been in a bigger hurry than this to declare that the data was encrypted -- assuming that it, in fact, _was_ encrypted. That said, following their behavior pattern of releasing little to no information about this, nothing is said about what sort of encryption or what cipher strength was in use. A lot of encryption technology has been obsoleted in recent years and if they were using a weak algorithm it may not have been necessary for the thieves to lay hands on their key in order to decrypt. 
Given how long the breach went on, I'd say the bad guys had plenty of time, in theory at least, to break an algorithm or "guess" the key by automation...especially if they threw a couple hundred Nigerian laptops at the problem :-) -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of B.K. DeLong Sent: Monday, April 02, 2007 3:33 PM To: lyger Cc: dataloss at attrition.org Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled If that isn't a loaded statement. So TJX is claiming all their credit card data is always encrypted at-rest? How many people would have access to such a "decryption tool". This sounds fishy. On 4/1/07, lyger wrote: > > http://www.boston.com/business/globe/articles/2007/03/31/tjx_breach_show s_that_encryption_can_be_foiled/ > > Encryption alone is no panacea for threats to consumer data, according > to specialists who say the technology's limit can be seen in the > problems reported by TJX Cos. of Framingham. > > The notion of using complex math formulas to scramble electronic > information is gaining steam as a way to protect individuals' privacy, > an area of growing concern for retailers and banks as data thefts > become more brazen. > > But recent details to emerge on how hackers accessed the parent of > stores including T.J. Maxx and Marshalls show how encryption can be > defeated by clever thieves -- and suggest the breach may have been an inside job. > > A securities filing by TJX on Wednesday disclosed that the incident > may have compromised more than 45 million credit and debit card > numbers, the most in any single incident. In the filing, TJX also > stated that "we believe that the intruder had access to the decryption > tool for the encryption software utilized by TJX." > > [...] 
> _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss Tracking more than 203 million > compromised records in 609 incidents over 7 years. > -- B.K. DeLong (K3GRN) bkdelong at pobox.com +1.617.797.8471 http://www.wkdelong.org Son. http://www.ianetsec.com Work. http://www.bostonredcross.org Volunteer. http://www.carolingia.eastkingdom.org Service. http://bkdelong.livejournal.com Play. PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE FOAF: http://foaf.brain-stream.org _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 203 million compromised records in 609 incidents over 7 years. From cwalsh at cwalsh.org Mon Apr 2 22:41:40 2007 From: cwalsh at cwalsh.org (Chris Walsh) Date: Mon, 2 Apr 2007 17:41:40 -0500 Subject: [Dataloss] TJX breach shows that encryption can be foiled In-Reply-To: <324D9F7B57D2C143A7CF16A9CECAD25340BF2A@EXCHANGE2.dsa.int> References: <324D9F7B57D2C143A7CF16A9CECAD25340BF2A@EXCHANGE2.dsa.int> Message-ID: <39C3168B-F87E-4C6E-8595-308BAB9BE2DE@cwalsh.org> On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote: > It should make for a short list of suspects, assuming TJX was doing a > reasonable job of key management... That (reasonable key management) is a critical assumption. I'd be interested in learning what algorithm (and implementation thereof) they were using, as well. 
Not holding my breath on that info :^) cw From adrian.sanabria at gmail.com Tue Apr 3 03:58:53 2007 From: adrian.sanabria at gmail.com (Adrian Sanabria) Date: Mon, 2 Apr 2007 23:58:53 -0400 Subject: [Dataloss] TJX breach shows that encryption can be foiled In-Reply-To: <39C3168B-F87E-4C6E-8595-308BAB9BE2DE@cwalsh.org> References: <324D9F7B57D2C143A7CF16A9CECAD25340BF2A@EXCHANGE2.dsa.int> <39C3168B-F87E-4C6E-8595-308BAB9BE2DE@cwalsh.org> Message-ID: So frustrating, getting little bits of technical info at a time. It is even common for people to refer to something password protected as "encrypted". Just the phrase "decryption tool" is a big clue. Clue to what, I don't know, but most encryption I've worked with would never lead me to use that phrase. Can anyone think of a specific product that would refer to? The only thing I can think of is the decryption tool (usually put on a bootable floppy or cd) Helpdesk and Security use to decrypt most enterprise full disk encryption. --Sawaba On 4/2/07, Chris Walsh wrote: > > > On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote: > > > It should make for a short list of suspects, assuming TJX was doing a > > reasonable job of key management... > > That (reasonable key management) is a critical assumption. > > I'd be interested in learning what algorithm (and implementation > thereof) they were using, as well. > > Not holding my breath on that info :^) > > cw > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 203 million compromised records in 609 incidents over 7 > years. > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://attrition.org/pipermail/dataloss/attachments/20070402/493b45ea/attachment.html From avery.sawaba at gmail.com Tue Apr 3 04:00:11 2007 From: avery.sawaba at gmail.com (Avery Sawaba) Date: Tue, 3 Apr 2007 00:00:11 -0400 Subject: [Dataloss] TJX breach shows that encryption can be foiled In-Reply-To: <39C3168B-F87E-4C6E-8595-308BAB9BE2DE@cwalsh.org> References: <324D9F7B57D2C143A7CF16A9CECAD25340BF2A@EXCHANGE2.dsa.int> <39C3168B-F87E-4C6E-8595-308BAB9BE2DE@cwalsh.org> Message-ID: I just read over the 10-k again, and I think they've included enough information to figure out what happened, using some educated guesses. I'm going to start working on "reverse engineering" the statements. --Sawaba On 4/2/07, Chris Walsh wrote: > > > On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote: > > > It should make for a short list of suspects, assuming TJX was doing a > > reasonable job of key management... > > That (reasonable key management) is a critical assumption. > > I'd be interested in learning what algorithm (and implementation > thereof) they were using, as well. > > Not holding my breath on that info :^) > > cw > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 203 million compromised records in 609 incidents over 7 > years. > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://attrition.org/pipermail/dataloss/attachments/20070403/d50fa0de/attachment.html From ADAIL at sunocoinc.com Tue Apr 3 13:49:26 2007 From: ADAIL at sunocoinc.com (DAIL, ANDY) Date: Tue, 3 Apr 2007 09:49:26 -0400 Subject: [Dataloss] TJX breach shows that encryption can be foiled In-Reply-To: <39C3168B-F87E-4C6E-8595-308BAB9BE2DE@cwalsh.org> Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC70A8B@mds3aex0e.USISUNOCOINC.com> I don't care if you're using 1024 bit encryption with an atomic booby-trap, there is no business reason to retain that much card data for such a long period after authorization. Especially magnetic track data!! In the final analysis, if the data were not being retained, the data could not be stolen. TJX is a perfect case-in-point of a retailer who is afraid to purge historical data, or does not spend the effort to triage the data to determine what is obsolete. Data Management policy anyone? -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh Sent: Monday, April 02, 2007 5:42 PM To: dataloss at attrition.org Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote: > It should make for a short list of suspects, assuming TJX was doing a > reasonable job of key management... That (reasonable key management) is a critical assumption. I'd be interested in learning what algorithm (and implementation thereof) they were using, as well. Not holding my breath on that info :^) cw _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 203 million compromised records in 609 incidents over 7 years. This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. 
Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments. From SSteele at infolocktech.com Tue Apr 3 14:00:41 2007 From: SSteele at infolocktech.com (Sean Steele) Date: Tue, 3 Apr 2007 10:00:41 -0400 Subject: [Dataloss] TJX breach shows that encryption can be foiled In-Reply-To: <8CA58E707BB1C44385FA71D02B7A1C8EC70A8B@mds3aex0e.USISUNOCOINC.com> References: <39C3168B-F87E-4C6E-8595-308BAB9BE2DE@cwalsh.org> <8CA58E707BB1C44385FA71D02B7A1C8EC70A8B@mds3aex0e.USISUNOCOINC.com> Message-ID: <90D8CEF754D7D9448BA11172BB504432052580B7@orange.brnets.int> I'm familiar with PCI-DSS standards for DAR encryption for cardholder information, but less sure of retention requirements. Does anyone know conclusively if TJX was simply retaining cardholder data per regulations? -Sean -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of DAIL, ANDY Sent: Tuesday, April 03, 2007 9:49 AM To: dataloss at attrition.org Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled I don't care if you're using 1024 bit encryption with an atomic booby-trap, there is no business reason to retain that much card data for such a long period after authorization. Especially magnetic track data!! In the final analysis, if the data were not being retained, the data could not be stolen. TJX is a perfect case-in-point of a retailer who is afraid to purge historical data, or does not spend the effort to triage the data to determine what is obsolete. Data Management policy anyone? 
-----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh Sent: Monday, April 02, 2007 5:42 PM To: dataloss at attrition.org Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote: > It should make for a short list of suspects, assuming TJX was doing a > reasonable job of key management... That (reasonable key management) is a critical assumption. I'd be interested in learning what algorithm (and implementation thereof) they were using, as well. Not holding my breath on that info :^) cw _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 203 million compromised records in 609 incidents over 7 years. This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments. _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 203 million compromised records in 609 incidents over 7 years. From ADAIL at sunocoinc.com Tue Apr 3 14:33:31 2007 From: ADAIL at sunocoinc.com (DAIL, ANDY) Date: Tue, 3 Apr 2007 10:33:31 -0400 Subject: [Dataloss] TJX breach shows that encryption can be foiled In-Reply-To: <90D8CEF754D7D9448BA11172BB504432052580B7@orange.brnets.int> Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC70A8C@mds3aex0e.USISUNOCOINC.com> Some attorneys and CPA's will make the case that you should retain transaction records for a period of 7 years in the event of a tax audit. 
This requirement does not necessarily include the credit card number, just a record of the transaction. The only reason to store the number would be in the event of a charge-back, but if you have the card number only, and the date & transaction amount, you can still deal with the charge-back. Another reason might be to attempt to data-mine purchases by a specific card number and attempt targeted advertising, or sell the demographic data. Still, that's something I'd outsource and get that data off of MY servers. However, if you are storing any track data after the authorization you're in violation of the PCI-DSS v1.1 in a couple of places. The preface of 1.1 states quite clearly: ** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted). Section 3 deals specifically with data retention and again states not to retain data after authorization. It does provide a caveat, but unless you're in the data mining business, I can't think of a reason (at least in our business model) that we'd want to retain this data one second longer than necessary: [Quote] PCI DSS v1.1 section 3.2.1 In the normal course of business, the following data elements from the magnetic stripe may need to be retained: the accountholder's name, primary account number (PAN), expiration date, and service code. To minimize risk, store only those data elements needed for business. NEVER store the card verification code or value or PIN verification value data elements. Note: See "Glossary" for additional information. [End Quote] If you stop and think about the liability you take upon yourself when you allow this data to reside in your company, you'd probably purge your servers of it as expeditiously as possible. A good analogy, I think, would be this: Keeping card data you are not actively using, is like agreeing to allow a friend to store his illegal drugs at your house, because the police are watching his house. 
It just doesn't make sense to take that kind of risk, and it is the sort of risk that provides no sort of positive return. It's just risk that sits there waiting for the law of averages to bite you. -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Sean Steele Sent: Tuesday, April 03, 2007 9:01 AM To: dataloss at attrition.org Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled I'm familiar with PCI-DSS standards for DAR encryption for cardholder information, but less sure of retention requirements. Does anyone know conclusively if TJX was simply retaining cardholder data per regulations? -Sean -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of DAIL, ANDY Sent: Tuesday, April 03, 2007 9:49 AM To: dataloss at attrition.org Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled I don't care if you're using 1024 bit encryption with an atomic booby-trap, there is no business reason to retain that much card data for such a long period after authorization. Especially magnetic track data!! In the final analysis, if the data were not being retained, the data could not be stolen. TJX is a perfect case-in-point of a retailer who is afraid to purge historical data, or does not spend the effort to triage the data to determine what is obsolete. Data Management policy anyone? -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh Sent: Monday, April 02, 2007 5:42 PM To: dataloss at attrition.org Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote: > It should make for a short list of suspects, assuming TJX was doing a > reasonable job of key management... That (reasonable key management) is a critical assumption. 
I'd be interested in learning what algorithm (and implementation thereof) they were using, as well. Not holding my breath on that info :^) cw _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 203 million compromised records in 609 incidents over 7 years. This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments. _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 203 million compromised records in 609 incidents over 7 years. _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 203 million compromised records in 609 incidents over 7 years. This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments. From bkdelong at pobox.com Tue Apr 3 17:46:43 2007 From: bkdelong at pobox.com (B.K. 
DeLong) Date: Tue, 3 Apr 2007 13:46:43 -0400 Subject: [Dataloss] TJX breach shows that encryption can be foiled In-Reply-To: <90D8CEF754D7D9448BA11172BB504432052580B7@orange.brnets.int> References: <39C3168B-F87E-4C6E-8595-308BAB9BE2DE@cwalsh.org> <8CA58E707BB1C44385FA71D02B7A1C8EC70A8B@mds3aex0e.USISUNOCOINC.com> <90D8CEF754D7D9448BA11172BB504432052580B7@orange.brnets.int> Message-ID: I think Andy's got it covered but I'm confident the amount of data (including Track 2) they were retaining was above and beyond the PCI-DSS maximum; especially with such a failure cryptography-wise. On 4/3/07, Sean Steele wrote: > I'm familiar with PCI-DSS standards for DAR encryption for cardholder > information, but less sure of retention requirements. > > Does anyone know conclusively if TJX was simply retaining cardholder > data per regulations? > > -Sean > > -----Original Message----- > From: dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] On Behalf Of DAIL, ANDY > Sent: Tuesday, April 03, 2007 9:49 AM > To: dataloss at attrition.org > Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled > > > > I don't care if you're using 1024 bit encryption with an atomic > booby-trap, there is no business reason to retain that much card data > for such a long period after authorization. Especially magnetic track > data!! > > In the final analysis, if the data were not being retained, the data > could not be stolen. > > TJX is a perfect case-in-point of a retailer who is afraid to purge > historical data, or does not spend the effort to triage the data to > determine what is obsolete. Data Management policy anyone? 
> > > > -----Original Message----- > From: dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh > Sent: Monday, April 02, 2007 5:42 PM > To: dataloss at attrition.org > Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled > > > > On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote: > > > It should make for a short list of suspects, assuming TJX was doing a > > reasonable job of key management... > > That (reasonable key management) is a critical assumption. > > I'd be interested in learning what algorithm (and implementation > thereof) they were using, as well. > > Not holding my breath on that info :^) > > cw > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss Tracking more than 203 million compromised > records in 609 incidents over 7 years. > > This message and any files transmitted with it is intended solely for > the designated recipient and may contain privileged, proprietary or > otherwise private information. Unauthorized use, copying or distribution > of this e-mail, in whole or in part, is strictly prohibited. If you have > received it in error, please notify the sender immediately and delete > the original and any attachments. > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 203 million compromised records in 609 incidents over > 7 years. > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 203 million compromised records in 609 incidents over 7 years. > -- B.K. DeLong (K3GRN) bkdelong at pobox.com +1.617.797.8471 http://www.wkdelong.org Son. http://www.ianetsec.com Work. http://www.bostonredcross.org Volunteer. http://www.carolingia.eastkingdom.org Service. http://bkdelong.livejournal.com Play. 
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE FOAF: http://foaf.brain-stream.org From james at iqbio.net Tue Apr 3 18:20:00 2007 From: james at iqbio.net (James Childers) Date: Tue, 3 Apr 2007 11:20:00 -0700 Subject: [Dataloss] TJX breach shows that encryption can be foiled In-Reply-To: References: <39C3168B-F87E-4C6E-8595-308BAB9BE2DE@cwalsh.org><8CA58E707BB1C44385FA71D02B7A1C8EC70A8B@mds3aex0e.USISUNOCOINC.com><90D8CEF754D7D9448BA11172BB504432052580B7@orange.brnets.int> Message-ID: <88677D8E4FBE2A4C9CEF9FBF8F38E7051A0261@prometheus.HQ.IQBIO.NET> From what I understand extended retention of Track 2 data along with CVV (as evidenced from some media reports) is strictly against PCI-DSS standards - especially when they were also capturing drivers license and address details and coordinating these records in a single database. Perfect tool for ID thieves if you ask me... Are there any other regulatory penalties or fines (other than PCI non-compliance) that TJX could get hit with? What safeguards should be put in place to prevent this stupidity in the future? WRT cryptography - once the database is "decrypted" and available for viewing in raw form on any terminal, it can be captured quite easily with a trojan or any other logger. From what I have been able to gather they were using a proprietary system of PKI and not maintaining a good key management system. Does anyone else have other data? Were they using strictly SW encryption or were they using a hardware token? Single factor? Multi-Factor authentication? Local or remote storage of keys? Terminal emulation, Windows server, Linux, SQL, Etc... Any data would be helpful. 
James (Jim) Childers President / Owner Artemis Solutions Group (USA) BioCert(r) - iQBio(tm) - BioSaf(r) www.iqbio.com USA Headquarters PO Box 403 1635 East Main Street Suite A-8 Freeland, WA 98249 Phone - (360) 331-1071 X-2101 -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of B.K. DeLong Sent: Tuesday, April 03, 2007 10:47 AM To: Sean Steele Cc: dataloss at attrition.org Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled I think Andy's got it covered but I'm confident the amount of data (including Track 2) they were retaining was above and beyond the PCI-DSS maximum; especially with such a failure cryptography-wise. On 4/3/07, Sean Steele wrote: > I'm familiar with PCI-DSS standards for DAR encryption for cardholder > information, but less sure of retention requirements. > > Does anyone know conclusively if TJX was simply retaining cardholder > data per regulations? > > -Sean > > -----Original Message----- > From: dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] On Behalf Of DAIL, ANDY > Sent: Tuesday, April 03, 2007 9:49 AM > To: dataloss at attrition.org > Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled > > > > I don't care if you're using 1024 bit encryption with an atomic > booby-trap, there is no business reason to retain that much card data > for such a long period after authorization. Especially magnetic track > data!! > > In the final analysis, if the data were not being retained, the data > could not be stolen. > > TJX is a perfect case-in-point of a retailer who is afraid to purge > historical data, or does not spend the effort to triage the data to > determine what is obsolete. Data Management policy anyone? 
> > > > -----Original Message----- > From: dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh > Sent: Monday, April 02, 2007 5:42 PM > To: dataloss at attrition.org > Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled > > > > On Apr 2, 2007, at 2:44 PM, Casey, Troy # Atlanta wrote: > > > It should make for a short list of suspects, assuming TJX was doing a > > reasonable job of key management... > > That (reasonable key management) is a critical assumption. > > I'd be interested in learning what algorithm (and implementation > thereof) they were using, as well. > > Not holding my breath on that info :^) > > cw > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss Tracking more than 203 million compromised > records in 609 incidents over 7 years. > > This message and any files transmitted with it is intended solely for > the designated recipient and may contain privileged, proprietary or > otherwise private information. Unauthorized use, copying or distribution > of this e-mail, in whole or in part, is strictly prohibited. If you have > received it in error, please notify the sender immediately and delete > the original and any attachments. > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 203 million compromised records in 609 incidents over > 7 years. > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 203 million compromised records in 609 incidents over 7 years. > -- B.K. DeLong (K3GRN) bkdelong at pobox.com +1.617.797.8471 http://www.wkdelong.org Son. http://www.ianetsec.com Work. http://www.bostonredcross.org Volunteer. http://www.carolingia.eastkingdom.org Service. http://bkdelong.livejournal.com Play. 
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From SSteele at infolocktech.com Tue Apr 3 18:31:36 2007
From: SSteele at infolocktech.com (Sean Steele)
Date: Tue, 3 Apr 2007 14:31:36 -0400
Subject: [Dataloss] TJX breach shows that encryption can be foiled
In-Reply-To: <88677D8E4FBE2A4C9CEF9FBF8F38E7051A0261@prometheus.HQ.IQBIO.NET>
References: <39C3168B-F87E-4C6E-8595-308BAB9BE2DE@cwalsh.org> <8CA58E707BB1C44385FA71D02B7A1C8EC70A8B@mds3aex0e.USISUNOCOINC.com> <90D8CEF754D7D9448BA11172BB504432052580B7@orange.brnets.int> <88677D8E4FBE2A4C9CEF9FBF8F38E7051A0261@prometheus.HQ.IQBIO.NET>
Message-ID: <90D8CEF754D7D9448BA11172BB504432052886E6@orange.brnets.int>

James,

You pose some interesting questions re: what other regulations TJX is likely non-compliant with -- as a public company, I'd guess their SOX 404 controls should be examined. GLBA may come into play, though they're not a finsrv company.

Who is their PCI-DSS auditor and are the results of their most recent audit either able to be requested or legally discoverable outside a lawsuit?

The PCI Security Standards Council is a private, non-profit organization, so FOIA can't be used to force disclosure from them, correct?

FWIW, I was a victim of this breach. I had my debit card re-issued by my bank this week. It's the first one of 2007 for me ;-(

--
Sean Steele, CISSP
infoLock Technologies
703.310.6478 direct
202.270.8672 mobile
ssteele at infolocktech.com

-----Original Message-----
From: James Childers [mailto:james at iqbio.net]
Sent: Tuesday, April 03, 2007 2:20 PM
To: B.K. DeLong; Sean Steele
Cc: dataloss at attrition.org
Subject: RE: [Dataloss] TJX breach shows that encryption can be foiled

From what I understand extended retention of Track 2 data along with CVV (as evidenced from some media reports) is strictly against PCI-DSS standards - especially when they were also capturing drivers license and address details and coordinating these records in a single database. Perfect tool for ID thieves if you ask me...

Are there any other regulatory penalties or fines (other than PCI non-compliance) that TJX could get hit with? What safeguards should be put in place to prevent this stupidity in the future?

WRT cryptography - once the database is "decrypted" and available for viewing in raw form on any terminal, it can be captured quite easily with a trojan or any other logger. From what I have been able to gather they were using a proprietary system of PKI and not maintaining a good key management system. Does anyone else have other data? Were they using strictly SW encryption or were they using a hardware token? Single factor? Multi-Factor authentication? Local or remote storage of keys? Terminal emulation, Windows server, Linux, SQL, Etc... Any data would be helpful.

James (Jim) Childers
President / Owner
Artemis Solutions Group (USA)
BioCert(r) - iQBio(tm) - BioSaf(r)
www.iqbio.com
USA Headquarters
PO Box 403
1635 East Main Street Suite A-8
Freeland, WA 98249
Phone - (360) 331-1071 X-2101

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of B.K. DeLong
Sent: Tuesday, April 03, 2007 10:47 AM
To: Sean Steele
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

I think Andy's got it covered but I'm confident the amount of data (including Track 2) they were retaining was above and beyond the PCI-DSS maximum; especially with such a failure cryptography-wise.

On 4/3/07, Sean Steele wrote:
> [...]

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
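The point Andy Dail and James Childers make in the thread above (no business reason to keep Track 2 data after authorization, and CVV retained alongside the PAN is exactly what PCI-DSS forbids at rest) is something a retention audit can check mechanically. What follows is an added example, not code from this list, from any of the posters, or from TJX: a scan over constructed transaction records that flags full Track 2 data, card verification values and unmasked PANs still stored after authorization, using a Luhn check so that order numbers and other long digit runs do not show up as findings. The record layout, the field names (pan, swipe, cvv2, order_ref) and the sample rows are constructed assumptions; the PANs are commonly published test numbers, not real cards.

```python
"""Retention audit over stored payment records (added example, constructed data).

Flags what must not be at rest after authorization: full Track 2 data and
card verification values, plus primary account numbers (PANs) stored unmasked.
Record layout, field names and sample values are constructed assumptions for
this example, not TJX's or any real system's schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Track 2 as written by a card reader: ;<PAN>=<YYMM><service code><discretionary>?
# The start sentinel, separator and end sentinel may already have been stripped.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# A 13-19 digit run, optionally broken by spaces or hyphens, is a PAN candidate.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
CVV_RE = re.compile(r"^\d{3,4}$")
# Column names under which card verification values tend to be stored (assumed).
CVV_FIELDS = {"cvv", "cvv2", "cvc2", "cid"}


def luhn_ok(digits: str) -> bool:
    """Luhn check; separates real PANs from order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    record_id: str
    field: str
    issue: str


def audit_record(rec: dict) -> list[Finding]:
    """Return one Finding per retention violation found in a single stored record."""
    findings: list[Finding] = []
    rid = str(rec.get("id", "?"))
    for name, value in rec.items():
        if not isinstance(value, str):
            continue
        m = TRACK2_RE.search(value)
        if m and luhn_ok(m.group(1)):
            findings.append(Finding(rid, name, "full Track 2 retained after authorization"))
            continue  # the PAN inside the track would otherwise be reported twice
        for pm in PAN_RE.finditer(value):
            digits = re.sub(r"\D", "", pm.group(0))
            if luhn_ok(digits):
                findings.append(Finding(rid, name, "unmasked PAN stored in clear"))
        if name.lower() in CVV_FIELDS and CVV_RE.match(value):
            findings.append(Finding(rid, name, "card verification value retained"))
    return findings


def issues_by_record(records: list[dict]) -> dict[str, list[str]]:
    """Group issue descriptions by record id; records with no findings are absent."""
    out: dict[str, list[str]] = {}
    for rec in records:
        for f in audit_record(rec):
            out.setdefault(f.record_id, []).append(f.issue)
    return out


# Constructed sample rows; the PANs are commonly published test numbers, not real cards.
SAMPLE_RECORDS = [
    # Compliant: PAN masked to first six / last four, no authentication data kept.
    {"id": "txn-0001", "pan": "411111******1111", "auth_code": "123456", "amount": "19.99"},
    # Full Track 2 left in a "swipe" column after the authorization came back.
    {"id": "txn-0002", "swipe": ";4012888888881881=25121011234567890?", "amount": "42.00"},
    # Clear PAN with spaces, and the CVV2 kept alongside it.
    {"id": "txn-0003", "pan": "4111 1111 1111 1111", "cvv2": "737", "amount": "5.50"},
    # A 16-digit order reference that fails Luhn: not a card, so no finding.
    {"id": "txn-0004", "order_ref": "1234567890123456", "amount": "7.00"},
]

if __name__ == "__main__":
    for rid, issues in issues_by_record(SAMPLE_RECORDS).items():
        print(rid, "->", "; ".join(issues))
```

Run stand-alone it prints one line per offending record (txn-0002 and txn-0003 here). In a real audit the same checks would run column by column over the transaction store, and the first question after any hit is why the field exists at all, which is Andy's point: data that has been purged cannot be stolen.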
From Dissent at pogowasright.org Tue Apr 3 19:09:47 2007
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 03 Apr 2007 15:09:47 -0400
Subject: [Dataloss] TJX breach shows that encryption can be foiled
Message-ID: <7.0.0.16.2.20070403150635.022a5a48@nowhere.org>

Forwarded for snippage purposes.

Return-Path:
Message-ID: <4612A466.1070707 at sbcglobal.net>
Date: Tue, 03 Apr 2007 15:00:54 -0400

So was my wife. If history can tell parts of the future, I think that the next item will be a suit from the FTC for unfair business practice which will end up with 10 m fine, 5 m relief, and every other year an audit from a security specialist, for 20 years. That is what Cardservices and Choicepoint settled with the FTC last year. BTW, FTC has adopted GLBA as the standard to protect Business to consumer relationships.

Sean Steele wrote:
> [...]
>
> FWIW, I was a victim of this breach. I had my debit card re-issued by my
> bank this week. It's the first one of 2007 for me ;-(
>
> --
> Sean Steele, CISSP
> infoLock Technologies
> 703.310.6478 direct
> 202.270.8672 mobile
> ssteele at infolocktech.com

From cwalsh at cwalsh.org Tue Apr 3 19:21:11 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 3 Apr 2007 14:21:11 -0500
Subject: [Dataloss] TJX breach shows that encryption can be foiled
In-Reply-To: <7.0.0.16.2.20070403150635.022a5a48@nowhere.org>
References: <7.0.0.16.2.20070403150635.022a5a48@nowhere.org>
Message-ID: <20070403192108.GB24958@cwalsh.org>

Not sure of the jurisdictional issues, but since this seems also to have affected people in CA and the UK, it could get quite interesting.

cw

From DAplin at bna.com Tue Apr 3 19:24:20 2007
From: DAplin at bna.com (Donald Aplin)
Date: Tue, 3 Apr 2007 15:24:20 -0400
Subject: [Dataloss] TJX breach shows that encryption can be foiled
In-Reply-To: <7.0.0.16.2.20070403150635.022a5a48@nowhere.org>
Message-ID:

Section 5 of the FTC Act does NOT provide for any fines against companies for data security breaches. CardSystems was not fined a penny in the settlement with FTC, nor was DSW in its settlement, nor BJ's before that. The presence of an independent Fair Credit Reporting Act claim in the ChoicePoint action allowed for the imposition of a $10 million fine.

Donald G. Aplin
Legal Editor
BNA's Privacy & Security Law Report
(202) 452-4688

From Dan.Good at evault.com Tue Apr 3 19:25:18 2007
From: Dan.Good at evault.com (Dan Good)
Date: Tue, 3 Apr 2007 12:25:18 -0700
Subject: [Dataloss] TJX breach shows that encryption can be foiled
In-Reply-To: <7.0.0.16.2.20070403150635.022a5a48@nowhere.org>
Message-ID:

Without quick severe financial penalties imposed, this will continue to happen. Brand Damage is not enough because the companies that breach confidential customer data pass the buck and blame their vendor(s).

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Dissent
Sent: Tuesday, April 03, 2007 3:10 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

Forwarded for snippage purposes.

[...]

From bkdelong at pobox.com Tue Apr 3 19:32:05 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Tue, 3 Apr 2007 15:32:05 -0400
Subject: [Dataloss] TJX breach shows that encryption can be foiled
In-Reply-To:
References: <7.0.0.16.2.20070403150635.022a5a48@nowhere.org>
Message-ID:

As I previously mentioned in my "rant", (which I really should post on Attrition), the PCI Co is not disclosing the fines and loss of processing privileges that is going on behind the scenes. Those with influence, (press, vendors, customers), should endeavor to have PCI co make at least minimal information public such as number of fines per quarter and total amount money-wise as well as how many companies lost processing privileges.

No public accountability....very dull teeth.

On 4/3/07, Dan Good wrote:
> Without quick severe financial penalties imposed, this will continue to
> happen. Brand Damage is not enough because the companies that breach
> confidential customer data pass the buck and blame their vendor(s).
>
> [...]

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From james_ritchie at sbcglobal.net Tue Apr 3 19:54:03 2007
From: james_ritchie at sbcglobal.net (James Ritchie, CISA, QSA)
Date: Tue, 03 Apr 2007 15:54:03 -0400
Subject: [Dataloss] TJX breach shows that encryption can be foiled
In-Reply-To:
References:
Message-ID: <4612B0DB.1000802@sbcglobal.net>

FTC settlements

http://www.ftc.gov/opa/2006/02/cardsystems_r.htm
http://www.ftc.gov/opa/2006/01/choicepoint.htm

Donald Aplin wrote:
> Section 5 of the FTC Act does NOT provide for any fines against
> companies for data security breaches. CardSystems was not fined a
> penny in the settlement with FTC, nor was DSW in its settlement,
> nor BJ's before that. The presence of an independent Fair Credit
> Reporting Act claim in the ChoicePoint action allowed for the
> imposition of a $10 million fine.
>
> Donald G. Aplin
> Legal Editor
> BNA's Privacy & Security Law Report
> (202) 452-4688

--
James Ritchie
MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+

Attachments with this email, not explicitly referenced, should not be opened. Always scan your email and their associated attachments for viruses prior to opening.

This message and any accompanying documents are confidential and may contain information covered under the Privacy Act, 5 USC 552(a), the Health Insurance Portability and Accountability Act (PL 104-191), or the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and its various implementing regulations and must be protected in accordance with those provisions. Unauthorized disclosure or failure to maintain the confidentiality of the information may result in civil or criminal sanctions.

This e-mail is strictly confidential and intended solely for the addressee. Should you not be the intended addressee you have no right to any information contained in this e-mail. If you received this message by mistake you are kindly requested to inform us of this and to destroy the message.

From kfelten at gmail.com Tue Apr 3 20:47:39 2007
From: kfelten at gmail.com (Katie Felten)
Date: Tue, 3 Apr 2007 15:47:39 -0500
Subject: [Dataloss] TJX breach shows that encryption can be foiled
In-Reply-To:
References: <7.0.0.16.2.20070403150635.022a5a48@nowhere.org>
Message-ID: <007801c77631$527df510$f779df30$@com>

We are seeing so much dataloss when will these companies begin to pay fines.

Katie Felten, CITRMS
Data Security & Privacy Specialist
Certified Identity Theft Risk Management Specialist
www.getsmartcomply.com

K Felten & Associates, LLC
N78W14573 Appleton Ave #297
Menomonee Falls, WI 53051
Direct 262-227-0772
Katie at k-felten.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Donald Aplin
Sent: Tuesday, April 03, 2007 2:24 PM
To: Dissent
Cc: dataloss-bounces at attrition.org; dataloss at attrition.org
Subject: Re: [Dataloss] TJX breach shows that encryption can be foiled

[...]

From lyger at attrition.org Tue Apr 3 21:56:52 2007
From: lyger at attrition.org (lyger)
Date: Tue, 3 Apr 2007 21:56:52 +0000 (UTC)
Subject: [Dataloss] FTC Approves Final Guidance Settlement
Message-ID:

(Seems timely considering today's previous discussions.)

http://www.internetnews.com/security/article.php/3669561

Guidance Software's settlement with the Federal Trade Commission (FTC) became official today, almost five months after the Pasadena, Calif.-based computer forensics specialist admitted it did not adequately protect customer data.

Victimized by a December 2005 data breach and theft of 4,000 credit card numbers, Guidance agreed to implement a comprehensive information security program, including independent, third-party audits every other year for the next ten years.

[...]

From hbrown at knology.net Wed Apr 4 10:26:57 2007
From: hbrown at knology.net (Henry Brown)
Date: Wed, 04 Apr 2007 05:26:57 -0500
Subject: [Dataloss] cyber crime & data breach reporting
Message-ID: <46137D71.6060801@knology.net>

http://scmagazine.com/uk/news/article/648626/third-businesses-fail-report-e-crime/

Third of businesses fail to report e-crime
Fiona Raisbeck
Apr 4 2007 11:13

A third of businesses are failing to report information security crimes and breaches, according to the latest research by Infosecurity Europe. Yet the study, which sought the views of 285 companies plus a panel of 20 chief security officers (CSOs), found that organisations are subject to attempted e-crime every day.

"From my experience as a media lawyer, reporting crime to the police is a double edged sword as invariably the press have found out about the incident within 24 hours of reporting it to the police, creating a real PR risk," explains media lawyer Jonathan Coad from Swan Turton.

However, Tony Neate, managing director of GetSafeOnline, argues that in order to gauge the true extent of the problem cybercrime must be reported. "This can only be measured if we report incidents when they occur," he said. "Without collating the scale of the e-crime problem, we will never truly be aware of the cost to society at large and the measures that need to be put in place to fight it."

Phillip Virgo, secretary general of EURIM, added: "The time has come to respond to the needs of the customer for security tools they can understand, realistic advice, guidance and support on how to use them and for reporting systems that will route their enquiry to someone who will respond - be it law enforcement or technical support."

From ADAIL at sunocoinc.com Wed Apr 4 15:35:43 2007
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Wed, 4 Apr 2007 11:35:43 -0400
Subject: [Dataloss] TX: RadioShack customers' personal info found in dumpster
In-Reply-To:
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC70A9B@mds3aex0e.USISUNOCOINC.com>

Here is an update to Lyger's original story.

http://www.darkreading.com/document.asp?doc_id=121092&WT.svl=news1_3

Garbage Out, Cops In
APRIL 3, 2007

When Texas Attorney General Greg Abbott filed legal action against Radio Shack yesterday for illegally dumping documents containing personal information, it wasn't the first time he stuck his nose in someone else's garbage. In fact, he's done it three times in the last two weeks -- and he's not done yet.
Abbott and his team gained national attention yesterday when the Texas Attorney General's Office filed an action against a Radio Shack store in Portland, Texas -- near Corpus Christi -- for allegedly exposing thousands of customers' personal information in a bulk garbage dump behind the store. The documents contained Social Security numbers, credit card information, and addresses.

Radio Shack is accused of violating the 2005 Identity Theft Enforcement and Protection Act, a Texas state law that requires the protection and proper destruction of clients' sensitive personal information. The company faces penalties of up to $50,000 for each violation.

But Radio Shack isn't the only company in hot water over garbage disposal. On March 14, Abbott took action against Jones Beauty College of Dallas for improperly discarding student financial aid forms. Just a day before that, he threw the book at On Track Modeling, a N.C.-based talent agency that abruptly shut down its Grand Prairie, Texas office and abandoned more than 60 boxes containing hundreds of confidential client records.

"Identity theft is one of the fastest-growing crimes in the United States," said Abbott in a statement following the Radio Shack filing. "Texans expect their personal information to be protected. The Office of the Attorney General will take all necessary steps to ensure that consumers are protected from identity thieves."

Checking the trash may seem above and beyond the call of a police officer's duty, but as identity theft becomes more visible, law enforcement agencies are obliged to demonstrate their willingness to do something about it, observers say. Last Wednesday, U.S. marshals took some heat when they evicted a temporary staffing company from a D.C. office building and left boxes of personal files on the street.

If Abbott's prosecutions are successful, they could bring pressure on companies to be more diligent in how they store and dispose of personal information, even in branch offices or retail outlets. The Texas laws apply to any company that improperly dumps personal data in the state, even if it is headquartered elsewhere, he asserts. Several states, including R.I. and S.C., have enacted data protection laws similar to those in Texas.

- Tim Wilson, Site Editor, Dark Reading

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger
Sent: Thursday, March 29, 2007 12:06 PM
To: dataloss at attrition.org
Subject: [Dataloss] TX: RadioShack customers' personal info found in dumpster

http://sanantonio.bizjournals.com/dallas/stories/2007/03/26/daily28.html

Thousands of payment slips showing the credit card numbers and other personal information of RadioShack employees were found in a dumpster behind a Corpus Christi-area RadioShack, a news station reported Wednesday.

According to the KZTV report, a man rummaging through trash behind a RadioShack store in Portland, Texas, found nearly 20 boxes of discarded records.

[...]
From lyger at attrition.org Wed Apr 4 18:16:42 2007
From: lyger at attrition.org (lyger)
Date: Wed, 4 Apr 2007 18:16:42 +0000 (UTC)
Subject: [Dataloss] UCSF reports possible compromise in computer security
Message-ID:

http://pub.ucsf.edu/newsservices/releases/200704041/

UCSF is notifying students, faculty, and staff that their personal information may have been accessed by an unauthorized party due to a possible compromise in security of a computer server. The server did not contain any patient names or patient information.

There is no evidence at this time that any specific information was accessed, according to Randy Lopez, co-chief information officer for the Office of Academic and Administration Information Systems.

As a precautionary measure, the University is contacting about 46,000 individuals to alert them to look for signs of identity theft and advise them of steps to protect personal information. The contact list is comprised of students, faculty, and staff associated with UCSF or UCSF Medical Center over the past two years.

[...]

From Dissent at pogowasright.org Thu Apr 5 11:54:49 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 05 Apr 2007 07:54:49 -0400
Subject: [Dataloss] Personal data at risk in lost IRS laptops
Message-ID: <7.0.0.16.2.20070405075321.0229e800@nowhere.org>

http://www.usatoday.com/money/perfi/credit/2007-04-05-irs-usat_N.htm?csp=34

At least 490 IRS computers have been stolen or lost since 2003 in security breaches that potentially jeopardized the personal information of more than 2,000 taxpayers, a government audit reported Wednesday.

The computers were lost in 387 incidents, most of which were not reported to the IRS computer security office as required, according to the report by the Treasury Inspector General for Tax Administration. The audit also found that IRS laptops lacked adequate password controls and encryption software that would protect taxpayer information and other data.

"This is a serious concern," said Inspector General J. Russell George, whose findings quantified one of several recent computer security breaches involving federal agencies. "The American public relies on the IRS to protect the personal information they provide."

IRS Commissioner Mark Everson said the agency was unaware of any identity thefts stemming from the loss of the laptops. The IRS has "moved aggressively" since last summer to strengthen protection of taxpayer data, he said.

The audit focused on computer security incidents from January 2003 to June 2006 involving IRS personnel authorized to take electronic files outside their offices. Some of the incidents were previously made public in media or government reports.

The IRS has assigned more than 52,000 laptops to its workers. While acknowledging that the IRS can't completely avoid computer thefts or losses, auditors found that many of the laptops had been stolen from vehicles, homes or other locations where the units had been left unattended or not locked up.

Personal data on at least 2,359 individuals were lost in the incidents, auditors found. Based on an examination that showed other IRS computers had unencrypted taxpayer and employee data, plus inadequate password protection, auditors reported it's "likely that a large number of the lost or stolen IRS computers could be accessed by unauthorized individuals."

IRS rules require employees to report lost or stolen computers to the agency's computer security office and the inspector general. Auditors determined that 76% of the incidents were not reported to IRS security personnel, who "could have helped negate the risk to taxpayers."

The auditors recommended that the IRS improve its response to computer security breaches by assessing the risk to taxpayers whose data could be threatened. The IRS should also periodically remind workers about security rules and provide instructions for encryption software, the audit said.

"Protection of taxpayer data is a top priority," said Everson, who said IRS laptops are now encrypted before they're issued to employees. Also, the agency now assesses the potential threat to taxpayers in all computer losses and stresses security training, he said.

--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From lyger at attrition.org Fri Apr 6 00:00:51 2007
From: lyger at attrition.org (lyger)
Date: Fri, 6 Apr 2007 00:00:51 +0000 (UTC)
Subject: [Dataloss] Pension data loss could put DCH employees, retirees at risk
Message-ID:

http://www.tuscaloosanews.com/article/20070405/TL01/70405018/-1/NEWS03

The social security numbers and other personal identification data of 6,000 DCH Health System employees are missing, raising concerns about the possibility of identity theft.

An encrypted disc and hardcopy documents containing the personal identification information were lost by a consultant company -- Mercer Human Resources Consulting -- that reviews the DCH pension plan to determine the annual employer contribution requirements. Neither Mercer nor DCH were aware of any of the information being accessed or illegally misused.

Mercer notified DCH on March 22 that a package of documents containing retirement benefit information had disappeared. The pension documents had been mailed from Mercer offices in Birmingham March 2, but disappeared after reaching its intended destination in Louisiana.

[...]

From jericho at attrition.org Fri Apr 6 08:53:19 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 6 Apr 2007 08:53:19 +0000 (UTC)
Subject: [Dataloss] Title Agency Warns Customers About Security Breach (fwd)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://ktar.com/?nid=6&sid=440413

By Kevin Tripp
KTAR
April 5th, 2007

There's a new warning about identity theft.
Security Title Agency in Phoenix is warning customers about a security breach. About five weeks ago their Web site was altered by computer hackers. Customer information is stored on the same server as the Web site. The company believes that information is safe. They say they hackers "defaced" their website and likened them to "graffiti artists." "Even if a hacker hacks into a website as a joke, they're not specifically targeting your personal information. That still doesn't mean they didn't get and the company can't honestly say they didn't get your personal information," says Bob Hartle from ID Theft Services. Hackers have the ability to gather information off a business' Web site. So if somebody hacks into Security's Web site, they have the ability to take off the website whatever they want. Security Title Agency admits it's not "100 percent sure" customer information wasn't obtained. But the company is providing free credit monitoring for its customers. "What the business community is not doing is making the Internet safe. And apparently they can't do it because you're hearing about all these security breaches," says Hartle. From lyger at attrition.org Fri Apr 6 18:27:58 2007 From: lyger at attrition.org (lyger) Date: Fri, 6 Apr 2007 18:27:58 +0000 (UTC) Subject: [Dataloss] Hortica Alerting Public to Loss of Backup Tapes Message-ID: http://www.pr-inside.com/hortica-alerting-public-to-loss-of-r87434.htm Florists' Mutual Insurance Company (Hortica), an Illinois-based provider of employee benefits and insurance to companies in the horticultural industry, today announced that a locked shipping case containing magnetic backup tapes cannot be located. Hortica believes that the backup tapes contained personal information including names, Social Security numbers, drivers' license numbers, and/or bank account numbers. The locked shipping case was being transported by UPS from a secure offsite facility to the company's Illinois headquarters. 
UPS informed Hortica that the shipping case could not be located, and Hortica has been working with UPS in an attempt to locate the case. On April 5, 2007, UPS notified Hortica that all internal recovery processes had been exhausted and the shipping case could not be located.

[...]


From Dissent at pogowasright.org Sat Apr 7 15:09:18 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 07 Apr 2007 11:09:18 -0400
Subject: [Dataloss] Stolen laptops contain data on 40,000 Chicago schools employees
Message-ID: <7.0.0.16.2.20070407110821.02425288@nowhere.org>

http://www.daily-journal.com/archives/dj/display.php?id=392152

Two laptop computers stolen from Chicago Public Schools headquarters Friday contain the names and Social Security numbers of about 40,000 current and former employees, officials said.

The theft occurred at the downtown offices about noon, and a suspect's image was captured by surveillance video, CPS said in a statement. No one was in custody late Friday and a Chicago police spokesman said he had no information on the theft.

The names and Social Security numbers belong to any current and former CPS employees who contributed to the system's Teacher Pension Fund from 2003 to 2006. That includes teachers, principals and assistant principals, the statement said. The laptops do not contain addresses or birth dates.

[...]

-- 
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss


From Dissent at pogowasright.org Sun Apr 8 17:35:19 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sun, 08 Apr 2007 13:35:19 -0400
Subject: [Dataloss] Rogers data on clients found in lot
Message-ID: <7.0.0.16.2.20070408133418.02265d40@nowhere.org>

http://www.thestar.com/News/article/200727

A Toronto resident found hundreds of Rogers order forms -- complete with names, addresses, phone numbers, driver's licence numbers and, in a few cases, what appear to be credit card and SIN numbers -- tucked behind a coffee shop and strewn across a parking lot and park on Mutual St. in downtown Toronto yesterday.

A random check of some names and numbers on work orders for both cable and Internet services found that some clients had had the work done a number of years ago. In some cases they no longer lived at the address.

Some order forms were dated March 2002. One order dated back seven or eight years, according to one of the clients reached at home.

[...]

Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss


From Dissent at pogowasright.org Mon Apr 9 15:17:50 2007
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 09 Apr 2007 11:17:50 -0400
Subject: [Dataloss] Turbo Tax Error
Message-ID: <7.0.0.16.2.20070409111632.022cd678@nowhere.org>

http://www.wrcbtv.com/news/index.cfm?sid=7473

A Nebraska woman recently discovered a shocking flaw with a website thousands of people use to prepare their taxes. Instead of taking advantage of this potential gold mine for identity thieves, she is calling attention to it to protect other taxpayers.

In her laptop, Jennifer discovered a key to the backdoor of some tax returns filed online through Turbo Tax. A Turbo Tax customer herself, Jennifer attempted to access some past filings and the route she took online opened returns for several others with the same last name, but different first initials.

For security reasons we're not revealing the common last name or how Jennifer inadvertently gained access to three other Turbo Tax accounts. She was able to access tax returns for three Turbo Tax customers she never met in different parts of the country.

There on her screen was everything needed for electronic filing, from bank account to routing digits and of course social security numbers.

An Omaha-based official with the Turbo Tax parent company says the inadvertent access to some tax files came as a shock.

"We think it was a quirk, an individual circumstance as far as we know. So what we did is we took that link down in the product for now until we can fully investigate to make sure the issue won't happen again to anybody else," says Gordon Whitten.

Jennifer wouldn't want an internet stranger peeking into her tax filings so she'll delete any information that opened the back door to others with the same last name.

This does not involve the Turbo Tax software, only the website that allows taxpayers to create an account and do their taxes there. Company officials say the inadvertent window of opportunity for potential thieves has been closed.

Turbo Tax has not received any reports of customer accounts being accessed by identity thieves, and says it is grateful the Nebraska customer brought it to the company's attention.

-- 
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss


From jwalker at absolute.com Mon Apr 9 15:45:59 2007
From: jwalker at absolute.com (Jeff Walker)
Date: Mon, 9 Apr 2007 08:45:59 -0700
Subject: [Dataloss] Chicago Public Schools - Laptop Theft
Message-ID: <646F1FBDAF84414BA7892F1D9BD69DB604D8887F@ABSEXCH.absolute.com>

http://www.chicagotribune.com/news/local/chicago/chi-0704070330apr08,1,2319093,print.story?coll=chi-newslocalchicago-hed


From murray.dianne at gmail.com Mon Apr 9 21:02:48 2007
From: murray.dianne at gmail.com (Dianne Murray)
Date: Mon, 9 Apr 2007 17:02:48 -0400
Subject: [Dataloss] Rogers data on clients found in lot
In-Reply-To: <7.0.0.16.2.20070408133418.02265d40@nowhere.org>
References: <7.0.0.16.2.20070408133418.02265d40@nowhere.org>
Message-ID:

http://www.theglobeandmail.com/servlet/story/RTGAM.20070409.wgtrogers09/BNStory/Technology/?cid=al_gam_nletter_dtechal

Rogers blames outside employee after client data found unsecured

Hundreds of customer order forms containing sensitive personal information discovered in Toronto parking lot

JEFF GRAY
Globe and Mail Update

Rogers Communications Inc. was blaming a rogue employee at a company it hired to sell cable TV and high-speed Internet access after hundreds of customer order forms containing sensitive personal information turned up in a downtown Toronto parking lot.

"We are investigating this internally," Taanta Gupta, the company's vice-president of communications, said yesterday after reports of the breach and concerns about the danger of identity theft surfaced in the media.

She said as many as 300 or 400 forms, containing names, addresses, phone numbers, social insurance numbers and driver's licence numbers -- but no credit card numbers, she insisted -- were found by a passerby in a parking lot on Mutual Street, south of Ryerson University.

Normally, she said, the forms, which are up to five years old, would have been kept and eventually destroyed by the third-party company, which she declined to name. But in this case, the forms were traced to a single employee, whom she also would not identify.

She said the worker was no longer with the third-party company, and had been contacted by Rogers. Police have not been called in, she said.

"It appears to be an isolated incident, but we are continuing to complete the investigation," Ms. Gupta said.
The mishap raises questions about the risks major companies -- and their customers -- take when sales or other functions are outsourced to smaller firms, which may or may not have the same level of privacy controls.

John Simke, founder of the Toronto-based Centre for Outsourcing Research and Education, said large firms such as Rogers usually insist on strict language in outsourcing contracts, as well as sanctions, to protect customer privacy.

"These are big companies that live or die on their ability to protect customer data," said Mr. Simke, who has advised banks, corporations and governments on outsourcing. "They wouldn't sacrifice those protections for efficiencies."

He said that if outsourcing is done correctly, customer data would be at no more risk than it would be with possible rogue internal employees. "Clearly if you don't do your homework, don't have a good contract, don't do your due diligence, your risk will increase."

Missing customer data and fears of identity theft have made headlines in recent months. Hackers reportedly stole 47.5 million credit-card numbers from U.S. retail giant TJX Cos., which operates Winners and HomeSense in Canada. The Canadian Imperial Bank of Commerce and fashion retailer Club Monaco have also acknowledged recent data breaches.

Rogers has also been caught in an identity-theft controversy before, with none other than Ted Rogers himself as the victim. In 2005, The Globe revealed that a group linked to the Lebanese militant group Hezbollah "cloned" Mr. Rogers's cellphone, and those of other senior Rogers executives, by duplicating the phones' numbers and their encrypted security codes. The cloned phones were used to make long-distance calls in the Middle East.

On 4/8/07, Dissent wrote:
> http://www.thestar.com/News/article/200727
>
> A Toronto resident found hundreds of Rogers order forms -- complete
> with names, addresses, phone numbers, driver's licence numbers and,
> in a few cases, what appear to be credit card and SIN numbers --
> tucked behind a coffee shop and strewn across a parking lot and park
> on Mutual St. in downtown Toronto yesterday.
>
> A random check of some names and numbers on work orders for both
> cable and Internet services found that some clients had had the work
> done a number of years ago. In some cases they no longer lived at the address.
>
> Some order forms were dated March 2002. One order dated back seven or
> eight years, according to one of the clients reached at home.
>
> [...]
>
>
> Main site: http://www.pogowasright.org
> Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
> Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 204 million compromised records in 615 incidents over 7 years.
>

-- 
Subscribe to Let X = X. Science... with an edge: http://let-x-equal-x.blogspot.com


From lyger at attrition.org Tue Apr 10 14:44:50 2007
From: lyger at attrition.org (lyger)
Date: Tue, 10 Apr 2007 14:44:50 +0000 (UTC)
Subject: [Dataloss] GA: State reports data lost for Medicaid and PeachCare recipients
Message-ID:

http://www.ledger-enquirer.com/mld/ledgerenquirer/news/politics/17055473.htm

A CD containing personal data on Medicaid and PeachCare recipients was lost, Georgia health officials said Tuesday.

The CD contained addresses, birth dates, names and Social Security numbers of participants in the health programs.

The breach was reported to the state by Affiliated Computer Services, a private vendor. It was not immediately clear how many people were affected.

[...]
From lyger at attrition.org Tue Apr 10 14:51:38 2007
From: lyger at attrition.org (lyger)
Date: Tue, 10 Apr 2007 14:51:38 +0000 (UTC)
Subject: [Dataloss] [Update] Personal data on 2.9 million Georgians lost
Message-ID:

http://www.ajc.com/metro/content/metro/stories/2007/04/10/0410metlost_web.html

A CD containing personal information on about 2.9 million Georgians has been lost, state officials said Tuesday.

The data include Social Security numbers, birthdates and addresses of people on Medicaid and PeachCare, but no medical information, according to Department of Community Health spokeswoman Dena Brummer. That agency runs the Medicaid and PeachCare programs in Georgia.

Affiliated Computer Services, a Dallas-based company which handles claims for the two state health programs, lost the CD, the state agency said. ACS will notify the people involved of the lost data.

[...]


From cwalsh at cwalsh.org Tue Apr 10 19:08:13 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 10 Apr 2007 14:08:13 -0500
Subject: [Dataloss] [Update] Personal data on 2.9 million Georgians lost
In-Reply-To:
References:
Message-ID: <20070410190810.GB19735@cwalsh.org>

Are these the same Affiliated Computer Services involved in the Colorado Family Support Registry breach (http://www.cwalsh.org/BreachInfo/primary_sources//pdfs/ACSinc-20061016.PDF)?

On Tue, Apr 10, 2007 at 02:51:38PM +0000, lyger wrote:
>
> http://www.ajc.com/metro/content/metro/stories/2007/04/10/0410metlost_web.html
>
> A CD containing personal information on about 2.9 million Georgians has
> been lost, state officials said Tuesday.
>
> The data include Social Security numbers, birthdates and addresses of
> people on Medicaid and PeachCare, but no medical information, according to
> Department of Community Health spokeswoman Dena Brummer. That agency runs
> the Medicaid and PeachCare programs in Georgia.
>
> Affiliated Computer Services, a Dallas-based company which handles claims
> for the two state health programs, lost the CD, the state agency said. ACS
> will notify the people involved of the lost data.


From fergdawg at netzero.net Tue Apr 10 19:16:33 2007
From: fergdawg at netzero.net (Fergie)
Date: Tue, 10 Apr 2007 19:16:33 GMT
Subject: [Dataloss] [Update] Personal data on 2.9 million Georgians lost
Message-ID: <20070410.121634.694.997399@webmail29.lax.untd.com>


From bkdelong at pobox.com Tue Apr 10 19:46:53 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Tue, 10 Apr 2007 15:46:53 -0400
Subject: [Dataloss] [Update] Personal data on 2.9 million Georgians lost
In-Reply-To: <20070410190810.GB19735@cwalsh.org>
References: <20070410190810.GB19735@cwalsh.org>
Message-ID:

Yeah, looking in the DLDOS (http://attrition.org/dataloss/dataloss.csv), ACS has had 5 breaches since June 2006 totaling roughly 4.3M records, and that's for only 3 of the 5. We don't have a number for the June 2005 Motorola data breach or the February 2006 breach at Denver Intl Airport.

On 4/10/07, Chris Walsh wrote:
> Are these the same Affiliated Computer Services involved in the Colorado Family Support Registry breach (http://www.cwalsh.org/BreachInfo/primary_sources//pdfs/ACSinc-20061016.PDF)?
>
> On Tue, Apr 10, 2007 at 02:51:38PM +0000, lyger wrote:
> >
> > http://www.ajc.com/metro/content/metro/stories/2007/04/10/0410metlost_web.html
> >
> > A CD containing personal information on about 2.9 million Georgians has
> > been lost, state officials said Tuesday.
> >
> > The data include Social Security numbers, birthdates and addresses of
> > people on Medicaid and PeachCare, but no medical information, according to
> > Department of Community Health spokeswoman Dena Brummer. That agency runs
> > the Medicaid and PeachCare programs in Georgia.
> >
> > Affiliated Computer Services, a Dallas-based company which handles claims
> > for the two state health programs, lost the CD, the state agency said. ACS
> > will notify the people involved of the lost data.
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 207 million compromised records in 620 incidents over 7 years.
>

-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org              Volunteer.
http://www.carolingia.eastkingdom.org      Service.
http://bkdelong.livejournal.com            Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org


From lyger at attrition.org Wed Apr 11 23:35:16 2007
From: lyger at attrition.org (lyger)
Date: Wed, 11 Apr 2007 23:35:16 +0000 (UTC)
Subject: [Dataloss] FL: Police: Stolen Laptop Contains Foster Parents' Personal Info
Message-ID:

http://www.local10.com/news/11624491/detail.html

A computer with personal information of thousands of adoptive and foster-care parents has been stolen from a Broward agency.

Last Friday, a laptop computer was stolen from ChildNet Headquarters, 1400 W. Commercial Blvd. Officials at the headquarters said the computer was in a secure office. Police said they believe at least one former employee is responsible.

[...]


From Dissent at pogowasright.org Thu Apr 12 12:52:47 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 12 Apr 2007 08:52:47 -0400
Subject: [Dataloss] [update] Childnet
Message-ID: <7.0.0.16.2.20070412084446.02317190@nowhere.org>

Two stories in the media today with additional details on this breach:

http://www.sun-sentinel.com/news/local/southflorida/sfl-cchildnet12apr12,0,5437573.story?coll=sfla-home-headlines

[...]
Peter Balitsaris, president and CEO of ChildNet, acknowledged at a Wednesday afternoon press conference that the laptop contains financial and credit data, Social Security numbers, driver's license data and passport numbers for ChildNet program applicants. He said the computer doesn't have information about foster children and cannot be accessed without a password. He also said that there are no known full backups of the computer's hard drive, though his staff can work from paper copies of the information.

[...]

http://www.miamiherald.com/467/story/70966.html

The agency responsible for Broward's foster children fired two employees on Wednesday after realizing they had previous criminal records and may have stolen from the agency.

ChildNet had discovered the men's previous convictions, including one for manslaughter, during background checks before they were hired four years ago, but the agency hired them anyway, said Peter Balitsaris, agency president.

[...]

Missing from ChildNet are $8,000 in Wal-Mart gift cards and a laptop with personal information for about 12,000 people, including foster parents and employees. The gray Dell Latitude laptop contained personal information, including driver's license numbers, home addresses and Social Security numbers, Balitsaris said. The computer was used to gather information for background checks, including fingerprint scans.

[...]

Grant was sentenced to prison in 1995 for manslaughter in Palm Beach County and again in 2001 on a cocaine conviction, according to the Florida Department of Corrections. Williams' convictions included burglary in 1988 and battery in 1992, both in Tampa, according to the Florida Department of Law Enforcement.

[...]

-- 
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss


From lyger at attrition.org Thu Apr 12 13:19:25 2007
From: lyger at attrition.org (lyger)
Date: Thu, 12 Apr 2007 13:19:25 +0000 (UTC)
Subject: [Dataloss] SD: BHSU Website Lists Personal Information
Message-ID:

http://www.keloland.com/News/NewsDetail6374.cfm?Id=0,56215

Several students at Black Hills State University in Spearfish were notified Wednesday that their Social Security numbers were mistakenly posted on the college's Web site.

A document announcing scholarship winners included the names and Social Security numbers for 56 students. It was placed online March 29th.

[...]


From Dissent at pogowasright.org Thu Apr 12 13:30:15 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 12 Apr 2007 09:30:15 -0400
Subject: [Dataloss] University of Pittsburgh Medical Center
Message-ID: <7.0.0.16.2.20070412092819.0220bd98@nowhere.org>

http://www.pittsburghlive.com/x/pittsburghtrib/news/cityregion/s_502354.html

The University of Pittsburgh Medical Center was trying to figure out how private information for about 80 patients, including names and Social Security numbers and even radiology images of their bodies, wound up on the Internet.

The information was first put on the Web inadvertently in 2005, then taken down. The information from a medical symposium held in 2002 was posted on an area of the Web site where the health system's faculty members are encouraged to share their work and other data, UPMC said in a statement Thursday.

Once the health network discovered patient names and other information were included, it was removed, but somehow it was posted again and remained on the Web site until UPMC was notified again on Tuesday, said Robert Cindrich, a former federal judge who now serves as UPMC's chief attorney.

UPMC was notifying the patients affected and offering to pay for credit protection services, just in case the information might have been used by identity thieves. No financial information about patients was posted, nor were patient addresses or other contact information.

[...]

A copy of UPMC's full release appears at the bottom of the story.

-- 
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss


From Troy.Casey at McKesson.com Thu Apr 12 13:23:09 2007
From: Troy.Casey at McKesson.com (Casey, Troy # Atlanta)
Date: Thu, 12 Apr 2007 09:23:09 -0400
Subject: [Dataloss] Voter registration cards trashed - Fulton county, GA
In-Reply-To: <7.0.0.16.2.20070412084446.02317190@nowhere.org>
Message-ID: <324D9F7B57D2C143A7CF16A9CECAD25340C223@EXCHANGE2.dsa.int>

The following taken from http://wsbradio.com/news/041207votercards3a.html - probably also in other news outlets this morning, but this is the first one I found...

--------------------------------

Trashed Voter Registration Cards

(WSB Radio) -- The Georgia Secretary of State's office has launched an investigation into the disposal of tens of thousands of Fulton County voter registration cards. More than 75,000 cards that contained a voter's full name, address and Social Security number were found in a trash bin and a random sampling showed many were for active voters.

The cards were contained in more than 30 boxes of voter registration application cards, precinct cards and other documents Monday in a construction trash bin at Atlanta Technical College in southwest Atlanta.

``This represents a significant and serious breach of the personal information of Fulton County voters and an outrageous violation of the trust and integrity of Fulton County's elections,'' said Secretary of State Karen Handel.
Handel has called in the Georgia Bureau of Investigation and the county solicitor general's office to investigate and said she will audit the county elections office, because ``this breach also creates serious concerns about the overall operations'' of the office.

-----------------------------------

-- 
Troy Casey


From lyger at attrition.org Thu Apr 12 23:30:44 2007
From: lyger at attrition.org (lyger)
Date: Thu, 12 Apr 2007 23:30:44 +0000 (UTC)
Subject: [Dataloss] Stolen BofA laptop held employee data
Message-ID:

http://charlotte.com/115/story/83368.html

A stolen Bank of America Corp. laptop has resulted in lost personal information of current, former and retired employees, according to a letter sent this week to those affected.

The letter said a "limited" number of people were affected, but the Charlotte bank on Thursday would not provide a number. Employees at various levels of the company were affected, spokesman Scott Silvestri said.

The lost data included names, addresses, dates of birth and Social Security numbers, but there is no sign the information has been misused, according to an April 10 letter obtained by the Observer. The bank is offering a free credit monitoring service for two years to those affected.

[...]


From nepen at attrition.org Sat Apr 14 17:06:38 2007
From: nepen at attrition.org (nepen)
Date: Sat, 14 Apr 2007 17:06:38 +0000 (UTC)
Subject: [Dataloss] Visa Check Cards Compromised in TJX Breach
Message-ID:

Seems like it took them long enough...

My mother received a letter from Commerce Bank today warning her that her Visa Check Card may have been compromised as a result of the TJX breach. From what I can tell, it seems like they took their sweet old time getting around to notifying customers of the situation--to the tune of waiting several months. According to the archives*, the credit and debit card issuers were made aware of this in January.

*http://attrition.org/pipermail/dataloss/2007-January/001012.html

Also, their letter assures me in nice, comforting bold text that my mother's PIN was not compromised, as though this were of any importance whatsoever when it comes to Visa Check Cards. According to my mother, the only time a PIN is required to use this card is when you use MAC. Your PIN is not required when the card is used to deduct money from the checking account or when it is used as a credit card.

Ah, there are some days where I'm glad I pay cash for everything...

nepen

I've copied the letter here verbatim and any typos here are mine. All emphasis is theirs.

Dear Valued Customer,

You may have recently heard about a security breach at TJX Companies, the parent company of TJ Maxx, Home Goods, Marshalls, AJ Wright, Winners, HomeSense and Bob's stores. We have been notified that your Check Card may have been impacted by this situation. [bold emphasis]This breach did not include your Personal Identification Number (PIN).[/bold emphasis]

Although this breach does not mean your card will be used for unauthorized activity, we are taking action to further protect your account. Enclosed is a new Check Card with a new card number and our brand new design. Your PIN has not changed. Please activate your new card and begin using it immediately.

If you have any recurring payments on your Check Card, please contact the merchant(s) and transfer them to your new card. To allow time to change these payments, your existing card will remain open until May 31, 2007. During this time you will continue to be protected from any unauthorized purchases by Visa's Zero Liability Policy.

As always, if you have any questions, please contact our Customer Service Center at 1-888-751-9000.

Sincerely,

[Signature]

Frank Papotto
Vice President
Chairman's Service Center


From lyger at attrition.org Sun Apr 15 04:35:54 2007
From: lyger at attrition.org (lyger)
Date: Sun, 15 Apr 2007 04:35:54 +0000 (UTC)
Subject: [Dataloss] Darwin Professional Underwriters - Tech-404.com
Message-ID:

For anyone interested, we came across a curious situation in the last week.

It seems that a company by the name of Darwin Professional Underwriters took it upon themselves to "borrow" attrition.org's RSS feed and incorporate it into one of their own pages, found here:

http://www.tech-404.com/rss/data_loss.aspx

Darwin is a provider of commercial services for "liability insurance". Press releases have been issued, media attention has been gained, and Darwin has gathered quite a bit of press and attention regarding their "data loss calculator" in the last week. However, it should be noted that Darwin IN NO WAY contacted attrition.org about using our RSS feed for their page. In NO WAY did Darwin respond to email contact about this situation. They are using OUR resources that we spent our own time developing and making available to the public... for their own commercial gain. They're ripping off attrition.org, and we will not let this stand.

Darwin representatives, get a set of balls. Our work. Our time. You owe us. Take it down or we'll just clown you again.

Oh, wait...

we already did.

http://www.tech-404.com/rss/data_loss.aspx

Lyger (attrition.org staff, damn proud of it, and screw you, Darwin)

http://attrition.org/dataloss/tech404-1.gif
http://attrition.org/dataloss/tech404-2.gif


From avery.sawaba at gmail.com Sun Apr 15 04:58:43 2007
From: avery.sawaba at gmail.com (Avery Sawaba)
Date: Sun, 15 Apr 2007 00:58:43 -0400
Subject: [Dataloss] Darwin Professional Underwriters - Tech-404.com
In-Reply-To:
References:
Message-ID:

Oopsie. Someone forgot to read the terms of use!

Copyright 2005-2007 by attrition.org. Permission is granted to use this page in non-profit works and research.
Use of this page for commercial interests requires authorization and licensing arrangements. For more information, please e-mail staff at attrition.org with a brief summary of how you would like to use this information; product, service, research, etc.

--Sawaba

On 4/15/07, lyger wrote:
>
>
> For anyone interested, we came across a curious situation in the last
> week.
>
> It seems that a company by the name of Darwin Professional Underwriters
> took it upon themselves to "borrow" attrition.org's RSS feed and
> incorporate it into one of their own pages, found here:
>
> http://www.tech-404.com/rss/data_loss.aspx
>
> Darwin is a provider of commercial services for "liability insurance".
> Press releases have been issued, media attention has been gained, and
> Darwin has gathered quite a bit of press and attention regarding their
> "data loss calculator" in the last week. However, it should be noted
> that Darwin IN NO WAY contacted attrition.org about using our RSS feed
> for their page. In NO WAY did Darwin respond to email contact about this
> situation. They are using OUR resources that we spent our own time
> developing and making available to the public... for their own
> commercial gain. They're ripping off attrition.org, and we will not let
> this stand.
>
> Darwin representatives, get a set of balls. Our work. Our time. You owe
> us. Take it down or we'll just clown you again.
>
> Oh, wait...
>
> we already did.
>
> http://www.tech-404.com/rss/data_loss.aspx
>
> Lyger (attrition.org staff, damn proud of it, and screw you, Darwin)
>
> http://attrition.org/dataloss/tech404-1.gif
> http://attrition.org/dataloss/tech404-2.gif
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 207 million compromised records in 620 incidents over 7 years.
>


From murray.dianne at gmail.com Sun Apr 15 22:51:06 2007
From: murray.dianne at gmail.com (Dianne Murray)
Date: Sun, 15 Apr 2007 18:51:06 -0400
Subject: [Dataloss] Darwin Professional Underwriters - Tech-404.com
In-Reply-To:
References:
Message-ID:

I'm pretty sure attrition could sue these clowns at Darwin for hefty damages, payment for use of the service, or else that the feed they've stolen be shut down (and so maybe Darwin should receive a "Darwin Award").

On 4/15/07, Avery Sawaba wrote:
> Oopsie. Someone forgot to read the terms of use!
>
> Copyright 2005-2007 by attrition.org. Permission is granted to use this page
> in non-profit works and research. Use of this page for commercial interests
> requires authorization and licensing arrangements. For more information,
> please e-mail staff at attrition.org with a brief summary of how you would like
> to use this information; product, service, research, etc.
>
> --Sawaba
>
>
> On 4/15/07, lyger wrote:
> >
> >
> > For anyone interested, we came across a curious situation in the last
> > week.
> >
> > It seems that a company by the name of Darwin Professional Underwriters
> > took it upon themselves to "borrow" attrition.org's RSS feed and
> > incorporate it into one of their own pages, found here:
> >
> > http://www.tech-404.com/rss/data_loss.aspx
> >
> > Darwin is a provider of commercial services for "liability insurance".
> > Press releases have been issued, media attention has been gained, and
> > Darwin has gathered quite a bit of press and attention regarding their
> > "data loss calculator" in the last week. However, it should be noted
> > that Darwin IN NO WAY contacted attrition.org about using our RSS feed
> > for their page. In NO WAY did Darwin respond to email contact about this
> > situation. They are using OUR resources that we spent our own time
> > developing and making available to the public... for their own
> > commercial gain. They're ripping off attrition.org, and we will not let
> > this stand.
> >
> > Darwin representatives, get a set of balls. Our work. Our time. You owe
> > us. Take it down or we'll just clown you again.
> >
> > Oh, wait...
> >
> > we already did.
> >
> > http://www.tech-404.com/rss/data_loss.aspx
> >
> > Lyger (attrition.org staff, damn proud of it, and screw you, Darwin)
> >
> > http://attrition.org/dataloss/tech404-1.gif
> > http://attrition.org/dataloss/tech404-2.gif
> >
>

-- 
Subscribe to Let X = X. Science... with an edge: http://let-x-equal-x.blogspot.com


From avery.sawaba at gmail.com Mon Apr 16 03:09:00 2007
From: avery.sawaba at gmail.com (Avery Sawaba)
Date: Sun, 15 Apr 2007 23:09:00 -0400
Subject: [Dataloss] Darwin Professional Underwriters - Tech-404.com
In-Reply-To:
References:
Message-ID:

Since they advertise copyright work as one of their services, doesn't that earn them the honor of going on the Irony page?
Areas of Exposure Addressed - Errors and omissions (failure to perform, without the restriction of "for a fee") - Third party business interruption - Network security (unauthorized access, ID theft, loss of data) - Data privacy (unauthorized use, invasion of privacy) - Compliance with HIPAA, GLB, CA 1386 and other data privacy regulations - Media and online content (libel, slander, defamation, virus transmission) - Third party loss of data - Intellectual property (patent, copyright, trademark) - Defense against governmental investigations for data privacy --Sawaba On 4/15/07, Dianne Murray wrote: > > I'm pretty sure attrition could sue these clowns at Darwin for hefty > damages, payment for use of the service or else that the feed they've > stolen shut down (and so maybe Darwin should receive a "Darwin Award") > > On 4/15/07, Avery Sawaba wrote: > > Oopsie. Someone forgot to read the terms of use! > > > > Copyright 2005-2007 by attrition.org. Permission is granted to use this > page > > in non-profit works and research. Use of this page for commercial > interests > > requires authorization and licensing arrangements. For more information, > > please e-mail staff at attrition.org with a brief summary of how you would > like > > to use this information; product, service, research, etc. > > > > --Sawaba > > > > > > On 4/15/07, lyger wrote: > > > > > > > > > For anyone interested, we came across a curious situation in the last > > week. > > > > > > It seems that a company by the name of Darwin Professional > Underwriters > > took it > > > upon themselves to "borrow" attrition.org's RSS feed and incorporate > it > > into > > > one of their own pages, found here: > > > > > > http://www.tech-404.com/rss/data_loss.aspx > > > > > > Darwin is a provider of commercial services for "liability insurance". 
> > Press > > > releases have been issued, media attention has been gained, and Darwin > has > > > gathered quite a bit of press and attention regarding their "data loss > > > calculator" in the last week. However, it should be noted that Darwin > IN > > NO > > > WAY contacted attrition.org about using our RSS feed for their > page. In > > NO WAY > > > did Darwin responnd to email contact about this situation. They are > using > > OUR > > > resources that we spent our own time developing and making available > to > > the > > > public... for their own commercial gain. They're ripping off > > attrition.org, > > > and we will not let this stand. > > > > > > Darwin representatives, get a set of balls. Our work. Our time. You > owe > > us. > > > Take it down or we'll just clown you again. > > > > > > Oh, wait... > > > > > > we already did. > > > > > > http://www.tech-404.com/rss/data_loss.aspx > > > > > > Lyger ( attrition.org staff, damn proud of it, and screw you, Darwin) > > > > > > http://attrition.org/dataloss/tech404-1.gif > > > http://attrition.org/dataloss/tech404-2.gif > > > _______________________________________________ > > > Dataloss Mailing List (dataloss at attrition.org) > > > http://attrition.org/dataloss > > > Tracking more than 207 million compromised records in 620 incidents > over 7 > > years. > > > > > > > > > _______________________________________________ > > Dataloss Mailing List (dataloss at attrition.org) > > http://attrition.org/dataloss > > Tracking more than 207 million compromised records in 620 incidents over > 7 > > years. > > > > > > > -- > Subscribe to Let X = X. Science... with an edge: > http://let-x-equal-x.blogspot.com > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20070415/f8562224/attachment.html From bkdelong at pobox.com Mon Apr 16 13:46:23 2007 From: bkdelong at pobox.com (B.K. 
DeLong) Date: Mon, 16 Apr 2007 09:46:23 -0400 Subject: [Dataloss] Fortune 500/1000 list out for 2007 Message-ID: TJX is at 133 with 17,516.4M in revenue in 2006 they were at 138 with only 16,057.9M in revenue. Interesting. I suppose we'll see the backlash next year. Anyone notice any other interesting trends? http://money.cnn.com/magazines/fortune/fortune500/2007/full_list/ -- B.K. DeLong (K3GRN) bkdelong at pobox.com +1.617.797.8471 http://www.wkdelong.org Son. http://www.ianetsec.com Work. http://www.bostonredcross.org Volunteer. http://www.carolingia.eastkingdom.org Service. http://bkdelong.livejournal.com Play. PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE FOAF: http://foaf.brain-stream.org -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20070416/ebf41ae5/attachment.html From ADAIL at sunocoinc.com Mon Apr 16 14:49:27 2007 From: ADAIL at sunocoinc.com (DAIL, ANDY) Date: Mon, 16 Apr 2007 10:49:27 -0400 Subject: [Dataloss] Something you should read if your business processes credit cards In-Reply-To: Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8E02499AFD@mds3aex0e.USISUNOCOINC.com> Not really a breach story, but something all of us should check: http://www.paulhastings.com/Backup/Client_Alerts/42992.PDF?wt.mc_ID=4299 2.pdf Andy Dail (918) 586-6160 This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments. 
From ADAIL at sunocoinc.com Mon Apr 16 15:32:18 2007
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Mon, 16 Apr 2007 11:32:18 -0400
Subject: [Dataloss] Fortune 500/1000 list out for 2007
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8E02499B00@mds3aex0e.USISUNOCOINC.com>

TJMaxx sells to a discount demographic. I'd be curious if there is any retaliatory behavioral difference between a high-end retail customer and a discount customer.

Andy Dail
(918) 586-6160

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of B.K. DeLong
Sent: Monday, April 16, 2007 8:46 AM
To: dataloss at attrition.org
Subject: [Dataloss] Fortune 500/1000 list out for 2007

TJX is at 133 with 17,516.4M in revenue
in 2006 they were at 138 with only 16,057.9M in revenue.

Interesting. I suppose we'll see the backlash next year.

Anyone notice any other interesting trends?

http://money.cnn.com/magazines/fortune/fortune500/2007/full_list/

--
B.K. DeLong (K3GRN)

From rwise29210 at gmail.com Mon Apr 16 15:55:48 2007
From: rwise29210 at gmail.com (Rodney Wise)
Date: Mon, 16 Apr 2007 11:55:48 -0400
Subject: [Dataloss] Fortune 500/1000 list out for 2007
In-Reply-To: <8CA58E707BB1C44385FA71D02B7A1C8E02499B00@mds3aex0e.USISUNOCOINC.com>
Message-ID: <24e2acc50704160855u31ef4891n1a10c3e3b24d52e7@mail.gmail.com>

Look at Wal-mart. They have been accused of using child labor, not promoting women, and forcing employees to work off the clock. How is their stock suffering?

Rodney Wise
http://pplrwise.blogspot.com

On 4/16/07, DAIL, ANDY wrote:
> TJMaxx sells to a discount demographic. I'd be curious if there is any retaliatory behavioral difference between a high-end retail customer and a discount customer.
>
> Andy Dail
> (918) 586-6160
>
> [...]

From rwise29210 at gmail.com Mon Apr 16 16:10:57 2007
From: rwise29210 at gmail.com (Rodney Wise)
Date: Mon, 16 Apr 2007 12:10:57 -0400
Subject: [Dataloss] Something you should read if your business processes credit cards
In-Reply-To: <8CA58E707BB1C44385FA71D02B7A1C8E02499AFD@mds3aex0e.USISUNOCOINC.com>
Message-ID: <24e2acc50704160910g6bd06db0i57af465e1e32ec48@mail.gmail.com>

Check out a publication from the FTC called "Take Charge: Fighting Back Against Identity Theft". Page 19 states:

Credit Cards

The Fair Credit Billing Act establishes procedures for resolving billing errors on your credit card accounts, including fraudulent charges on your accounts. The law also limits your liability for unauthorized credit card charges to $50 per card. To take advantage of the law's consumer protections, you must:

- write to the creditor at the address given for "billing inquiries," NOT the address for sending your payments. Include your name, address, account number, and a description of the billing error, including the amount and date of the error. A sample letter is on page 20.

- send your letter so that it reaches the creditor within 60 days after the first bill containing the error was mailed to you. If an identity thief changed the address on your account and you didn't receive the bill, your dispute letter still must reach the creditor within 60 days of when the creditor would have mailed the bill. This is one reason it's essential to keep track of your billing statements, and follow up quickly if your bills don't arrive on time.

If someone opens a new account in your name, changes your address so you never get the bill, after 60 days you owe the bill and no matter what kind of insurance you get the underwriters will not pay it because it is a valid debt.

http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.pdf

Rodney Wise
http://pplrwise.blogspot.com

On 4/16/07, DAIL, ANDY wrote:
> Not really a breach story, but something all of us should check:
>
> http://www.paulhastings.com/Backup/Client_Alerts/42992.PDF?wt.mc_ID=42992.pdf
>
> Andy Dail
> (918) 586-6160
>
> [...]

From rwise29210 at gmail.com Mon Apr 16 16:15:43 2007
From: rwise29210 at gmail.com (Rodney Wise)
Date: Mon, 16 Apr 2007 12:15:43 -0400
Subject: [Dataloss] Fortune 500/1000 list out for 2007
Message-ID: <24e2acc50704160915k59255173t53da9133fd9d3fb3@mail.gmail.com>

Just in...

http://www.ohio.com/mld/beaconjournal/business/17077991.htm

By Mark Jewell
Associated Press
April 14, 2007

BOSTON - Bargain shopping appears to be trumping fears about data theft at TJX Cos., owner of nearly 2,500 discount stores that are enjoying brisk sales despite a security breach that exposed at least 45.7 million credit and debit cards to potential fraud.

TJX reported that sales at stores open at least a year rose 6 percent in March, beating Wall Street's expectations. The performance extended a recent run of sales gains since TJX three months ago announced a breach now known to be the nation's biggest data theft.

Customers leaving a T.J. Maxx store in Boston on Thursday said the retailer's cut-rate prices on clothing and home goods are a big enough draw to offset any worries about lax data security. They said they don't see TJX as any more susceptible to such theft than any other retailer.

``It's a sad thing, but it can happen anywhere,'' said Chamia Kissoon, a 30-year-old bank employee from Boston who left with a bag filled with clothing.

``Identity theft and data theft seem endemic, and I've got to presume that since TJX is aware of this theft, that they've fixed their problem here,'' said Peter Hartzel, a 60-year-old financial manager from Dedham, Mass.

An expert who helps corporate clients repair their reputations said he was not surprised by TJX's strong sales amid bad publicity.

``Convenience and price are huge factors in bringing people to any store,'' said Peter Morrissey, an associate professor of communications at Boston University who helped advise Johnson & Johnson after product tampering in 1982 involving its medication Tylenol. ``It's just hard to change people's patterns.''

``And with something as mysterious as a data breach, it seems to be remote, and beyond people's control, so customers cut you a fair amount of slack,'' Morrissey said. ``It's almost like white noise.''

News doesn't hurt sales

TJX's 6 percent increase in same-store sales in the five weeks through April 7 beat expectations of industry analysts polled by the research firm Thomson Financial. They had forecast an increase of 4.6 percent at TJX, whose stores are T.J. Maxx, Marshalls, HomeGoods and A.J. Wright in the United States, Winners and HomeSense in Canada and T.K. Maxx in Britain.

TJX reported a 2 percent same-store gain in February and a 4 percent gain in January. Same-store sales are a key measure of retailer performance because they measure growth at existing stores rather than from new ones.

TJX's sales have risen even as the company has acknowledged the breach was worse than first thought. On Feb. 21, TJX said the breach of its computer systems by an unknown hacker or hackers had started 10 months earlier than initially believed, beginning in July 2005. On March 28, TJX for the first time put a number on how many of its shoppers' cards had been compromised: at least 45.7 million. The Privacy Rights Clearinghouse, a consumer advocacy group that tracks data thefts, ranks the theft at TJX as the largest such U.S. breach.

The company and the Secret Service are investigating, and the company has said it remains unsure how many people were involved in the breach, or whether anyone inside the company may have played a role.

The only arrests have come in Florida, where 10 people who aren't believed to be the TJX hackers are accused of using stolen TJX customer data to buy Wal-Mart gift cards. But the more than 50 experts TJX put on the case have reached no conclusions. Besides not knowing how many thieves were involved, TJX isn't sure whether there was one continuing intrusion or separate break-ins, according to a March 28 regulatory filing.

Estimating losses

The company says it's too early to estimate its losses beyond the $5 million it spent through January to cover expenses such as legal and investigative costs, and letters sent to customers who may have been exposed to fraud. Banks nationwide have reissued debit and credit cards to guard against further fraud. TJX also faces lawsuits from consumers and financial institutions, and potential fines from government investigations.

TJX's stock has fallen only slightly through the ordeal.

``Wall Street is very focused on their operating performance, and on how this credit card issue is something that will be corrected, and then it will be history,'' said Mark Montagna, an industry analyst with C.L. King & Associates.

As for customers, Patrick McKeever, an analyst with Avondale Partners, said surveys that he and others in his firm have conducted with TJX shoppers indicate that any consumer backlash will be negligible.

``There were certainly a few people who had heard about it on the news and decided to curtail their shopping at TJX, but for the most part, people seemed not to be overly concerned about it,'' McKeever said. ``Consumers are well aware of the kind of value TJX offers because you can go and see the same merchandise you would see in department stores, and it's 20 to 60 percent cheaper. It's very compelling at the end of the day.''

Rodney Wise
http://pplrwise.blogspot.com

On 4/16/07, B.K. DeLong wrote:
> TJX is at 133 with 17,516.4M in revenue
> in 2006 they were at 138 with only 16,057.9M in revenue.
>
> Interesting. I suppose we'll see the backlash next year.
>
> [...]

From kfelten at gmail.com Mon Apr 16 17:45:30 2007
From: kfelten at gmail.com (Katie Felten)
Date: Mon, 16 Apr 2007 12:45:30 -0500
Subject: [Dataloss] Something you should read if your business processes credit cards
In-Reply-To: <24e2acc50704160910g6bd06db0i57af465e1e32ec48@mail.gmail.com>
Message-ID: <00c901c7804f$07a6eba0$16f4c2e0$@com>

Rodney - great information you shared - We have been telling people this and most don't believe until we show them it in writing. I keep several copies of this book to give to people.

If you are interested in learning more about the other types of ID theft from a leading expert go to my website and watch a short flash presentation
www.k-felten.com

Katie

Katie Felten, CITRMS
Data Security & Privacy Specialist
Certified Identity Theft Risk Management Specialist
www.getsmartcomply.com
K Felten & Associates, LLC
N78W14573 Appleton Ave #297
Menomonee Falls, WI 53051
Direct 262-227-0772
Katie at k-felten.com

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Rodney Wise
Sent: Monday, April 16, 2007 11:11 AM
To: DAIL, ANDY
Cc: nepen; dataloss at attrition.org
Subject: Re: [Dataloss] Something you should read if your business processes credit cards

Check out a publication from the FTC called "Take Charge: Fighting Back Against Identity Theft". Page 19 states:

[...]

From cwalsh at cwalsh.org Mon Apr 16 18:23:38 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 16 Apr 2007 13:23:38 -0500
Subject: [Dataloss] Fortune 500/1000 list out for 2007
In-Reply-To: <24e2acc50704160915k59255173t53da9133fd9d3fb3@mail.gmail.com>
Message-ID: <20070416182329.GA20247@cwalsh.org>

On Mon, Apr 16, 2007 at 12:15:43PM -0400, Rodney Wise wrote:
> Just in...
>
> ``And with something as mysterious as a data breach, it seems to be
> remote, and beyond people's control, so customers cut you a fair amount
> of slack,'' Morrissey said. ``It's almost like white noise.''

A thought experiment:

``And with something as mysterious as repairing a defective heart valve, it seems to be remote, and beyond people's control, so customers cut you a fair amount of slack,'' cardiac surgeon Dr. Nick Riviera said. ``It's almost like white noise.''

Maybe if it was called "identity protection malpractice" people would not think of it as background radiation.

From lyger at attrition.org Tue Apr 17 03:10:49 2007
From: lyger at attrition.org (lyger)
Date: Tue, 17 Apr 2007 03:10:49 +0000 (UTC)
Subject: [Dataloss] CO: New Horizons Community CU Takes Action

http://www.ncua.gov/news/press_releases/2007/MR07-0411.htm

New Horizons Community Credit Union (NHCCU), a state chartered federally insured credit union located in Denver, Colo., and operating under conservatorship of the National Credit Union Administration, is notifying members of a potential breach of confidential member loan information. The potential breach results from the theft of a laptop computer from Protiviti, a consultant employed by Bellco Credit Union conducting due diligence to prepare a possible acquisition bid. There are no indications at this time that any identity fraud, theft, or other harmful activity has occurred. All member accounts at NHCCU remain safe and sound, and members' savings are federally insured.

[...]

From lyger at attrition.org Tue Apr 17 13:38:31 2007
From: lyger at attrition.org (lyger)
Date: Tue, 17 Apr 2007 13:38:31 +0000 (UTC)
Subject: [Dataloss] Personal info stolen from OSU computer

http://www.coshoctontribune.com/apps/pbcs.dll/article?AID=/20070417/UPDATES01/70417003/1002/NEWS01

Someone hacked into an Ohio State University computer and stole the personal information of more than 14,000 current and former faculty and staff members, the school said.
The hacker breached a computer firewall the weekend of March 31 and accessed records from an Office of Research database, university spokesman Jim Lynch said Monday. The records of 7,160 former and 6,934 current faculty and staff members contained names, Social Security numbers, employee ID numbers and birth dates, the university said.

[...]

From cwalsh at cwalsh.org Tue Apr 17 16:27:32 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 17 Apr 2007 11:27:32 -0500
Subject: [Dataloss] Improper access to student PII granted, 60 mil exposed
Message-ID: <20070417162729.GC30295@cwalsh.org>

Report: Lenders illicitly accessing student database
Published: 2007-04-16

A database containing the personal and financial details of nearly 60 million students had repeatedly been accessed by some lending companies in ways that violated federal privacy laws, the Washington Post reported on Sunday.

According to the article, the database contains everything needed to steal a person's identity, including students' names, Social Security numbers, addresses, phone numbers, birth dates and phone numbers as well as information on loan balances. Some lending companies have apparently given unauthorized users, such as marketing companies, access to the information in the database on a regular basis, according to the Post's article.

"We are just in shock that student data could be compromised like this," Nancy Hoover, director of financial aid at Denison University, told the Washington Post.

The revelation comes as some lending companies and schools are under fire for improper relationships. At least three financial aid directors at various schools have resigned positions or been put on administrative leave after ties with student-lending firm Student Loan Xpress were uncovered.

The possible improper access of a database on 60 million students puts the breach in the same category as the repeated breaches of retail giant TJX that led to the leak of at least 46.5 million credit-card numbers and the attack on CardSystems Solutions that resulted in the possible compromise of some 40 million credit-card numbers.

Officials at the U.S. Department of Education are mulling a possible shut down of the database system while access policies and security are tightened, according to the Post.

[http://www.securityfocus.com/brief/484]

From bkdelong at pobox.com Tue Apr 17 18:11:57 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Tue, 17 Apr 2007 14:11:57 -0400
Subject: [Dataloss] Improper access to student PII granted, 60 mil exposed
In-Reply-To: <20070417162729.GC30295@cwalsh.org>
References: <20070417162729.GC30295@cwalsh.org>
Message-ID:

Interesting. This sounds like the Lexis/Nexis case where someone got illicit access to a law enforcement privileged account to the service by backdooring the computer, thus essentially getting access to a huge amount of data unchecked.

On 4/17/07, Chris Walsh wrote:
>
> Report: Lenders illicitly accessing student database
> Published: 2007-04-16
>
> A database containing the personal and financial details of nearly 60
> million students had repeatedly been accessed by some lending companies in
> ways that violated federal privacy laws, the Washington Post reported on
> Sunday

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From lyger at attrition.org Tue Apr 17 22:33:18 2007
From: lyger at attrition.org (lyger)
Date: Tue, 17 Apr 2007 22:33:18 +0000 (UTC)
Subject: [Dataloss] Texas AG: CVS Dumped Customers' Records
Message-ID:

http://www.forbes.com/feeds/ap/2007/04/17/ap3621733.html

Texas Attorney General Greg Abbott sued CVS Corp. on Tuesday, alleging pharmacy employees dumped credit card numbers, medical information and other sensitive material from more than 1,000 customers into a garbage container.

The Rhode Island company was accused of failing to protect its customers from identity theft at the store in Liberty, about 45 miles northeast of Houston. The lawsuit alleges employees dumped the records behind a store that apparently was being vacated by CVS.

CVS did not immediately return a telephone call seeking comment Tuesday.

[...]

From rforno at infowarrior.org Wed Apr 18 03:20:10 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 17 Apr 2007 23:20:10 -0400
Subject: [Dataloss] Wireless Security Puts IRS Data at Risk
Message-ID:

Would somebody kindly explain WTF the IRS is using wireless networking anywhere in their IT environment???

-rf

April 17, 2007
Wireless Security Puts IRS Data at Risk
By THE ASSOCIATED PRESS
http://www.nytimes.com/aponline/technology/AP-IRS-Wireless-Security.html?_r=1&oref=slogin&pagewanted=print

Filed at 10:57 p.m. ET

WASHINGTON (AP) -- Internal Revenue Service offices across the nation that use wireless technology are still vulnerable to hackers, according to the latest assessment of the agency's security policies released Tuesday.

Despite efforts to improve wireless security the past four years, the Inspector General's assessment of 20 buildings in 10 cities discovered four separate locations at which hackers could have easily gained access to IRS computers using wireless technology.
There was no evidence that the computers were connected to the IRS network at the time and no signs that any hacking had occurred, the report said.

''However, anyone with a wireless detection tool could pick up the wireless signal and gain access to the computer,'' wrote Michael Phillips, the Inspector General. And if an employee had been connected to the IRS network, ''a hacker conceivably could gain access to the IRS network,'' which contains sensitive financial data of more than 226 million taxpayers, he added.

The vulnerabilities were discovered in Denver and at three other IRS facilities in Texas and Florida.

Wireless networks are created by linking computers using hardware called routers. The devices enable wireless laptop or mobile device users, such as Treos, to send signals back and forth to each other. Data can be encrypted, but the report said that software available on the Internet can decode the encryption.

The inspector general's office said it used inexpensive wireless equipment and software freely available on the Internet to scan the facilities for wireless signals.

According to the report, the IRS also is not effectively monitoring its uses of wireless technology. As of May 2006, the agency had scanned fewer than 6 percent of all IRS offices - mainly in the Washington, D.C., and Baltimore metropolitan areas.

The inspector general's office recommended increased of the IRS network for unapproved wireless devices and educating employees about security risks. The report said the agency agreed with the IG's recommendations and will implement them.
From lyger at attrition.org Wed Apr 18 19:22:09 2007
From: lyger at attrition.org (lyger)
Date: Wed, 18 Apr 2007 19:22:09 +0000 (UTC)
Subject: [Dataloss] Hackers, laptop thieves compromise personal information of 17,500 at Ohio State in separate incidents
Message-ID:

(update: another unrelated incident exposes another 3,500)

http://scmagazine.com/us/news/article/651562/hackers-laptop-thieves-compromise-personal-information-17500-ohio-state-separate-incidents/

On March 31 or April 1, a hacker using a foreign web address cracked a university firewall and accessed the names, Social Security numbers, employee ID numbers and birth dates of more than 14,000 current and former staff members, according to a university statement.

[...]

In an unrelated incident, the personal information of about 3,500 current and former chemistry students was compromised when two laptop computers were stolen from the home of a university professor on Feb. 24. The laptops were likely not the target of the burglary, and were stolen with a number of other household items, according to Lynch. Records stored in the laptops contained names, Social Security numbers and grades, according to the university.

[...]

From lyger at attrition.org Thu Apr 19 01:51:53 2007
From: lyger at attrition.org (lyger)
Date: Thu, 19 Apr 2007 01:51:53 +0000 (UTC)
Subject: [Dataloss] UCSF computer server with research subject information is stolen
Message-ID:

http://pub.ucsf.edu/newsservices/releases/200704189/

A computer file server containing research subject information related to studies on causes and cures for different types of cancer was stolen from a locked UCSF office on March 30, 2007. The server contained files with names, contact information, and social security numbers for study subjects and potential study subjects. For some individuals, the files also included personal health information.

[...]

Notification letters were sent Monday, April 16, to about 3,000 individuals. Using backup files, UCSF officials are conducting an extensive analysis of the server data to determine as quickly as possible all the names involved in this incident.

[...]

From lyger at attrition.org Thu Apr 19 15:48:23 2007
From: lyger at attrition.org (lyger)
Date: Thu, 19 Apr 2007 15:48:23 +0000 (UTC)
Subject: [Dataloss] Personal data of NMSU students posted online
Message-ID:

http://www.freenewmexican.com/news/60444.html

The names and Social Security numbers of more than 5,600 New Mexico State University students were accidentally posted on the school's Web site, but officials say odds are minimal that any students' identities were compromised.

The information was in a public section of the site for nearly two hours on April 5 before the mistake was caught. The file was accessed by 14 computers and all of their IP addresses have been tracked, said Mrinal Virnave, NMSU's director of enterprise application services.

Virnave said the file contained the names and Social Security numbers of students who registered online to attend their commencement ceremonies from 2003 to 2005, meaning most of the names and numbers are of former students.

[...]

From lyger at attrition.org Fri Apr 20 15:38:20 2007
From: lyger at attrition.org (lyger)
Date: Fri, 20 Apr 2007 15:38:20 +0000 (UTC)
Subject: [Dataloss] Los Alamos warns workers about identity theft
Message-ID:

http://www.freenewmexican.com/news/60494.html

Los Alamos National Laboratory warned employees about protecting themselves against identity theft after the names and Social Security numbers of 550 lab workers were posted on a Web site run by a subcontractor working on a security system.

An April 5 letter to the employees from Jan A. Van Prooyen, the lab's acting deputy director, said the problem was discovered the previous week when a lab employee happened upon the Web site of a software services company that had been hired years before.
Clicking a link and entering a password provided online led to a table that included names, and in some cases, Social Security numbers, of people who entered certain lab sites around 1998, the letter said.

[...]

From lyger at attrition.org Fri Apr 20 21:11:44 2007
From: lyger at attrition.org (lyger)
Date: Fri, 20 Apr 2007 21:11:44 +0000 (UTC)
Subject: [Dataloss] Federal Database Exposes Social Security Numbers
Message-ID:

http://www.nytimes.com/2007/04/20/washington/20cnd-data.html?_r=1&hp=&adxnnl=1&oref=slogin&adxnnlx=1177103032-yUYrfkNKmHsZVZ/hqNZWCw

The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.

Officials at the Agriculture Department and the Census Bureau, which maintains the database, were evidently unaware that the Social Security numbers were accessible in the database until they were notified last week by a farmer from Illinois, who stumbled across the database on the Internet.

[...]

Ms. Bergmeier said she was able to identify almost 30,000 records in the database that contained Social Security numbers.

[...]

From lyger at attrition.org Sat Apr 21 00:40:18 2007
From: lyger at attrition.org (lyger)
Date: Sat, 21 Apr 2007 00:40:18 +0000 (UTC)
Subject: [Dataloss] (update) Fed Breach Leaks Social Security Numbers
Message-ID:

(Original numbers reported almost 30,000, now 150,000. Updated)

http://www.forbes.com/feeds/ap/2007/04/20/ap3637323.html

The Social Security numbers of up to 150,000 people who received Agriculture Department grants have been posted on a government Web site since 1996, but they were taken down last week. Free credit monitoring is being offered to those affected.

The security breach was only noticed last week and promptly closed, the Agriculture Department and Census Bureau announced Friday.

The Agriculture data that included Social Security numbers were removed from the Web on April 13 and similar data from 32 other agencies were taken down April 17 as a precaution, said Agriculture spokeswoman Terri Teuber.

[...]

From lyger at attrition.org Sat Apr 21 05:18:23 2007
From: lyger at attrition.org (lyger)
Date: Sat, 21 Apr 2007 05:18:23 +0000 (UTC)
Subject: [Dataloss] (update) Fed breach leaks Social Security numbers
Message-ID:

(first 30K, then 150K, now 63K... hope everybody has erasers handy...)

http://origin.denverpost.com/nationworld/ci_5714663

The Social Security numbers of 63,000 people who received Agriculture Department grants have been posted on a government Web site since 1996, but they were taken down last week. Free credit monitoring is being offered to those affected.

The security breach was only noticed last week and promptly closed, the Agriculture Department and Census Bureau announced Friday.

The Agriculture data that included Social Security numbers were removed from the Web on April 13 and similar data from 32 other agencies were taken down April 17 as a precaution, said Agriculture spokeswoman Terri Teuber.

[...]

The department originally said Friday the Social Security numbers of 105,000 to 150,000 individuals had been entered into federal databases open to the public since 1981. But by Friday evening, after they calculated how many people had been entered more than once, USDA announced that 63,000 individuals had their Social Security numbers exposed. The data has only been posted on the Internet by the Census Bureau since 1996.

[...]

From lyger at attrition.org Mon Apr 23 20:07:36 2007
From: lyger at attrition.org (lyger)
Date: Mon, 23 Apr 2007 20:07:36 +0000 (UTC)
Subject: [Dataloss] USDA Narrows List to 38,700...
Message-ID:

(yet another newly revised total...)

http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB?contentidonly=true&contentid=2007/04/0110.xml

The U.S. Department of Agriculture (USDA) has narrowed to approximately 38,700 the number of people whose private identification information was accessible to the public on a government-wide website. USDA takes seriously its responsibility to protect private information and after learning of the potential exposure, immediately took action to remove the information from the website. USDA is also offering credit monitoring services to protect the personal accounts of affected individuals, due to the potential that information was downloaded prior to removal. There is no evidence that this information has been misused.

[...]

From rwise29210 at gmail.com Mon Apr 23 14:55:45 2007
From: rwise29210 at gmail.com (rwise29210 at gmail.com)
Date: Mon, 23 Apr 2007 10:55:45 -0400
Subject: [Dataloss] Counter Strike Struck
Message-ID: <00c501c785b7$792d4db0$6401a8c0@xp1>

I haven't seen this on the list. Sorry if it is a repost.

Rodney Wise
http://pplrwise.blogspot.com

Counter Strike firm in credit card hack claim
Hacker, customers accuse Valve of coverup
By Chris Williams
Published Thursday 19th April 2007 11:09 GMT

http://www.theregister.co.uk/2007/04/19/valve_steam_hack/

Valve Software, the company behind Counter Strike and Half Life, has been accused of covering up a hack of its servers which allegedly exposed the credit card details of thousands of customers.

A hacker calling himself MaddoxX has trumpeted details of the claimed break-in on his website, and threatened to publish more credit card information if Valve do not "come with something good".

Customers say Valve has known about the alleged security breach since April 8 at the latest. A customer told us he raised the hacker's claims on Valve's Steampowered.com forums, but a company moderator quickly stepped in to delete it, writing, "Please do not re-post that thread. Valve are aware of the issue and are investigating. Making threads on the issue will not help."
Sources say a dozen threads about the matter have been suppressed on Valve's official forums. In the meantime the firm has made no attempt to contact the thousands of cyber cafe owners potentially affected.

A large file posted on a file sharing site appears to back up the hacker's claims of breaking into the server of Valve's distribution network, Steam. It contains sensitive financial information including Valve's current assets, full details of five credit card transactions from March 12 with the threat of exposing more, and details of how to set up a fake cyber cafe certificate for multiplayer Counter Strike. The 14MB plus directory is essentially a "rip" of the cyber cafe content delivery platform, Steam Cafe, and contains all the files to access Valve's Central Authentication Server.

We contacted MaddoxX via email. He claimed he first gained access to Steam this January, and said that although the cyber cafe customer database is not linked to the standard customer list, he has access to that too. Valve have not contacted him, he said, but have approached his hosting provider to take down the page which announces the hack, so far without success.

The hacker says it's not his intention to steal information. He told us: "I just came across the login details when I was browsing some stuff. The access to their whole customer database was more like luck, but still a hack because the login details are inside some files. They changed the logins now and made it not possible anymore to get the details from the files. The [credit card] details itself are stored in a MySQL database where I still have access to."

"It is just to show how lax they are with their security. I want a full excuse from VALVe on their site that they did NOT inform anyone about this. I've got several e-mails from cafe owners and they said VALVe hasn't even said shit to them...so you can see how they treat their customers."

One cyber cafe owner contacted by The Register said: "Why has it taken days if not weeks before they told us if there is even the slightest possibility someone has our CC details then we should have been told?"

Valve did not return repeated requests for comment.

From rwise29210 at gmail.com Mon Apr 23 15:06:32 2007
From: rwise29210 at gmail.com (rwise29210 at gmail.com)
Date: Mon, 23 Apr 2007 11:06:32 -0400
Subject: [Dataloss] Does a data loss of one count if she is famous? It just isn't for "Ordinary People" anymore.
Message-ID: <00ef01c785b8$fabe9860$6401a8c0@xp1>

Thieves take laptop with Smith photos
April 20, 2007
By Alan J. Keays
Herald Staff

The head of Edgewood Studios in Rutland is looking for the return of a stolen laptop containing some valuable information, including unreleased images of Anna Nicole Smith, the star of his most recent film.

"There are photographs in there that are not to be released," Giancola said Thursday afternoon in a phone interview from the offices of his Rutland-based movie production studio. "There is stuff that we have that is just not cleared for release."

Police said burglars early Thursday broke into Edgewood Studios, at Howe Center, a large complex of offices and businesses just outside Rutland's downtown. Several other businesses in the complex were also burglarized. Police have made no arrest.

Although the thieves did not steal all that much from his studio, the laptop contained a great deal of "proprietary material," including future movie scripts, plot lines, phone numbers and e-mail addresses, Giancola said.

The laptop also contained unreleased photos of Smith, who before her death of a drug overdose in February played a starring role in the studio's soon-to-be-released movie, "Illegal Aliens."

"We're trying to find the laptop because it has material that has proprietary information to Edgewood Studios," Giancola said. "We're really hoping to get that laptop back because of the copyrighted material that was on it."

"Illegal Aliens" is set to be released on DVD next month. The movie, filmed in September 2005 in Rutland, has generated international interest following the media attention that accompanied Smith's death.

"What we're most concerned about is 'Illegal Aliens' kind of stuff, and that movie is not being released until May 1," Giancola said. "There's another movie called 'Zombie Town' and that movie's not going to be released probably until Halloween and there's material from that on (the laptop) and we don't want that out there, either."

Surveillance video suggested the burglars did not target the laptop for theft because of its connection to Smith. Instead, Giancola said, it appeared the burglars were on a "drunken rampage," smashing the front door and two inside doors at the studio.

Giancola said the value of the stolen items and the cost of repairing damage would amount to a couple of thousand dollars. However, he said, a dollar amount cannot be placed on the value of the "proprietary material" that was on the stolen laptop, including the Smith photos.

"The intellectual property is way more valuable than any of the physical equipment we have," Giancola said.

Contact Alan J. Keays at alan.keays at rutlandherald.com.

Rodney Wise
For New stories about ID Theft and Data Loss by Companies visit:
http://pplrwise.blogspot.com
See what is happening to your information

From lyger at attrition.org Tue Apr 24 03:55:22 2007
From: lyger at attrition.org (lyger)
Date: Tue, 24 Apr 2007 03:55:22 +0000 (UTC)
Subject: [Dataloss] Administravia: List Reminders and Changes
Message-ID:

Greetings all, I'll try to be as brief as I can.

The Data Loss Mail List would like to remind subscribers and posters that list topics should adhere to the following guidelines:

Data Loss is a non-commercial mail list that covers topics such as news releases regarding large-scale personal data loss and personal data theft incidents. Discussion about incidents, indictments, legislation, and recovery of lost or stolen personal data is encouraged. Advertisements or endorsements for commercial products and/or services, on or off list, are not allowed. Isolated personal incidents regarding identity theft are not considered to be topical.

Discussion is welcome about items that are topical. Please contact me directly with any questions or concerns about list content.

Thanks,
Lyger

From lyger at attrition.org Tue Apr 24 17:04:46 2007
From: lyger at attrition.org (lyger)
Date: Tue, 24 Apr 2007 17:04:46 +0000 (UTC)
Subject: [Dataloss] Neiman says employee data stolen
Message-ID:

http://www.wfaa.com/sharedcontent/dws/bus/stories/042507dnbusneiman.40beadd.html

The Neiman Marcus Group said Tuesday that computer equipment containing files with sensitive information of nearly 160,000 current and former employees has been stolen.

The files were owned by a pension consultant and contained 2-year-old data that was current as of Aug. 30, 2005. Information included each person's name, address, social security number, date of birth, period of employment and salary information. Employees hired after Aug. 30, 2005 are not affected.

[...]
From lyger at attrition.org Tue Apr 24 22:41:30 2007
From: lyger at attrition.org (lyger)
Date: Tue, 24 Apr 2007 22:41:30 +0000 (UTC)
Subject: [Dataloss] Baltimore Co. Laptop Stolen With Personal Info
Message-ID:

http://wjz.com/local/local_story_114155042.html

A laptop containing the personal information of about 6,000 people was stolen from a Baltimore County health center, a health department spokeswoman said Tuesday.

The computer did not contain medical information but did have names, date of birth, social security numbers, telephone numbers and emergency contact information. The personal information was from patients who were seen at the clinic between Jan. 1, 2004 and April 12.

[...]

From rwise29210 at gmail.com Wed Apr 25 10:59:07 2007
From: rwise29210 at gmail.com (Rodney Wise)
Date: Wed, 25 Apr 2007 06:59:07 -0400
Subject: [Dataloss] The cost of doing business?
Message-ID: <24e2acc50704250359yaf861b5wd847586701bfda85@mail.gmail.com>

Bank groups in 3 states plan to sue TJX over data theft
http://www.mercurynews.com/businessheadlines/ci_5745507

The Associated Press
Article Launched: 04/25/2007 01:50:15 AM PDT

BOSTON (AP) - Bank associations in Massachusetts, Connecticut and Maine said Tuesday that they will sue TJX over a data theft that exposed at least 45 million credit and debit cards to potential fraud.

Banks have been saddled with costs to replace cards and cover fraudulent charges tied to the theft from TJX, the owner of nearly 2,500 discount stores including T.J. Maxx and Marshalls.

On Jan. 17, Framingham, Mass.-based TJX disclosed a breach of its computer systems by an unknown hacker or hackers who accessed card data from transactions as long ago as late 2002. On March 28, TJX said at least 45.7 million of its shoppers' cards had been compromised.

--
Rodney Wise
http://pplriwse.blogspot.com

From lyger at attrition.org Wed Apr 25 20:13:02 2007
From: lyger at attrition.org (lyger)
Date: Wed, 25 Apr 2007 20:13:02 +0000 (UTC)
Subject: [Dataloss] (update) Darwin Professional Underwriters - Tech-404.com
Message-ID:

For anyone interested in the follow-up:

Darwin Professional Underwriters, which operates the website Tech-404.com, has come to an agreement with attrition.org regarding the use of our Data Loss web page and RSS feed. In return for use of attrition.org's RSS service and/or web page, Darwin has graciously agreed to make a contribution to the Open Source Vulnerability Database (http://osvdb.org) in order to further promote security awareness.

We appreciate Darwin's willingness to work with us to help resolve this matter and we wish them the best in their future endeavors.

Lyger

From lyger at attrition.org Thu Apr 26 16:01:31 2007
From: lyger at attrition.org (lyger)
Date: Thu, 26 Apr 2007 16:01:31 +0000 (UTC)
Subject: [Dataloss] Ceridian accidentally leaks data from NY firm
Message-ID:

http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html

Payroll processing firm Ceridian Corp. accidentally leaked employee data from a New York advertising firm on a Web site, the company confirmed Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising company Innovation Interactive last week, after it learned that it had inadvertently leaked ID and bank-account data on 150 employees, company spokesman Pete Stoddart said.

Ceridian said a former employee accidentally posted the information on a personal Web site. The employee took the data by accident after leaving the company in March 2006.

[...]
From Phack at 4thebank.com Thu Apr 26 16:15:28 2007
From: Phack at 4thebank.com (Patrick Hack)
Date: Thu, 26 Apr 2007 11:15:28 -0500
Subject: [Dataloss] Ceridian accidentally leaks data from NY firm
In-Reply-To:
References:
Message-ID: <463089CF.E11B.0075.0@4thebank.com>

Just wondering, how do you 'Accidentally' take private customer information as you're leaving employment and 'Accidentally' post it to your personal web site? This sure sounds like straight-up data theft to me.

P. Hack

>>> lyger 4/26/2007 11:01 AM >>>
http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html

Payroll processing firm Ceridian Corp. accidentally leaked employee data from a New York advertising firm on a Web site, the company confirmed Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising company Innovation Interactive last week, after it learned that it had inadvertently leaked ID and bank-account data on 150 employees, company spokesman Pete Stoddart said.

Ceridian said a former employee accidentally posted the information on a personal Web site. The employee took the data by accident after leaving the company in March 2006.

[...]

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 207 million compromised records in 634 incidents over 7 years.

CONFIDENTIALITY NOTICE: This email message is private, confidential property of the sender, and the materials may be privileged communications intended solely for the receipt, use, benefit, and information of the intended recipient indicated above. If you are not the intended recipient, you are hereby notified that any review, disclosure, distribution, copying or taking of any other action in reference to the contents of this message is strictly prohibited, and may result in legal liability on your part. If you have received this message in error, please notify the sender immediately and delete this message from your system. We believe that this email and any attachments are free of any virus or other defect that might affect any computer system that it is received and opened in, however, it is the responsibility of the recipient to ensure that it is virus free and the sender accepts no responsibility for any loss or damage.

From kfelten at gmail.com Thu Apr 26 17:27:25 2007
From: kfelten at gmail.com (Katie Felten)
Date: Thu, 26 Apr 2007 12:27:25 -0500
Subject: [Dataloss] Ceridian accidentally leaks data from NY firm
In-Reply-To: <463089CF.E11B.0075.0@4thebank.com>
References: <463089CF.E11B.0075.0@4thebank.com>
Message-ID: <000801c78828$29df7c10$7d9e7430$@com>

P, my thoughts exactly when I read this article this morning

Katie Felten, CITRMS
Data Security & Privacy Specialist
Certified Identity Theft Risk Management Specialist
www.getsmartcomply.com

K Felten & Associates, LLC
N78W14573 Appleton Ave #297
Menomonee Falls, WI 53051
Direct 262-227-0772
Katie at k-felten.com

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Patrick Hack
Sent: Thursday, April 26, 2007 11:15 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm

Just wondering, how do you 'Accidentally' take private customer information as you're leaving employment and 'Accidentally' post it to your personal web site? This sure sounds like straight-up data theft to me.

P. Hack

>>> lyger 4/26/2007 11:01 AM >>>
http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html

Payroll processing firm Ceridian Corp. accidentally leaked employee data from a New York advertising firm on a Web site, the company confirmed Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising company Innovation Interactive last week, after it learned that it had inadvertently leaked ID and bank-account data on 150 employees, company spokesman Pete Stoddart said.

Ceridian said a former employee accidentally posted the information on a personal Web site. The employee took the data by accident after leaving the company in March 2006.

[...]
From jericho at attrition.org Thu Apr 26 23:37:58 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 26 Apr 2007 23:37:58 +0000 (UTC)
Subject: [Dataloss] slightly OT: LifeLock Identity Theft Protection
Message-ID:

http://www.lifelock.com/

My name is Todd Davis
This is my social security number 457-55-5462

"I'm Todd Davis, CEO of LifeLock. Yes, that really is my social security number. No I'm not crazy. I'm just sure our system works. Just like we have with mine, LifeLock will make your personal information useless to a criminal. And it's GUARANTEED."

Here at LifeLock, We Guarantee Your Good Name. No one else does because no one else can.

http://www.lifelock.com/our-guarantee

$1 Million Guarantee

Our $1 Million Guarantee

Our Guarantee is simple. If you are our client when someone steals your personal information and subsequently misuses it, we will reimburse any and all direct expenses that you incur and pay for professionals with the proper expertise. The maximum amount that we will pay is $1 million over the life of the incident. We provide this guarantee because we are so confident in our product.

Direct expenses include lost wages, long-distance calls, postage and other miscellaneous costs in addition to any funds that are actually stolen from you or a third party that holds you responsible. If you need an attorney to help resolve the claims, we will select them and manage the case on your behalf. Your request must not be fraudulent and you must tell us of the event within 30 days of first learning of it.

How the Guarantee Works:

If your Identity is used by a third party without your consent, we will do the following:

1. We will pay any direct expenses you incur subject to the terms below. Usually, we will advance these costs on your behalf. If we do that, you must assign your guarantee request to any such re-imbursement by any third party. For example, if your bank charges you fees because someone else used your credit card and it took you over your limit, we will ensure that you are reimbursed that money promptly. If the bank doesn't do it, then we will and if and when the professionals we hire to assist you get the bank to refund the money, you agree that it will be sent to us or that, if paid directly to you, that you will send it to us as soon as you receive it.

2. If the amount involved is over $1,000, we reserve the right to investigate the guarantee request and conclude that the claim is valid. For instance, if you are arrested for bank fraud and you assert that you did not commit the crime and that someone else stole your identity to commit the crime, we will investigate your assertion. If we are confident that you did not commit the crime, we will advance any legal fees, bail or other costs required to get you out of jail and back to your life. We will perform our investigation with all due haste and we will render our decision as quickly as we can. The standard we will use is that if any reasonable person would come to the conclusion that you are not responsible, we will as well. Once we are comfortable that you are innocent due to Identity Theft that occurred while you are our client, we will advance all fees and costs as discussed above. Note that we do not necessarily require that you are found innocent by the authorities before performing on our guarantee.

3. If it turns out that our investigation is wrong and that you misrepresented a loss or that you weren't our client when it happened, you agree to pay us back any amount we have advanced or incurred on your behalf upon demand, including any costs we incur to collect the money from you. Being found guilty of the crime which you attributed to Identity theft is sufficient evidence to conclude that we are entitled to recover all amounts advanced or paid on your behalf as described above.

4. Should we, however, decline your guarantee request and you are found innocent due to the fact that someone used your Identity to commit the crime, we will then honor our guarantee and pay you $10,000 for the hardship you suffered. You agree that we are not liable for any additional costs or awards for any reason.

That's it. No more fancy language.

From jericho at attrition.org Fri Apr 27 01:59:19 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 27 Apr 2007 01:59:19 +0000 (UTC)
Subject: [Dataloss] slightly OT: LifeLock Identity Theft Protection
In-Reply-To:
References:
Message-ID:

On Thu, 26 Apr 2007, security curmudgeon wrote:

: http://www.lifelock.com/
:
: My name is Todd Davis
: This is my social security number 457-55-5462

My post was not an endorsement of lifelock.com, Todd Davis or anything else. This post was made because I found it surprising that a CEO would post his own social security number "proving" his own service, something that other services don't do.

Attrition does not have any affiliation with lifelock.com or any other company/service that provides identity theft protection. Until earlier this evening, neither Lyger nor myself had heard of lifelock.com despite their "million dollar advertising campaign" (from what we were later told).

If anyone has any comments, criticisms or rebuttal of my post, we will selectively post them if they are fair, reasonable and cite their sources.

By reading this mail you absolve myself and attrition.org of any wrongdoing, pinkie swear you will eat a twinkie before midnight and will print and shred this message if it was not intended for you.

- Jericho

From chris at cwalsh.org Fri Apr 27 01:21:24 2007
From: chris at cwalsh.org (Chris Walsh)
Date: Thu, 26 Apr 2007 20:21:24 -0500
Subject: [Dataloss] slightly OT: LifeLock Identity Theft Protection
In-Reply-To:
References:
Message-ID:

Great. Now lyger's gonna have to send out a notification letter to the guy.

Couldn't you have ROT13'd the email to avoid this? :^)

Chris

On Apr 26, 2007, at 6:37 PM, security curmudgeon wrote:

>
> http://www.lifelock.com/
>
> My name is Todd Davis
> This is my social security number 457-55-5462
>
> "I'm Todd Davis, CEO of LifeLock. Yes, that really is my social
> security
> number. No I'm not crazy. I'm just sure our system works. Just like we
> have with mine, LifeLock will make your personal information
> useless to a
> criminal. And it's GUARANTEED."

From lyger at attrition.org Fri Apr 27 15:22:29 2007
From: lyger at attrition.org (lyger)
Date: Fri, 27 Apr 2007 15:22:29 +0000 (UTC)
Subject: [Dataloss] 175 told of possible computer security incident at Purdue
Message-ID:

(from April 24, 2007)

http://news.uns.purdue.edu/x/2007a/070424KsanderEngineer.html

Purdue University is informing 175 people who were students in fall 2001 that a Web page containing information about them was inadvertently available on the Internet.

The page, which was no longer in use but was on a computer server connected to the Internet, contained names and Social Security numbers of students who were enrolled in a freshman engineering honors course and were scheduling to meet with advisers. Although forgotten, the page had been indexed by Internet search engines and consequently was available to individuals searching the Web.

The page has been removed and, at Purdue's request, Yahoo and Google have removed the page from their indexes and cache. Letters are in the mail to those potentially affected.

[...]

From lyger at attrition.org Sat Apr 28 01:47:50 2007
From: lyger at attrition.org (lyger)
Date: Sat, 28 Apr 2007 01:47:50 +0000 (UTC)
Subject: [Dataloss] Caterpillar Says Employee Data Stolen
Message-ID:

(if anyone can find verifiable details on number affected or type of information, please let us know)

http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2007/04/27/financial/f172558D76.DTL&type=business

Caterpillar Inc.
said late Friday that a laptop computer containing personal data on employees was stolen from a benefits consultant that works with the company.

Caterpillar spokesman Rusty Dunn declined to provide many details Friday. "This is an open investigation and we're not prepared to get into any specifics," Dunn said.

He said one laptop computer was stolen earlier this month, but didn't say where the theft took place or identify the consultant. Dunn declined to say how many employees were affected.

[...]

From lyger at attrition.org Sat Apr 28 02:12:56 2007
From: lyger at attrition.org (lyger)
Date: Sat, 28 Apr 2007 02:12:56 +0000 (UTC)
Subject: [Dataloss] FEMA's 'Unfortunate' Privacy Disaster
Message-ID:

From April 23, 2007

http://www.washingtonpost.com/wp-dyn/content/article/2007/04/22/AR2007042201362.html

Sometimes when they are not busy dealing with natural disasters, FEMA folks just make up their own.

We got this letter the other day from Glenn M. Cannon, assistant administrator in the Disaster Operations Directorate.

"Dear Disaster Generalist," he wrote to about 2,300 people on April 16, "an unfortunate administrative processing error at FEMA . . . has resulted in the printing of Social Security numbers on the outside address labels of Disaster Assistance Employee (DAE) . . . reappointment letters."

The mail distribution center mishandled the letters, he said, creating this "unintentional release of Privacy Act information."

[...]

From chris at cwalsh.org Sat Apr 28 03:45:03 2007
From: chris at cwalsh.org (Chris Walsh)
Date: Fri, 27 Apr 2007 22:45:03 -0500
Subject: [Dataloss] NY AG settles first data breach case
Message-ID: <738474A5-36BC-4B2E-9A52-AADE095DDDE1@cwalsh.org>

By Sharon Gaudin
InformationWeek
April 27, 2007 01:32 PM

The New York Attorney General has obtained the first settlement under the state's new security breach notification law.

Attorney General Andrew Cuomo announced Thursday that it has reached an agreement with CS Stars LLC, a Chicago-based claims management company, to implement precautionary procedures, comply with New York's notification law in the event of another security breach, and pay $60,000 to the AG's office for investigation costs.

On May 9, 2006, an employee at CS Stars noticed that a computer was missing that held personal information, including the names, addresses, and Social Security numbers of recipients of workers' compensation benefits, according to the AG's office. The New York Special Funds Conservation Committee, a not-for-profit organization created to assist in providing benefits to workers under the New York Workers' Compensation Law, was the owner of the data contained in the missing computer.

It was not until June 29, 2006 that CS Stars first notified Special Funds of the security breach, the AG's office reported. On the same date, the company notified the FBI, as well. The FBI instructed the company to not send out any notifications to people who might be affected by the data breach because it might impede their investigation.

According to the AG's release, CS Stars notified the Attorney General's office, the Consumer Protection Board, and the state office of Cyber Security about the breach on June 30, 2006. Then on July 18, with the permission of the FBI, the company began sending out notices to the approximately 540,000 potentially affected New York consumers notifying them of the security breach.

[...]

Via http://www.informationweek.com/news/showArticle.jhtml?articleID=199202218

From lyger at attrition.org Sat Apr 28 21:47:15 2007
From: lyger at attrition.org (lyger)
Date: Sat, 28 Apr 2007 21:47:15 +0000 (UTC)
Subject: [Dataloss] N. Texas Company Posted Private Information Online
Message-ID:

http://www.nbc5i.com/money/13207482/detail.html

A North Texas company posted online the private information of hundreds of job applicants, NBC 5 reported.

Couriers On Demand, run by Kyle Bowers, made available for public viewing names, addresses, phone numbers, Social Security numbers and drivers license numbers on its Web site, NBC 5 reported.

Attorney Cami Boyd, who specializes in data privacy, said the company should have been encrypting its data behind a secure firewall. Without taking those precautions, she said, it is in violation of state law and federal law.

[...]

From rwise29210 at gmail.com Sun Apr 29 11:36:44 2007
From: rwise29210 at gmail.com (Rodney Wise)
Date: Sun, 29 Apr 2007 07:36:44 -0400
Subject: [Dataloss] Is it just about credit?
Message-ID: <24e2acc50704290436u343d7975y1645480e00c9cd9e@mail.gmail.com>

(In his best Columbo accent).... There is just one more thing ma'am... I am having trouble understanding a few things... gee do ya think you could help me out here?

I have a few questions for discussion by the group.

I have seen time and time again that companies that have been compromised have offered credit monitoring to help REDUCE any monetary damages that might be gained from lawsuits. It is not just about credit. You can lock it down for your life and still have problems.

Question 1
Is it just about your credit?

If someone gets your SSN or SIN (Canada) they can do a lot more than get cash. If they get medical treatment for ... I don't know ... a heart problem or even... HIV do you think you will ever get insurance again?

Question 2
What about death and taxes?

Well if you are in the US without the proper permissions to be here in most situations you MUST have 2 forms of identity to gain employment. A SSN AND a drivers license number. If they have YOUR SSN and get employment that can put you in another tax bracket owing more money than the job they are doing will be deducting for taxes. What if that happens multiple times? There is NO verification process in place that will tell an employer that it is not you. It will just verify it is a valid number.

Let's go one more step further... I get your Driver License Number from a check you give me. I make $5/hr at a retail store and see several of these a day, I can sell this for about $50 (read 10 hours of work) for each one. You are flying to that city where what happens there stays there and use your DLN as your ID. OOPS I forgot to tell you I used your number when I got pulled over for a DUI. YOU now have a criminal record.

Question 3
How does credit monitoring help these problems?

Question 4
What does the federal government REQUIRE businesses to do to help reduce data theft?

Five things.
1. Take Stock ... like an inventory of your data
2. Scale Down... What do you REALLY need
3. Lock it down... Protect it
4. Pitch it... READ SHRED
5. Plan Ahead... create a written plan

http://www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf

Question 5
If you read the publication, is this too much to ask of the companies we willingly give our data to?

Rodney Wise
http://pplriwse.blogspot.com

From jericho at attrition.org Sun Apr 29 17:39:20 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 29 Apr 2007 17:39:20 +0000 (UTC)
Subject: [Dataloss] Is it just about credit? (question 1 / health care)
In-Reply-To: <24e2acc50704290436u343d7975y1645480e00c9cd9e@mail.gmail.com>
References: <24e2acc50704290436u343d7975y1645480e00c9cd9e@mail.gmail.com>
Message-ID:

: Question 1
: Is it just about your credit?
:
: If someone gets your SSN or SIN (Canada) they can do a lot more than get
: cash. If they get medical treatment for ... I don't know ... a heart
: problem or even... HIV do you think you will ever get insurance again?
Hopefully someone in the health care industry can speak up on this but a few points.

Many (most? all?) hospitals require photo ID for everything now. While we know that a bad guy can do a full identity theft, including getting a new license or birth certificate, it does require a dedicated person. They ask for the photo ID with insurance card, which you'd also have to get issued. Some hospitals actually train their staff (a full class) on handling photo ID, recognizing aspects that would be suspicious (birth date, etc) and how to respond. This has led to some cases where the person using a stolen identity received medical treatment, walked out of the hospital all better, only to be arrested immediately as the hospital staff watched (they knew what was going on but wouldn't deny treatment of course).

Some hospitals use computer systems that have routines specifically designed to flag possible identity theft. Various incidents (most related to billing I assume) will flag a record with a potential identity theft marker which is visible to any hospital employee who loads the record. Employees are trained to act normal and provide treatment but call a special security number (internal to the hospital) and trained security staff respond.

This leads one to wonder if the DMV when re-issuing a license might notice discrepancies. Eye color goes from blue to brown, hair color, height, weight .. how many changes before someone says "wait"?

From nepen at attrition.org Sun Apr 29 18:36:50 2007
From: nepen at attrition.org (nepen)
Date: Sun, 29 Apr 2007 18:36:50 +0000 (UTC)
Subject: [Dataloss] Is it just about credit? (question 1 / health care)
In-Reply-To:
References: <24e2acc50704290436u343d7975y1645480e00c9cd9e@mail.gmail.com>
Message-ID:

On Sun, 29 Apr 2007, security curmudgeon wrote:

>
> : Question 1
> : Is it just about your credit?
> :
> : If someone gets your SSN or SIN (Canada) they can do a lot more than get
> : cash. If they get medical treatment for ... I don't know ... a heart
> : problem or even... HIV do you think you will ever get insurance again?
>
> Hopefully someone in the health care industry can speak up on this but a
> few points.
>
> Many (most? all?) hospitals require photo ID for everything now. While we
> know that a bad guy can do a full identity theft, including getting a new
> license or birth certificate, it does require a dedicated person. They ask
> for the photo ID with insurance card, which you'd also have to get issued.
> Some hospitals actually train their staff (a full class) on handling photo
> ID, recognizing aspects that would be suspicious (birth date, etc) and how
> to respond. This has led to some cases where the person using a stolen
> identity received medical treatment, walked out of the hospital all better,
> only to be arrested immediately as the hospital staff watched (they knew
> what was going on but wouldn't deny treatment of course).

Just a note, but back when I had absolutely no way to prove who I was, the ER would treat me. This was post 9-11, and the hospital had significantly upgraded their security procedures. ERs have charity care programs, however, for those who cannot pay, and they are [or mine was] retroactive. If you state that you cannot pay upon arriving, they will set up an appointment for you. I don't really see an issue there with ID theft unless someone is deliberately attempting to keep their particular ailment off of their own record. The requirements for these programs [at least here] are relatively loose, but usually last only one year, at which time you must re-file.

You may be able to pull it off for minor problems that are put through Fast-Track [but charity care, at least in my state, covers that 100%], but if you go in with heart problems you may wake up 10 hours later handcuffed to your bed after your open-heart surgery.

> This leads one to wonder if the DMV when re-issuing a license might notice
> discrepancies. Eye color goes from blue to brown, hair color, height,
> weight .. how many changes before someone says "wait"?

That's the beauty of contact lenses [particularly blue to brown--brown to blue not so easy to pull off], hair and weight don't seem like big issues, and depending upon the age of the person, a one or two inch height discrepancy doesn't seem like a big deal. My mother had no problems getting her license--she went when I went--and she's changed her hair colour, weight, and height. If I'd have given her a pair of blue contact lenses, I doubt they'd have even noticed. Her previous license had no photo.

Though at the NJ DMV, I was able to receive my ID and /bypass/ their "6 point identification system" which requires a certain amount of documents worth a certain number of points, adding up to 6, before you're able to get a license or photo ID. I was also able to do this at the SSA. This was all relatively recently--this month, in fact. All the SSA required was a note from my doctor--who simply wrote everything I told him to write when it came to my description--in lieu of their new post-9/11 requirements. For my birth certificate: I never had to get out of the car.

It seems to me that everyone now has to juggle leniency for those who have fallen through the cracks with vigilance for those who are exploiting the system. I spent hours worrying about how I would be able to get my new Social Security Card or meet the DMV's 6 points, and I had absolutely no problem doing either. It was incredibly easy. It seems like this transitioning issue, where they are accommodating people unable to meet the new requirements, might be the easiest point of abuse.

nepen

From lyger at attrition.org Sun Apr 29 19:43:46 2007
From: lyger at attrition.org (lyger)
Date: Sun, 29 Apr 2007 19:43:46 +0000 (UTC)
Subject: [Dataloss] UNM says some employee information on stolen laptop
Message-ID:

http://kob.com/article/stories/S72768.shtml?cat=517

University of New Mexico officials say personal information for 3,000 employees may have been stored on a laptop computer that was stolen.

The university notified the employees by e-mail that some personal information may have been on a laptop taken Wednesday from a San Francisco office. University officials learned of the theft Friday from an outside consultant working on UNM's human resource and payroll systems.

[...]

From rwise29210 at gmail.com Sun Apr 29 22:51:24 2007
From: rwise29210 at gmail.com (Rodney Wise)
Date: Sun, 29 Apr 2007 18:51:24 -0400
Subject: [Dataloss] Is it just about credit? (question 1 / health care)
In-Reply-To:
References: <24e2acc50704290436u343d7975y1645480e00c9cd9e@mail.gmail.com>
Message-ID: <24e2acc50704291551x683b6e86off6a59e2455c90df@mail.gmail.com>

I guess the basic question is:

As people who are aware of data breaches how can we alert others that it is NOT just about credit.

Rodney

On 4/29/07, security curmudgeon wrote:
>
>
> : Question 1
> : Is it just about your credit?
> :
> : If someone gets your SSN or SIN (Canada) they can do a lot more than get
> : cash. If they get medical treatment for ... I don't know ... a heart
> : problem or even... HIV do you think you will ever get insurance again?
>
> Hopefully someone in the health care industry can speak up on this but a
> few points.
>
> Many (most? all?) hospitals require photo ID for everything now. While we
> know that a bad guy can do a full identity theft, including getting a new
> license or birth certificate, it does require a dedicated person. They ask
> for the photo ID with insurance card, which you'd also have to get issued.
> Some hospitals actually train their staff (a full class) on handling photo
> ID, recognizing aspects that would be suspicious (birth date, etc) and how
> to respond. This has led to some cases where the person using a stolen
> identity received medical treatment, walked out of the hospital all better,
> only to be arrested immediately as the hospital staff watched (they knew
> what was going on but wouldn't deny treatment of course).
>
> Some hospitals use computer systems that have routines specifically
> designed to flag possible identity theft. Various incidents (most related
> to billing I assume) will flag a record with a potential identity theft
> marker which is visible to any hospital employee who loads the record.
> Employees are trained to act normal and provide treatment but call a
> special security number (internal to the hospital) and trained security
> staff respond.
>
> This leads one to wonder if the DMV when re-issuing a license might notice
> discrepancies. Eye color goes from blue to brown, hair color, height,
> weight .. how many changes before someone says "wait"?
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 207 million compromised records in 634 incidents over 7
> years.
>

--
Rodney Wise
http://pplriwse.blogspot.com

From nepen at attrition.org Sun Apr 29 23:32:01 2007
From: nepen at attrition.org (nepen)
Date: Sun, 29 Apr 2007 23:32:01 +0000 (UTC)
Subject: [Dataloss] Is it just about credit? (question 1 / health care)
In-Reply-To: <24e2acc50704291551x683b6e86off6a59e2455c90df@mail.gmail.com>
References: <24e2acc50704290436u343d7975y1645480e00c9cd9e@mail.gmail.com> <24e2acc50704291551x683b6e86off6a59e2455c90df@mail.gmail.com>
Message-ID:

On Sun, 29 Apr 2007, Rodney Wise wrote:

> I guess the basic question is:
>
> As people who are aware of data breaches how can we alert others that it is
> NOT just about credit.
>
> Rodney

Simple: Research the potential results of dataloss that do not involve identity theft/credit issues, write about these new ideas, and put the information out there.

Notsosimple: Hope for interest, particularly if there is some sort of marketable protection against these other outcomes. Sadly, the ability for someone to profit from offering services to protect against these potential non-credit-related outcomes of dataloss events may have an effect on whether or not there is much interest in them.

Research, write, publish: Create awareness and cross your fingers?

nepen

From j.beebe at cox.net Mon Apr 30 02:27:59 2007
From: j.beebe at cox.net (J Beebe)
Date: Sun, 29 Apr 2007 19:27:59 -0700
Subject: [Dataloss] The cost of doing business?
In-Reply-To: <24e2acc50704250359yaf861b5wd847586701bfda85@mail.gmail.com>
References: <24e2acc50704250359yaf861b5wd847586701bfda85@mail.gmail.com>
Message-ID: <20070430022820.KICS24310.fed1rmmtao104.cox.net@fed1rmimpo01.cox.net>

Here's a link to the complaint filed by the Mass. Bankers Assoc. It notes that they and the other 2 bankers assocs. are asking for "tens of millions of dollars."

https://www.massbankers.org/pdfs/DataBreachSuitNR5.pdf

Should be interesting.

JB

At 03:59 AM 4/25/2007, Rodney Wise wrote:
>Bank groups in 3 states plan to sue TJX over data theft
>http://www.mercurynews.com/businessheadlines/ci_5745507
>The Associated Press
>Article Launched: 04/25/2007 01:50:15 AM PDT
>
>BOSTON (AP) - Bank associations in Massachusetts, Connecticut and
>Maine said Tuesday that they will sue TJX over a data theft that
>exposed at least 45 million credit and debit cards to potential fraud.
>
>Banks have been saddled with costs to replace cards and cover
>fraudulent charges tied to the theft from TJX, the owner of nearly
>2,500 discount stores including T.J. Maxx and Marshalls.
>
>On Jan. 17, Framingham, Mass.-based TJX disclosed a breach of its
>computer systems by an unknown hacker or hackers who accessed card
>data from transactions as long ago as late 2002.
>On March 28, TJX said at least 45.7 million of its shoppers' cards had
>been compromised.
>--
>Rodney Wise
>http://pplriwse.blogspot.com
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss
>Tracking more than 207 million compromised records in 630 incidents
>over 7 years.

From macwheel99 at sigecom.net Mon Apr 30 01:41:43 2007
From: macwheel99 at sigecom.net (Al Mac)
Date: Sun, 29 Apr 2007 20:41:43 -0500
Subject: [Dataloss] Is it just about credit?
In-Reply-To: <24e2acc50704290436u343d7975y1645480e00c9cd9e@mail.gmail.com>
References: <24e2acc50704290436u343d7975y1645480e00c9cd9e@mail.gmail.com>
Message-ID: <6.2.1.2.1.20070429195335.02a52360@mail.sigecom.net>

How difficult is it for the criminal underworld to manufacture fake driver's licenses? The photo-id looks exactly like the person carrying it (it is their photo), but the identity is whoever's identity they stole. Such an id can be used to help get a job, get medical treatment, anything such a fake id is used for. It does not matter if a thumb print is on there, because the fake-id has the photo and thumb print of the crook instead of the real person who has the real-id-license that was issued by the state DMV.

You're right that the DMV record ought to have eye color, hair color etc. But one of the types of data theft has been entire DMV data bases. Crooks in the fake-id business can then match the identity to be stolen with a person needing a fake id with similar characteristics ... eye color, hair color, gender, approx age, etc.

This will cease to work when the photo-id gets scanned in some place to compare it to the official copy in DMV records, unless crooks have the sophistication to also mess with the official records, or the communication between police car check point and official records. I expect it will be pretty rare for people running around with fake-ids to have the kinds of hacker skills to real-time spoof whatever is done to validate photo or thumb print on the fake-id.

A small fortune is spent on protecting the nation's currency from counterfeiting, but yet there still are people who get away with passing counterfeit money. Nothing like that expense can be incurred to protect individual states from not having fraudulent driver's licenses and other identification in circulation.

A while back, the state of Colorado sorted employee tax reporting data by SSN to get a count of how many different places the same SSN was being used ... I think the biggest was like 50 or 100 employers had someone simultaneously working there with the same SSN. We can reasonably assume that if other US states were to do this, they might get similar numbers. Bigger in the more populated states. Similar story in other nations.

The feds have done this with critical infrastructure ... people working at Pentagon, Nuclear weapons facilities, etc. & yes found lots of fraudulent identities there.
We can hope most of them are people who just need a job, not many potential terrorists in the bunch.

Is there a serious risk that the states will crack down on the real people, in whose names those 50 other people are using their SSN? Or is there temptation for states to look the other way, since this is tax money being paid for services that the fake SSN holders may be less likely to claim than valid SSN holders? You may be better off with a bunch of people paying extra taxes in your name, than only one of them. Except with how easy it is to fraudulently claim an income tax refund, which is a big problem for the IRS, and also for the person in whose name this got done.

More risks than you said.

You don't even get on the plane at the airport to go home, because your identity was used by someone stopped by the police, let go on minimal bail, supposed to return for court date, never did. Now you have the legal expense of proving you are not whoever that is running around the country committing more crimes in your name.

Let's suppose the real Rodney Wise is in the hospital for serious treatment, and while there, persons with fake identity for Rodney Wise steal his car, sell it, occupy his home, sell everything there, get a second mortgage on it, sell the house, run up ungodly bills, clean out bank accounts. Real Rodney gets out of the hospital & tries to go home, and is arrested as an intruder in a home that now belongs to someone else. This has happened to people in nations where possession is 9/10 of the law.

Credit monitoring helps with some of the problems but we need more.

Some day, DNA testing will be as rapid as sticking some skin cells or spit into a gadget that will say "You born in nation X, legally in nation Y, have a blood relative criminal Z" and we pray that long before that reality the data bases are locked down with good support for people to correct errors about themselves.

- Al Macintyre

From chris at cwalsh.org Mon Apr 30 04:47:24 2007
From: chris at cwalsh.org (Chris Walsh)
Date: Sun, 29 Apr 2007 23:47:24 -0500
Subject: [Dataloss] Is it just about credit?
In-Reply-To: <6.2.1.2.1.20070429195335.02a52360@mail.sigecom.net>
References: <24e2acc50704290436u343d7975y1645480e00c9cd9e@mail.gmail.com> <6.2.1.2.1.20070429195335.02a52360@mail.sigecom.net>
Message-ID: <9E72B570-5BCC-4F3C-B9D2-0D6DDD7EF078@cwalsh.org>

Here in IL, we just had a high-profile federal bust of some folks who were allegedly selling fake drivers' licenses and fake SocSec cards as a combo pack for $300. This was in a section of Chicago with many undocumented workers. Reports are that this is undoubtedly so the buyers can work in the US, but of course the news coverage says that the sellers don't exactly care why someone is looking for ID as long as they have the $$.

In this particular instance, the Feds say they acted because the gang allegedly selling these IDs had murdered someone who tried to go into competition with them. Clearly, then, the cost of production of these IDs is less than the $300, or else the dead guy would have been no threat since he could not possibly undercut the gang.

On Apr 29, 2007, at 8:41 PM, Al Mac wrote:

> How difficult is it for the criminal underworld to manufacture fake
> driver's licenses?

From adam at homeport.org Mon Apr 30 15:15:00 2007
From: adam at homeport.org (Adam Shostack)
Date: Mon, 30 Apr 2007 11:15:00 -0400
Subject: [Dataloss] Is it just about credit? (question 1 / health care)
In-Reply-To: <24e2acc50704291551x683b6e86off6a59e2455c90df@mail.gmail.com>
References: <24e2acc50704290436u343d7975y1645480e00c9cd9e@mail.gmail.com> <24e2acc50704291551x683b6e86off6a59e2455c90df@mail.gmail.com>
Message-ID: <20070430151500.GB8860@homeport.org>

On Sun, Apr 29, 2007 at 06:51:24PM -0400, Rodney Wise wrote:
| I guess the basic question is:
|
| As people who are aware of data breaches how can we alert others that it is NOT
| just about credit.

We used to use words like 'privacy' or 'data protection.'

To Jericho's point, I'd argue that the problem is central medical databases, and upgrading the trusted third parties to control what goes in them is just poor thinking.

Adam

|
| On 4/29/07, security curmudgeon wrote:
|
|
| : Question 1
| : Is it just about your credit?
| :
| : If someone gets your SSN or SIN (Canada) they can do a lot more than get
| : cash. If they get medical treatment for ... I don't know ... a heart
| : problem or even... HIV do you think you will ever get insurance again?
|
| Hopefully someone in the health care industry can speak up on this but a
| few points.
|
| Many (most? all?) hospitals require photo ID for everything now. While we
| know that a bad guy can do a full identity theft, including getting a new
| license or birth certificate, it does require a dedicated person. They ask
| for the photo ID with insurance card, which you'd also have to get issued.
| Some hospitals actually train their staff (a full class) on handling photo
| ID, recognizing aspects that would be suspicious (birth date, etc) and how
| to respond. This has led to some cases where the person using a stolen
| identity received medical treatment, walked out of the hospital all better,
| only to be arrested immediately as the hospital staff watched (they knew
| what was going on but wouldn't deny treatment of course).
|
| Some hospitals use computer systems that have routines specifically
| designed to flag possible identity theft. Various incidents (most related
| to billing I assume) will flag a record with a potential identity theft
| marker which is visible to any hospital employee who loads the record.
| Employees are trained to act normal and provide treatment but call a
| special security number (internal to the hospital) and trained security
| staff respond.
|
| This leads one to wonder if the DMV when re-issuing a license might notice
| discrepancies. Eye color goes from blue to brown, hair color, height,
| weight .. how many changes before someone says "wait"?
|
| --
| Rodney Wise
| http://pplriwse.blogspot.com

From lyger at attrition.org Mon Apr 30 23:51:50 2007
From: lyger at attrition.org (lyger)
Date: Mon, 30 Apr 2007 23:51:50 +0000 (UTC)
Subject: [Dataloss] (update) Stolen Caterpillar laptop contained employees personal information
Message-ID:

(now disclosed that SSNs were on the stolen laptop. other reports have also disclosed that the laptop belonged to an "SBA Inc." located in Georgia.)

http://www.wjbc.com/wire2/news/01943_Caterpillar-Data-WEB_145542.htm

Caterpillar Incorporated told employees in a letter that a laptop stolen this month contained current and former workers' Social Security numbers, banking information and addresses.

Peoria-based Caterpillar has declined to say how many of its roughly 95-thousand employees were affected but has set up a call center to answer their questions.

[...]