From d2d at attrition.org Thu Aug 2 12:45:30 2007
From: d2d at attrition.org (d2d)
Date: Thu, 2 Aug 2007 12:45:30 +0000 (UTC)
Subject: [Dataloss] OH: Personal information may be stolen at UT
Message-ID:

http://toledoblade.com/apps/pbcs.dll/article?AID=/20070802/NEWS21/70802036

Personal information of some students and staff at the University of Toledo might have been on two hard drives stolen from the Health and Human Services Building, the university announced yesterday.

The hard drives, which are believed to have contained some names, Social Security numbers, and grade changes, were taken from UT's department of health and rehabilitative services.

The university computer of Jeanette Espinosa, a department secretary, was reported stolen June 18, and Associate Professor Thomas Tatchell's computer was reported stolen July 12, according to the UT police department.

Ms. Espinosa's computer is believed to have been taken between June 15 and June 18. Memory cards for the computer also were taken.

[...]

From d2d at attrition.org Thu Aug 2 18:26:23 2007
From: d2d at attrition.org (d2d)
Date: Thu, 2 Aug 2007 18:26:23 +0000 (UTC)
Subject: [Dataloss] KY: Laptop with E.On employee identity info stolen
Message-ID:

http://www.courier-journal.com/apps/pbcs.dll/article?AID=/20070802/BUSINESS/70802021

A Louisville accounting firm's laptop with names, Social Security numbers and birth dates of most E.On U.S. employees and some retirees was stolen last month in Chicago, according to letters to potential victims from E.On and the accounting firm.

Mountjoy & Bressler, the accounting firm, and E.On sent letters to potential identity theft victims about a week after the July 20 theft of the computer, which contained 2005 data. The data did not include addresses.

Chip Keeling, an E.On spokesman, said the company is not disclosing how many names of employees and retirees were included in the data because of an ongoing police investigation.
The theft appears to be random and the company does not want to give thieves an incentive to hunt for the information, Keeling said.

[...]

From d2d at attrition.org Fri Aug 3 19:58:11 2007
From: d2d at attrition.org (d2d)
Date: Fri, 3 Aug 2007 19:58:11 +0000 (UTC)
Subject: [Dataloss] CA: Stolen health computer stored 20,000 names
Message-ID:

http://www.edmontonsun.com/News/Alberta/2007/08/03/4390118-sun.html

Police and the office of the information and privacy commissioner are investigating a theft of four Capital Health computers - one containing 20,000 patient names, health card numbers, addresses and reason for admittance to hospital.

But the risk of a hacker cracking the passwords is very low, said Capital Health spokesman Steve Buick.

The computers were stolen from a secure desk with a cable lock in a secure downtown building on the evening of May 8.

Capital Health waited nearly three months before announcing the crime because it took that long for the addresses of the 20,000 patients to be confirmed, Buick said, adding letters to the affected patients were mailed out yesterday.

[...]

From d2d at attrition.org Fri Aug 3 20:02:33 2007
From: d2d at attrition.org (d2d)
Date: Fri, 3 Aug 2007 20:02:33 +0000 (UTC)
Subject: [Dataloss] UT: Hundreds of Documents Found in Garbage with Personal Info - Part 2
Message-ID:

http://www.ksl.com/?nid=148&sid=1577147

A truck driver has come forward, telling KSL about documents found in the trash. The documents contained names, addresses, telephone numbers, Social Security numbers and birth dates of dozens of Utahns. So how did they end up where they were found? And what does Utah law say about what a business is required to do to stop such records from getting into the wrong hands?

The records are dated 2004 and 2005, all with Work Care of Orem's name and former address; they've moved a few blocks to the west since then. The truck driver who found the papers says there were maybe hundreds of documents in his trash truck.

[...]
From d2d at attrition.org Fri Aug 3 20:07:12 2007
From: d2d at attrition.org (d2d)
Date: Fri, 3 Aug 2007 20:07:12 +0000 (UTC)
Subject: [Dataloss] AU: Visa confirms data tapes theft
Message-ID:

courtesy pogowasright.org

http://www.thesheet.com/nl05_news_selected.php?act=2&stream=1&selkey=2309&hlc=2&hlw=

Visa has confirmed that recent mass credit-card account cancellations at Westpac are related to a data tape theft in late May. But just which payment gateway or third party vendor lost the tapes remains a mystery. So too does the extent of the security breach and how many card accounts have been affected.

Pauline Hayes, corporate relations manager at Visa International - Australia and New Zealand confirmed the data tape theft to eCommerce Report by email earlier this week.

"In response to your question about the recent article about Westpac - as I outlined, an investigation into the theft of data tapes on May 25 is ongoing and therefore we cannot comment further on this matter."

[...]

From d2d at attrition.org Sat Aug 4 04:43:19 2007
From: d2d at attrition.org (d2d)
Date: Sat, 4 Aug 2007 04:43:19 +0000 (UTC)
Subject: [Dataloss] IN: Computer breach gives prison staff access to employee information
Message-ID:

http://www.tribstar.com/news/local_story_216000536.html

Carlisle - Officials at a Wabash Valley prison confirmed Friday that an internal computer security breach allowed prison staff access to Social Security numbers and other identifying information of employees for an unknown period of time.

Rich Larsen, public information officer for the Wabash Valley Correctional Facility in Carlisle, said a database containing Social Security numbers, dates of birth and names of people employed at the facility between 1997 and 2002 was unintentionally moved "from a secure private drive that was accessible only by the human resources department to a shared directory that could be accessed by other employees here."
The database was not accessible by the general public, Larsen added.

There have been no complaints or reports of identity theft because of the breach, Larsen said, but as a precaution, officials sent letters to the staff members, current and former, whose information was included in the database.

[...]

From d2d at attrition.org Sun Aug 5 02:36:47 2007
From: d2d at attrition.org (d2d)
Date: Sun, 5 Aug 2007 02:36:47 +0000 (UTC)
Subject: [Dataloss] MI: Credit union: members' data stolen
Message-ID:

courtesy pogowasright.org

http://www.battlecreekenquirer.com/apps/pbcs.dll/article?AID=/20070804/NEWS01/708040313/1002/NEWS01

A computer containing personal information on an undisclosed number of Kellogg Community Federal Credit Union members was stolen during a break-in sometime in the third week of July.

In a letter dated July 25 sent to affected customers, the credit union said the computer was taken along with other items from "the offices of a vendor who has been providing services to the Credit Union."

A file containing some members' names, addresses, telephone numbers, birth dates, social security numbers and account numbers was on the computer's hard drive.

Kellogg Community has more than 25,300 members and more than $231.2 million in assets in 2005, according to its Web site.

Tracy Miller, Kellogg Community's chief executive officer, refused to say who the vendor is or how many people were affected, citing an ongoing investigation.

"I won't be providing any additional information," she said. "We're working with the FBI."

[...]
From jericho at attrition.org Mon Aug 6 15:46:03 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 6 Aug 2007 15:46:03 +0000 (UTC)
Subject: [Dataloss] Question about exploit exposing SSN & user info (fwd)
Message-ID:

---------- Forwarded message ----------
From: hsukowa at yahoo.com
To: bugtraq at securityfocus.com
Date: 6 Aug 2007 02:35:18 -0000
Subject: Question about exploit exposing SSN & user info

My apologies if this question is inappropriate for this email list, but it is a last resort and a friend recommended posting this question here.

In the last 36 hours I uncovered an exploit that compromises the private information of thousands of individuals - including SSN and address information. I cannot judge whether or not the exploit is easy to find. I do know that if found, it would not be difficult to write a simple script in php or perl to exploit the hole.

My concern is that the company responsible for this hole (for whom I am currently employed) will patch the problem on seeing it occur on Monday (a good thing) but do little or nothing to notify any user whose private information is on their system (downplaying the likelihood of risk). This exploit has very likely existed for years and whether or not a company typically keeps logs for years is beyond my knowledge - the exploit is however detectable through web log files. I also lack faith in the company's ability to make an objective determination whether or not the exploit has been used to download the private information of its users.

My question is this - does anyone out there have any experience dealing with this type of a situation? --- Where a company has silenced an exploit without notifying customers who may have been victims of it? Does anyone have any recommendations for a course of action I might take to somehow ensure users whose private information may have been compromised are notified in the event the company chooses to "sweep it under the rug"?
Again my apologies if my asking this question in the wrong forum has offended anyone. And many thanks to anyone who responds.

From rforno at infowarrior.org Mon Aug 6 14:12:40 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 06 Aug 2007 10:12:40 -0400
Subject: [Dataloss] VeriSign worker exits after laptop security breach
Message-ID:

(Good riddance to this idiot.......no sympathy from this former VRSN employee.....rf)

VeriSign worker exits after laptop security breach
Man overboard
By John Leyden
Published Monday 6th August 2007 11:20 GMT

http://www.theregister.co.uk/2007/08/06/verisign_laptop_theft/

VeriSign has warned workers of the theft of a laptop that contained their personal information.

The laptop was stolen from a car parked in the garage of a California worker sometime on the night of 12 July. The laptop contained personal information - name, Social Security number, date of birth, salary information, telephone numbers, and home addresses - of an unknown number of VeriSign employees. Bank account numbers or password information were not stored on the machine.

Data on the machine was not encrypted, in contravention of VeriSign policies, raising ID theft concerns. The unnamed worker involved has left VeriSign while the web security firm has responded by promising to tighten up its security policies.

In a letter to workers, VeriSign said the laptop was probably stolen in a random burglary. Nonetheless, the security infrastructure firm is offering to pay a year's credit watch monitoring subscription to those potentially affected.

Reports of the breach first surfaced on Wizbang on Friday. Prompted by our follow-up questions, Verisign issued a statement explaining its response to the breach.

VeriSign is taking the recent laptop theft very seriously. The Company initiated an investigation as soon as the theft was discovered.
We have no reason to believe that the thief or thieves acted with the intent to extract and use this information. The local police have said the theft may be tied to a series of neighborhood burglaries.

We disabled any access by the employee's computer to the VeriSign network. The employee involved in this incident has since left VeriSign.

The Company has a policy on how to manage laptops that contain sensitive information and company data - which in this case was not followed. That policy includes not leaving laptops in vehicles in plain view, keeping the amount of confidential and sensitive data stored on laptops to a minimum, and using data encryption tools to protect those sets of data that absolutely must be stored on a laptop.

Going forward, we will continue to review our security procedures to prevent future human errors of this type.

VeriSign specialises in marketing the digital certificates and other elements of the infrastructure that underpin secure web transactions, so any kind of security breach is embarrassing. It's far from alone in having problems with lost or stolen laptops containing sensitive information, however. Similar thefts have sparked security flaps at Marks & Spencer, Nationwide Building Society, the Metropolitan Police, the US Department of Veterans Affairs, and others.

From lyger at attrition.org Tue Aug 7 13:19:29 2007
From: lyger at attrition.org (lyger)
Date: Tue, 7 Aug 2007 13:19:29 +0000 (UTC)
Subject: [Dataloss] UK: First Response issues ID theft alert after burglary
Message-ID:

First Response Finance has warned thousands of UK customers to be wary of suspicious transactions on their accounts following the theft of storage discs from the finance firm's offices near Manchester.

Server equipment containing customer data was stolen in a break-in at its Leigh offices late last month, prompting the firm to issue a precautionary alert.
Bank and card details for both current and previous customers, as well as First Response workers, were potentially exposed as a result of the burglary. However the firm stresses that a "sophisticated level of equipment and knowledge" would be needed to access the data.

[...]

From lyger at attrition.org Tue Aug 7 13:47:49 2007
From: lyger at attrition.org (lyger)
Date: Tue, 7 Aug 2007 13:47:49 +0000 (UTC)
Subject: [Dataloss] (update) University of Toledo professor accused in theft of hard drive
Message-ID:

http://toledoblade.com/apps/pbcs.dll/article?AID=/20070807/NEWS02/70807039

A University of Toledo professor who reported his computer stolen, leading to concerns that personal information could be at risk, was charged yesterday by UT police with taking the hard drive.

Thomas Tatchell, 33, an associate professor of health education, was charged in arrest warrants filed yesterday in Toledo Municipal Court with receiving stolen property, tampering with evidence, unauthorized use of property, obstructing official business, and filing a false report.

Mr. Tatchell, who joined UT's public health and rehabilitative services department in Aug., 2000, reported his university hard drive stolen on July 12.

[...]

From lyger at attrition.org Tue Aug 7 17:58:23 2007
From: lyger at attrition.org (lyger)
Date: Tue, 7 Aug 2007 17:58:23 +0000 (UTC)
Subject: [Dataloss] Merrill Lynch reports computer theft
Message-ID:

http://www.reuters.com/article/fundsFundsNews/idUSN0723295420070807

Merrill Lynch & Co. Inc. (MER.N) said on Tuesday a computer with personal information on some employees had been stolen from one of its offices.

Merrill Lynch, the world's largest brokerage, said the theft did not involve client information.

It did not give other details and declined to say how many employees' records were on the computer.

[...]
From lyger at attrition.org Tue Aug 7 19:41:18 2007
From: lyger at attrition.org (lyger)
Date: Tue, 7 Aug 2007 19:41:18 +0000 (UTC)
Subject: [Dataloss] (update) CNBC's Gasparino: Merrill Lynch ID Theft May Affect 33,000 Employees
Message-ID:

http://www.cnbc.com/id/20162588

A "major identity-theft incident" has occurred at brokerage giant Merrill Lynch that may affect more than 30,000 employees, CNBC's Charlie Gasparino reported.

"A computer device apparently was stolen from [Merrill's] corporate offices in New Jersey," Gasparino said. According to sources, the device contained sensitive personal information, including Social Security numbers, about some 33,000 employees of the financial firm.

[...]

From lyger at attrition.org Tue Aug 7 20:23:39 2007
From: lyger at attrition.org (lyger)
Date: Tue, 7 Aug 2007 20:23:39 +0000 (UTC)
Subject: [Dataloss] AL: Ex-employee of Electronic Data Systems charged with stealing identities
Message-ID:

http://birmingham.bizjournals.com/birmingham/stories/2007/08/06/daily11.html?jst=b_ln_hl

A Montgomery woman, a former employee of Electronic Data Systems, was arrested this week for allegedly trafficking in stolen identities she received through her work with the company.

Attorney General Troy King announced the arrest of Kwantrice M. Thornton, 24. The warrant charges Thornton with Medicaid fraud and claims she "obtained the names and identifying information of 498 Alabama Medicaid recipients and subsequently sold 50 of those identities to other individuals to be used in filing fraudulent federal tax returns."

[...]

From adam at homeport.org Wed Aug 8 01:30:10 2007
From: adam at homeport.org (Adam Shostack)
Date: Tue, 7 Aug 2007 21:30:10 -0400
Subject: [Dataloss] Merrill Lynch reports computer theft
In-Reply-To:
References:
Message-ID: <20070808013009.GA410@homeport.org>

Chris will doubtless get the numbers from a FOIA request to New York.
Adam

On Tue, Aug 07, 2007 at 05:58:23PM +0000, lyger wrote:
|
| http://www.reuters.com/article/fundsFundsNews/idUSN0723295420070807
|
| Merrill Lynch & Co. Inc. (MER.N: Quote, Profile, Research) said on Tuesday
| a computer with personal information on some employees had been stolen
| from one of its offices.
|
| Merrill Lynch, the world's largest brokerage, said the theft did not
| involve client information.
|
| It did not give other details and declined to say how many employees
| records were on the computer.
|
| [...]
| _______________________________________________
| Dataloss Mailing List (dataloss at attrition.org)
| http://attrition.org/dataloss
|
| Tenable Network Security offers data leakage and compliance monitoring
| solutions for large and small networks. Scan your network and monitor your
| traffic to find the data needing protection before it leaks out!
| http://www.tenablesecurity.com/products/compliance.shtml

From bkdelong at pobox.com Wed Aug 8 01:48:53 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Tue, 7 Aug 2007 21:48:53 -0400
Subject: [Dataloss] Merrill Lynch reports computer theft
In-Reply-To: <20070808013009.GA410@homeport.org>
References: <20070808013009.GA410@homeport.org>
Message-ID:

What's the required reporting time and the average ETA of said data on a FOIA?

On 8/7/07, Adam Shostack wrote:
> Chris will doubtless get the numbers from a FOIA request to New York.
>
> Adam
>
> On Tue, Aug 07, 2007 at 05:58:23PM +0000, lyger wrote:
> |
> | http://www.reuters.com/article/fundsFundsNews/idUSN0723295420070807
> |
> | Merrill Lynch & Co. Inc. (MER.N: Quote, Profile, Research) said on Tuesday
> | a computer with personal information on some employees had been stolen
> | from one of its offices.
> |
> | Merrill Lynch, the world's largest brokerage, said the theft did not
> | involve client information.
> |
> | It did not give other details and declined to say how many employees
> | records were on the computer.
> |
> | [...]
>
--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org              Volunteer.
http://www.carolingia.eastkingdom.org      Service.
http://bkdelong.livejournal.com            Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From lyger at attrition.org Wed Aug 8 13:52:52 2007
From: lyger at attrition.org (lyger)
Date: Wed, 8 Aug 2007 13:52:52 +0000 (UTC)
Subject: [Dataloss] Yale: Computers containing 10,000 SSNs are stolen
Message-ID:

http://www.yaledailynews.com/articles/view/21093

Social Security numbers for over 10,000 current and former students, faculty and staff were compromised last month following the theft of two University computers, officials said Tuesday.

The computers were stolen from the Yale College Dean's Office on July 17, in only the latest in a series of data security breaches that have plagued universities nationwide. The computers were password-protected, and were probably stolen to be sold rather than for the data stored on them, University officials said.
Yale has sent letters to the individuals whose personal information may now be at risk.

[...]

From jericho at attrition.org Fri Aug 10 12:58:33 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 10 Aug 2007 12:58:33 +0000 (UTC)
Subject: [Dataloss] follow-up: Credit card headaches from TJX breach remain (fwd)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.boston.com/business/personalfinance/articles/2007/08/09/credit_card_headaches_from_tjx_breach_remain/

By Se Young Lee
Globe Correspondent
August 9, 2007

Almost seven months after the biggest security breach of financial data in the nation was revealed, some banks still appear to be sorting out which of their credit card customers were put at risk.

Retail giant TJX Cos., with headquarters in Framingham, revealed this spring that at least 45.7 million credit and debit card numbers were compromised by hackers who gained access to the company's computer systems in the second half of 2005 as well as from May 2006 to January of this year.

But some companies, such as Citibank, are still reissuing cards for customers whose information may have been exposed.

"As a preventative measure we are in the process of notifying and issuing new credit and debit cards to some customers whom we believe may be subject to increased risk," Citibank said in a statement yesterday.

[...]

From lyger at attrition.org Fri Aug 10 13:51:37 2007
From: lyger at attrition.org (lyger)
Date: Fri, 10 Aug 2007 13:51:37 +0000 (UTC)
Subject: [Dataloss] IL: Loyola warns 5,800 students at risk of ID theft
Message-ID:

http://www.wandtv.com/Global/story.asp?S=6914214

A Loyola University computer with the Social Security numbers of 5,800 students was discarded before its hard drive was erased, forcing the school to warn students about potential identity theft.

Loyola spokeswoman Susan Malisch says there's no evidence any personal information has or will be accessed.
But she told students in a letter they should take every possible step to safeguard their privacy.

[...]

From lyger at attrition.org Fri Aug 10 14:49:02 2007
From: lyger at attrition.org (lyger)
Date: Fri, 10 Aug 2007 14:49:02 +0000 (UTC)
Subject: [Dataloss] Norway: Internet hackers steal confidential data on 60,000 Norwegians
Message-ID:

http://news.brisbanetimes.com.au/internet-hackers-steal-confidential-data-on-60000-norwegians/20073511-spc.html

Internet hackers have stolen confidential data on 60,000 Norwegians, including the head of the agency for safeguarding them, the agency itself revealed Friday.

It said they had used a weakness on the website of the telephone operators Tele2 to procure the national personal identity numbers and addresses of subscribers, amounting to 1.3 percent of the country's population.

The information would enable the hackers to change the addresses of the people concerned so as to intercept their mail, or order goods on their account.

[...]

From lyger at attrition.org Fri Aug 10 18:31:26 2007
From: lyger at attrition.org (lyger)
Date: Fri, 10 Aug 2007 18:31:26 +0000 (UTC)
Subject: [Dataloss] OR: Patient information, cash missing after Legacy clinic theft
Message-ID:

http://www.bizjournals.com/portland/stories/2007/08/06/daily51.html

A Legacy Health System primary care physician practice has discovered the theft of $13,000 in cash and personal data for 747 patients who got care at the clinic between January 2006 and February 2007.

Patient receipts, credit card transaction slips and checks are also missing at Legacy Clinic Mount Hood, in addition to Social Security numbers and dates of birth for patients.

"Based on our investigation, we believe this was an isolated incident involving one dishonest person who we no longer employ," said John Reid, director of security for Legacy Health System.

[...]
From lyger at attrition.org Sat Aug 11 16:26:04 2007
From: lyger at attrition.org (lyger)
Date: Sat, 11 Aug 2007 16:26:04 +0000 (UTC)
Subject: [Dataloss] IL: Motorists' information lost in bureau burglary
Message-ID:

http://www.chicagotribune.com/news/local/west/chi-licenses_11aug11,1,2920627.story?ctrack=1&cset=true

The Illinois secretary of state's office plans to send letters next week to more than 300 motorists whose photos and personal information may have been on a camera cartridge stolen from a facility in Elgin, a spokesman said Friday.

[...]

The cartridge contained photographs, names, addresses and license numbers -- but not Social Security numbers -- of people who were issued driver's licenses on Wednesday, Druker said. Social Security numbers are no longer printed on Illinois driver's licenses, Druker said.

[...]

From lyger at attrition.org Sat Aug 11 16:30:49 2007
From: lyger at attrition.org (lyger)
Date: Sat, 11 Aug 2007 16:30:49 +0000 (UTC)
Subject: [Dataloss] AK: Laptop with patient information missing from Providence
Message-ID:

http://www.ktuu.com/Global/story.asp?S=6918228

A laptop computer that contains the personal information of up to 250 patients is missing from Providence Alaska Medical Center. There are concerns that private information might get into the wrong hands.

Providence started calling patients today to tell them about the missing computer. Hospital officials say it hasn't been stolen, but no one has seen it since May 31.

[...]

On it are names, medical record numbers, dates of birth and patient diagnoses.

"There could have been social security numbers and addresses on there, but we don't believe that was the case for the majority of the information," Hultberg said.

[...]
From fergdawg at netzero.net Sun Aug 12 03:17:24 2007
From: fergdawg at netzero.net (Paul Ferguson)
Date: Sun, 12 Aug 2007 03:17:24 GMT
Subject: [Dataloss] UK: Database of Top-Secret Police Phone Taps Stolen
Message-ID: <20070811.201724.18143.1@webmail11.lax.untd.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Via The Independent.

[snip]

Police chiefs have launched a major investigation after the theft of a computer database containing thousands of top-secret mobile phone records from terrorism and organised crime investigations.

Scotland Yard is concerned that crucial evidence from undercover investigations could be lost forever or has found its way into "the wrong hands" after the computer and other IT equipment disappeared from a private firm in Sevenoaks, Kent, last Monday night after a break-in.

Forensic Telecommunications Services, whose clients include Scotland Yard, The Police Service of Northern Ireland, HM Revenue and Customs and the Crown Prosecution Service, specialises in tapping mobile phone calls made by criminal suspects.

The stolen security-protected server contained the minutiae of phone calls it had screened, including the identity of the person who had made the call, as well as the exact time and location of the suspect when the call was made.

In a statement released to The Mail on Sunday, Forensic Telecommunications Services confirmed that the equipment had been stolen from its offices but denied that its disappearance would impact negatively on current police cases.

[snip]

Yeah. Right.

Link: http://news.independent.co.uk/uk/crime/article2856892.ece

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)

wj8DBQFGvnWXq1pz9mNUZTMRAsBXAKDwJLcx3xSPpNXDt1C60oE4gdZP1gCfXfTz
lyWssIXjJtBkikZKEapaYSI=
=ptQe
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a.
Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

From jericho at attrition.org Mon Aug 13 12:46:07 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 13 Aug 2007 12:46:07 +0000 (UTC)
Subject: [Dataloss] follow-up: The TJX Effect (fwd)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.informationweek.com/news/showArticle.jhtml?articleID=201400171

By Larry Greenemeier
InformationWeek
August 11, 2007

TJX will be glad when this year is over. The $17 billion-a-year parent company of T.J. Maxx, Marshall's, and several other discount retail chains has spent the past eight months dealing with the largest breach of customer data in U.S. history, the details of which are starting to come to light.

Last December, TJX says it alerted law enforcement that data thieves had made off with more than 45 million customer records. Since that time, at least one business, Wal-Mart, has lost millions of dollars as a result of the theft, while TJX has spent more than $20 million investigating the breach, notifying customers, and hiring lawyers to handle dozens of lawsuits from customers and financial institutions. Should TJX lose in the courts, it could be on the hook for millions more in damages.

But there's an even broader TJX Effect: The data breach, which actually took place over a period of years, has put the entire retail industry on the defensive and stirred up demands for all businesses that handle payment card information to do a better job of protecting it. Legislators are invoking TJX's name to fast-track data-security bills.

Few details of the TJX debacle have been made public by the company or investigators. As recently as June, TJX said in a regulatory filing that it didn't know "who took this action, whether there were one or more intruders involved, or whether there was one continuing intrusion or multiple, separate intrusions."
Still, important details can be gleaned from internal and external sources.

[...]

From lyger at attrition.org Mon Aug 13 19:48:31 2007
From: lyger at attrition.org (lyger)
Date: Mon, 13 Aug 2007 19:48:31 +0000 (UTC)
Subject: [Dataloss] CT: Pfizer Has Another Breach of Security
Message-ID:

http://www.theday.com/re.aspx?re=7b6d810e-f7ef-4243-a86c-bfdb9093f983

Pfizer Inc., criticized by security professionals after a data breach exposed 17,000 employees and former employees to possible identity theft earlier this year, has notified state Attorney General Richard Blumenthal of another incident, this time affecting 950 people.

"I am deeply disturbed and troubled by these continuing security problems with information that should be closely safeguarded," Blumenthal said today. "This kind of information should be treated as if it was cash because it has the same value as cash to someone who might misuse it."

In a letter dated July 20 but received just recently by Blumenthal's office, attorney Bernard Nash said a management consulting company named Axia Ltd. had notified Pfizer on June 14 of an incident in which two Pfizer laptops were stolen from a locked car.

The laptops, which disappeared May 31 in Boston, included the names and Social Security numbers of health-care professionals who "were providing or considering providing contract services for Pfizer," according to the letter.

[...]

From lyger at attrition.org Mon Aug 13 21:29:11 2007
From: lyger at attrition.org (lyger)
Date: Mon, 13 Aug 2007 21:29:11 +0000 (UTC)
Subject: [Dataloss] blog: Oops! SSNBreach.org exposes students' personal info in Google
Message-ID:

(More information and commentary regarding events surrounding the Louisiana Board of Regents data breach...)

http://www.pogowasright.org/blogs/dissent/?p=582

On July 18th, SSNBreach.org ("SSNB") was launched by Liberty Coalition and Aaron Titus.
The site's stated purpose was to assist and empower those whose personally identifiable information had been accessible via the web due to the Louisiana Board of Regents' ("LBR") failure to password-protect over 200 files containing confidential student and employee records. Less than three weeks after its launch, SSNB's own files on some of these students are being indexed by Google. Despite being notified of the problem on August 7, the problem isn't fixed, with more students' names and files appearing in Google every day.

The History of SSNBreach.org: "Finders, Keepers"

On or before June 18, Titus, a self-described "privacy advocate" and "privacy expert," discovered that the LBR files were accessible via search engines and cache. He did not inform LBR. Instead, he contacted the media. WDSU broke the story on July 17, after they had notified LBR.

While they left LBR in the dark about the exposure and the files accessible to cybercriminals, Titus and the Liberty Coalition were busy using the contents of those sensitive and confidential files to create their own database on everyone affected. When it was pointed out to them that they did not seek or secure permission to use information from files which "the reasonable man" would realize had been accidentally exposed and were intended to be confidential, Ostrolenk responded:

"You are correct that we do not ask permission to retrieve online information. In fact, I cannot recall a single instance when I have contacted the proprietor of a website to ask permission to view information placed in the public domain."

Of course, Titus and the Liberty Coalition did much more than just view the information that had been unintentionally exposed. They used it. An identity thief might make the same statement they did.

[...]
From hbrown at knology.net  Tue Aug 14 12:00:26 2007
From: hbrown at knology.net (Henry Brown)
Date: Tue, 14 Aug 2007 07:00:26 -0500
Subject: [Dataloss] Blog analysis of IBM's data breach from Feb 2007
Message-ID: <46C1995A.5010603@knology.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20070814/1ebae8fd/attachment.html

From lyger at attrition.org  Wed Aug 15 11:49:01 2007
From: lyger at attrition.org (lyger)
Date: Wed, 15 Aug 2007 11:49:01 +0000 (UTC)
Subject: [Dataloss] Idaho Army National Guard Info Stolen
Message-ID:

http://www.foxnews.com/wires/2007Aug15/0,4670,GuardInformationTheft,00.html

A small computer drive containing Social Security numbers and other personal information about every Army National Guard soldier in Idaho has been stolen, a National Guard spokeswoman said Tuesday.

The device containing information on roughly 3,400 soldiers was stolen Monday night out of a soldier's car while she was traveling on official duty, Lt. Col. Stephanie Dowling said.

Officials hope the person who stole the drive - along with other computer equipment and personal items - doesn't know what he has. Guard members were being notified by phone and mail.

[...]

From jericho at attrition.org  Wed Aug 15 13:12:43 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 15 Aug 2007 13:12:43 +0000 (UTC)
Subject: [Dataloss] follow-up: Hackers Break Into TJX's Bottom Line (fwd)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.forbes.com/markets/2007/08/14/tjx-retail-update-markets-equity-cx_jl_0814markets31.html

By Joshua Lipton
Forbes.com
08.14.07

TJX has learned the hard way that hackers can cause damage to both a company's sense of security and its balance sheet.

TJX, which operates discount stores like T.J. Maxx and Marshalls, told traders Tuesday morning that its profit was severely undercut as it absorbed a $118 million charge that resulted from a dramatic breach of customer data.
For the second-quarter ended July 28, the company said its net income fell 57.3%, from $59 million, or 13 cents per share, versus $138.2 million, or 29 cents per share, for the year-ago period.

The after-tax charge for the data breach totaled $118 million, or 25 cents per share. That charge includes $11 million, or 2 cents per share, for costs incurred during the quarter as well as $107 million, or 23 cents per share, for the company's exposure to potential losses. Excluding this charge, adjusted diluted earnings per share from continuing operations for the quarter were 38 cents versus 29 cents for the prior year, a 31% increase.

[..]

From lyger at attrition.org  Wed Aug 15 15:59:33 2007
From: lyger at attrition.org (lyger)
Date: Wed, 15 Aug 2007 15:59:33 +0000 (UTC)
Subject: [Dataloss] Patient information left open online at Oregon hospital
Message-ID:

http://www.oregonlive.com/newsflash/regional/index.ssf?/base/news-20/1187192116196040.xml&storylist=orlocal

Information such as Social Security numbers about patients at Sky Lakes Medical Center was available online for about a month when the hospital's security was down. But hospital officials say they found no unauthorized access after scanning thousands of records.

[.]

The hospital shut down the online bill payment system in late May, sent letters to about 30,000 patients and canceled its contract with Verus, he said.

[...]
From fergdawg at netzero.net  Thu Aug 16 02:35:54 2007
From: fergdawg at netzero.net (Paul Ferguson)
Date: Thu, 16 Aug 2007 02:35:54 GMT
Subject: [Dataloss] eWeek: Worst Data Breaches Ever
Message-ID: <20070815.193554.20107.11@webmail16.lax.untd.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think the folks at eWeek need some help:

http://www.eweek.com/slideshow/0,1206,a=213491,00.asp

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)

wj8DBQFGw7gHq1pz9mNUZTMRAnApAKChzGVBW4s1uDscHnXViE50zlnkSACeO59E
ZPuo+RfVcaYHaV6foyIejps=
=nZsw
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

From lyger at attrition.org  Thu Aug 16 13:14:31 2007
From: lyger at attrition.org (lyger)
Date: Thu, 16 Aug 2007 13:14:31 +0000 (UTC)
Subject: [Dataloss] JP: Computer containing personal data on over 50,000 people stolen from hospital
Message-ID:

http://mdn.mainichi-msn.co.jp/national/news/20070816p2a00m0na012000c.html

A laptop computer containing personal information and medical records of 51,156 people was stolen from Toshiba General Hospital, hospital officials announced Thursday.

Officials said the computer contained the names, dates of birth and test data of 51,156 people. They said that since a password was required to log on to the computer, it would be difficult for anyone else to view the personal information.

[...]

From lyger at attrition.org  Thu Aug 16 13:22:22 2007
From: lyger at attrition.org (lyger)
Date: Thu, 16 Aug 2007 13:22:22 +0000 (UTC)
Subject: [Dataloss] Personal data leaks 'worse in Australia than other regions'
Message-ID:

(Interesting article considering only three incidents out of 759 in the Data Loss Database - Open Source were reported from Australia...)
http://www.securecomputing.net.au/news/59136,personal-data-leaks-worse-in-australia-than-other-regions.aspx

Corporate data breaches - which can lead to identity theft - are occurring in Australia and without disclosure laws similar to those in the US those affected will never know they are at risk, claim Gartner analysts.

Speaking at the Gartner IT Security Summit in Sydney this week, Rich Mogull research VP at Gartner said he can guarantee data breaches in Australia are occurring and the situation could be worse than in other regions of the world - the only difference is - here it is hidden.

"I know breaches are occurring, banks don't tell me when they have breaches, the merchants don't tell me when they have breaches but I work with a lot of businesses here," said Mogull.

"Australia is not getting off easy, it's just hidden. To be honest this is a harsher environment - because of the proximity to some of the Asian economies where a lot of this happens," said Mogull.

[...]

From jericho at attrition.org  Thu Aug 16 13:30:21 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 16 Aug 2007 13:30:21 +0000 (UTC)
Subject: [Dataloss] Medical IT Contractor Folds After Breaches
Message-ID:

http://www.pogowasright.org/article.php?story=20070815192755969

Wednesday, August 15 2007 @ 07:27 PM CDT
Contributed by: PrivacyNews
News Section: Breaches

Blamed for privacy breaches at five different hospitals, Verus Inc. silently closes its doors:

http://www.darkreading.com/document.asp?doc_id=131712

Related - Verus Inc.
and patient privacy breaches:

http://www.pogowasright.org/blogs/dissent/?p=461

From MKEVHILL at aol.com  Thu Aug 16 13:32:00 2007
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Thu, 16 Aug 2007 09:32:00 EDT
Subject: [Dataloss] Boxes Full Of Personal Information Found In The Trash
Message-ID:

http://kotv.com/news/local/story/?id=133886

Private information, free for the taking is discovered in the trash. Bixby police say a company was willing to let anyone, including identity thieves, have access to thousands of social security numbers, bank records and more. Utica Title and Escrow went out of business and put about 200 boxes of personal papers in a storage unit. The storage company says they stopped paying their monthly rent, so the storage place had no choice but to get rid of everything. News On 6 crime reporter Lori Fullbright reports they had no idea the boxes contained a mother lode of private information, including social security numbers, bank accounts and pay stubs.

An anonymous tip led Bixby police to a stack of boxes in and a trash dumpster Tuesday night. Officers couldn't believe the gold mine of personal information they found. Authorities say an identity thief could've turned the information into millions.

"It was amazing. I didn't understand how big it was until I got to the scene and saw for myself, looked through the boxes and saw how much stuff was in there," said Bixby Police Chief James Kite.

The boxes belonged to Utica Title and Escrow and had been stored at a storage unit in Bixby. When Utica quit paying rent the storage company went through the legal process to be able to sell everything left behind, and whatever doesn't sell is trashed. No one wanted to buy boxes of paper so the boxes were thrown out.

[...]
Mike

**************************************
Get a sneak peek of the all-new AOL at http://discover.aol.com/memed/aolcom30tour

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20070816/951dea6d/attachment.html

From gmail at canadaballoons.com  Thu Aug 16 13:47:05 2007
From: gmail at canadaballoons.com (Arsen Shirokov)
Date: Thu, 16 Aug 2007 09:47:05 -0400
Subject: [Dataloss] Boxes Full Of Personal Information Found In The Trash
In-Reply-To:
References:
Message-ID: <6c1b5200708160647y1e9dd07bg48e4c2e4c557329@mail.gmail.com>

Interesting.

> ...When Utica quit paying rent the storage company went through the legal
> process to be able to sell everything left behind...

Does this mean somebody could have bought the boxes, thus coming into legal possession of the information? They wouldn't have been able to use the information for illegal purposes such as generating false identities, but there are so many other legal, privacy-violating things the purchaser could've done.

Arsen

On 8/16/07, MKEVHILL at aol.com wrote:
>
> http://kotv.com/news/local/story/?id=133886
>
> Private information, free for the taking is discovered in the trash. Bixby
> police say a company was willing to let anyone, including identity thieves,
> have access to thousands of social security numbers, bank records and more.
> Utica Title and Escrow went out of business and put about 200 boxes of
> personal papers in a storage unit. The storage company says they stopped
> paying their monthly rent, so the storage place had no choice but to get rid
> of everything. News On 6 crime reporter Lori Fullbright reports they had no
> idea the boxes contained a mother load of private information, including
> social security numbers, bank accounts and pay stubs.
>
> An anonymous tip led Bixby police to a stack of boxes in and a trash
> dumpster Tuesday night.
> Officers couldn't believe the gold mine of personal
> information they found. Authorities say an identity thief could've turned
> the information into millions.
>
> "It was amazing. I didn't understand how big it was until I got to the scene
> and saw for myself, looked through the boxes and saw how much stuff was in
> there," said Bixby Police Chief James Kite.
>
> The boxes belonged to Utica Title and Escrow and had been stored at a
> storage unit in Bixby. When Utica quit paying rent the storage company went
> through the legal process to be able to sell everything left behind, and
> whatever doesn't sell is trashed. No one wanted to buy boxes of paper so the
> boxes were thrown out.
>
> [...]
>
> Mike
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>

From MKEVHILL at aol.com  Thu Aug 16 14:06:22 2007
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Thu, 16 Aug 2007 10:06:22 EDT
Subject: [Dataloss] Boxes Full Of Personal Information Found In The Trash
Message-ID:

Why go thru the legal process if all you are going to do is throw it all in the dumpster which is what this storage company did?

Mike

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20070816/e16ec9d6/attachment.html

From lists at merchant911.org  Thu Aug 16 14:15:51 2007
From: lists at merchant911.org (Tom Mahoney)
Date: Thu, 16 Aug 2007 10:15:51 -0400
Subject: [Dataloss] Boxes Full Of Personal Information Found In The Trash
In-Reply-To:
References:
Message-ID:

The legal process was needed to make it their property.

At 10:06 AM -0400 8/16/07, MKEVHILL at aol.com typed out:
>Why go thru the legal process if all you are going to do is throw it
>all in the dumpster which is what this storage company did?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20070816/0546235d/attachment.html

From cwalsh at cwalsh.org  Thu Aug 16 17:00:19 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 16 Aug 2007 12:00:19 -0500
Subject: [Dataloss] Personal data leaks 'worse in Australia than other regions'
In-Reply-To:
References:
Message-ID: <20070816170005.GA21883@cwalsh.org>

This just in -- Rich Mogull has X-Ray vision! :^)

The headline is misleading. He didn't say it *is* worse, he said that he knows it exists and that it *could* be worse.

As many of us have been saying for years, the hidden part of the iceberg is the part we need to learn more about.

Chris

On Thu, Aug 16, 2007 at 01:22:22PM +0000, lyger wrote:
>
> (Interesting article considering only three incidents out of 759 in the
> Data Loss Database - Open Source were reported from Australia...)
>
> http://www.securecomputing.net.au/news/59136,personal-data-leaks-worse-in-australia-than-other-regions.aspx
>
> Corporate data breaches - which can lead to identity theft - are occurring
> in Australia and without disclosure laws similar to those in the US those
> affected will never know they are at risk, claim Gartner analysts.
>
> Speaking at the Gartner IT Security Summit in Sydney this week, Rich
> Mogull research VP at Gartner said he can guarantee data breaches in
> Australia are occurring and the situation could be worse than in other
> regions of the world -the only difference is - here it is hidden.
>
> "I know breaches are occurring, banks don't tell me when they have
> breaches, the merchants don't tell me when they have breaches but I work
> with a lot of businesses here," said Mogull.
>
> "Australia is not getting off easy, it's just hidden. To be honest this is
> a harsher environment - because of the proximity to some of the Asian
> economies where a lot of this happens," said Mogull.
>
> [...]

From lyger at attrition.org  Sun Aug 19 18:37:46 2007
From: lyger at attrition.org (lyger)
Date: Sun, 19 Aug 2007 18:37:46 +0000 (UTC)
Subject: [Dataloss] (update) Police recover Idaho National Guard data, arrest suspect
Message-ID:

http://www.idahopress.com/news/?id=172

Boise Police have made an arrest in a string of car burglaries and recovered a thumb drive containing personal information about thousands of Idaho National Guard members stolen from one of the vehicles.

Authorities said that at about 3 a.m. today, a citizen called dispatchers to report a suspicious subject near 8th and Brumback streets. Patrol officers responded to the area and used a K-9 unit to locate a juvenile suspect hiding in the bushes.

[.]

The recovered property detectives found included a laptop computer and the thumb drive taken from National Guard personnel.

[...]
From lyger at attrition.org  Mon Aug 20 13:16:00 2007
From: lyger at attrition.org (lyger)
Date: Mon, 20 Aug 2007 13:16:00 +0000 (UTC)
Subject: [Dataloss] OH: UT Investigates Theft of Personal Data
Message-ID:

http://www.wtol.com/Global/story.asp?S=6951942

It's back-to-school time at the University of Toledo, but many students and faculty are concerned about a possible security breach.

The university's Compliant and Privacy Officer sent an e-mail to students on Friday, saying a laptop computer had been stolen from an office in the Student Recreation Center that contained some student and employee names and Social Security numbers.

"Although there is no indication this information was targeted in the theft, [and] we believe the risk is minimal, we are treating this matter very seriously. The UT Police are currently investigating," said the e-mail from Lynn Hutt, UT's Compliance/Privacy Officer. "We apologize to all those affected by this incident, and we are taking measures to minimize the possibility of future incidents."

[...]

From lyger at attrition.org  Tue Aug 21 11:53:09 2007
From: lyger at attrition.org (lyger)
Date: Tue, 21 Aug 2007 11:53:09 +0000 (UTC)
Subject: [Dataloss] MD: Army Documents With Personal Data Found in Trash Bin
Message-ID:

http://www.wjla.com/news/stories/0807/449095.html

Police say boxes of documents containing personal information from the Walter Reed Army Institute of Research were supposed to be shredded but instead turned up last week in an off-base trash bin.

A resident of a suburban Washington neighborhood near the Army medical research's campus found "numerous boxes" in the trash receptacle on Friday and alerted Montgomery County police. Officers eventually returned the boxes to the research center.

A spokeswoman for the U.S. Army Medical Command says the files were research study records.

[...]
From jericho at attrition.org  Tue Aug 21 15:16:16 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 21 Aug 2007 15:16:16 +0000 (UTC)
Subject: [Dataloss] follow-up: Suspect named in TJX credit card probe
Message-ID:

http://www.boston.com/business/personalfinance/articles/2007/08/21/suspect_named_in_tjx_credit_card_probe/

Suspect named in TJX credit card probe
Ukrainian's arrest seen as break in record fraud case

By Ross Kerber, Globe Staff | August 21, 2007

Authorities have zeroed in on a Ukrainian man they suspect played a key role in the sale of many credit card numbers stolen from TJX Cos. in what is considered the biggest corporate data breach to date.

Officials hope the recent arrest of Maksym Yastremskiy will be a breakthrough in the investigation of who hacked into systems at TJX and other companies, said Greg Crabb, a program manager in the global investigations division of the US Postal Inspection Service. The service is among various law enforcement agencies trying to track down hackers who made off with more than 45 million credit and debit card numbers from TJX starting in 2005.

Crabb said Yastremskiy allegedly sold card numbers through online forums hosted overseas, sometimes in Cyrillic or that were password protected. He is likely the largest seller of stolen TJX numbers, Crabb said. Prices ranged from $20 to $100 per stolen card, and the cards were sold in batches of up to 10,000, depending on factors like the credit limits of the consumer accounts being traded.

Crabb said Yastremskiy is associated with at least one other Ukrainian man previously charged with similar crimes, though unrelated to the TJX case.

[..]
From lyger at attrition.org  Tue Aug 21 17:12:38 2007
From: lyger at attrition.org (lyger)
Date: Tue, 21 Aug 2007 17:12:38 +0000 (UTC)
Subject: [Dataloss] WV: State Hairstylists Fall Victims to ID Theft
Message-ID:

http://www.statejournal.com/story.cfm?func=viewstory&storyid=27876

Every barber and cosmetologist licensed in the state of West Virginia since 1986 could now potentially be a victim of identity theft.

Last Friday, Charleston police say someone broke into the second floor office of the Board of Barbers and Cosmetologists and stole a safe. The director of the agency says the safe contains the personal information of thousands of hair dressers.

[...]

From dopacki at adotout.com  Tue Aug 21 17:56:57 2007
From: dopacki at adotout.com (Dennis Opacki)
Date: Tue, 21 Aug 2007 10:56:57 -0700
Subject: [Dataloss] Exposing personal data to meth-heads
Message-ID: <1F6DD8EE-E90B-4C4E-B92F-62E03A89DBC8@adotout.com>

I had a humbling experience this weekend that got me thinking about data security; I purchased a box of Sudafed at a Seattle pharmacy. Of course, given its connection to methamphetamine abuse, this "dangerous drug" is no longer available to casual shoppers. Instead, I selected from the pharmacy shelf a card that resembled the box I wanted to purchase. I presented this card to the pharmacist. She asked to see my state driver's license and reached for a thick logbook sitting on the counter.

The logbook contained roughly 100 pages of identical tables. Each page had close to 20 rows. The pharmacist proceeded to copy my name, address, driver's license number and license expiration date into a fresh row on the partially populated page. She then asked me to sign to record. Examining the log, I found a cautionary message detailing the penalties I could expect upon entering false data, but not a word about how my data would be handled and protected, or to whom they will be disclosed.
What struck me as particularly dangerous about this process is recent media attention of a correlation between methamphetamine abuse and identity theft[1]. Here is a logbook full of juicy personal data, and the authorities insist that people, whom they suspect are drug abusers, view a dozen or so identity records when purchasing the raw materials for their next batch. How hard would it be for an individual to memorize the record above, or simply run out the door with the entire logbook? Whom does this process serve?

-Dennis

[1] http://www.msnbc.msn.com/id/4460349/

From lyger at attrition.org  Wed Aug 22 11:42:34 2007
From: lyger at attrition.org (lyger)
Date: Wed, 22 Aug 2007 11:42:34 +0000 (UTC)
Subject: [Dataloss] CA: Apology sent over CalPERS privacy error
Message-ID:

http://www.sacbee.com/111/story/338031.html

State pension fund officials apologized Tuesday to hundreds of thousands of retirees whose Social Security numbers were printed on brochures mailed out last week and vowed to take immediate steps to ensure that such an error does not happen again.

Roughly 445,000 retirees across the state received the brochures announcing an upcoming election to fill a rare vacancy on the board of the California Public Employees' Retirement System. All or a portion of each person's Social Security number appeared -- without hyphens -- on the address panel.

"While it is unlikely that someone would recognize the series of numbers as being a Social Security number except you, we consider this a serious incident," read a letter to state retirees explaining the breach.

[...]
From lyger at attrition.org  Thu Aug 23 12:48:53 2007
From: lyger at attrition.org (lyger)
Date: Thu, 23 Aug 2007 12:48:53 +0000 (UTC)
Subject: [Dataloss] Laptop with NYC retirees finance data stolen
Message-ID:

http://www.newsday.com/business/am-retiree0823,0,6813539,print.story

A laptop loaded with financial information on as many as 280,000 city retirees was stolen from a consultant who took the computer to a restaurant, city officials said.

The private consultant to the city Financial Information Services Agency had access to personal data about members of various city pension systems, mayoral spokesman Jason Post said Wednesday. The consultant told authorities Monday the portable computer had been stolen.

Post said the city would notify any retirees whose data might be compromised.

[...]

From lyger at attrition.org  Thu Aug 23 15:32:06 2007
From: lyger at attrition.org (lyger)
Date: Thu, 23 Aug 2007 15:32:06 +0000 (UTC)
Subject: [Dataloss] CT: Loomis Chaffee grads warned about potential identity theft
Message-ID:

http://www.journalinquirer.com/site/news.cfm?newsid=18740383&BRD=985&PAG=461&dept_id=569436&rfi=6

A burglary earlier this month at the Loomis Chaffee School has potentially left the personal information, including Social Security numbers, of several hundred past students vulnerable, officials say.

The theft occurred on Aug. 2 in the school's Information Technology Department, with someone removing "thousands of dollars worth" of computer equipment, said Capt. Thomas LePore of the Windsor Police Department. No other rooms in the school were broken into, LePore said.

Loomis Chaffee is a private school for grades 9 through 12 at 4 Bachelder Road.

When reached at the school this week Headmaster Russel H. Weigel said that due to the ongoing police investigation into the burglary he could not comment on what equipment was taken or what type of information may have been compromised.

[...]
From jericho at attrition.org  Thu Aug 23 15:46:00 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 23 Aug 2007 15:46:00 +0000 (UTC)
Subject: [Dataloss] follow-up (TJX): Ukrainian jet setter in world's largest cyber heist?
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.theregister.co.uk/2007/08/22/possible_break_in_tjx_investigation/

By Dan Goodin in San Francisco
22nd August 2007

US authorities have taken a keen interest in a recently-arrested Ukrainian man after discovering he had ties to the criminal hackers behind the colossal data breach at US retail giant TJX. Responsible for more than 45.6m stolen accounts, the infiltration has understandably landed on the top of investigators' to-do list.

Their new-found interest is in Maksym Yastremskiy, who was arrested several weeks ago for selling stolen credit card numbers in online forums. It turns out a "significant number" of them belonged to customers whose credentials were siphoned out of TJX's rather porous network.

"It's a significant point in the investigation," said Doug Bem, a public information officer for the US Postal Inspection Service, one of a handful of federal agencies probing the TJX breach. "We don't have any information that suggests this person was the one who committed the attack on TJX, but at some point he did come into possession of the (stolen TJX) card accounts."

Bem wouldn't say how many of the stolen credit card numbers in Yastremskiy's possession belonged to TJX customers, but he said there were "a significant number of accounts that could be traced back to the TJX database."

[..]
From jericho at attrition.org  Fri Aug 24 01:27:02 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 24 Aug 2007 01:27:02 +0000 (UTC)
Subject: [Dataloss] follow-up: Federal Court Slaps Data Theft Victims
Message-ID:

---------- Forwarded message ----------
From: Paul Ferguson

[snip]

Tens of thousands of Old National Bancorp customers whose personal and financial information was hijacked by a computer hacker cannot recover damages from the Indiana banking institution who lost the data in 2005, a federal appeals court ruled Thursday.

In dismissing a proposed class action against Old National Bancorp, the 7th U.S. Circuit Court of Appeals said damages were unavailable to victims of data theft if those victims did not suffer economically.

[snip]

More: http://blog.wired.com/27bstroke6/2007/08/federal-court-s.html

From dano at well.com  Fri Aug 24 14:56:24 2007
From: dano at well.com (dano)
Date: Fri, 24 Aug 2007 07:56:24 -0700
Subject: [Dataloss] world: Monster.com job-seeker database infiltrated, personal data taken
Message-ID:

Note that no numbers are given here. Early reports on business news speculate "millions could be affected".

Security Notice

Monster is continuing to actively investigate and take measures to address the impact of malicious software, called Infostealer.Monstres, on our resume database. We are currently analyzing the number of job seekers who may have been affected by this software, and will be contacting them as appropriate. Fortunately, we have been able to identify and shut down the source of the software.

By gaining unauthorized access to employer accounts, the software was obtaining job seeker contact information. The information obtained was limited to the names, addresses, phone numbers and email addresses of job seekers primarily located in the United States.
The purpose of gathering this information appears to be sending email disguised as Monster in order to gain recipients' trust, and then attempting to convince users to engage in financial transactions, or lure them into downloading malicious software.

Protecting our users from fraudulent activity is one of Monster's top priorities. Regrettably, opportunistic criminals are increasingly using the Internet for illegitimate purposes. This problem spans the Web, particularly websites that receive heavy traffic and serve a variety of users across the globe. Monster understands the importance of protecting your personal information, and values the trust that you place in us. We are committed to utilizing all of our available resources to remedy this situation and protect your account information. We will continue to share information and updates on this situation as available.

If you think you have received an email that may be fraudulent, please contact us immediately. If you have clicked on a link in this email, we highly recommend that you run an anti-virus application to remove anything that may have been installed on your computer, and contact a Monster Representative to have your Monster account password changed. If you receive any email that asks you to download a tool or update your account or access agreement, contact us to verify its legitimacy first.

For further information on avoiding email fraud and keeping your Internet experience secure, please see below.
From jericho at attrition.org  Fri Aug 24 15:30:55 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 24 Aug 2007 15:30:55 +0000 (UTC)
Subject: [Dataloss] 'Off-Network Data' Is Major Security Threat For Companies
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.informationweek.com/news/showArticle.jhtml?articleID=201801989

By Sharon Gaudin
InformationWeek
August 23, 2007 01:38 PM

A new study shows that 73% of companies have had a data loss in the past two years, but they've made only limited efforts to shore up their defenses and protect their data.

The study [1], which is being presented today at Harvard University's Privacy Symposium, reported that the majority of companies put their data at risk when devices like laptops and portable storage devices leave company walls.

"Protecting data that is stored on devices outside the confines and control of the corporate network is a problem for which many companies simply do not have a solution," said Larry Ponemon, founder and chairman of the Ponemon Institute, in a statement. "Our research shows that, while most companies recognize the risk off-network data poses, few seem to have a grasp on how to manage the many challenges off-network data present to maintaining a strong data security program, and many do not even have a policy to address the situation."

According to Ponemon, the study showed that 62% of those surveyed said they are unsure if their off-network equipment contains unprotected sensitive or confidential information, while 39% do not view managing this equipment as a critical security step.

With recent security breaches at the likes of Boeing, the Veteran's Administration and the FBI making headlines, Ponemon reported that 70% of data breaches result from the loss of equipment that leaves the confines of the corporate environment and either heads out on the road with mobile workers or home with teleworkers.
And it's possible that the numbers are worse than reported since 30% said they would never detect the loss or theft of confidential data from off-network equipment.

[1] http://www.redemtech.com/ponemon-study.aspx

From hbrown at knology.net Sat Aug 25 18:23:13 2007
From: hbrown at knology.net (Henry Brown)
Date: Sat, 25 Aug 2007 13:23:13 -0500
Subject: [Dataloss] Oklahoma Law Enforcement Breach
Message-ID: <46D07391.6080807@knology.net>

Breach puts information in peril
http://newsok.com/article/3110406/1187986334

Someone hacked into computers at three Oklahoma law enforcement agencies and may have stolen private information meant only for police use, the state Department of Public Safety announced Friday.

Details of the extent of the security compromise remained sketchy Friday, but officials said only the Elk City and Eufaula police departments and the Kiowa County Sheriff Department were affected.

The Department of Public Safety is urging anyone who has had contact with those agencies to check for any suspicious charges on credit cards or to obtain a credit report as soon as possible. Even people pulled over for a traffic stop but not given a ticket could be at risk.

"Because this is an ongoing investigation, we are not able to release a lot of information," said Capt. Chris West, spokesman for the Oklahoma Highway Patrol.

...

From hbrown at knology.net Sun Aug 26 10:11:30 2007
From: hbrown at knology.net (Henry Brown)
Date: Sun, 26 Aug 2007 05:11:30 -0500
Subject: [Dataloss] Veterans information stolen
Message-ID: <46D151D2.7010408@knology.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20070826/773cac0e/attachment.html

From lyger at attrition.org Mon Aug 27 22:20:43 2007
From: lyger at attrition.org (lyger)
Date: Mon, 27 Aug 2007 22:20:43 +0000 (UTC)
Subject: [Dataloss] IL: UI students' information accidentally sent with e-mail
Message-ID:

(addresses and grades seem fairly fringe, but still of interest)

http://www.news-gazette.com/news/local/2007/08/27/students_information_accidentally_sent

An e-mail sent Friday to about 700 University of Illinois engineering students contained a spreadsheet listing personal information, including addresses and grade point averages, of thousands of students.

The spreadsheet attached to the mass mail did not contain Social Security numbers or the students' university identification numbers.

"It was a mistake, an accident. It was completely unintentional," said UI spokeswoman Robin Kaler.

A College of Engineering staff person sent a mass e-mail at 7:51 a.m. on Friday to all electrical and computer engineering students. The note was to inform the 714 students about a new class on Lego robotics.

[...]

From jericho at attrition.org Tue Aug 28 16:06:57 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 28 Aug 2007 16:06:57 +0000 (UTC)
Subject: [Dataloss] Harvard Business Review - Data Breach Case Study.
Message-ID:

http://tinyurl.com/2q87md

HBR Case Study
Boss, I Think Someone Stole Our Customer Data

Flayton Electronics learns that the security of its customer data has been compromised and faces tough decisions about what to do next.

by Eric McNulty

Brett Flayton, CEO of Flayton Electronics, stared intently at a troubling memo on his desk from the firm's head of security. Running his hands through his full head of barely graying hair, he looked not unlike his father did when he established the first Flayton Cameras and Stereos 25 years ago.

The security situation had come to Brett's attention just before nine o'clock the previous evening.
On his way home from a vendor meeting, he had been settling into an armchair in the airline lounge. He had barely opened Electronics News when his mobile phone rang. It was Laurie Benson, vice president for loss prevention.

"Brett, we have a problem. There might be a data breach."

Laurie, a tough but polished former Chicago police detective, had been responsible for security at Flayton's for almost three years. She had an impressive record of reducing store thefts while building productive relationships with local schools, community groups, and law enforcement.

[..]

Sergei stiffened. "We meet about 75% or so of the PCI requirements. That's better than average for retailers of our size." The response was defensive but honest.

"How have we been able to get away with that?" Brett growled. He knew that PCI compliance, which was mandated by all the major credit card companies, required regular scans by an outside auditor to ensure that a company's systems were working, with stiff penalties for failure.

"They don't scan us every day," Sergei demurred. "Compliance really is up to us, to me, in the end."

[..]

From lyger at attrition.org Tue Aug 28 19:06:11 2007
From: lyger at attrition.org (lyger)
Date: Tue, 28 Aug 2007 19:06:11 +0000 (UTC)
Subject: [Dataloss] CT: Computer stolen with state tax data for 106,000 residents
Message-ID:

http://www.wtnh.com/Global/story.asp?S=6994392&nav=3YeX

State officials say a computer laptop with the names and Social Security numbers of more than 100,000 Connecticut taxpayers has been stolen.

The state Department of Revenue Services says it will begin notifying affected taxpayers about the theft.

Officials say the computer is password-protected and access is unlikely by anyone without specialized knowledge.

[...]
From jericho at attrition.org Wed Aug 29 08:35:06 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 29 Aug 2007 08:35:06 +0000 (UTC)
Subject: [Dataloss] Security breach hits online brokerage
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.theglobeandmail.com/servlet/story/LAC.20070828.RTRADEFREEDOM28/TPStory/Business

By Roma Luciw
August 28, 2007

Online broker TradeFreedom Securities Inc. has quietly notified an unidentified number of its customers that a computer security breach has compromised some of their personal information, potentially exposing them to fraud.

In what it described as a follow-up to an Aug. 17 notice to clients, it said in a Friday e-mail that it had finished its investigation into the "recent unauthorized intrusion" of one of its computer systems.

"We have subsequently determined that, despite our security systems in place at the time, this unauthorized intrusion has also resulted in the compromise of some of your personal information," TradeFreedom said. "This information is your name, social insurance number, city, province and postal code."

Citing a continuing police investigation by the Sûreté du Québec, TradeFreedom president Bruce Seago said he could not release any details about the nature or timing of the computer security breach.

[..]

From lyger at attrition.org Thu Aug 30 11:38:47 2007
From: lyger at attrition.org (lyger)
Date: Thu, 30 Aug 2007 11:38:47 +0000 (UTC)
Subject: [Dataloss] (follow-up) Data Breach Suit Against Ohio U. Tossed
Message-ID:

http://www.whec.com/article/stories/S113838.shtml?cat=10054

(AP) COLUMBUS, Ohio - A judge dismissed a lawsuit by two Ohio University graduates whose Social Security numbers were among thousands exposed in a series of security breaches involving school computers, the university said.
Donald Jay Kulpa of Cincinnati and Kenneth Neben of North Bergen, N.J., argued their right to privacy had been violated after the security breaches were discovered last year. The lawsuit asked a judge to order the school to pay for credit monitoring services for the people whose personal information may have been compromised.

Judge J. Craig Wright of the Ohio Court of Claims granted a motion by the university Wednesday to dismiss the case, saying the plaintiffs failed to prove they suffered damages for which they could be compensated, the school said.

[...]

From hbrown at knology.net Thu Aug 30 13:32:32 2007
From: hbrown at knology.net (Henry Brown)
Date: Thu, 30 Aug 2007 08:32:32 -0500
Subject: [Dataloss] Data breach at Monster.com
Message-ID: <46D6C6F0.8020002@knology.net>

ALSO includes data from the USAJOBS.gov

http://www.federaltimes.com/index.php?S=3001571

Hackers steal info on USAJOBS.gov subscribers
By STEPHEN LOSEY
August 29, 2007

Hackers have stolen the names, e-mail addresses and telephone numbers of about 146,000 subscribers to USAJOBS.gov, the Office of Personnel Management said Aug. 29.

The hackers accessed the information from the resume database run by Monster.com, which provides the technology for USAJOBS.gov, OPM said. Monster Worldwide told OPM that no Social Security numbers were compromised.

OPM said that because of the breach, job seekers could find themselves targeted by so-called "phishing" e-mails, possibly disguised as Monster.com or USAJOBS.gov messages. Phishing e-mails try to trick people into revealing sensitive information such as passwords or downloading malicious software.

Monster has identified and shut down the server that was accessing and collecting the information, OPM said.
From lyger at attrition.org Thu Aug 30 15:00:45 2007
From: lyger at attrition.org (lyger)
Date: Thu, 30 Aug 2007 15:00:45 +0000 (UTC)
Subject: [Dataloss] Maryland reports theft of laptop containing personal information
Message-ID:

http://www.hometownannapolis.com/cgi-bin/read/2007/08_30-07/TOP

Maryland officials say a laptop computer containing personal information on people with state licenses has been stolen.

The Maryland Department of the Environment says the laptop was stolen from a vehicle. It contains four databases that include personal information related to licenses issued by four state boards.

[...]

From lyger at attrition.org Fri Aug 31 00:25:49 2007
From: lyger at attrition.org (lyger)
Date: Fri, 31 Aug 2007 00:25:49 +0000 (UTC)
Subject: [Dataloss] AT&T laptop theft exposes employee data
Message-ID:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=networking_and_internet&articleId=9033813&taxonomyId=16

AT&T and Maryland's Department of the Environment have become the latest organizations to find out first hand why security analysts for some time now have advocated the use of encryption to protect sensitive data on laptops and other mobile devices.

A laptop containing unencrypted personal data on current and former employees of the AT&T Corp. was stolen recently from the car of an employee of a professional services firm doing work for the company. That theft prompted the company to notify an unspecified number of individuals about the potential compromise of their Social Security numbers, names and other personal details.

A spokesman for AT&T today confirmed the July 27 incident and said it affected only employees of the former AT&T Corp. acquired by SBC Communications Inc. in 2005. No data involving employees of SBC, Bell South or Cingular was affected, the spokesman said.

[...]
From hbrown at knology.net Fri Aug 31 21:11:44 2007
From: hbrown at knology.net (Henry Brown)
Date: Fri, 31 Aug 2007 16:11:44 -0500
Subject: [Dataloss] California Data Breach Bill
Message-ID: <46D88410.6070208@knology.net>

http://tinyurl.com/ysl3eb

Calif. bill holding retailers responsible for breach costs advances

August 31, 2007 (Computerworld) -- Retailers hoping to convince California lawmakers not to pass a proposed bill that would require them to pay banks and credit unions for the costs associated with a data breach lost another important round Thursday.

The state's Senate Appropriations Committee approved the landmark Consumer Data Protection Act or AB 779, by a 13-2 vote late Thursday. The measure, authored by Assemblyman Dave Jones, (D-Sacramento), won overwhelming approval (58-2) in the State Assembly in early June.

The bill is now expected to go before the full Senate in as little as a week. If approved, it would then go to Gov. Arnold Schwarzenegger for his approval.

If signed into law, analysts expect the measure could have a ripple effect in other states, in much the same way an earlier California measure affected data breach notification laws.

...