[Dataloss] blog: Oops! SSNBreach.org exposes students' personal info in Google
lyger
lyger at attrition.org
Mon Aug 13 21:29:11 UTC 2007
(More information and commentaryregarding events surrounding the Louisiana
Board of Regents data breach...)
http://www.pogowasright.org/blogs/dissent/?p=582
On July 18th, SSNBreach.org ("SSNB") was launched by Liberty Coalition and
Aaron Titus. The site's stated purpose was to assist and empower those
whose personally identifiable information had been accessible via the web
due to the Louisiana Board of Regents. ("LBR") failure to password-protect
over 200 files containing confidential student and employee records.
Less than three weeks after its launch, SSNB's own files on some of these
students are being indexed by Google. Despite being notified of the
problem on August 7, the problem isn't fixed, with more students. names
and files appearing in Google every day.
The History of SSNBreach.org: "Finders, Keepers"
On or before June 18, Titus, a self-described "privacy advocate" and
"privacy expert," discovered that the LBR files were accessible via search
engines and cache. He did not inform LBR. Instead, he contacted the media.
WDSU broke the story on July 17, after they had notified LBR.
While they left LBR in the dark about the exposure and the files
accessible to cybercriminals, Titus and the Liberty Coalition were busy
using the contents of those sensitive and confidential files to create
their own database on everyone affected. When it was pointed out to them
that they did not seek or secure permission to use information from files
which "the reasonable man" would realize had been accidentally exposed and
were intended to be confidential, Ostrolenk responded:
"You are correct that we do not ask permission to retrieve online
information. In fact, I cannot recall a single instance when I have
contacted the proprietor of a website to ask permission to view
information placed in the public domain."
Of course, Titus and the Liberty Coalition did much more than just view
the information that had been unintentionally exposed. They used it. An
identity thief might make the same statement they did.
[...]
More information about the Dataloss
mailing list