From lyger at attrition.org Sat Dec 1 00:42:38 2007
From: lyger at attrition.org (lyger)
Date: Sat, 1 Dec 2007 00:42:38 +0000 (UTC)
Subject: [Dataloss] (update) OH: Community Blood Center affected by laptop theft
Message-ID:

(note: I love pre-dated news stories...)

http://www.springfieldnewssun.com/hp/content/oh/story/news/local/2007/11/30/sns120107laptop.html

By Kelly Baker
Staff Writer
Saturday, December 01, 2007

Community Blood Center is the latest business to be notified that employees' information was stored on a laptop stolen in October from a Kettering auditing firm.

Battelle & Battelle LLC was conducting an audit of the blood center's 401K plan when a laptop was stolen from a Battelle employee's vehicle, said Blood Center spokeswoman Sher Patrick. Up to 600 employees appeared to be affected.

"The message we want to get out is that this does not affect our blood donors in any way," Patrick said. Only employees and their 401K information was on the laptop stolen in Oakwood.

[...]

From lyger at attrition.org Sat Dec 1 00:58:01 2007
From: lyger at attrition.org (lyger)
Date: Sat, 1 Dec 2007 00:58:01 +0000 (UTC)
Subject: [Dataloss] Data theft touches 150,000 Massachusetts seniors
Message-ID:

http://www.infoworld.com/article/07/11/30/Data-theft-touches-Massachusetts-seniors_1.html?source=rss&url=http://www.infoworld.com/article/07/11/30/Data-theft-touches-Massachusetts-seniors_1.html

The state of Massachusetts is warning 150,000 members of its Prescription Advantage insurance program that their personal information may have been snatched by an identity thief.

Local authorities arrested a lone identity thief in August who had been using information taken from the program in an attempted identity theft scheme, said Alison Goodwin, a spokeswoman for the state's Executive Office of Health and Human Services.

Goodwin could not add many details on the nature of the breach, citing an ongoing criminal investigation, but she said Prescription Advantage is conducting an internal review of the incident to determine if additional security measures might be required.

[...]

From lyger at attrition.org Tue Dec 4 13:29:39 2007
From: lyger at attrition.org (lyger)
Date: Tue, 4 Dec 2007 13:29:39 +0000 (UTC)
Subject: [Dataloss] Security flaw on Passport Canada's website exposes applicants' personal information
Message-ID:

http://680news.com/news/local/article.jsp?content=20071204_080504_1760

A security flaw at Passport Canada's website has allowed an Ontario man access to the personal information of other people applying for new passports.

The Globe and Mail reported the breach was discovered last week while Jamie Laning was completing his own passport application. He found he could view the applications of others by altering one character in the Internet address displayed by the Web browser.

The information he viewed included social insurance numbers, driver's licence numbers and addresses.

[...]

From hbrown at knology.net Tue Dec 4 15:33:16 2007
From: hbrown at knology.net (Henry Brown)
Date: Tue, 04 Dec 2007 09:33:16 -0600
Subject: [Dataloss] Thousands of Indianapolis Power & Light customers exposed
Message-ID: <4755733C.2050505@knology.net>

http://www.theindychannel.com/news/14768281/detail.html

Security Lapse Affects Thousands Of Electric Customers

The private information of thousands of Indianapolis Power and Light customers was inadvertently posted online for up to four years, officials said Monday.

The information affects 3,000 residential IPL customers from 2003 until November 2007. IPL said the data included names, addresses and Social Security numbers that somehow ended up on an accessible server on the Internet.

(...)

From jericho at attrition.org Tue Dec 4 20:23:27 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 4 Dec 2007 20:23:27 +0000 (UTC)
Subject: [Dataloss] IT pro admits to stealing 8.4M consumer records
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.channelregister.co.uk/2007/12/04/admin_steals_consumer_records/

By Dan Goodin in San Francisco
4 Dec 2007

A senior database administrator for a consumer reporting agency in Florida has admitted stealing more than 8.4 million account records and selling them to a data broker. He netted $580,000 over five years from the scheme.

William Gary Sullivan, a DBA for Fidelity National Information Services, faces up to 10 years in federal prison and $500,000 in fines, although prosecutors agreed to recommend a more lenient sentence in exchange for his guilty pleas. He's also required to surrender all remaining proceeds and pay restitution to his victims.

Working for a subsidiary called Certegy Check Services, Sullivan used his access to Fidelity's database on to pilfer records that included individuals' names, addresses and financial account information, according to court documents. To cover his tracks, he incorporated a business called S&S Computer Services, which sold the data to an unindicted co-conspirator. The unidentified cohort, according to authorities, then resold the consumer information to direct marketers, including one called Strategia Marketing, which also went by the name Suntasia.

[..]

From lyger at attrition.org Wed Dec 5 00:15:44 2007
From: lyger at attrition.org (lyger)
Date: Wed, 5 Dec 2007 00:15:44 +0000 (UTC)
Subject: [Dataloss] NC: Duke: Social Security Numbers May Have Been Accessed
Message-ID:

http://www.nbc17.com/midatlantic/ncn/news.apx.-content-articles-NCN-2007-12-04-0031.html

Duke University officials say the Social Security numbers of about 1,400 prospective law school applicants may have been compromised when a school Web site was accessed illegally.

School officials say they don't know if the hackers gained access to the numbers but said they are contacting those affected as a precaution.

The site stored data from prospective applicants who requested information from the school's admissions office.

[...]

From lyger at attrition.org Wed Dec 5 21:14:24 2007
From: lyger at attrition.org (lyger)
Date: Wed, 5 Dec 2007 21:14:24 +0000 (UTC)
Subject: [Dataloss] MN: Memorial Blood Centers Notifying Donors of Possible Data Loss
Message-ID:

http://www.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20071205005914&newsLang=en

Memorial Blood Centers reported today that it has begun notifying blood donors of the theft of a laptop computer holding donor information. About 268,000 donor records on this laptop computer contain a donor name in combination with the donor's social security number.

The laptop computer was stolen on November 28, 2007 in downtown Minneapolis during early morning preparations for a blood drive. The theft was captured on building security cameras. The Minneapolis Police Department was notified and Memorial Blood Centers is working with law enforcement authorities to recover the laptop computer.

Access to the donor information on the laptop is protected by multiple levels of passwords and requires the use of other technologies to prevent unauthorized use. The donor records do not contain medical information.

[...]

From mhill at idtexperts.com Wed Dec 5 22:22:25 2007
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Wed, 5 Dec 2007 17:22:25 -0500
Subject: [Dataloss] TX: Doctors Left Behind Medical Files and Waste
Message-ID: <003201c8378d$50810bd0$6501a8c0@mkevhill>

http://www.newschannel5.tv/2007/12/4/983388/Doctors-Left-Behind-Medical-Files-and-Waste

Texas Medical Board may launch investigation

MCALLEN - A realtor says a pair of doctors left an office filled with medical files and waste.

"I don't know where to go," says realtor Vicki Chrysler. "There's biohazards. There's blood. There's needles everywhere."

Chrysler is the builder owner's realtor agent. She tells us Dr. Jorge Trevino and Dr. James Stewart left the mess when they moved over three weeks ago.

"These are blood samples of I don't know what," she says.

NEWSCHANNEL 5 found about a dozen vials of blood on the floor of what used to be the McAllen Primary Care Clinic. Medical files, equipment, binders, and bank statements were scattered on the floor. There were also containers full of prescription medicines.

Chrysler says, "I'm not in the medical field, but I can pretty much tell they are patients files."

The offices had thousands of X-rays and medical records with names, addresses, phone number, social security numbers, and other personal information.

"I don't know what to do with it," says the realtor, "I need to get it out of here, but I need the proper way of doing it."

Chrysler says she never got a response when she asked why the mess was left. She had even offered to open the office for them.

NEWSCHANNEL 5 went to the doctors' new office. No one returned our calls.

We contacted the Texas Medical Board. A spokesman tells us the messy office poses public danger. People's records are vulnerable to identity theft, and potential HIPAA confidentiality laws could be violated. Investigators could find the doctors guilty of unprofessional conduct.

The Texas Medical Board spokesman says the enforcement department will hear about these concerns and could launch an investigation.

Just before our story aired, Chrysler called us to say she'd been contacted by the doctor. He told her he'd have the mess cleaned up tomorrow.

Michael Hill
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751
"If You Think You're Not At Risk, Think Again!"

From jericho at attrition.org Thu Dec 6 10:50:02 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 6 Dec 2007 10:50:02 +0000 (UTC)
Subject: [Dataloss] follow-up: Passport security breach repaired, official says
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.theglobeandmail.com/servlet/story/RTGAM.20071205.wpassport05/BNStory/National/home

By Kenyon Wallace
Globe and Mail
December 5, 2007

Passport Canada says that a security breach in its passport application website that allowed easy access to the personal information of applicants has been repaired.

"We're definitely looking into how this happened, but right now, it's fixed," said Fabien Lengelle, a spokesman for Passport Canada. "We are very committed to security and we would like to reassure the Canadian public that passport online is a secure application."

Mr. Lengelle added that the personal information of applicants is never stored online.

However, an Ontario man applying online for a passport last Thursday discovered he could access personal information - such as social insurance numbers, birthdates and driver's licence numbers - of other applicants by altering one character in the Internet address displayed by his Web browser.

[..]

From jericho at attrition.org Thu Dec 6 10:15:11 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 6 Dec 2007 10:15:11 +0000 (UTC)
Subject: [Dataloss] UK: Hackers force mass website closures (Fasthosts)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://technology.timesonline.co.uk/tol/news/tech_and_web/article3007298.ece

By Simon de Bruxelles
The Times
December 6, 2007

Hundreds of websites have been shut down temporarily by one of the largest web hosting companies in Britain after the personal details of customers were stolen by computer hackers.

The hackers managed to access the master database of Fasthosts for information, including addresses, bank details, e-mails and passwords. The action is expected to lose vital business for hundreds of small companies in the run-up to Christmas.

Fasthosts claimed that it had no option other than to perform an emergency shutdown after it discovered that the hackers had tried to use information gleaned from its servers. New passwords had to be sent out by post rather than e-mail to avoid the information being compromised again.

[..]

From mhill at idtexperts.com Thu Dec 6 16:48:03 2007
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Thu, 6 Dec 2007 11:48:03 -0500
Subject: [Dataloss] Forrester Loses Laptop Containing Personnel Data
Message-ID: <000d01c83827$c587caf0$6501a8c0@mkevhill>

http://www.eweek.com/article2/0,1895,2228887,00.asp

Thieves stole a laptop from the home of a Forrester Research employee during the week of Nov. 26, potentially exposing the names, addresses and Social Security numbers of an undisclosed number of current and former employees and directors, the company said in a letter mailed to those affected on Dec. 3.

Forrester "Chief People Officer" Elizabeth Lemons said in the letter that the hard drive is password-protected but made no mention of encryption.

The laptop contained records pertaining to those who have received grants of Forrester stock options or who have participated in the research firm's Employee Stock Purchase Plan, according to the letter. Those who have done contractual work for the consultancy, but who haven't participated in either stock plan, also appear to be affected.

The incident appears to be a clear case of, "Do as I say, not as I do." Besides the irony of a technology consultancy that apparently does not encrypt sensitive data on employee laptops, the office of Forrester's "chief people officer" apparently had not informed the firm's media staff of the incident before sending out the letter. When eWEEK contacted Forrester's press hotline on Dec. 5, a staffer said that this was the first she had heard of the incident.

[...]

The idea that password protection actually protects laptop data is one that's laughed out of the room by security professionals.

"Anybody with a relative clue, or at least a copy of Knoppix or F.I.R.E. [data recovery tools], could potentially bypass security measures implemented on lost or stolen drives. Period," wrote data breach experts at Attrition.org, a volunteer-run site that keeps a running list of data breaches relied on by organizations including Privacy Rights Clearinghouse.

"Unless data on a drive is encrypted with a key either unknown or inaccessible to an intruder, that data is open to compromise," Attrition said in a February posting that followed the recovery of a lost VA laptop. "We won't even go into cracking AES256 or 3DES here; for the most part, such measures are impractical. Cracking algorithms over 128-bit is possible, but only with a lot of time and/or firepower. However, shoving a CD in the machine, rebooting and typing: '# mount /dev/hda1 /tmp/stolen_info/ # cd /tmp/stolen_info/ # ls -la' is not that difficult and it makes all of that 'password-protected' data quite readable, even for a casual computer user.

"If the person who stole the laptop were to remove the drive and perform a bit-by-bit copy, they would circumvent any password protection on the computer. Remember, BIOS and Operating System passwords rely on the computer and OS to boot up. If you remove the drive, neither will offer any level of protection and are completely worthless."

A volunteer for Attrition who goes by the online name "Lyger" told eWEEK that Forrester's notification letter to those affected "should be of little comfort," given that Forrester didn't divulge whether the laptop's hard drive was encrypted.

At any rate, it may be ironic, but Forrester's dilemma is far from unique. A former analyst for a defunct technology consultancy wasn't surprised to learn the details behind the breach.

"When I was at Meta, we didn't do anything in our back office that we preached to others," he said. "It is symptomatic of all businesses. They really don't pay any attention to their own employees when warned of something

[..]

From hbrown at knology.net Fri Dec 7 00:50:35 2007
From: hbrown at knology.net (Henry Brown)
Date: Thu, 06 Dec 2007 18:50:35 -0600
Subject: [Dataloss] Personal Info From PA. Welfare Rolls Stolen
Message-ID: <475898DB.5050109@knology.net>

http://www.msnbc.msn.com/id/22119026/

Personal info from Pa. welfare rolls stolen
Computer contained names, Social Security numbers of 86 people
updated 6:39 p.m. CT, Wed., Dec. 5, 2007

HARRISBURG, Pa. - State officials said they have begun notifying 86 welfare recipients that a computer containing their personal information was stolen from an office in Philadelphia three weeks ago.

The Department of Public Welfare began mailing letters Wednesday warning the recipients to take steps to protect themselves from identity theft, agency spokeswoman Anne Bale said.

The theft occurred Nov. 13 when someone apparently broke through a locked trap door in the ceiling, Bale said. Welfare officials in Harrisburg were notified Tuesday, she said.

Bale said she did not know why it took three weeks for the department to find out or take action, and she said officials are looking into the matter.

The computer, which is protected by a password, contained names and Social Security numbers of 14 clients and the names and addresses of 72 other clients, Bale said.

From rwise29210 at gmail.com Fri Dec 7 01:20:35 2007
From: rwise29210 at gmail.com (Rodney)
Date: Thu, 06 Dec 2007 20:20:35 -0500
Subject: [Dataloss] Personal Info From PA. Welfare Rolls Stolen
In-Reply-To: <475898DB.5050109@knology.net>
References: <475898DB.5050109@knology.net>
Message-ID: <1196990435.18941.34.camel@MYTUX>

On Thu, 2007-12-06 at 18:50 -0600, Henry Brown wrote:

> The Department of Public Welfare began mailing letters Wednesday warning
> the recipients to take steps to protect themselves from identity theft,
> agency spokeswoman Anne Bale said.

This strikes me as odd and I have a couple of questions for the group.

1. If your data is lost and there is a clear "at fault" party as seems to be the case here (the data was unencrypted) they isn't the "at fault party supposed to provide ID theft protection? Is that a law or just something done to reduce damages should they ever be sued over release of personally identifiable information without informed consent?

2. If it is welfare rolls, then these people can't afford to do this on their own, so again why isn't the state setting this up for them?

Rodney Wise

From jericho at attrition.org Fri Dec 7 07:40:41 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 7 Dec 2007 07:40:41 +0000 (UTC)
Subject: [Dataloss] Law & Order - No ID Theft Reported From Stolen Computers
Message-ID:

The broker quoted below sure understands technology.

---------- Forwarded message ----------
From: InfoSec News

http://www.modbee.com/local/story/143953.html

December 06, 2007

Employees at a Modesto mortgage company that had computer equipment stolen last month say they believe information on the equipment can't be used for identity theft.

Matt Crawford, broker at All-American Mortgage, said the information on a stolen computer server was password protected, so it would be difficult for someone to access it. He said he had no reason to believe a thief would have such a password.

A burglar broke into All-American's Coffee Road office sometime during the weekend of Nov. 10 and stole the server, a modem and a wireless router.

Crawford said the company warned hundreds of clients whose information was on the computer about the break-in and theft, but has received no reports of identity theft.

"That doesn't eliminate the possibility that it could still happen," said Crawford, who added that company officials still are determining whose information was on the server.

Crawford said he believes the thief or thieves stole the equipment as a way to disrupt All-American's operations rather than for resale value or identity theft. He said Modesto police are investigating the break-in.

[...]

From macwheel99 at wowway.com Fri Dec 7 09:51:36 2007
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Fri, 07 Dec 2007 03:51:36 -0600
Subject: [Dataloss] Personal Info From PA. Welfare Rolls Stolen
In-Reply-To: <1196990435.18941.34.camel@MYTUX>
References: <475898DB.5050109@knology.net> <1196990435.18941.34.camel@MYTUX>
Message-ID: <6.2.1.2.1.20071207033455.0276be30@pop3.mail.wowway.com>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20071207/2b5dfee6/attachment.html

From hbrown at knology.net Fri Dec 7 10:54:10 2007
From: hbrown at knology.net (Henry Brown)
Date: Fri, 07 Dec 2007 04:54:10 -0600
Subject: [Dataloss] Personal Information of thousands of lab visitors stolen
Message-ID: <47592652.2080904@knology.net>

http://tinyurl.com/2wyok6

KNOXVILLE, Tenn. (AP) -- The Oak Ridge National Laboratory revealed today that a "sophisticated cyber attack" over the last few weeks may have allowed personal information about thousands of lab visitors to be stolen.

Lab officials said the assault appeared "to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country."

Oak Ridge officials would not identify the other institutions. But at Oak Ridge, they say, hackers may have infiltrated a non-classified database containing names, Social Security numbers and birth dates of every lab visitor between 1990 and 2004.

The lab estimates 3,000 researchers annually come to the facility, a major DOE energy research and high-performance computing center.

Officials stressed that no classified data was compromised.

The lab has sent letters to about 12,000 potential victims.

The assault was in the form of phony e-mails containing attachments, which when opened allowed hackers to penetrate the lab's computer security.

(Copyright 2007 by The Associated Press. All Rights Reserved.)

From jordantd at comcast.net Fri Dec 7 12:19:41 2007
From: jordantd at comcast.net (Dale Jordan)
Date: Fri, 7 Dec 2007 07:19:41 -0500
Subject: [Dataloss] Personal Info From PA. Welfare Rolls Stolen
In-Reply-To: <1196990435.18941.34.camel@MYTUX>
References: <475898DB.5050109@knology.net> <1196990435.18941.34.camel@MYTUX>
Message-ID: <000b01c838cb$77e85310$640fa8c0@internal.earthlink.net>

Hi Rodney,

Not all states have the privacy laws enacted. The link below describes the Pennsylvania law that went into effect in 2006:

http://www.privsecblog.com/archives/state-legislation-pennsylvania-becomes-22nd-state-to-enact-a-data-breach-disclosure-law.html

Thank you,
Dale Jordan

_____

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Rodney
Sent: Thursday, December 06, 2007 8:21 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] Personal Info From PA. Welfare Rolls Stolen

On Thu, 2007-12-06 at 18:50 -0600, Henry Brown wrote:

The Department of Public Welfare began mailing letters Wednesday warning the recipients to take steps to protect themselves from identity theft, agency spokeswoman Anne Bale said.

This strikes me as odd and I have a couple of questions for the group.

1. If your data is lost and there is a clear "at fault" party as seems to be the case here (the data was unencrypted) they isn't the "at fault party supposed to provide ID theft protection? Is that a law or just something done to reduce damages should they ever be sued over release of personally identifiable information without informed consent?

2. If it is welfare rolls, then these people can't afford to do this on their own, so again why isn't the state setting this up for them?

Rodney Wise

From macwheel99 at wowway.com Fri Dec 7 16:03:02 2007
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Fri, 07 Dec 2007 10:03:02 -0600
Subject: [Dataloss] Personal Info From PA. Welfare Rolls Stolen
In-Reply-To: <6.2.1.2.1.20071207033455.0276be30@pop3.mail.wowway.com>
References: <475898DB.5050109@knology.net> <1196990435.18941.34.camel@MYTUX> <6.2.1.2.1.20071207033455.0276be30@pop3.mail.wowway.com>
Message-ID: <6.2.1.2.1.20071207095939.02f8dc80@pop3.mail.wowway.com>

A more important ethical issue is how difficult it is for these people to figure out what they need to do, and how to do it.

Many years ago I read that not all US households have Internet access. I wonder what percent of people who are on welfare are among those who don't. Those of us with Internet access have many web sites, such as FTC, to guide us on what to do.

>2. If it is welfare rolls, then these people can't afford to do this on
>their own, so again why isn't the state setting this up for them?

From lyger at attrition.org Fri Dec 7 18:13:24 2007
From: lyger at attrition.org (lyger)
Date: Fri, 7 Dec 2007 18:13:24 +0000 (UTC)
Subject: [Dataloss] Ireland: Personal information lost
Message-ID:

http://u.tv/newsroom/indepth.asp?id=86401&pt=n

Personal details of up to 60,000 people have been lost by Citizens Advice, it was revealed today.

Bank account numbers, National Insurance numbers, names, addresses and dates of birth were on a laptop stolen from a staff member's car in Belfast earlier this week.

The details are of people who have sought advice from the bureau - but it said they were encrypted and the bureau claimed it was unlikely it could be accessed.

Derek Alcorn, chief executive of CAB Northern Ireland, apologised to all of those who could be affected.

[...]
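
Several of the items above rest on a drive being "password-protected", and the Attrition.org passage quoted in the Forrester story explains why that is not the same as encryption. The following is an added example, not part of any list post and not Attrition's own tooling: a Python check that reads an MBR-partitioned disk image and reports which partitions carry an encryption header and which are plain filesystems that mount without any key. The function names, the 7.5 bits/byte entropy threshold and the sample image are assumptions constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
PROBE = 4096  # bytes inspected at the start of each partition


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(head: bytes) -> tuple:
    """Map the first bytes of a volume to (format, verdict)."""
    if head[:6] == b"LUKS\xba\xbe":        # LUKS1/LUKS2 header magic
        return "LUKS", "encrypted"
    if head[3:11] == b"-FVE-FS-":          # BitLocker OEM ID in the boot sector
        return "BitLocker", "encrypted"
    if head[3:11] == b"NTFS    ":          # ordinary NTFS boot sector
        return "NTFS", "plaintext"
    if head[1080:1082] == b"\x53\xef":     # ext2/3/4 superblock magic 0xEF53
        return "ext2/3/4", "plaintext"
    if entropy(head) > 7.5:                # no header, but looks like ciphertext
        return "no signature", "opaque"
    return "no signature", "unknown"


def audit_disk(image: bytes) -> list:
    """Classify every primary partition listed in the image's MBR."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    findings = []
    for slot in range(4):
        entry = image[446 + 16 * slot: 462 + 16 * slot]
        ptype = entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sectors == 0:
            continue  # unused table slot
        start = lba_start * SECTOR
        head = image[start: start + min(PROBE, sectors * SECTOR)]
        fmt, verdict = classify(head)
        findings.append({"partition": slot + 1, "type": ptype,
                         "format": fmt, "verdict": verdict})
    return findings


def mountable_without_key(findings: list) -> list:
    """Partitions whose contents are readable once the drive leaves the laptop."""
    return [f["partition"] for f in findings if f["verdict"] == "plaintext"]


def build_sample_image() -> bytes:
    """Constructed test image: plain NTFS, LUKS, and headerless random data."""
    img = bytearray(SECTOR * 26)

    def add_partition(slot, ptype, lba, count):
        struct.pack_into("<B3sB3sII", img, 446 + 16 * slot,
                         0, b"\0\0\0", ptype, b"\0\0\0", lba, count)

    add_partition(0, 0x07, 8, 8)    # NTFS, sectors 8-15
    add_partition(1, 0x83, 16, 8)   # LUKS container, sectors 16-23
    add_partition(2, 0x83, 24, 2)   # headerless high-entropy data, sectors 24-25
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR + 3: 8 * SECTOR + 11] = b"NTFS    "
    img[16 * SECTOR: 16 * SECTOR + 8] = b"LUKS\xba\xbe\x00\x01"
    noise = b"".join(hashlib.sha256(bytes([n])).digest() for n in range(32))
    img[24 * SECTOR: 26 * SECTOR] = noise
    return bytes(img)


if __name__ == "__main__":
    report = audit_disk(build_sample_image())
    for row in report:
        print(row)
    print("readable without any key:", mountable_without_key(report))
```

An "opaque" verdict only means high-entropy data with no recognised header; confirm it against the encryption product's own status reporting before treating the drive as protected.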

From hbrown at knology.net Sun Dec 9 22:27:38 2007
From: hbrown at knology.net (Henry Brown)
Date: Sun, 09 Dec 2007 16:27:38 -0600
Subject: [Dataloss] wales driver license information sent to wrong people
Message-ID: <475C6BDA.6000607@knology.net>

http://news.bbc.co.uk/2/hi/uk_news/wales/7132278.stm

The Driver and Vehicle Licensing Agency (DVLA) broke data protection rules when confidential documents were sent to the wrong motorists, it has been claimed.

The agency sent 1,215 questionnaires, including dates of birth and motoring offence records, and about 100 went to the wrong addresses.

The National ID Theft Assistance Centre said the DVLA had breached the Data Protection Act 1998.

The DVLA said "human error" had led to the "isolated incident".

(...)

From hbrown at knology.net Mon Dec 10 12:50:29 2007
From: hbrown at knology.net (Henry Brown)
Date: Mon, 10 Dec 2007 06:50:29 -0600
Subject: [Dataloss] Tricare data breach affects 4,700 families
Message-ID: <475D3615.2040909@knology.net>

http://www.airforcetimes.com/news/2007/12/military_tricarebreach_071207w/

Tricare data breach affects 4,700 families

By Karen Jowers - Staff writer
Posted : Friday Dec 7, 2007 16:19:05 EST

Letters are in the mail to about 4,700 households who submitted claims through the Tricare Europe office since 2004 about a data breach involving their personal information -- a month after the breach was reported.

Most of those affected have since moved from Europe.

Electronic Data Systems notified Tricare on Nov. 7 that they had not properly secured a part of the system it maintains for Tricare, and "certain external entities" had been allowed access to a file with personal information. That file contained full or partial Social Security numbers. For one or more members of each household, it included their name, date of birth, and a medical diagnosis code associated with a health benefits claim submitted to Tricare Management Activity.

"We don't think this is a malicious intrusion," said Julie Basa, a spokeswoman for EDS, an information technology company that supports a health benefits system for the Defense Department's Tricare Management Activity. There has been no indication that any data has been misused, she said.

[...]

From lyger at attrition.org Tue Dec 11 01:19:52 2007
From: lyger at attrition.org (lyger)
Date: Tue, 11 Dec 2007 01:19:52 +0000 (UTC)
Subject: [Dataloss] TX: Employee Accused of Emailing County Workers' Personal Information
Message-ID:

http://www.newschannel5.tv/2007/12/10/983648/

A letter sent to Cameron County employees states their personal information was released through an e-mail.

According to the letter, an employee released an e-mail with a list of all county officials and employees. It reportedly contained names, social security numbers, and salaries.

"This letter was sent out as a precaution to all elected officials, appointed officials, anyone employed by Cameron County in August of 2006... to let them know that this inadvertent information was sent out," says Cameron County Judge Carlos Cascos.

[...]

From mhill at idtexperts.com Tue Dec 11 03:35:29 2007
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Mon, 10 Dec 2007 22:35:29 -0500
Subject: [Dataloss] Stolen car leads to ID theft ring
Message-ID: <001a01c83ba6$e12271c0$6501a8c0@mkevhill>

http://www.9news.com/news/article.aspx?storyid=82418

LONE TREE - More than a hundred Colorado dentists and their patients could be at risk for identity theft after a car containing a bag of sensitive information was stolen.

Lone Tree Police says the bag of documents were in the trunk of the car, which belonged to an employee of the Colorado Board of Dental Examiners.

"There was a substantial amount," said Det. Todd Pachello with Lone Tree Police. "Three, 3-ring binders in a bag that contained sensitive medical information."

According to police and the Colorado Board of Dental Examiners, the employee was taking the information home to finish work, but first made a stop at Park Meadows Mall to shop November 30. Police say the car was stolen in the parking lot with the documents inside.

Authorities found the car a few days later this week at an apartment complex located at 4500 South Monaco in Denver where one of the alleged thieves lived. Inside the unit, police discovered a massive amount of personal information from previous crimes.

"Social Security numbers, dates of birth, the credit card numbers, the pin numbers to those credit cards, they even have the photo IDs of the individuals they stole those credit cards from," said Pachello.

Rodney Hendrix, Curtis Jenkins, and Adam Silva were arrested and taken into custody. Hendrix, the so-called ring leader, faces a possible lifetime sentence if convicted, because police say this is his fifth offense.

The Colorado Board of Dental Examiners says its employee did not violate any company policies by taking the documents out of the building.

It's not known whether the suspects used the victims' personal information before they were arrested, but all the victims are currently being contacted by authorities.

If you have questions about the case, you're asked to call Lone Tree Police at 303-339-8150.

From lyger at attrition.org Tue Dec 11 15:10:13 2007
From: lyger at attrition.org (lyger)
Date: Tue, 11 Dec 2007 15:10:13 +0000 (UTC)
Subject: [Dataloss] CA: Stolen laptop holds private information
Message-ID:

http://www.record-bee.com/local/ci_7687954

Sutter Lakeside Hospital (SLH) reported Monday that a laptop computer containing personal and medical information of approximately 45,000 former patients, employees and physicians has been stolen from the residence of a contractor.
It has not been recovered.

The information, dating from 2005 and earlier, was to be transferred from one secure system to another as part of an equipment upgrade, but the contractor went against hospital policy by downloading the information onto the laptop's hard drive.

The hospital, upon learning of the misuse of the laptop, discontinued a business relationship with the contractor, who was not an employee of SLH, but was hired for a special project in the IT department, according to Marketing and Communications Manager Mitch Proaps.

[...]

From lyger at attrition.org Tue Dec 11 22:27:21 2007
From: lyger at attrition.org (lyger)
Date: Tue, 11 Dec 2007 22:27:21 +0000 (UTC)
Subject: [Dataloss] IA: DNR Tells 7000: Social Security Numbers Lost
Message-ID:

http://www.kcrg.com/news/local/12370426.html

A contractor working for the DNR revealed on December 5th that a computer jump drive containing the names and social security numbers for 7000 people is missing. The DNR says the drive actually disappeared on November 21st.

Chief Technology Officer Rick Hindman tells TV9 the worker waited to report the error because he thought he would be able to find the piece of missing equipment. Hindman says the contractor believes the jump drive fell off of his desk and into a garbage can at a DNR office in Des Moines.

[...]

From lyger at attrition.org Wed Dec 12 02:37:04 2007
From: lyger at attrition.org (lyger)
Date: Wed, 12 Dec 2007 02:37:04 +0000 (UTC)
Subject: [Dataloss] (follow-up) Ohio Plans To Encrypt After Data Breach
Message-ID:

http://it.slashdot.org/article.pl?sid=07/12/11/2144255

"After a backup tape containing sensitive information on 130,000 Ohio residents, current and former employees, and businesses was stolen from the car of a government intern in June, the state government just announced it has purchased 60,000 licenses of encryption software - McAfee's SafeBoot - for state offices to use to protect data.
It's estimated that the missing backup tape will cost Ohio $3 million. In September, the state docked a government official about a week of future vacation time for not ensuring that the data would be protected." [...] From jericho at attrition.org Wed Dec 12 06:53:46 2007 From: jericho at attrition.org (security curmudgeon) Date: Wed, 12 Dec 2007 06:53:46 +0000 (UTC) Subject: [Dataloss] follow-up: TJX Lawsuit Transferred Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://online.wsj.com/article/SB119743288731823035.html By Joseph Pereira The Wall Street Journal December 12, 2007 BOSTON -- A lawsuit by a group of New England and Alabama banks against TJX Cos. over a data breach that resulted in the theft of millions of credit-card numbers was transferred to a Massachusetts state court by a federal judge. In his order yesterday, U.S. District Judge William G. Young denied the plaintiffs' request to sue as a class and ruled that without class-action status the case would no longer fall under federal jurisdiction. The decision underscores a problem litigants in electronic data-breach cases -- a relatively new phenomenon in the U.S. legal system -- will have to resolve to be granted financial relief for alleged damages. "It is very difficult to prove whether any particular fraud loss is connected to the particular data breach as opposed to some other source," said Kevin McGinty, a class-action defense expert in Boston who isn't involved in the TJX case. How a specific loss occurred would have to be investigated on an individual basis, he said, and "that's why the judge decertified the case." [...] 
From hbrown at knology.net Thu Dec 13 20:53:40 2007 From: hbrown at knology.net (Henry Brown) Date: Thu, 13 Dec 2007 14:53:40 -0600 Subject: [Dataloss] data thieves hit gas station Message-ID: <47619BD4.8020504@knology.net> http://cbs2.com/local/ID.Theft.Investigation.2.609494.html ID Theft Investigated At El Monte Gas Station At Least 45 Customers Have Been Victimized EL MONTE, Calif. (CBS) -- Police were searching Wednesday for the thieves who stole debit card information from, at least, 45 customers at an Arco station in El Monte. The suspects made off with thousands of dollars from unsuspecting customers. A computerized device apparently was used to lift key information, including debit card identification numbers, concealed in the card's magnetic strip, investigators told the San Gabriel Valley Tribune. "It looks like the victims were gassing up here and using the outside pump terminals, and their credit card information was compromised," El Monte police Detective Brian Glick said. Police don't believe it was an inside job but that the fraud artists picked the station in the 4300 block North Santa Anita Avenue because of its high customer volume. Fraudulent withdrawals, ranging from $400 to $1,500 per customer, were made in Las Vegas, Palm Springs and New York, police said. Investigator Victor Hernandez told the San Gabriel Valley Tribune there could be as many as 100 victims. [...] 
From rwise at seostrich.com Fri Dec 14 12:48:54 2007 From: rwise at seostrich.com (Rodney Wise) Date: Fri, 14 Dec 2007 07:48:54 -0500 Subject: [Dataloss] Botnet-controlled Trojan robbing online bank customers Message-ID: <1197636534.14010.6.camel@MYTUX> Botnet-controlled Trojan robbing online bank customers Security firm says malware targeting commercial customers believed to have come from Russia By Ellen Messmer, Network World, 12/13/07 A new variant on the "Prg Banking Trojan" malware discovered in June is stealing funds from commercial accounts in the United States, United Kingdom, Spain and Italy with a botnet called Zbot, says Atlanta-based SecureWorks. "It's been very successful since we've first seen this at the end of November," says Don Jackson, senior security researcher at SecureWorks, which believes the Prg Trojan variant is designed by the Russian hackers group known as Russian UpLevel working with some German affiliates. "The Trojan has the ability to use a man-in-the-middle attack, a kind of shoulder-surfing when someone logs into a bank account. It can inject a request for a Social Security number or other information, and it's very dynamic. It's targeted for each specific bank." SecureWorks says about a dozen banks -- which it wouldn't identify because it says the U.S. Secret Service is investigating the incidents -- have had their commercial customers affected by the Trojan-based money fraud operation. According to SecureWorks, the bank Trojan malware can be distributed using iFrame exploits on Web sites or through very targeted attacks against bank customers via phishing. 
Oftentimes, the phishing e-mail attempts to lure the victim into clicking on a site to offer software disguised as a real certificate, security code or soft token, the company says, adding that it has uncovered caches of stolen data in its research. If the attacker succeeds in getting the Trojan malware onto the victim's computer, he can piggyback on a session of online banking without even having to use the victim's name and password. The infected computer communicates back to the Trojan's command-and-controller exactly which bank the victim has an account with. It then automatically feeds code that tells the Trojan how to mimic actual online transactions with a particular bank to do wire transfers or bill payments. SecureWorks says the Trojan performs keystrokes that imitate the victim's keystrokes to avoid any online fraud-monitoring. Although the Secret Service is investigating the Trojan's impact on banks and their customers, Jackson says Russian law authorities are lax in reining in online criminal groups widely believed to be operating from Russia, including Russian UpLevel and the Russian Business Network. Rodney Wise South East Ostrich Supply http://www.seostrich.com (803) 741-5636 From lyger at attrition.org Sun Dec 16 21:34:31 2007 From: lyger at attrition.org (lyger) Date: Sun, 16 Dec 2007 21:34:31 +0000 (UTC) Subject: [Dataloss] Deloitte partner, principal confidential information on stolen laptop Message-ID: http://www.scmagazineus.com/Deloitte-partner-principal-confidential-information-on-stolen-laptop/article/99945/ A laptop containing the personal information of an undisclosed number of Deloitte & Touche partners, principals and other employees was stolen while in possession of a contractor responsible for scanning the accounting firm's pension fund documents, SCMagazineUS.com learned today. 
The computer contained confidential data, including names, Social Security numbers, birth dates, and other personnel information, such as hire and termination dates, according to a Dec. 6 letter Deloitte sent to victims. Some of the information belonged to people working at Deloitte subsidiaries. The laptop, stolen during Thanksgiving week, was protected by a password but was not encrypted, according to the letter. Deloitte has no evidence any of the data has been used for fraudulent purposes, and police are investigating. [...] From macwheel99 at wowway.com Sun Dec 16 22:41:38 2007 From: macwheel99 at wowway.com (Al Mac Wheel) Date: Sun, 16 Dec 2007 16:41:38 -0600 Subject: [Dataloss] off-topic: repetitive breaches Message-ID: <6.2.1.2.1.20071216162453.027ac770@pop3.mail.wowway.com> This is a March 2007 report that I did not notice at the time. http://www.eweek.com/article2/0,1895,2101733,00.asp Almost seven out of 10 companies -- 68 percent -- are losing sensitive data or having it stolen out from under them six times a year, according to new research from the IT Policy Compliance Group. An additional 20 percent are losing sensitive data a whopping 22 times or more per year. [...] Ninety percent of the organizations were located in the United States. The good news to come out of the group's survey is that 12 percent of surveyed organizations are losing sensitive data less than twice each year. [..] The most sensitive losses are around customer data, financial data, corporate data, employee data and IT security data, according to the report, titled "Taking Action to Protect Sensitive Data." [..] the leading cause for data loss is user error. Policy violations are the second leading cause, but Internet threats, attacks and hacks only comes in at No. 3. When it comes to how data vanished, lost devices topped the chart, including loss of PCs, laptops and mobile field devices. The second most common channel of data loss was through e-mail, IM and other electronic means. 
Software applications, including databases and the systems they work on, came in as the third most frequent channel through which data is being lost. [..] The cost on average to notify customers and to clean up and restore data was $100 per record. +++++ Here is summary of the report. You have to join the organization to download the whole thing http://www.itpolicycompliance.com/research_reports/data_protection/read.asp?ID=9 - Al Mac From tomd2004 at gmail.com Mon Dec 17 18:41:42 2007 From: tomd2004 at gmail.com (Tom) Date: Mon, 17 Dec 2007 18:41:42 +0000 Subject: [Dataloss] DSA Data loss Message-ID: <6f6f4a050712171041o5bd66c9cv950033c498e19593@mail.gmail.com> Millions of L-driver details lost Ruth Kelly Ms Kelly apologised but said risks were not substantial The details of three million candidates for the driving theory test have gone missing, Ruth Kelly has told MPs.... http://news.bbc.co.uk/1/hi/uk_politics/7147715.stm Regards Tom From lyger at attrition.org Mon Dec 17 23:37:42 2007 From: lyger at attrition.org (lyger) Date: Mon, 17 Dec 2007 23:37:42 +0000 (UTC) Subject: [Dataloss] PA: Nurse's Stolen Laptop May Put Thousands Of Local Patients At Risk Message-ID: http://www.wpxi.com/news/14875284/detail.html The names, social security numbers, phone numbers, addresses and patient care information of 42,000 patients were all on a laptop computer stolen from a nurse's home. A spokesman for West Penn Allegheny Health System said they are not aware of any inappropriate use of patient information. The computer and other possessions were stolen from a home care nurse's home. The hospital said the data on the laptop is protected once the computer is shut off or when the battery runs out in about four hours. [...] 
From jericho at attrition.org Tue Dec 18 07:00:53 2007 From: jericho at attrition.org (security curmudgeon) Date: Tue, 18 Dec 2007 07:00:53 +0000 (UTC) Subject: [Dataloss] follow-up: Insurer gets record fine for ID theft disaster Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.techworld.com/security/news/index.cfm?newsID=10952 By John E. Dunn Techworld 17 December 2007 A UK insurance house has been slapped with a record fine by the Financial Services Authority (FSA) watchdog for incompetent customer account security. The latest offender is Norwich Union, which allowed fraudsters to impersonate customers when phoning its call centres, cashing in policies on an astonishing 74 occasions out of a total of recorded 632 attempts. The criminals -- 11 suspects have now been arrested -- were able to steal a total of £3.3 million during the scam, which took place in 2006. The FSA has hit the company with a £1.26 ($2.6 million) million fine, a record for the UK, and even larger than that levied on The Nationwide Building Society earlier this year for losing a laptop full of unspecified customer data in August 2006. The Norwich Union only avoided an even larger fine of £1.8 million ($3.6 million) by promptly settling the charges with the industry regulator, and agreeing to tighten up its procedures. [..] From hbrown at knology.net Tue Dec 18 12:37:19 2007 From: hbrown at knology.net (Henry Brown) Date: Tue, 18 Dec 2007 06:37:19 -0600 Subject: [Dataloss] Ohio's Medicaid system revealing sealed adoption information Message-ID: <4767BEFF.3050805@knology.net> http://www.ohio.com/news/ap?articleID=288711 A glitch in Ohio's troubled child-welfare system is revealing information from sealed adoption records, a data breach some child advocates say is a massive violation of confidentiality. 
The data breach involves children who were adopted out of the foster-care system and now are enrolled in a children's health insurance program in 35 Ohio counties, said Dennis Evans, spokesman for the Ohio Department of Job and Family Services. Those counties issue Medicaid cards through the new Statewide Automated Child Welfare Information System, which draws information from health records before adoptions, Evans said. In some cases, when medical personnel use the number on the Medicaid cards to look up health records, the system emits sealed data such as a birth mother's name. That information is supposed to be secret, Evans said. The state has not yet determined how many children are directly affected, although several counties have registered complaints. The agency is working to pinpoint the problem, Evans said. [...] From hbrown at knology.net Tue Dec 18 12:46:40 2007 From: hbrown at knology.net (Henry Brown) Date: Tue, 18 Dec 2007 06:46:40 -0600 Subject: [Dataloss] Computer theft in hospital in Bolton England Message-ID: <4767C130.4070305@knology.net> http://tinyurl.com/2pa7yw Computer theft hits hundreds of patients By Paul Keaveny A COMPUTER containing the personal details of hundreds of patients at the Royal Bolton Hospital has been stolen. Thieves took the laptop when they broke into the department for thoracic care, which handles patients with chest and breathing complaints. The computer contains the information of around 350 patients who receive, or have received, oxygen treatment at home. Details include names, addresses, dates of birth, NHS numbers, GP practices and some details about the patients' oxygen supply. The hospital has sent letters to those affected and apologised for any concern the theft may cause. 
Heather Edwards, head of communications at the hospital, said: "While we believe the risk of anybody using the information contained on the computer is extremely small, we thought that it was right for the patients to know what had happened. "We are very sorry about this and hope it doesn't cause people any undue concern." She said engineers for the company which services the oxygen supplies carried identification cards and that patients should check their ID before letting them in. Mrs Edwards said the information was backed-up and patient health and treatment had not been affected. Cllr Andy Morgan, chairman of the health scrutiny committee, added: "I will be asking for a full report to be brought to my committee with regards the storage of personal data by both the hospital and the Primary Care Trust, to reassure the public that all is being done to protect their personal information in Bolton." The theft in November is being investigated by the police. Last October, computer equipment worth around £3,000 and thought to contain important medical information was stolen from the hospital. From lyger at attrition.org Tue Dec 18 14:15:23 2007 From: lyger at attrition.org (lyger) Date: Tue, 18 Dec 2007 14:15:23 +0000 (UTC) Subject: [Dataloss] UK: Revenue loses 6,500 people's data Message-ID: http://news.bbc.co.uk/1/hi/wales/7149767.stm The personal details of 6,500 customers belonging to a pension firm have been lost at an office of HM Revenue and Customs (HMRC) in Cardiff. Names, addresses, date of births, national insurance numbers and pension contributions were included on a data cartridge which has been lost. It had been sent by courier in September from Countrywide Assured. The HMRC has apologised about its seventh such loss of data and has told the Information Commissioner. [...] 
From mhill at idtexperts.com Tue Dec 18 14:23:49 2007 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Tue, 18 Dec 2007 09:23:49 -0500 Subject: [Dataloss] TX: Forms with Employee Personal Information Discovered Message-ID: <002d01c84181$9bb44b50$6501a8c0@mkevhill> http://www.newschannel5.tv/2007/12/17/984027/Forms-with-Employee-Personal-Information-Discovered School district says document slipped through the cracks BROWNSVILLE - Forms with employee personal information littered the fence of a Brownsville school district warehouse. NEWSCHANNEL 5 found confidential letters with names, bank account numbers, and Social Security numbers in plain sight. The forms may be more than ten years old, but they each contain information that's still valuable. We ran one of the names we found. NEWSCHANNEL 5 learned that person is still employed with the school district. She didn't want to talk to, so we spoke to district spokesperson Drue Brown. "When you made us aware of it, we took immediate action and spent the afternoon cleaning them up," she says. We've learned the district has a department responsible for maintaining and destroying old records. They're in charge of shredding this type of information. District leaders say the documents simply slipped through the cracks. Brown says, "Perhaps some of these records were in a file cabinet that wasn't completely cleaned up. And they somehow ended up here." Just after NEWSCHANNEL 5 contacted the district, workers were out in numbers cleaning up the mess. "We were surprised by it," Brown says. "This is not our standard practice." The district tells us they'll make every attempt to keep this from happening again. The documents NEWSCHANNEL 5 found will be returned to the district. Michael Hill Certified Identity Theft Risk Management Specialist IDT Consultants 404-216-3751 "If You Think You're Not At Risk, Think Again!"
From lyger at attrition.org Wed Dec 19 01:57:24 2007 From: lyger at attrition.org (lyger) Date: Wed, 19 Dec 2007 01:57:24 +0000 (UTC) Subject: [Dataloss] follow-up: TJX, banks settle litigation over breach Message-ID: http://www.businessweek.com/ap/financialnews/D8TK750O0.htm TJX Cos. and nearly all the banks and bank associations that sued the discount retailer over a massive credit card data breach said Tuesday they have settled the lawsuit for an undisclosed amount. Although both sides said the settlement total would remain confidential, TJX said the costs were covered by a $107 million reserve that it set aside against its second-quarter earnings. TJX also has said that $107 million would cover the costs of another breach agreement: a Nov. 30 deal with Visa Inc. to help pay a maximum $40.9 million to help the network's card-issuing banks recover expenses to replace customers' Visa cards. [...] From lyger at attrition.org Wed Dec 19 05:37:46 2007 From: lyger at attrition.org (lyger) Date: Wed, 19 Dec 2007 05:37:46 +0000 (UTC) Subject: [Dataloss] PA: Stolen laptop holds data on seniors Message-ID: http://ads.advance.net/RealMedia/ads/Creatives/PENNLIVE/PrivParty_PN_RoS_Mark/1penn.htm A state Department of Aging-owned laptop computer containing personal information on nearly 21,000 senior citizens was stolen from a Johnstown home during a Dec. 5 break-in. The computer was issued to a department employee who works with the agencies on aging in Indiana, Union, Snyder and Clearfield counties. The employee was attending a funeral when the theft occurred, said Michele Bell Gopinath, a department spokeswoman. Police suspect the computer was taken for its street value, she said. There have been no reports of misuse of the information, which included names, addresses, Social Security numbers, some medical information and the services clients received, Gopinath said. [...] 
From jericho at attrition.org Wed Dec 19 12:15:48 2007 From: jericho at attrition.org (security curmudgeon) Date: Wed, 19 Dec 2007 12:15:48 +0000 (UTC) Subject: [Dataloss] follow-up: Data breach officials could be sent to the big house Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.theregister.co.uk/2007/12/18/hmrc_crim_penalties/ By Joe Fay The Register 18th December 2007 Civil servants responsible for the loss of public data could face prison sentences in future, instead of a brief period in sackcloth and ashes before being shifted into a consultancy role. In his update on the HMRC data loss to MPs yesterday, Alistair Darling said: "There will now also be new sanctions under the Data Protection Act for the most serious breaches of its principles. "These will take account of the need not only to provide high levels of data security but also to ensure that sensible data sharing practices can be conducted with legal certainty. We will consult early in the New Year on how this can best be done." The Times reports that ministers have accepted that the penalties for "gross failures" to protect citizens' details should include criminal penalties. These could be as harsh as a two year prison sentence for the most serious offenses. Darling, yesterday, also said that spot check powers introduced in Whitehall in the wake of the HMRC data loss would be extended right across the public sector. [..] From lyger at attrition.org Wed Dec 19 12:26:28 2007 From: lyger at attrition.org (lyger) Date: Wed, 19 Dec 2007 12:26:28 +0000 (UTC) Subject: [Dataloss] (corrected URL) PA: Stolen laptop holds data on seniors Message-ID: (previously sent URL was a misfire, oops...) http://www.pennlive.com/news/patriotnews/index.ssf?/base/news/1198033089169550.xml&coll=1 A state Department of Aging-owned laptop computer containing personal information on nearly 21,000 senior citizens was stolen from a Johnstown home during a Dec. 5 break-in. 
The computer was issued to a department employee who works with the agencies on aging in Indiana, Union, Snyder and Clearfield counties. The employee was attending a funeral when the theft occurred, said Michele Bell Gopinath, a department spokeswoman. Police suspect the computer was taken for its street value, she said. There have been no reports of misuse of the information, which included names, addresses, Social Security numbers, some medical information and the services clients received, Gopinath said. [...] From lyger at attrition.org Thu Dec 20 12:35:17 2007 From: lyger at attrition.org (lyger) Date: Thu, 20 Dec 2007 12:35:17 +0000 (UTC) Subject: [Dataloss] NY: Dormitory Authority hunts missing ID tapes Message-ID: http://timesunion.com/AspStories/story.asp?storyID=648817&category=FRONTPG&BCCode=HOME&newsdate=12/20/2007 Data tapes containing Social Security numbers, phone numbers and addresses for up to 800 current and former employees of the state Dormitory Authority, many of whom live in the Capital Region, are missing. Employees of the agency, which funds and oversees construction of college dorms and other capital projects, were informed of the missing tapes on Wednesday via an e-mail that also offered advice on how to learn about identity theft precautions. "UPS is investigating it at their end. We are investigating it to the extent that we can on our end," said authority spokesman Marc Violette. [...] 
From jericho at attrition.org Fri Dec 21 08:45:56 2007 From: jericho at attrition.org (security curmudgeon) Date: Fri, 21 Dec 2007 08:45:56 +0000 (UTC) Subject: [Dataloss] Thousands of doctors' details put on web Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/12/20/ndocs120.xml By Rebecca Smith Medical Editor 20/12/2007 Computer security failures that allowed sensitive personal details of junior doctors applying for training posts to be viewed by others were an "unacceptable breach of security" by the Department of Health, the Information Commissioner has found. The sensitive details of thousands of doctors, including religious beliefs and sexual orientation, could be seen by anyone logging on to the Medical Training Application Service site. The commissioner said the Department of Health had breached the Data Protection Act and warned that if it happened again the department would be prosecuted. The findings increase pressure on ministers over the handling of sensitive personal data and follows a series of security blunders. [..] From lyger at attrition.org Fri Dec 21 12:27:08 2007 From: lyger at attrition.org (lyger) Date: Fri, 21 Dec 2007 12:27:08 +0000 (UTC) Subject: [Dataloss] UK: Computer theft puts 14,000 at risk of ID fraud Message-ID: http://www.yorkshirepost.co.uk/news/Computer-theft-puts-14000-at.3611872.jp Up to 14,000 customers of the financial giant Skipton have been left open to identity fraud, after the company admitted that a laptop containing customers' personal details was stolen last week. Investors with money in the Fidelity FundsNetwork were told yesterday that the stolen information includes names, addresses, date of birth, National Insurance numbers, fund investment details - and even how much each person had invested. 
The Yorkshire Post understands the laptop was taken from a locker being used by a staff member of an information technology (IT) consultancy employed by Skipton Financial Services. [...] From lyger at attrition.org Fri Dec 21 12:29:39 2007 From: lyger at attrition.org (lyger) Date: Fri, 21 Dec 2007 12:29:39 +0000 (UTC) Subject: [Dataloss] SC: School Employees' Personal Data Stolen Message-ID: http://www.wyff4.com/news/14900680/detail.html Hundreds of current and former Greenville County School District employees had personal information stolen from computers accessing state insurance information, prompting an investigation by federal Homeland Security officials. The district notified employees last week that the computers had been compromised and that employees' personal information was taken, including their names, home phone numbers and Social Security numbers. Homeland Security said that school employees were among several governmental agencies across the state whose employees were hit by data thieves. [...] From hbrown at knology.net Fri Dec 21 22:37:08 2007 From: hbrown at knology.net (Henry Brown) Date: Fri, 21 Dec 2007 16:37:08 -0600 Subject: [Dataloss] CT DMV computer stolen Message-ID: <476C4014.1060208@knology.net> http://abclocal.go.com/wabc/story?section=news/local&id=5846995 HARTFORD -- The Connecticut Department of Motor Vehicles is notifying 155 customers that their personal information may have been on a computer stolen from a mobile service center vehicle while it was being repaired. Both the DMV and the State Police have begun investigations into the recovery of the stolen equipment. Authorities say the personal data on the computer included name, address, date of birth, license number, photo and signature. It is unlikely that the data could be accessed due to a number of security features, including a software program that triggers a deletion of the data when the computer is turned on. 
It is important to note that credit card information was encrypted so that it cannot be used and social security numbers were not part of this file. (...) From hbrown at knology.net Sun Dec 23 12:17:05 2007 From: hbrown at knology.net (Henry Brown) Date: Sun, 23 Dec 2007 06:17:05 -0600 Subject: [Dataloss] ID thieves lifted personal info from court Web site Message-ID: <476E51C1.3000307@knology.net> From the Coshocton Ohio Tribune http://tinyurl.com/ytfxsk ID thieves lifted personal info from court Web site COLUMBUS (AP) - Police say hundreds of people in five states are victims of identity theft after someone lifted their Social Security numbers from a municipal court Web site. Someone manually fed random numbers into the Franklin County Municipal Court Web site, hoping to find someone with one of the numbers. Once the thief made a connection, the persons' name, address, age and other information was used to obtain credit cards and open bank accounts. The Web site contains personal information for thousands of people charged with misdemeanors. The victims, from Ohio, Kentucky, South Carolina, Texas and Wyoming, may not realize their identities were stolen, said Worthington police. From lyger at attrition.org Mon Dec 24 16:45:34 2007 From: lyger at attrition.org (lyger) Date: Mon, 24 Dec 2007 16:45:34 +0000 (UTC) Subject: [Dataloss] UK: Tories offer NHS IT rescue plan after major patient data losses Message-ID: http://www.theregister.co.uk/2007/12/24/nhs_trust_data_losses/ The Tory party has put forward a rescue plan for the NHS IT system in the wake of the latest government data losses, which were revealed over the weekend. Nine English NHS trusts have owned up to large scale losses of personal data, and although in most cases the nature of this data has yet to be revealed, City & Hackney Primary Care Trust reportedly mislaid the names and addresses of 160,000 children. 
Speaking on Radio 4's Today programme, Tory Shadow Health Secretary Andrew Lansley said that the losses illustrated the dangers of holding all NHS records on a single database that could be accessed by 300,000 individuals. The system need not however, he stressed, be entirely abandoned. Instead, data should be held on smaller, interoperable local databases. [...] From lyger at attrition.org Wed Dec 26 13:40:35 2007 From: lyger at attrition.org (lyger) Date: Wed, 26 Dec 2007 13:40:35 +0000 (UTC) Subject: [Dataloss] fringe: unlisted phone number information Message-ID: From: Henry Brown To: dataloss at attrition.org Date: Mon, 24 Dec 2007 19:18:25 -0600 http://blog.wired.com/27bstroke6/2007/12/site-leaking-un.html A site that allows consumers to compare prices for digital phone, internet and TV services has been leaking private address information belonging to people with unlisted phone numbers. The site DigitalLanding.com, which is owned by Acceller, Inc., initially said it was not doing anything wrong and that the information it provided was all publicly available, despite the fact that addresses connected to unlisted numbers are not intended to be public by customers who pay a fee to protect that information or, presumably, by the phone companies that offer unlisted numbers to their customers. Acceller has since recanted and announced that it's in the process of fixing the data so that information belonging to people with unlisted numbers will be protected. [...] From dano at well.com Thu Dec 27 02:22:40 2007 From: dano at well.com (Dan O'Donnell) Date: Wed, 26 Dec 2007 18:22:40 -0800 Subject: [Dataloss] UK: Police personal data found on discarded floppy Message-ID: Police data details found at dump A senior police officer has apologised after confidential details of staff were found on a dump in Devon. The details, on a floppy disk, included names, addresses, telephone numbers and ranks of employees of Devon and Cornwall Police. 
The disk was in an obsolete computer that had been used by the force and had been sent for recycling. Ass Ch Con Bob Pennington apologised to staff and said the matter was being investigated. Recycling centre "We take our responsibilities for protecting all information seriously and are extremely concerned as to how this single disk was not removed before the machine was taken out of use," he said. "Recycling old computers was a conscious decision taken by the force as part of an overall cost cutting exercise and hard drives are always wiped clean but it appears that on this occasion the floppy disk has been overlooked." Information stored on the disk also included firearms qualifications. It was found by a man looking for spare computer parts at a recycling centre in Exeter, who alerted a national newspaper. It follows the loss of details for millions of hospital patients, learner drivers and child benefit claimants. From lyger at attrition.org Thu Dec 27 02:56:04 2007 From: lyger at attrition.org (lyger) Date: Thu, 27 Dec 2007 02:56:04 +0000 (UTC) Subject: [Dataloss] UK: Police personal data found on discarded floppy In-Reply-To: References: Message-ID: On Wed, 26 Dec 2007, Dan O'Donnell wrote: ": " ": " ": " Police data details found at dump ": " A senior police officer has apologised after confidential details of ": " staff were found on a dump in Devon. ": " ": " The details, on a floppy disk, included names, addresses, telephone ": " numbers and ranks of employees of Devon and Cornwall Police. ": " ": " The disk was in an obsolete computer that had been used by the force ": " and had been sent for recycling. While losing the personal information of police officers is certainly a concern due to the nature of their jobs, I've noticed other recent reports of general "data loss" involving not much more than names, addresses, and sometimes phone numbers. 
Should this generally be considered "personal information" if such data can usually be found in a phone book or Google (for most people anyway)? Just a thought and something we consider when including (or not including) breach data on attrition's data loss web page and database... From adam at homeport.org Thu Dec 27 03:07:05 2007 From: adam at homeport.org (Adam Shostack) Date: Wed, 26 Dec 2007 22:07:05 -0500 Subject: [Dataloss] UK: Police personal data found on discarded floppy In-Reply-To: References: Message-ID: <20071227030704.GA12438@homeport.org> On Thu, Dec 27, 2007 at 02:56:04AM +0000, lyger wrote: | On Wed, 26 Dec 2007, Dan O'Donnell wrote: | ": " | ": " | ": " Police data details found at dump | ": " A senior police officer has apologised after confidential details of | ": " staff were found on a dump in Devon. | ": " | ": " The details, on a floppy disk, included names, addresses, telephone | ": " numbers and ranks of employees of Devon and Cornwall Police. | ": " | ": " The disk was in an obsolete computer that had been used by the force | ": " and had been sent for recycling. | | While losing the personal information of police officers is certainly a | concern due to the nature of their jobs, I've noticed other recent reports | of general "data loss" involving not much more than names, addresses, and | sometimes phone numbers. Should this generally be considered "personal | information" if such data can usually be found in a phone book or | Google (for most people anyway)? Just a thought and something we consider | when including (or not including) breach data on attrition's data loss web | page and database... I suspect this one is inclusion-worthy. The addresses and personal phone numbers of police officers are usually protected for reasons of personal security. Similarly, many women chose to protect their home addresses. When Ameritrade lost control of email, it may have been a broader breach. 
To turn it around, I want as much disclosure as I can get, so we can better analyze what's happening in computer security. Why not include broadly? Adam From mhill at idtexperts.com Thu Dec 27 03:23:17 2007 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Wed, 26 Dec 2007 22:23:17 -0500 Subject: [Dataloss] UK: Police personal data found on discarded floppy References: Message-ID: <002e01c84837$d3b7d320$6501a8c0@mkevhill> We get that question a lot in our business and here's how we answer it. "Mr. (Business Owner) if I call into your business and ask for your home address and phone number, will you or whomever answers the phone going to give it to me?" I think not. The home address and phone number is just the first step to getting your identity stolen. Michael Hill Certified Identity Theft Risk Management Specialist IDT Consultants 404-216-3751 "If You Think You're Not At Risk, Think Again!" ---------------------------------------------------------------------------- From: lyger at attrition.org To: dataloss at attrition.org Sent: 12/26/2007 9:56:31 P.M. Eastern Standard Time Subj: Re: [Dataloss] UK: Police personal data found on discarded floppy On Wed, 26 Dec 2007, Dan O'Donnell wrote: ": " ": " ": " Police data details found at dump ": " A senior police officer has apologised after confidential details of ": " staff were found on a dump in Devon. ": " ": " The details, on a floppy disk, included names, addresses, telephone ": " numbers and ranks of employees of Devon and Cornwall Police. ": " ": " The disk was in an obsolete computer that had been used by the force ": " and had been sent for recycling. While losing the personal information of police officers is certainly a concern due to the nature of their jobs, I've noticed other recent reports of general "data loss" involving not much more than names, addresses, and sometimes phone numbers. 
Should this generally be considered "personal information" if such data can usually be found in a phone book or Google (for most people anyway)? Just a thought and something we consider when including (or not including) breach data on attrition's data loss web page and database... _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml From lyger at attrition.org Thu Dec 27 04:40:52 2007 From: lyger at attrition.org (lyger) Date: Thu, 27 Dec 2007 04:40:52 +0000 (UTC) Subject: [Dataloss] UK: Police personal data found on discarded floppy In-Reply-To: <002e01c84837$d3b7d320$6501a8c0@mkevhill> References: <002e01c84837$d3b7d320$6501a8c0@mkevhill> Message-ID: On Wed, 26 Dec 2007, Michael Hill, CITRMS wrote: ": " We get that question a lot in our business and here's how we answer it. ": " ": " "Mr. (Business Owner) if I call into your business and ask for your home address and phone number, will you or whomever answers the phone going to give it to me?" I think not. The home address and phone number is just the first step to getting your identity stolen. Not to take things too far, but I guess that was my part of my point. If someone cold-called my place of business and asked for that information, I wouldn't be willing to give it out.
However, what's to stop anyone from getting a copy of the White Pages or just getting online and hitting Google or a dozen other search engines for the same information (if the person in question is listed by such)? By the way, Adam made a good point about wanting a broader realm of disclosure for tracking and analysis. I wasn't trying to criticize the content of the original post; it was more about opening discussion as to what might be considered "personal", "private", "public", or "other". Any other thoughts? From chris at cwalsh.org Thu Dec 27 04:47:19 2007 From: chris at cwalsh.org (Chris Walsh) Date: Wed, 26 Dec 2007 22:47:19 -0600 Subject: [Dataloss] UK: Police personal data found on discarded floppy In-Reply-To: References: <002e01c84837$d3b7d320$6501a8c0@mkevhill> Message-ID: <6FFA7725-94D9-4EF4-99CD-04727DCDADF9@cwalsh.org> In part it depends on the law in wherever it is that the loss took place. I don't have to strain my brain too much to imagine that in the UK an exposure like this is more likely to be a transgression of some kind of privacy regulation, whereas in the US it might not be. Even here I seem to remember running into a FOIA exception relating to the addresses of police officers. Can't recall what state it was, but I don't think I'm remembering this wrong.... On Dec 26, 2007, at 10:40 PM, lyger wrote: > By the way, Adam made a good point about wanting a broader realm of > disclosure for tracking and analysis. I wasn't trying to criticize > the > content of the original post; it was more about opening discussion > as to > what might be considered "personal", "private", "public", or > "other". Any > other thoughts? 
From brian.honan at bhconsulting.ie Thu Dec 27 10:09:41 2007 From: brian.honan at bhconsulting.ie (Brian Honan) Date: Thu, 27 Dec 2007 10:09:41 +0000 Subject: [Dataloss] UK: Police personal data found on discarded floppy In-Reply-To: References: Message-ID: <239d6076f176b3d6a82cb96ee44dbb6a@mail.hosting365.ie> Don't forget that under EU, and UK, Data Protection legislation businesses and organisations are obliged to protect the personal information they hold on their customers and in some cases their staff. While the EU Data Protection legislation places obligations on companies to protect this personal data, there are no significant breach disclosure laws. So in my opinion breaches of this nature within the EU are significant as they could be in breach of the Data Protection legislation and we need to publicly know what breaches are occurring so that we can better argue for the introduction of data breach disclosure laws. Brian On Thu, 27 Dec 2007 04:40:52 +0000 (UTC), lyger wrote: > > > On Wed, 26 Dec 2007, Michael Hill, CITRMS wrote: > > ": " We get that question a lot in our business and here's how we answer > it. > ": " > ": " "Mr. (Business Owner) if I call into your business and ask for your > home address and phone number, will you or whomever answers the phone > going to give it to me?" I think not. The home address and phone number > is just the first step to getting your identity stolen. > > Not to take things too far, but I guess that was my part of my point. If > someone cold-called my place of business and asked for that information, I > wouldn't be willing to give it out. However, what's to stop anyone from > getting a copy of the White Pages or just getting online and hitting > Google or a dozen other search engines for the same information (if the > person in question is listed by such)? > > By the way, Adam made a good point about wanting a broader realm of > disclosure for tracking and analysis.
I wasn't trying to criticize the > content of the original post; it was more about opening discussion as to > what might be considered "personal", "private", "public", or "other". Any > other thoughts? -- Brian Honan BH Consulting Helping You Piece IT Together Tel: +353-1-4404065 Mob: +353-86-8114066 Email: brian.honan at bhconsulting.ie www: http://www.bhconsulting.ie Support Global Security Week http://www.globalsecurityweek.com From hbrown at knology.net Thu Dec 27 11:13:58 2007 From: hbrown at knology.net (Henry Brown) Date: Thu, 27 Dec 2007 05:13:58 -0600 Subject: [Dataloss] A study on the cost of US data breach's Message-ID: <477388F6.3040602@knology.net> Ponemon 2007 Annual Study: U.S. Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventative Solutions: This study "was derived from a detailed analysis of 35 data breach incidents. According to the study, the cost per compromised customer record increased in 2007, compared to 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase.
Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation." http://www.vontu.com/uploadedfiles/global/Ponemon-Cost-of-a-Data-Breach-2007.pdf From macwheel99 at wowway.com Thu Dec 27 15:03:35 2007 From: macwheel99 at wowway.com (Al Mac Wheel) Date: Thu, 27 Dec 2007 09:03:35 -0600 Subject: [Dataloss] Off-topic: TJX perspective Message-ID: <6.2.1.2.1.20071227085017.0288b3d0@pop3.mail.wowway.com> "Did TJX do what was reasonable and appropriate at the time it did it?" As they discovered they had various problems, did they take prudent steps, that we should expect of any organization in same situation? http://www.eweek.com/article2/0,1895,2240150,00.asp?kc=EWKNLRET122707FEA1 [...] The core problem with the TJX cases is that the lawsuits wanted to accuse TJX of something that is not illegal in any state. They wanted to hold the retailer liable for not properly protecting consumer credit card data. But there isn't anything on the books in any state or the federal government that requires that. Some industry efforts - most notably the PCI DSS (Payment Card Industry's Data Security Standard) - seek to require it, but those efforts have no muscle, other than the ability to deny a chain the right to accept the cards for payment. [..] One of TJX's defenses has been that its security wasn't materially worse than any other retailer of similar size. Sadly, it's a true point. [..] (I'm still waiting for an explanation of how intrusions continued to happen for multiple years before they were detected.) But I am pointing out that security investments are among the most difficult decisions and we need to be careful before criticizing those decisions. [..] Bigger chunks of coal need to go to state legislators and the U.S.
House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close). [..] TJX theorized - correctly - that any breach wouldn't cause any impact on sales, as consumers (protected by the card brands' zero-liability deals) would stand by it. With that regrettable fact out there, it would have been extremely difficult for TJX to have justified spending much more than it did. - Al Mac From lyger at attrition.org Thu Dec 27 22:11:21 2007 From: lyger at attrition.org (lyger) Date: Thu, 27 Dec 2007 22:11:21 +0000 (UTC) Subject: [Dataloss] Missing NY state employee data tapes found Message-ID: http://www.newsday.com/news/local/wire/newyork/ny-bc-ny--personalinformati1227dec27,0,2523910.story Five computer tapes containing the Social Security numbers, birth dates and other personal information for about 900 employees and retirees are back in the hands of the state Dormitory Authority after going missing for more than a week. Authority spokesman Marc Violette says UPS found the tapes at its Missouri warehouse for lost items, where they were sent after getting separated from their packaging at a sorting facility in Manhattan. They were returned Thursday. He says the tapes were checked and found undamaged and free of tampering. From lyger at attrition.org Fri Dec 28 12:35:15 2007 From: lyger at attrition.org (lyger) Date: Fri, 28 Dec 2007 12:35:15 +0000 (UTC) Subject: [Dataloss] TN: Laptops Containing Voter Information Stolen Message-ID: From: sysopsdan http://www.wsmv.com/news/14934234/detail.html Police said on Thursday that the Davidson County Election Commission was broken into. [.] Barrett said a computer router, a cell phone, a couple of radios and two laptops were taken. He said one of the laptops contained voter files on every registered voter in Davidson County. The files contain information such as addresses and Social Security numbers. [...]
From hbrown at knology.net Fri Dec 28 13:00:03 2007 From: hbrown at knology.net (Henry Brown) Date: Fri, 28 Dec 2007 07:00:03 -0600 Subject: [Dataloss] TN: Laptops Containing Voter Information Stolen In-Reply-To: References: Message-ID: <4774F353.9020709@knology.net> slight correction, this is from the Nashville Tennessean... http://tinyurl.com/ysybz2 ... Thieves broke into the Davidson County Election Commission offices over the Christmas holiday and made off with computers containing the names and identifying information of every voter in Nashville. The missing laptop contained names, addresses, phone numbers and the last four digits of about 337,000 voters' Social Security numbers. It's the same information that candidates buy from the county when they're putting together mailing lists (...) lyger wrote: > From: sysopsdan > > http://www.wsmv.com/news/14934234/detail.html > > Police said on Thursday that the Davidson County Election Commission was > broken into. > > [.] > > Barrett said a computer router, a cell phone, a couple of radios and two > laptops were taken. He said one of the laptops contained voter files on > every registered voter in Davidson County. The files contain information > such as addresses and Social Security numbers. > > [...]
From jericho at attrition.org Fri Dec 28 12:44:12 2007 From: jericho at attrition.org (security curmudgeon) Date: Fri, 28 Dec 2007 12:44:12 +0000 (UTC) Subject: [Dataloss] fringe: Porn industry frets over security breach Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.dailynews.com/ci_7816784 By Lisa Friedman Washington Bureau LA Daily News 12/27/2007 WASHINGTON - A New Jersey company that helps run thousands of pornography Web sites acknowledged a major security breach Wednesday, sparking widespread concern in the adult-entertainment industry that consumers' personal data could be endangered. According to industry chat boards that have been buzzing about the problem, the violation so far appears to be limited to e-mail addresses, with an avalanche of spam e-mail hitting Web site customers' inboxes - including unique addresses created for joining specific porn sites. John Albright, owner of the Too Much Media Corp., said in a statement Wednesday that no credit-card information was affected by the October incident. Officials with both Visa and MasterCard said they were unaware Wednesday of any problems in connection with the company. "An investigation is under way as to the cause and level of the security breach," Albright said in the statement. "TMM intends to prosecute to the fullest extent possible anyone responsible for any breach of its servers and programs." [..] From lyger at attrition.org Fri Dec 28 13:43:12 2007 From: lyger at attrition.org (lyger) Date: Fri, 28 Dec 2007 13:43:12 +0000 (UTC) Subject: [Dataloss] follow-up: Data broker at center of Certegy storm Message-ID: http://www.sptimes.com/2007/12/28/Business/Data_broker_at_center.shtml When Largo resident William "Gary" Sullivan pleaded guilty last month to stealing consumer financial records from his former employer, Certegy Check Services, he described the man he sold them to as a "co-conspirator."
Sullivan did not identify his alleged accomplice, who may face federal charges in the case. But Seminole data broker Michael S. Currier has some news for us: He is the guy who bought millions of records from Sullivan. And he had no idea they were stolen. [...] From lyger at attrition.org Fri Dec 28 21:39:55 2007 From: lyger at attrition.org (lyger) Date: Fri, 28 Dec 2007 21:39:55 +0000 (UTC) Subject: [Dataloss] Stolen Laptop had Minnesotans' personal info, state agency says Message-ID: http://www.twincities.com/allheadlines/ci_7830298?nclick_check=1 A laptop computer containing personal information on 219 Minnesotans licensed by the state Commerce Department was stolen from one of its Pennsylvania vendors earlier this month and has not been recovered, the department announced Friday. The laptop was stolen from an employee of Promissor Corporation in Philadelphia on Dec. 6 and reported to the Philadelphia Police Department. The Commerce Department uses Promissor to manage licensing data for the real estate, mortgage, and debt collection industries in Minnesota. [...] From lyger at attrition.org Sat Dec 29 01:44:46 2007 From: lyger at attrition.org (lyger) Date: Sat, 29 Dec 2007 01:44:46 +0000 (UTC) Subject: [Dataloss] update: Nashville voters' Social Security numbers may be at risk Message-ID: (now claiming full Social Security numbers may be involved, not just last 4 digits) http://www.bizjournals.com/nashville/stories/2007/12/24/daily22.html A break-in at the Davidson County Election Office at 800 Second Ave. has jeopardized a large number of voters' personal data, according to Ray Barrett, election administrator. Barrett said further investigation has revealed a greater loss of information during the break-in than originally thought and that voters' Social Security numbers may be involved. [...]
"As we looked deeper into determining the extent of loss that occurred during the holiday break-in, we now know that full Social Security numbers were included on the voter files contained on one or more of the stolen computers," Barrett said. "Initially, we thought that the only information was the same that the public can purchase when putting together mailing lists, we now know that was incorrect." [...] From fergdawg at netzero.net Sat Dec 29 02:13:15 2007 From: fergdawg at netzero.net (Paul Ferguson) Date: Sat, 29 Dec 2007 02:13:15 GMT Subject: [Dataloss] update: Nashville voters' Social Security numbers may be at risk Message-ID: <20071228.181315.18196.1@webmail09.vgs.untd.com> -- lyger wrote: >http://www.bizjournals.com/nashville/stories/2007/12/24/daily22.html Via The Boston Globe (AP). [snip] Thieves stole laptop computers containing the names and Social Security numbers of every registered voter in the city from election commission offices over the Christmas holiday, authorities said Friday. The computers also contain voters' addresses and phone numbers, Election Commissioner Ray Barrett said. The commission intends to send notices to the more than 337,000 registered voters in the city informing them of the theft. Voters are warned to monitor their bank accounts for suspicious activity. Barrett says he has asked the county's computer specialists to make changes to the system to safeguard against any future problems. [snip] Link: http://www.boston.com/news/nation/articles/2007/12/28/election_computers_stolen_in_tenn/ - ferg -- "Fergie", a.k.a.
Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ From lyger at attrition.org Sat Dec 29 19:37:33 2007 From: lyger at attrition.org (lyger) Date: Sat, 29 Dec 2007 19:37:33 +0000 (UTC) Subject: [Dataloss] AL: WSFA 12 News Update on Missing Air Force Computer Message-ID: http://www.wsfa.com/Global/story.asp?S=7550098&nav=0RdE J.J. Evans spent 24 years in the Air Force protecting our country. Now he's angry because he says the military didn't protect his personal information. He says, "When you trust someone with that, you expect better." Air Force officials sent Evans a letter detailing how a military laptop computer is missing and it contains personal information including social security numbers, birth dates, addresses, and telephone numbers of active and retired Air Force members. "When someone gets a hold of a computer, they can wreck things," Evans says. [...] http://www.wsfa.com/Global/story.asp?S=7554385&nav=menu33_3 WSFA 12 News has new information on a story we first reported Thursday night on WSFA 12 News at ten. Friday, Air Force Officials contacted WSFA 12 News telling us the personal information of 10,501 people are on a missing military computer. [...]