From Dissent at pogowasright.org Tue Jan 2 17:22:39 2007
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 2 Jan 2007 17:22:39 -0500 (EST)
Subject: [Dataloss] Cancer patients now face risk of ID theft, Emory warns
Message-ID:

http://www.ajc.com/news/content/news/stories/2007/01/02/0103meshemory.html

Officials at Emory University said Tuesday they have sent letters to more than 38,000 patients who have been treated for cancer at Emory Hospital, Emory Crawford Long Hospital and Grady Memorial Hospital, warning them that a computer containing their personal information had been stolen from a business contractor in Cincinnati. The patients were advised to put a fraud alert on their credit reports because of the identity theft.

The patient records included names, addresses, medical data, treatment information and Social Security numbers, Emory said in a statement. The information was in a computer stolen from an office of Electronic Registry Systems, one of Emory Healthcare's business contractors.

Emory spokeswoman Sarah Goodwin said confidential information from 32,071 patient files of Emory and Crawford Long patients had been taken, along with 5,959 from Grady. Emory University owns Emory Healthcare, of which Emory Hospital and Crawford Long are a part.

[...]

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From jericho at attrition.org Wed Jan 3 03:55:42 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 3 Jan 2007 03:55:42 -0500 (EST)
Subject: [Dataloss] Security grabs attention, but not always dollars (fwd)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.fcw.com/article97197-01-02-07-Web

By John Moore
Jan. 2, 2007

The data breach the University of California at Los Angeles reported last month marks the latest in a series of public-sector security lapses that have kept information technology security top of mind among IT executives. The university disclosed Dec. 12 that a restricted database containing names and Social Security numbers had been illegally accessed for more than a year. The school said access attempts had been made since October 2005. UCLA notified all 800,000 people whose names were contained in the database.

The breach follows other data-loss incidents last year, such as the loss of a Department of Veterans Affairs laptop computer containing personal information on more than 25 million veterans.

An Accenture/IDC study, released days before the UCLA incident was reported, shows security to be the main concern for the government IT executives surveyed. More than 90 percent of the executives said securing data is a priority for the new year. The next highest priority was network infrastructure, identified by 80 percent of the respondents. Security was clearly the top-priority area, said David Chen, a senior executive and U.S. government technology consulting lead at Accenture.

But although security ranks as a high priority, it doesn't top the list when it comes to IT investment. The study shows that on average, about 10 percent of the respondents' IT budgets are earmarked for security. Network, data center, operations and desktop expenditures each garnered bigger slices of the budget.

Chen said security technology is less expensive in some respects than other infrastructure elements when overall cost is considered. He cited the expense of managing numerous desktop devices. Still, IT security expenditures can be hard to justify when managers emphasize bottom-line results. The impact of security investment can be difficult to quantify, Chen said.
Some of the agencies are still struggling with putting the right amount of dollars behind security commensurate with the priority that it really is, he added.

Industry executives suggested a couple of ways government IT managers can help build the case for greater security investment. Bryan Sartin, managing principal and security consultant in Cybertrust's Investigative Response group, said executive leaders need to be educated on the potential impact of a security breach. He suggested computer incident response training for the chief executive officer, legal counsel, human resources directors and other executives with a role in incident response. He described such classes as a high-impact but inexpensive way to communicate what can happen.

Chen also said IT managers can try to demonstrate that a given security investment enables a function that couldn't be safely accomplished otherwise -- such as the ability to exchange information between two departments.

From lyger at attrition.org Wed Jan 3 17:35:43 2007
From: lyger at attrition.org (lyger)
Date: Wed, 3 Jan 2007 17:35:43 -0500 (EST)
Subject: [Dataloss] Ohio: Personal Info On Bank Customers Stolen
Message-ID:

http://www.akronnewsnow.com/business/itemdetail.asp?ID=960&section=business&subsection=localnews

KeyCorp has notified customers in Ohio and other states that private information about them was taken when a laptop computer was stolen from an outside vendor. Officials say the information on 9,300 customers may include Social Security Numbers. Corporate communications for the Cleveland-based bank say affected customers were notified by mail.

[...]
From Dissent at pogowasright.org Wed Jan 3 19:31:59 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 3 Jan 2007 19:31:59 -0500 (EST)
Subject: [Dataloss] [update] State urges taxpayers to watch for identity theft in wake of misprint
Message-ID:

http://www.wbay.com/Global/story.asp?S=5887666

MILWAUKEE -- The state Department of Revenue today is urging taxpayers to contact credit bureaus to guard against identity theft after acknowledging late last week that Social Security numbers for 171-thousand taxpayers inadvertently ended up on mailing labels.

The department first notified people and post offices of the misprint on Friday night, after it heard from people who had received the mailings earlier in the day. Department spokeswoman Meredith Helgerson says by this afternoon, some 54-thousand-500 undelivered booklets had been retrieved from post offices in Portage, Madison and Oshkosh. This means the remainder of the mailings -- now estimated at 171-thousand, up from 170-thousand -- were delivered in the past few days.

She says the department provided a file to the printer with confidential information such as names, addresses and Social Security numbers, which has been done in years past, but this time the numbers ended up on the labels. The department said the name of the company was Ripon Community Printers and they were paid 22-thousand dollars for the service this year. Company president Andy Lyke says they're trying to figure out how the numbers ended up on the labels and they regret the error.
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From Dissent at pogowasright.org Wed Jan 3 19:48:11 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 3 Jan 2007 19:48:11 -0500 (EST)
Subject: [Dataloss] Third Case of Computer Theft at High School
Message-ID:

http://www.wcbd.com/midatlantic/cbd/news.apx.-content-articles-CBD-2007-01-03-0015.html

North Charleston police are trying to find out who stole a laptop computer from Academic Magnet High School. That computer contains personal information about hundreds of students. This theft is actually the third time someone has stolen computers from this school.

November 17th -- someone stole a desktop computer from a guidance counselor's office.
November 30th -- someone stole three monitors and two laptops from the media center.
Over the holidays -- someone stole a laptop again from the same guidance counselor's office.

School officials say parents and students have nothing to worry about.

[...]

School officials and police say someone broke into the school and stole a laptop from a guidance counselor's office. Charleston County school representative Jerry Adams says that computer contained personal information for about 500 students who go to that school. But he says that information should be safe no matter whose hands it falls into.

"Identity theft and privacy issues concern us," said Adams. "But we don't think it's an issue because the information is password protected and encrypted."

[...]

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From bkdelong at pobox.com Fri Jan 5 16:01:22 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 5 Jan 2007 16:01:22 -0500
Subject: [Dataloss] New mandatory reporting laws & FOIA requests?
Message-ID:

Does anyone know if any new State laws went into effect Jan 1? We're up to 38 now?

Chris - I know you did some FOIAing of NC. I'd be curious what it would take to do all the other states and TRULY get a better insight into what's happening. Maybe we need to find a Privacy Rights Clearinghouse type org that can manage a FOIA project.

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From Dissent at pogowasright.org Fri Jan 5 17:28:04 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 5 Jan 2007 17:28:04 -0500 (EST)
Subject: [Dataloss] New mandatory reporting laws & FOIA requests?
In-Reply-To:
References:
Message-ID:

Re new legislation: I know that Vermont has some:
http://www.pogowasright.org/article.php?story=2006122107272726

Here are two urls that may be of some interest to you for clearinghouse on breach notification by states:
http://www.ncsl.org/programs/lis/cip/priv/breach06.htm
http://www.ncsl.org/programs/lis/cip/priv/breach.htm

Cheers,
/Dissent

> Does anyone know if any new State laws went into effect Jan 1? We're up to 38 now?
>
> Chris - I know you did some FOIAing of NC. I'd be
> curious what it would take to do all the other states and TRULY get a
> better insight into what's happening. Maybe we need to find a Privacy
> Rights Clearinghouse type org that can manage a FOIA project.
>

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From Dissent at pogowasright.org Fri Jan 5 18:39:09 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 5 Jan 2007 18:39:09 -0500 (EST)
Subject: [Dataloss] Stolen laptop contains firemen's SSNs
Message-ID:

http://rdu.news14.com/content/headlines/Default.asp?ArID=97605&SecID=2&

SELMA, NC -- A stolen laptop in Johnston County has firemen on alert for identity theft. The computer contained the names and social security numbers of volunteer firemen in Selma.

Earlier this week, someone stole a laptop computer from Selma's Water Treatment Plant. The computer was only valued at about $1,000, but some of the information on it could be priceless. That's because it contained the names and social security numbers of Selma's volunteer firefighters.

[...]

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From chris at cwalsh.org Sat Jan 6 22:43:00 2007
From: chris at cwalsh.org (Chris Walsh)
Date: Sat, 6 Jan 2007 21:43:00 -0600
Subject: [Dataloss] New mandatory reporting laws & FOIA requests?
In-Reply-To:
References:
Message-ID: <63E2AC08-3994-451A-9F91-EC6F2C33A58B@cwalsh.org>

I have considered this. The thing is, w/out some requirement that breaches be reported to the government, I don't see how the government would have breach information except about the government itself. As we have seen in the situation with the federal govt, there can be a great deal of this. But I personally haven't seen the value in trying it, especially since it would be necessary to send out umpteen requests to the various departments in each of the states. You could easily have hundreds of requests in flight. Way beyond my means, but as a project by, say, a journalism or law school, totally doable.
Hint, Hint :^)

You are correct that I asked NC for records. They responded quickly and disappointingly. However, after my request they published a breach reporting form which -- if it is actually used -- would contain great information.

NY responded to my most recent request, and I should be receiving 1289 pages (!) of breach-related records soon. My plan is to scan them all in and make them available.

I'll fire off a foia request to North Carolina for any and all breach reporting forms they have. Hopefully, they won't put up a fight over it.

I already foia'ed NJ. Their law mandates central reporting, but to the state police. As a result, they are calling these investigatory records that are exempt from disclosure.

Maine also requires central reporting if the breached entity is regulated by Maine's dept of professional and financial regulation. Other than for data brokers, the maine law kicks in on 1/31/2007. I'll probably get around to asking them for their records after NY and NC.

Chris

On Jan 5, 2007, at 3:01 PM, B.K. DeLong wrote:
> I know you did some FOIAing of NC. I'd be
> curious what it would take to do all the other states and TRULY get a
> better insight into what's happening. Maybe we need to find a Privacy
> Rights Clearinghouse type org that can manage a FOIA project.

From lyger at attrition.org Mon Jan 8 00:22:35 2007
From: lyger at attrition.org (lyger)
Date: Mon, 8 Jan 2007 00:22:35 -0500 (EST)
Subject: [Dataloss] PogoWasRight.org Status
Message-ID:

(for those who follow PogoWasRight.org)

http://www.pogowasright.org/article.php?story=20070107213304961

Sunday, January 07 2007 @ 09:33 PM CST - Contributed by: PrivacyNews -

We're in the process of migrating this site to another server, so news may not be updated for the next 24-48 hours. We'll be back as soon as we can!

From DAplin at bna.com Mon Jan 8 08:44:54 2007
From: DAplin at bna.com (Donald Aplin)
Date: Mon, 8 Jan 2007 08:44:54 -0500
Subject: [Dataloss] New mandatory reporting laws & FOIA requests?
In-Reply-To:
Message-ID:

New data breach consumer notice law took effect 12/3/06 in Arizona.

New breach notice laws took effect Jan. 1 in Hawaii and Utah.

Extension of Maine's data breach notice law from just data brokers to all businesses takes effect Jan. 31.

New credit freeze laws took effect Jan. 1 in Penn., R.I., Ok., Hawaii, N.H., Ill., Kan., and Wisc.

Indiana's junk fax law took effect Jan. 1

Donald G. Aplin
Legal Editor
BNA's Privacy & Security Law Report
(202) 452-4688

From Dissent at pogowasright.org Mon Jan 8 18:41:50 2007
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 8 Jan 2007 18:41:50 -0500 (EST)
Subject: [Dataloss] Notre Dame Security Breach
Message-ID:

http://www.wndu.com/news/headlines/5123266.html

Notre Dame employees recently received a letter in the mail that some of their personal information may have gotten into the wrong hands. A University Director's laptop was stolen before Christmas. On January 2nd university employees received the letter notifying them of the crime. They were told they may want to monitor activities on personal accounts because the computer was storing Social Security numbers and salary information.

[...]

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From Dissent at pogowasright.org Mon Jan 8 20:06:19 2007
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 8 Jan 2007 20:06:19 -0500 (EST)
Subject: [Dataloss] Laptops Containing Retirement Data Are Reported Stolen
Message-ID:

http://online.wsj.com/google_login.html?url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB116829611935870675.html%3Fmod%3Dgooglenews_wsj

Five laptops containing data about tens of thousands of retirement-plan participants at multiple companies were reported stolen by benefits consulting giant Towers Perrin last month, the latest in a string of thefts across industries raising concerns about privacy and identity theft.
Towers Perrin reported the laptops missing on Dec. 7, and New York City police made an arrest on Dec. 28, but the computers haven't been recovered, people familiar with the matter said. A criminal complaint filed in New York suggests the laptops were stolen from a locked room in the building housing Towers Perrin's Manhattan office on Nov. 27.

[sub. req. for full article]

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From lyger at attrition.org Mon Jan 8 20:22:14 2007
From: lyger at attrition.org (lyger)
Date: Mon, 8 Jan 2007 20:22:14 -0500 (EST)
Subject: [Dataloss] Laptops Containing Retirement Data Are Reported Stolen
Message-ID:

http://online.wsj.com/google_login.html?url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB116829611935870675.html%3Fmod%3Dgooglenews_wsj

Five laptops containing data about tens of thousands of retirement-plan participants at multiple companies were reported stolen by benefits consulting giant Towers Perrin last month, the latest in a string of thefts across industries raising concerns about privacy and identity theft.

Towers Perrin reported the laptops missing on Dec. 7, and New York City police made an arrest on Dec. 28, but the computers haven't been recovered, people familiar with the matter said. A criminal complaint filed in New York suggests the laptops were stolen from a locked room in the building housing Towers Perrin's Manhattan office on Nov. 27.

[...]
From lyger at attrition.org Mon Jan 8 20:42:04 2007
From: lyger at attrition.org (lyger)
Date: Mon, 8 Jan 2007 20:42:04 -0500 (EST)
Subject: [Dataloss] Laptops Containing Retirement Data Are Reported Stolen
Message-ID:

http://online.wsj.com/google_login.html?url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB116829611935870675.html%3Fmod%3Dgooglenews_wsj

Five laptops containing data about tens of thousands of retirement-plan participants at multiple companies were reported stolen by benefits consulting giant Towers Perrin last month, the latest in a string of thefts across industries raising concerns about privacy and identity theft.

Towers Perrin reported the laptops missing on Dec. 7, and New York City police made an arrest on Dec. 28, but the computers haven't been recovered, people familiar with the matter said. A criminal complaint filed in New York suggests the laptops were stolen from a locked room in the building housing Towers Perrin's Manhattan office on Nov. 27.

[...]

From rforno at infowarrior.org Wed Jan 10 09:03:47 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 10 Jan 2007 09:03:47 -0500
Subject: [Dataloss] They Take it Seriously? Oh, Sure
Message-ID:

They Take it Seriously? Oh, Sure
January 9th, 2007 by Dan Gillmor

(I originally wrote this for PR Week magazine.)

Several weeks ago, UCLA acknowledged that some of its computers had been hacked. Obeying a state law, it notified more than 800,000 people that their personal data, including Social Security numbers, might have ended up in the wrong hands.

The fact that the data got loose wasn't all that striking. Unfortunately, that's all too common. What struck me was this statement from a hapless UCLA honcho: "We have a responsibility to safeguard personal information, an obligation that we take very seriously."

When and where have I heard that before? All kinds of times and places, actually. It's becoming a mantra that means almost nothing.

Try this: Plug "we take" and "very seriously" into a Google News or Yahoo News search. You'll get hundreds of hits, albeit some repeats, where some big institution - corporate, educational, government, whatever - makes a giant blunder and then issues a "we take (insert the violated policy) very seriously" statement.

< - >

http://citmedia.org/blog/2007/01/09/they-take-it-seriously-oh-sure/

From bkdelong at pobox.com Wed Jan 10 09:20:15 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Wed, 10 Jan 2007 09:20:15 -0500
Subject: [Dataloss] They Take it Seriously? Oh, Sure
In-Reply-To:
References:
Message-ID:

That would be an interesting data point to collect - how many incidents had a corporate wonk saying something to the effect of "very seriously" or "extremely seriously".

On 1/10/07, Richard Forno wrote:
> They Take it Seriously? Oh, Sure
> January 9th, 2007 by Dan Gillmor
>
> (I originally wrote this for PR Week magazine.)
>
> Several weeks ago, UCLA acknowledged that some of its computers had been
> hacked. Obeying a state law, it notified more than 800,000 people that their
> personal data, including Social Security numbers, might have ended up in the
> wrong hands.
>
> The fact that the data got loose wasn't all that striking. Unfortunately,
> that's all too common. What struck me was this statement from a hapless UCLA
> honcho: "We have a responsibility to safeguard personal information, an
> obligation that we take very seriously."
>
> When and where have I heard that before? All kinds of times and places,
> actually. It's becoming a mantra that means almost nothing.
>
> Try this: Plug "we take" and "very seriously" into a Google News or Yahoo
> News search. You'll get hundreds of hits, albeit some repeats, where some
> big institution - corporate, educational, government, whatever - makes a
> giant blunder and then issues a "we take (insert the violated policy) very
> seriously" statement.
>
> < - >
>
> http://citmedia.org/blog/2007/01/09/they-take-it-seriously-oh-sure/
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 143 million compromised records in 529 incidents over 6 years.
>
>

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From SSteele at infolocktech.com Wed Jan 10 09:41:28 2007
From: SSteele at infolocktech.com (Sean Steele)
Date: Wed, 10 Jan 2007 09:41:28 -0500
Subject: [Dataloss] They Take it Seriously? Oh, Sure
Message-ID: <90D8CEF754D7D9448BA11172BB50443204736056@orange.brnets.int>

Not to sound flippant, but what do we expect them to say? Spin control is spin control, and PR wonks and in-the-crosshairs execs will continue to say the only thing they can say -- namely, that they take security very seriously. Such is life, right?

What I'd like to see is regulatory and civil penalties levied at the offending organizations, done in a "very serious" way.

--
Sean Steele, CISSP
infoLock Technologies
703.310.6478 direct
202.270.8672 mobile
ssteele at infolocktech.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of B.K. DeLong
Sent: Wednesday, January 10, 2007 9:20 AM
To: Richard Forno
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] They Take it Seriously? Oh, Sure

That would be an interesting data point to collect - how many incidents had a corporate wonk saying something to the effect of "very seriously" or "extremely seriously".

On 1/10/07, Richard Forno wrote:
> They Take it Seriously? Oh, Sure
> January 9th, 2007 by Dan Gillmor
>
> (I originally wrote this for PR Week magazine.)
>
> Several weeks ago, UCLA acknowledged that some of its computers had been
> hacked. Obeying a state law, it notified more than 800,000 people that their
> personal data, including Social Security numbers, might have ended up in the
> wrong hands.
>
> The fact that the data got loose wasn't all that striking. Unfortunately,
> that's all too common. What struck me was this statement from a hapless UCLA
> honcho: "We have a responsibility to safeguard personal information, an
> obligation that we take very seriously."
>
> When and where have I heard that before? All kinds of times and places,
> actually. It's becoming a mantra that means almost nothing.
>
> Try this: Plug "we take" and "very seriously" into a Google News or Yahoo
> News search. You'll get hundreds of hits, albeit some repeats, where some
> big institution - corporate, educational, government, whatever - makes a
> giant blunder and then issues a "we take (insert the violated policy) very
> seriously" statement.
>
> < - >
>
> http://citmedia.org/blog/2007/01/09/they-take-it-seriously-oh-sure/
>
>

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org
From jwalker at absolute.com Wed Jan 10 10:02:13 2007
From: jwalker at absolute.com (Jeff Walker)
Date: Wed, 10 Jan 2007 07:02:13 -0800
Subject: [Dataloss] They Take it Seriously? Oh, Sure - Criminally Liable?
Message-ID: <646F1FBDAF84414BA7892F1D9BD69DB603FE0729@ABSEXCH.absolute.com>

Good stuff, guys. My questions to the experts on data protection laws are:

1) do some states say organizations don't have to disclose a breach if the data was encrypted?, and
2) are there differences in disclosure methodology/semantics for an external theft versus an internal one?

Thanks in advance!

--jeff

________________________________
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of ray.hawkins at comcast.net
Sent: Wednesday, January 10, 2007 8:50 AM
To: B.K. DeLong; Richard Forno
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] They Take it Seriously? Oh, Sure - Criminally Liable?

[faked-from]

My sense is that it has become nothing more than "aw shucks" gotta fess up p.r. vomit. It may be interesting to see how, if any, political winds may shift with the new Congress and whether any cohesive regulatory/statutory bills with teeth will pass with the Dems.

Have the prevailing perspectives become that "it is not a matter of 'if' but 'when'" a breach or another breach will happen? Shoring up data privacy controls is a business decision that is being weighed in terms of the cost of control and risk mitigation versus the cost absorption of a breach - just another footnote on a balance sheet or a single buried line in the annual report.

The "what if" may be whether or not the wascally wabbits would weally weally take it seriously (insert Elmer Fudd voice) if they were instead criminally liable for data breaches in absence of a defined due diligence in protecting data.

Thoughts?

--
~The Hawk

-------------- Original message --------------
From: "B.K. DeLong"

> That would be an interesting data point to collect - how many
> incidents had a corporate wonk saying something to the effect of "very
> seriously" or "extremely seriously".
>
> On 1/10/07, Richard Forno wrote:
> > They Take it Seriously? Oh, Sure
> > January 9th, 2007 by Dan Gillmor
> >
> > (I originally wrote this for PR Week magazine.)
> >
> > Several weeks ago, UCLA acknowledged that some of its computers had been
> > hacked. Obeying a state law, it notified more than 800,000 people that their
> > personal data, including Social Security numbers, might have ended up in the
> > wrong hands.
> >
> > The fact that the data got loose wasn't all that striking. Unfortunately,
> > that's all too common. What struck me was this statement from a hapless UCLA
> > honcho: "We have a responsibility to safeguard personal information, an
> > obligation that we take very seriously."
> >
> > When and where have I heard that before? All kinds of times and places,
> > actually. It's becoming a mantra that means almost nothing.
> >
> > Try this: Plug "we take" and "very seriously" into a Google News or Yahoo
> > News search. You'll get hundreds of hits, albeit some repeats, where some
> > big institution - corporate, educational, government, whatever - makes a
> > giant blunder and then issues a "we take (insert the violated policy) very
> > seriously" statement.
> >
> > < - >
> >
> > http://citmedia.org/blog/2007/01/09/they-take-it-seriously-oh-sure/
> >
> >
>
> --
> B.K. DeLong (K3GRN)
> bkdelong at pobox.com
> +1.617.797.8471
>
> http://www.wkdelong.org Son.
> http://www.ianetsec.com Work.
> http://www.bostonredcross.org Volunteer.
> http://www.carolingia.eastkingdom.org Service.
> http://bkdelong.livejournal.com Play.
>
> PGP Fingerprint:
> 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
>
> FOAF:
> http://foaf.brain-stream.org
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20070110/8c97e72c/attachment-0001.html

From bkdelong at pobox.com Wed Jan 10 10:13:57 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Wed, 10 Jan 2007 10:13:57 -0500
Subject: [Dataloss] They Take it Seriously? Oh, Sure
In-Reply-To:
References: <90D8CEF754D7D9448BA11172BB50443204736056@orange.brnets.int>
Message-ID:

We just had an interesting briefing here at The Institute about compliance enforcement and how little personal action and even less regulatory action is being taken with regard to GLB, SOX, FFIEC, PCI etc.

On 1/10/07, Sean Steele wrote:
> Not to sound flippant, but what do we expect them to say? Spin control is spin control, and PR wonks and in-the-crosshairs execs will continue to say the only thing they can say -- namely, that they take security very seriously. Such is life, right?
>
> What I'd like to see is regulatory and civil penalties levied at the offending organizations, done in a "very serious" way.

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From DAplin at bna.com Wed Jan 10 10:44:49 2007
From: DAplin at bna.com (Donald Aplin)
Date: Wed, 10 Jan 2007 10:44:49 -0500
Subject: [Dataloss] They Take it Seriously? Oh, Sure - Criminally Liable?
In-Reply-To: <646F1FBDAF84414BA7892F1D9BD69DB603FE0729@ABSEXCH.absolute.com>
Message-ID:

The vast majority of the 34 state-enacted data breach consumer notification laws only require notice if there is a breach of unencrypted data. A few of the newer ones added that it's still a covered breach if the encryption key goes missing at the same time encrypted data is lost.

Perhaps more important are the risk of harm threshold provisions in many of the laws which do not require notification if after a "reasonable" investigation by the covered entity there is a determination that there was no actual damage or any reasonable risk of future harm done by the breach (this is consistent with the court examinations of breaches in which they pretty much uniformly do not consider the threat of potential ID theft to be actual damages).

In short, the fox gets to guard the henhouse.

Donald G. Aplin
Legal Editor
BNA's Privacy & Security Law Report
(202) 452-4688

From Dissent at pogowasright.org Wed Jan 10 15:07:52 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 10 Jan 2007 15:07:52 -0500 (EST)
Subject: [Dataloss] CIPPIC White Paper: Approaches to Security Breach Notifications
Message-ID:

http://www.cippic.ca/en/news/documents/BreachNotification_9jan07-web.pdf

[...]

Following a review of gaps in the Canadian legal framework, this Paper analyzes security breach legislation in the U.S., where over half the states have enacted a mandatory security breach disclosure requirement and where several federal bills are currently pending. Various arguments for and against mandatory notification are analyzed, and specific recommendations for amending PIPEDA are proposed.

[...]
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From cwalsh at cwalsh.org Wed Jan 10 15:23:28 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 10 Jan 2007 14:23:28 -0600
Subject: [Dataloss] CIPPIC White Paper: Approaches to Security Breach Notifications
Message-ID: <20070110202317.GA23660@cwalsh.org>

Just skimmed it. Looks GREAT. Plenty of important info in one place.

From Dissent at pogowasright.org Thu Jan 11 09:09:01 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 11 Jan 2007 09:09:01 -0500 (EST)
Subject: [Dataloss] [Update?] Philip Morris ID Theft Alert

[Note: I think that this news item is probably part of the Towers Perrin breach reported previously on DL, but more details are needed.]

http://www.wric.com/Global/story.asp?S=5924191

Thousands of local Philip Morris workers could be at risk of identity theft. Philip Morris is warning thousands of local workers their personal information may have been accessed. The company began alerting employees this week that laptop computers have been stolen that included names, salaries and social security numbers of employees. These laptops were taken from the offices of a New York City consulting firm that handles benefit programs for Philip Morris.

From george at myitaz.com Thu Jan 11 09:18:21 2007
From: george at myitaz.com (George Toft)
Date: Thu, 11 Jan 2007 07:18:21 -0700
Subject: [Dataloss] They Take it Seriously?
Oh, Sure
Message-ID: <45A6472D.3060807@myitaz.com>

In UC's defense, they have a very aggressive information protection policy - something like 150 pages of policy/procedure designed to protect information as required by GLBA (it's been a while since I read it, so my page count might be off). I think they are the exception rather than the rule as they've done more than most to protect their data.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760
Confidential data protection experts for the financial industry.

Richard Forno wrote:
> They Take it Seriously? Oh, Sure
> January 9th, 2007 by Dan Gillmor
>
> (I originally wrote this for PR Week magazine.)
>
> Several weeks ago, UCLA acknowledged that some of its computers had been hacked. Obeying a state law, it notified more than 800,000 people that their personal data, including Social Security numbers, might have ended up in the wrong hands.
>
> The fact that the data got loose wasn't all that striking. Unfortunately, that's all too common. What struck me was this statement from a hapless UCLA honcho: "We have a responsibility to safeguard personal information, an obligation that we take very seriously."
>
> When and where have I heard that before? All kinds of times and places, actually. It's becoming a mantra that means almost nothing.
>
> Try this: Plug "we take" and "very seriously" into a Google News or Yahoo News search. You'll get hundreds of hits, albeit some repeats, where some big institution - corporate, educational, government, whatever - makes a giant blunder and then issues a "we take (insert the violated policy) very seriously" statement.
>
> < - >
>
> http://citmedia.org/blog/2007/01/09/they-take-it-seriously-oh-sure/
From george at myitaz.com Thu Jan 11 09:25:16 2007
From: george at myitaz.com (George Toft)
Date: Thu, 11 Jan 2007 07:25:16 -0700
Subject: [Dataloss] They Take it Seriously? Oh, Sure - Criminally Liable?
Message-ID: <45A648CC.3090107@myitaz.com>

And this verbiage is what is so irritating. If the server hard drive is encrypted, they can say the data was encrypted, right? But if the attack were network based, and the OS decrypted the data and the attacker got the data, it was unencrypted. Security professionals know the data was unencrypted - that's how the thief got it. But the managers are going to say the drive was encrypted. I think this verbiage is geared toward laptop theft, not server attacks. The verbiage is loose enough to give the negligent ones wiggle room to not have to report.

The other side of this coin is getting business owners to acknowledge the law. I spent the last year talking to businesses regulated by GLBA, and most of them (99%) refuse to acknowledge their obligation under the law, and none of them ever heard of Arizona's breach reporting law.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760
Confidential data protection experts for the financial industry.

Donald Aplin wrote:
> The vast majority of the 34 state-enacted data breach consumer notification laws only require notice if there is a breach of unencrypted data. A few of the newer ones added that it's still a covered breach if the encryption key goes missing at the same time encrypted data is lost.
> Perhaps more important are the risk of harm threshold provisions in many of the laws which do not require notification if after a "reasonable" investigation by the covered entity there is a determination that there was no actual damage or any reasonable risk of future harm done by the breach (this is consistent with the court examinations of breaches in which they pretty much uniformly do not consider the threat of potential ID theft to be actual damages). In short, the fox gets to guard the henhouse.
>
> Donald G. Aplin
> Legal Editor
> BNA's Privacy & Security Law Report
> (202) 452-4688

From ADAIL at sunocoinc.com Thu Jan 11 12:00:08 2007
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Thu, 11 Jan 2007 12:00:08 -0500
Subject: [Dataloss] They Take it Seriously? Oh, Sure - Criminally Liable?
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC708B0@mds3aex0e.USISUNOCOINC.com>

At least once per week I still get a credit card receipt with the full number printed on it.

> The other side of this coin is getting business owners to acknowledge the law. I spent the last year talking to businesses regulated by GLBA, and most of them (99%) refuse to acknowledge their obligation under the law, and none of them ever heard of Arizona's breach reporting law.
>
> George Toft, CISSP, MSIS
> My IT Department
> www.myITaz.com
> 623-203-1760
> Confidential data protection experts for the financial industry.
From marcus.dolce at gmail.com Thu Jan 11 12:29:11 2007
From: marcus.dolce at gmail.com (Marcus Dolce)
Date: Thu, 11 Jan 2007 12:29:11 -0500
Subject: [Dataloss] They Take it Seriously? Oh, Sure - Criminally Liable?
References: <646F1FBDAF84414BA7892F1D9BD69DB603FE0729@ABSEXCH.absolute.com>
Message-ID: <705683c90701110929m5f0f6d5ep6801bdeab7561961@mail.gmail.com>

Spot on, in my opinion. It is not always what it is...but what it seems to be. Perception is reality... etc, etc.

That is why this entire topic needs to become as publicized as possible. The more people like us continue to create awareness around the loopholes and caveats of the laws that are out, the better.

Just like most things in life, it seems that the real fight, and progress to be made in all of this, is much faster on the legal front...as opposed to the technical front.

MD

On 1/10/07, Donald Aplin wrote:
> The vast majority of the 34 state-enacted data breach consumer notification laws only require notice if there is a breach of unencrypted data. A few of the newer ones added that it's still a covered breach if the encryption key goes missing at the same time encrypted data is lost. Perhaps more important are the risk of harm threshold provisions in many of the laws which do not require notification if after a "reasonable" investigation by the covered entity there is a determination that there was no actual damage or any reasonable risk of future harm done by the breach (this is consistent with the court examinations of breaches in which they pretty much uniformly do not consider the threat of potential ID theft to be actual damages). In short, the fox gets to guard the henhouse.
>
> Donald G.
> Aplin
> Legal Editor
> BNA's Privacy & Security Law Report
> (202) 452-4688

From Dissent at pogowasright.org Thu Jan 11 12:59:40 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 11 Jan 2007 12:59:40 -0500 (EST)
Subject: [Dataloss] [update] Arrest made in Altria laptop case

http://www.timesdispatch.com/servlet/Satellite?pagename=RTD/MGArticle/RTD_BasicArticle&c=MGArticle&cid=1149192605701

New York police have arrested a security officer in the theft of five laptops containing the names of about 18,000 past and present employees of Altria, the parent company of Philip Morris USA in Richmond.

Altria spokeswoman Lisa Gonzalez said Philip Morris has sent e-mails and letters to many of its 6,300 area employees whose names, social security numbers and other pension-related information were found on the stolen computers.

The theft occurred in late November in the New York City offices of Towers Perrin, which handles pension and benefit consulting for Altria. Employees at other branches of the company, including Kraft Foods and Philip Morris International, also have been notified.

Altria and Towers Perrin waited to inform the affected employees until after police made an arrest on Dec. 28. Towers Perrin said in its letter that "we have no reason to believe that your information has been misused."

Dewayne Rivers, 30, of Brooklyn, has been charged in the theft. Rivers worked as chief information security officer at the Towers Perrin offices, according to a police report. Rivers was released Dec.
28 on $10,000 bail and has an April 5 court date, a spokesman for the Manhattan District Attorney's office said today.

From lyger at attrition.org Thu Jan 11 16:10:22 2007
From: lyger at attrition.org (lyger)
Date: Thu, 11 Jan 2007 16:10:22 -0500 (EST)
Subject: [Dataloss] Stolen UI computers contain personal data for 70,000

http://www.ktvb.com/news/localnews/stories/ktvbn-jan1107-stolen_data.2df71504.html

BOISE - Three desktop computers have disappeared from the University of Idaho's Advancement Services office ... and now school officials say the personal data of alumni, donors, employees and students may be in danger.

UI says someone stole the computers ... and an internal investigation shows that as many as 70,000 social security numbers, names and addresses may be stored on the hard drives.

[...]

From lyger at attrition.org Thu Jan 11 20:37:16 2007
From: lyger at attrition.org (lyger)
Date: Thu, 11 Jan 2007 20:37:16 -0500 (EST)
Subject: [Dataloss] (no subject)

http://www.upi.com/NewsTrack/view.php?StoryID=20070111-075324-5127r

WASHINGTON, Jan. 11 (UPI) -- The Department of Veterans Affairs in Washington didn't take seriously congressional requests to safeguard veterans' information, The Hill reported.

The Capitol Hill newspaper said a tape recording of a meeting between lawmakers and VA officials shows a veterans affairs official accusing Congress of engaging in a power play over the handling of veterans' personal data stored on computers.

[...]
From hbrown at knology.net Fri Jan 12 05:29:33 2007
From: hbrown at knology.net (Henry Brown)
Date: Fri, 12 Jan 2007 04:29:33 -0600
Subject: [Dataloss] (VA Data loss Followup)
Message-ID: <45A7630D.1050704@knology.net>

The full article is available at http://www.hillnews.com/thehill/export/TheHill/News/Frontpage/011107/tape.html , at least at this time.

lyger wrote:
> http://www.upi.com/NewsTrack/view.php?StoryID=20070111-075324-5127r
>
> WASHINGTON, Jan. 11 (UPI) -- The Department of Veterans Affairs in Washington didn't take seriously congressional requests to safeguard veterans' information, The Hill reported.
>
> The Capitol Hill newspaper said a tape recording of a meeting between lawmakers and VA officials shows a veterans affairs official accusing Congress of engaging in a power play over the handling of veterans' personal data stored on computers.
>
> [...]

From lyger at attrition.org Fri Jan 12 13:29:15 2007
From: lyger at attrition.org (lyger)
Date: Fri, 12 Jan 2007 13:29:15 -0500 (EST)
Subject: [Dataloss] MoneyGram says consumer info accessed

http://www.businessweek.com/ap/financialnews/D8MJSR0O1.htm

MoneyGram International Inc., a global payment services provider, announced Friday that a company server with consumer information for about 79,000 bill payment customers was unlawfully accessed over the Internet last month.

...

The information involved did not include Social Security or driver's license numbers. It did include the names, addresses, phone numbers -- and in some cases -- the bank account numbers of MoneyGram customers.

[...]
From Dissent at pogowasright.org Sat Jan 13 09:37:54 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 13 Jan 2007 09:37:54 -0500 (EST)
Subject: [Dataloss] Laptop theft puts residents at risk

http://www.charlotte.com/mld/charlotte/16451423.htm

RALEIGH - A laptop computer containing files on 30,000 taxpayers was stolen from the car of an N.C. Department of Revenue employee last month, and state officials are cautioning everyone on the list to keep an eye on their finances for potential fraud.

The Revenue Department this week dispatched letters to all 30,000 people, apparently the first such episode since the enactment of an N.C. law last fall requiring government agencies to notify consumers when their data are lost or stolen.

Police have not recovered the computer, but the Jan. 10 letter from Secretary of Revenue Norris Tolson said state officials are not aware of anyone gaining access to the data.

[...]

From Dissent at pogowasright.org Tue Jan 16 13:11:06 2007
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 16 Jan 2007 13:11:06 -0500 (EST)
Subject: [Dataloss] Personal info may be at risk after burglary

http://media.www.dailylobo.com/media/storage/paper344/news/2007/01/16/News/Personal.Info.May.Be.At.Risk.After.Burglary-2634025.shtml?sourcedomain=www.dailylobo.com&MIIHost=media.collegepublisher.com

At least three computers and four monitors were stolen from the associate provost's office overnight between Jan. 2 and 3, said Lt. Pat Davis, UNM Police spokesman.

The computers may have contained faculty members' names and Social Security numbers, said Richard Holder, associate provost.

[...]

The associate provost's office sent an e-mail to faculty members Jan.
9, warning that their personal information may have been accessed and suggested precautionary steps to prevent identity theft.

[...]

From Dissent at pogowasright.org Wed Jan 17 08:02:48 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 17 Jan 2007 08:02:48 -0500 (EST)
Subject: [Dataloss] Customer data stolen from water district

http://www.signonsandiego.com/news/northcounty/20070117-9999-1mi17rincon.html

The credit-card numbers of about 500 customers in the Rincon del Diablo Municipal Water District were stolen yesterday in an early-morning break-in, officials said.

Thieves smashed a glass wall at the district's offices on North Iris Lane and stole two computers, one from the customer services department and the other from engineering, said Darlene Lynn, interim general manager.

Customers' names and credit-card numbers were contained in software on the customer services computer, but their Social Security numbers and birth dates were not on either computer, Lynn said. She said the number of stolen credit-card numbers could increase because officials are still determining the extent of information that was taken.

No instances of credit-card numbers being used illegally have been reported, the district said, and police are investigating the burglary.

[...]

About 5 percent of the district's customers pay with credit cards on a regular basis, she said.

The district serves about 7,600 customers within a 42-square-mile service area that includes parts of the city of Escondido, unincorporated neighborhoods outside the city and parts of San Marcos and San Diego.

For more information, call the water district at (760) 745-5522.
From Dissent at pogowasright.org Wed Jan 17 08:04:16 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 17 Jan 2007 08:04:16 -0500 (EST)
Subject: [Dataloss] Debit cards canceled after security breach

http://www.telegram.com/apps/pbcs.dll/article?AID=/20070117/NEWS/701170343/1002/BUSINESS

FITCHBURG - About 1,300 debit-ATM cards issued by Fitchburg Savings Bank were deactivated yesterday after the bank was told by Visa USA that a "large-scale data compromise" may have included its check cards.

None of the cards was used fraudulently and all are being replaced, said Martin F. Connors Jr., bank president and chief executive officer.

"If someone has the person's information, at this point they can't do anything with it," he said.

Mr. Connors said he was aware of at least one other financial institution in Worcester County with far more cards affected by the security breach.

A broader problem was confirmed by the Massachusetts Bankers Association yesterday.

"It appears that Visa has notified a number of banks in Massachusetts that a large-scale retailer has had a problem with some of its customer data," said Bruce E. Spitzer, an MBA spokesman. "Quite a few banks are replacing cards or notifying customers to be extra vigilant in monitoring their accounts. If a card needs to be reissued, the bank will do it."

Another source indicated that the breach may be broader than Visa cards.

[...]
From rforno at infowarrior.org Wed Jan 17 08:42:48 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 17 Jan 2007 08:42:48 -0500
Subject: [Dataloss] Less Data, More Security

Less Data, More Security
By Ed Sutherland
http://www.internetnews.com/bus-news/article.php/3654211

Barely a week goes by these days without news of laptops stolen or lost, and loaded with data that can expose employees, consumers or patients to identity theft.

For companies involved, data breaches harm more than a corporate image. They impact the bottom line.

According to research from the Ponemon Institute, a research firm focusing on privacy and data protection practices, data breaches cost companies $182 per record lost. The Privacy Rights Clearinghouse counts more than 100 million records lost to data breaches since February 2005. An FBI survey pegged losses due to data breaches at $67.2 billion in 2006.

And it's not just companies handling personal data, such as Social Security numbers or medical information, bearing the costs. According to Ponemon, 81 percent of the companies it surveyed reported annually losing one or more laptops containing confidential data. Each laptop contains data worth around $972,000, according to a 2006 Symantec survey.

That's why security experts already see a shift in security policies underway, with more to come this year. Data minimization is one of them.

"People are running scared with their hair on fire," said Troy Allen, a risk consultant and CEO of security firm Kroll's Fraud Solutions unit. That sense of alarm has created an unregulated industry offering consumers and companies ways to "prevent" data breaches.

"You can't stop identity theft. Period," Allen said. No matter what policies are in place, laptops will walk off with data.
And fraud alerts, the ubiquitous answer to data breaches, have become meaningless, he added.

Indeed, the rash of stolen laptops led Kroll to label 2006 "The Year of the Data Breach."

Plenty of online auctions exist where identities are bought and sold, where, eBay style, the sellers get reviews. He said clean identities can go for as much as $40 a pop.

When Pennsylvania's Geisinger Health Systems learned personal data of some of its patients might be exposed as a result of a laptop theft, it offered ID theft protection from American Insurance Group (AIG). Begun in 2006, the policy covers businesses, providing up to $25 million in coverage for companies facing costs, including legal, regulatory and other. AIG's policies provide form letters helping ID theft victims contact creditors, even covering lost wages due to time off spent recovering a stolen identity.

With identity theft and data breaches a costly reality, what can companies do to protect data? The most common response - simple passwords - is rarely enough, say experts.

"Password protection only is very weak," Yankee Group's Sal Capizzi said.

Securing mobile data is a three-prong process. Capizzi recommended authentication, encryption and automated policies. It is not enough to have policies in place. Boeing had a policy requiring that downloaded data be encrypted, but an employee skipped encryption. The result: a stolen laptop containing employees' personal data. To avoid the human element, security policies must be automated, according to Capizzi.

The new year will see greater focus on corporate and employee education regarding preventing data breaches. Allen predicts firms will also restrict or ban downloading data to CD or USB flash drives.

"Employers will begin insisting that more information exchange takes place via secure online transfer," Allen said in a statement.

Kroll is advising data minimization, a concept counter to the prevailing belief that customer information is an advantage.
"Information is a liability," Allen said.

Data minimization involves three steps. Don't require or maintain information you don't absolutely need. Minimize the number of locations the information is stored and purge the data once it's no longer needed.

Just as ego-satisfying virus writing evolved into for-profit criminal behavior, so will data breaches. Identity theft is now linked to organized crime, drug financing and illegal immigration, according to Kroll.

For Allen, excuses that a stolen laptop was only a "smash and grab" where thieves aren't interested in the data stored there don't hold water. Thieves don't work alone. One person may want only to pawn the hardware, other thieves will siphon off the data.

Not satisfied with a few hundred or thousand data files, criminals will turn to social engineering to gain access to data, according to Allen. A popular method is either bribing employees or planting employees hired to steal records. The employees use stolen identities to get the jobs, according to Allen.

Data breaches will likely increase this year as companies that once thought a stolen laptop was a property theft understand it as a potential identity theft, according to Kroll.

From dbloys at door.net Wed Jan 17 13:38:00 2007
From: dbloys at door.net (David Bloys)
Date: Wed, 17 Jan 2007 12:38:00 -0600
Subject: [Dataloss] ID Theft Bill Targets Government Websites
Message-ID: <028301c73a66$9de982f0$0202a8c0@Office>

I thought you might want to see this one.

ID Theft Bill Targets Government Websites
http://www.davickservices.com/New%20Law%20Could%20Stop.htm

David Bloys - News for Public Officials
http://www.davickservices.com/News%20for%20County%20Officials.htm
Jan-17-07

Law enforcement agencies have known for years that criminals were using government websites (http://www.davickservices.com/web_breaches.htm) to gather information on victims.
Now, proposed legislation could cut criminals off from this rich source of sensitive data.

David Bloys
Davick Services
www.davickservices.com
Phone: 800-658-6656
Fax: 512-233-1768

From Dissent at pogowasright.org Wed Jan 17 15:40:10 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 17 Jan 2007 15:40:10 -0500 (EST)
Subject: [Dataloss] The TJX Companies, Inc. Victimized by Computer Systems Intrusion

http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070117005971&newsLang=en

(Press Release):

The TJX Companies, Inc. (NYSE:TJX) today announced that it has suffered an unauthorized intrusion into its computer systems that process and store information related to customer transactions. While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known.

This intrusion involves the portion of TJX's computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada, and may involve customers of its T.K. Maxx stores in the U.K. and Ireland. The intrusion could also extend to TJX's Bob's Stores in the U.S.

The Company immediately alerted law enforcement authorities of the crime and is working closely with them to help identify those responsible. TJX is also cooperating with credit and debit card issuers and providing them with information on the intrusion.

[...]
Through its investigation, TJX has learned the following with respect to the intrusion:

* An unauthorized intruder accessed TJX's computer systems that process and store information related to customer transactions for its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and its Winners and HomeSense stores in Canada.

* The Company is concerned that the intrusion may extend to the computer systems that process and store information related to customer transactions for T.K. Maxx in the U.K. and Ireland, although TJX's investigation has not yet been able to confirm any such intrusion. It is possible that the intrusion may extend to Bob's Stores.

* Portions of the information stored in the affected part of TJX's network regarding credit and debit card sales transactions in TJX's stores (excluding Bob's Stores) in the U.S., Canada, and Puerto Rico during 2003, as well as such information for these stores for the period from mid-May through December, 2006 may have been accessed in the intrusion. TJX has provided the credit card companies and issuing banks with information on these and other transactions.

* To date, TJX has been able to specifically identify a limited number of credit card and debit card holders whose information was removed from its system and is providing this information to the credit card companies. In addition, TJX has been able to specifically identify a relatively small number of customer names with related drivers' license numbers that were also removed from its system, and TJX is contacting these individuals directly.

* TJX is continuing its investigation seeking to determine whether additional customer information may have been compromised. TJX does not know if it will be able to identify additional information of specific customers that may have been taken.

[...]
From lyger at attrition.org Wed Jan 17 17:56:17 2007
From: lyger at attrition.org (lyger)
Date: Wed, 17 Jan 2007 17:56:17 -0500 (EST)
Subject: [Dataloss] The TJX Companies, Inc. Victimized by Computer Systems Intrusion

On Wed, 17 Jan 2007, Dissent wrote:

: http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070117005971&newsLang=en
:
: (Press Release):
:
: The TJX Companies, Inc. (NYSE:TJX) today announced that it has suffered an unauthorized intrusion into its computer systems that process and store information related to customer transactions. While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known. This intrusion involves the

(snip)

We're guessing TJX is directly related to the previously announced Fitchburg Savings Bank incident. Anyone have any more information?

Thanks,
Lyger

From Dissent at pogowasright.org Thu Jan 18 12:41:27 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 18 Jan 2007 12:41:27 -0500 (EST)
Subject: [Dataloss] CIBC loses info on 470,000 Canadians

http://www.theglobeandmail.com/servlet/story/RTGAM.20070118.wcibc0118/BNStory/Business/home

The personal information of nearly half-a-million customers at a CIBC mutual fund subsidiary has gone missing, prompting fears of a potential security breach and forcing the bank to spring into damage control mode.

A backup computer file containing application data for 470,000 investors at Montreal-based Talvest Mutual Funds disappeared in transit on the way to Toronto recently, the bank said in a news release Thursday.
The file contained everything from client names and addresses to signatures, birth dates, bank account numbers and Social Security numbers.

Officials at CIBC Asset Management Inc., a division of the Canadian Imperial Bank of Commerce, said there is no evidence of fraud, nor is there any indication that any data on this hard drive has been accessed. The company did not explain how it lost the drive.

[...]

From Dissent at pogowasright.org Thu Jan 18 19:08:07 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 18 Jan 2007 19:08:07 -0500 (EST)
Subject: [Dataloss] [update] Massachusetts Bankers Association Responds to TJX Companies Data Breach

Press release:
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070118005947&newsLang=en

The Massachusetts Bankers Association (MBA) said today that in addition to VISA USA, now MasterCard is contacting Massachusetts banks to report that some of their customers' personal banking information may have been compromised due to the data breach reported by TJX Companies yesterday. Bay State banks are acting quickly to protect customers who have been red-flagged by the two card associations after doing business with TJX stores including TJMaxx, Marshalls, Winners, HomeGoods, TKMaxx, AJWright, and HomeSense.

After surveying its banks, the MBA is reporting that thus far 28 banks have been contacted by the card associations indicating that some of their card holders have had personal information that may have been exposed due to the TJX data breach. The MBA is cautioning, however, that the number is likely to grow higher as, thus far, only 48 out of 205 banks in Massachusetts have reported in to the Association.

In addition, the MBA is questioning TJX's self-characterization as being "victimized"
by the intrusion in a news release issued yesterday by the retailer. Daniel J. Forte, CEO and president of the MBA said, "We think it's a little odd that they would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary." [...] -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From lyger at attrition.org Thu Jan 18 20:34:37 2007 From: lyger at attrition.org (lyger) Date: Thu, 18 Jan 2007 20:34:37 -0500 (EST) Subject: [Dataloss] KB Home warns of ID theft risk Message-ID:

http://www.thestate.com/mld/thestate/business/16485189.htm Thousands of KB Home customers are being warned of the risk of identity theft after one of the home builder's computers was stolen from a Charleston sales office. The company sent letters to 2,700 people Friday advising them to put a fraud alert on their credit reports and to monitor their credit for the next couple of years. ... The stolen computer likely had names, addresses and Social Security numbers only of people who had visited the sales office for Foxbank Plantation, a new home community in Berkeley County near Charleston, said Jeff Meyer, division president for KB Home South Carolina.

From Dissent at pogowasright.org Fri Jan 19 08:51:12 2007 From: Dissent at pogowasright.org (Dissent) Date: Fri, 19 Jan 2007 08:51:12 -0500 (EST) Subject: [Dataloss] [update-TJX] Identity thieves hit pay dirt Message-ID:

http://www.canada.com/vancouversun/news/story.html?id=6736c975-4837-4bd8-81b1-8e12a40cfe0c&k=14488 [...] Meanwhile, a senior banking industry executive said Thursday that credit card information of Canadians who used the HomeSense and Winners stores has been used for fraudulent activity after hackers broke into computers belonging to a U.S.-based discount chain company.
Senior representatives from the Canadian banks held a conference call Thursday with major Canadian card issuers Visa and MasterCard to discuss damage control regarding the HomeSense and Winners breach. A senior banking executive confirmed information has already been used for fraudulent activity and the banks had received thousands of calls about the compromised credit card information. [...] -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From Dissent at pogowasright.org Fri Jan 19 08:59:02 2007 From: Dissent at pogowasright.org (Dissent) Date: Fri, 19 Jan 2007 08:59:02 -0500 (EST) Subject: [Dataloss] 26 IRS tapes missing from City Hall Message-ID:

http://www.kansascity.com/mld/kansascity/16493570.htm Twenty-six IRS computer tapes containing taxpayer information are missing after they were delivered to City Hall months ago. Kansas City is one of hundreds of governmental entities that share taxpayer information back and forth with the Internal Revenue Service. City officials use the federal tax return information to enforce their collection of the 1 percent city earnings tax, which is paid by people who live or work in Kansas City. City and IRS officials on Thursday either would not or could not say exactly what information is on the tapes or the number of taxpayers whose information is on the tapes. But the information potentially could include taxpayers' names, Social Security numbers and bank account numbers, or they could contain employer information. [...] -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From bkdelong at pobox.com Fri Jan 19 09:07:23 2007 From: bkdelong at pobox.com (B.K. DeLong) Date: Fri, 19 Jan 2007 09:07:23 -0500 Subject: [Dataloss] [update-TJX] Identity thieves hit pay dirt In-Reply-To: References: Message-ID:

Interesting.
So second-hand (or third hand) confirmation of actual fraudulent use. On 1/19/07, Dissent wrote: > http://www.canada.com/vancouversun/news/story.html?id=6736c975-4837-4bd8-81b1-8e12a40cfe0c&k=14488 > > [...] > > Meanwhile, a senior banking industry executive said Thursday that > credit card information of Canadians who used the HomeSense and > Winners stores has been used for fraudulent activity after hackers > broke into computers belonging to a U.S.-based discount chain company. > > Senior representatives from the Canadian banks held a conference call > Thursday with major Canadian card issuers Visa and MasterCard to > discuss damage control regarding the HomeSense and Winners breach. > > A senior banking executive confirmed information has already been used > for fraudulent activity and the banks had received thousands of calls > about the compromised credit card information. > > [...] > > -- > Privacy-related news and resources: http://www.pogowasright.org > Privacy news headlines feed: > http://www.pogowasright.org/backend/pogowasright.rss > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 144 million compromised records in 536 incidents over 7 years. > > > -- B.K. DeLong (K3GRN) bkdelong at pobox.com +1.617.797.8471 http://www.wkdelong.org Son. http://www.ianetsec.com Work. http://www.bostonredcross.org Volunteer. http://www.carolingia.eastkingdom.org Service. http://bkdelong.livejournal.com Play. PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE FOAF: http://foaf.brain-stream.org From Dissent at pogowasright.org Fri Jan 19 09:56:59 2007 From: Dissent at pogowasright.org (Dissent) Date: Fri, 19 Jan 2007 09:56:59 -0500 (EST) Subject: [Dataloss] [update-TJX] Identity thieves hit pay dirt In-Reply-To: References: Message-ID: > Interesting. So second-hand (or third hand) confirmation of actual > fraudulent use. 
The Attorney General of Massachusetts is reporting that she, too, is an ID theft victim of the TJX breach -- and since passing a mandatory breach notification law in Massachusetts was already a hot issue there, her experience may push things along: http://www1.whdh.com/news/articles/local/BO40498/ http://www.townonline.com/somerville/homepage/8999008454127386623 Cheers, /Dissent -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From lyger at attrition.org Fri Jan 19 20:48:53 2007 From: lyger at attrition.org (lyger) Date: Fri, 19 Jan 2007 20:48:53 -0500 (EST) Subject: [Dataloss] (Update) Officials: Up to 35,000 exposed in UTD computer attack Message-ID:

http://www.wfaa.com/sharedcontent/dws/news/localnews/stories/012007dnmetutdhack.58085a1e.html A computer attack at the University of Texas at Dallas is worse than officials first thought. Campus officials now say Social Security numbers and other personal information may have been exposed for up to 35,000 faculty, current and former students, staff and others, putting them at risk of identity theft. Officials said Friday that the names and Social Security numbers of 29,000 library card holders were possibly exposed. That group mainly includes students, faculty and staff, along with a few hundred people who are not affiliated with UTD but have used its library. UTD officials first reported the computer attack in December and said 6,000 people were affected. [...]

From rforno at infowarrior.org Sat Jan 20 10:45:20 2007 From: rforno at infowarrior.org (Richard Forno) Date: Sat, 20 Jan 2007 10:45:20 -0500 Subject: [Dataloss] Some common-sense digital privacy guidelines Message-ID:

(not all-inclusive, but a helpful layperson's start........rf) January 20, 2007 Your Money Don't Call. Don't Write. Let Me Be.
By DAMON DARLIN http://www.nytimes.com/2007/01/20/business/20money.html?_r=1&oref=slogin&pagewanted=print The fears of the direct marketing industry came true. Once a do-not-call list was created, people did register, in droves. The list was created in 2003, not as a way to protect privacy, but to remove a powerful irritant from the lives of Americans. The Federal Trade Commission, which administers the list, says that more than 137 million phone numbers have been placed on the list by people tired of interruptions during dinner or their favorite TV show. The popularity of the do-not-call list unleashed a demand for other opt-out lists. A consumer can now opt out of the standard practice of their banks or loan companies selling their information to others. Other opt-outs stop credit card companies from soliciting consumers or end the flow of junk mail and catalogs. While most of the opt-outs are intended to make life less annoying, they can also have the side effect of protecting personal information that can be misused by identity thieves or unscrupulous merchants. "Over the years, it has gotten so much easier to opt out," said Ari Schwartz, deputy director of the Center for Democracy and Technology, a public interest group that lobbies Congress on privacy issues. "There are still gray areas." While financial companies have to provide an opportunity to opt out of sharing personal information, other kinds of companies do not. Some that tell you they will share the information do not offer the option to protect personal information (other than not doing business with the company). For those who just can't take it anymore, here is a master list of where you can take control:

PHONE SOLICITATIONS To stop them, go to donotcall.gov. Or call toll free, (888)382-1222, from the number you are going to restrict. Remember to register if you get a new phone number. You can register cellphone numbers as well.
A listing is good for five years, after which you'll have to repeat the process. But you need not worry about forgetting. You will know when you start receiving sales calls again.

JUNK MAIL You can try to opt out of direct mail solicitations, but it will probably not work very well. A private organization, the Direct Marketing Association, handles that list and not every merchant with pages of hot leads is a rule-abiding member. If you want to give it a shot anyway, write the association, in care of the Mail Preference Service at P.O. Box 643, Carmel, N.Y. 10512. There is an online form at www.the-dma.org/consumers/offmailinglist.html. If you want to get more mail, there is also a place to sign up to get on the lists.

E-MAIL Whatever you do, do not respond to an unsolicited e-mail message when it gives you the option to opt out of receiving more e-mail. That is a trick used by spammers to confirm they hit a live address. Once that happens, your address goes to a prime list and is sold to other spammers. You may even find legitimate businesses eventually using addresses on that list. So how do you prevent spam? Unfortunately, other than spam filters, there really is no good way. You can try to make it harder for spammers to get your address in the first place by never posting your address in public forums. Spammers employ software to scrape the sites of anything with that @ symbol. Instead spell it out in a unique way like "the nameofthiscolumn at nytimes.com."

CREDIT CARD OFFERS Almost as annoying as the direct marketing call is the mailbox stuffed with credit card solicitations. The more you ignore their offers, the more you will receive. One way to stop the offers is to sign up for so many cards and run up such high levels of debt that you become a credit untouchable. That is not a good plan. Instead, call (888) 567-8688, but be ready to give out some personal information like your Social Security number.
The major credit bureaus, like Experian, Equifax and TransUnion, that collect information on your borrowing habits let you opt out of what they call prescreened offers of credit at https://www.optoutprescreen.com. You can do it for a period of five years or permanently. Opting out of prescreened offers of credit might also be useful when you apply for a mortgage. When you seek a loan, the credit bureaus notice and they put you on a "trigger list." The information that you are a ripe prospect is then sold to other lenders in as little time as 24 hours. Suddenly, other lenders are calling. "It hurts the image of our members," said Harry Dinham, president of the National Association of Mortgage Brokers. His group also objects because it could be "an avenue to identity theft." He said, "We actually don't know who they sell it to." Still, some callers may actually have better deals than the one your mortgage broker or bank is offering. "Do you want to opt out and never learn how to save money," asked Stuart Pratt, president of the Consumer Data Industry Association, a trade group. Will opting out protect your identity from thieves? Mr. Pratt said that "lender data tells us that prescreened offers of credit result in lower levels of fraud." Nonetheless, he did recommend using a paper shredder on the offers you do reject.

CREDIT FREEZE The ultimate opt-out for your credit is a credit freeze. You'll sometimes hear it recommended as a way to protect yourself from fraud because once you sign up to have your credit report frozen, no company can get access to your credit report without your expressed permission. That means no one can open up a credit card or take out a loan in your name. Think long and hard before you do this. It sounds great at first, but doing so can backfire. You might be buying an expensive flat-screen TV at a warehouse store and want to get the instant credit card to score another 5 percent discount. You will not be able to.
But about half the states have passed laws making credit reporting companies quickly unfreeze a report, some in as little as five minutes. Not that preventing the opening of one more store account is a bad thing. Remember that every one of those cards can hurt your credit score, which determines what your interest rate is when you borrow money. Use the credit freeze only if you are a true victim of identity theft, which means that some criminal has your personal information and is opening up credit card accounts, borrowing money or buying property with your credit history. If you suspect you may be a target, but have not been harmed yet, a better form of protection is asking the credit bureaus to flag your report with a fraud alert, which is supposed to make lenders take extra precautions.

OTHER OPT-OUTS Your personal information is accessible in less obvious ways. For instance, your computer tracks where you have visited online. DoubleClick, a company that collects data for online advertisers, offers a way to prevent your computer from giving it information at http://www.doubleclick.com/us/about-doubleclick/privacy/dart-adserving.asp. But again, it is only a piecemeal solution. Other online advertising companies will still put "cookies" on your computer to collect the same data. So the next-best solution is to frequently run software that cleans out cookies. You can get Spyware Blaster, Spybot, or Ad-Aware at www.download.com free. Your personal information, including parts of your Social Security number, is available in publicly available databases that you may never see. The most common ones offer a way to opt out of a listing. Nexis, one of the biggest, says you can opt out of its people-finding lists by going to www.lexisnexis.com/terms/privacy/data/remove.asp. Nexis does not make it easy because it requires that you prove you are a victim of identity theft before it will consider your application.
The Center for Democracy and Technology provides addresses and forms for other companies, like ChoicePoint, that do not let you opt out online (http://opt-out.cdt.org).

REAL ESTATE FILINGS You have to file deeds with the local government office and once you do, companies swoop in to compile lists of new homeowners from the public records. That's why you get the discount coupons from Home Depot and other merchants right after you buy. Birth certificates and marriage licenses are also scraped for data. There is little you can do about it because the records are intended to be public. Any good lawyer can show you how to make it a little harder for personal information to be listed on a deed. But it will cost money, which is probably not worth it if all you are trying to do is stop solicitations from Swifty's Mortgage Lending and Used Car Sales. E-mail: yourmoney at nytimes.com

From adrian.sanabria at gmail.com Sat Jan 20 11:16:47 2007 From: adrian.sanabria at gmail.com (Adrian Sanabria) Date: Sat, 20 Jan 2007 11:16:47 -0500 Subject: [Dataloss] They Take it Seriously? Oh, Sure In-Reply-To: <45A6472D.3060807@myitaz.com> References: <45A6472D.3060807@myitaz.com> Message-ID:

Maybe that's their problem. All employees should be required to read and follow information security policies and procedures to protect data, and in the real world, even when employees are required to read it (they often don't even know the 150 page doc exists), they're likely to be in a near-comatose drooling trance long before they finish reading 150 pages of policies and standards. The most effective way to do it that I've seen is through mandatory training and awareness campaigns. Without fully analyzing the cause of all their breaches, this theory is not much more than hot air, but it is, at the very least, a likely contributor.
--Adrian

On 1/11/07, George Toft wrote: > > In UC's defense, they have a very aggressive information protection > policy - something like 150 pages of policy/procedure designed to > protect information as required by GLBA (it's been a while since I read > it, so my page count might be off). > > I think they are the exception rather than the rule as they've done more > than most to protect their data. > > George Toft, CISSP, MSIS > My IT Department > www.myITaz.com > 623-203-1760 > > Confidential data protection experts for the financial industry. > > > Richard Forno wrote: > > They Take it Seriously? Oh, Sure > > January 9th, 2007 by Dan Gillmor > > > > (I originally wrote this for PR Week magazine.) > > > > Several weeks ago, UCLA acknowledged that some of its computers had been > > hacked. Obeying a state law, it notified more than 800,000 people that > their > > personal data, including Social Security numbers, might have ended up in > the > > wrong hands. > > > > The fact that the data got loose wasn't all that striking. > Unfortunately, > > that's all too common. What struck me was this statement from a hapless > UCLA > > honcho: "We have a responsibility to safeguard personal information, an > > obligation that we take very seriously." > > > > When and where have I heard that before? All kinds of times and places, > > actually. It's becoming a mantra that means almost nothing. > > > > Try this: Plug "we take" and "very seriously" into a Google News or > Yahoo > > News search. You'll get hundreds of hits, albeit some repeats, where > some > > big institution - corporate, educational, government, whatever - makes a > > giant blunder and then issues a "we take (insert the violated policy) > very > > seriously" statement.
> > > > < - > > > > > http://citmedia.org/blog/2007/01/09/they-take-it-seriously-oh-sure/ > > > > > > _______________________________________________ > > Dataloss Mailing List (dataloss at attrition.org) > > http://attrition.org/dataloss > > Tracking more than 143 million compromised records in 529 incidents over > 6 years. > > > > > > > > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 143 million compromised records in 530 incidents over 7 > years. > >

From Dissent at pogowasright.org Sat Jan 20 18:07:53 2007 From: Dissent at pogowasright.org (Dissent) Date: Sat, 20 Jan 2007 18:07:53 -0500 (EST) Subject: [Dataloss] School district leaves personnel records behind during renovations Message-ID:

http://www.myrtlebeachonline.com/mld/myrtlebeachonline/news/local/16508366.htm Boxes of personnel records - including the Social Security numbers of thousands of teachers - were accidentally left behind by the Greenville County school district when it vacated its office for renovations, officials say. The 10 boxes held lists of every teacher employed by the district between 1972 and 1990, as well as their Social Security numbers, district spokeswoman Oby Lyles said Friday. Several other boxes contained personnel records as recent as 1998, Lyles said. [...]
-- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss From Dissent at pogowasright.org Mon Jan 22 05:42:00 2007 From: Dissent at pogowasright.org (Dissent) Date: Mon, 22 Jan 2007 05:42:00 -0500 (EST) Subject: [Dataloss] City loses voters' vital information Message-ID: http://www.suntimes.com/news/politics/222892,CST-NWS-data22.article About 100 computer discs with 1.3 million Chicago voters' Social Security numbers have been distributed to aldermen and ward committeemen, and the whereabouts of at least an additional six CDs with the same information are unknown, according to the Chicago Board of Elections. This follows another security lapse in October 2006, when voters' Social Security numbers were available through the board's Web site. But unlike the Web site flaw, which was fixed in a few minutes, it will be difficult, if not impossible, for the Board of Elections to retrieve sensitive data physically scattered on more than 100 discs throughout the area. The discs also contain voters' birth dates and addresses -- information that along with Social Security numbers can be used to commit identity theft. [...] -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss From hbrown at knology.net Mon Jan 22 07:11:32 2007 From: hbrown at knology.net (Henry Brown) Date: Mon, 22 Jan 2007 06:11:32 -0600 Subject: [Dataloss] Interesting quote from the TJX data breach Message-ID: <45B4A9F4.4050302@knology.net> http://tinyurl.com/367gjt "...Mike Cook, a co-founder of ID Analytics, a San Diego-based company that detects and prevents identity fraud, said only a small percentage of accounts involved in a data breach end up misused. 
"If you are a consumer and you're part of the TJX breach, you are hoping it's 10 million people because the chance of your name being misused goes down considerably depending on the size of the data breach," Cook said. ..."

From Dissent at pogowasright.org Tue Jan 23 10:05:31 2007 From: Dissent at pogowasright.org (Dissent) Date: Tue, 23 Jan 2007 10:05:31 -0500 (EST) Subject: [Dataloss] Xerox employees fear ID theft after laptop stolen Message-ID:

http://www.kgw.com/news-local/stories/kgw_012207_news_xerox_theft.cde8339.html WILSONVILLE -- Some employees at a local Xerox plant are worried about identity theft after a laptop was stolen from a manager's car. The UniteHere Local 14Z Union said a computer containing employees' personal information was stolen from a human resources manager's car in August. Letters were sent out to about 297 employees four months later, the union said. Some of the employees affected said they experienced credit problems before they were informed of the theft, according to the union. [...] -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From Dissent at pogowasright.org Tue Jan 23 11:35:26 2007 From: Dissent at pogowasright.org (Dissent) Date: Tue, 23 Jan 2007 11:35:26 -0500 (EST) Subject: [Dataloss] [update] Social Security data puts 1.3 mil. voters at risk: suit Message-ID:

Out of curiosity: Can the Board of Elections really use mass advertising to satisfy the breach notification requirements -- or do they have to make some effort to notify individually? Anyone have a copy of IL's statute handy? And anyone want to bet that the Bd. will use the 'no harm, no foul' defense that's worked so well for Acxiom and Wells Fargo? I'm thinking that they might even argue that they don't need to provide free credit monitoring because it's already been three years since the breach.
/Dissent --------------- http://www.suntimes.com/news/politics/224519,CST-NWS-data23.article The release of more than 1.3 million registered voters' Social Security numbers by the Chicago Board of Elections has triggered a class action lawsuit, which was filed Monday in County Circuit Court. Lead plaintiff in the suit is 43rd Ward aldermanic candidate Peter Zelchenko, who discovered the security breach and who also uncovered a similar problem last October on the board's Web site. The most recent release of at least 100 compact discs to aldermen and ward committeemen, with another six discs unaccounted for, was revealed on Monday in the Sun-Times. The suit, filed by attorney Nicholas Kefalos, alleges the board violated the Illinois Personal Information Protection Act and seeks unspecified compensation for all Chicago voters whose Social Security numbers were disclosed. "Actual damages could be $50 or $100 for each person to at least establish a credit watch," Kefalos said. The CDs also included birth dates, phone numbers and addresses. "You couldn't have come up with a better threat for identity fraud if you had orchestrated it," Zelchenko said.

Law requires notification But board spokesman Tom Leach said most of the CDs were distributed three years ago, and that since then there has been "absolutely no evidence" of identity theft. "We don't want the message to get out that there should be panic in the streets," Leach said. The board is attempting to retrieve the discs. Though required by law to notify voters of the breach, Leach said the board will not do so individually, but will instead advertise. So, right now, voters have no way of knowing whether their information was exposed. But since the board stopped collecting full Social Security numbers about three years ago, those who registered earlier are at greater risk.
Plaintiff's site may aid voters Kefalos said that people who register with Zelchenko's Web site, Re4m.org, will be notified if their Social Security numbers were exposed as soon as the courts give permission. He intends to file a similar suit in federal court today. In a separate action, other class action lawsuits were filed against the Chicago Board of Elections in Cook County and federal courts by Meliza Aldea, Romeo Aldea and Robert Green, noting concerns about privacy rights. -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss From cwalsh at cwalsh.org Tue Jan 23 12:56:36 2007 From: cwalsh at cwalsh.org (Chris Walsh) Date: Tue, 23 Jan 2007 11:56:36 -0600 Subject: [Dataloss] [update] Social Security data puts 1.3 mil. voters at risk: suit In-Reply-To: References: Message-ID: <20070123175619.GA27444@cwalsh.org> Illinois' law is at http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=094-0036 In discussing form of notice, the law says that so-called substitute notice may be used under certain conditions: (c) For purposes of this Section, notice to consumers may be provided by one of the following methods: (1) written notice; (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or (3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. 
Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.

From Dissent at pogowasright.org Tue Jan 23 17:19:14 2007 From: Dissent at pogowasright.org (Dissent) Date: Tue, 23 Jan 2007 17:19:14 -0500 (EST) Subject: [Dataloss] Clay High School student hacks into Oregon schools data Message-ID:

http://www.toledofreepress.com/?id=4718 Oregon City Schools Superintendent John Hall confirmed an information security breach occurred Jan. 12 when a Clay High School student obtained confidential student and staff information through inappropriate means. Hall has sent out letters notifying the local community about the incident. [...] The administration learned the student had transferred the information to a portable 30-gigabyte storage device. That device has been confiscated. [...] [Detective Janet Zale] confirmed that Oregon police are now in possession of the student's portable storage device. From investigation work she has completed, she has ascertained the student's external device has district-wide personal information, such as names, addresses, birthdays and Social Security numbers of students, and information on Clay faculty and staff. [...] -- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From roy at rant-central.com Tue Jan 23 18:01:29 2007 From: roy at rant-central.com (Roy M. Silvernail) Date: Tue, 23 Jan 2007 18:01:29 -0500 Subject: [Dataloss] Clay High School student hacks into Oregon schools data In-Reply-To: References: Message-ID: <45B693C9.8070003@rant-central.com>

Dissent wrote: > http://www.toledofreepress.com/?id=4718 > > The administration learned the student had transferred the information > to portable 30-gigabyte storage device. That device has been > confiscated. Heh. iPod, right? -- Roy M. Silvernail is roy at rant-central.com, and you're not "It's just this little chromium switch, here." - TFT CRM114->procmail->/dev/null->bliss http://www.rant-central.com

From Dissent at pogowasright.org Wed Jan 24 01:06:04 2007 From: Dissent at pogowasright.org (Dissent) Date: Wed, 24 Jan 2007 01:06:04 -0500 (EST) Subject: [Dataloss] Insurer's customer data was swiped Message-ID:

http://www.columbusdispatch.com/business/business.php?story=241942 The personal information of tens of thousands of Nationwide customers has been stolen. The company said yesterday that a lockbox of backup tapes containing the personal data of 28,279 Nationwide Health Plans customers, most in central Ohio, was stolen from the Weymouth, Mass., office of Concentra Preferred Systems. They are among the data records of more than 100 million U.S. citizens that have been compromised by security breaches since February 2005, according to the Privacy Rights Clearinghouse. In the Nationwide case, the tapes contained medical claim information, health data and Social Security numbers. [...]
-- Privacy-related news and resources: http://www.pogowasright.org Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From george at myitaz.com Wed Jan 24 01:49:32 2007 From: george at myitaz.com (George Toft) Date: Tue, 23 Jan 2007 23:49:32 -0700 Subject: [Dataloss] Major breach of UCLA's computer files In-Reply-To: References: Message-ID: <45B7017C.2020101@myitaz.com>

They made the CNN top 101 list (101 Dumbest Moments in Business) http://money.cnn.com/galleries/2007/biz2/0701/gallery.101dumbest_2007/96.html Highlight is that they estimate a $10M price tag to notify the affected individuals. George Toft, CISSP, MSIS

Dissent wrote: > http://www.latimes.com/news/local/la-me-ucla12dec12,0,7111141.story?coll=la-home-headlines > > In what appears to be one of the largest computer security breaches > ever at an American university, one or more hackers have gained access > to a UCLA database containing personal information on about 800,000 of > the university's current and former students, faculty and staff > members, among others. > > UCLA officials said the attack on a central campus database exposed > records containing the names, Social Security numbers and birth dates > - the key elements of identity theft - for at least some of those > affected. The attempts to break into the database began in October of > 2005 and ended Nov. 21, when the suspicious activity was detected and > blocked, the officials said. > > In a letter scheduled to be sent today to potential victims of the > breach, acting Chancellor Norman Abrams said that although some Social > Security numbers were obtained by the hackers, the university had no > evidence that any of the information had been misused. > > [...] > > At UCLA, officials said Monday that the targeted database included > records for the university's current and former students, faculty and > staff, in some cases dating to the early 1990s.
Others potentially > affected included some applicants during the last five years who did > not enroll at the university, as well as some parents of students or > applicants who had applied for financial aid. > > About 3,200 of those being notified are current or former staff and > faculty of UC Merced and current or former staff of UC's Oakland > headquarters. UCLA handles administrative processing for both groups. > > Besides names, Social Security numbers and birth dates of those > affected, the database includes home addresses and contact > information, officials said. It does not contain driver's license > numbers or credit card or banking information. > > [...] > > From Dissent at pogowasright.org Wed Jan 24 15:15:24 2007 From: Dissent at pogowasright.org (Dissent) Date: Wed, 24 Jan 2007 15:15:24 -0500 (EST) Subject: [Dataloss] Stolen PC had student SSNs Message-ID: http://media.www.rutgersobserver.com/media/storage/paper822/news/2007/01/23/News/Stolen.Pc.Had.Student.Ssns-2669141.shtml Computer owners at Rutgers-Newark now have more to worry about than just viruses and busted hardware. Gabriela Kutting, associate professor of political science, reported her laptop stolen to Rutgers police Sept. 5, 2006. The laptop contained the social security numbers of 200 R-N students. The computer was taken from her office in Hill Hall despite having locked her door, Kutting said. Kutting's laptop is one of five incidents of computer theft reported so far this academic year. [...] 
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From jericho at attrition.org Thu Jan 25 03:53:50 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 25 Jan 2007 03:53:50 -0500 (EST)
Subject: [Dataloss] followup: Bankers association reports fraud resulted from hack of TJX customer data (fwd)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News
Subject: [ISN] Bankers association reports fraud resulted from hack of TJX customer data

http://www.smh.com.au/news/Technology/Bankers-association-reports-fraud-resulted-from-hack-of-TJX-customer-data/2007/01/18/1168709865048.html

The Sydney Morning Herald
January 25, 2007

Customer data stolen from TJX Cos. by computer hackers has been used to make fraudulent debit card and credit card purchases in the United States and overseas, the Massachusetts Bankers Association said Wednesday.

The fraudulent purchases have been made in Florida, Georgia, and Louisiana, and overseas in Hong Kong and Sweden, the association said.

Nearly 60 banks have reported they've been contacted by credit and debit card companies about compromised cards, the association said. The number is likely to grow because fewer than half of the association's 205 banks have reported to it on the issue.

"We expect that this is going to continue and the fraud may widen," said association spokesman Bruce Spitzer. "This is just the first reports we have confirmed."

The state association's report of fraud is among the first in the country since TJX disclosed the breach last week. On Tuesday, the Vermont Bankers' Association said a bank it refused to name had been told by TJX that more than 1,600 of the bank's customers had their account numbers compromised.

Framingham-based TJX, operator of T.J. Maxx and Marshalls discount stores, as well as HomeGoods and A.J. Wright in the U.S., Winners and HomeSense in Canada, and T.K. Maxx in Britain, did not immediately return a call seeking comment Wednesday.

Last week, TJX said hackers had broken into a system that handles credit and debit card transactions, as well as checks and merchandise returns for customers in the U.S. and Puerto Rico and may involve customer accounts from the United Kingdom and Ireland.

The company said the stolen customer data included information from 2003 transactions, as well as information from mid-May 2006 through December, when the company discovered the breach. TJX has refused to say how many customers had their data stolen or accessed.

Avivah Litan, a data security analyst for Gartner Inc., said it may be difficult for the company to determine the scope of the breach because the thieves had a lot of time to sell and circulate the information before the hack was discovered.

"They can't put a wall around it," she said. "That's what's so disconcerting about it."

Credit card companies have noted that consumers are not responsible for fraudulent purchases.

Spitzer said state banks are notifying customers about fraudulent purchases and reissuing cards in some cases.

Spitzer said it's too early to know the number of fraudulent purchases, or their costs. But he said the cost to banks of reissuing hundreds of thousands of cards alone will be "enormous."

Copyright 2006 AP DIGITAL

From hbrown at knology.net Thu Jan 25 07:37:01 2007
From: hbrown at knology.net (Henry Brown)
Date: Thu, 25 Jan 2007 06:37:01 -0600
Subject: [Dataloss] Followup/Continuation of TJX data Breach
Message-ID: <45B8A46D.5030903@knology.net>

From the Boston Globe Jan 25, 2007
http://tinyurl.com/yns7vm

Community banks in New England have identified at least 200,000 credit and debit cards compromised by the TJX Cos. security breach, and several Massachusetts banks reported cases of fraud connected with card numbers stolen from the Framingham merchant's computer system.

...
The company initially said it delayed reporting at the request of law enforcement, but has since added that it was also a business decision.

...

From lyger at attrition.org Thu Jan 25 07:55:54 2007
From: lyger at attrition.org (lyger)
Date: Thu, 25 Jan 2007 07:55:54 -0500 (EST)
Subject: [Dataloss] Follow-up to Clay High School Incident
Message-ID:

(Roy Silvernail, you win the prize. It *was* an iPod...)

http://toledoblade.com/apps/pbcs.dll/article?AID=/20070125/NEWS03/701250345/-1/NEWS

A former Clay High School student who obtained sensitive staff and student information from school computers through an apparent security breach met with district officials and an Oregon police detective yesterday.

...

The student's iPod contained personal files from both students and staff, including birth dates, Social Security numbers, addresses, and phone numbers, an Oregon police report says.

[...]

From lyger at attrition.org Thu Jan 25 07:58:36 2007
From: lyger at attrition.org (lyger)
Date: Thu, 25 Jan 2007 07:58:36 -0500 (EST)
Subject: [Dataloss] Ohio: Error puts nurses' personal data online
Message-ID:

http://www.columbusdispatch.com/news-story.php?story=dispatch/2007/01/25/20070125-D1-05.html

The names and Social Security numbers of 3,031 newly licensed nurses were posted online twice in the past two months.

The Ohio Board of Nursing received a call last week from a nurse who said she found the list on the agency's Web site, said Betsy Houchen, the board's executive director.

[...]
From Dissent at pogowasright.org Thu Jan 25 21:17:51 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 25 Jan 2007 21:17:51 -0500 (EST)
Subject: [Dataloss] State employee investigated in ID theft case
Message-ID:

http://the.honoluluadvertiser.com/article/2007/Jan/25/br/br0713982546.html

Up to 11,500 current and former clients of the Wahiawa Women, Infants and Children's program are being notified that their personal information may have been compromised following the discovery of an ID theft case.

The Department of Health has put an employee of the WIC office on administrative leave and is investigating the security breach. At least three families have had their information used illegally and the state is looking into at least two more.

[...]
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From Dissent at pogowasright.org Fri Jan 26 04:45:19 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 26 Jan 2007 04:45:19 -0500 (EST)
Subject: [Dataloss] Stolen Boeing laptop is recovered
Message-ID:

http://seattletimes.nwsource.com/html/businesstechnology/2003541873_bizbriefs26.html

A stolen Boeing laptop containing personal information on 382,000 workers and retirees has been recovered.

In an e-mail to employees, Senior Vice President Rick Stephens said Boeing and a third-party computer-security consultant had confirmed that the files with personally identifiable information were not accessed after the theft.

[...]
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From Dissent at pogowasright.org Fri Jan 26 09:54:24 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 26 Jan 2007 09:54:24 -0500 (EST)
Subject: [Dataloss] [update - Towers Perrin] Prudential Financial
Message-ID:

http://www.nj.com/business/ledger/index.ssf?/base/business-5/1169532666221410.xml&coll=1

Personal information about an unspecified number of current and former Prudential Financial employees was on a handful of laptop computers stolen from a consulting firm's New York offices, Prudential told employees last week.

Towers Perrin, which provides actuarial services for Prudential's pension program, said the information included employees' names and Social Security numbers. Prudential, based in Newark, said a percentage of its 23,000 domestic workers, some former employees and a small number of retirees are affected.

[...]

Prudential wasn't notified until Jan. 3 at the request of authorities, who arrested the Towers Perrin employee Dec. 28. DeFillippo said Prudential didn't get a complete list of affected employees until Jan. 9 and a formal letter to those workers was sent last week.
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From mhozven at tealeaf.com Fri Jan 26 12:46:43 2007
From: mhozven at tealeaf.com (Max Hozven)
Date: Fri, 26 Jan 2007 09:46:43 -0800
Subject: [Dataloss] Stolen Boeing laptop is recovered
Message-ID: <771A26039D33ED489E23D9614DE630DD04AB8700@SFMAIL02.tealeaf.com>

Question:
If the laptop was booted with a Symantec "Ghost" floppy, then imaged to a Ghost server, wouldn't this be undetectable, as no change of any type would be made to the laptop's hard disk?

-Max

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Dissent
Sent: Friday, January 26, 2007 1:45 AM
To: dataloss at attrition.org
Subject: [Dataloss] Stolen Boeing laptop is recovered

http://seattletimes.nwsource.com/html/businesstechnology/2003541873_bizbriefs26.html

A stolen Boeing laptop containing personal information on 382,000 workers and retirees has been recovered.

In an e-mail to employees, Senior Vice President Rick Stephens said Boeing and a third-party computer-security consultant had confirmed that the files with personally identifiable information were not accessed after the theft.

[...]
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 145 million compromised records in 547 incidents over 7 years.

From Dissent at pogowasright.org Fri Jan 26 14:55:57 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 26 Jan 2007 14:55:57 -0500 (EST)
Subject: [Dataloss] [Update - Towers Perrin] Random House, American Express?
Message-ID:

So far, this is the only published reference I've found to Random House and AmEx being affected by the Towers Perrin breach. Maybe more will be published within the next few days...

http://www.gawker.com/news/random-house/random-house-to-employees-oops-we-lost-your-social-our-bad-231384.php

[...]

Dear Random House Employee or former Employee:

I write to inform you about a matter of concern that came to our attention recently. In 2003, Bertelsmann engaged the services of the consulting firm Towers Perrin to work on a project on behalf of all Bertelsmann companies in the United States, including Random House.
For the purposes of this project, Towers Perrin had access to employee data, including names, Social Security numbers, addresses, dates of birth and other information related to your employment, but no bank or credit card information.

Bertelsmann was recently informed by Towers Perrin that computers which may have contained this data were stolen from their offices on approximately November 27, 2006. The suspect, an employee of Towers Perrin, has subsequently been arrested, but the computers themselves have not yet been retrieved.

As an employee of record at Random House in December 2004, your employee information may have been included in this data on the stolen computers. Only individuals who may have been affected by this incident are receiving information regarding the possible data loss.

[...]

Update: All Amex employees apparently received a near-identical memo yesterday; one suspects that "there's more to this than they're letting on" (fwiw).
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From Dissent at pogowasright.org Fri Jan 26 15:27:27 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 26 Jan 2007 15:27:27 -0500 (EST)
Subject: [Dataloss] INDOT employee info posted on internal computer drive
Message-ID:

http://www.fortwayne.com/mld/newssentinel/16554895.htm

The names and Social Security numbers of about 4,000 employees of the Indiana Department of Transportation were inadvertently posted on an internal network computer drive, the agency said Friday.

In a letter sent to the workers Friday, INDOT Commissioner Karl Browning said the file was available to any employee with computer access and could have been viewed by a limited number of third-party contractors with access to the drive. The file was posted on the drive sometime between Sept. 6 and Dec. 4 last year.

[...]
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From Dissent at pogowasright.org Fri Jan 26 16:02:03 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 26 Jan 2007 16:02:03 -0500 (EST)
Subject: [Dataloss] Computers stolen from college financial aid office
Message-ID:

http://www.dailypilot.com/articles/2007/01/26/front/doc45ba618886459435458713.txt

Two computers stolen from Vanguard University earlier this month have put more than 5,000 financial aid applicants at risk for identity theft, authorities said today.

[...]

University officials did not believe the computers kept financial aid data on their hard drives, Westbrook said. But last Friday they learned apparently the machines stored that information, including social security numbers, dates of birth, phone numbers, driver's license numbers and lists of assets.

[...]

Anyone who applied for financial aid at Vanguard University for the 2005-2006 or 2006-2007 school years is now at risk, he said. The 5,105 affected include even prospective students who may not have enrolled at Vanguard. Anyone applying now, however, is safe.

[...]
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From Dissent at pogowasright.org Fri Jan 26 16:48:47 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 26 Jan 2007 16:48:47 -0500 (EST)
Subject: [Dataloss] Anthem Blue Cross Blue Shield customer information stolen
Message-ID:

http://www.wsls.com/servlet/Satellite?pagename=WSLS%2FMGArticle%2FSLS_BasicArticle&c=MGArticle&cid=1149192869390&path=!news!localnews

Anthem Blue Cross Blue Shield says information for about 50,000 of its Virginia customers was stolen. That information includes social security numbers and names. Anthem says the information was on cassette tapes, being stored in a lock box, at one of its vendors.

[...]
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From lyger at attrition.org Fri Jan 26 19:11:01 2007
From: lyger at attrition.org (lyger)
Date: Fri, 26 Jan 2007 19:11:01 -0500 (EST)
Subject: [Dataloss] DLDOS: Significant Updates
Message-ID:

A note to those who check or use the Data Loss Database - Open Source (DLDOS):

Several updates have been made in the "Stock Symbol" and "Breach Type" categories thanks to the efforts of list member Mike Walter. About fifty stock symbol fields have been recently entered, and Mike has been going through the "Breach Type" column to help us break out "media" into "disk drives", "documents" and other subcategories.

Due to the recent additions and changes, we would urge anyone using the database to download a fresh copy as soon as possible.

http://attrition.org/dataloss/dldos.html

As always, comments, suggestions, and support are appreciated. And thanks, Mike!

Lyger

From pascal.charest at gmail.com Sat Jan 27 08:03:09 2007
From: pascal.charest at gmail.com (Pascal Charest)
Date: Sat, 27 Jan 2007 08:03:09 -0500
Subject: [Dataloss] Stolen Boeing laptop is recovered
In-Reply-To: <771A26039D33ED489E23D9614DE630DD04AB8700@SFMAIL02.tealeaf.com>
References: <771A26039D33ED489E23D9614DE630DD04AB8700@SFMAIL02.tealeaf.com>
Message-ID:

I can't remember if Symantec Ghost accesses the drive as read-only, preserving the last access time, but doing a copy that does is quite trivial to do.

Take the hard-drive out, connect it through a read-only interface and copy everything. Such interfaces are easy to find - any law enforcement department will have a couple of them since they must use them to gather data from "evidence hard drive". Contacting their provider, or even building your own...

I guess that the "third-party computer-security consultant" wrote something in the order of "the last-access time was not changed by the thief activities" in the report and it was interpreted as "not accessed".

As a thief, this would be one of the easiest ways to "gather data" without having it changed / reported by the corporation.

On 1/26/07, Max Hozven wrote:
>
> Question:
> If the laptop was booted with a Symantec "Ghost" floppy, then imaged to
> a Ghost server, wouldn't this
> be undetectable, as no change of any type would be made to the laptop's
> hard disk?
>
> -Max
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org] On Behalf Of Dissent
> Sent: Friday, January 26, 2007 1:45 AM
> To: dataloss at attrition.org
> Subject: [Dataloss] Stolen Boeing laptop is recovered
>
> http://seattletimes.nwsource.com/html/businesstechnology/2003541873_bizbriefs26.html
>
> A stolen Boeing laptop containing personal information on 382,000
> workers and retirees has been recovered.
>
> In an e-mail to employees, Senior Vice President Rick Stephens said
> Boeing and a third-party computer-security consultant had confirmed that
> the files with personally identifiable information were not accessed
> after the theft.
>
> [...]
>
> --
> Privacy-related news and resources: http://www.pogowasright.org
> Privacy news headlines feed:
> http://www.pogowasright.org/backend/pogowasright.rss
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss Tracking more than 145 million compromised
> records in 547 incidents over 7 years.
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 145 million compromised records in 547 incidents over 7
> years.
>
>

--
Pascal Charest, OpenSource Consultant.
http://blog.pacharest.com

From roy at rant-central.com Sat Jan 27 12:37:25 2007
From: roy at rant-central.com (Roy M. Silvernail)
Date: Sat, 27 Jan 2007 12:37:25 -0500
Subject: [Dataloss] Stolen Boeing laptop is recovered
In-Reply-To:
References: <771A26039D33ED489E23D9614DE630DD04AB8700@SFMAIL02.tealeaf.com>
Message-ID: <45BB8DD5.8020005@rant-central.com>

Pascal Charest wrote:
> I can't remember if Symantec Ghost accesses the drive as read-only,
> preserving
> the last access time, but doing a copy that does is quite trivial to do.
>
> Take the hard-drive out, connect it through a read-only interface and copy
> everything. Such interfaces are easy to find - any law enforcement
> department will have a couple of them since they must use them to gather
> data from "evidence hard drive". Contacting their provider, or even
> building your own...

Or boot the box from your choice of Linux live CDs, plug in a large external USB drive and do 'dd if=/dev/hda of=/mnt/sda1/chump_dump.img bs=1M'. As you say, trivial.

> I guess that the "third-party computer-security consultant" wrote something
> in the order of "the last-access time was not changed by the thief
> activities" in the report and it was interpreted as "not accessed".

I'd bet that *all* of the "data was not accessed" reports are due to this.

> As a thief, this would be one of the easiest ways to "gather data" without
> having it changed / reported by the corporation.

Indeed.
--
Roy M. Silvernail is roy at rant-central.com, and you're not
"It's just this little chromium switch, here." - TFT
CRM114->procmail->/dev/null->bliss
http://www.rant-central.com

From lyger at attrition.org Sat Jan 27 17:36:42 2007
From: lyger at attrition.org (lyger)
Date: Sat, 27 Jan 2007 17:36:42 -0500 (EST)
Subject: [Dataloss] Louisiana: Used Desk Contained Names & SSNs Of Former Bank Employees
Message-ID:

http://www.ksla.com/Global/story.asp?S=5996702&nav=0RY5

A warning to current Chase and former Bank One employees. Your name and social security number could have been left on a spreadsheet which was left on a desk bought by a Bossier City woman.

[...]

Among the things found, a notebook with bank employees names and extensions as well as a spreadsheet, 165 pages long containing over 4,100 employee names and Social Security Numbers. All were inside this desk which came from inside the former Bank One which in July of 2005 became what is now Chase bank.

[...]

From blitz at strikenet.kicks-ass.net Sat Jan 27 18:24:28 2007
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Sat, 27 Jan 2007 18:24:28 -0500
Subject: [Dataloss] Stolen Boeing laptop is recovered
In-Reply-To:
References: <771A26039D33ED489E23D9614DE630DD04AB8700@SFMAIL02.tealeaf.com>
Message-ID: <7.0.1.0.2.20070127180740.042d9cb0@strikenet.kicks-ass.net>

As a thief, this would be one of the easiest ways to "gather data" without having it changed / reported by the corporation.

Not only that, but he could then return it, even claim a reward, and profit even more. The company then reports, "It's been recovered!!! Hooray", we don't have to spend a lot of money and of course it wasn't accessed, so no reporting necessary, nor the costs of alerting victims.

In an appropriate time, data starts turning up, and people start getting victimized, and not being alerted on the first occurrence, they're in a quandary of how their PII got into the hands of the criminal-class.

I suspect this occurs a LOT, and contributes to difficulty of legal tracking and consumers rights being avenged in a court of law, but hey, what the hell, like Scott McNeily of Oracle said, "You have no privacy, get over it!"

What he fails to mention is he and his minions are profiting handsomely from violating your privacy, massively.

It's going to take REAL privacy legislation, even better than what the EU has, and a few Corporate clones doing some hard time before they will take it seriously.

As I've said for so long, there's entirely TOO MANY faceless, shadowy corporations keeping our most personal information on file and for what reasons, not disclosed to us. They should be put out of business, period, and the remaining ones should be operated under Draconian privacy measures, including full access by the citizenry to check and dispute entries with the power of the law on the citizens' side!

Marc

From lyger at attrition.org Sun Jan 28 01:53:26 2007
From: lyger at attrition.org (lyger)
Date: Sun, 28 Jan 2007 01:53:26 -0500 (EST)
Subject: [Dataloss] EIU computer, IDs stolen
Message-ID:

http://www.jg-tc.com/articles/2007/01/28/news/news001.txt

Letters have been distributed to approximately 1,400 Eastern Illinois University students, notifying them that confidential information, including their Social Security numbers, was stored on a desktop computer recently stolen from the university's Student Life office.

The stolen files include the membership rosters and other data from the university's 23 fraternities and sororities.

[...]
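The Boeing laptop thread above (Max Hozven, Pascal Charest and Roy Silvernail) turns on whether a consultant can conclude from unchanged last-access times that files were never read. The Python script below is an added example, not code from any participant in the thread: it writes a constructed sample file, backdates its access time, reads it once through Linux's O_NOATIME open flag and once through an ordinary open, and reports whether the access timestamp moved. The O_NOATIME read leaves the timestamp exactly where it was, and a whole-disk copy made through a write blocker or from a live CD (as described in the thread) never goes through the filesystem at all, so an unchanged atime cannot by itself support a "not accessed" finding. The file name, its contents and the directory are all constructed for the demonstration.

```python
"""Added example: an unchanged last-access time does not prove that a file on
a recovered laptop was never read.  Not code from the mailing-list thread."""
import os
import tempfile


def read_whole_file(path, preserve_atime):
    """Read a file; with preserve_atime=True ask the kernel (Linux O_NOATIME)
    not to update the access timestamp.  On platforms without O_NOATIME the
    flag is absent and the ordinary read path is used."""
    flags = os.O_RDONLY
    if preserve_atime:
        flags |= getattr(os, "O_NOATIME", 0)
    fd = os.open(path, flags)
    try:
        chunks = []
        while True:
            chunk = os.read(fd, 1 << 16)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def make_sample_file(directory):
    """Write a constructed sample file and set its atime one day behind its
    mtime, so that even a relatime mount would bump atime on a normal read."""
    path = os.path.join(directory, "employee_export.csv")  # constructed name
    with open(path, "wb") as fh:
        fh.write(b"name,ssn\nConstructed Person,000-00-0000\n")  # constructed data
    st = os.stat(path)
    old_atime_ns = st.st_mtime_ns - 24 * 3600 * 10**9
    os.utime(path, ns=(old_atime_ns, st.st_mtime_ns))
    return path


def atime_changed_by_read(preserve_atime):
    """Return True if reading the sample file moved its access timestamp."""
    with tempfile.TemporaryDirectory() as directory:
        path = make_sample_file(directory)
        before = os.stat(path).st_atime_ns
        data = read_whole_file(path, preserve_atime)
        assert data.startswith(b"name,ssn")  # the copy is complete either way
        after = os.stat(path).st_atime_ns
        return after != before


def noatime_supported():
    """True where the platform exposes O_NOATIME (Linux)."""
    return hasattr(os, "O_NOATIME")


def access_evidence_report():
    """Summarise what a last-access-time check can and cannot show."""
    return {
        "noatime_supported": noatime_supported(),
        "normal_read_changed_atime": atime_changed_by_read(False),
        "noatime_read_changed_atime": atime_changed_by_read(True),
    }


if __name__ == "__main__":
    for key, value in access_evidence_report().items():
        print(f"{key}: {value}")
```

On a relatime or strictatime mount the ordinary read reports True and the O_NOATIME read False; on a mount with noatime both report False, which is the same picture an investigator sees after a competent copy. For an incident responder the useful conclusion is the one the thread reaches: file timestamps on a recovered disk only rule out the clumsiest kind of access, and a "files were not accessed" statement needs a different basis.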
From Dissent at pogowasright.org Mon Jan 29 08:21:17 2007
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 29 Jan 2007 08:21:17 -0500 (EST)
Subject: [Dataloss] Salina Regional Health Center
Message-ID:

http://www.saljournal.com/?module=displaystory&story_id=9386&format=html

A laptop computer containing the names, social security numbers and medical history of up to 1,100 patients is missing, putting them at risk for identity theft, and Salina Regional Health Center officials are offering a $2,000 reward for the laptop's return.

The hospital's computer was stolen along with a docking station, printer, overhead projector and other computer equipment, plus a small amount of prescription drugs, from the office of Veridian Behavioral Health, 501 S. Santa Fe., Suite 300, earlier this month.

[...]
--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From SSteele at infolocktech.com Mon Jan 29 10:15:24 2007
From: SSteele at infolocktech.com (Sean Steele)
Date: Mon, 29 Jan 2007 10:15:24 -0500
Subject: [Dataloss] Stolen Boeing laptop is recovered
Message-ID: <90D8CEF754D7D9448BA11172BB50443204921FF3@orange.brnets.int>

> What [Scott McNeilly of Oracle] fails to mention is he and his minions are
> profiting handsomely from violating your privacy, massively.

Marc, I'm not sure I follow this comment. How exactly are they a) violating my privacy and b) profiting from it?

Truly, I'm just interested in digging into your train of thought on this one...

-Sean

From bkdelong at pobox.com Mon Jan 29 10:23:06 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Mon, 29 Jan 2007 10:23:06 -0500
Subject: [Dataloss] Stolen Boeing laptop is recovered
In-Reply-To: <7.0.1.0.2.20070127180740.042d9cb0@strikenet.kicks-ass.net>
References: <771A26039D33ED489E23D9614DE630DD04AB8700@SFMAIL02.tealeaf.com> <7.0.1.0.2.20070127180740.042d9cb0@strikenet.kicks-ass.net>
Message-ID:

On 1/27/07, blitz wrote:
> I suspect this occurs a LOT, and contributes to difficulty of legal
> tracking and consumers rights being avenged in a court of law, but hey, what
> the hell, like Scott McNeily of Oracle said, "You have no privacy, get over
> it!"
> What he fails to mention is he and his minions are profiting handsomely
> from violating your privacy, massively.

That would be Scott McNealy from Sun:
http://www.wired.com/news/politics/0,1283,17538,00.html

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From adam at homeport.org Mon Jan 29 12:59:17 2007
From: adam at homeport.org (Adam Shostack)
Date: Mon, 29 Jan 2007 12:59:17 -0500
Subject: [Dataloss] Bank sends woman 75,000 statements
Message-ID: <20070129175917.GA17734@homeport.org>

http://news.bbc.co.uk/2/hi/uk_news/scotland/north_east/6310633.stm

An Aberdeen woman who asked for her bank statement was sent those of 75,000 other customers.

Stephanie McLaughlan, 22, was shocked when Halifax Bank of Scotland (HBOS) sent her the unexpected financial details by mistake.
Via http://davi.poetry.org/blog/?p=1070

From blitz at strikenet.kicks-ass.net Mon Jan 29 15:27:41 2007
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Mon, 29 Jan 2007 15:27:41 -0500
Subject: [Dataloss] Stolen Boeing laptop is recovered
In-Reply-To:
References: <771A26039D33ED489E23D9614DE630DD04AB8700@SFMAIL02.tealeaf.com> <7.0.1.0.2.20070127180740.042d9cb0@strikenet.kicks-ass.net>
Message-ID: <7.0.1.0.2.20070129152648.0437bc28@strikenet.kicks-ass.net>

Sri, my bad...yes, SUN...lack of Caffeine no doubt...

At 10:23 1/29/2007, you wrote:
>On 1/27/07, blitz wrote:
>
>> I suspect this occurs a LOT, and contributes to difficulty of legal
>>tracking and consumers rights being avenged in a court of law, but hey, what
>>the hell, like Scott McNeily of Oracle said, "You have no privacy, get over
>>it!"
>> What he fails to mention is he and his minions are profiting handsomely
>>from violating your privacy, massively.
>
>That would be Scott McNealy from Sun:
>http://www.wired.com/news/politics/0,1283,17538,00.html
>
>--
>B.K. DeLong (K3GRN)
>bkdelong at pobox.com
>+1.617.797.8471
>
>http://www.wkdelong.org Son.
>http://www.ianetsec.com Work.
>http://www.bostonredcross.org Volunteer.
>http://www.carolingia.eastkingdom.org Service.
>http://bkdelong.livejournal.com Play.
>
>
>PGP Fingerprint:
>38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
>
>FOAF:
>http://foaf.brain-stream.org
>

From Dissent at pogowasright.org Mon Jan 29 17:23:13 2007
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 29 Jan 2007 17:23:13 -0500 (EST)
Subject: [Dataloss] Mendoza College of Business at the University of Notre Dame
Message-ID:

Note: This is a different breach than the U. of Notre Dame breach reported at the beginning of the month.

The hyperlinked notification letter is at http://www.technologyreview.com/media/notre_dame.pdf

-- Dissent.

http://www.technologyreview.com/blog/posts.aspx?id=17512&author=garfinkel

Last week I got a letter in the mail from the Mendoza College of Business at the University of Notre Dame. Apparently, the school had put information about me, including my social-security number (SSN) and demographic information, on the Internet. "We have no evidence to date that this information was used inappropriately," the school wrote, but I might want to take "prudent ... precautions" by periodically checking my credit report with the three major bureaus.

What's so infuriating about this is that I never had anything to do with the University of Notre Dame. In 2001, I was thinking about going back to graduate school, so I took the GMAT, LSAT, and GRE exams. I checked off the boxes that said that my information could be forwarded to schools so that they could recruit me. A few schools contacted me, and that was that. Or so I thought.

It seems that the Graduate Management Admissions Council didn't just provide my test scores and demographic information: it also provided my SSN. But why did the Mendoza College of Business keep that information for six years? And how did it make it available on the Internet?

I called Notre Dame to find out what had happened and was told that a file of GMAT names, scores, SSNs, and other information had been inadvertently left on a computer that was decommissioned. At some later point in time this computer was turned back on and plugged into the Internet, and it made the files available through some kind of file-sharing program. Google picked up the files, indexed them, and added them to its archive.

How was this discovered? Somebody did a Google search on his or her own name and found the jackpot of personal information.
The woman I spoke with from Notre Dame said that the school had looked at the log files on the computer, and there were no other signs of access other than by the one person who had accessed his or her files. I'm not sure that this makes sense because she said that there was also no evidence that Google had accessed the files, and clearly Google had. Besides, if the information was cached by Google, bad guys could have downloaded it directly from the cache and avoided leaving traces at Notre Dame.

[...]

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss

From Dissent at pogowasright.org Mon Jan 29 18:50:48 2007
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 29 Jan 2007 18:50:48 -0500 (EST)
Subject: [Dataloss] VT: State computer hacked, thousands at risk
Message-ID:

http://www.wcax.com/Global/story.asp?S=6006557&nav=4QcS

A state computer containing the names, Social Security Numbers and bank account information for 70,000 Vermonters has been hacked into in an automated computer attack that puts their personal information at risk for misuse, the state revealed Monday.

Human Services Secretary Cynthia LaWare said there is no indication the information has been used illicitly, but she said it was possible. The state is planning to send letters to the affected individuals Tuesday and Wednesday urging them to monitor their bank accounts. It is also offering to pay for credit monitoring.

The Human Services computer was used as a tool to track non-custodial parents who owe back child support. The state and a number of banks exchanged financial information on the computer, which was taken out of service in early December after technicians discovered what they thought was a computer virus. It remains offline, officials said.

About 12,000 of the affected individuals owed back child support.
The rest of the names, about 58,800 people, were supplied to the state by the New England Federal Credit Union, which shared customer information with the understanding that only the data on child support debtors would be used. New England Federal CEO David Bard said his organization provided the extra names on two occasions, once in 2004 and once in 2005. The 58,800 names represented almost the entire membership of the Williston-based credit union, Bard said.

[...]

From lyger at attrition.org Mon Jan 29 21:29:44 2007
From: lyger at attrition.org (lyger)
Date: Mon, 29 Jan 2007 21:29:44 -0500 (EST)
Subject: [Dataloss] TJX: Class Action Suit
Message-ID:

http://www.earthtimes.org/articles/show/news_press_release,51744.shtml

Consumers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright Bring Class Action Suit for Loss of Credit Card Data; Filed by Berger & Montague, PC and Stern Shapiro Weissberg & Garin, LLP

The complaint charges that TJX was negligent for failing to maintain adequate computer data security of customer credit and debit card data, which was accessed and stolen by a computer hacker.

As a result of TJX's actions, customer information was stolen from TJX's computer network that handles a wide range of financial information for millions of customers, including credit cards, debit cards linked to checking accounts, and transactions for returned merchandise.

Although TJX discovered the data breach in mid-December 2006, it did not publicly announce the intrusion until one month later when it issued a press release on January 17, 2007. The delay harmed class members in that it prevented them from taking appropriate measures to protect their accounts.

[...]
From lyger at attrition.org Tue Jan 30 13:49:39 2007
From: lyger at attrition.org (lyger)
Date: Tue, 30 Jan 2007 13:49:39 -0500 (EST)
Subject: [Dataloss] Seattle VA breach?
Message-ID:

Sent to attrition.org staff, author's contact information redacted:

"My name is Frank and I heard on the news last week that there was a breach of privacy by the Seattle branch of the US Department of Veterans affairs. Apparently a car was broken into and files were removed. I am trying to verify this and have been unsuccessful. Can you help?"

Anyone out there have any info?

Lyger

From Dissent at pogowasright.org Tue Jan 30 14:13:02 2007
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 30 Jan 2007 14:13:02 -0500 (EST)
Subject: [Dataloss] Seattle VA breach?
In-Reply-To:
References:
Message-ID:

> Anyone out there have any info?
>
> Lyger

It didn't show up in my usual searches, but I found it once I knew to look for it:

http://www.kitsapsun.com/bsun/local/article/0,2403,BSUN_19088_5297644,00.html

Veterans' Info Stolen Out of Car
By JOSH FARLEY, jfarley at kitsapsun.com
January 22, 2007

BREMERTON A locked car that had folders of veterans' identifying information was burglarized late Wednesday in downtown Bremerton, according to the Bremerton Police Department and the Seattle office of the federal Department of Veteran's Affairs.

The government-owned vehicle was broken into at a parking garage at Burwell and Pacific, and four folders of veterans' information and a government cell phone were taken, the veterans' affairs office said.

Bremerton police is investigating the car theft and the veterans office "is taking aggressive steps to protect and assist those who may be potentially affected," according to a press release. Letters are being sent to the veterans which include information about obtaining a free credit check.
"The director's office is also reviewing policies and procedures to ensure they were followed," the press release said, "and will make whatever changes may be necessary to bolster the safeguarding of veterans' private information."

From Dissent at pogowasright.org Wed Jan 31 19:12:20 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 31 Jan 2007 19:12:20 -0500 (EST)
Subject: [Dataloss] Luxury Dealership Customers Id Theft
Message-ID:

http://cbs4.com/consumer/local_story_031172038.html

MIAMI GARDENS - Customers of a North-Dade luxury auto dealership have been warned that their identities, bank accounts, even social security numbers may have been compromised.

CBS4 News has learned that there's a criminal probe underway into what happened at the Warren Henry automotive group, after a woman walked in off the street and took off with a box of sensitive customer data.

[...]

While another woman was engaged in conversation with sales personnel, the suspect made her way to a back office and grabbed a box containing the sensitive financial data of dozens of customers who'd recently purchased fancy cars from the high-end dealer.

The sources also say it's believed the document heist was well orchestrated as the woman knew where to go and what to grab. They even had a getaway car waiting for them, without a license tag on the back so they couldn't be tracked.

As a result of the theft, Warren Henry has had to contact dozens of customers to let them know their bank accounts, credit, and other personal information may have been compromised.

[...]