From lyger at attrition.org Tue Jul 3 14:23:40 2007
From: lyger at attrition.org (lyger)
Date: Tue, 3 Jul 2007 14:23:40 +0000 (UTC)
Subject: [Dataloss] FL: Fidelity says 2.3 million records stolen
Message-ID:

http://www.foxnews.com/story/0,2933,287862,00.html

Fidelity National Information Services, a financial processing company, said Tuesday a subsidiary's employee stole 2.3 million consumer records containing credit card, bank account and other personal information.

The employee sold the information to a data broker who sold it to several direct marketing companies, but the data was not used in identity theft or other fraudulent financial activity, Fidelity said in a statement.

[...]

From lyger at attrition.org Tue Jul 3 16:46:33 2007
From: lyger at attrition.org (lyger)
Date: Tue, 3 Jul 2007 16:46:33 +0000 (UTC)
Subject: [Dataloss] (update) Fidelity National Information Services Announces Misappropriation...
Message-ID:

(More details than you can shake a stick at. It should also be noted that the "Fidelity" in this instance is NOT related to Fidelity Investments or their subsidiary, National Financial.)

http://money.cnn.com/news/newsfeeds/articles/prnewswire/CLTU02603072007-1.htm

Fidelity National Information Services, Inc., announced today that its subsidiary, Certegy Check Services, Inc. ("Certegy"), a service provider to U.S. retail merchants, based in St. Petersburg, Florida, was victimized by a former employee who misappropriated and sold consumer information to a data broker who in turn sold a subset of that data to a limited number of direct marketing organizations. The incident does not involve any outside intrusion into, or compromise of, Certegy's technology systems.

"As a result of this apparent theft, the consumers affected received marketing solicitations from the companies that bought the data," said Renz Nichols, President of Certegy Check Services. "We have no reason to believe that the theft resulted in any subsequent fraudulent activity or financial damage to the consumer, and we are taking the necessary steps to see that any further use of the data stops."

Background

Certegy maintains bank account information in connection with its check authorization business that helps merchants to decide whether to accept checks as payment for goods and services. In addition, Certegy maintains check and credit card information in connection with its gaming operations that are designed to assist casinos in providing their customers with access to funds.

This theft came to light when one of Certegy's retail check processing customers alerted Certegy to a correlation between a small number of check transactions and the receipt by the retailer's customers of direct telephone solicitations and mailed marketing materials. Certegy launched an immediate investigation and was unable to detect any breach of its security systems and, thereafter, engaged a forensic investigator to validate its findings. Unable to detect any compromise in its firewalls and other system security measures, Certegy requested that the U.S. Secret Service contact the marketing companies in question to trace the source of the data.

The Secret Service was able to identify the company supplying the information and, with further assistance from Certegy, determined that the company was owned and operated by a Certegy employee. The employee was a senior level database administrator who was entrusted with defining and enforcing data access rights. To avoid detection, the technician removed the information from Certegy's facility via physical processes; not electronic transmission.

[...]

From cwalsh at cwalsh.org Thu Jul 5 17:42:11 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 5 Jul 2007 12:42:11 -0500
Subject: [Dataloss] New GAO Report on Data Breaches and ID Theft
In-Reply-To:
References:
Message-ID: <20070705174206.GA32175@cwalsh.org>

The Government Accountability Office today released our report on data breaches, identity theft, and breach notification, entitled "Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown." The report can be accessed at http://www.gao.gov/new.items/d07737.pdf.

From lyger at attrition.org Thu Jul 5 23:30:36 2007
From: lyger at attrition.org (lyger)
Date: Thu, 5 Jul 2007 23:30:36 +0000 (UTC)
Subject: [Dataloss] NM: Highlands Alerts 420 Students To Possibility Of ID Theft
Message-ID:

http://www.koat.com/news/13629937/detail.html

Highlands University has notified 420 students that a break-in on campus could subject them to identity theft.

An e-mail to the students told them a building on the Highlands campus had been broken into, and that affected offices might have had such personal information as Social Security numbers and credit card and bank account information.

[...]

From lyger at attrition.org Sun Jul 8 04:22:14 2007
From: lyger at attrition.org (lyger)
Date: Sun, 8 Jul 2007 04:22:14 +0000 (UTC)
Subject: [Dataloss] A downslide... has it finally happened?
Message-ID:

It's the 8th of July. In the past, we've (as in attrition.org) averaged about one reported data loss incident every day since the beginning of the year. As of now, we've had exactly two reported incidents since the beginning of this month. Not to say that other sources haven't seen them, but I'm personally enjoying the "vacation".

Has anyone else noticed the less-frequent public notifications? Just curious...

From d2d at attrition.org Mon Jul 9 14:43:48 2007
From: d2d at attrition.org (d2d)
Date: Mon, 9 Jul 2007 14:43:48 +0000 (UTC)
Subject: [Dataloss] CO: Girl Scouts council loses personal info in theft of tapes
Message-ID:

http://www.rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_5621147,00.html

The Girl Scouts Mile Hi Council has notified its members and their parents that they might be at risk for identity theft because of tapes stolen from a car June 27.

[..]

The tapes held personal information from the membership database, including names, addresses, phone numbers and the schools that members attend. Information from the years 2003-2007 is included in the membership database.

In addition, a small number of credit-card numbers and Social Security numbers from the Girl Scout camp and event registration database also were stolen, Jones reported.

[..]

From corygould at gmail.com Mon Jul 9 13:30:55 2007
From: corygould at gmail.com (Cory Gould)
Date: Mon, 9 Jul 2007 07:30:55 -0600
Subject: [Dataloss] Data destruction
Message-ID: <878dfe630707090630w28e23fc7ua47de658ec51cb58@mail.gmail.com>

Just wondering what others out there are using to destroy their media. We have a need to destroy both hard disk drives and magnetic tapes. We have investigated degaussing but I'm not comfortable with the process. I would much rather have the media physically destroyed.

Appreciate the input.

From lyger at attrition.org Mon Jul 9 18:46:55 2007
From: lyger at attrition.org (lyger)
Date: Mon, 9 Jul 2007 18:46:55 +0000 (UTC)
Subject: [Dataloss] Japan: Resona 'lost 980,000 customer records'
Message-ID:

http://www.yomiuri.co.jp/dy/national/20070710TDY02012.htm

Resona Bank announced Monday it had lost records, including receipts, containing personal information of about 980,000 clients at 27 branches.
Among the branches affected was the one in the Diet building housing the House of Representatives.

The bank said it had not received any reports of illegal use of the information or withdrawals of cash as the records did not contain customers' passwords. However, the information lost did include names, account numbers and transaction details, a bank official said.

[...]

From jericho at attrition.org Mon Jul 9 20:14:33 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 9 Jul 2007 20:14:33 +0000 (UTC)
Subject: [Dataloss] follow-up: Astroglide Data Loss Could Result In $18 Million Fine
Message-ID:

---------- Forwarded message ----------
From: Paul Ferguson

[snip]

In April 2007, Biofilm Inc. accidentally published on the Internet the names and addresses of over 200,000 customers who had requested a free sample of their popular sex lubricant Astroglide.

This blog post highlights the fact that the leaked data could serve as highly effective bait for targeted phishing attacks and other kinds of scams.

A full breakdown of numbers of requests for each state is released. These numbers are then used to estimate potential fines against Biofilm should state Attorneys General wish to get involved.

[snip]

More: http://paranoia.dubfire.net/2007/07/astroglide-data-loss-could-result-in-18.html

From lyger at attrition.org Mon Jul 9 23:17:35 2007
From: lyger at attrition.org (lyger)
Date: Mon, 9 Jul 2007 23:17:35 +0000 (UTC)
Subject: [Dataloss] OH: Thousands Of Personal Records Stolen In Carjacking
Message-ID:

http://www.newsnet5.com/news/13649077/detail.html

A carjacking that took place late last month led to the theft of thousands of records and the potential risk for identity theft.

The carjacking happened on West 25th Street two weeks ago. The thieves got away with the car and thousands of sensitive records, reported chief investigator Duane Pohlman.

[...]

Within the car was a computer memory stick filled with names and sensitive personal information on nearly 3,000 people who have received energy assistance from a county weatherization program.

"It contained their name, address, phone number and Social Security number," said Cuyahoga County director of development Paul Oyaski.

[...]

From jericho at attrition.org Tue Jul 10 06:38:43 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 10 Jul 2007 06:38:43 +0000 (UTC)
Subject: [Dataloss] follow-up: Employee tried to mask extent of latest VA data breach
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.govexec.com/story_page.cfm?articleid=37403

By Daniel Pulliam
GovExec.com
July 9, 2007

An information technology specialist at the Veterans Affairs Department misled investigators in an attempt to cover up the extent of a data breach early this year that jeopardized personal information on more than a million people, according to a recent audit report.

In an interview with auditors, the specialist gave inaccurate information about the Jan. 22 loss of an external computer hard drive from VA's Birmingham, Ala., research facility, the report from the department's inspector general stated. The information ended up in a press release about the incident, the investigators found.

The specialist also encrypted and deleted multiple files from his computer shortly after he reported the data missing, making it more difficult to determine what was stored on his desktop, the IG said. He initially denied this when confronted by investigators, the report said. But an IG computer forensic analysis prompted him to admit to taking actions to hide the extent of the missing data.

As of February, the IT specialist, who was not named in the report, had been placed on administrative leave pending the outcome of the investigation. The VA did not respond to requests for an update Monday on the specialist's employment status.

Michael Kussman, VA's undersecretary for health, concurred with the IG's recommendation that "appropriate administrative action [be] taken against the IT specialist for his inappropriate actions during the course of the investigation and for failing to properly safeguard personally identifiable information on his missing external hard drive." Kussman said the "target completion" date for this was Oct. 1, following a review of the evidence.

[..]

From hbrown at knology.net Tue Jul 10 13:23:15 2007
From: hbrown at knology.net (Henry Brown)
Date: Tue, 10 Jul 2007 08:23:15 -0500
Subject: [Dataloss] ID theft probe in Southern California
Message-ID: <46938843.2030308@knology.net>

I.D. Theft Probe Focuses On O.C. Car Dealership

(CBS) ORANGE, Calif. Investigators carted away 350 boxes of business records from an Orange car dealership as part of a probe into allegations that loan applications contained stolen identity information, an official said.

Orange County District Attorney's office spokeswoman Susan Schroeder said it could take months to go through the materials, such as loan records, computers and hard drives from Douglas Nissan of Orange.

The DA's office received complaints that "stolen ID was used to facilitate loan documents," Schroeder said.

She said she did not know if the allegations centered around individual customers who "all happened to shop" at Douglas or if any workers were involved.

As to the number of potential victims, Schroeder said, "It's just too early to tell."

"Basically what happened is that (party) A would come in for a loan document and fill it out with (party) B's information," she said.

The victim may never know about it unless something happens like a default in payments, she said.

The investigation began three months ago when the DA's office realized that a common thread in a rash of reports was Douglas Nissan, she said.

"We believe that thousands of applications possibly have stolen identification," Schroeder told reporters. "We're in the beginning process of the investigation and we'll be looking at this to determine how many identities were stolen to process false applications."

http://cbs2.com/local/local_story_191030940.html

From lyger at attrition.org Tue Jul 10 14:36:23 2007
From: lyger at attrition.org (lyger)
Date: Tue, 10 Jul 2007 14:36:23 +0000 (UTC)
Subject: [Dataloss] TN: Man sentenced to five years for ID theft
Message-ID:

(For those keeping score at home, this would be DL-0296 in the Data Loss Database: http://attrition.org/dataloss/dldos.html)

http://www.knoxnews.com/news/2007/jul/10/man-sentenced-five-years-id-theft/

NASHVILLE - A man convicted of trying to sell the Social Security numbers and other information for thousands of people to undercover agents was sentenced to five years in federal prison, authorities said.

Binyamin Schwartz, 29, of Oak Park, Mich., was convicted of identity theft, aggravated identity theft, access device fraud and wire fraud.

Schwartz gained access to the data in his work as a business software consultant for Sentry Insurance Company in Stevens Point, Wis., the U.S. Attorney's office in Nashville and the U.S. Secret Service announced in a news release.

[...]

From cwalsh at cwalsh.org Tue Jul 10 20:59:32 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 10 Jul 2007 15:59:32 -0500
Subject: [Dataloss] TN: Man sentenced to five years for ID theft
In-Reply-To:
References:
Message-ID: <20070710205919.GA28369@cwalsh.org>

Speaking of inside baseball -- Primary source doc courtesy of NY is at:

http://www.cwalsh.org/BreachInfo/primary_sources//pdfs/Sentry-20060628.PDF

On Tue, Jul 10, 2007 at 02:36:23PM +0000, lyger wrote:
>
> (For those keeping score at home, this would be DL-0296 in the Data Loss
> Database: http://attrition.org/dataloss/dldos.html)

From lyger at attrition.org Wed Jul 11 01:01:18 2007
From: lyger at attrition.org (lyger)
Date: Wed, 11 Jul 2007 01:01:18 +0000 (UTC)
Subject: [Dataloss] TJX, Polo Data Surfaces in Credit Card Bust
Message-ID:

(So which card breaches can be attributed to which company? Inquiring minds (and the GAO) want to know... ;) )

http://www.eweek.com/article2/0,1895,2156263,00.asp

After more than $75 million in bogus credit card charges, several Cuban nationals in Florida have been arrested with more than 200,000 credit card account numbers, many of which came from the TJX and Polo Ralph Lauren data breaches, according to U.S. Secret Service officials, commenting on the July 9 announced arrests.

The numbers were sent to the Florida defendants, who specialize in manufacturing bogus credit cards complete with embossing, logos, holograms and properly encoded magnetic strips, from a group of Eastern European residents who specialize in collecting the stolen credit card numbers, the Secret Service said.

That Eastern European group of fiduciary Fagans obtained those numbers from many different sources, but many of the numbers were traced back to two specific major retail data breaches: the 2006 TJX breach and a 2005 Polo Ralph Lauren breach, said a Secret Service case agent involved in the investigation and who asked that his name not be used.

[...]

From jericho at attrition.org Wed Jul 11 06:31:18 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 11 Jul 2007 06:31:18 +0000 (UTC)
Subject: [Dataloss] follow-up (Fidelity): The Cybercriminal Inside
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.forbes.com/business/2007/07/10/computer-security-internal-biz-biztech-cx_ag_0710mcafee.html

By Andy Greenberg
Forbes.com
07.10.07

The data breach that occurred at Fidelity National Information Services last week was a security professional's nightmare. And not just because of the amount of raw consumer data spilled onto the black market. By that measure, the 2.3 million users' files that were leaked can't compare with the 45 million customers' account information lost by retailer T.J. Maxx (nyse: TJX) just last January.

In Fidelity's case, the volume of the theft was less troubling than the source: one of the company's own staff. After the breach, Fidelity revealed that the culprit was an employee at the payment processing company, one whose job granted him access to the company's database.

In fact, data breaches that come from internal issues aren't unusual. According to Attrition.org's Data Loss Database, 104 of the 327 data breaches last year started inside companies, not in the hands of hackers. And Martin Carmichael, chief security officer at McAfee Software (nyse: MFE), says that internal data breaches are more likely than external attacks to reveal key private information.

But how to protect servers when every employee is a potential data thief? Carmichael spoke with Forbes.com about Fidelity's data debacle, how that company and other breach victims can recover, and the problem of controlling employees' access to data without paralyzing their performance altogether.

Forbes.com: How should a company like Fidelity have protected itself from a data breach?

Martin Carmichael: When we look at Fidelity, it's a common situation: Companies are focusing on the perimeter between the company network and the external network. In the press you read cases about hackers and Trojans that come in from the outside and devastate companies. But if you look at the statistics, that's not where the biggest losses occur. More often they happen when an inside person takes assets or information.

So many companies are focused on perimeter security, when they should be asking, "What does our infrastructure look like? What are we doing to assure compliance within the boundaries of our firewall?", looking at that internal structure as well as that external structure.

[..]

From lyger at attrition.org Wed Jul 11 14:58:48 2007
From: lyger at attrition.org (lyger)
Date: Wed, 11 Jul 2007 14:58:48 +0000 (UTC)
Subject: [Dataloss] RI: Information on hospital customers stolen from parked car
Message-ID:

http://ww2.wpri.com/Global/story.asp?S=6774054

A Rhode Island hospital is warning several dozen customers to watch their credit accounts after a briefcase containing customer information including Social Security numbers was stolen from a parked car.

Paperwork containing personal details from 79 customers of South County Hospital was left in a briefcase inside a car parked outside a Barnes & Noble store in Worcester, Mass., late last month, authorities said. Police say someone broke into the car and grabbed the briefcase.

The theft happened after an employee of Medical Bureau of Economics Inc., a Massachusetts firm that handles hospital billing, picked up documents from a Narragansett office on June 29. That batch of paperwork contained details including names, addresses, Social Security numbers, phone numbers and a summary of hospital accounts.

[...]

From lyger at attrition.org Wed Jul 11 15:23:00 2007
From: lyger at attrition.org (lyger)
Date: Wed, 11 Jul 2007 15:23:00 +0000 (UTC)
Subject: [Dataloss] (update) OH: 675,000 more names on stolen data tape
Message-ID:

http://www.columbusdispatch.com/dispatch/content/local_news/stories/2007/07/11/more_data.html

The number of people affected by missing state data more than doubled with the announcement today that Social Security numbers and other information on 675,000 additional taxpayers, former state workers, state vendors or others was on a backup computer tape stolen from an intern's car.

That brings to more than 1 million the number of people and entities affected by the June 11 theft, including state workers, their dependents, taxpayers and welfare recipients.

At a press conference, Gov. Ted Strickland announced that more people than first thought were among the groups affected.

[...]

From lyger at attrition.org Wed Jul 11 22:18:50 2007
From: lyger at attrition.org (lyger)
Date: Wed, 11 Jul 2007 22:18:50 +0000 (UTC)
Subject: [Dataloss] TX: Another A&M-CC professor misplaces students' information
Message-ID:

http://www.caller.com/news/2007/jul/11/another-m-cc-professor-misplaces-students-informat/

For the second time in two months, a Texas A&M University-Corpus Christi professor has misplaced information that includes students' social security numbers.

College of Business officials are investigating adjunct faculty member Terrell Dahlman's misplacing of a business law class roster containing the names and social security numbers of 49 students.

Dahlman took a class roster out of a notebook Monday during the Business Law 3310 second summer session course he teaches to confirm a student's presence in class, said Marshall Collins, assistant vice president for Marketing and Communications.

[...]

From dave at etiolated.org Wed Jul 11 23:17:11 2007
From: dave at etiolated.org (Dave)
Date: Wed, 11 Jul 2007 19:17:11 -0400
Subject: [Dataloss] CA: Disney Movie Club members victimized in latest data-breach horror show
Message-ID: <26fc42fe0707111617u48cc4ebbje0adc5c0143ac097@mail.gmail.com>

http://www.networkworld.com/community/?q=node/17416

An undisclosed number of Disney Movie Club members have received letters informing them that their credit-card information was sold by an employee of a Disney contractor to a federal agent as part of an undercover sting operation, Network World has learned.

The sting occurred sometime in May, while the letter - a copy of which was forwarded to Buzzblog by the security Web site attrition.org - is dated July 6. Why notification took that long is among this morning's unanswered questions (update below).

The latest in a seemingly endless string of data-breach incidents involving major organizations, this one is being pinned on a third-party contractor, Alta Resources, according to the letter signed, "John Flynn, for the Disney Movie Club." The address on the Disney Movie Club stationery matches that of an Alta Resources P.O. Box in Neenah, Wis., so I'm presuming the verbiage comes from Alta Resources.

[...]

Dave
http://etiolated.org

From jericho at attrition.org Thu Jul 12 10:35:01 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 12 Jul 2007 10:35:01 +0000 (UTC)
Subject: [Dataloss] fringe / UK: Banks caught dumping customers' personal details in public waste bins
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=467604&in_page_id=1770

11th July 2007

A 'horrifying' number of banks, shops and Government departments are said to be fuelling a £1.7billion a year crime racket by failing to protect people's privacy.
They have been caught dumping customers' details in public waste bins or leaving personal information for all to see online.

Their actions have prompted 24,000 complaints to privacy watchdogs, who said the lapses left customers wide open to identity theft.

Information commissioner Richard Thomas said: 'The roll call of banks, retailers, Government departments, public bodies and other organisations which have admitted serious security lapses is, frankly, horrifying.'

[..]

From lyger at attrition.org Fri Jul 13 11:38:28 2007
From: lyger at attrition.org (lyger)
Date: Fri, 13 Jul 2007 11:38:28 +0000 (UTC)
Subject: [Dataloss] CA: Confidential data revealed on Encinitas' Web site
Message-ID:

http://www.nctimes.com/articles/2007/07/13/news/coastal/3_22_297_12_07.txt

Credit card or checking account information and addresses for nearly 1,200 people who had enrolled in Encinitas' youth recreation programs was inadvertently posted on the city's Web site, officials said Thursday.

The data was in a public folder on the site for about three months before someone noticed the error, said Jace Schwarm, a risk manager for the city of Encinitas. She said the information was removed from the Web on June 26, immediately after the problem was reported.

While the data was online, no one from outside the city opened the folder that contained the files, Schwarm said.

[...]

From lyger at attrition.org Fri Jul 13 19:06:58 2007
From: lyger at attrition.org (lyger)
Date: Fri, 13 Jul 2007 19:06:58 +0000 (UTC)
Subject: [Dataloss] MO: MSD worker fired in security breach
Message-ID:

http://www.stltoday.com/stltoday/news/stories.nsf/stlouiscitycounty/story/33EFD47679FB1BAF862573170067720F?OpenDocument

The Metropolitan St. Louis Sewer District has fired an employee after executives learned the employee had downloaded Social Security numbers of about 1,600 current or former district employees to a home computer.
The Social Security numbers were part of a computer file the district uses to make sure workers get the proper pay. The employee had worked more than 10 years in the finance department.

Lance LeComb, a district spokesman, said the employee had insinuated to fellow workers that the file could be used to retaliate against the district if that person was disciplined for poor performance.

[...]

From lyger at attrition.org Sat Jul 14 20:22:58 2007
From: lyger at attrition.org (lyger)
Date: Sat, 14 Jul 2007 20:22:58 +0000 (UTC)
Subject: [Dataloss] (update) Disney alerts movie-club members to privacy breach
Message-ID:

http://www.orlandosentinel.com/business/orl-disneyclub1407jul14,0,534745.story

Credit-card information for an undisclosed number of Disney Movie Club members worldwide was reportedly offered for sale -- illegally -- by an employee of a sales account-processing company who was then arrested by federal agents.

Disney sent letters last week to an undisclosed number of members of its movie club, warning them that their names and addresses, and their credit cards' types, numbers and expiration dates, were in the hands of a suspect arrested in a federal undercover sting. One of Disney's warning letters, dated July 6, was forwarded to the Orlando Sentinel on Friday.

[.]

David Haltinner, 25, of Wisconsin was arrested in the case in Wisconsin on May 24 and charged in Nashville, Tenn., with a federal felony of access-device fraud, according to federal officials. Details of the criminal complaint are sealed, however, and officials of the U.S. Secret Service, which ran the sting, and the U.S. Attorney's Office in Nashville have declined to offer details so far.

[...]

From hbrown at knology.net Sun Jul 15 11:40:12 2007
From: hbrown at knology.net (Henry Brown)
Date: Sun, 15 Jul 2007 06:40:12 -0500
Subject: [Dataloss] follow up on Ohio State backup tape loss
Message-ID: <469A079C.9060105@knology.net>

From the Columbus Dispatch on July 14, 2007

http://tinyurl.com/yojy58

Workers on the state's new payroll and accounting system were told in April to remove Social Security numbers and other sensitive information from the main network but didn't do it, records released yesterday suggest.

As a result, the data ended up on a computer backup tape that was stolen late June 10 or early June 11 from a state intern's car, affecting more than 1 million people or businesses and costing the state an estimated $2.2 million so far.

...

Officials have said it was Miller who started the practice two or three years ago of sending backup data home nightly with interns on a rotating basis. The idea was to keep a copy of the data away from the office in case of a disaster, but the project policy last updated in April 2002 clearly said the information was to go home with the network administrator

...

From lyger at attrition.org Mon Jul 16 11:43:35 2007
From: lyger at attrition.org (lyger)
Date: Mon, 16 Jul 2007 11:43:35 +0000 (UTC)
Subject: [Dataloss] Alert for Visa card security
Message-ID:

Courtesy InfoSecNews (http://www.infosecnews.org/)

http://www.news.com.au/mercury/story/0,22884,22066995-5007221,00.html

By DAVID KILLICK
July 13, 2007

HUNDREDS of Tasmanian Visa card holders have been told to cut up their cards after a security breach in Sweden.

Computer tapes containing card holders' details nationwide were among items in a car stolen from a Swedish data processing company in May.

Many Australian financial institutions are affected, but only some are notifying customers.

Islandstate Credit Union has written to card holders this week warning them to cancel cards and to report unauthorised transactions.

"Your islandstate Visa card details may have been compromised on or after May 25, 2007, due to a possible data breach in Sweden," it says.

"As a precaution your Visa card needs to be cancelled and a new card issued."

Islandstate credit union spokeswoman Marsha Cadman said fewer than 5 per cent of the credit union's 80,000 customers were affected.

[...]

From hbrown at knology.net Mon Jul 16 12:09:25 2007
From: hbrown at knology.net (Henry Brown)
Date: Mon, 16 Jul 2007 07:09:25 -0500
Subject: [Dataloss] Follow up to Pfizer data loss / breach
Message-ID: <469B5FF5.7000401@knology.net>

From Newsday.com

Report: Pfizer waited weeks to notify employees of data breach

Pfizer Inc. let several weeks pass before informing 17,000 current and former employees that their personal information had been posted to the Internet, according to a letter from the company.

Connecticut Attorney General Richard Blumenthal released a copy of the letter Friday, telling The Day newspaper of New London that he will press Pfizer to explain the delay.

The data, which included Social Security numbers and some additional information, was discovered on April 18 when a computer consultant found sensitive information on a peer-to-peer network.

A Pfizer investigation determined the security breach had occurred about three weeks earlier when an employee's spouse used a company laptop computer to install unauthorized software and access a file-sharing network.

...

http://tinyurl.com/33habe

From MKEVHILL at aol.com Mon Jul 16 13:40:32 2007
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Mon, 16 Jul 2007 09:40:32 EDT
Subject: [Dataloss] UT: College puts private info on Net
Message-ID:

http://deseretnews.com/dn/view/0,1249,690192561,00.html

Barb, who asked that her last name not be used, frequently types her name into a search engine on the Internet to see where it might show up. It's one way to safeguard against identity theft.
What she found earlier this month shocked her. Barb, a Westminster College alumna, found her name and the names of about 100 other students, former and current, printed in two files along with each student's Social Security number.

"It was very alarming," she said.

The files were on a student Web server used by Westminster students. The server is provided as a service by the college mostly for students to store items such as class projects.

When Westminster was made aware of the situation, school executive director of communications Laura Murphy said the files were removed immediately. The college says it has taken several steps to remedy the situation and to determine what happened so there's no chance of a repeat.

Although the investigation was still continuing Saturday, Murphy said it appeared initially the posting of the Social Security numbers was the result of someone's innocent mistake. She also noted the files were not in an area easily accessible by non-students, she said. However, she said the situation was being taken seriously.

"We regret any inconvenience this may cause. We will do our best to make sure that information is safe-guarded," she said. "It's information that needs to be held in trust."

Murphy did not know how long that information may have been posted. Furthermore, she said all of the students on the list had been contacted and Westminster had agreed to pay for credit monitoring to make sure no one obtained critical personal information and was trying to use it.

As of Saturday there had been no reports of any of the information from the students on that list being compromised.

Mike

From lyger at attrition.org Mon Jul 16 18:34:28 2007
From: lyger at attrition.org (lyger)
Date: Mon, 16 Jul 2007 18:34:28 +0000 (UTC)
Subject: [Dataloss] Canada: Confidential patient data sent to wrong company in Manitoba
Message-ID:

http://www.pcworld.ca/news/article/44d1f36c0a01040800f0541de8a732f1/pg1.htm

A small Lockport, Manitoba-based distributor of herbal remedies has for the past 15 months been mistakenly receiving faxes containing confidential information belonging to hundreds of patients with Prudential Financial Inc.'s insurance group.

The data exposed in the breach -- and faxed to the company by doctors and clinics across the U.S. -- included the patients' Social Security numbers, bank details and health care information. So far, at least, efforts to deal with the issue appear to have failed, said Jody Baxmeyer, vice president of marketing at North Regent RX, the company that's been receiving the faxes.

The situation has been caused by North Regent's toll-free fax number, which is nearly identical to one used by Prudential to receive medical claims-related information from doctors, Baxmeyer said. In fact, the two numbers differ by only one digit, Baxmeyer said.

[...]

From lyger at attrition.org Mon Jul 16 23:43:49 2007
From: lyger at attrition.org (lyger)
Date: Mon, 16 Jul 2007 23:43:49 +0000 (UTC)
Subject: [Dataloss] (update) Missing TSA computer drive not protected
Message-ID:

http://www.star-telegram.com/464/story/170815.html

The Transportation Security Administration did not follow White House instructions to protect sensitive information on a computer hard drive containing bank and payroll data for 100,000 employees that was discovered missing, the agency acknowledged to Congress.

Authorities realized in May the storage device, an external hard drive, was missing from TSA headquarters. In a letter to Rep.
Ed Markey, D-Mass., the agency said the drive contained historical payroll data, Social Security numbers, dates of birth, addresses, time and leave data, bank account and routing information, and details about financial allotments and deductions. [.] The lack of any encryption means any computer user who connects the drive to a laptop or desktop PC can view all the information without any special software tools. [...] From d2d at attrition.org Tue Jul 17 13:26:31 2007 From: d2d at attrition.org (d2d) Date: Tue, 17 Jul 2007 13:26:31 +0000 (UTC) Subject: [Dataloss] CO: HACKER ATTACK $HOCK Message-ID: http://www.nypost.com/seven/07172007/news/nationalnews/hacker_attack_hock_nationalnews_chuck_bennett_and_c_j__sullivan.htm Hackers raided a poorly secured Western Union database and stole the personal data of more than 20,000 customers, including 1,300 New Yorkers, the wire-transfer company admitted yesterday. The thieves got names, addresses, phone numbers and complete credit-card information after a breach sometime in late May, according to a letter sent to customers by James Keese, Western Union's privacy officer. The data was held in an "offline" file not accessible through westernunion.com, said company spokeswoman Sherry Johnson. "We are not aware of any ID theft or any kind of fraudulent use that was made from this information," she said and added that the FBI is investigating the incident. [..] From cwalsh at cwalsh.org Wed Jul 18 02:28:50 2007 From: cwalsh at cwalsh.org (Chris Walsh) Date: Tue, 17 Jul 2007 21:28:50 -0500 Subject: [Dataloss] Breach, undetected since '05, exposes data on Kingston customers Message-ID: July 17, 2007 (Computerworld) -- A September 2005 security breach that remained undetected until "recently" may have compromised the names, addresses and credit card details of roughly 27,000 online customers of computer memory vendor Kingston Technology Company Inc. 
The Fountain Valley, Calif.-based company began sending letters to affected customers informing them of the incident last week. According to a spokesman, Kingston's IT team "detected irregularities" in the company computer systems at some unspecified point in time and -- along with a team of forensic computer experts -- began investigating the issues. It was not until after that probe was completed and a final report released on May 22 that Kingston could confirm the scope of the intrusion and its impact. "After confirming what data was accessed and who was affected, Kingston had to gather the appropriate contact information and arrange for consumer protection services and materials to notify the impacted consumers," the spokesman said. But the company did not offer details on how or when the breach was discovered and how long it waited to notify customers about the potential compromise of data. Kingston, which had $3 billion in sales last year, also did not offer any explanation on the nature and scope of the breach itself or why it remained undetected for so long. The spokesman added that the breach is believed to have been perpetrated by an external attacker. [...] http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9027220 From dave at etiolated.org Wed Jul 18 12:44:15 2007 From: dave at etiolated.org (Dave) Date: Wed, 18 Jul 2007 08:44:15 -0400 Subject: [Dataloss] LA: La. Security Breach Exposes Thousands To ID Theft Message-ID: <26fc42fe0707180544q7441cd69la9271b69cd559c78@mail.gmail.com> http://www.wdsu.com/news/13698832/detail.html In all, more than 80,000 names and Social Security numbers were accessible for perhaps as long as two years on an internal Internet website run by the Louisiana Board of Regents, the body that has oversight over HOW MANY students at WHICH universities.
"Well, it's a recipe for identity theft if you have a name, a Social Security number, a date of birth and an address, you can create an identity that will lead to fraudulently bilking credit cards, tampering with bank accounts and the like," the FBI's James Bernazzani said. "Additionally, someone can apply for a driver's license or other photo identification. They can make counterfeit checks. They can apply for a job. They can get an apartment. They can do any number of these things with your identity," FBI cyber expert Kristy Green said. Most of the network was password-protected, but the area containing the most potentially dangerous data, including thousands of student Social Security numbers, was not. [..] From lyger at attrition.org Wed Jul 18 21:48:16 2007 From: lyger at attrition.org (lyger) Date: Wed, 18 Jul 2007 21:48:16 +0000 (UTC) Subject: [Dataloss] IN: 50 students' personal information leaked onto the Internet Message-ID: http://www.purdueexponent.org/index.php?module=article&story_id=6432 Purdue University is informing 50 people who were students in spring 2002 or fall 2004 that a Web page containing information about them was inadvertently available on the Internet. During a scan for Social Security numbers, the files - which were no longer in use - were discovered on a computer server connected to the Internet. The files contained names and Social Security numbers of students who were enrolled in an industrial engineering 500-level course. The page has been removed, and letters are in the mail to those potentially affected. [...] 
From lyger at attrition.org Thu Jul 19 12:04:02 2007 From: lyger at attrition.org (lyger) Date: Thu, 19 Jul 2007 12:04:02 +0000 (UTC) Subject: [Dataloss] OH: Internal errors blamed for Franklin employees Social Security scare Message-ID: http://www.timesreporter.com/index.php?ID=70390 The Social Security numbers of 1,800 present and former Jackson Local Schools' employees were at risk of public access on a county-maintained Web site. The personal data is now secure, school officials said Wednesday, and foul play is not suspected. "We do not believe it was a hacker or anything sinister. We feel confident this was not the result of criminal activity, but an internal error," said Larry Morgan, superintendent of Stark County Schools and chairman of the Stark-Portage Area Regional Computer Consortium, also known as SPARCC. The consortium is one of 23 information technology centers across the state that provides record-keeping and fiscal and data-processing capabilities for school districts. The Social Security numbers were accessible on the SPARCC Web site, which keeps data for 28 school districts and two educational service centers in Stark and Portage counties. [...] From dave at etiolated.org Thu Jul 19 17:16:45 2007 From: dave at etiolated.org (Dave) Date: Thu, 19 Jul 2007 13:16:45 -0400 Subject: [Dataloss] TX: Texas State Site Leaks Personal Data In-Reply-To: <26fc42fe0707191014y2b99f66p39e8a429b6f8d234@mail.gmail.com> References: <26fc42fe0707191014y2b99f66p39e8a429b6f8d234@mail.gmail.com> Message-ID: <26fc42fe0707191016r6c7db99bn42062a0b9ba97a5b@mail.gmail.com> http://www.pcworld.com/article/id,134765-c,onlineprivacy/article.html Troy Aikman may not be happy about it, but the State of Texas has made his address and social security number available via the Internet. 
Sensitive information on Aikman, formerly a star quarterback with the Dallas Cowboys, and thousands of others is available on the Texas Secretary of State's SOSDirect Web site, according to Steven Peisner, the president of fraud prevention vendor Sellitsafe Inc., who has provided IDG News Service with a half-dozen examples of social security numbers he was able to obtain from the site. As government pushes more and more documents online, Texas is one of many state and local governments across the U.S. that is now struggling to remove sensitive information so that it cannot be misused by criminals. Peisner found social security numbers on tax liens and on loan agreement notifications filed with the state, called Uniform Commercial Code (UCC) financing statements. [..] Dave Etiolated Consumer\Citizen http://etiolated.org From lyger at attrition.org Fri Jul 20 13:16:41 2007 From: lyger at attrition.org (lyger) Date: Fri, 20 Jul 2007 13:16:41 +0000 (UTC) Subject: [Dataloss] SAIC Warns of Possible Data Breach Message-ID: http://www.chron.com/disp/story.mpl/ap/fn/4984717.html SAN DIEGO - Military support contractor SAIC said Friday the personal information of more than half a million people may have been compromised when the company did not encrypt the data before transmitting it over the Internet. SAIC said it has not found any evidence that the information -- which included combinations of names, addresses, birth dates, Social Security numbers and health information -- was accessed by unauthorized people, but warned that the possibility of a breach exists. SAIC said it has fixed the security problems and advised potentially affected people. [...]
From lyger at attrition.org Fri Jul 20 15:50:43 2007 From: lyger at attrition.org (lyger) Date: Fri, 20 Jul 2007 15:50:43 +0000 (UTC) Subject: [Dataloss] (SAIC update) 900, 000 health records possibly compromised Message-ID: http://www.armytimes.com/news/2007/07/military_saicdatabreach_070720w/ The personal health care records of close to 900,000 troops, family members and other government employees stored on a private defense contractor's nonsecure computer server were exposed to compromise, the company announced Friday. SAIC said the information, maintained under several Tricare health care contracts with the Defense Department, included combinations of names, addresses, Social Security numbers, birth dates and/or "limited health information in the form of codes." It was stored on a single, SAIC-owned, nonsecure server "at a small SAIC location" and was in some cases transmitted over the Internet in an unencrypted form. The information was exposed while being processed, the company said. Although SAIC announced the data breach Friday, the company acknowledged it has known about the problems since May 29, when U.S. Air Forces Europe notified SAIC that it had detected "an unsecure transmission of personal information concerning uniformed service members and other individuals," according to a SAIC press release. [...] From tim424 at gmail.com Fri Jul 20 16:01:04 2007 From: tim424 at gmail.com (tim424) Date: Fri, 20 Jul 2007 11:01:04 -0500 Subject: [Dataloss] SAIC responses, Q&A Message-ID: <2780924f0707200901q3fdcf019rbbe2944c1feaad22@mail.gmail.com> http://www.saic.com/response/ Tim From macwheel99 at sigecom.net Fri Jul 20 16:59:57 2007 From: macwheel99 at sigecom.net (Al Mac) Date: Fri, 20 Jul 2007 11:59:57 -0500 Subject: [Dataloss] Australia Banking Breach Message-ID: <6.2.1.2.1.20070720115641.02ec6db0@mail.sigecom.net> An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20070720/6120b322/attachment.html From lyger at attrition.org Fri Jul 20 23:45:55 2007 From: lyger at attrition.org (lyger) Date: Fri, 20 Jul 2007 23:45:55 +0000 (UTC) Subject: [Dataloss] (rant) What The Hell Was He Thinking? Message-ID: http://attrition.org/security/rant/z/privacy.html Fri Jul 20 17:40:29 EST 2007 Lyger and Jericho For those who haven't heard, a recent data loss incident involving the Louisiana Board of Regents was recently disclosed to the media. In short, about 80,000 Social Security numbers were inadvertently exposed over the internet, and the media seemed to be very quick in picking up on the story. An independent researcher by the name of Aaron Titus made this discovery, contacted a media source and made the disclosure. Fairly interesting. Here's the problem: Aaron Titus made a mistake. He asked for advice regarding responsible disclosure of a known vulnerability (i.e. an exposure of personal information in a public location), and then proceeded to ignore almost every bit of rational advice given to him. [..] Note that we redacted Aaron's email address in the email above. It is worth mentioning that we also redacted his work telephone number from the same email. We would really hate to invade his personal privacy since he values it so much, but with that said, why would a "privacy advocate" ask for advice regarding responsible disclosure, email us at attrition.org, receive our advice, and then do this: https://www.ssnbreach.org/ [...] From jericho at attrition.org Fri Jul 20 23:53:22 2007 From: jericho at attrition.org (security curmudgeon) Date: Fri, 20 Jul 2007 23:53:22 +0000 (UTC) Subject: [Dataloss] it wasn't just e-mailed data for the SAIC breach... Message-ID: http://www.saic.com/response/qa.html [..] The information was for work being done in connection with TRICARE, the health benefits program for the uniformed services, retirees and their families. 
The server was not behind a firewall and did not contain adequate password protections, which is in violation of SAIC policy. SAIC stopped using this server when security concerns were raised. [..] --- So the information was on an FTP server, not protected by firewall, and had inadequate passwords. Combine with that the fact they notified 580,000 people and this doesn't sound like the information "may" have been compromised... From lyger at attrition.org Sat Jul 21 19:06:26 2007 From: lyger at attrition.org (lyger) Date: Sat, 21 Jul 2007 19:06:26 +0000 (UTC) Subject: [Dataloss] MI: Hacker accesses personal information from U-M databases Message-ID: http://www.freep.com/apps/pbcs.dll/article?AID=/20070721/NEWS06/70721011/ The University of Michigan has notified 5,500 current and former students that a hacker gained access to personal information on two School of Education databases. University technology administrators noticed suspicious activity on a server on July 3 and the letters went out July 16. Kelly Cunningham, a university spokeswoman, said Saturday that the databases contained no financial information, such as credit card numbers, nor did they contain students' grades. The databases, however, did have names, addresses, some Social Security numbers and some birth dates, and in some cases, the school districts where former students were teaching. [...] From hbrown at knology.net Mon Jul 23 12:47:00 2007 From: hbrown at knology.net (Henry Brown) Date: Mon, 23 Jul 2007 07:47:00 -0500 Subject: [Dataloss] follow up on Ohio State dataloss Message-ID: <46A4A344.2000204@knology.net> From the Cincinnati Enquirer Firings follow data loss Report says cover-up hindered recovery COLUMBUS - A state tape containing confidential information on more than 800,000 Ohio residents might have been recovered if law enforcement had been notified sooner, Ohio Inspector General Thomas P. Charles said Friday.
In his 35-page investigative report, Charles said a supervisor encouraged a college intern to keep sensitive details from police, or the tape might have been recovered from the trash. Charles recommended disciplinary action. State officials immediately accepted the resignation of Ohio Administrative Knowledge System (OAKS) Project Manager David White, fired intern Jared Ilovar and terminated a consulting contract with two Compuware supervisors. "In hindsight, administrators we interviewed universally agreed that they should have notified the patrol and other authorities at least 48 hours earlier," the report said. "Contributing to the failure to notify the Highway Patrol and other state officials in a timely manner was a complete breakdown in the reporting chain." ... http://tinyurl.com/yoone4 From dave at etiolated.org Mon Jul 23 15:36:38 2007 From: dave at etiolated.org (Dave) Date: Mon, 23 Jul 2007 11:36:38 -0400 Subject: [Dataloss] CT: State works to purge Defelice data Message-ID: <26fc42fe0707230836q18a08cf6t12202e7581e09286@mail.gmail.com> Courtesy pogowasright.org http://www.nhregister.com/site/news.cfm?newsid=18602579&BRD=1281&PAG=461&dept_id=590581&rfi=6 State officials were working with Google experts Tuesday to try to remove from the Internet the Social Security numbers of about 100 former employees of now-defunct L.G. Defelice Inc. The legislature's Transportation Committee inadvertently posted the private identity information on a General Assembly Web site last week. Sen. Donald DeFronzo, D-New Britain, the committee's co-chairman, said the Social Security numbers were posted as part of documents the panel received from the Department of Transportation. He said DOT officials were supposed to have blacked out all private information. The committee asked for Defelice's payroll information in preparation for a series of legislative hearings on the controversial Interstate 84 project in Cheshire and Waterbury. 
Defelice is accused of committing widespread and costly construction errors, including more than 200 flawed storm drains. [...] http://etiolated.org From dave at etiolated.org Mon Jul 23 15:38:12 2007 From: dave at etiolated.org (Dave) Date: Mon, 23 Jul 2007 11:38:12 -0400 Subject: [Dataloss] NE: Information Compromised Message-ID: <26fc42fe0707230838p26e9b2cdj72cc44bfc7162474@mail.gmail.com> Courtesy pogowasright.org http://www.wowt.com/news/headlines/8612447.html Dozens of Cricket cell phone customers are being told that their credit card information has been stolen from a southwest Omaha store. The message from Cricket has the Christophersons worried about their debit card information. Cricket revealed that paperwork for cell phone purchases was taken from the store at 134th and West Center. Three hundred customers have been notified that their credit or debit card information has been stolen. [...] http://etiolated.org From d2d at attrition.org Mon Jul 23 20:02:51 2007 From: d2d at attrition.org (d2d) Date: Mon, 23 Jul 2007 20:02:51 +0000 (UTC) Subject: [Dataloss] US: Fox News security hole exposes 1.5 million users' personal information Message-ID: * Disclaimer: This source isn't what we'd consider 'mainstream' http://wikinewsreports.blogspot.com/2007/07/fox-news-security-hole-exposes-15.html A security hole on the Fox News web server Sunday exposed sensitive content to the public, including login information that allowed hackers to access names, phone numbers, and email addresses of at least 1.5 million people. Wikinews.org has learned that an FTP server belonging to publishing company Ziff-Davis could be accessed with a username and password found on the Fox News site, with customer details among the internal data publicly available. 
The FTP site, used for collaboration between different global aspects of Ziff-Davis business, contains data ranging from expense sheets to resumes to opt-out lists used by customers who wish to avoid receiving unsolicited emails. Many of the compromised files make reference to Acxiom, a data management company that in 2003 experienced a similar theft of personal information. It is not believed that the files exposed by the Fox News oversight contain customer Social Security numbers or bank accounts, however, as was the case in the 2003 breach. However, telephone and address details appear included in the data. [..] From lyger at attrition.org Tue Jul 24 13:23:50 2007 From: lyger at attrition.org (lyger) Date: Tue, 24 Jul 2007 13:23:50 +0000 (UTC) Subject: [Dataloss] IN: Patient Information Exposed In Hospital Security Lapse Message-ID: http://www.theindychannel.com/news/13742066/detail.html A security lapse at St. Vincent Hospital in Indianapolis compromised the names, addresses and Social Security numbers of about 51,000 patients. St. Vincent notified patients by mail last week that personal information had been exposed, 6News' Cheryl Jackson reported. [.] St. Vincent officials said the problem happened when they subcontracted Verus Inc. to set up a program that would allow patients to pay bills online. "The Verus technician made a change to the Internet server, which left some of our patient information online, unprotected," said Johnny Smith, a spokesman for St. Vincent. [...] From hbrown at knology.net Tue Jul 24 14:35:45 2007 From: hbrown at knology.net (Henry Brown) Date: Tue, 24 Jul 2007 09:35:45 -0500 Subject: [Dataloss] medical data published on South Texas Web Site Message-ID: <46A60E41.5010009@knology.net> http://tinyurl.com/37xl5m Private medical information published on county Web site EDINBURG --
The names, Social Security numbers and treatment descriptions for 25 indigent patients were posted on the county's Web site for nearly two months before Hidalgo County officials took them down Monday. The information -- included in documents linked to Commissioners Court's May 29 meeting agenda -- specified medical procedures, costs and the personal information of those covered by the program. The information was removed from the county Web site Monday afternoon after The Monitor contacted county officials about the situation. Eduardo Olivarez, director of the county health and human services department, said he had no idea why the patients' personal information was published on the Web. He said the department is conducting an internal investigation into the matter. "I'm not sure how it got there," Olivarez said. "I apologize. I just don't know how it happened." The services delivered to the indigent patients were for emergency room visits between September 2003 and December 2004. ... From lyger at attrition.org Wed Jul 25 19:25:26 2007 From: lyger at attrition.org (lyger) Date: Wed, 25 Jul 2007 19:25:26 +0000 (UTC) Subject: [Dataloss] Fidelity Nat'l widens scope of theft Message-ID: http://money.cnn.com/news/newsfeeds/articles/newstex/AFX-0013-18404346.htm NEW YORK (AP) - Fidelity National Information Services Inc. (NYSE:FIS) believes a former employee stole 8.5 million consumer records from the check authorizing company, more than 3 times the original estimate, according to a regulatory filing Wednesday. In Wednesday's Securities and Exchange Commission filing, Fidelity said about 5.7 million of the records included checking account information and about 1.5 million included credit card records. The new estimate is an increase of about 3.5 million checking account records and about 1.4 million credit card records over original projections. The company said it continues to believe that the records were only used for marketing purposes. [...]
From lyger at attrition.org Thu Jul 26 13:03:08 2007 From: lyger at attrition.org (lyger) Date: Thu, 26 Jul 2007 13:03:08 +0000 (UTC) Subject: [Dataloss] UK: Security breach hits thousands Message-ID: http://icnewcastle.icnetwork.co.uk/chroniclelive/eveningchronicle/tm_headline=security-breach-hits-thousands&method=full&objectid=19522958&siteid=50081-name_page.html A COUNCIL computer blunder has led to a serious breach of security for credit and debit card holders on Tyneside. Police and security experts have been called in after details of thousands of people's cards were downloaded to an address which has been traced to the Middle East. As a result of the mistake, millions of financial records held by Newcastle City Council have been accessed and up to 54,000 individual card holders are affected. Information was placed in error on an open server site which could be accessed by outsiders instead of a secure network. The site was shut down as soon as the problem was discovered. [...] From lyger at attrition.org Thu Jul 26 17:26:45 2007 From: lyger at attrition.org (lyger) Date: Thu, 26 Jul 2007 17:26:45 +0000 (UTC) Subject: [Dataloss] Marines' personal data exposed on Web Message-ID: http://www.marinecorpstimes.com/news/2007/07/marine_data_exposed_070726/ Some Marines' personal information, including names and Social Security numbers, was inadvertently posted online recently, exposing more than 10,000 leathernecks to potential identity theft, the Corps announced. Under a research contract, Penn State University obtained from the Corps the personal information of Marines who had rifle range requalification records while attending Marine Corps Recruit Depot Parris Island, S.C., from January 2004 through December 2006. The data belonging to 10,554 Marines was "improperly posted" by Penn State, according to a Corps-wide message. [...]
From jericho at attrition.org Fri Jul 27 00:06:08 2007 From: jericho at attrition.org (security curmudgeon) Date: Fri, 27 Jul 2007 00:06:08 +0000 (UTC) Subject: [Dataloss] fringe follow-up: Police Say LifeLock Coerced Unusable Confession from Identity Theft Suspect Message-ID: ---------- Forwarded message ---------- From: Paul Ferguson Via Threat Level. [snip] A man who stole the identity of LifeLock co-founder Todd Davis won't face criminal charges, police say, because LifeLock stepped in before the police could finish investigating the crime and coerced the suspect into making a videotaped confession that isn't admissible in court. Davis, you'll recall, publishes his Social Security number on LifeLock's web site and in the company's TV commercials to demonstrate how effective the company is in protecting the identity of its customers. Back in June I disclosed that Davis himself had become a victim of identity theft after someone used his Social Security number to obtain a $500 loan. The news only added to the scrutiny and criticism the company was already facing over the questionable background of its other founder Robert Maynard, Jr., who subsequently resigned amid that other controversy. [snip] More: http://blog.wired.com/27bstroke6/2007/07/police-say-life.html From lyger at attrition.org Fri Jul 27 00:32:11 2007 From: lyger at attrition.org (lyger) Date: Fri, 27 Jul 2007 00:32:11 +0000 (UTC) Subject: [Dataloss] fringe follow-up: Police Say LifeLock Coerced Unusable Confession from Identity Theft Suspect In-Reply-To: References: Message-ID: This makes my night. You can lay down on only so many railroad tracks before your shoelace gets caught... On Fri, 27 Jul 2007, security curmudgeon wrote: ": " ": " ": " ---------- Forwarded message ---------- ": " From: Paul Ferguson ": " ": " Via Threat Level. 
": " ": " [snip] ": " ": " A man who stole the identity of LifeLock co-founder Todd Davis won't face ": " criminal charges, police say, because LifeLock stepped in before the ": " police could finish investigating the crime and coerced the suspect into ": " making a videotaped confession that isn't admissible in court. ": " ": " Davis, you'll recall, publishes his Social Security number on LifeLock's ": " web site and in the company's TV commercials to demonstrate how effective ": " the company is in protecting the identity of its customers. Back in June I ": " disclosed that Davis himself had become a victim of identity theft after ": " someone used his Social Security number to obtain a $500 loan. The news ": " only added to the scrutiny and criticism the company was already facing ": " over the questionable background of its other founder Robert Maynard, Jr., ": " who subsequently resigned amid that other controversy. ": " ": " [snip] ": " ": " More: ": " http://blog.wired.com/27bstroke6/2007/07/police-say-life.html From mhozven at tealeaf.com Fri Jul 27 00:36:38 2007 From: mhozven at tealeaf.com (Max Hozven) Date: Thu, 26 Jul 2007 17:36:38 -0700 Subject: [Dataloss] fringe follow-up: Police Say LifeLock Coerced Unusable Confession from Identity Theft Suspect In-Reply-To: Message-ID: <771A26039D33ED489E23D9614DE630DD06479845@SFMAIL02.tealeaf.com> Reminds me of a quote that a politician made a while back: "...bring 'em on." -Max -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger Sent: Thursday, July 26, 2007 5:32 PM To: dataloss at attrition.org Subject: Re: [Dataloss] fringe follow-up: Police Say LifeLock Coerced Unusable Confession from Identity Theft Suspect This makes my night. You can lay down on only so many railroad tracks before your shoelace gets caught... 
On Fri, 27 Jul 2007, security curmudgeon wrote: ": " ": " ": " ---------- Forwarded message ---------- ": " From: Paul Ferguson ": " ": " Via Threat Level. ": " ": " [snip] ": " ": " A man who stole the identity of LifeLock co-founder Todd Davis won't face ": " criminal charges, police say, because LifeLock stepped in before the ": " police could finish investigating the crime and coerced the suspect into ": " making a videotaped confession that isn't admissible in court. ": " ": " Davis, you'll recall, publishes his Social Security number on LifeLock's ": " web site and in the company's TV commercials to demonstrate how effective ": " the company is in protecting the identity of its customers. Back in June I ": " disclosed that Davis himself had become a victim of identity theft after ": " someone used his Social Security number to obtain a $500 loan. The news ": " only added to the scrutiny and criticism the company was already facing ": " over the questionable background of its other founder Robert Maynard, Jr., ": " who subsequently resigned amid that other controversy. ": " ": " [snip] ": " ": " More: ": " http://blog.wired.com/27bstroke6/2007/07/police-say-life.html _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 220 million compromised records in 734 incidents over 7 years. 
From jericho at attrition.org Fri Jul 27 08:39:43 2007 From: jericho at attrition.org (security curmudgeon) Date: Fri, 27 Jul 2007 08:39:43 +0000 (UTC) Subject: [Dataloss] .jp: Aflac Reports Laptop Detailing 152, 000 Clients Stolen Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.bloomberg.com/apps/news?pid=20601101&sid=afw8zxz12Koo By Hugh Son July 26, 2007 (Bloomberg) -- Aflac Inc., the world's largest seller of supplemental health insurance, said a laptop containing information on 152,000 customers in Japan was stolen from an employee of an insurance agency there. The laptop contained the clients' names, addresses, birth dates, and policy details, according to Laura Kane, a spokeswoman at Aflac's headquarters in Columbus, Georgia. It was used by a worker of Tokyo-based Tsusan Company and stolen on a commuter train July 17. Aflac wanted to send letters apologizing to policyholders before alerting the press, she said. ``All the information was encrypted and password-protected, so it would be very difficult for any third-party to access it,'' Kane said today. ``Obviously we've reported this to the police and they are making every effort to find the missing laptop.'' [..] From lyger at attrition.org Fri Jul 27 13:18:17 2007 From: lyger at attrition.org (lyger) Date: Fri, 27 Jul 2007 13:18:17 +0000 (UTC) Subject: [Dataloss] PA: 5, 000 student loan customers' info on stolen laptop Message-ID: http://www.post-gazette.com/pg/07208/804836-96.stm The theft of one laptop computer has resulted in compromising the personal information of more than 5,000 student loan customers. American Education Services -- the revenue-generating arm of the Pennsylvania Higher Education Assistance Agency -- has sent letters to 5,184 student loan customers telling them that their personal information was on a laptop stolen in a burglary at a subcontractor's headquarters in Livermore, Calif. 
The subcontractor is Vista Financial Inc., a subsidiary of Performant Financial Corp. The information, which was not encrypted, included name, address, phone number, e-mail address and Social Security number. [...] From d2d at attrition.org Fri Jul 27 13:36:46 2007 From: d2d at attrition.org (d2d) Date: Fri, 27 Jul 2007 13:36:46 +0000 (UTC) Subject: [Dataloss] WI: CESA breach Message-ID: Courtesy pogowasright.org http://privacy.wi.gov/databreaches/databreaches.jsp http://www.pogowasright.org/article.php?story=20070726163120167 "Wisconsin's Office of Privacy Protection is reporting a breach on July 23rd involving CESA affecting 300+ individuals including current employees, past employees, terminated employees and vendors. Information includes Name, Address, Date of Birth, Social Security Number, Bank Routing Info." From d2d at attrition.org Fri Jul 27 13:39:11 2007 From: d2d at attrition.org (d2d) Date: Fri, 27 Jul 2007 13:39:11 +0000 (UTC) Subject: [Dataloss] NY: City Harvest Says Donor Information Could Be At Risk After Security Breach Message-ID: ( note: NH disclosure letter shows over 700 in NH affected http://doj.nh.gov/consumer/pdf/cityharvest.pdf ) Courtesy, pogowasright.org http://www.ny1.com/ny1/content/index.jsp?stid=8&aid=72018 It's a charitable organization dedicated to reaching out to hungry New Yorkers, but after a potential breach of the organization's information system City Harvest is also reaching out to its donors with a warning that their personal information may have been compromised. "I would have to say that I was surprised. I wasn't expecting it," said Rajath Vikram, an assignment editor at NY1. Vikram received a letter from City Harvest that read in part, "We are currently investigating a potential improper access of systems that contained credit card information of our donors for donations made prior to April 25th 2007." [..] 
From chris at cwalsh.org Sat Jul 28 03:29:44 2007 From: chris at cwalsh.org (Chris Walsh) Date: Fri, 27 Jul 2007 22:29:44 -0500 Subject: [Dataloss] UK: Security breach hits thousands In-Reply-To: References: Message-ID: Some more details: A security blunder at Newcastle City Council has exposed the credit and debit card details of up to 54,000 people online. The breach was discovered on 19 July after the council hired an independent security expert to try and crack its systems. The security exercise found an encrypted file containing names, addresses, and credit and debit card numbers had been mistakenly placed on an insecure server. An internal investigation also revealed the file with all the card details had been accessed and uploaded to a computer IP address registered in Israel. Newcastle City Council claims there is no indication of any fraud on the affected cards. The file contained details of payments for council tax, business rates, parking fines and rents for more than a year between February 2006 and April 2007. The council has informed the banks, police and the Information Commissioner about the breach and said a full investigation into the security breach is underway. [...] http://software.silicon.com/security/0,39024655,39167978,00.htm On Jul 26, 2007, at 8:03 AM, lyger wrote: > > http://icnewcastle.icnetwork.co.uk/chroniclelive/eveningchronicle/ > tm_headline=security-breach-hits- > thousands&method=full&objectid=19522958&siteid=50081-name_page.html > > A COUNCIL computer blunder has led to a serious breach of security for > credit and debit card holders on Tyneside. > > Police and security experts have been called in after details of > thousands > of people's cards were downloaded to an address which has been > traced to > the Middle East. > > As a result of the mistake, millions of financial records held by > Newcastle City Council have been accessed and up to 54,000 > individual card > holders are affected. 
> > Information was placed in error on an open server site which could be > accessed by outsiders instead of a secure network. The site was > shut down > as soon as the problem was discovered. > > [...] > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 220 million compromised records in 734 incidents > over 7 years. From lyger at attrition.org Sun Jul 29 02:23:35 2007 From: lyger at attrition.org (lyger) Date: Sun, 29 Jul 2007 02:23:35 +0000 (UTC) Subject: [Dataloss] CA: Yuba County data stolen Message-ID: http://www.appeal-democrat.com/news/county_51837___article.html/information_brown.html Yuba County scrambled this week to contact 70,000 people whose names and personal information were on a laptop computer stolen from the new Child Support Services office in Linda. County officials said the stolen laptop contained Social Security numbers, birth dates, driver's license numbers and other private information on 70,000 people, including 30,000 children, whose cases were opened prior to May 2001. The laptop was being used as a backup system for the county's computer system, said county spokesman Russ Brown. The computer requires double passwords for access, so officials are hoping the information inside remains safe. [...] From lyger at attrition.org Sun Jul 29 03:02:37 2007 From: lyger at attrition.org (lyger) Date: Sun, 29 Jul 2007 03:02:37 +0000 (UTC) Subject: [Dataloss] VA: Virginia Beach Employees' Identities Compromised After Fraud Investigation Message-ID: http://www.wtkr.com/Global/story.asp?S=6850947 Virginia Beach investigators are urging certain school and city employees to be on the look out for any sign of identity theft after a police investigation revealed compromised personal information from a benefit plan. On Tuesday, police went to a house in the 3000 block of Glastonbury Drive in Virginia Beach. 
There, they found a list with names and social security numbers of school employees. A former school employee who had this information has been charged with prescription fraud. Virginia Beach school spokeswoman Nancy Socia says about 2,000 employees with the city and the school system are affected. It is an optional plan that employees can enroll in. [...]