From lyger at attrition.org Fri Jun 1 17:05:44 2007 From: lyger at attrition.org (lyger) Date: Fri, 1 Jun 2007 17:05:44 +0000 (UTC) Subject: [Dataloss] CA: Fresno County searches for disk with employees' personal info Message-ID: http://www.fresnobee.com/384/story/51223.html County officials are looking for a missing computer disk that contained the names, addresses, Social Security numbers and other personal information of thousands of home health care workers and their clients. The disk was lost last week after the county sent it by courier to a software vendor's office in San Jose to determine workers' eligibility for health care benefits, county officials said. "We've been doing this for three years and there has never been a glitch. But it's missing and we don't know what happened," said Kristin Bengyel, executive director of the county's program that oversees 10,000 home-care workers. [...] From d2d at attrition.org Fri Jun 1 20:43:00 2007 From: d2d at attrition.org (d2d) Date: Fri, 1 Jun 2007 20:43:00 +0000 (UTC) Subject: [Dataloss] FL: Credit union paying for ID theft protection after info error Message-ID: http://charlotte.bizjournals.com/jacksonville/stories/2007/05/28/daily24.html Jax Federal Credit Union is paying for two years' worth of identity theft protection for thousands of its members after their Social Security numbers ended up on the Internet. JFCU, which has about 36,000 members, was transmitting information to a printer for a preapproved auto loan mailing when the information was picked up by Google from the printer's Web site. JFCU normally transmits information on an encrypted disk delivered by courier, but when the printer couldn't open the disk, the information was sent again, but wasn't encrypted and included Social Security numbers and account numbers. "Our procedures weren't followed and errors were made and unfortunately there was some exposure," said Angie Coleman-Rao, vice president of marketing for JFCU. The credit union notified Google, which removed the file and all references to it, and doesn't think anyone gained access to the information. But JFCU is offering two years of identity theft protection from LifeLock to each of the nearly 7,500 members whose information was on the file. The service normally costs $110 a year, though JFCU was able to get a discount. [...] From d2d at attrition.org Sat Jun 2 00:09:43 2007 From: d2d at attrition.org (d2d) Date: Sat, 2 Jun 2007 00:09:43 +0000 (UTC) Subject: [Dataloss] GB: Bank loses details on 62,000 customers in post Message-ID: http://www.theherald.co.uk/news/news/display.var.1443290.0.0.php Financial details of thousands of bank customers have been lost in the post. Bank of Scotland yesterday apologised to 62,000 customers after it confirmed that their mortgage details have been reported missing. A computer disc containing details of the mortgage accounts failed to reach the main credit reference agencies for a routine monthly update. The bank said the disc, which was sent in the normal post with Royal Mail, has been reported as a lost item but claimed it was "almost impossible" that any financial fraud could be committed with the limited information held on the disc. It contains the names, addresses, dates of birth and mortgage account numbers of each customer, but does not include bank account details, PINs, passwords or bank transaction information. [..] From lyger at attrition.org Sat Jun 2 02:50:25 2007 From: lyger at attrition.org (lyger) Date: Sat, 2 Jun 2007 02:50:25 +0000 (UTC) Subject: [Dataloss] IL: NU Contacting 4,000 After Security Breach Message-ID: http://cbs2chicago.com/local/local_story_152220639.html Northwestern University is attempting to contact about 4,000 students and applicants after it was discovered that files containing their personal information had become available online, the school said Friday. The personal information was stored on a computer at the Integrated Graduate Program in the Life Sciences, the school said in a statement. The names and other data were for people who attended or applied to the program from 1991 to 2007. The breach was recently discovered and the affected computer has been shut down, according to the university's statement. It did not specify when the security breach occurred or how much time elapsed before it was discovered. [...] From d2d at attrition.org Mon Jun 4 02:16:19 2007 From: d2d at attrition.org (d2d) Date: Mon, 4 Jun 2007 02:16:19 +0000 (UTC) Subject: [Dataloss] AL: Some Gadsden State student records scattered on driveway Message-ID: Courtesy pogowasright.org http://www.al.com/newsflash/regional/index.ssf?/base/news-29/1180904393189240.xml&storylist=alabamanews Some Gadsden State Community College records containing personal information on some 400 students were found scattered across the driveway of an Anniston business. Students taking an Art Appreciation class at the Ayers Campus between 2005 and 2006 had their names, grades and Social Security numbers scattered across the driveway. [..] From lyger at attrition.org Mon Jun 4 19:39:20 2007 From: lyger at attrition.org (lyger) Date: Mon, 4 Jun 2007 19:39:20 +0000 (UTC) Subject: [Dataloss] WA: Stevens Hospital Notifies Patients... Message-ID: http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070604006259&newsLang=en Stevens Hospital is notifying patients that some patient names and other identifying information were accessible on the Internet following a lapse in a subcontractor.s computer security. The records' privacy was restored after the hospital coordinated with the subcontractor and a search engine to block access to the information. No patient care, medical record or credit card information was involved, but the accessible information did include patients. names, addresses and Social Security numbers. Stevens believes that fewer than 550 patient records were affected, and those patients are being notified. "Our patients' privacy is our highest concern, along with their health and well-being," said Mike Carter, the hospital.s president and chief executive officer. "Once we learned of the situation, we took swift, strong action to restore the security of their personal information." [...] From jericho at attrition.org Tue Jun 5 20:30:14 2007 From: jericho at attrition.org (security curmudgeon) Date: Tue, 5 Jun 2007 20:30:14 +0000 (UTC) Subject: [Dataloss] Is LifeLock an identity theft protection service people can trust? Message-ID: http://www.bloggernews.net/17429 This post was written by Ed Dickson on 5 June, 2007 (09:07) | All News, Blogosphere News 106 Views Ray Stern, of the New Phoenix Times, published a scary story about an identity theft protection service, called LifeLock. The article suggested that LifeLock was founded on stories that are questionable, and run by a Robert Maynard Jr., who seems to have a few skeletons hiding in his closet. [..] From jericho at attrition.org Wed Jun 6 05:44:00 2007 From: jericho at attrition.org (security curmudgeon) Date: Wed, 6 Jun 2007 05:44:00 +0000 (UTC) Subject: [Dataloss] follow-up: TJX chief apologizes for data breach Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.boston.com/business/ticker/2007/06/tjx_chief_apolo.html By Jenn Abelson, Globe staff June 5, 2007 ATLANTA -- At her first shareholder meeting as chief executive of TJX Cos., Carol Meyerowitz apologized for the Framingham merchant's recent security breach that involved the theft of at least 45.7 million credit and debit card numbers and said she wished the incident -- the biggest loss of personal data reported -- never happened. Meyerowitz, who took over the helm of the company in January, said increasingly sophisticated cyber criminals are a global and complex problem for government agencies, hospitals, universities, and retailers who have all suffered attacks in recent years. Despite having security measures in place, TJX said hackers still managed to get into its systems. "But we had locks," Meyerowitz said. It was one of the first times TJX held its annual shareholder meeting outside of its hometown Framingham. Only a handful of shareholders attended yesterday's meeting and none asked about the security breach. The company refused questions from the media. A company spokeswoman said the shareholder meeting coincided with a yearly off-site trip by the board of directors. This year Atlanta was selected because it is one of TJX's largest markets and the company operates a distribution center in a nearby town. [..] From d2d at attrition.org Thu Jun 7 03:13:24 2007 From: d2d at attrition.org (d2d) Date: Thu, 7 Jun 2007 03:13:24 +0000 (UTC) Subject: [Dataloss] WI: Students breach personal data Message-ID: http://www.jsonline.com/story/index.aspx?id=616364 Cedarburg High School students used a school computer to access confidential data of current and former School District employees that had not been properly secured on the district computer network, Superintendent Daryl Herrick said Tuesday. The students obtained names, addresses and Social Security numbers and might have accessed personal bank account information, he said. Herrick issued a statement about the computer breach after Police Chief Tom Frank confirmed that district officials had asked his department to investigate. [..] From hbrown at knology.net Thu Jun 7 10:55:49 2007 From: hbrown at knology.net (Henry Brown) Date: Thu, 07 Jun 2007 05:55:49 -0500 Subject: [Dataloss] Credit card fraud/cloning Message-ID: <4667E435.6090302@knology.net> http://www.al.com/news/huntsvilletimes/index.ssf?/base/news/118120774430360.xml&coll=1 400 may be victims of credit fraud As many as 400 people and banking institutions may be victims in a credit card or debit card cloning operation, Huntsville police said in a news release Wednesday. The investigation involves hundreds of cases in Alabama and Georgia in which the card numbers were stolen after the cards were used at Huntsville restaurants and carry-out businesses, police said. Police investigators and the FBI have surveillance videos from businesses in Alabama and the Atlanta area where suspects were seen using the card numbers, Huntsville Public Safety Director Rex Reynolds said in the release. ... From jericho at attrition.org Thu Jun 7 11:13:50 2007 From: jericho at attrition.org (security curmudgeon) Date: Thu, 7 Jun 2007 11:13:50 +0000 (UTC) Subject: [Dataloss] follow-up: Mass. credit union bills TJX $590k for breach-related costs Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9023778 By Jaikumar Vijayan June 06, 2007 Computerworld HarborOne Credit Union in Brockton, Mass., has sent The TJX Companies Inc. an invoice for $590,000 for what the financial institution says it incurred in actual costs and reputational damage as a result of the data compromise disclosed by the retailer in January. The bill was sent to TJX on April 30, but the company so far has not responded or commented on it in any fashion, said James Blake, the president and CEO of the 100,000-member, $1.4 billion credit union. "The bill was for both direct operational costs that we incurred reissuing new debit cards to our customers, as well as the costs to us from a reputational standpoint," he said. According to Blake, the TJX breach resulted in HarborOne having to block and reissue about 9,000 cards at a cost of around $90,000. The remaining $500,000 is what Blake believes the breach cost the credit union in terms of brand damage. "We had to notify customers of the fact that their account was breached. There were some questions on their part whether or not we were responsible [for the breach] when in fact it was TJX's responsibility," Blake said. [..] From lyger at attrition.org Thu Jun 7 21:00:26 2007 From: lyger at attrition.org (lyger) Date: Thu, 7 Jun 2007 21:00:26 +0000 (UTC) Subject: [Dataloss] CT: Medical papers found in trash bin may lead to fines Message-ID: http://www.acorn-online.com/news/publish/greenwich/18807.shtml A box left in a trash bin could end up leaving some local doctors a little lighter in the wallet. The Greenwich Post was given a box filled medical documents from the Dearfield Medical Building that may have been improperly disposed of. The box was discovered at 4 Dearfield Drive inside a trash bin in May and contains information about lab tests and insurance approvals as well as other medical issues. These documents are not medical charts, but do contain patient names and contact information. According the United States Department of Health and Human Services, under the privacy regulations for the Health Insurance Portability and Accountability Act (HIPAA), documents such as the ones in the trash bin are supposed to be kept confidential and then shredded when disposed of, not just thrown out in a box. [...] From d2d at attrition.org Fri Jun 8 14:37:13 2007 From: d2d at attrition.org (d2d) Date: Fri, 8 Jun 2007 14:37:13 +0000 (UTC) Subject: [Dataloss] VA: University Of Virginia Alerts Current And Former Faculty That Sensitive Information Has Been Exposed Message-ID: Courtesy ESI : http://www.adamdodge.com/esi/ http://www.virginia.edu/uvatoday/newsRelease.php?id=2217 The University of Virginia has discovered a security breach in one of its computer applications that resulted in exposure of sensitive information belonging to current and former U.Va. faculty members. The information included names, Social Security numbers and dates of birth. No credit card, bank account or salary information was involved in the incident. As soon as this breach was discovered, the vulnerability was corrected and a thorough investigation was instituted. This criminal investigation is being conducted by University Police in consultation with the FBI and the University?s computing and audit professionals. The investigation has revealed that on 54 separate days between May 20, 2005 and April 19, 2007, hackers tapped into the records of 5,735 faculty members. No suspects have been identified. No data pertaining to students or the University?s non-faculty employees were exposed. [..] From lyger at attrition.org Fri Jun 8 17:21:49 2007 From: lyger at attrition.org (lyger) Date: Fri, 8 Jun 2007 17:21:49 +0000 (UTC) Subject: [Dataloss] FISMA amendment could redefine personally identifiable info Message-ID: http://www.fcw.com/article102939-06-08-07-Web A new Senate bill could redefine how agencies report and handle breaches of sensitive information. Sen. Norm Coleman (R-Minn.) introduced the Federal Agency Data Breach Protection Act June 7. An amendment to the Federal Information Security Management Act, the bill would give more policy-defining power to the Office of Management and Budget and broaden the definition of personally identifiable information. Coleman wants OMB to establish specific policies, procedures and standards for agencies to follow in the event of a data breach. Also, the bill would broaden the powers of agency chief information and chief human capital officers to enforce compliance and assess damage to federal personal property, respectively. The bill also would broaden the definition of personally identifiable information to include education; criminal, medical and employment history; and financial transactions. Sensitive information would also include name, Social Security number, birth date and place, mother's maiden name, biometric records and "any other personal information that is linked or linkable to the individual," according to the bill. [...] From lyger at attrition.org Fri Jun 8 18:00:08 2007 From: lyger at attrition.org (lyger) Date: Fri, 8 Jun 2007 18:00:08 +0000 (UTC) Subject: [Dataloss] IA: UI notifies graduate program students, faculty about security breach Message-ID: http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20070608/NEWS01/70608007/1079 Students and faculty associated with a University of Iowa graduate program are being notified this week about a Web-site security breach. UI has sent letters to about 1,000 current students and applicants to the Molecular and Cellular Biology program and to 100 faculty members, said John Keller, UI Associate Provost and Dean of the Graduate College. [...] "We are deeply concerned that this happened," Keller said. "We apologize, and we want our faculty, students and prospective students to know that we are working expeditiously to correct this problem. We have notified the appropriate UI and law enforcement officials, and we are evaluating our systems to identify additional ways to protect our Web sites. [...] From adam at homeport.org Sat Jun 9 18:30:37 2007 From: adam at homeport.org (Adam Shostack) Date: Sat, 9 Jun 2007 14:30:37 -0400 Subject: [Dataloss] [ji@tla.org: IBM Lost Tape(s)] Message-ID: <20070609183037.GA18311@homeport.org> ----- Forwarded message from John Ioannidis ----- X-Spam-Status: No, score=0.0 required=2.5 tests=HOMEPORT_REV_2007052401_01 autolearn=disabled version=3.1.7-deb Date: Sat, 09 Jun 2007 03:31:53 -0400 From: John Ioannidis To: cryptography mailing list Subject: IBM Lost Tape(s) Apparently, last February IBM lost some tapes with employee data. Yesterday, I received a notification from them, which I scanned and put (slightly redacted) in http://www.tla.org/private/ibmloss1.pdf for your amusement. Now, I haven't worked for IBM in a long time, and since then I have moved about a dozen times. I'm pretty sure quite a few people are in that situation. I wonder how much it cost them to find current addresses for everybody so we could be notified. /ji --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com ----- End forwarded message ----- From d2d at attrition.org Sat Jun 9 21:30:25 2007 From: d2d at attrition.org (d2d) Date: Sat, 9 Jun 2007 21:30:25 +0000 (UTC) Subject: [Dataloss] CA: Hard drive stolen from Concordia Message-ID: http://www.cjob.com/news/index.aspx?src=loc&rem=67336 Police are looking in to the theft of a computer hard drive from the Concordia Hospital on May 14th. The Winnipeg Regional Health Authority's computer contained images and slides of diagnostic imaging tests for more than three thousand patients. Its believed by the WRHA that the computer was stolen as a peice of equipment - and not for the information it contained. They add unless the theives were doctors, the slides on the computer would most likely mean nothing. [...] From lyger at attrition.org Sat Jun 9 21:34:08 2007 From: lyger at attrition.org (lyger) Date: Sat, 9 Jun 2007 21:34:08 +0000 (UTC) Subject: [Dataloss] NH: Security breach exposes Concord Hospital patient data Message-ID: (different than the one just posted by d2d) http://www.concordmonitor.com/apps/pbcs.dll/article?AID=/20070609/NEWS03/70609002/1030 A security lapse exposed the personal information of more than 9,000 Concord Hospital patients and insurers, leaving their names, addresses, dates of birth and social security numbers unprotected on the internet "for a period of time," the Concord Monitor has learned. The hospital notified patients of the problem today, more than a week after the hospital found out about the security lapse from a subcontractor that handles its online billing, according to a hospital statement released to the Monitor. No credit card information was exposed and, to the hospital's knowledge, no personal health information was at risk or compromised, according to a statement released to the the Monitor yesterday afternoon. [...] From d2d at attrition.org Mon Jun 11 19:50:44 2007 From: d2d at attrition.org (d2d) Date: Mon, 11 Jun 2007 19:50:44 +0000 (UTC) Subject: [Dataloss] Pfizer: 17,000 Employees Suffer Privacy Breach Message-ID: Courtesy abrandt _at_ gmac.com http://www.pharmalot.com/2007/06/pfizer-17000-employees-suffer-privacy-breach http://doj.nh.gov/consumer/pdf/Pfizer2.pdf You read it here first. The June 1 letter from Lisa Goldman in Pfizer.s privacy office has been arriving in mail boxes over the past few days, and the news for thousands of current and former employees isn't good - there was an unauthorized breach of privacy data, including names and social security numbers. The drugmaker is offering a free year.s worth of credit monitoring. Here's an excerpt: "The information was stored on a Pfizer laptop computer that was provided to a Pfizer colleague for use in her home. Due to the the unauthorized installation of certain file sharing software on the laptop, files stored in the laptop containing names, social security numbers, and in some instances, addresses and bonus information of approximately 17,000 present and former Pfizer colleagues, were exposed to one or more third parties. Our investigation revealed that certain files containing your data were accessed and copied.. [..] From lyger at attrition.org Tue Jun 12 02:31:52 2007 From: lyger at attrition.org (lyger) Date: Tue, 12 Jun 2007 02:31:52 +0000 (UTC) Subject: [Dataloss] MI: Flash drive containing students' SSNs stolen from GVSU Message-ID: http://www.woodtv.com/Global/story.asp?S=6643715&nav=0Rce A flash drive containing some confidential information was stolen from Lake Huron Hall on Grand Valley State University's Allendale Campus on May 24. About 3,000 social security numbers of current and former students were on the flash drive, stolen from the English department. Mary Eileen Lyon, of GVSU News and Information Services, said GVSU students need not worry about being affected unless they have received a letter from the university, as letters have been sent to all students whose identities may be in jeopardy. [...] From lyger at attrition.org Wed Jun 13 21:17:53 2007 From: lyger at attrition.org (lyger) Date: Wed, 13 Jun 2007 21:17:53 +0000 (UTC) Subject: [Dataloss] UK: Eden computer theft investigated Message-ID: http://news.bbc.co.uk/2/hi/uk_news/england/cornwall/6750891.stm The theft of a laptop computer containing the personal details of hundreds of staff at Cornwall's Eden Project is being investigated. The computer contains the names, addresses, bank details, National Insurance numbers and pay rates of 500 employees at the attraction. It was stolen from a car of an employee who works for Moorepay Ltd, who handle the attraction's payroll. [...] From d2d at attrition.org Thu Jun 14 14:32:08 2007 From: d2d at attrition.org (d2d) Date: Thu, 14 Jun 2007 14:32:08 +0000 (UTC) Subject: [Dataloss] VA: Lynchburg employees personal information accidentally posted on the internet Message-ID: http://www.wdbj7.com/Global/story.asp?S=6654961&nav=rmoiyadz The personal information of 12-hundred Lynchburg city employees and retirees was accidentally posted on the city's website among that information employee's prescription medications. According to the city's Human Resources Director, the information was put online May 2, but it wasn't until two weeks later on June 4 that the mistake was discovered and was immediately removed. [..] More details (printable page URL, as the regular URL doesn't work in FF): http://www.wsls.com/servlet/Satellite?pagename=Common%2FMGArticle%2FPrintVersion&c=MGArticle&cid=1173351619994&image=80x60wsls.gif&oasDN=wsls.com&oasPN=%21news%21localnews From lyger at attrition.org Thu Jun 14 15:51:47 2007 From: lyger at attrition.org (lyger) Date: Thu, 14 Jun 2007 15:51:47 +0000 (UTC) Subject: [Dataloss] Canada: Personal banking info goes missing Message-ID: http://www.nanaimobulletin.com/portals-code/list.cgi?paper=51&cat=23&id=1005555&more=0 Personal and financial information of about 120,000 Coastal Community Credit Union members could be in jeopardy. Data tapes that the credit union moves from site to site to do computer backups were stolen from the courier company that transports them, said Garth Sheane, CCCU president and CEO. But the credit union is confident the thieves cannot access the information on the tapes, as specialized commercial software is needed. [...] The tapes contain files with selected personal and financial information, such as name, address, date of birth, social insurance number, member number, ATM/debit card number, credit card number, and/or balances. [...] From lyger at attrition.org Thu Jun 14 22:21:38 2007 From: lyger at attrition.org (lyger) Date: Thu, 14 Jun 2007 22:21:38 +0000 (UTC) Subject: [Dataloss] Personal information of Georgia Tech students, alums exposed Message-ID: http://www.accessnorthga.com/news/hall/newfullstory.asp?ID=114993 An electronic file containing the personal information of about 23,000 current and former Georgia Tech students was exposed briefly, university officials said Thursday. The information was mostly demographic data and included no Social Security numbers or credit card numbers, but it did include birthdays, Georgia Tech spokesman Matt Nagel said. [...] From lyger at attrition.org Fri Jun 15 15:15:43 2007 From: lyger at attrition.org (lyger) Date: Fri, 15 Jun 2007 15:15:43 +0000 (UTC) Subject: [Dataloss] OH: Stolen computer tape holds all state employees' IDs Message-ID: http://www.columbusdispatch.com/dispatch/content/flash/stories/2007/06/15/data_stolen.html A backup computer storage device with the names and Social Security numbers of every state worker was stolen out of a state intern's car on Sunday night, Gov. Ted Strickland announced this morning. Strickland said it would require a significant level of expertise and multiple computer programs to access the personal information of the more than 60,000 state workers. "We have no reason to believe there's any breach of security at this time, and we think it is unlikely that a breach will occur," he said at a press conference. [...] From jericho at attrition.org Fri Jun 15 07:04:42 2007 From: jericho at attrition.org (security curmudgeon) Date: Fri, 15 Jun 2007 07:04:42 +0000 (UTC) Subject: [Dataloss] follow-up: VA sets aside $20 million to handle latest data breach Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.govexec.com/story_page.cfm?articleid=37191 By Daniel Pulliam govexec.com June 14, 2007 The Veterans Affairs Department has set aside more than $20 million to respond to its latest data breach, the agency's top technology officer said Thursday. The department does not expect to spend the full $20 million, but designated that much because the breach potentially puts the identities of nearly a million physicians and VA patients at risk, said Bob Howard, the department's chief information officer. Howard spoke at The E-Gov Institute's Government Health IT Conference and Exhibition in Washington. "We have no evidence that [information is at risk]. None whatsoever, but we don't take the chance," Howard said. "The attitude of the VA right now is if we think we've put anybody's information at risk, then we need to step up to the plate and try to remedy that." The breach occurred in January, when a hard drive went missing from a Birmingham, Ala., VA medical research facility. The drive contained highly sensitive information on nearly all U.S. physicians and medical data for more than a half million VA patients. Any physician who billed Medicaid and Medicare through 2004 could be affected. The hard drive has not been recovered. The VA estimates that about half of the 1.3 million doctors whose information was on the hard drive, and 254,000 veterans, are potentially at risk. This group was notified by mail at the end of May. The letters noted that VA is providing credit monitoring services through a General Services Administration blanket purchase agreement from the multiple award schedules program. [..] From MKEVHILL at aol.com Fri Jun 15 15:26:15 2007 From: MKEVHILL at aol.com (MKEVHILL at aol.com) Date: Fri, 15 Jun 2007 11:26:15 EDT Subject: [Dataloss] OH: Stolen computer tape holds all state employees' IDs Message-ID: Correct me if I'm wrong, but the fact that a company losses data is the definition of a data breach. So when the Governor of Ohio says: ?We have no reason to believe there's any breach of security at this time, and we think it is unlikely that a breach will occur,? that in fact a breach has already occurred since he announced that data has been stolen. Thanks for your help, Mike ************************************** See what's free at http://www.aol.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20070615/273f9821/attachment.html From vhinderer at lexsi.com Fri Jun 15 11:58:55 2007 From: vhinderer at lexsi.com (HINDERER Vincent) Date: Fri, 15 Jun 2007 13:58:55 +0200 Subject: [Dataloss] Website Exposed More Than Paris Hilton Message-ID: The operators of an X-rated Paris Hilton web site exposed the credit card numbers and identities of about 750 subscribers who signed up after the site recently returned online in the face of a federal court injunction, The Smoking Gun has learned. After a tip from a visitor who read TSG's June 11 story about the re-launching of the site, parisexposed.com, a reporter was able to easily access the subscriber list by changing a few characters in the web address for the site's sign-up page. Included in the lengthy list are a subscriber's name, e-mail address, password, phone number, mailing address, and credit card number. [snip] More: http://www.thesmokinggun.com/archive/years/2007/0613071exposed1.html (Thanks to Ferg on [funsec] mailing-list) -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. From david.mckee at entaq.com Fri Jun 15 15:37:57 2007 From: david.mckee at entaq.com (David McKee) Date: Fri, 15 Jun 2007 10:37:57 -0500 Subject: [Dataloss] OH: Stolen computer tape holds all state employees'IDs In-Reply-To: References: Message-ID: To reflect back on another politician, "It depends on what your definition of is (breach), is." :-) David McKee ++++++CONFIDENTIALITY NOTICE++++++ The information in this email may be confidential and/or privileged. This email is intended to be reviewed by only the individual or organization named above. If you are not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any review, dissemination or copying of this email and its attachments, if any, or the information contained herein is prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system. _____ From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of MKEVHILL at aol.com Sent: Friday, June 15, 2007 10:26 AM To: dataloss at attrition.org Subject: Re: [Dataloss] OH: Stolen computer tape holds all state employees'IDs Correct me if I'm wrong, but the fact that a company losses data is the definition of a data breach. So when the Governor of Ohio says: "We have no reason to believe there's any breach of security at this time, and we think it is unlikely that a breach will occur," that in fact a breach has already occurred since he announced that data has been stolen. Thanks for your help, Mike _____ See what's free at AOL.com . -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20070615/8dff98dc/attachment.html From bkdelong at pobox.com Fri Jun 15 15:38:41 2007 From: bkdelong at pobox.com (B.K. DeLong) Date: Fri, 15 Jun 2007 11:38:41 -0400 Subject: [Dataloss] OH: Stolen computer tape holds all state employees' IDs In-Reply-To: References: Message-ID: Ahhh, semantics and politics - two best friends. On 6/15/07, MKEVHILL at aol.com wrote: > > > > > > Correct me if I'm wrong, but the fact that a company losses data is the > definition of a data breach. So when the Governor of Ohio says: > > "We have no reason to believe there's any breach of security at this time, > and we think it is unlikely that a breach will occur," > > that in fact a breach has already occurred since he announced that data has > been stolen. > > > Thanks for your help, > > Mike > > > ________________________________ > See what's free at AOL.com. > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 209 million compromised records in 700 incidents over 7 > years. > > -- B.K. DeLong (K3GRN) bkdelong at pobox.com +1.617.797.8471 http://www.wkdelong.org Son. http://www.ianetsec.com Work. http://www.bostonredcross.org Volunteer. http://www.carolingia.eastkingdom.org Service. http://bkdelong.livejournal.com Play. PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE FOAF: http://foaf.brain-stream.org From hbrown at knology.net Sun Jun 17 09:41:46 2007 From: hbrown at knology.net (Henry Brown) Date: Sun, 17 Jun 2007 04:41:46 -0500 Subject: [Dataloss] Hospital Billing Department MISTAKE Message-ID: <467501DA.4010702@knology.net> http://www.tampabays10.com/news/local/article.aspx?storyid=57004 Pt Richey, Florida - Joseph Dietrich says his son should never have received bills in the mail for a pre-employment drug screening visit. It's something that should have been sent to his employer. And among the stack there's something else he was surprised to see, information about others who were also tested, "Like 17 of them here with the social security numbers." He says the personal details were sent by University Community Hospital. ... From lyger at attrition.org Sun Jun 17 18:07:14 2007 From: lyger at attrition.org (lyger) Date: Sun, 17 Jun 2007 18:07:14 +0000 (UTC) Subject: [Dataloss] OH: Strickland says additional information was on stolen storage device Message-ID: http://zanesvilletimesrecorder.com/apps/pbcs.dll/article?AID=/20070616/UPDATES01/70616002/1002/NEWS01 Information about thousands of teachers, vendors, school districts and local governments that conduct electronic transactions with the state are on a backup computer storage device stolen from the car of a state agency intern, Gov. Ted Strickland said Saturday. Strickland announced the device was missing on Friday. It also included the names and Social Security numbers of all 64,000 state employees. Strickland again said that he has no reason to believe the information . which can be used to steal from people by taking their identity - has been compromised because accessing it requires special equipment and expertise. He also has issued an executive order to change the procedures for handling state data. The latest files discovered to be missing include 2,685 records of school district and local government names and bank account information; 159,708 records of Medicaid providers and their bank account information - the state is assuming it includes all providers; and the names and account numbers of 1,031 state employees who are teachers in the State Teachers Retirement System, the governor's office said. [...] From d2d at attrition.org Mon Jun 18 13:55:42 2007 From: d2d at attrition.org (d2d) Date: Mon, 18 Jun 2007 13:55:42 +0000 (UTC) Subject: [Dataloss] TX: Identity theft may be problem for TAMUCC students Message-ID: http://www.kristv.com/Global/story.asp?S=6667387&nav=menu192_2 The personal information of thousands of students at Texas A&M Corpus Christi was recently lost in a foreign country. A professor vacationing off the coast of Africa took the data with him on a small computer storage device. That device is missing, and Friday night, university officials are conceding that the personal information of just about every student on campus in 2006 is out there somewhere. Dr. Blair Sterba-Boatwright is the chairman of the math department at the university. He is an active traveler and outdoor photographer. His most recent trip was to Madagascar off the coast of Africa. University officials said he took with him a flash drive, containing the personal data of some 8,000 students to do some work while on vacation, but this week, the school is telling students that the flash drive was lost in Madascar, and officials said the device, "may have contained files with personally identifiable student information, including social security numbers." [..] From lyger at attrition.org Tue Jun 19 12:51:47 2007 From: lyger at attrition.org (lyger) Date: Tue, 19 Jun 2007 12:51:47 +0000 (UTC) Subject: [Dataloss] PA: Computer Breach Exposes Students' Social Security Numbers Message-ID: (Note that the media source was directly involved in the data disclosure...) Courtesy Mike Hill (MKEVHILL_at_aol.com) (http://www.wnep.com/Global/story.asp?S=6675365&nav=menu158_2) The News-Item confirms one of its employees gained unauthorized access to the Shamokin Area School District's computer database. It is the same system that stores student's personal information, including social security numbers. That newspaper employee brought the security flaw to the attention of school officials. "Oh my god, people's identities are shot," Sol Bidding said, describing his first reaction when he learned of the breach. It leaves open the idea that anyone could have hacked their way into the system. Superintendent James Zack sent a letter home to parents stating "Your son/daughter/student's Standardized Assessment scores, local assessment scores and Social Security numbers were contained in the system. We are writing to you so that you can take steps to protect yourself from the possibility of identity theft." [...] From lyger at attrition.org Wed Jun 20 18:59:42 2007 From: lyger at attrition.org (lyger) Date: Wed, 20 Jun 2007 18:59:42 +0000 (UTC) Subject: [Dataloss] NH: (followup) Concord Hospital dumps billing company after data breach Message-ID: http://www.wcax.com/Global/story.asp?S=6686414&nav=4QcS Associated Press - June 20, 2007 2:25 PM ET CONCORD, N.H. (AP) - Concord Hospital has fired the Washington-based company that was managed its online billing system and left the personal information of more than nine thousand patients unprotected on the internet for more than a month. Hospital officials now are asking for an audit to verify that Verus Incorporated has removed all of its patient information from its servers. [...] From lyger at attrition.org Wed Jun 20 21:29:25 2007 From: lyger at attrition.org (lyger) Date: Wed, 20 Jun 2007 21:29:25 +0000 (UTC) Subject: [Dataloss] OH: (followup) Governor: Stolen tape had information on 225, 000 taypayers [sic] Message-ID: (this reminds me of the USDA breach where the numbers shifted almost daily for a week...) http://www.newarkadvocate.com/apps/pbcs.dll/article?AID=/20070620/UPDATES01/70620023/1002/ COLUMBUS (AP) . A sensitive computer backup tape with personal information on 64,000 state employees and family members stolen from an intern's car also has the names and Social Security numbers of 225,000 taxpayers, Gov. Ted Strickland said Wednesday. The tape contained information on taxpayers who have not cashed state income tax refund checks in 2005, 2006 and through May 29, 2007, Strickland said in what has become a nearly daily release of new information contained on the tape since the first disclosure Friday. The administration continues to maintain that it does not believe the information has been accessed because it would require specific hardware, software and expertise. [...] From MKEVHILL at aol.com Thu Jun 21 03:02:19 2007 From: MKEVHILL at aol.com (MKEVHILL at aol.com) Date: Wed, 20 Jun 2007 23:02:19 EDT Subject: [Dataloss] TX: American pilots protest security breach on company Web site Message-ID: _http://www.dallasnews.com/sharedcontent/APStories/stories/D8PSQQN80.html_ (http://www.dallasnews.com/sharedcontent/APStories/stories/D8PSQQN80.html) Personal information including Social Security numbers of more than 300 pilots and other employees at American Airlines, including the chief executive, was exposed on a company Web site, according to the pilots' union. The company said it determined that only pilots and union officials saw the information on a password-protected internal site. Union officials said that by searching the site for "AA" and "medical," the roughly 200 results included a 2002 document with personal information on 315 current and former pilots and about 50 others, including CEO Gerard Arpey and his predecessor, Donald Carty. Union President Ralph Hunter said he called Mark Burdette, the company's vice president of employee relations, to report the breach. "I told him what his Social Security number was and where I got it," Hunter said. "He agreed with me that we had a big problem." American, a unit of AMR Corp., disabled the site's search function. Mike Hill ************************************** See what's free at http://www.aol.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20070620/137c11e0/attachment.html From jericho at attrition.org Fri Jun 22 10:15:32 2007 From: jericho at attrition.org (security curmudgeon) Date: Fri, 22 Jun 2007 10:15:32 +0000 (UTC) Subject: [Dataloss] IG: Justice inconsistent in reporting of data breaches Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.govexec.com/dailyfed/0607/061807p1.htm By Daniel Pulliam June 18, 2007 Officials at the Justice Department have failed to report certain computer security incidents within the time frame required by the Office of Management and Budget, according to an audit report released Monday. The 142-page report [1] from Justice's inspector general office found that the department had not consistently implemented a July 2006 OMB requirement [2] that agencies report data breaches involving the loss of personally identifiable information within one hour of discovery. Recent computer security incidents, including the Veterans Affairs Department's May 2006 loss of 26.5 million records containing sensitive information on veterans, prompted the requirement. Two of nine agencies within the department had not updated their policies and procedures to include the new OMB requirement, the IG found. And an analysis of nearly 200 computer security incidents from July to November 2006 found that officials failed to consistently report the loss of personally identifiable information within one hour to the department's Computer Emergency Readiness Team. The audit found that none of the incidents were reported within one hour to the Homeland Security Department's Computer Emergency Readiness Team, or US-CERT, as required by OMB. Auditors also found that none of the department's component agencies have established procedures for notifying people who could be affected by the loss of personal information. "We believe that the lack of procedures could cause delays in notifying individuals whose information has been compromised, increasing the individuals' risk of falling victim to fraud or identity theft," the report stated. In addition, the IG found that officials at the nine Justice agencies believed their employees followed the proper internal reporting procedures when issuing notifications of security incidents. But the information technology staff of the FBI was not always doing so in practice, the auditors found. Incident reports are sent to two separate offices at the FBI, yet only one is required to relay them to the Justice team, the IG noted. The result is that some incidents do not get reported, the report stated. On a more positive note, the IG found that several Justice agencies have taken extra steps to minimize unauthorized access to sensitive information and to educate employees on reporting requirements. These include posting security information on their intranet sites or on employee computer monitors upon login. The IG urged officials to consider adopting these procedures across the department. Justice officials told the IG that reporting within an hour is not practical. They also said the guidance on reporting to US-CERT -- the organization responsible for coordinating the response to computer security incidents governmentwide -- is not clear on whether reports must arrive within the same hour as those to the Justice readiness team. But officials concurred with the IG's eight recommendations to help improve the department's procedures, including one to clarify the deadlines for reporting incidents. The department also agreed to instruct agencies on proper reporting of incidents with classified information, and is developing reporting measures for ensuring that all agencies meet established time frames. Additionally, officials are developing procedures for notifying people affected by a loss of personal information. [1] http://www.usdoj.gov/oig/reports/plus/e0705/final.pdf [2] http://govexec.com/dailyfed/0706/071406p1.htm From lyger at attrition.org Fri Jun 22 14:11:49 2007 From: lyger at attrition.org (lyger) Date: Fri, 22 Jun 2007 14:11:49 +0000 (UTC) Subject: [Dataloss] (update) Report prepared in Strickland transition warned of data risk Message-ID: (Look Ma, now it's half a million...) http://www.bucyrustelegraphforum.com/apps/pbcs.dll/article?AID=/20070622/UPDATES01/70622002/1002/ COLUMBUS, Ohio (AP) - Months before a computer device containing the Social Security numbers and other personal information of more than 500,000 Ohioans was stolen from an intern's car, the state was warned it was vulnerable to data theft, The Columbus Dispatch reported Friday. Before he took office in January, Gov. Ted Strickland asked teams of experts to evaluate key areas of state government and submit findings and recommendations. The team studying the Office of Information Technology concluded the state had .little to no policy guidance or standards. for protecting Social Security numbers and other sensitive information, according to a report prepared as part of Strickland.s transition team. "Ohio's lack of a robust, unified privacy/security capacity lays it open to the type of data spills and breaches that have been plaguing the government and the corporate sectors in increasing numbers over the past few years," the report said. [...] From lyger at attrition.org Mon Jun 25 15:40:03 2007 From: lyger at attrition.org (lyger) Date: Mon, 25 Jun 2007 15:40:03 +0000 (UTC) Subject: [Dataloss] (update) CA: Health-worker data disk remains missing Message-ID: http://www.fresnobee.com/263/story/68632.html Fresno County still hasn't found a missing computer disk that contains the personal information for thousands of home health-care workers. The disk, with data used to determine workers' eligibility for health-care benefits, was lost more than a month ago after it was sent via a courier to a software vendor's office in San Jose. "There is still nothing to point out what happened to it or where it is," County Administrative Officer Bart Bohn said. "It hasn't been found, it hasn't been detected and it hasn't surfaced, but we continue to try and find out where it is." County officials have determined, however, that the disk only contained information pertaining to the home health-care workers -- including their names, addresses and Social Security numbers. Officials previously said the disk also had information pertaining to the 10,000 elderly, blind and disabled clients served through the county's In-Home Supportive Services program. [...] From lyger at attrition.org Mon Jun 25 16:26:31 2007 From: lyger at attrition.org (lyger) Date: Mon, 25 Jun 2007 16:26:31 +0000 (UTC) Subject: [Dataloss] OH: State reports another theft of personal data Message-ID: http://www.middletownjournal.com/hp/content/oh/story/news/state/2007/06/25/ddn062507bwcweb.html The Ohio Bureau of Workers' Compensation disclosed Monday that a laptop was stolen nearly a month ago containing Social Security numbers and other personal data on 439 injured workers. The BWC disclosure comes on the heels of news that a back-up data tape with personal information on more than 400,000 Ohioans was stolen from a part-time intern's car earlier this month. The BWC laptop was stolen from the home of bureau auditor May 30 in Columbus. It wasn't until Gov. Ted Strickland ordered state agencies to beef up their data security policies on June 15 that BWC security officials started to review what personal data may have been on the laptop. BWC Administrator Marsha Ryan wasn't told about the laptop theft until June 15. [...] From dave at etiolated.org Tue Jun 26 15:29:32 2007 From: dave at etiolated.org (Dave) Date: Tue, 26 Jun 2007 11:29:32 -0400 Subject: [Dataloss] MS: Thousands Of Pharmacy Records Left Behind Closed Winn Dixie Message-ID: <26fc42fe0706260829x76280f8bh17b2f0181191a2ba@mail.gmail.com> Courtesy pogowasright.org http://www.wlox.com/Global/story.asp?S=6694881&nav=6DJI "I received a anonymous call from a gentleman, and first I thought that it was con call, so I listened for a while and he seemed sincere." He was sincere enough for Patricia Kendrick to rush to the old Pascagoula Winn Dixie store to see if what the man said was true. "My medical records, my prescription records mainly, was behind the Winn Dixie Store that been shut down for a couple of years," Kendrick said. "He handed me my slip that had blown down the road, along with several prescriptions from local doctors." Kendrick's telephone number, social security number and address were on the papers. Hers was part of a huge pile of patient profiles, empty drug containers and prescription papers. So Kendrick called the authorities. "Thousands and thousand of records," Pascagoula Compliance Officer David Groves said, as he looked through the piles of papers. [...] Dave http://etiolated.org From lyger at attrition.org Tue Jun 26 22:34:21 2007 From: lyger at attrition.org (lyger) Date: Tue, 26 Jun 2007 22:34:21 +0000 (UTC) Subject: [Dataloss] (semi-OT) The struggle to protect enterprise data Message-ID: >From security curmudgeon (jericho_at_attrition.org) From: InfoSec News http://www.infoworld.com/article/07/06/25/26FEdataprotection_1.html By Matt Hines June 25, 2007 Long ago, when businesses kept sensitive information locked away in file cabinets and safes, it was relatively cheap and easy to store valuable data and control who had access to it. Today, enterprises invest millions in security, storage, and compliance technologies -- all in the name of increasing visibility into where vital electronic information lives and how it is being defended. Despite those efforts, most experts and customers admit that in most companies the process of tracking down every piece of valuable company data -- and applying the appropriate tools to shield information from unwanted access or misuse -- remains in its beginning stages. The heart of the matter is visibility. Enterprises feel uncertain whether todays technologies are providing an accurate sense of where things stand or are merely creating a false sense of security. Seeing blind spots When forensic experts called in by businesses to investigate external data breaches and insider threats tell their stories, the traumatic events that lead to brand-trashing headlines and regulatory punishment are most often based in the business lack of knowledge of where its sensitive data is. Enterprises are improving their ability to safeguard the stockpiles of sensitive information they know about, admit investigators, but many remain blind to additional stores of important data or the flawed processes they use to transmit information electronically. Both problems leave them vulnerable to leaks and attacks. "In almost every case we've investigated where companies have experienced a serious data breach, the reality is that the companies didn't know they had the information where it was stolen from until it's too late and the data has been taken," says Bryan Sartin, vice president of investigative response at Cybertrust, a provider of managed security services that lists risk assessment among its specialties. [..] From lyger at attrition.org Wed Jun 27 13:22:37 2007 From: lyger at attrition.org (lyger) Date: Wed, 27 Jun 2007 13:22:37 +0000 (UTC) Subject: [Dataloss] WI: 65,000 Milwaukee PC Customers May Be at Risk Message-ID: http://www.todaystmj4.com/news/local/8202232.html The credit card information of 65,000 customers who've used Milwaukee PC may have been compromised. The staff at the computer retailer and service center noticed a file in their server and was concerned that file could contain customers' credit card numbers and personal information. No one has reported their information stolen yet, but Milwaukee PC isn't taking any chances. [...] From dshettler at gmail.com Wed Jun 27 17:36:24 2007 From: dshettler at gmail.com (David Shettler) Date: Wed, 27 Jun 2007 13:36:24 -0400 Subject: [Dataloss] OH: BGSU security breach Message-ID: <26fc42fe0706271036j3fa6dc30pc478df1565d9d399@mail.gmail.com> http://abclocal.go.com/wtvg/story?section=local&id=5427364 Bowling Green State University is notifying current and former students of accounting professor Dr. W. David Albrecht that a computer flash drive with information about them has been lost. Files on the portable storage device contained Social Security numbers for 199 students from his classes in 1992, and the names, grades and University identification numbers but not the Social Security numbers for approximately 1,600 other students. There is no indication that any information on the missing flash drive has been accessed in any way, and there was no system breach or hacking of the University's computer systems. The University has sent letters to those affected and has posted a notice on its Web site encouraging current and former students who may have taken Albrecht's classes to contact the BGSU College of Business Administration. BGSU has been monitoring its systems and processes for evidence that information contained on the lost flash drive is being misused, but no such evidence has yet been uncovered. [..] Dave http://etiolated.org From lyger at attrition.org Wed Jun 27 18:17:57 2007 From: lyger at attrition.org (lyger) Date: Wed, 27 Jun 2007 18:17:57 +0000 (UTC) Subject: [Dataloss] TX: (update) Not all officers told about theft of laptop with personal data Message-ID: (previous story here: http://attrition.org/dataloss/2007/05/tcleose01.html) From: MKEVHILL_at_aol.com http://www.kltv.com/Global/story.asp?S=6701764&nav=1TjD SAN ANTONIO, Texas (AP) - When a laptop containing the personal information of law enforcement officers in Texas was stolen, not all officers were properly notified. Productivity Center told the state's law enforcement agencies of the theft last month at a Houston office. It left the information up to each agency to tell officers. But many officers say they received word through the grapevine and not from official channels. The laptop contained files with the Social Security numbers, driver's license numbers and other sensitive information for the roughly 230,000 licensed Texas peace officers. So far, it seems the thieves didn't know what was in the laptop. Mike From lyger at attrition.org Wed Jun 27 22:02:09 2007 From: lyger at attrition.org (lyger) Date: Wed, 27 Jun 2007 22:02:09 +0000 (UTC) Subject: [Dataloss] CA: Criminal Probe Launched Into Computer Hacking of Vet School Admissions Info Message-ID: http://www.news.ucdavis.edu/search/news_detail.lasso?id=8225 A criminal investigation into the apparent hacking and misuse of computerized veterinary medical school admissions records has been launched by the University of California, Davis, Police Department, in cooperation with the Sacramento Valley High Tech Crimes Task Force. On June 15, the university determined that its computer-security safeguards had been breached and someone had gained access to the personal information of an estimated 1,120 applicants to the School of Veterinary Medicine for the 2007-2008 school year, including 131 accepted students. The hacker had accessed information including the applicants' names, birth dates and, in most cases, Social Security numbers. The security breach became apparent when applicants who had recently been admitted to the School of Veterinary Medicine attempted to set up campus computer accounts and were notified that accounts had already been established in their names. Further investigation revealed that the records of 375 veterinary medical school applicants for the 2004-2005 school year -- seven of them admitted students -- also might have been illegally accessed. [...] From lyger at attrition.org Fri Jun 29 19:26:56 2007 From: lyger at attrition.org (lyger) Date: Fri, 29 Jun 2007 19:26:56 +0000 (UTC) Subject: [Dataloss] WV: Stolen Computers Leave Harrison County School Workers at Risk for ID Theft Message-ID: (Excellent example of delayed notification... stolen in February, notified in June?) http://www.wtrf.com/story.cfm?func=viewstory&storyid=25748 Someone has stolen several computers that contained the personal information, including social security numbers, of several Harrison County school employees. The Attorney General's Office said the thefts happened last February at MSI Risk Management in Charleston, which handles workers comp claims for the school board. MSI recently notified the Harrison County School Board that the computers had been stolen. [...] From hbrown at knology.net Sat Jun 30 21:39:51 2007 From: hbrown at knology.net (Henry Brown) Date: Sat, 30 Jun 2007 16:39:51 -0500 Subject: [Dataloss] follow up on Birmingham data loss in Jan 07 Message-ID: <4686CDA7.7000005@knology.net> An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20070630/b3d0d82f/attachment.html