From lyger at attrition.org Thu Mar 1 07:34:20 2007
From: lyger at attrition.org (lyger)
Date: Thu, 1 Mar 2007 07:34:20 -0500 (EST)
Subject: [Dataloss] Tokyo University of Science loses personal info on 8,800 students, graduates

http://mdn.mainichi-msn.co.jp/national/news/20070301p2a00m0na026000c.html

Tokyo University of Science has lost personal information on about 8,800 students and graduates, including their names, addresses and scores, university officials said Thursday.

A 56-year-old associate professor, who leads the alumni organization of the university's pharmaceutical faculty, took an external hard disk containing the information out of the institution on the night of Feb. 24, according to officials.

[...]


From lyger at attrition.org Thu Mar 1 14:14:06 2007
From: lyger at attrition.org (lyger)
Date: Thu, 1 Mar 2007 14:14:06 -0500 (EST)
Subject: [Dataloss] Canada: SickKids notifies study participants of stolen laptop

http://www.newswire.ca/en/releases/archive/March2007/01/c5924.html

The Hospital for Sick Children (SickKids) is notifying patients that have participated in 10 different research studies about a stolen laptop that contained their personal health information. The laptop was stolen on January 4, 2007 from the car of a physician who was doing data analysis.

SickKids reported the incident to Ontario's Information and Privacy Commissioner (IPC) and is working in full cooperation with the IPC in an independent review of this incident.

The laptop was password protected and it is not likely that the data could be easily understood by someone who lacks clinical training. Patient care is not affected by this incident since the stolen laptop contained research data and not patient charts.

[...]
From Dissent at pogowasright.org Thu Mar 1 18:18:58 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 01 Mar 2007 18:18:58 -0500
Subject: [Dataloss] Records of 2,000 Westerly Hospital patients posted online
Message-ID: <7.0.0.16.2.20070301181749.0267f5e8@nowhere.org>

http://www.boston.com/news/local/rhode_island/articles/2007/03/01/records_of_2000_westerly_hospital_patients_posted_online/

WESTERLY, R.I. -- Two-thousand patients at Westerly Hospital had their names, Social Security numbers and medical records posted on a publicly accessible Web site, and the hospital said it doesn't know who did it.

"We don't know why it happened. We don't know how it happened. But we will," hospital President and CEO Charles Kinney told The Westerly Sun.

The Web site included detailed information about patients' surgical procedures and medical histories, as well as people's home addresses and insurance information.

The hospital said not all its patients are affected, and the breach likely only extended to patients seen during certain days in January. The Sun reported patients it contacted had been at the hospital on three separate days.

Westerly Police learned of the problem on Wednesday afternoon when a woman looked up her phone number on the Internet search engine Google and found a link to the site. Police called the hospital, then the FBI and State Police.

The hospital worked with several Internet companies, including Yahoo Inc., to take the site down, and it was taken offline five hours later, according to the Sun. It's not clear how long the site was up or how many people saw the information.

Kinney said there was a breach in the hospital's computer database system that allowed hackers to access the information.

The hospital plans to send a letter to every affected patient as soon as possible, Kinney said.

Messages left with the FBI, State Police and Westerly police were not immediately returned Thursday.
--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss


From beth at sandstorm.net Fri Mar 2 14:19:40 2007
From: beth at sandstorm.net (Beth Rosenberg)
Date: Fri, 02 Mar 2007 14:19:40 -0500
Subject: [Dataloss] TJX Caginess...Or, I'd Love to Find Out about the Technology Involved
Message-ID: <45E878CC.8000104@sandstorm.net>

I've been scrambling around the web looking for more information about the TJX breach than I'm finding. I don't care about the figures of how many people were affected, but rather about the technology the company was using, and how the breachers were able to go through it so easily: What kinds of servers? Firewalls? Network configurations? Anything that would lead me to figure out how so many holes could have been so open without anyone noticing, or at least coming public with it.

Any pointers would be immensely helpful...

Thanks.


From lyger at attrition.org Fri Mar 2 22:19:37 2007
From: lyger at attrition.org (lyger)
Date: Fri, 2 Mar 2007 22:19:37 -0500 (EST)
Subject: [Dataloss] CO: Metro State Computer With SS Numbers Stolen

http://cbs4denver.com/consumer/local_story_061205155.html

College of Denver is working with the Denver and Auraria Police in the investigation of a theft of a computer stolen from campus that contained the names and Social Security numbers of 988 former students.

The laptop computer was stolen from its docking station in the late afternoon of Feb. 28 from a Metro State faculty member's office on the Auraria Campus. The case remains under investigation.
The stolen computer contained roster information of students enrolled in the faculty member's classes from the beginning of the 1999 fall semester to the end of the 2002 fall semester. The stolen computer was password protected.

[...]


From Dissent at pogowasright.org Sat Mar 3 07:56:49 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 03 Mar 2007 07:56:49 -0500
Subject: [Dataloss] Hackers swipe seed company's customers' data
Message-ID: <7.0.0.16.2.20070303075456.02677548@nowhere.org>

http://kennebecjournal.mainetoday.com/news/local/3676190.html

WINSLOW -- The Web site of Johnny's Selected Seeds has been hacked by an intruder, resulting in the theft of thousands of private records and credit card numbers, a company official said Friday.

Bruce Harrington, the company's director of sales and marketing, said 11,500 credit card accounts were stolen electronically in February.

"This is a violation, this is a criminal act and it's on us," Harrington said. "We are a victim here; it wasn't like we had credit card information ready for the taking."

[...]

Of the total number of accounts that were breached, about 20 of the credit cards were used fraudulently, Harrington said. He said the last known Internet Service Provider to register action involving the Johnny's case was somewhere in the United Kingdom.

Harrington said the security system was hacked in a very sophisticated, methodical way.

"Essentially what happened is that criminals gained access to our internal systems and gathered enough information to allow them to then gain access to our Web site," Harrington said. The company's "server farm" in Kentucky was the target, he said.

[...]
From cwalsh at cwalsh.org Sun Mar 4 21:22:56 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sun, 4 Mar 2007 20:22:56 -0600
Subject: [Dataloss] TJX Caginess...Or, I'd Love to Find Out about the Technology Involved
In-Reply-To: <45E878CC.8000104@sandstorm.net>
References: <45E878CC.8000104@sandstorm.net>
Message-ID: <68522FCC-AD60-4D57-91DE-B3F59523419A@cwalsh.org>

Do not interpret the links below as a claim by me about anything. I just use Google.

http://softwarefinder.mbtmag.com/software/378-18214/Point-of-Sale-POS-Systems/Fujitsu-GlobalSTORE.html
http://www.digitaltransactions.net/newsstory.cfm?newsid=889

On Mar 2, 2007, at 1:19 PM, Beth Rosenberg wrote:

> I've been scrambling around the web looking for more information
> about the TJX breach than I'm finding. I don't care about the
> figures of how many people were affected, but rather about the
> technology the company was using, and how the breachers were able
> to go through it so easily:


From cwalsh at cwalsh.org Mon Mar 5 21:21:19 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 5 Mar 2007 20:21:19 -0600
Subject: [Dataloss] Primary sources from NY
Message-ID: <4A79714A-CCE2-4DD9-9C33-294F746C08FC@cwalsh.org>

Folks:

http://www.cwalsh.org/BreachInfo/primary_sources/firmlist.html contains a bunch of links (currently 139) to documents I obtained from NY regarding breaches reported to the Consumer Protection Board there. It's interesting to see the actual letters sent out to people, as well as some of the reported details.

This page is generated daily, so as I (sporadically -- don't think this is a daily thing) add documents, the page will grow.
There is also a (very cheesy) search interface at http://www.cwalsh.org/cgi-bin/docview.pl

So, if you wanted to see all the docs sent in by entities with 'bank' in their name, you could.


From dbloys at door.net Tue Mar 6 09:19:55 2007
From: dbloys at door.net (David Bloys)
Date: Tue, 6 Mar 2007 08:19:55 -0600
Subject: [Dataloss] Computer World - Texas counties illegally posting Social Security numbers online, AG says
Message-ID: <037901c75ffa$84dd3220$0202a8c0@Office>

Computer World

Texas counties illegally posting Social Security numbers online, AG says
County, district clerks are pushing for legislation to make the practice legal

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9012221&pageNumber=1


From Dissent at pogowasright.org Wed Mar 7 11:40:24 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 07 Mar 2007 11:40:24 -0500
Subject: [Dataloss] Google shock for Los Rios
Message-ID: <7.0.0.16.2.20070307113828.026088d0@nowhere.org>

http://www.sacbee.com/101/story/133870.html

A community college student who was "Googling" himself last month found some disconcerting information when he typed his name into the popular Internet search engine. A Los Rios Community College District database popped up that included his name, birth date and Social Security number. The file also contained data on about 2,000 other students.

[...]

In the case of Los Rios, staff members were testing a new online application system and "just grabbed some files" to upload, said Williams, the college spokeswoman.
"Google had come along and indexed this little test batch," Williams said. "The data was on what we thought was a secure part of our Web server."

The data involved 2,000 of the school's 78,000 students. That was in October. More than three months had passed before a Los Rios student contacted the school about finding the personal data file on Google.

[...]


From lyger at attrition.org Wed Mar 7 14:48:42 2007
From: lyger at attrition.org (lyger)
Date: Wed, 7 Mar 2007 14:48:42 -0500 (EST)
Subject: [Dataloss] Census Bureau admits privacy breach

http://seattlepi.nwsource.com/national/1155AP_Census_Data_Mix_up.html

The Census Bureau inadvertently posted personal information from 302 households on a public Internet site multiple times over a five-month period, the bureau said Wednesday.

The information included names, addresses, phone numbers, birth dates and family income ranges, said Ruth Cymber, the agency's director of communications. No Social Security numbers were posted, and there is no evidence that the data was misused, Cymber said. But, she added, posting the information violated bureau policies and federal law.

[...]


From lyger at attrition.org Thu Mar 8 19:47:54 2007
From: lyger at attrition.org (lyger)
Date: Thu, 8 Mar 2007 19:47:54 -0500 (EST)
Subject: [Dataloss] FTC Unveils Practical Suggestions for Businesses on Safeguarding Personal Information

http://www.ftc.gov/opa/2007/03/businessguidance_pii.htm

The Federal Trade Commission is offering a new guide for businesses with practical suggestions on safeguarding sensitive data. The 24-page brochure can help businesses of all sizes protect their customers' and employees' personal information.
FTC Chairman Deborah Platt Majoras unveiled the guide today at the Privacy Summit of the International Association of Privacy Professionals in Washington, DC, where she received the Privacy Leadership Award on behalf of the agency. "Information security cannot be an afterthought for businesses," said Majoras. "Consumers expect and deserve to have their sensitive personal information kept secure."

[...]


From jericho at attrition.org Fri Mar 9 03:48:13 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 9 Mar 2007 03:48:13 -0500 (EST)
Subject: [Dataloss] follow-up: School hires new head of technology after data thefts (fwd)

---------- Forwarded message ----------
From: InfoSec News

http://www.ohio.com/mld/beaconjournal/news/state/16859941.htm

Associated Press
Mar. 08, 2007

ATHENS, Ohio - Ohio University hired a new technology chief who will be in charge of computer systems that hackers once breached, compromising personal information of alumni, students and staff.

The university announced Wednesday that Brice Bible, 45, will become chief information officer April 16. He currently is interim chief information officer and assistant vice president for information technology at the University of Tennessee at Knoxville.

Bible will take over for OU's interim technology chief, Shawn Ostermann. He held the job while the university searched for a permanent replacement for Bill Sams, who stepped down last year.

The university last April discovered breaches in four computer systems, exposing about 367,000 files containing Social Security numbers, names, medical records and home addresses. The university later revised those numbers, stating that about 173,000 people's files were affected.

The school fired two administrators over the electronic break-ins and spent millions to upgrade computer security.

There have been no proven cases of identity theft or fraud linked to the data thefts, university officials have said.

[..]
From lyger at attrition.org Fri Mar 9 22:48:55 2007
From: lyger at attrition.org (lyger)
Date: Fri, 9 Mar 2007 22:48:55 -0500 (EST)
Subject: [Dataloss] Data on Border Soldiers Stolen

http://www.tuscaloosanews.com/article/20070309/APA/703092833

A computer hard drive containing Social Security numbers and other personal information on nearly 1,300 California National Guard troops deployed to the U.S.-Mexico border has apparently been stolen.

The hard drive was reported missing Feb. 23 from the Guard's border mission headquarters inside San Diego Naval Base, said California National Guard spokesman Lt. Col. Jon Siepmann. It contains home addresses, birth dates and other identifying information for all soldiers serving long-term assignments on the border.

The Guard notified the soldiers Feb. 28 that their information had been compromised. It advised them to begin checking credit statements and take other protective measures.

[...]


From lyger at attrition.org Sun Mar 11 12:09:59 2007
From: lyger at attrition.org (lyger)
Date: Sun, 11 Mar 2007 12:09:59 -0500 (UTC)
Subject: [Dataloss] Another computer security breach at U of Idaho

Via Fergie's Tech Blog (http://fergdawg.blogspot.com/)

http://www.klewtv.com/news/6411372.html

The University of Idaho says a data file posted to the school's web site may have put at risk the personal information of approximately 2,700 university employees.

It's the third time in almost a year that the personal information of people affiliated with the school has been compromised.

UI officials said in a news release Friday that, to date, there is no indication that "the information was successfully read or used for any purpose other than the reason for which it was created."

[...]
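Three of the items above (Los Rios, the Census Bureau and the University of Idaho) describe the same failure: a data file placed under a public web document root and left there long enough to be crawled and indexed. The script below is an added example, not code from the list or from any of the organisations named. It is the pre-publication check a web team could run over a document root before a release: it walks the tree, skips binary files, and reports every text file holding values shaped like U.S. Social Security numbers, masking all but the last four digits so the report itself is not another copy of the data. The directory layout, file names and record values are constructed for the example and stand in for a real document root.

```python
"""Pre-publication scan of a web document root for SSN-shaped data.

Added example (not from the list posts): walks a directory tree the way a
release check or cron job might before files go live, and reports any text
file containing values shaped like U.S. Social Security numbers.
"""
import re
import tempfile
from pathlib import Path

# Rejects area numbers 000, 666 and 900-999, group 00 and serial 0000, which
# the SSA never issues; the \b anchors keep "123-45-6789x" from matching.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample content standing in for a document root (not real data).
SAMPLE_FILES = {
    "index.html": "<html><body>Registrar - office hours 9-5</body></html>\n",
    "test/upload_batch.csv": (
        "name,dob,ssn\n"
        "Jane Roe,1985-04-02,123-45-6789\n"
        "John Doe,1984-11-30,219-09-9999\n"
    ),
    "notes.txt": (
        "Invalid shapes only: 000-12-3456 666-45-6789 987-65-4321 "
        "123-00-6789 123-45-0000 and 123-45-6789x (part of a longer token)\n"
    ),
    # Binary file: contains an SSN-shaped byte run but is skipped by the sniff.
    "img/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00123-45-6789",
}


def build_sample_webroot() -> Path:
    """Write SAMPLE_FILES into a fresh temporary directory and return it."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            target.write_bytes(content)
        else:
            target.write_text(content, encoding="utf-8")
    return root


def mask(ssn: str) -> str:
    """Keep only the last four digits so the report is not itself a leak."""
    return "***-**-" + ssn[-4:]


def looks_binary(path: Path) -> bool:
    """Cheap binary sniff: a NUL byte anywhere in the first KiB."""
    with path.open("rb") as fh:
        return b"\x00" in fh.read(1024)


def scan_webroot(root: Path) -> list[dict]:
    """Return one finding per text file containing at least one SSN-shaped value.

    Each finding carries the path relative to the root, the number of hits and
    a masked sample, sorted by path so the output is stable between runs.
    """
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if looks_binary(path):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = SSN_RE.findall(text)
        if hits:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "count": len(hits),
                "sample": mask(hits[0]),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(f"{finding['path']}: {finding['count']} SSN-shaped value(s), "
              f"e.g. {finding['sample']}")
```

Run against the constructed root, only test/upload_batch.csv is reported; the invalid shapes in notes.txt and the byte run inside the PNG are ignored. Pointing scan_webroot at a real document root is a one-line change, and the same check fits naturally as a deploy-time gate so a "test batch" never reaches the public tree in the first place.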
From lyger at attrition.org Mon Mar 12 16:58:04 2007
From: lyger at attrition.org (lyger)
Date: Mon, 12 Mar 2007 16:58:04 +0000 (UTC)
Subject: [Dataloss] NC: Loss, theft of personal data reported

http://www.newsobserver.com/102/story/552644.html

Recent laws requiring businesses and governments to inform consumers when their personal information may have been lost or stolen have helped uncover more than 100 security breaches in North Carolina.

A total of 103 breaches that involved information about more than 500,000 North Carolina consumers have been reported since the laws took effect in 2005 and 2006, state Attorney General Roy Cooper said in a news release today.

Of those breaches, half involved the theft of laptops, computers or other equipment containing personal information. Nearly 20 percent of breaches were caused by unauthorized release or display of information, and nearly 18 percent were the result of hackers.

[...]


From Dissent at pogowasright.org Tue Mar 13 17:50:10 2007
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 13 Mar 2007 13:50:10 -0400
Subject: [Dataloss] Hackers Get Bum Rap For Corporate America's Digital Delinquency
Message-ID: <7.0.0.16.2.20070313134824.05e16e60@nowhere.org>

http://www.sciencedaily.com/releases/2007/03/070313114354.htm

If Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year.

Howard, an assistant professor of communication at the University of Washington, bases his projections on a review of breached-record incidents as reported in major U.S. news media from 1980 to 2006.
The total through last year stood at 1.9 billion -- or roughly nine records per American adult.

[...]


From adam at homeport.org Tue Mar 13 19:05:59 2007
From: adam at homeport.org (Adam Shostack)
Date: Tue, 13 Mar 2007 15:05:59 -0400
Subject: [Dataloss] Hackers Get Bum Rap For Corporate America's Digital Delinquency
In-Reply-To: <7.0.0.16.2.20070313134824.05e16e60@nowhere.org>
References: <7.0.0.16.2.20070313134824.05e16e60@nowhere.org>
Message-ID: <20070313190559.GB27234@homeport.org>

This is exciting stuff, and is an example of how research can be done when we share data. He's making his data available--it's largely, but not entirely, driven by the attrition data set.

See http://www.wiareport.org/index.php/43/6-million-personal-records-compromised-each-month-2-billion-in-total-by-december#more-43

Adam

On Tue, Mar 13, 2007 at 01:50:10PM -0400, Dissent wrote:
| http://www.sciencedaily.com/releases/2007/03/070313114354.htm
|
|
| If Phil Howard's calculations prove true, by year's end the 2
| billionth personal record -- some American's social-security or
| credit-card number, academic grades or medical history -- will become
| compromised, and it's corporate America, not rogue hackers, who are
| primarily to blame. By his reckoning, electronic records in the
| United States are bleeding at the rate of 6 million a month in 2007,
| up some 200,000 a month from last year.
|
| Howard, an assistant professor of communication at the University of
| Washington, bases his projections on a review of breached-record
| incidents as reported in major U.S. news media from 1980 to 2006. The
| total through last year stood at 1.9 billion -- or roughly nine
| records per American adult.
|
| [...]
|
| _______________________________________________
| Dataloss Mailing List (dataloss at attrition.org)
| http://attrition.org/dataloss
| Tracking more than 149 million compromised records in 598 incidents over 7 years.


From ADAIL at sunocoinc.com Tue Mar 13 19:11:07 2007
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Tue, 13 Mar 2007 15:11:07 -0400
Subject: [Dataloss] Hackers Get Bum Rap For Corporate America's Digital Delinquency
In-Reply-To: <20070313190559.GB27234@homeport.org>
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC70A17@mds3aex0e.USISUNOCOINC.com>

This is an interesting point as well.

[snippet]
The data problem is growing every day as well. Dan Geer points out that three years ago the per capita data production rate on the planet (including all of those people who make less than a dollar a day) was 800 Mbytes. That was three years ago, and data production rates are basically doubling every 18 months. It seems that the problem is getting bigger and bigger even as we're only barely coming to grips with it.
[/snippet]

http://www.cigital.com/silverbullet/shows/silverbullet-002-dgeer.pdf

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Adam Shostack
Sent: Tuesday, March 13, 2007 2:06 PM
To: Dissent
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Hackers Get Bum Rap For Corporate America's Digital Delinquency

This is exciting stuff, and is an example of how research can be done when we share data. He's making his data available--it's largely, but not entirely, driven by the attrition data set.
See http://www.wiareport.org/index.php/43/6-million-personal-records-compromised-each-month-2-billion-in-total-by-december#more-43

Adam
From cwalsh at cwalsh.org Wed Mar 14 01:06:50 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 13 Mar 2007 20:06:50 -0500
Subject: [Dataloss] Hackers Get Bum Rap For Corporate America's Digital Delinquency
In-Reply-To: <20070313190559.GB27234@homeport.org>
References: <7.0.0.16.2.20070313134824.05e16e60@nowhere.org> <20070313190559.GB27234@homeport.org>
Message-ID: <11221997-A54C-41CA-A8D7-044ED2B62B42@cwalsh.org>

Freaking awesome!

I notice that in the endnotes they make explicit mention of the PITA it is to even know what an incident is, and to count affected records. Glad I'm not alone in that belief!!

On Mar 13, 2007, at 2:05 PM, Adam Shostack wrote:

> This is exciting stuff, and is an example of how research can be done
> when we share data. He's making his data available--it's largely, but
> not entirely, driven by the attrition data set.
>


From Dissent at pogowasright.org Wed Mar 14 11:15:14 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 14 Mar 2007 07:15:14 -0400
Subject: [Dataloss] Medical Data on Empire Blue Cross Members May Be Lost
Message-ID: <7.0.0.16.2.20070314071208.05dd0cd8@nowhere.org>

http://www.nytimes.com/2007/03/14/business/14insure.html?_r=1&n=Top%2fReference%2fTimes%20Topics%2fSubjects%2fP%2fPrivacy&oref=slogin

WellPoint, one of the nation's largest health insurers, has begun notifying 75,000 members of its Empire Blue Cross and Blue Shield unit in New York that a compact disc holding their vital medical and other personal information had disappeared.

The information was on an unencrypted disc that a subcontractor recently sent to Magellan Behavioral Services, a company in Avon, Conn., that specializes in monitoring and coordinating mental health and substance abuse treatments for insurance companies.

Empire began notifying the affected consumers by mail on Saturday that their records --
including their names, Social Security numbers, health plan identification numbers and description of medical services back to 2003 -- had been lost. The company says it will provide 12 months of free credit monitoring by Equifax Credit Watch for any of those health plan members who fear that they may fall victim to identity theft.

Before shipping the information to Magellan, the coding and passwords that protect the privacy of the information were removed by a Magellan subcontractor, Lisa Ann Greiner, an Empire spokeswoman, said yesterday.

Janlori Goldman, the director of the Health Privacy Center, a nonprofit organization in Washington, said the error was "an egregious breach of privacy." She said that insurance companies were responsible under a federal privacy law for ensuring that their contractors use adequate security procedures.

Ms. Greiner said that the subcontractor, Health Data Management Services, worked for Magellan, not Empire. "If any contract was breached, we are going to take direct action," she said.

[...]


From rforno at infowarrior.org Wed Mar 14 15:36:00 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 14 Mar 2007 10:36:00 -0500
Subject: [Dataloss] The Smart Card Alliance Thinks Privacy Is Bunk

The Smart Card Alliance Thinks Privacy Is Bunk

A spokesman for the Smart Card Alliance says:

    Privacy concerns are all perception and hype and no substance but carry considerable weight with state legislators because no one wants to be accused of being soft on privacy.

That's Randy Vanderhoof, the Smart Card Alliance's executive director, quoted in a Federal Computer Week article on the collapsing REAL ID Act/national ID plan.
He was speaking of Congressman Tom Allen's (D-ME) bill to restore the 9/11 Commission-inspired ID provisions of the Intelligence Reform and Terrorism Prevention Act of 2004.

Mr. Vanderhoof and the Smart Card Alliance couldn't appear more dismissive, ignorant, and unserious about issues that are a core problem preventing uptake of its products.

http://www.techliberation.com/archives/042151.php


From ADAIL at sunocoinc.com Wed Mar 14 17:41:00 2007
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Wed, 14 Mar 2007 13:41:00 -0400
Subject: [Dataloss] The Smart Card Alliance Thinks Privacy Is Bunk
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC70A22@mds3aex0e.USISUNOCOINC.com>

Yeah.. Well. Technically, so is the reputation of my business.. I can't put a specific value on it, but I certainly know when it's become worthless.

Data Security is much like air. It's just not noticeable until it's absent... then it's a dire emergency.

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Richard Forno
Sent: Wednesday, March 14, 2007 10:36 AM
To: dataloss at attrition.org
Subject: [Dataloss] The Smart Card Alliance Thinks Privacy Is Bunk

The Smart Card Alliance Thinks Privacy Is Bunk

A spokesman for the Smart Card Alliance says:

    Privacy concerns are all perception and hype and no substance
From Dissent at pogowasright.org Wed Mar 14 17:58:00 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 14 Mar 2007 13:58:00 -0400
Subject: [Dataloss] Hackers Get Bum Rap For Corporate America's Digital Delinquency
In-Reply-To: <20070313190559.GB27234@homeport.org>
References: <7.0.0.16.2.20070313134824.05e16e60@nowhere.org> <20070313190559.GB27234@homeport.org>
Message-ID: <7.0.0.16.2.20070314135626.05e44148@cotse.net>

At 03:05 PM 3/13/2007, Adam Shostack wrote:
>
>This is exciting stuff, and is an example of how research can be done
>when we share data. He's making his data available--it's largely, but
>not entirely, driven by the attrition data set.
>
>See
>http://www.wiareport.org/index.php/43/6-million-personal-records-compromised-each-month-2-billion-in-total-by-december#more-43
>

Yep. For those on the "left coast," he'll be presenting this research at Stanford Law on Monday, March 19th:

http://cyberlaw.stanford.edu/node/5167

/Dissent


From byurcik at ncsa.uiuc.edu Wed Mar 14 20:32:40 2007
From: byurcik at ncsa.uiuc.edu (Bill Yurcik)
Date: Wed, 14 Mar 2007 15:32:40 -0500 (CDT)
Subject: [Dataloss] seriously flawed U Washington breach study gets press making claims

"Hackers Get a Bum Rap for Corporate America's Digital Delinquency"
University of Washington News and Information (03/12/07)
http://uwnews.washington.edu/ni/article.asp?articleID=31264

I saw this press announcement of a study (also included in summary at end of this Email) getting publicity and it looks seriously flawed. The academics searched news articles about computer breaches going back to 1980 and then make claims.
(1) The authors, who are not techies (communications and geography academics), should realize that there are significant disincentives for any organization to have breaches of any type publicly reported - this makes any aggregate news data about breaches they assembled extremely suspect. For instance, the authors claim there were *zero* breaches each year for the years 1988-91, 1993-94; less than 10 breaches each year from 1995-1999; and less than 25 breaches each year from 2000-2004. This does not pass the smell test!!!

(2) I would also argue only since state breach disclosure laws have started to provide accurate data on "privacy breaches" can one begin to make claims - there is not valid data before state disclosure laws kicked in. Even state breach disclosure data is relatively new to being analyzed and not perfect since there is still non-reporting and disclosures are not publicly recorded although the press does pick up a significant portion of the disclosures between organizations and the parties affected. Also there are skewing effects due to state breach disclosure laws not being uniform and having different technical requirements such as who must report, what they must report, etc.

(3) The study in question mixes news events with recent reports to comply with state disclosure laws so this changes any statistical analysis (multiple sources from different distributions).

I am very disappointed to see this poor scholarship/analysis especially that it is getting press (primarily due to the University of Washington's public relations). Of course consider the source where the study will eventually be published is not at the forefront in this area, "Journal of Computer-Mediated Communication", however, due diligence should have sent the editors of JCMC to seek out some of us from this dataloss list for peer-review.

Any feedback in agreement or disagreement?

Cheers!
- Bill Yurcik

---

"Hackers Get a Bum Rap for Corporate America's Digital Delinquency"
University of Washington News and Information (03/12/07)
http://uwnews.washington.edu/ni/article.asp?articleID=31264

University of Washington communications professor Phil Howard conducted a review of data-breach incidents reported in major U.S. news outlets between 1980 and 2006 and found that organizational flaws in businesses, not hackers, should receive the most blame. "The surprising part is how much of those violations are organizationally prompted--they're not about lone wolf hackers doing their thing with malicious intent," Howard says. His study revealed that malicious intrusions represent only 31 percent of 550 confirmed incidents, while mismanagement, such as missing or stolen hardware, insider abuse or theft, administrative errors, or accidental exposure of data online was responsible for 60 percent of the incidents reported. State laws that require companies to report breaches enabled the study to be done with greater accuracy. "We've actually been able to get a much better snapshot of the spectrum of privacy violations," says Howard.

The study also found that while universities make up less than 1 percent of the total records lost, they make up 30 percent of the reported incidents. Corporate America claims that market forces should be allowed to solve the problem of data breaches and reporting them, but Howard believes that this strategy is not sufficient, especially since identity theft is the nation's fastest growing crime. He also believes that states seem more capable of passing laws on the matter than the federal government.
---

From ADAIL at sunocoinc.com Wed Mar 14 21:08:21 2007
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Wed, 14 Mar 2007 17:08:21 -0400
Subject: [Dataloss] Electronic Copiers Now Potential Source of Identity Theft
In-Reply-To:
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC70A2C@mds3aex0e.USISUNOCOINC.com>

Just lovely... Imagine what gets copied in a University's Financial Aid office alone...

http://www.cnn.com/2007/TECH/ptech/03/14/photocopier.risks.ap/index.html

SAN JOSE, California (AP) -- Consumers are bombarded with warnings about identity theft. Publicized threats range from mailbox thieves and lost laptops to the higher-tech methods of e-mail scams and corporate data invasions.

Now, experts are warning that photocopiers could be a culprit as well.

That's because most digital copiers manufactured in the past five years have disk drives -- the same kind of data-storage mechanism found in computers -- to reproduce documents. As a result, the seemingly innocuous machines that are commonly used to spit out copies of tax returns for millions of Americans can retain the data being scanned.

If the data on the copier's disk aren't protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, industry experts say sensitive information from original documents could get into the wrong hands.

Some copier makers are now adding security features, but many of the digital machines already found in public venues or business offices are likely still open targets, said Ed McLaughlin, president of Sharp Document Solutions Company of America.

"You actually have a better chance at winning 10 straight rolls of roulette than getting those hard drives on copiers rewritten," he said.

Sharp issued a warning about photocopier vulnerabilities Wednesday -- just ahead of tax time.
The company, one of the leading makers of photocopiers, commissioned a consumer survey that indicated more than half of Americans did not know copiers carried this data security risk. The telephone survey of 1,005 adults, conducted in January, also showed that 55 percent of Americans plan to make photocopies and printouts of their tax returns and related documents. Of that segment, half planned to make the copies outside their homes -- at offices, libraries and copy shops. An additional 13 percent said they plan to have their tax preparers make copies.

Although industry and security experts were unable to point to any known incidents of identity thieves using copiers to steal information, they said the potential was very real.

"It is a valid concern and most people don't know about it," said Keith Kmetz, analyst at market researcher IDC. "Copying wasn't like this before."

Added Paul DeMatteis, a security consultant and teacher at the John Jay College of Criminal Justice at the City University of New York: "We know there are bad people out there. Just because this is difficult to detect doesn't mean it isn't being exploited."

Daniel Katz-Braunschweig, a chief consultant at DataIXL, a business consulting firm, includes digital copiers among his list of data holes corporations should try to protect. He couldn't specify names but said a few of his company clients did learn about the vulnerability after their copiers were resold and the new owners -- in good faith -- notified them of the data residing on the disks.

Sharp was among the first to begin offering, a few years ago, a security kit for its machines to encrypt and overwrite the images being scanned, so that data aren't stored on the hard disks indefinitely. Xerox Corp. said in October it would start making a similar security feature standard across all of its digital copiers.
Randy Cusick, a technical marketing manager at Xerox, said many entities dealing with sensitive information, such as government agencies, financial institutions, and defense contractors, already have policies to make sure copier disks themselves or the data stored on them are secured or not unwittingly passed along in a machine resale. Smaller businesses and everyday consumers are less likely to know about the risk, but should, he said.

Sharp recommends that consumers take precautions, such as asking their tax preparers or the copy shops they are using about whether their copier machines have data security installed.

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.

From bkdelong at pobox.com Wed Mar 14 21:35:18 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Wed, 14 Mar 2007 17:35:18 -0400
Subject: [Dataloss] seriously flawed U Washington breach study gets press making claims
In-Reply-To:
References:
Message-ID:

Some good insight, Bill. The key thing with getting the word out, (though there are a number of journalists on this list), is to set this study to a Google Alert and email your points to any reporters who cover said. It wouldn't hurt to get a few more sharp folks to "sign on" to the points. Of course, certain vendors may fan the flames by pointing out that corporations need to buy more products and services but hopefully that trend continues to be less useful the more educated everyone becomes.
On 3/14/07, Bill Yurcik wrote:
> [...]
> The study also found that while universities make up less than 1 percent of the total records lost, they make up 30 percent of the reported incidents. Corporate America claims that market forces should be allowed to solve the problem of data breaches and reporting them, but Howard believes that this strategy is not sufficient, especially since identity theft is the nation's fastest growing crime. He also believes that states seem more capable of passing laws on the matter than the federal government.
>
> ---
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 149 million compromised records in 598 incidents over 7 years.
>

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471
http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From james at iqbio.net Wed Mar 14 21:44:16 2007
From: james at iqbio.net (James Childers)
Date: Wed, 14 Mar 2007 14:44:16 -0700
Subject: [Dataloss] seriously flawed U Washington breach study getspress making claims
In-Reply-To:
References:
Message-ID: <88677D8E4FBE2A4C9CEF9FBF8F38E70519FE0D@prometheus.HQ.IQBIO.NET>

Bill,

Don't be too quick to knock "vendors fanning the flames". We need to get a serious bonfire going to get people to realize what is actually going on and to secure the data to which they have been entrusted. Bring on the gasoline. Only when the "market" truly decides people actually need to secure their data will they do so - and this usually happens when the Government makes an example out of someone or some company (Martha Stewart, Enron, etc...) and people are shocked out of their complacency - DON'T be that guy should be the motto.
Until then the best we can do is "Educate the Consumer". This is Capitalism at its best - Find a need and fill it. Just don't make outrageous claims or promote snake oil. Having a better mousetrap that works as advertised is not necessarily a bad thing.

James (Jim) Childers
President / Owner
Artemis Solutions Group (USA)
BioCert(r) - iQBio(tm) - BioSaf(r)
www.iqbio.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of B.K. DeLong
Sent: Wednesday, March 14, 2007 2:35 PM
To: Bill Yurcik
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] seriously flawed U Washington breach study getspress making claims

Some good insight, Bill. The key thing with getting the word out, (though there are a number of journalists on this list), is to set this study to a Google Alert and email your points to any reporters who cover said. It wouldn't hurt to get a few more sharp folks to "sign on" to the points. Of course, certain vendors may fan the flames by pointing out that corporations need to buy more products and services but hopefully that trend continues to be less useful the more educated everyone becomes.

On 3/14/07, Bill Yurcik wrote:
> [...]
--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471
http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 149 million compromised records in 598 incidents over 7 years.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From Dissent at pogowasright.org Wed Mar 14 22:03:45 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 14 Mar 2007 18:03:45 -0400
Subject: [Dataloss] [Update] Empire Blue Cross Blue Shield CD Found
Message-ID: <7.0.0.16.2.20070314180202.05e08f08@nowhere.org>

http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/03-14-2007/0004546462&EDATE=

Empire Blue Cross Blue Shield was just informed that Magellan Behavioral Health Services has located the CD sent via UPS by Health Data Management Solutions (HDMS), a third party vendor to Magellan, an Empire benefit program administrator, that included some members' personal health information. The CD was lost in transit and was located this afternoon.

Although there was no indication that the CD had been stolen, last week Empire sent a letter to inform affected groups and members who may have been impacted. While we understood it was possible the CD would be found, to be cautious, Empire accelerated member notification as our members' security and trust are our highest priority.

[...]
--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From adam at homeport.org Wed Mar 14 22:00:22 2007
From: adam at homeport.org (Adam Shostack)
Date: Wed, 14 Mar 2007 18:00:22 -0400
Subject: [Dataloss] seriously flawed U Washington breach study gets press making claims
In-Reply-To:
References:
Message-ID: <20070314220022.GA13097@homeport.org>

My read of the full study is that they acknowledge some of these weaknesses (especially the spike in reports), consider the reasons, and also discuss the issue of how 'hackers' are portrayed in the media reasonably well.

On the other hand, they could definitely have been more clear about the difference between 0 breaches and 0 reported breaches.

Adam

On Wed, Mar 14, 2007 at 03:32:40PM -0500, Bill Yurcik wrote:
| [...]
From byurcik at ncsa.uiuc.edu Wed Mar 14 22:35:33 2007
From: byurcik at ncsa.uiuc.edu (Bill Yurcik)
Date: Wed, 14 Mar 2007 17:35:33 -0500 (CDT)
Subject: [Dataloss] seriously flawed U Washington breach study
In-Reply-To: <20070314220022.GA13097@homeport.org>
References: <20070314220022.GA13097@homeport.org>
Message-ID:

On Wed, 14 Mar 2007, Adam Shostack wrote:
> On the other hand, they could definitely have been more clear about the
> difference between 0 breaches and 0 reported breaches.
The authors did not identify (maybe because they did not recognize) how incredibly bad their data is (years of data that are not even close); they then went on to make bold claims! trash-in trash-out

> On Wed, Mar 14, 2007 at 03:32:40PM -0500, Bill Yurcik wrote:
> | [...]
From adam at homeport.org Wed Mar 14 23:17:01 2007
From: adam at homeport.org (Adam Shostack)
Date: Wed, 14 Mar 2007 19:17:01 -0400
Subject: [Dataloss] seriously flawed U Washington breach study
In-Reply-To:
References: <20070314220022.GA13097@homeport.org>
Message-ID: <20070314231701.GA15435@homeport.org>

On Wed, Mar 14, 2007 at 05:35:33PM -0500, Bill Yurcik wrote:
|
| On Wed, 14 Mar 2007, Adam Shostack wrote:
| > On the other hand, they could definitely have been more clear about the
| > difference between 0 breaches and 0 reported breaches.
|
| the authors did not identify (maybe because they did not recognize) how
| incredibly bad their data is (years of data that are not even close),
| they then went on to make bold claims! trash-in trash-out

On "page 22 of 31," starting from line 37:

> Several factors might explain the pattern of increasing incidents
> and volume of compromised data over time.
> First, there is the
> possibility that the results are skewed due to the relative growth
> of new, fresh news stories devoted to this issue, and the loss of
> older stories that disappeared from news archives as time
> passed. Perhaps there have always been hundreds of incidents every
> year, but only in recent years has the severity of the problem been
> reported in the news. If this were the case, we would expect to see
> a gradually decaying pattern with greater number of reported cases
> in 2006 than in 2005, 2004, and so on. However, the dramatic
> difference in reported incidents between later years and early years
> suggests that this effect does not adequately explain ...

So I'm confused by your claim that they don't recognize the issue.

Adam

| > On Wed, Mar 14, 2007 at 03:32:40PM -0500, Bill Yurcik wrote:
| > | [...]
| > |
| > | (2) I would also argue only since state breach disclosure laws have
| > | started to provide accurate data on "privacy breaches" can one begin to
| > | make claims - there is not valid data before state disclosure laws kicked
| > | in. Even state breach disclosure data is relatively new to being
| > | analyzed and not perfect since there is still non-reporting and
| > | disclosures are not publicly recorded although the press does pick up a
| > | significant portion of the disclosures between organizations and the
| > | parties affected. Also there are skewing effects due to state
| > | breach disclosure laws not being uniform and having different technical
| > | requirements such as who must report, what they must report, etc.
| > |
| > | (3) The study in question mixes news events with
| > | recent reports to comply with state disclosure laws so this changes any
| > | statistical analysis (multiple sources from different distributions)
| > |
| > | I am very disappointed to see this poor scholarship/analysis
| > | especially that it is getting press (primarily due to the University of
| > | Washington's public relations). Of course consider the source where the
| > | study will eventually be published is not at the forefront in
| > | this area, "Journal of Computer-Mediated Communication", however, due
| > | diligence should have sent the editors of JCMC to seek out some of us
| > | from this dataloss list for peer-review.
| > |
| > | any feedback in agreement or disagreement?
| > |
| > | Cheers! - Bill Yurcik
| > |
| > | ---
| > |
| > | "Hackers Get a Bum Rap for Corporate America's Digital Delinquency"
| > | University of Washington News and Information (03/12/07)
| > | http://uwnews.washington.edu/ni/article.asp?articleID=31264
| > |
| > | University of Washington communications professor Phil Howard conducted a
| > | review of data-breach incidents reported in major U.S.
news outlets between
| > | 1980 and 2006 and found that organizational flaws in businesses, not
| > | hackers, should receive the most blame. "The surprising part is how much
| > | of those violations are organizationally prompted--they're not about lone
| > | wolf hackers doing their thing with malicious intent," Howard says. His
| > | study revealed that malicious intrusions represent only 31 percent of 550
| > | confirmed incidents, while mismanagement, such as missing or stolen
| > | hardware, insider abuse or theft, administrative errors, or accidental
| > | exposure of data online was responsible for 60 percent of the incidents
| > | reported. State laws that require companies to report breaches enabled the
| > | study to be done with greater accuracy. "We've actually been able to get a
| > | much better snapshot of the spectrum of privacy violations," says Howard.
| > | The study also found that while universities make up less than 1 percent of
| > | the total records lost, they make up 30 percent of the reported incidents.
| > | Corporate America claims that market forces should be allowed to solve the
| > | problem of data breaches and reporting them, but Howard believes that this
| > | strategy is not sufficient, especially since identity theft is the nation's
| > | fastest growing crime. He also believes that states seem more capable of
| > | passing laws on the matter than the federal government.
| > |
| > | ---
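The test the paper applies in the passage quoted above (archive attrition would leave a gradual decay in the counts, a disclosure law a step), and the objection Bill and Chris raise against it (a step in reported counts cannot by itself say whether incidents rose or disclosure did), can both be made concrete with a small model. The Python below is an added illustration written for this archive page; it is not code from the U Washington study or from anyone on the list. The years, counts, rates and the 2003 law year are constructed assumptions, and the model itself (observed = true incidents x disclosure rate x archive survival) is a simplification introduced here, not the paper's method.

```python
"""Toy model of how reported-breach counts per year can arise.

Added illustration, not code from the U Washington study or from this
thread.  All numbers are constructed.  The model separates three things
the thread argues about: how many incidents actually happened, what
fraction an organization disclosed (the thing state laws changed), and
what fraction of old news stories still survives in archives.
"""

YEARS = list(range(2000, 2007))
LAW_YEAR = 2003  # assumption: the year mandatory disclosure kicked in


def observed_counts(true_counts, disclosure_rate, archive_survival=1.0):
    """Incidents a news search would find for each year.

    observed[y] = true[y] * disclosure_rate[y] * archive_survival ** age,
    where age is how many years before the last modelled year y is and
    archive_survival is the per-year probability a story stays retrievable.
    """
    last = max(true_counts)
    return {
        y: true_counts[y] * disclosure_rate[y] * archive_survival ** (last - y)
        for y in sorted(true_counts)
    }


def step(before, after, law_year=LAW_YEAR):
    """A per-year value that jumps from `before` to `after` at law_year."""
    return {y: (after if y >= law_year else before) for y in YEARS}


def year_over_year(series):
    """Ratio of each year's count to the previous year's."""
    ys = sorted(series)
    return {y: series[y] / series[prev] for prev, y in zip(ys, ys[1:])}


def largest_jump(series):
    """The biggest year-over-year ratio and the year it occurs in."""
    ratios = year_over_year(series)
    year = max(ratios, key=ratios.get)
    return year, ratios[year]


def same_series(a, b, tol=1e-9):
    """True when two yearly series are indistinguishable."""
    return a.keys() == b.keys() and all(abs(a[y] - b[y]) < tol for y in a)


# Scenario A (Bill Yurcik's reading): incidents were steady all along;
# disclosure laws raised the fraction that ever became public.
SCENARIO_A = observed_counts(
    true_counts={y: 200 for y in YEARS},
    disclosure_rate=step(before=0.05, after=0.50),
)

# Scenario B: incidents really did rise tenfold; disclosure never changed.
SCENARIO_B = observed_counts(
    true_counts=step(before=20, after=200),
    disclosure_rate={y: 0.50 for y in YEARS},
)

# Scenario C (the archive-attrition explanation the paper rejects): steady
# incidents, steady disclosure, but 30% of stories lost per year of age.
SCENARIO_C = observed_counts(
    true_counts={y: 200 for y in YEARS},
    disclosure_rate={y: 0.50 for y in YEARS},
    archive_survival=0.7,
)

if __name__ == "__main__":
    for name, s in (("A", SCENARIO_A), ("B", SCENARIO_B), ("C", SCENARIO_C)):
        print(name, {y: round(v, 1) for y, v in s.items()}, largest_jump(s))
    print("A and B identical from counts alone:", same_series(SCENARIO_A, SCENARIO_B))
```

Scenario C reproduces the geometric, gradually decaying shape the paper says it would expect if archive loss were the explanation, with no single large jump, so the paper's test does separate that hypothesis from a step. Scenarios A and B, however, produce exactly the same reported counts, which is the identifiability problem behind Chris Walsh's denominator question: a step in the counts is consistent with steady incidents plus a disclosure law or with a real rise in incidents, and only an independent handle on the disclosure rate (or on the true count) can tell them apart.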
From cwalsh at cwalsh.org Thu Mar 15 11:31:01 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 15 Mar 2007 06:31:01 -0500
Subject: [Dataloss] seriously flawed U Washington breach study
In-Reply-To: References: <20070314220022.GA13097@homeport.org>
Message-ID: <20070315113052.GA12807@cwalsh.org>

Bill Yurcik wrote:

"the press does pick up a significant portion of the disclosures between organizations and the parties affected."

Two questions:

Q1: What do you mean by "significant"?

Q2: If the answer to Q1 depends in any way on the (unobserved) total number of communications between breached entity and parties affected, how do you know your statement is true? That is, how do you test it as a hypothesis?

I read the quoted material as saying "The press has revealed a large proportion of breaches for which disclosure has occurred". Well, ascertaining the numerator is easy in principle: Google+LexisNexis --> a number. The denominator is the hard one. Is it 95% of the iceberg? Is it 5%? Is the visible part of the iceberg just like the submerged part, so from an analytical standpoint it doesn't matter? I think that we know of more than 5% of reported breaches, but that the ones we don't know about are different in analytically meaningful ways. I can think of a way to sort of prove it, even.

The more important question is whether the breaches that are never even reported to anyone "look like" the ones we have info on. Impossible, using current data, to answer.

cw

From byurcik at ncsa.uiuc.edu Thu Mar 15 16:28:58 2007
From: byurcik at ncsa.uiuc.edu (Bill Yurcik)
Date: Thu, 15 Mar 2007 11:28:58 -0500 (CDT)
Subject: [Dataloss] seriously flawed U Washington breach study
In-Reply-To: <20070315113052.GA12807@cwalsh.org>
References: <20070314220022.GA13097@homeport.org> <20070315113052.GA12807@cwalsh.org>
Message-ID:

> Bill Yurcik wrote:
> "the press does pick up a significant portion of the disclosures between
> organizations and the parties affected."
>
> Q1: What do you mean by "significant"?

Significant to mean there are hundreds of disclosures now being reported by the press. Of course these are a skewed sample of events the press finds out about and thinks are worthy of reporting. Also there is nonuniformity between state disclosure laws, non-reporting, etc. that further skews the sample.

> The more important question is whether the breaches that are never even
> reported to anyone "look like" the ones we have info on. Impossible,
> using current data, to answer.

Good point, I agree 100%, no way to know about the total breach situation with current information! However, at least now we do have some data to analyze and in the future as technology, privacy laws, cyber-law enforcement, and privacy lawsuits all mature then we will know more.

Cheers! - Bill Yurcik

From Kim_Nash at ziffdavis.com Thu Mar 15 16:49:49 2007
From: Kim_Nash at ziffdavis.com (Nash, Kim)
Date: Thu, 15 Mar 2007 12:49:49 -0400
Subject: [Dataloss] seriously flawed U Washington breach study
References: <20070314220022.GA13097@homeport.org><20070315113052.GA12807@cwalsh.org>
Message-ID:

However, at least now we do have some data to analyze and in the future as technology, privacy laws, cyber-law enforcement, and privacy lawsuits all mature then we will know more.

=================

I suppose you guys have seen this, from FTC. They're inviting public comments, as well.

http://www.ftc.gov/opa/2007/02/authentication.htm

--kim
From byurcik at ncsa.uiuc.edu Thu Mar 15 16:54:39 2007
From: byurcik at ncsa.uiuc.edu (Bill Yurcik)
Date: Thu, 15 Mar 2007 11:54:39 -0500 (CDT)
Subject: [Dataloss] seriously flawed U Washington breach study
In-Reply-To: <20070314231701.GA15435@homeport.org>
References: <20070314220022.GA13097@homeport.org> <20070314231701.GA15435@homeport.org>
Message-ID:

Adam:
Not much to confuse really. In the clip from the paper below the authors say the breach events were either lost from archives or they did not search well enough or media selection of which events to report is an explanation. Well, the simple fact is breach events were not being reported in the media to be found by the authors prior to the state breach disclosure laws which recently were legislated.

Thus the authors miss this primary point that breach events were not being announced by organizations to then be reported by the media. It's a simple point but a dominant one that would appear to explain the dearth of events used in their study upon which they later make claims.

> *zero* breaches each year for the years 1988-91, 1993-94; less than 10
> breaches each year from 1995-1999; and less than 25 breaches each year
> from 2000-2004.

Chris Walsh and I just had a thread on dataloss where we agreed that *even with* the recent data from state breach disclosure laws it is still hard to make general claims about breach disclosures although the situation is better with the data not worse.

Cheers! - Bill Yurcik

On Wed, 14 Mar 2007, Adam Shostack wrote:
>> On "page 22 of 31," starting from line 37:
>>
>> Several factors might explain the pattern of increasing incidents
>> and volume of compromised data over time.
First, there is the >> possibility that the results are skewed due to the relative growth >> of new, fresh news stories devoted to this issue, and the loss of >> older stories that disappeared from news archives as time >> passed. Perhaps there have always been hundreds of incidents every >> year, but only in recent years has the severity of the problem been >> reported in the news. If this were the case, we would expect to see >> a gradually decaying pattern with greater number of reported cases >> in 2006 than in 2005, 2004, and so on. However, the dramatic >> difference in reported incidents between later years and early years >> suggests that this effect does not adequately explain ... >> >> So I'm confused by your claim that they don't recognize the issue. > On Wed, Mar 14, 2007 at 05:35:33PM -0500, Bill Yurcik wrote: > | > | the authors did not identify (maybe because they did not recognize) how > | incredibly bad their data is (years of data that are not even close), > | they then went on to make bold claims! trash-in trash-out From jneister at axistechnologyllc.com Thu Mar 15 17:35:54 2007 From: jneister at axistechnologyllc.com (Jim Neister) Date: Thu, 15 Mar 2007 13:35:54 -0400 Subject: [Dataloss] seriously flawed U Washington breach study In-Reply-To: References: <20070314220022.GA13097@homeport.org><20070314231701.GA15435@homeport.org> Message-ID: All good points. And...perhaps the thousands and thousands of people who have been victims of ID theft were never able to find out from where the thieves obtained their personal information, and thus what story can be reported by the media? 
-----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Bill Yurcik Sent: Thursday, March 15, 2007 12:55 PM To: dataloss at attrition.org Subject: Re: [Dataloss] seriously flawed U Washington breach study Adam: not much to confuse really, in the clip from the paper below the authors say the breach events were either lost from archives or they did not search well enough or media selection of which events to report is an explanation, well the simple fact is breach events were not being reported in the media to be found by the authors prior to the state breach disclosure laws which recently were legislated. thus the authors miss this primary point that breach events were not being announced by organizations to then be reported by the media. its a simple point but a dominant one that would appear to explain the dearth of events used in their study upon which they later make claims. > *zero* breaches each year for the years 1988-91, 1993-94; less than 10 > breaches each year from 1995-1999; and less than 25 breaches each year > from 2000-2004. Chris Walsh and I just had a thread on dataloss where we agreed that *even with* the recent data from state breach disclosure laws it is still hard to make general claims about breach disclosures although the situation is better with the data not worse. Cheers! - Bill Yurcik On Wed, 14 Mar 2007, Adam Shostack wrote: >> On "page 22 of 31," starting from line 37: >> >> Several factors might explain the pattern of increasing incidents >> and volume of compromised data over time. First, there is the >> possibility that the results are skewed due to the relative growth >> of new, fresh news stories devoted to this issue, and the loss of >> older stories that disappeared from news archives as time >> passed. Perhaps there have always been hundreds of incidents every >> year, but only in recent years has the severity of the problem been >> reported in the news. 
If this were the case, we would expect to see
>> a gradually decaying pattern with greater number of reported cases
>> in 2006 than in 2005, 2004, and so on. However, the dramatic
>> difference in reported incidents between later years and early years
>> suggests that this effect does not adequately explain ...
>>
>> So I'm confused by your claim that they don't recognize the issue.

> On Wed, Mar 14, 2007 at 05:35:33PM -0500, Bill Yurcik wrote:
> |
> | the authors did not identify (maybe because they did not recognize) how
> | incredibly bad their data is (years of data that are not even close),
> | they then went on to make bold claims! trash-in trash-out

From adam at homeport.org Fri Mar 16 00:16:39 2007
From: adam at homeport.org (Adam Shostack)
Date: Thu, 15 Mar 2007 20:16:39 -0400
Subject: [Dataloss] seriously flawed U Washington breach study
In-Reply-To: References: <20070314220022.GA13097@homeport.org> <20070314231701.GA15435@homeport.org>
Message-ID: <20070316001639.GA28773@homeport.org>

What I'm saying is that the paper has more in it. It's not particularly snip-friendly, but it's a reasonably easy 30 page read.

"The fourth possibility, and the most plausible one, is that mandatory reporting legislation has exposed both the severity of the problem and the common circumstances of organizational mismanagement."

I agree that we're far from knowing the totality of circumstances, and my read of the paper is that the authors understood that.
Adam On Thu, Mar 15, 2007 at 11:54:39AM -0500, Bill Yurcik wrote: | | Adam: | not much to confuse really, | in the clip from the paper below the authors say the breach events | were either lost from archives or they did not search well enough | or media selection of which events to report is an explanation, | well the simple fact is breach events were not being reported in | the media to be found by the authors prior to the state | breach disclosure laws which recently were legislated. | | thus the authors miss this primary point that breach | events were not being announced by organizations to then be | reported by the media. its a simple point but a dominant one that | would appear to explain the dearth of events used in their study | upon which they later make claims. | | > *zero* breaches each year for the years 1988-91, 1993-94; less than 10 | > breaches each year from 1995-1999; and less than 25 breaches each year | > from 2000-2004. | | Chris Walsh and I just had a thread on dataloss where we | agreed that *even with* the recent data from state breach disclosure | laws it is still hard to make general claims about breach disclosures | although the situation is better with the data not worse. | | Cheers! - Bill Yurcik | | On Wed, 14 Mar 2007, Adam Shostack wrote: | >> On "page 22 of 31," starting from line 37: | >> | >> Several factors might explain the pattern of increasing incidents | >> and volume of compromised data over time. First, there is the | >> possibility that the results are skewed due to the relative growth | >> of new, fresh news stories devoted to this issue, and the loss of | >> older stories that disappeared from news archives as time | >> passed. Perhaps there have always been hundreds of incidents every | >> year, but only in recent years has the severity of the problem been | >> reported in the news. 
If this were the case, we would expect to see
| >> a gradually decaying pattern with greater number of reported cases
| >> in 2006 than in 2005, 2004, and so on. However, the dramatic
| >> difference in reported incidents between later years and early years
| >> suggests that this effect does not adequately explain ...
| >>
| >> So I'm confused by your claim that they don't recognize the issue.
|
| > On Wed, Mar 14, 2007 at 05:35:33PM -0500, Bill Yurcik wrote:
| > |
| > | the authors did not identify (maybe because they did not recognize) how
| > | incredibly bad their data is (years of data that are not even close),
| > | they then went on to make bold claims! trash-in trash-out
|

From lyger at attrition.org Fri Mar 16 23:30:57 2007
From: lyger at attrition.org (lyger)
Date: Fri, 16 Mar 2007 23:30:57 +0000 (UTC)
Subject: [Dataloss] OH: Laptop with city school employees' information stolen
Message-ID:

http://www.springfieldnewssun.com/hp/content/oh/story/news/local/2007/03/16/sns031707laptop.html

Nearly 2,000 current and former employees of Springfield City Schools are being notified their personal information was on a stolen laptop belonging to the state auditor's office. The information includes the names and social security numbers of 1,950 employees who received paychecks on two dates in 2004 (Jan. 30 and Dec. 17) and on Dec. 19, 2003, according to school payroll supervisor Rebecca Scovill.

[...]

From lyger at attrition.org Sat Mar 17 03:01:22 2007
From: lyger at attrition.org (lyger)
Date: Sat, 17 Mar 2007 03:01:22 +0000 (UTC)
Subject: [Dataloss] Dr.
Howard at Stanford Law for SV residents
Message-ID:

(forwarded due to accidental deletion from moderation queue)

From: Saundra Kae Rubel
Cc: dataloss at attrition.org
Date: Fri, 16 Mar 2007 19:50:41 -0700
Subject: Dr. Howard at Stanford Law for SV residents

Hi

For those who live in the San Francisco Bay Area, Dr. Howard will be presenting his findings at the Center for Internet and Society at Stanford Law on Monday Mar 19, 2007.

See more at: http://cyberlaw.stanford.edu/node/5167

Saundra Kae Rubel, CIPP
International Data Protection, Privacy and Security Breach Consultant

From lyger at attrition.org Sun Mar 18 17:07:02 2007
From: lyger at attrition.org (lyger)
Date: Sun, 18 Mar 2007 17:07:02 +0000 (UTC)
Subject: [Dataloss] JP: Dai Nippon Printing reports client data theft
Message-ID:

Thanks to Chris Walsh for the link, other info can be found here:
http://www.pogowasright.org/article.php?story=20070317210055265

http://www.reuters.com/article/technology-media-telco-SP/idUST2997420070312

Japan's Dai Nippon Printing Co. (7912.T) said on Monday a former contract worker stole nearly 9 million pieces of private data on customers from 43 clients including Toyota Motor Corp. (7203.T).

Dai Nippon, one of Japan's largest commercial printing companies, said the confidential information included names, addresses and credit card numbers intended for use in direct mailing and other printing services.

[...]

But further investigation since then led to the discovery of new leaks and the stolen data total increased to 8,637,405 pieces of data. Dai Nippon said there were no reports of the newly discovered pieces of stolen data being passed on to a third party.

The stolen data includes about 1.5 million articles on customers of American Home Assurance Co., 1.2 million on UFJ Nicos Co. (8583.T), 580,000 on Aeon Co (8267.T) and 270,000 on customers of auto giant Toyota Motor.

[...]
From hbrown at knology.net Mon Mar 19 11:40:28 2007
From: hbrown at knology.net (Henry Brown)
Date: Mon, 19 Mar 2007 06:40:28 -0500
Subject: [Dataloss] Federal Contractor Leaves Documents on Sidewalk
Message-ID: <45FE76AC.2050000@knology.net>

From the Idaho Business Review
http://tinyurl.com/2zlfu2

People walking in front of the 8th Street Wine Co. in downtown Boise the morning of March 2 noticed three inconspicuous barrels sitting on the sidewalk. These barrels were full of thousands of sensitive documents belonging to the U.S. Air Force and to Science Applications International Corp., the company responsible for moving them to the curb from an upstairs office on Broad Street.

...

Many of the documents were stamped with notices that they were not for public dissemination.

...

Science Applications International had also thrown out its own internal documents, including printed copies of e-mail and performance evaluations

...

From jericho at attrition.org Mon Mar 19 13:49:22 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 19 Mar 2007 13:49:22 +0000 (UTC)
Subject: [Dataloss] Pressure grows for UK data loss disclosure
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://software.silicon.com/security/0,39024655,39166396,00.htm

By Will Sturgeon
16 March 2007

The UK is in desperate need of revisions to laws that govern the disclosure of information relating to data loss or theft, according to security experts.

Currently UK organisations that lose sensitive customer or employee data, or expose it to others, do not have to disclose details of the breach - even to those affected.

Now, in the wake of recent data losses, security experts have called on UK legislators to bring laws in line with US law SB 1386, which was introduced in California in 2003 and has spread to 34 states, requiring full disclosure.

Martin Carmichael, CSO at McAfee, told silicon.com: "I think companies should be accountable.
Accountability is a vital part of security and if a company has a data breach I think they should be prepared to talk about it. "I am surprised the UK doesn't have anything in place like SB 1386." [..] From jericho at attrition.org Mon Mar 19 13:49:42 2007 From: jericho at attrition.org (security curmudgeon) Date: Mon, 19 Mar 2007 13:49:42 +0000 (UTC) Subject: [Dataloss] Data Security Breaches Spur New Products At Trade Show Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.washingtonpost.com/wp-dyn/content/article/2007/03/18/AR2007031801072.html By Cecilia Kang Washington Post Staff Writer March 19, 2007 There was the stolen laptop that put the identities of millions of veterans and soldiers at risk. Then flooding shut down part of the IRS building, prompting a scramble for electronic files and equipment. In the wake of such publicized mishaps, security and privacy issues are taking center stage at this year's FOSE trade show, Washington's largest convention for federal, state and local government information technology contractors, as a host of companies peddle new products and services aimed at sealing and protecting the government's data and networks. The two-day show at the Washington Convention Center begins tomorrow, and organizers hope to draw 20,000 people. The event comes as government spending is likely to be more restrained compared with that of previous years. In the past two years, the rate of growth in spending on office technologies has steadily declined and is projected to increase only slightly over the next year, said Bill Loomis, an analyst at Stifel Nicolaus. The Office of Management and Budget has allocated $65.5 billion for information technology for the government in fiscal 2008, up 2.6 percent from President Bush's 2007 request of $63.8 billion. [..] 
From Dissent at pogowasright.org Tue Mar 20 12:33:07 2007
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 20 Mar 2007 08:33:07 -0400
Subject: [Dataloss] [update] 71,000 people have personal information hacked in Indiana
Message-ID: <7.0.0.16.2.20070320083145.02657940@pogowasright.org>

Updates http://attrition.org/dataloss/2007/02/indiana01.html

http://www.southbendtribune.com/apps/pbcs.dll/article?AID=/20070319/News01/70320010

A hacker has accessed the personal information of thousands of people across the state of Indiana. The state says the hacker got into a state database of licensed nursing assistants and home health aides.

Earlier this year WSBT News reported a hacker accessed 5,600 credit card numbers from the state's website. The state performed an audit and discovered the same hacker got into the database of nursing assistants.

[...]

--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From macwheel99 at sigecom.net Tue Mar 20 16:18:51 2007
From: macwheel99 at sigecom.net (Al Mac)
Date: Tue, 20 Mar 2007 10:18:51 -0600
Subject: [Dataloss] Health Resources, Evansville Indiana
Message-ID: <6.2.1.2.1.20070320101807.03d195d0@mail.sigecom.net>

Health Resources, Inc. (HRI) https://www.hri-dho.com/home.aspx provides medical insurance to co-workers & HRI just sent us notification of a potential security breach of our private health information (PHI) on their website, including our name, address, social security number, dependent names and birthdates.

The risk was that when one person in our group of employers accessed the site for our PHI info, we could also get at that info on others within the same group.

This affected 2,031 people from approx Jan 24, 2007 to Feb 6, 2007.
They're doing the usual stuff: real sorry, fixing, sending info on how we can put a credit alert on ourselves, get a credit report, etc., what to look for.

I have not yet seen anything in the news media about this.

- Al Macintyre

From lyger at attrition.org Wed Mar 21 11:38:51 2007
From: lyger at attrition.org (lyger)
Date: Wed, 21 Mar 2007 11:38:51 +0000 (UTC)
Subject: [Dataloss] Private Tax Files Stolen From SoCo Accounting Firm
Message-ID:

http://cbs5.com/business/local_story_079213034.html

The private financial records of thousands of people are potentially at risk for identity theft after thieves stole three years' worth of tax returns from a Santa Rosa accounting firm.

Tax Service Plus has alerted up to 4,000 of its clients that all of their private financial records have been stolen. The records contained Social Security numbers, addresses, credit card information, and documents with signatures.

[...]

From Dissent at pogowasright.org Wed Mar 21 12:14:02 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 21 Mar 2007 08:14:02 -0400
Subject: [Dataloss] HSBC Australia exposes sensitive customer data
Message-ID: <7.0.0.16.2.20070321081256.04ed4d58@nowhere.org>

http://www.computerworld.com.au/index.php/id;582756140

More than 100 HSBC Australia customers had their banking details, names and home addresses, as well as other personal financial information exposed today in a serious security breach by staff.

The extraordinary breach was exacerbated by the sheer volume of documents and sensitive nature of the information that was exposed.

The documents, which were found on an early morning peak hour train in Sydney, left HSBC customers dangerously exposed as the paperwork listed customer names and addresses along with their banking details such as branch and account numbers.

Computerworld sighted up to 50 letters of approval for mortgages which included property values, repayment information, even deposits with six digit cheques that had been photocopied.
In addition to personal customer information there was training material that featured customer black lists.

[...]

From Dissent at pogowasright.org Wed Mar 21 12:07:41 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 21 Mar 2007 08:07:41 -0400
Subject: [Dataloss] Lockport city unions angry over Social Security disclosure
Message-ID: <7.0.0.16.2.20070321080432.04edddd0@nowhere.org>

http://www.lockportjournal.com/local/local_story_080030706.html

Unionized municipal workers in the city are upset that a Freedom of Information request the city clerk recently fulfilled included employees' Social Security numbers.

For a story that ran March 14 on city workers' salaries, the Union-Sun & Journal received a list of city employee pay and benefits. Also accidentally included in the documents sent to the newspaper by City Clerk Richard Mullaney were the workers' Social Security numbers.

The City of Lockport Union Partnership, a group consisting of five city unions (the police Hickory Club, CSEA, City of Lockport Department Heads Association, Lockport Professional Firefighters Association and AFSCME) sent a press release Tuesday afternoon critical of the city for making the mistake and the paper for not returning the documents, citing identity theft concerns.

"Over the past week or so, a local newspaper chose a convenient target, the employees of the City of Lockport, upon which to lay blame for the taxes we all pay. In its zeal to assist the newspaper, the leadership of the city quickly provided the salary, pension, health care costs and ... the Social Security numbers for all city employees," the unions' release said. "The reporter who received the information and had it in her possession for an estimated three days failed ethically by not returning the information immediately."
Tim Marren, the US&J's managing editor, said the reporter who wrote the story, Joyce Miles, didn't realize that Social Security numbers were on the documents until after the story ran, and that the paper hadn't asked for those numbers in its Freedom of Information request.

The numbers were blacked out after Mullaney notified Miles of the error, Marren said, and the documents were then shredded at the request of City Attorney John Ottaviano.

[...]

From Dissent at pogowasright.org Wed Mar 21 15:28:55 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 21 Mar 2007 11:28:55 -0400
Subject: [Dataloss] [follow-up] Stolen TJX Data Used in $8M Scheme; arrests
Message-ID: <7.0.0.16.2.20070321112310.0252b228@nowhere.org>

http://www.eweek.com/article2/0,1895,2106149,00.asp

Information stolen from the systems of massive retailer TJX was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials.

The significance of this new TJX detail, discovered as Florida authorities issued arrest warrants for 10 suspects and took six of them into custody, is not clear, but it might yield clues as to how TJX learned of the breach.

[...]

From Dissent at pogowasright.org Fri Mar 23 17:25:46 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 23 Mar 2007 13:25:46 -0400
Subject: [Dataloss] [follow-up] Indiana web site breach a prank?
Message-ID: <7.0.0.16.2.20070323132409.0219fc10@nowhere.org> http://www.theindychannel.com/news/11334932/detail.html INDIANAPOLIS -- A state Web site security breach in which thousands of Social Security numbers and credit card numbers were exposed may have been a prank by a teenager, the Indiana Office of Technology said Thursday. Investigators have identified a teen they believe hacked into IN.gov and gained access to Social Security numbers for 71,000 health-care workers and credit card information of about 5,600 people and businesses, the office said. [...] -- Main site: http://www.pogowasright.org Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss From lyger at attrition.org Fri Mar 23 20:47:09 2007 From: lyger at attrition.org (lyger) Date: Fri, 23 Mar 2007 20:47:09 +0000 (UTC) Subject: [Dataloss] Authenex intrusion? Message-ID: Just wondering if anyone has heard about an intrusion at Authenex? A source who wishes to remain anonymous heard something about an email coming from one of their servers that had allegedly been hacked. Authenex provides encryption solutions, so I can see where there may be a possible future dataloss connection there... From Dissent at pogowasright.org Sat Mar 24 00:08:25 2007 From: Dissent at pogowasright.org (Dissent) Date: Fri, 23 Mar 2007 20:08:25 -0400 Subject: [Dataloss] KHPA informing consumers of an alleged loss of data CD Message-ID: <7.0.0.16.2.20070323200555.02369ce8@nowhere.org> Sounds more like data misplacement than loss, and wouldn't post it to DL at this time, unless you want to...? Giving you the whole article, because as I read it, it seems like overkill...? Don't even have numbers... 
http://www.49abcnews.com/news/2007/mar/23/khpa_informing_consumers_alleged_loss_data_cd/

The Kansas Health Policy Authority (KHPA) began notifying a small number of individuals that a computer disk containing information about their health records and identity may have been lost within the agency. A letter sent to the affected individuals should be received in the mail Friday.

The password-protected disk was mailed to the KHPA by a company that helps process information about people receiving benefits. KHPA did receive the package with the disk, but the disk did not reach the person who was supposed to receive it. There is no evidence that the disk went beyond our office, the password was broken, or any information was taken off the disk.

"The security of our customers' personal information is a serious matter and of the utmost concern to KHPA. We will continue to investigate this incident, and we have begun to further strengthen our standards of security," said Marci Nielsen, PhD, MPH, Executive Director of KHPA. "At this point, we have no reason to believe the CD has been taken for anyone's personal gain through use of the personal information contained on the CD."

The KHPA's offices are secure. Employees and visitors must enter with a pass key or pass by a receptionist. Visitors are always escorted. KHPA is taking every step to ensure that individuals' information is kept private and is not compromised Friday and in the future.

KHPA has conducted its own investigation, and as a result, is changing how it manages mail and other processes. Even though KHPA has a privacy officer, the agency will hire an additional person to help protect the privacy and security of customers' information.

"The Board's Executive Committee was informed of this issue once we became aware of the situation. As an added precaution, I asked the Kansas Attorney General and the Kansas Bureau of Investigation to conduct an investigation.
Their findings support our belief that the disk has been lost within the agency, and it is nothing more than simple human error," said Nielsen.

Although KHPA does not believe someone outside the office has gained access to the information on the disk, the letter sent to individuals today includes steps as to what they can do to protect their private health and identity information.

For individuals who have been affected by this lost data disk, a support line has been established at 785.296.3981. As a precaution, individuals who call for additional information will be asked to provide the customer identification number listed on the letter.

From lyger at attrition.org Sat Mar 24 00:38:56 2007
From: lyger at attrition.org (lyger)
Date: Sat, 24 Mar 2007 00:38:56 +0000 (UTC)
Subject: [Dataloss] KHPA informing consumers of an alleged loss of data CD
In-Reply-To: <7.0.0.16.2.20070323200555.02369ce8@nowhere.org>
References: <7.0.0.16.2.20070323200555.02369ce8@nowhere.org>

ATTENTION ALL LIST MEMBERS: Please disregard the email previously sent by Dissent. The text of said communication is confidential, and use by any person who is not the intended recipient is prohibited. Any person who receives this communication in error is requested to immediately destroy the text of this communication without copying or further dissemination. Your cooperation is appreciated.

The prior private communication was brought to you by the letter L, the number 9, and the NSA.

http://attrition.org/security/rants/z/disclaimers.html

From lyger at attrition.org Sat Mar 24 02:57:46 2007
From: lyger at attrition.org (lyger)
Date: Sat, 24 Mar 2007 02:57:46 +0000 (UTC)
Subject: [Dataloss] WA: Hard drives containing hundreds of patient files stolen

http://www.komotv.com/news/consumer/6678947.html

KOMO 4 News has learned a thief or thieves have stolen computer hard drives with personal files on hundreds of local patients. Police aren't saying much, but it appears to involve someone that has access to offices in the building.

This week, Swedish Urology Group notified hundreds of patients and former patients about potential identity theft at its office in Seattle.

"I'm worried about my social security number and my credit rating," said one patient who wished to be identified by her first name, Kaye, out of privacy concerns. She got the letter yesterday.

[...]

From lyger at attrition.org Sat Mar 24 10:57:40 2007
From: lyger at attrition.org (lyger)
Date: Sat, 24 Mar 2007 10:57:40 +0000 (UTC)
Subject: [Dataloss] WA: Group Health laptops missing, 31,000 identities at risk

(Verified with KOMO TV that this is a different incident than the Swedish Urology Group theft reported earlier)

http://www.komotv.com/news/6681342.html

Group Health Cooperative Health Care System said Friday two of its laptop computers containing the personal information of 31,000 people are missing.

The computers are said to contain the names, addresses, social security numbers and Group Health ID numbers of local patients and employees.
Group Health said the information is password protected, and that the company has not found any evidence that indicates the laptops were stolen or the information is being misused.

[...]

From lyger at attrition.org Mon Mar 26 22:50:54 2007
From: lyger at attrition.org (lyger)
Date: Mon, 26 Mar 2007 22:50:54 +0000 (UTC)
Subject: [Dataloss] Laptop computer containing info on 16,000 Fort Monroe employees stolen

http://www.wavy.com/Global/story.asp?S=6282161&nav=23ii

A laptop computer containing the names, Social Security numbers and payroll information for as many as 16,000 civilian employees at Fort Monroe was stolen from one of the employee's personal vehicle, officials said Monday.

The computer was password protected, Army officials said, and did not contain bank account or bank routing information.

The potentially affected employees all work at the U.S. Army Training and Doctrine Command, which has Fort Monroe as its headquarters.

[...]

From Dissent at pogowasright.org Tue Mar 27 11:43:01 2007
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 27 Mar 2007 07:43:01 -0400
Subject: [Dataloss] Halifax mortgage data stolen
Message-ID: <7.0.0.16.2.20070327073437.02367440@nowhere.org>

http://www.silicon.com/financialservices/0,3800010322,39166555,00.htm

UK high street bank Halifax has admitted stolen documents from one of its employees contained data on 13,000 mortgage customers.

The documents were in a briefcase stolen from the locked car of an employee last week and the bank yesterday started writing to affected customers, after first reporting the breach to the Financial Services Authority (FSA) and the police.

Around 1,800 of the 13,000 customer records exposed by the theft included name, address, mortgage account number and account balance. The remainder included name, mortgage account number and approval status.

According to a spokesman for Halifax: "It would be almost impossible for any fraud to be committed with the information on the printout."
[...]

From lyger at attrition.org Tue Mar 27 21:56:57 2007
From: lyger at attrition.org (lyger)
Date: Tue, 27 Mar 2007 21:56:57 +0000 (UTC)
Subject: [Dataloss] Louisiana: SS numbers accessed

http://www.iberianet.com/articles/2007/03/27/news/news/news15.txt

Rosters containing information, including Social Security numbers, of about 380 St. Mary Parish public school employees were accessed March 19 by a Yahoo! Web page search engine crawler.

St. Mary Parish schools Superintendent Donald Aguillard said the crawler violated the school district Web page by accessing a database that stored 2002 through 2004 staff development rosters.

"These files were previously secure," Aguillard said. "Yahoo!'s new aggressive Web crawler infiltrated the public server and our technology department responded immediately to the breach in security by addressing the following: Contacting Yahoo! and demanding that our information be stricken from cached files, notified all workshop participants of the possibility that their personal information was revealed, while also contacting the Web page archiving services and demanding the removal of our cached pages."

[...]

From Dissent at pogowasright.org Wed Mar 28 00:21:39 2007
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 27 Mar 2007 20:21:39 -0400
Subject: [Dataloss] Stolen NHS laptop contained details of 11,500 children
Message-ID: <7.0.0.16.2.20070327201911.022caf90@nowhere.org>

http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=2376

An NHS primary care trust has launched an investigation after a laptop containing names, addresses and dates of birth of 11,500 children was stolen from its offices.
Nottinghamshire Teaching PCT chief executive Wendy Saviour said three laptop computers were stolen on Wednesday 21 March, one of which held the data on child patients aged between eight months and eight years.

"We are working closely with the police to investigate this theft and to recover the stolen computers," Saviour said. "There was no health information or other details on the stolen computer. The information was protected by a password, which reduces the chances of anyone being able to see the information."

[...]

From Troy.Casey at per-se.com Wed Mar 28 12:45:42 2007
From: Troy.Casey at per-se.com (Casey, Troy # Atlanta)
Date: Wed, 28 Mar 2007 08:45:42 -0400
Subject: [Dataloss] Louisiana: SS numbers accessed
Message-ID: <324D9F7B57D2C143A7CF16A9CECAD25340BD6D@EXCHANGE2.dsa.int>

"'These files were previously secure,' Aguillard said..."

..."previously" apparently meaning "before our web server was booted up". Obviously the site did not require a password before allowing a web session to 'violate' or 'infiltrate' the records containing the SSNs of the school employees. Which directives to use in HTML to turn away web crawlers has been well known to qualified webmasters for years, so that's no excuse either...not that the web crawler should have been able to access employee data without authenticating in the first place.

Just another example of careless "stewardship" of people's private information? It goes beyond carelessness when you deliberately put private information on the Web and then don't protect it. This sort of blunder becomes more unforgivable every day, but we have no law under which these willful privacy violations can be prosecuted - until someone's already been harmed.

I'm too discouraged to even rant on about this stuff anymore.
Our country does not take privacy seriously and apparently has no will to do so in the future either.

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 158 million compromised records in 605 incidents over 7 years.

From lyger at attrition.org Thu Mar 29 02:06:15 2007
From: lyger at attrition.org (lyger)
Date: Thu, 29 Mar 2007 02:06:15 +0000 (UTC)
Subject: [Dataloss] TJX breach involved 45.7m cards, company reports

(Keep in mind that these are credit card NUMBERS, and not PEOPLE... people often have more than one card.
Attrition's Dataloss Database (DLDOS) will be updated accordingly)

http://www.boston.com/business/ticker/2007/03/tjx_breach_invo.html

At least 45.7 million credit and debit card numbers were stolen by hackers who broke into the computer systems at the TJX Cos. in Framingham and the United Kingdom and siphoned off data over a period of several years, making it the biggest breach of personal data ever reported, according to security specialists.

TJX, the Framingham discounter that operates the T.J. Maxx and Marshalls clothing chains, also reported in a regulatory filing yesterday that another 455,000 customers who returned merchandise without receipts had their personal data stolen, including drivers' license numbers.

"It's the biggest card heist ever," said Avivah Litan, vice president of Gartner Inc. "This was obviously done over a long period of time, in many locations. It's done considerable damage."

[...]

From bkdelong at pobox.com Thu Mar 29 02:13:08 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Wed, 28 Mar 2007 22:13:08 -0400
Subject: [Dataloss] TJX breach involved 45.7m cards, company reports

Finally. Glad we finally know.

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From ADAIL at sunocoinc.com Thu Mar 29 13:43:03 2007
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Thu, 29 Mar 2007 09:43:03 -0400
Subject: [Dataloss] TJX breach involved 45.7m cards, company reports
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC70A74@mds3aex0e.USISUNOCOINC.com>

At $30 per card, that's close to $1.3B just in re-issuance costs, in addition to any fines or lawsuits. They'll never be able to account for the cost of lost business.

I'd wager a comprehensive PCI-DSS program looks like a bargain, in hindsight.

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.

From bkdelong at pobox.com Thu Mar 29 14:48:38 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 29 Mar 2007 10:48:38 -0400
Subject: [Dataloss] CC companies not disclosing actions against PCI DSS violators

A bit of a rant follows....

I don't know about anyone else on this list but I've been talking to many, many organizations who don't see the risk of non-compliance with PCI due to action being taken. Except action is being taken - large fines are being levied and, in some cases, companies ARE losing processing privileges. The problem is that because the relationships between the credit card companies, processors and merchants are private contracts....there is no reason for the companies to disclose actions taken and obviously there are no laws stating disclosure of action being disclosed.

I'm wondering if any of the state data breach reporting laws have tried or do require mention as to whether a credit card company took action when credit card information was lost in a breach. Come to think of it, does the information protected under PCI DSS and Data breach laws overlap?

Vendors - you want people to take PCI more seriously? Push for even a generic disclosure - "there have been 200 fines in the past two years"; "20 companies have been fined this quarter totaling $20M in fines"; "15 companies lost processing privileges for 30 days to 6 mo with 5 of them being Fortune 500" etc (or whatever)

Reporters - while covering all these data breaches, press the companies where CC info was involved in the breach as to whether action was taken by their credit card company as required by the PCI DSS.

Everyone else - has anyone seen data about a breach involving credit cards where the price of goods may have gone up to cover an undisclosed fine?
Or where the company had a "glitch" in processing a credit card for a period of time. What about states without breach disclosure laws?

From an information security perspective, my senior management isn't going to deign complying with PCI DSS if all they have to do is pay a fine or deal with a short processing restriction period (which can be explained as technical difficulties), if there's no chance of the bigger, more detrimental effect of public shame and loss of reputation.

From adam at homeport.org Thu Mar 29 14:33:54 2007
From: adam at homeport.org (Adam Shostack)
Date: Thu, 29 Mar 2007 10:33:54 -0400
Subject: [Dataloss] TJX breach involved 45.7m cards, company reports
Message-ID: <20070329143354.GA8886@homeport.org>

Largest breach? What about Acxiom at 1.6 billion records?

From bkdelong at pobox.com Thu Mar 29 15:32:38 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 29 Mar 2007 11:32:38 -0400
Subject: [Dataloss] TJX breach involved 45.7m cards, company reports
In-Reply-To: <8CA58E707BB1C44385FA71D02B7A1C8EC70A74@mds3aex0e.USISUNOCOINC.com>
References: <8CA58E707BB1C44385FA71D02B7A1C8EC70A74@mds3aex0e.USISUNOCOINC.com>

Don't forget there's probably a PCI fine as well as the possibility of loss of processing rights. Though, that would kill TJX, (not that they're not hurting already).

From james_ritchie at sbcglobal.net Thu Mar 29 15:45:44 2007
From: james_ritchie at sbcglobal.net (James Ritchie)
Date: Thu, 29 Mar 2007 11:45:44 -0400
Subject: [Dataloss] TJX breach involved 45.7m cards, company reports
References: <8CA58E707BB1C44385FA71D02B7A1C8EC70A74@mds3aex0e.USISUNOCOINC.com>
Message-ID: <460BDF28.2050808@sbcglobal.net>

FTC will eventually get involved with a suit of unfair business practice as well for failure to take appropriate security measures to protect sensitive information. ChoicePoint and CardSystems settled with the FTC for $10 million in civil penalties and $5 million for consumer redress. Both of these companies also have to have an external audit performed every 2 years, for 20 years, by an independent security expert to attest to their controls on the systems.

--
James Ritchie
CISA, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+

Attachments with this email, not explicitly referenced, should not be opened. Always scan your email and their associated attachments for viruses prior to opening.

This message and any accompanying documents are confidential and may contain information covered under the Privacy Act, 5 USC 552(a), the Health Insurance Portability and Accountability Act (PL 104-191), or the Electronic Communications Privacy Act, 18 U.S.C.
2510-2521 and its various implementing regulations and must be protected in accordance with those provisions. Unauthorized disclosure or failure to maintain the confidentiality of the information may result in civil or criminal sanctions. This e-mail is strictly confidential and intended solely for the addressee. Should you not be the intended addressee you have no right to any information contained in this e-mail. If you received this message by mistake you are kindly requested to inform us of this and to destroy the message. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20070329/e3e782a0/attachment.html From lyger at attrition.org Thu Mar 29 16:50:18 2007 From: lyger at attrition.org (lyger) Date: Thu, 29 Mar 2007 16:50:18 +0000 (UTC) Subject: [Dataloss] TJX breach involved 45.7m cards, company reports Message-ID: (forwarded for snippage purposes) From: adrian.sanabria at gmail.com To: B.K. DeLong , "DAIL, ANDY" Cc: dataloss at attrition.org Date: Thu, 29 Mar 2007 16:04:13 +0000 Subject: Re: [Dataloss] TJX breach involved 45.7m cards, company reports Consider though, that they're saying 75 percent of the data was masked or expired. In my opinion, if someone steals the CCN of the Capital One card I had back in the 90s, it shouldn't be counted in the official compromise numbers. Sent via BlackBerry from Cingular Wireless -----Original Message----- From: "B.K. DeLong" Date: Thu, 29 Mar 2007 11:32:38 To:"DAIL, ANDY" Cc:dataloss at attrition.org Subject: Re: [Dataloss] TJX breach involved 45.7m cards, company reports Don't forget there's probably a PCI fine as well as the possibility of loss of processing rights. Though, that would kill TJX, (not that they're not hurting already). On 3/29/07, DAIL, ANDY wrote: > > At $30 per card, that's close to $1.3B just in re-issuance costs, in > addition to any fines or lawsuits. They'll never be able to account for > the cost of lost business. 
>
> I'd wager a comprehensive PCI-DSS program looks like a bargain, in
> hindsight.

From lyger at attrition.org Thu Mar 29 17:06:29 2007
From: lyger at attrition.org (lyger)
Date: Thu, 29 Mar 2007 17:06:29 +0000 (UTC)
Subject: [Dataloss] TX: RadioShack customers' personal info found in dumpster
Message-ID:

http://sanantonio.bizjournals.com/dallas/stories/2007/03/26/daily28.html

Thousands of payment slips showing the credit card numbers and other personal information of RadioShack employees were found in a dumpster behind a Corpus Christi-area RadioShack, a news station reported Wednesday.

According to the KZTV report, a man rummaging through trash behind a RadioShack store in Portland, Texas, found nearly 20 boxes of discarded records.

[...]

From dissent at pogowasright.org Thu Mar 29 18:17:15 2007
From: dissent at pogowasright.org (dissent at pogowasright.org)
Date: Thu, 29 Mar 2007 12:17:15 -0600
Subject: [Dataloss] [follow-up] Nottinghamshire laptop recovered
Message-ID: <24455.1175192235@pogowasright.org>

From Dissent at pogowasright.org Fri Mar 30 11:37:01 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 30 Mar 2007 07:37:01 -0400
Subject: [Dataloss] Child support data may be at risk
Message-ID: <7.0.0.16.2.20070330073533.0235e2d8@nowhere.org>

http://www.latimes.com/technology/la-me-idtheft30mar30,1,5712063.story?coll=la-headlines-technology

In the weeks after three laptops went missing from a Los Angeles County Child Support Services office, officials sent letters to 243,000 clients in Los Angeles, Orange and San Diego counties, warning that their personal information, including Social Security numbers, might be at risk.

The computers were stored at the secured Child Support Services Department headquarters in the City of Commerce but went missing sometime during the weekend of Feb. 24, officials said.
One of the laptops, which sat in a docking station on an employee's desk, was ordinarily used by a staffer to access client data in the department's regional computer system.

The agency locates divorced parents who are delinquent in providing financial support to their children. It also establishes paternity and collects and distributes child support payments to families.

An investigation by child support officials found that the missing computers probably contained fewer than 1,000 records. But the department notified all 243,000 people potentially affected by the breach so they could take precautions to protect their private information.

The Los Angeles County Sheriff's Department is investigating the incident as an apparent theft.

"We really had questions about whether we should send the letter, to be honest," said department director Philip Browning. "The likelihood of somebody being able to use that information for identity theft is so remote, it seems like an abundance of caution."

The potentially compromised last names and Social Security numbers of an estimated 275 Los Angeles County child support clients, plus 600 from Orange and San Diego counties, were the most serious concerns, Browning said.

Of the 243,000, about 130,500 Social Security numbers, most without names attached, could be compromised, said Al Brusewitz, the county's chief information security officer. About 12,000 individuals' names and addresses could be made available, and more than 101,000 child support case numbers could be affected.

Agency officials stressed that sensitive information is almost always saved to the department server rather than on computer hard drives.

"There is a very strong possibility that there was no personal information of any of our paid participants in the laptops," said department special assistant Lisa Garrett.

[...]
--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From lyger at attrition.org Fri Mar 30 17:49:28 2007
From: lyger at attrition.org (lyger)
Date: Fri, 30 Mar 2007 17:49:28 +0000 (UTC)
Subject: [Dataloss] Navy Laptops With Sailor Info Stolen
Message-ID:

http://www.military.com/features/0,15240,130657,00.html

Three password protected laptop computers have been identified as missing from the Navy College Office located on Naval Station San Diego. While the Navy College Office does not have complete information about what information was on the laptops, Personally Identifiable Information (PII) may be on the computers, including Sailors' names, rates and ratings, social security numbers, and college course information.

This potential compromise of information could impact Sailors and former Sailors homeported on San Diego ships from January 2003 to October 2005 and who were enrolled in the Navy College Program for Afloat College Education.

The Naval Criminal Investigative Service (NCIS) is investigating the incident as a possible theft, working with the San Diego police department to recover the computers.

[...]

From lyger at attrition.org Fri Mar 30 19:43:06 2007
From: lyger at attrition.org (lyger)
Date: Fri, 30 Mar 2007 19:43:06 +0000 (UTC)
Subject: [Dataloss] Students' personal information stolen from UM-Western office
Message-ID:

http://www.havredailynews.com/articles/2007/03/30/local_headlines/state.txt

Between 400 and 500 current and former University of Montana-Western students are at risk of identity theft after a computer disk containing their Social Security numbers and other personal information was stolen from a professor's office this week, school officials said.

The stolen information belonged to students enrolled in the TRIO Student Support Services program, which offers financial and personal counseling and other assistance.
[...]