From twidman at identityfraud.com Tue May 1 02:12:06 2007
From: twidman at identityfraud.com (Tom Widman)
Date: Mon, 30 Apr 2007 19:12:06 -0700
Subject: [Dataloss] slightly OT: LifeLock Identity Theft
In-Reply-To:
Message-ID: <200705010211.l412BsKo029261@nlpi015.sbcis.sbc.com>

The LifeLock program is interesting and while I have some familiarity, I don't have all the details.

From what I see, the LifeLock product can help reduce the chances of one becoming a victim of ID theft, although marginally, since managing credit bureau fraud alerts (which is what it does) only addresses part of the problem. There are many other types of ID theft that occur that have nothing to do with credit. Thus, in my view, the "product" guarantee is off-base since fraud alerts don't stop 60-80% of other types of fraud (depending on whose statistics you view). However, the guarantee of $1 million is unique and ideally makes up for the other types of fraud that can and do occur, if these other types of fraud are covered, since they are unrelated to the product.

My concern for LifeLock is about consumer marketing practices and properly conveying what your product does, and also practicing what you preach. For example, this is from their Terms and Conditions:

1. Your Account: You agree that you are who you say you are when you enroll and that you will not purposely engage in behavior that will put your Identity at unnecessary risk, such as leaving your PIN or passwords in obvious places, publishing your Social Security Number, etc.

I think other vendors do not post their SSNs because from a risk and prudence standpoint, it is irresponsible. It's not good for doctors to tell you to stop smoking cigarettes while they continue to smoke them. Since LifeLock does not cover the exposure the CEO is engaging in (and advertising), I believe they are increasing their own consumer liability exposure. BUT, I must admit that from a marketing standpoint, it garners excellent attention.
We try to track the various offers since we are one of the pioneers in the identity protection space, having started development back in 1997. Identity protection is a very young industry with a lot of variety between offerings. We promote risk management that essentially says: do the best you can at prevention and have some remedies in place when ID theft occurs. Whether prevention and remedies are from LifeLock, a homeowners insurer, Equifax, or us, etc., it is simply prudent to engage certain solutions.

T Widman

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of dataloss-request at attrition.org
Sent: Monday, April 30, 2007 4:52 PM
To: dataloss at attrition.org
Subject: Dataloss Digest, Vol 15, Issue 3

Send Dataloss mailing list submissions to
	dataloss at attrition.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://attrition.org/mailman/listinfo/dataloss
or, via email, send a message with subject or body 'help' to
	dataloss-request at attrition.org

You can reach the person managing the list at
	dataloss-owner at attrition.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Dataloss digest..."

Today's Topics:

   1. Texas AG: CVS Dumped Customers' Records (lyger)
   2. Wireless Security Puts IRS Data at Risk (Richard Forno)
   3. Hackers, laptop thieves compromise personal information of 17,500 at Ohio State in separate incidents (lyger)
   4. UCSF computer server with research subject information is stolen (lyger)
   5. Personal data of NMSU students posted online (lyger)
   6. Los Alamos warns workers about identity theft (lyger)
   7. Federal Database Exposes Social Security Numbers (lyger)
   8. (update) Fed Breach Leaks Social Security Numbers (lyger)
   9. (update) Fed breach leaks Social Security numbers (lyger)
  10. USDA Narrows List to 38,700... (lyger)
  11. Counter Strike Struck (rwise29210 at gmail.com)
  12. Does a data loss of one count if she is famous? It just isn't for "Ordinary People" anymore. (rwise29210 at gmail.com)
  13. Administravia: List Reminders and Changes (lyger)
  14. Neiman says employee data stolen (lyger)
  15. Baltimore Co. Laptop Stolen With Personal Info (lyger)
  16. The cost of doing business? (Rodney Wise)
  17. (update) Darwin Professional Underwriters - Tech-404.com (lyger)
  18. Ceridian accidentally leaks data from NY firm (lyger)
  19. Re: Ceridian accidentally leaks data from NY firm (Patrick Hack)
  20. Re: Ceridian accidentally leaks data from NY firm (Katie Felten)
  21. slightly OT: LifeLock Identity Theft Protection (security curmudgeon)
  22. Re: slightly OT: LifeLock Identity Theft Protection (security curmudgeon)
  23. Re: slightly OT: LifeLock Identity Theft Protection (Chris Walsh)
  24. 175 told of possible computer security incident at Purdue (lyger)
  25. Caterpillar Says Employee Data Stolen (lyger)
  26. FEMA's 'Unfortunate' Privacy Disaster (lyger)
  27. NY AG settles first data breach case (Chris Walsh)
  28. N. Texas Company Posted Private Information Online (lyger)
  29. Is it just about credit? (Rodney Wise)
  30. Re: Is it just about credit? (question 1 / health care) (security curmudgeon)
  31. Re: Is it just about credit? (question 1 / health care) (nepen)
  32. UNM says some employee information on stolen laptop (lyger)
  33. Re: Is it just about credit? (question 1 / health care) (Rodney Wise)
  34. Re: Is it just about credit? (question 1 / health care) (nepen)
  35. Re: The cost of doing business? (J Beebe)
  36. Re: Is it just about credit? (Al Mac)
  37. Re: Is it just about credit? (Chris Walsh)
  38. Re: Is it just about credit? (question 1 / health care) (Adam Shostack)
  39. (update) Stolen Caterpillar laptop contained employees' personal information (lyger)

----------------------------------------------------------------------

Message: 1
Date: Tue, 17 Apr 2007 22:33:18 +0000 (UTC)
From: lyger
Subject: [Dataloss] Texas AG: CVS Dumped Customers' Records
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.forbes.com/feeds/ap/2007/04/17/ap3621733.html

Texas Attorney General Greg Abbott sued CVS Corp. on Tuesday, alleging pharmacy employees dumped credit card numbers, medical information and other sensitive material from more than 1,000 customers into a garbage container.

The Rhode Island company was accused of failing to protect its customers from identity theft at the store in Liberty, about 45 miles northeast of Houston. The lawsuit alleges employees dumped the records behind a store that apparently was being vacated by CVS.

CVS did not immediately return a telephone call seeking comment Tuesday.

[...]

------------------------------

Message: 2
Date: Tue, 17 Apr 2007 23:20:10 -0400
From: Richard Forno
Subject: [Dataloss] Wireless Security Puts IRS Data at Risk
To: Infowarrior List, "dataloss at attrition.org"
Message-ID:
Content-Type: text/plain; charset="US-ASCII"

Would somebody kindly explain WTF the IRS is using wireless networking anywhere in their IT environment???

-rf

April 17, 2007
Wireless Security Puts IRS Data at Risk
By THE ASSOCIATED PRESS
http://www.nytimes.com/aponline/technology/AP-IRS-Wireless-Security.html?_r=1&oref=slogin&pagewanted=print

Filed at 10:57 p.m. ET

WASHINGTON (AP) -- Internal Revenue Service offices across the nation that use wireless technology are still vulnerable to hackers, according to the latest assessment of the agency's security policies released Tuesday.

Despite efforts to improve wireless security over the past four years, the Inspector General's assessment of 20 buildings in 10 cities discovered four separate locations at which hackers could have easily gained access to IRS computers using wireless technology.

There was no evidence that the computers were connected to the IRS network at the time and no signs that any hacking had occurred, the report said.

''However, anyone with a wireless detection tool could pick up the wireless signal and gain access to the computer,'' wrote Michael Phillips, the Inspector General. And if an employee had been connected to the IRS network, ''a hacker conceivably could gain access to the IRS network,'' which contains sensitive financial data of more than 226 million taxpayers, he added.

The vulnerabilities were discovered in Denver and at three other IRS facilities in Texas and Florida.

Wireless networks are created by linking computers using hardware called routers. The devices enable wireless laptop or mobile device users, such as Treos, to send signals back and forth to each other. Data can be encrypted, but the report said that software available on the Internet can decode the encryption.

The inspector general's office said it used inexpensive wireless equipment and software freely available on the Internet to scan the facilities for wireless signals.

According to the report, the IRS also is not effectively monitoring its uses of wireless technology. As of May 2006, the agency had scanned fewer than 6 percent of all IRS offices - mainly in the Washington, D.C., and Baltimore metropolitan areas.

The inspector general's office recommended increased monitoring of the IRS network for unapproved wireless devices and educating employees about security risks. The report said the agency agreed with the IG's recommendations and will implement them.
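The control the IG recommends in the article above, checking what a wireless survey sees against an inventory of approved access points, in working form. This is an added example written for this digest, not code from the IG report, the IRS, or the AP; the inventory, the one-AP-per-line scan format (bssid,ssid,channel,encryption), the sample scan and the finding labels are all constructed for the example and are not from any real site.

```python
"""Check a wireless site survey against an approved access-point inventory.

Added example (not from the IG report or the IRS). Everything below is
constructed: the inventory, the scan format and the sample scan.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessPoint:
    bssid: str        # MAC of the radio, normalised to lower case
    ssid: str
    channel: int
    encryption: str   # constructed vocabulary: OPEN, WEP, WPA, WPA2


# Hypothetical approved inventory, keyed by BSSID.
APPROVED: Dict[str, AccessPoint] = {
    ap.bssid: ap
    for ap in (
        AccessPoint("00:11:22:33:44:01", "AGENCY-WLAN", 6, "WPA2"),
        AccessPoint("00:11:22:33:44:02", "AGENCY-WLAN", 11, "WPA2"),
        AccessPoint("00:11:22:33:44:03", "AGENCY-GUEST", 1, "WPA2"),
    )
}

# Anything a client could join or that freely available tools can decode.
WEAK_ENCRYPTION = {"OPEN", "WEP"}

# Constructed survey output: one AP per line, '#' starts a comment.
SAMPLE_SCAN = """
# bssid,ssid,channel,encryption
00:11:22:33:44:01,AGENCY-WLAN,6,WPA2
00:11:22:33:44:02,AGENCY-WLAN,11,WEP
00:11:22:33:44:03,AGENCY-GUEST,1,WPA2
DE:AD:BE:EF:00:01,AGENCY-WLAN,6,OPEN
DE:AD:BE:EF:00:02,linksys,6,OPEN
"""


def parse_scan(text: str) -> List[AccessPoint]:
    """Parse the constructed scan format; reject malformed lines loudly."""
    aps: List[AccessPoint] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError("malformed scan line: %r" % line)
        bssid, ssid, channel, enc = fields
        aps.append(AccessPoint(bssid.lower(), ssid, int(channel), enc.upper()))
    return aps


def classify(aps: List[AccessPoint],
             approved: Dict[str, AccessPoint] = APPROVED) -> List[Tuple[str, str]]:
    """Return (bssid, finding) pairs for every AP that needs follow-up.

    Unknown radios are UNAPPROVED, or EVIL_TWIN if they advertise one of
    our own SSIDs. Known radios are checked for weak encryption and for
    drift from the inventory entry.
    """
    approved_ssids = {ap.ssid for ap in approved.values()}
    findings: List[Tuple[str, str]] = []
    for ap in aps:
        known = approved.get(ap.bssid)
        if known is None:
            kind = "EVIL_TWIN" if ap.ssid in approved_ssids else "UNAPPROVED"
            findings.append((ap.bssid, kind))
            continue
        if ap.encryption in WEAK_ENCRYPTION:
            findings.append((ap.bssid, "WEAK_ENCRYPTION"))
        elif ap.encryption != known.encryption:
            findings.append((ap.bssid, "CONFIG_DRIFT"))
        if ap.ssid != known.ssid:
            findings.append((ap.bssid, "SSID_MISMATCH"))
    return findings


def audit(text: str,
          approved: Dict[str, AccessPoint] = APPROVED) -> Dict[str, List[str]]:
    """Parse a scan and group its findings by BSSID for reporting."""
    out: Dict[str, List[str]] = {}
    for bssid, finding in classify(parse_scan(text), approved):
        out.setdefault(bssid, []).append(finding)
    return out


if __name__ == "__main__":
    for bssid, findings in sorted(audit(SAMPLE_SCAN).items()):
        print(bssid, ", ".join(findings))
```

Two caveats a practitioner would add. A BSSID is trivially spoofed, so an allowlist like this only catches the careless rogue; the wired side (which switch port the unknown radio is bridged to) is the stronger signal, and an approved SSID on an unknown radio should be treated as a likely evil twin rather than a typo in the inventory. WEP is flagged alongside open networks because its keys were recoverable with freely available tools by 2007, which is the kind of decoding the article refers to.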
------------------------------

Message: 3
Date: Wed, 18 Apr 2007 19:22:09 +0000 (UTC)
From: lyger
Subject: [Dataloss] Hackers, laptop thieves compromise personal information of 17,500 at Ohio State in separate incidents
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(update: another unrelated incident exposes another 3,500)

http://scmagazine.com/us/news/article/651562/hackers-laptop-thieves-compromise-personal-information-17500-ohio-state-separate-incidents/

On March 31 or April 1, a hacker using a foreign web address cracked a university firewall and accessed the names, Social Security numbers, employee ID numbers and birth dates of more than 14,000 current and former staff members, according to a university statement.

[...]

In an unrelated incident, the personal information of about 3,500 current and former chemistry students was compromised when two laptop computers were stolen from the home of a university professor on Feb. 24. The laptops were likely not the target of the burglary, and were stolen with a number of other household items, according to Lynch. Records stored in the laptops contained names, Social Security numbers and grades, according to the university.

[...]

------------------------------

Message: 4
Date: Thu, 19 Apr 2007 01:51:53 +0000 (UTC)
From: lyger
Subject: [Dataloss] UCSF computer server with research subject information is stolen
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://pub.ucsf.edu/newsservices/releases/200704189/

A computer file server containing research subject information related to studies on causes and cures for different types of cancer was stolen from a locked UCSF office on March 30, 2007. The server contained files with names, contact information, and social security numbers for study subjects and potential study subjects. For some individuals, the files also included personal health information.

[...]
Notification letters were sent Monday, April 16, to about 3,000 individuals. Using backup files, UCSF officials are conducting an extensive analysis of the server data to determine as quickly as possible all the names involved in this incident.

[...]

------------------------------

Message: 5
Date: Thu, 19 Apr 2007 15:48:23 +0000 (UTC)
From: lyger
Subject: [Dataloss] Personal data of NMSU students posted online
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.freenewmexican.com/news/60444.html

The names and Social Security numbers of more than 5,600 New Mexico State University students were accidentally posted on the school's Web site, but officials say odds are minimal that any students' identities were compromised.

The information was in a public section of the site for nearly two hours on April 5 before the mistake was caught. The file was accessed by 14 computers and all of their IP addresses have been tracked, said Mrinal Virnave, NMSU's director of enterprise application services.

Virnave said the file contained the names and Social Security numbers of students who registered online to attend their commencement ceremonies from 2003 to 2005, meaning most of the names and numbers are of former students.

[...]

------------------------------

Message: 6
Date: Fri, 20 Apr 2007 15:38:20 +0000 (UTC)
From: lyger
Subject: [Dataloss] Los Alamos warns workers about identity theft
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.freenewmexican.com/news/60494.html

Los Alamos National Laboratory warned employees about protecting themselves against identity theft after the names and Social Security numbers of 550 lab workers were posted on a Web site run by a subcontractor working on a security system.

An April 5 letter to the employees from Jan A. Van Prooyen, the lab's acting deputy director, said the problem was discovered the previous week when a lab employee happened upon the Web site of a software services company that had been hired years before. Clicking a link and entering a password provided online led to a table that included names, and in some cases, Social Security numbers, of people who entered certain lab sites around 1998, the letter said.

[...]

------------------------------

Message: 7
Date: Fri, 20 Apr 2007 21:11:44 +0000 (UTC)
From: lyger
Subject: [Dataloss] Federal Database Exposes Social Security Numbers
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.nytimes.com/2007/04/20/washington/20cnd-data.html?_r=1&hp=&adxnnl=1&oref=slogin&adxnnlx=1177103032-yUYrfkNKmHsZVZ/hqNZWCw

The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.

Officials at the Agriculture Department and the Census Bureau, which maintains the database, were evidently unaware that the Social Security numbers were accessible in the database until they were notified last week by a farmer from Illinois, who stumbled across the database on the Internet.

[...]

Ms. Bergmeier said she was able to identify almost 30,000 records in the database that contained Social Security numbers.

[...]

------------------------------

Message: 8
Date: Sat, 21 Apr 2007 00:40:18 +0000 (UTC)
From: lyger
Subject: [Dataloss] (update) Fed Breach Leaks Social Security Numbers
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(Original numbers reported almost 30,000, now 150,000. Updated)

http://www.forbes.com/feeds/ap/2007/04/20/ap3637323.html

The Social Security numbers of up to 150,000 people who received Agriculture Department grants have been posted on a government Web site since 1996, but they were taken down last week. Free credit monitoring is being offered to those affected.

The security breach was only noticed last week and promptly closed, the Agriculture Department and Census Bureau announced Friday. The Agriculture data that included Social Security numbers were removed from the Web on April 13 and similar data from 32 other agencies were taken down April 17 as a precaution, said Agriculture spokeswoman Terri Teuber.

[...]

------------------------------

Message: 9
Date: Sat, 21 Apr 2007 05:18:23 +0000 (UTC)
From: lyger
Subject: [Dataloss] (update) Fed breach leaks Social Security numbers
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(first 30K, then 150K, now 63K... hope everybody has erasers handy...)

http://origin.denverpost.com/nationworld/ci_5714663

The Social Security numbers of 63,000 people who received Agriculture Department grants have been posted on a government Web site since 1996, but they were taken down last week. Free credit monitoring is being offered to those affected.

The security breach was only noticed last week and promptly closed, the Agriculture Department and Census Bureau announced Friday. The Agriculture data that included Social Security numbers were removed from the Web on April 13 and similar data from 32 other agencies were taken down April 17 as a precaution, said Agriculture spokeswoman Terri Teuber.

[...]

The department originally said Friday the Social Security numbers of 105,000 to 150,000 individuals had been entered into federal databases open to the public since 1981.
But by Friday evening, after they calculated how many people had been entered more than once, USDA announced that 63,000 individuals had their Social Security numbers exposed. The data has only been posted on the Internet by the Census Bureau since 1996.

[...]

------------------------------

Message: 10
Date: Mon, 23 Apr 2007 20:07:36 +0000 (UTC)
From: lyger
Subject: [Dataloss] USDA Narrows List to 38,700...
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(yet another newly revised total...)

http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB?contentidonly=true&contentid=2007/04/0110.xml

The U.S. Department of Agriculture (USDA) has narrowed to approximately 38,700 the number of people whose private identification information was accessible to the public on a government-wide website. USDA takes seriously its responsibility to protect private information and after learning of the potential exposure, immediately took action to remove the information from the website. USDA is also offering credit monitoring services to protect the personal accounts of affected individuals, due to the potential that information was downloaded prior to removal. There is no evidence that this information has been misused.

[...]

------------------------------

Message: 11
Date: Mon, 23 Apr 2007 10:55:45 -0400
From:
Subject: [Dataloss] Counter Strike Struck
To:
Message-ID: <00c501c785b7$792d4db0$6401a8c0 at xp1>
Content-Type: text/plain; charset="iso-8859-1"

I haven't seen this on the list. Sorry if it is a repost.

Rodney Wise
http://pplrwise.blogspot.com

Counter Strike firm in credit card hack claim
Hacker, customers accuse Valve of coverup
By Chris Williams
Published Thursday 19th April 2007 11:09 GMT
http://www.theregister.co.uk/2007/04/19/valve_steam_hack/

Valve Software, the company behind Counter Strike and Half Life, has been accused of covering up a hack of its servers which allegedly exposed the credit card details of thousands of customers.

A hacker calling himself MaddoxX has trumpeted details of the claimed break-in on his website, and threatened to publish more credit card information if Valve do not "come with something good".

Customers say Valve has known about the alleged security breach since April 8 at the latest. A customer told us he raised the hacker's claims on Valve's Steampowered.com forums, but a company moderator quickly stepped in to delete it, writing, "Please do not re-post that thread. Valve are aware of the issue and are investigating. Making threads on the issue will not help."

Sources say a dozen threads about the matter have been suppressed on Valve's official forums. In the meantime the firm has made no attempt to contact the thousands of cyber cafe owners potentially affected.

A large file posted on a file sharing site appears to back up the hacker's claims of breaking into the server of Valve's distribution network, Steam. It contains sensitive financial information including Valve's current assets, full details of five credit card transactions from March 12 with the threat of exposing more, and details of how to set up a fake cyber cafe certificate for multiplayer Counter Strike.

The 14MB plus directory is essentially a "rip" of the cyber cafe content delivery platform, Steam Cafe, and contains all the files to access Valve's Central Authentication Server.

We contacted MaddoxX via email. He claimed he first gained access to Steam this January, and said that although the cyber cafe customer database is not linked to the standard customer list, he has access to that too.
Valve have not contacted him, he said, but have approached his hosting provider to take down the page which announces the hack, so far without success.

The hacker says it's not his intention to steal information. He told us: "I just came across the login details when I was browsing some stuff. The access to their whole customer database was more like luck, but still a hack because the login details are inside some files. They changed the logins now and made it not possible anymore to get the details from the files. The [credit card] details itself are stored in a MySQL database where I still have access to."

"It is just to show how lax they are with their security. I want a full excuse from VALVe on their site that they did NOT inform anyone about this. I've got several e-mails from cafe owners and they said VALVe hasn't even said shit to them...so you can see how they treat their customers."

One cyber cafe owner contacted by The Register said: "Why has it taken days if not weeks before they told us if there is even the slightest possibility someone has our CC details then we should have been told?"

Valve did not return repeated requests for comment.

------------------------------

Message: 12
Date: Mon, 23 Apr 2007 11:06:32 -0400
From:
Subject: [Dataloss] Does a data loss of one count if she is famous? It just isn't for "Ordinary People" anymore.
To:
Message-ID: <00ef01c785b8$fabe9860$6401a8c0 at xp1>
Content-Type: text/plain; charset="iso-8859-1"

Thieves take laptop with Smith photos
April 20, 2007
By Alan J. Keays
Herald Staff

The head of Edgewood Studios in Rutland is looking for the return of a stolen laptop containing some valuable information, including unreleased images of Anna Nicole Smith, the star of his most recent film.
"There are photographs in there that are not to be released," Giancola said Thursday afternoon in a phone interview from the offices of his Rutland-based movie production studio. "There is stuff that we have that is just not cleared for release."

Police said burglars early Thursday broke into Edgewood Studios, at Howe Center, a large complex of offices and businesses just outside Rutland's downtown. Several other businesses in the complex were also burglarized. Police have made no arrest.

Although the thieves did not steal all that much from his studio, the laptop contained a great deal of "proprietary material," including future movie scripts, plot lines, phone numbers and e-mail addresses, Giancola said.

The laptop also contained unreleased photos of Smith, who before her death of a drug overdose in February played a starring role in the studio's soon-to-be-released movie, "Illegal Aliens."

"We're trying to find the laptop because it has material that has proprietary information to Edgewood Studios," Giancola said. "We're really hoping to get that laptop back because of the copyrighted material that was on it."

"Illegal Aliens" is set to be released on DVD next month. The movie, filmed in September 2005 in Rutland, has generated international interest following the media attention that accompanied Smith's death.

"What we're most concerned about is 'Illegal Aliens' kind of stuff, and that movie is not being released until May 1," Giancola said. "There's another movie called 'Zombie Town' and that movie's not going to be released probably until Halloween and there's material from that on (the laptop) and we don't want that out there, either."

Surveillance video suggested the burglars did not target the laptop for theft because of its connection to Smith. Instead, Giancola said, it appeared the burglars were on a "drunken rampage," smashing the front door and two inside doors at the studio.
Giancola said the value of the stolen items and the cost of repairing damage would amount to a couple of thousand dollars. However, he said, a dollar amount cannot be placed on the value of the "proprietary material" that was on the stolen laptop, including the Smith photos.

"The intellectual property is way more valuable than any of the physical equipment we have," Giancola said.

Contact Alan J. Keays at alan.keays at rutlandherald.com.

Rodney Wise
For new stories about ID theft and data loss by companies visit: http://pplrwise.blogspot.com
See what is happening to your information

------------------------------

Message: 13
Date: Tue, 24 Apr 2007 03:55:22 +0000 (UTC)
From: lyger
Subject: [Dataloss] Administravia: List Reminders and Changes
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Greetings all,

I'll try to be as brief as I can. The Data Loss Mail List would like to remind subscribers and posters that list topics should adhere to the following guidelines:

Data Loss is a non-commercial mail list that covers topics such as news releases regarding large-scale personal data loss and personal data theft incidents. Discussion about incidents, indictments, legislation, and recovery of lost or stolen personal data is encouraged. Advertisements or endorsements for commercial products and/or services, on or off list, are not allowed. Isolated personal incidents regarding identity theft are not considered to be topical. Discussion is welcome about items that are topical.

Please contact me directly with any questions or concerns about list content.
Thanks,
Lyger

------------------------------

Message: 14
Date: Tue, 24 Apr 2007 17:04:46 +0000 (UTC)
From: lyger
Subject: [Dataloss] Neiman says employee data stolen
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.wfaa.com/sharedcontent/dws/bus/stories/042507dnbusneiman.40beadd.html

The Neiman Marcus Group said Tuesday that computer equipment containing files with sensitive information of nearly 160,000 current and former employees has been stolen.

The files were owned by a pension consultant and contained 2-year-old data that was current as of Aug. 30, 2005. Information included each person's name, address, social security number, date of birth, period of employment and salary information. Employees hired after Aug. 30, 2005 are not affected.

[...]

------------------------------

Message: 15
Date: Tue, 24 Apr 2007 22:41:30 +0000 (UTC)
From: lyger
Subject: [Dataloss] Baltimore Co. Laptop Stolen With Personal Info
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://wjz.com/local/local_story_114155042.html

A laptop containing the personal information of about 6,000 people was stolen from a Baltimore County health center, a health department spokeswoman said Tuesday.

The computer did not contain medical information but did have names, date of birth, social security numbers, telephone numbers and emergency contact information. The personal information was from patients who were seen at the clinic between Jan. 1, 2004 and April 12.

[...]

------------------------------

Message: 16
Date: Wed, 25 Apr 2007 06:59:07 -0400
From: "Rodney Wise"
Subject: [Dataloss] The cost of doing business?
To: dataloss at attrition.org
Message-ID: <24e2acc50704250359yaf861b5wd847586701bfda85 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Bank groups in 3 states plan to sue TJX over data theft
http://www.mercurynews.com/businessheadlines/ci_5745507
The Associated Press
Article Launched: 04/25/2007 01:50:15 AM PDT

BOSTON (AP) - Bank associations in Massachusetts, Connecticut and Maine said Tuesday that they will sue TJX over a data theft that exposed at least 45 million credit and debit cards to potential fraud.

Banks have been saddled with costs to replace cards and cover fraudulent charges tied to the theft from TJX, the owner of nearly 2,500 discount stores including T.J. Maxx and Marshalls.

On Jan. 17, Framingham, Mass.-based TJX disclosed a breach of its computer systems by an unknown hacker or hackers who accessed card data from transactions as long ago as late 2002. On March 28, TJX said at least 45.7 million of its shoppers' cards had been compromised.

--
Rodney Wise
http://pplriwse.blogspot.com

------------------------------

Message: 17
Date: Wed, 25 Apr 2007 20:13:02 +0000 (UTC)
From: lyger
Subject: [Dataloss] (update) Darwin Professional Underwriters - Tech-404.com
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

For anyone interested in the follow-up:

Darwin Professional Underwriters, which operates the website Tech-404.com, has come to an agreement with attrition.org regarding the use of our Data Loss web page and RSS feed. In return for use of attrition.org's RSS service and/or web page, Darwin has graciously agreed to make a contribution to the Open Source Vulnerability Database (http://osvdb.org) in order to further promote security awareness. We appreciate Darwin's willingness to work with us to help resolve this matter and we wish them the best in their future endeavors.
Lyger

------------------------------

Message: 18
Date: Thu, 26 Apr 2007 16:01:31 +0000 (UTC)
From: lyger
Subject: [Dataloss] Ceridian accidentally leaks data from NY firm
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html

Payroll processing firm Ceridian Corp. accidentally leaked employee data from a New York advertising firm on a Web site, the company confirmed Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising company Innovation Interactive last week, after it learned that it had inadvertently leaked ID and bank-account data on 150 employees, company spokesman Pete Stoddart said.

Ceridian said a former employee accidentally posted the information on a personal Web site. The employee took the data by accident after leaving the company in March 2006.

[...]

------------------------------

Message: 19
Date: Thu, 26 Apr 2007 11:15:28 -0500
From: "Patrick Hack"
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm
To:
Message-ID: <463089CF.E11B.0075.0 at 4thebank.com>
Content-Type: text/plain; charset="us-ascii"

Just wondering, how do you 'accidentally' take private customer information as you're leaving employment and 'accidentally' post it to your personal web site? This sure sounds like straight-up data theft to me.

P. Hack

>>> lyger 4/26/2007 11:01 AM >>>
http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html

Payroll processing firm Ceridian Corp. accidentally leaked employee data from a New York advertising firm on a Web site, the company confirmed Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising company Innovation Interactive last week, after it learned that it had inadvertently leaked ID and bank-account data on 150 employees, company spokesman Pete Stoddart said.
Ceridian said a former employee accidentally posted the information on a personal Web site. The employee took the data by accident after leaving the company in March 2006. [...] _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 207 million compromised records in 634 incidents over 7 years. CONFIDENTIALITY NOTICE: This email message is private, confidential property of the sender, and the materials may be privileged communications intended solely for the receipt, use, benefit, and information of the intended recipient indicated above. If you are not the intended recipient, you are hereby notified that any review, disclosure,distribution, copying or taking of any other action in reference to the contents of this message is strictly prohibited, and may result in legal liability on your part. If you have received this message in error, please notify the sender immediately and delete this message from your system. We believe that this email and any attachments are free of any virus or other defect that might affect any computer system that it is received and opened in, however, it is the responsibility of the recipient to ensure that it is virus free and the sender accepts no responsibility for any loss or damage. -------------- next part -------------- An HTML attachment was scrubbed... 
------------------------------

Message: 20
Date: Thu, 26 Apr 2007 12:27:25 -0500
From: "Katie Felten"
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm
To: "'Patrick Hack'"
Message-ID: <000801c78828$29df7c10$7d9e7430$@com>
Content-Type: text/plain; charset="us-ascii"

P, my thoughts exactly when I read this article this morning.

Katie Felten, CITRMS
Data Security & Privacy Specialist
Certified Identity Theft Risk Management Specialist
www.getsmartcomply.com
K Felten & Associates, LLC
N78W14573 Appleton Ave #297
Menomonee Falls, WI 53051
Direct 262-227-0772
Katie at k-felten.com

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Patrick Hack
Sent: Thursday, April 26, 2007 11:15 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm

Just wondering, how do you 'Accidentally' take private customer information as you're leaving employment and 'Accidentally' post it to your personal web site? This sure sounds like straight-up data theft to me.

P. Hack

[...]

------------------------------

Message: 21
Date: Thu, 26 Apr 2007 23:37:58 +0000 (UTC)
From: security curmudgeon
Subject: [Dataloss] slightly OT: LifeLock Identity Theft Protection
To: dataloss at attrition.org
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.lifelock.com/

My name is Todd Davis
This is my social security number 457-55-5462

"I'm Todd Davis, CEO of LifeLock. Yes, that really is my social security number. No I'm not crazy. I'm just sure our system works. Just like we have with mine, LifeLock will make your personal information useless to a criminal. And it's GUARANTEED."

Here at LifeLock, We Guarantee Your Good Name.
No one else does because no one else can.

http://www.lifelock.com/our-guarantee

$1 Million Guarantee

Our $1 Million Guarantee

Our Guarantee is simple. If you are our client when someone steals your personal information and subsequently misuses it, we will reimburse any and all direct expenses that you incur and pay for professionals with the proper expertise. The maximum amount that we will pay is $1 million over the life of the incident. We provide this guarantee because we are so confident in our product.

Direct expenses include lost wages, long-distance calls, postage and other miscellaneous costs in addition to any funds that are actually stolen from you or a third party that holds you responsible. If you need an attorney to help resolve the claims, we will select them and manage the case on your behalf. Your request must not be fraudulent and you must tell us of the event within 30 days of first learning of it.

How the Guarantee Works:

If your Identity is used by a third party without your consent, we will do the following:

1. We will pay any direct expenses you incur subject to the terms below. Usually, we will advance these costs on your behalf. If we do that, you must assign your guarantee request to any such reimbursement by any third party. For example, if your bank charges you fees because someone else used your credit card and it took you over your limit, we will ensure that you are reimbursed that money promptly. If the bank doesn't do it, then we will and if and when the professionals we hire to assist you get the bank to refund the money, you agree that it will be sent to us or that, if paid directly to you, that you will send it to us as soon as you receive it.

2. If the amount involved is over $1,000, we reserve the right to investigate the guarantee request and conclude that the claim is valid. For instance, if you are arrested for bank fraud and you assert that you did not commit the crime and that someone else stole your identity to commit the crime, we will investigate your assertion. If we are confident that you did not commit the crime, we will advance any legal fees, bail or other costs required to get you out of jail and back to your life. We will perform our investigation with all due haste and we will render our decision as quickly as we can. The standard we will use is that if any reasonable person would come to the conclusion that you are not responsible, we will as well. Once we are comfortable that you are innocent due to Identity Theft that occurred while you are our client, we will advance all fees and costs as discussed above. Note that we do not necessarily require that you are found innocent by the authorities before performing on our guarantee.

3. If it turns out that our investigation is wrong and that you misrepresented a loss or that you weren't our client when it happened, you agree to pay us back any amount we have advanced or incurred on your behalf upon demand, including any costs we incur to collect the money from you. Being found guilty of the crime which you attributed to Identity theft is sufficient evidence to conclude that we are entitled to recover all amounts advanced or paid on your behalf as described above.

4. Should we, however, decline your guarantee request and you are found innocent due to the fact that someone used your Identity to commit the crime, we will then honor our guarantee and pay you $10,000 for the hardship you suffered. You agree that we are not liable for any additional costs or awards for any reason.

That's it. No more fancy language.
------------------------------

Message: 22
Date: Fri, 27 Apr 2007 01:59:19 +0000 (UTC)
From: security curmudgeon
Subject: Re: [Dataloss] slightly OT: LifeLock Identity Theft Protection
To: dataloss at attrition.org
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 26 Apr 2007, security curmudgeon wrote:

: http://www.lifelock.com/
:
: My name is Todd Davis
: This is my social security number 457-55-5462

My post was not an endorsement of lifelock.com, Todd Davis or anything else. This post was made because I found it surprising that a CEO would post his own social security number "proving" his own service, something that other services don't do.

Attrition does not have any affiliation with lifelock.com or any other company/service that provides identity theft protection. Until earlier this evening, neither Lyger nor myself had heard of lifelock.com despite their "million dollar advertising campaign" (from what we were later told).

If anyone has any comments, criticisms or rebuttal of my post, we will selectively post them if they are fair, reasonable and cite their sources.

By reading this mail you absolve myself and attrition.org of any wrongdoing, pinkie swear you will eat a twinkie before midnight and will print and shred this message if it was not intended for you.

- Jericho

------------------------------

Message: 23
Date: Thu, 26 Apr 2007 20:21:24 -0500
From: Chris Walsh
Subject: Re: [Dataloss] slightly OT: LifeLock Identity Theft Protection
To: security curmudgeon
Cc: dataloss at attrition.org
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Great. Now lyger's gonna have to send out a notification letter to the guy. Couldn't you have ROT13'd the email to avoid this? :^)

Chris

On Apr 26, 2007, at 6:37 PM, security curmudgeon wrote:

>
> http://www.lifelock.com/
>
> My name is Todd Davis
> This is my social security number 457-55-5462
>
> "I'm Todd Davis, CEO of LifeLock.
> Yes, that really is my social security number. No I'm not crazy. I'm just sure our system works. Just like we have with mine, LifeLock will make your personal information useless to a criminal. And it's GUARANTEED."

------------------------------

Message: 24
Date: Fri, 27 Apr 2007 15:22:29 +0000 (UTC)
From: lyger
Subject: [Dataloss] 175 told of possible computer security incident at Purdue
To: dataloss at attrition.org
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(from April 24, 2007)

http://news.uns.purdue.edu/x/2007a/070424KsanderEngineer.html

Purdue University is informing 175 people who were students in fall 2001 that a Web page containing information about them was inadvertently available on the Internet.

The page, which was no longer in use but was on a computer server connected to the Internet, contained names and Social Security numbers of students who were enrolled in a freshman engineering honors course and were scheduling to meet with advisers. Although forgotten, the page had been indexed by Internet search engines and consequently was available to individuals searching the Web.

The page has been removed and, at Purdue's request, Yahoo and Google have removed the page from their indexes and cache. Letters are in the mail to those potentially affected.

[...]

------------------------------

Message: 25
Date: Sat, 28 Apr 2007 01:47:50 +0000 (UTC)
From: lyger
Subject: [Dataloss] Caterpillar Says Employee Data Stolen
To: dataloss at attrition.org
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(if anyone can find verifiable details on number affected or type of information, please let us know)

http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2007/04/27/financial/f172558D76.DTL&type=business

Caterpillar Inc. said late Friday that a laptop computer containing personal data on employees was stolen from a benefits consultant that works with the company.
Caterpillar spokesman Rusty Dunn declined to provide many details Friday.

"This is an open investigation and we're not prepared to get into any specifics," Dunn said.

He said one laptop computer was stolen earlier this month, but didn't say where the theft took place or identify the consultant. Dunn declined to say how many employees were affected.

[...]

------------------------------

Message: 26
Date: Sat, 28 Apr 2007 02:12:56 +0000 (UTC)
From: lyger
Subject: [Dataloss] FEMA's 'Unfortunate' Privacy Disaster
To: dataloss at attrition.org
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

From April 23, 2007

http://www.washingtonpost.com/wp-dyn/content/article/2007/04/22/AR2007042201362.html

Sometimes when they are not busy dealing with natural disasters, FEMA folks just make up their own.

We got this letter the other day from Glenn M. Cannon, assistant administrator in the Disaster Operations Directorate. "Dear Disaster Generalist," he wrote to about 2,300 people on April 16, "an unfortunate administrative processing error at FEMA . . . has resulted in the printing of Social Security numbers on the outside address labels of Disaster Assistance Employee (DAE) . . . reappointment letters."

The mail distribution center mishandled the letters, he said, creating this "unintentional release of Privacy Act information."

[...]

------------------------------

Message: 27
Date: Fri, 27 Apr 2007 22:45:03 -0500
From: Chris Walsh
Subject: [Dataloss] NY AG settles first data breach case
To: dataloss at attrition.org
Message-ID: <738474A5-36BC-4B2E-9A52-AADE095DDDE1 at cwalsh.org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

By Sharon Gaudin
InformationWeek
April 27, 2007 01:32 PM

The New York Attorney General has obtained the first settlement under the state's new security breach notification law.
Attorney General Andrew Cuomo announced Thursday that it has reached an agreement with CS Stars LLC, a Chicago-based claims management company, to implement precautionary procedures, comply with New York's notification law in the event of another security breach, and pay $60,000 to the AG's office for investigation costs.

On May 9, 2006, an employee at CS Stars noticed that a computer was missing that held personal information, including the names, addresses, and Social Security numbers of recipients of workers' compensation benefits, according to the AG's office. The New York Special Funds Conservation Committee, a not-for-profit organization created to assist in providing benefits to workers under the New York Workers' Compensation Law, was the owner of the data contained in the missing computer.

It was not until June 29, 2006 that CS Stars first notified Special Funds of the security breach, the AG's office reported. On the same date, the company notified the FBI, as well. The FBI instructed the company to not send out any notifications to people who might be affected by the data breach because it might impede their investigation.

According to the AG's release, CS Stars notified the Attorney General's office, the Consumer Protection Board, and the state office of Cyber Security about the breach on June 30, 2006. Then on July 18, with the permission of the FBI, the company began sending out notices to the approximately 540,000 potentially affected New York consumers notifying them of the security breach.

[...]

Via http://www.informationweek.com/news/showArticle.jhtml?articleID=199202218

------------------------------

Message: 28
Date: Sat, 28 Apr 2007 21:47:15 +0000 (UTC)
From: lyger
Subject: [Dataloss] N. Texas Company Posted Private Information Online
To: dataloss at attrition.org
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.nbc5i.com/money/13207482/detail.html

A North Texas company posted online the private information of hundreds of job applicants, NBC 5 reported.

Couriers On Demand, run by Kyle Bowers, made available for public viewing names, addresses, phone numbers, Social Security numbers and drivers license numbers on its Web site, NBC 5 reported.

Attorney Cami Boyd, who specializes in data privacy, said the company should have been encrypting its data behind a secure firewall. Without taking those precautions, she said, it is in violation of state law and federal law.

[...]

------------------------------

Message: 29
Date: Sun, 29 Apr 2007 07:36:44 -0400
From: "Rodney Wise"
Subject: [Dataloss] Is it just about credit?
To: dataloss at attrition.org
Message-ID: <24e2acc50704290436u343d7975y1645480e00c9cd9e at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

(In his best Columbo accent).... There is just one more thing ma'am... I am having trouble understanding a few things... gee do ya think you could help me out here?

I have a few questions for discussion by the group.

I have seen time and time again that companies that have been compromised have offered credit monitoring to help REDUCE any monetary damages that might be gained from lawsuits. It is not just about credit. You can lock it down for your life and still have problems.

Question 1
Is it just about your credit?

If someone gets your SSN or SIN (Canada) they can do a lot more than get cash. If they get medical treatment for ... I don't know ... a heart problem or even... HIV do you think you will ever get insurance again?

Question 2
What about death and taxes?

Well if you are in the US without the proper permissions to be here in most situations you MUST have 2 forms of identity to gain employment. A SSN AND a drivers license number.
If they have YOUR SSN and get employment that can put you in another tax bracket owing more money than the job they are doing will be deducting for taxes. What if that happens multiple times? There is NO verification process in place that will tell an employer that it is not you. It will just verify it is a valid number.

Let's go one more step further... I get your Driver License Number from a check you give me. I make $5/hr at a retail store and see several of these a day, I can sell this for about $50 (read 10 hours of work) for each one. You are flying to that city where what happens there stays there and use your DLN as your ID. OOPS I forgot to tell you I used your number when I got pulled over for a DUI. YOU now have a criminal record.

Question 3
How does credit monitoring help these problems?

Question 4
What does the federal government REQUIRE businesses to do to help reduce data theft?

Five things.
1. Take Stock... like an inventory of your data
2. Scale Down... What do you REALLY need
3. Lock it down... Protect it
4. Pitch it... READ SHRED
5. Plan Ahead... create a written plan

http://www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf

Question 5
If you read the publication, is this too much to ask of the companies we willingly give our data to?

Rodney Wise
http://pplriwse.blogspot.com

------------------------------

Message: 30
Date: Sun, 29 Apr 2007 17:39:20 +0000 (UTC)
From: security curmudgeon
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health care)
To: dataloss at attrition.org
Content-Type: TEXT/PLAIN; charset=US-ASCII

: Question 1
: Is it just about your credit?
:
: If someone gets your SSN or SIN (Canada) they can do a lot more than get
: cash. If they get medical treatment for ... I don't know ... a heart
: problem or even...
: HIV do you think you will ever get insurance again?

Hopefully someone in the health care industry can speak up on this but a few points.

Many (most? all?) hospitals require photo ID for everything now. While we know that a bad guy can do a full identity theft, including getting a new license or birth certificate, it does require a dedicated person. They ask for the photo ID with insurance card, which you'd also have to get issued. Some hospitals actually train their staff (a full class) on handling photo ID, recognizing aspects that would be suspicious (birth date, etc) and how to respond. This has led to some cases where the person using a stolen identity received medical treatment, walked out of the hospital all better, only to be arrested immediately as the hospital staff watched (they knew what was going on but wouldn't deny treatment of course).

Some hospitals use computer systems that have routines specifically designed to flag possible identity theft. Various incidents (most related to billing I assume) will flag a record with a potential identity theft marker which is visible to any hospital employee who loads the record. Employees are trained to act normal and provide treatment but call a special security number (internal to the hospital) and trained security staff respond.

This leads one to wonder if the DMV when re-issuing a license might notice discrepancies. Eye color goes from blue to brown, hair color, height, weight .. how many changes before someone says "wait"?

------------------------------

Message: 31
Date: Sun, 29 Apr 2007 18:36:50 +0000 (UTC)
From: nepen
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health care)
To: dataloss at attrition.org
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Sun, 29 Apr 2007, security curmudgeon wrote:

>
> : Question 1
> : Is it just about your credit?
> :
> : If someone gets your SSN or SIN (Canada) they can do a lot more than get
> : cash.
> : If they get medical treatment for ... I don't know ... a heart
> : problem or even... HIV do you think you will ever get insurance again?
>
> Hopefully someone in the health care industry can speak up on this but a
> few points.
>
> Many (most? all?) hospitals require photo ID for everything now. While we
> know that a bad guy can do a full identity theft, including getting a new
> license or birth certificate, it does require a dedicated person. They ask
> for the photo ID with insurance card, which you'd also have to get issued.
> Some hospitals actually train their staff (a full class) on handling photo
> ID, recognizing aspects that would be suspicious (birth date, etc) and how
> to respond. This has led to some cases where the person using a stolen
> identity received medical treatment, walked out of the hospital all better,
> only to be arrested immediately as the hospital staff watched (they knew
> what was going on but wouldn't deny treatment of course).

Just a note, but back when I had absolutely no way to prove who I was, the ER would treat me. This was post 9-11, and the hospital had significantly upgraded their security procedures. ERs have charity care programs, however, for those who cannot pay, and they are [or mine was] retroactive. If you state that you cannot pay upon arriving, they will set up an appointment for you. I don't really see an issue there with ID theft unless someone is deliberately attempting to keep their particular ailment off of their own record. The requirements for these programs [at least here] are relatively loose, but usually last only one year, at which time you must re-file. You may be able to pull it off for minor problems that are put through Fast-Track [but charity care, at least in my state, covers that 100%], but if you go in with heart problems you may wake up 10 hours later handcuffed to your bed after your open-heart surgery.
> This leads one to wonder if the DMV when re-issuing a license might notice
> discrepancies. Eye color goes from blue to brown, hair color, height,
> weight .. how many changes before someone says "wait"?

That's the beauty of contact lenses [particularly blue to brown--brown to blue not so easy to pull off], hair and weight don't seem like big issues, and depending upon the age of the person, a one or two inch height discrepancy doesn't seem like a big deal. My mother had no problems getting her license--she went when I went--and she's changed her hair colour, weight, and height. If I'd have given her a pair of blue contact lenses, I'd doubt they'd have even noticed. Her previous license had no photo.

Though at the NJ DMV, I was able to receive my ID and /bypass/ their "6 point identification system" which requires a certain amount of documents worth a certain number of points, adding up to 6, before you're able to get a license or photo ID. I was also able to do this at the SSA. This was all relatively recently--this month, in fact. All the SSA required was a note from my doctor--who simply wrote everything I told him to write when it came to my description--in lieu of their new post-9/11 requirements. For my birth certificate: I never had to get out of the car.

It seems to me that everyone now has to juggle leniency for those who have fallen through the cracks with vigilance for those who are exploiting the system. I spent hours worrying about how I would be able to get my new Social Security Card or meet the DMV's 6 points, and I had absolutely no problem doing either. It was incredibly easy. It seems like this transitioning issue, where they are accommodating people unable to meet the new requirements, might be the easiest point of abuse.
nepen

------------------------------

Message: 32
Date: Sun, 29 Apr 2007 19:43:46 +0000 (UTC)
From: lyger
Subject: [Dataloss] UNM says some employee information on stolen laptop
To: dataloss at attrition.org
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://kob.com/article/stories/S72768.shtml?cat=517

University of New Mexico officials say personal information for 3,000 employees may have been stored on a laptop computer that was stolen.

The university notified the employees by e-mail that some personal information may have been on a laptop taken Wednesday from a San Francisco office.

University officials learned of the theft Friday from an outside consultant working on UNM's human resource and payroll systems.

[...]

------------------------------

Message: 33
Date: Sun, 29 Apr 2007 18:51:24 -0400
From: "Rodney Wise"
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health care)
To: "security curmudgeon"
Cc: dataloss at attrition.org
Message-ID: <24e2acc50704291551x683b6e86off6a59e2455c90df at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I guess the basic question is:

As people who are aware of data breaches how can we alert others that it is NOT just about credit.

Rodney

On 4/29/07, security curmudgeon wrote:
>
> : Question 1
> : Is it just about your credit?
> :
> : If someone gets your SSN or SIN (Canada) they can do a lot more than get
> : cash. If they get medical treatment for ... I don't know ... a heart
> : problem or even... HIV do you think you will ever get insurance again?
>
> Hopefully someone in the health care industry can speak up on this but a
> few points.
>
> Many (most? all?) hospitals require photo ID for everything now. While we
> know that a bad guy can do a full identity theft, including getting a new
> license or birth certificate, it does require a dedicated person. They ask
> for the photo ID with insurance card, which you'd also have to get issued.
> [...]

--
Rodney Wise
http://pplriwse.blogspot.com

------------------------------

Message: 34
Date: Sun, 29 Apr 2007 23:32:01 +0000 (UTC)
From: nepen
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health care)
To: dataloss at attrition.org
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Sun, 29 Apr 2007, Rodney Wise wrote:

> I guess the basic question is:
>
> As people who are aware of data breaches how can we alert others that it is
> NOT just about credit.
>
> Rodney

Simple: Research the potential results of dataloss that do not involve identity theft/credit issues, write about these new ideas, and put the information out there.

Notsosimple: Hope for interest, particularly if there is some sort of marketable protection against these other outcomes. Sadly, the ability for someone to profit from offering services to protect against these potential non-credit-related outcomes of dataloss events may have an effect on whether or not there is much interest in them.

Research, write, publish: Create awareness and cross your fingers?

nepen

------------------------------

Message: 35
Date: Sun, 29 Apr 2007 19:27:59 -0700
From: J Beebe
Subject: Re: [Dataloss] The cost of doing business?
To: dataloss at attrition.org
Message-ID: <20070430022820.KICS24310.fed1rmmtao104.cox.net at fed1rmimpo01.cox.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

Here's a link to the complaint filed by the Mass. Bankers Assoc. It notes that they and the other 2 bankers assocs. are asking for "tens of millions of dollars."

https://www.massbankers.org/pdfs/DataBreachSuitNR5.pdf

Should be interesting.

JB

At 03:59 AM 4/25/2007, Rodney Wise wrote:
>Bank groups in 3 states plan to sue TJX over data theft
>http://www.mercurynews.com/businessheadlines/ci_5745507
>The Associated Press
>Article Launched: 04/25/2007 01:50:15 AM PDT
>
>BOSTON (AP) - Bank associations in Massachusetts, Connecticut and
>Maine said Tuesday that they will sue TJX over a data theft that
>exposed at least 45 million credit and debit cards to potential fraud.
>
>Banks have been saddled with costs to replace cards and cover
>fraudulent charges tied to the theft from TJX, the owner of nearly
>2,500 discount stores including T.J. Maxx and Marshalls.
>
>On Jan. 17, Framingham, Mass.-based TJX disclosed a breach of its
>computer systems by an unknown hacker or hackers who accessed card
>data from transactions as long ago as late 2002.
>On March 28, TJX said at least 45.7 million of its shoppers' cards had
>been compromised.
>--
>Rodney Wise
>http://pplriwse.blogspot.com

------------------------------

Message: 36
Date: Sun, 29 Apr 2007 20:41:43 -0500
From: Al Mac
Subject: Re: [Dataloss] Is it just about credit?
To: "Data Loss Incidents"
Message-ID: <6.2.1.2.1.20070429195335.02a52360 at mail.sigecom.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

How difficult is it for the criminal underworld to manufacture fake driver's licenses? The photo-id looks exactly like the person carrying it (it is their photo), but the identity is whoever's identity they stole. Such an id can be used to help get a job, get medical treatment, anything such a fake id is used for. Does not matter if thumb print on there, because fake-id has photo and thumb print of the crook instead of the real person who has the real-id-license that was issued by the state DMV.

You're right that the DMV record ought to have eye color, hair color etc. But one of the types of data theft has been entire DMV data bases. Crooks in the fake-id business can then match identity to be stolen with person needing fake id with similar characteristics ... eye color, hair color, gender, approx age, etc.

This will cease to work when the photo-id gets scanned in some place to compare it to the official copy in DMV records, unless crooks have the sophistication to also mess with the official records, or the communication between police car check point and official records.
I expect it will be pretty rare for people running around with fake IDs to have the kinds of hacker skills to spoof in real time whatever is done to validate the photo or thumb print on the fake ID.

A small fortune is spent on protecting the nation's currency from counterfeiting, but yet there still are people who get away with passing counterfeit money. Nothing like that expense can be incurred to protect individual states from having fraudulent driver's licenses and other identification in circulation.

A while back, the state of Colorado sorted employee tax reporting data by SSN to get a count of how many different places the same SSN was being used ... I think the biggest was like 50 or 100 employers that had someone simultaneously working there with the same SSN. We can reasonably assume that if other US states were to do this, they might get similar numbers. Bigger in the more populated states. Similar story in other nations.

The feds have done this with critical infrastructure ... people working at the Pentagon, nuclear weapons facilities, etc. & yes, found lots of fraudulent identities there. We can hope most of them are people who just need a job, not many potential terrorists in the bunch.

Is there a serious risk that the states will crack down on the real people, in whose names those 50 other people are using their SSN? Or is there temptation for states to look the other way, since this is tax money being paid for services that the fake SSN holders may be less likely to claim than valid SSN holders? You may be better off with a bunch of people paying extra taxes in your name, than only one of them. Except with how easy it is to fraudulently claim an income tax refund, which is a big problem for the IRS, and also for the person in whose name this got done.

More risks than you said. You don't even get on the plane at the airport to go home, because your identity was used by someone stopped by the police, let go on minimal bail, supposed to return for a court date, never did.
Now you have the legal expense of proving you are not whoever that is, running around the country committing more crimes in your name.

Let's suppose the real Rodney Wise is in the hospital for serious treatment, and while there, persons with a fake identity for Rodney Wise steal his car, sell it, occupy his home, sell everything there, get a second mortgage on it, sell the house, run up ungodly bills, clean out bank accounts. The real Rodney gets out of the hospital & tries to go home, and is arrested as an intruder in a home that now belongs to someone else. This has happened to people in nations where possession is 9/10 of the law.

Credit monitoring helps with some of the problems but we need more.

Some day, DNA testing will be as rapid as sticking some skin cells or spit into a gadget that will say "You were born in nation X, legally in nation Y, have a blood relative criminal Z" and we pray that long before that reality the databases are locked down with good support for people to correct errors about themselves.

- Al Macintyre

------------------------------

Message: 37
Date: Sun, 29 Apr 2007 23:47:24 -0500
From: Chris Walsh
Subject: Re: [Dataloss] Is it just about credit?
To: Data Loss Incidents
Message-ID: <9E72B570-5BCC-4F3C-B9D2-0D6DDD7EF078 at cwalsh.org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Here in IL, we just had a high-profile federal bust of some folks who were allegedly selling fake drivers' licenses and fake SocSec cards as a combo pack for $300. This was in a section of Chicago with many undocumented workers. Reports are that this is undoubtedly so the buyers can work in the US, but of course the news coverage says that the sellers don't exactly care why someone is looking for ID as long as they have the $$.

In this particular instance, the Feds say they acted because the gang allegedly selling these IDs had murdered someone who tried to go into competition with them.
Clearly, then, the cost of production of these IDs is less than the $300, or else the dead guy would have been no threat since he could not possibly undercut the gang.

On Apr 29, 2007, at 8:41 PM, Al Mac wrote:

> How difficult is it for the criminal underworld to manufacture fake
> driver's licenses?

------------------------------

Message: 38
Date: Mon, 30 Apr 2007 11:15:00 -0400
From: Adam Shostack
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health care)
To: Rodney Wise
Cc: security curmudgeon , dataloss at attrition.org
Message-ID: <20070430151500.GB8860 at homeport.org>
Content-Type: text/plain; charset=us-ascii

On Sun, Apr 29, 2007 at 06:51:24PM -0400, Rodney Wise wrote:
| I guess the basic question is:
|
| As people who are aware of data breaches how can we alert others that it is NOT
| just about credit.

We used to use words like 'privacy' or 'data protection.'

To Jericho's point, I'd argue that the problem is central medical databases, and upgrading the trusted third parties to control what goes in them is just poor thinking.

Adam

|
| On 4/29/07, security curmudgeon wrote:
|
|
| : Question 1
| : Is it just about your credit?
| :
| : If someone gets your SSN or SIN (Canada) they can do a lot more than get
| : cash. If they get medical treatment for ... I don't know ... a heart
| : problem or even... HIV do you think you will ever get insurance again?
|
| Hopefully someone in the health care industry can speak up on this but a
| few points.
|
| Many (most? all?) hospitals require photo ID for everything now. While we
| know that a bad guy can do a full identity theft, including getting a new
| license or birth certificate, it does require a dedicated person. They ask
| for the photo ID with insurance card, which you'd also have to get issued.
| Some hospitals actually train their staff (a full class) on handling photo
| ID, recognizing aspects that would be suspicious (birth date, etc) and how
| to respond.
| This has led to some cases where the person using a stolen
| identity received medical treatment, walked out of the hospital all better,
| only to be arrested immediately as the hospital staff watched (they knew
| what was going on but wouldn't deny treatment of course).
|
| Some hospitals use computer systems that have routines specifically
| designed to flag possible identity theft. Various incidents (most related
| to billing I assume) will flag a record with a potential identity theft
| marker which is visible to any hospital employee who loads the record.
| Employees are trained to act normal and provide treatment but call a
| special security number (internal to the hospital) and trained security
| staff respond.
|
| This leads one to wonder if the DMV when re-issuing a license might notice
| discrepancies. Eye color goes from blue to brown, hair color, height,
| weight .. how many changes before someone says "wait"?
|
| --
| Rodney Wise
| http://pplriwse.blogspot.com

------------------------------

Message: 39
Date: Mon, 30 Apr 2007 23:51:50 +0000 (UTC)
From: lyger
Subject: [Dataloss] (update) Stolen Caterpillar laptop contained employees personal information
To: dataloss at attrition.org
Message-ID:
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(now disclosed that SSNs were on the stolen laptop. other reports have also disclosed that the laptop belonged to an "SBA Inc." located in Georgia.)
http://www.wjbc.com/wire2/news/01943_Caterpillar-Data-WEB_145542.htm

Caterpillar Incorporated told employees in a letter that a laptop stolen this month contained current and former workers' Social Security numbers, banking information and addresses.

Peoria-based Caterpillar has declined to say how many of its roughly 95-thousand employees were affected but has set up a call center to answer their questions.

[...]

------------------------------

_______________________________________________
Dataloss mailing list
Dataloss at attrition.org
https://attrition.org/mailman/listinfo/dataloss

End of Dataloss Digest, Vol 15, Issue 3
***************************************

From rforno at infowarrior.org Tue May 1 13:46:13 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 01 May 2007 09:46:13 -0400
Subject: [Dataloss] YouTube Shocker: Chase Bank Records Found In Trash
Message-ID:

YouTube Shocker: Chase Bank Records Found In Trash
Video Exploits Security Lapses With Customer Info

(CBS) NEW YORK A bank error that's certainly not in your favor has found its way onto the Internet, and now officials say very personal information of thousands of Chase Bank customers could find its way into the hands of identity thieves.

A new YouTube video flaunting the personal information of Chase Bank customers is getting a lot of attention. The video shows a person holding numerous confidential financial documents of bank customers, and pointing out information that is supposed to be protected by the bank.

"Social Security Numbers here as well as date of birth," one person could be heard saying on the video, pointing to one of the documents.

Bank statements, credit reports and other personal documents were seen being unearthed in the video.
< - >

http://wcbstv.com/topstories/local_story_121055435.html

From lyger at attrition.org Tue May 1 19:04:29 2007
From: lyger at attrition.org (lyger)
Date: Tue, 1 May 2007 19:04:29 +0000 (UTC)
Subject: [Dataloss] JP Morgan client data loss
Message-ID:

http://www.financialnews-us.com/?page=ushome&contentid=2347681605

JP Morgan Chase has alerted thousands of its Chicago-area millionaire clients, as well as some of its own employees, that it can not locate a computer tape containing their account information and Social Security numbers.

The tape, which was in a locked container, was being transported from a bank location to an off-site facility last month when it went astray, a JP Morgan spokesman said.

[...]

From lyger at attrition.org Tue May 1 19:10:06 2007
From: lyger at attrition.org (lyger)
Date: Tue, 1 May 2007 19:10:06 +0000 (UTC)
Subject: [Dataloss] IL: Data about 139 officers left on donated computer
Message-ID:

http://www.news-gazette.com/news/local/2007/05/01/data_about__officers_left_on_donated

Names and Social Security numbers for 139 Champaign police officers were left on a computer donated to charity.

The city notified those in the database that their personal information may have been unintentionally released, but city staff members do not believe the data was compromised, according to Information Technologies Director Fred Halenar.

A computer from the police department contained the data, he said. Last year, the city donated 50 computers. Of those, five were donated to the Champaign Consortium, including the one in question.

Halenar said the concern was, "Even though we don't think (the personal information) was compromised, we still must take measures to see it doesn't happen again."

[...]
From george at georgetoft.com Tue May 1 23:25:41 2007
From: george at georgetoft.com (George Toft)
Date: Tue, 01 May 2007 16:25:41 -0700
Subject: [Dataloss] YouTube Shocker: Chase Bank Records Found In Trash
In-Reply-To:
References:
Message-ID: <4637CC75.1010809@georgetoft.com>

The URL for the video, since the news station did not include it:
http://www.youtube.com/watch?v=G_8xRnzQqME

George Toft, CISSP, MSIS
623-203-1760

Richard Forno wrote:
> YouTube Shocker: Chase Bank Records Found In Trash
> Video Exploits Security Lapses With Customer Info
>
> [...]
>
> http://wcbstv.com/topstories/local_story_121055435.html
From vhinderer at lexsi.com Wed May 2 12:38:15 2007
From: vhinderer at lexsi.com (HINDERER Vincent)
Date: Wed, 2 May 2007 14:38:15 +0200
Subject: [Dataloss] Astroglide exposes 250k onto Net
In-Reply-To: <4637CC75.1010809@georgetoft.com>
References: <4637CC75.1010809@georgetoft.com>
Message-ID:

Hi all,

Maybe I haven't looked carefully, but couldn't find the recent Astroglide data breach in Dataloss/Privacy Clearinghouse records:

See :
http://news.google.com/nwshp?ie=UTF-8&oe=UTF-8&hl=en&tab=wn&q=astroglide
or here for example
http://blog.wired.com/27bstroke6/2007/04/sex_lube_makers.html

(for French speaking folks:
http://cert.lexsi.com/weblog/index.php/2007/04/30/141-donnees-personnelles-glissantes )

----------------------------------------
Vincent HINDERER
----------------------------------------
CERT - LEXSI
http://cert.lexsi.com/weblog/

From lyger at attrition.org Wed May 2 15:10:37 2007
From: lyger at attrition.org (lyger)
Date: Wed, 2 May 2007 15:10:37 +0000 (UTC)
Subject: [Dataloss] Astroglide exposes 250k onto Net
In-Reply-To:
References: <4637CC75.1010809@georgetoft.com>
Message-ID:

The primary reason we chose not to list the Astroglide incident on Attrition's web page and database is because it appears that the only records exposed were customers' names and addresses. While some may argue that names and addresses are "personal information" (and while the exposure may be embarrassing to some people), for most people that information is publicly available through the White Pages (offline and online).
On Wed, 2 May 2007, HINDERER Vincent wrote:

": " Hi all,
": "
": " Maybe I haven't looked carefully, but couldn't find the recent
": " Astroglide data breach in Dataloss/Privacy Clearinghouse records:
": "
": " [...]

From lyger at attrition.org Wed May 2 21:44:53 2007
From: lyger at attrition.org (lyger)
Date: Wed, 2 May 2007 21:44:53 +0000 (UTC)
Subject: [Dataloss] UK: Hospital staff warned after theft
Message-ID:

http://www.channel4.com/news/articles/society/health/hospital+staff+warned+after+theft/491592

A computer containing the bank details of thousands of hospital staff has been stolen from an NHS building, it has been revealed.

The computer contains bank and personal information about staff at the Royal Cornwall Hospitals NHS Trust but does contain any patient records.

The details of around 5,000 employees who work at the trust's three sites - the Royal Cornwall Hospital in Truro, the West Cornwall Hospital in Penzance and St Michael's Hospital in Hayle - are understood to be on the database.

[...]

From lyger at attrition.org Wed May 2 22:08:37 2007
From: lyger at attrition.org (lyger)
Date: Wed, 2 May 2007 22:08:37 +0000 (UTC)
Subject: [Dataloss] Canada: Charges for document dump?
Message-ID:

http://www.winnipegfreepress.com/local/story/3955565p-4568048c.html

A McPhillips Street insurance company could face suspension as an MPI broker and possible legal charges after hundreds of customers' personal documents were discarded in a Dumpster last weekend.
Manitoba Public Insurance is investigating why Weston Travel and Insurance Agencies did not properly destroy car insurance applications, filled-out travel itineraries and forms containing credit card numbers, home insurance information and valid Manitoba licence plates.

MPI spokesman Brian Smiley said MPI has a clear confidentiality policy that requires all brokers to shred documents and protect client privacy before personal information is disposed of. He said MPI will review their disposal practices and Weston Travel and Insurance Agencies might have to suspend their business as a result.

[...]

From lyger at attrition.org Thu May 3 11:56:10 2007
From: lyger at attrition.org (lyger)
Date: Thu, 3 May 2007 11:56:10 +0000 (UTC)
Subject: [Dataloss] MD: DNR names, Social Security numbers are missing
Message-ID:

http://www.baltimoresun.com/news/local/bal-dnrstory0503,0,2665140.story?coll=bal-local-headlines

A thumb drive containing the names and Social Security numbers of about 1,400 past and present employees of the state Department of Natural Resources is missing and presumed lost.

The miniature computer storage device, used by an employee of the agency's Information Technology unit to take work home with him, was reported missing about a week ago, said Eric Schwaab, DNR deputy secretary.

Those whose information was lost -- primarily law enforcement officers -- were told of the security breach by telephone and were given written updates, Schwaab said.

[...]

From lyger at attrition.org Thu May 3 11:58:39 2007
From: lyger at attrition.org (lyger)
Date: Thu, 3 May 2007 11:58:39 +0000 (UTC)
Subject: [Dataloss] TX: Students' personal information posted on campus computers
Message-ID:

http://abclocal.go.com/ktrk/story?section=local&id=5268451

There is a warning for hundreds of students at Montgomery College. You may be at risk for identity theft. The discovery was made by students at the campus just outside of Conroe.
Students found a list of all graduating seniors on a computer drive that is publicly accessible on all campus computers. On that list of names was also personal and sensitive information, including social security numbers and addresses.

School officials say it was posted on the public shared drive accidentally by a new employee, who has now been disciplined.

[...]

From lyger at attrition.org Thu May 3 13:47:06 2007
From: lyger at attrition.org (lyger)
Date: Thu, 3 May 2007 13:47:06 +0000 (UTC)
Subject: [Dataloss] LA: Stolen laptop may hold ID numbers
Message-ID:

http://media.www.lsureveille.com/media/storage/paper868/news/2007/05/03/News/Stolen.Laptop.May.Hold.Id.Numbers-2892874.shtml

An Information Technology investigation has revealed that a laptop stolen from a faculty member's Baton Rouge home may contain personally identifiable information for about 750 University students.

But University officials released a notification letter to potentially affected students April 15 - more than 10 days after receiving news of the theft. The faculty member notified University officials April 4, but officials did not contact LSUPD.

The laptop is owned by the E.J. Ourso College of Business, and may have included students' Social Security numbers, full names and grades, according to a notification letter The Daily Reveille obtained Tuesday. The letter was signed by Brian Nichols, chief IT security and police officer, and Robert Sumichrast, dean of the E.J. Ourso College of Business.

[...]

From cwalsh at cwalsh.org Fri May 4 19:45:02 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 4 May 2007 14:45:02 -0500
Subject: [Dataloss] TJX in WSJ
In-Reply-To:
References:
Message-ID: <20070504194450.GA3980@cwalsh.org>

http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.html

Provides some detail on what may have happened.

From bkdelong at pobox.com Fri May 4 19:48:53 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 4 May 2007 15:48:53 -0400
Subject: [Dataloss] TJX in WSJ
In-Reply-To: <20070504194450.GA3980@cwalsh.org>
References: <20070504194450.GA3980@cwalsh.org>
Message-ID:

Have we heard if anyone was fired or resigned as a result of the incident and subsequent legal action? It will be fascinating to watch the wireless security market after this disclosure.

On 5/4/07, Chris Walsh wrote:
>
> http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.html
>
> Provides some detail on what may have happened.

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From jericho at attrition.org Sat May 5 05:57:22 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 5 May 2007 05:57:22 +0000 (UTC)
Subject: [Dataloss] TSA Hard Drive With Employee Data Is Reported Stolen
Message-ID:

---------- Forwarded message ----------
From: Richard M. Smith

http://www.washingtonpost.com/wp-dyn/content/article/2007/05/04/AR2007050402152_pf.html

TSA Hard Drive With Employee Data Is Reported Stolen
By Spencer S. Hsu
Washington Post Staff Writer
Saturday, May 5, 2007; A09

The FBI and the Secret Service have opened a criminal investigation into the apparent theft of a computer hard drive containing personal, payroll and bank information of 100,000 current and former workers with the Transportation Security Administration, including airport security officers and federal air marshals, the TSA said yesterday.

In a written statement released after business hours, the TSA said it learned Thursday that the drive was missing from a secure area of its human resources office at its Crystal City headquarters. The TSA employs about 50,000 people, including 43,000 airport guards and thousands of air marshals, who are federal law enforcement officers.

A TSA spokesman said the loss occurred in recent days and will not pose a significant risk of security breaches in sensitive areas patrolled by workers at airports, ports and rail yards. Access to such areas requires additional credentials that use unique physical identifiers such as fingerprints, said the official, who spoke on the condition of anonymity to discuss security protocols.

The hard drive, which contained payroll data from January 2002 to August 2005, included employee names, Social Security numbers, birth dates, and bank account and routing information.

The TSA began notifying employees of the loss at the close of business yesterday "out of an abundance of caution," offering free credit-monitoring services and advising workers to alert their financial institutions.

"TSA has no evidence that an unauthorized individual is using your personal information, but we bring this incident to your attention so that you can be alert to signs of any possible misuse of your identity," stated the letter, signed by TSA Administrator Kip Hawley. "We apologize that your information may be subject to unauthorized access, and I deeply regret this incident."
The episode is the latest high-profile data theft to strike the government or the private sector, although its impact on a domestic security agency with law enforcement responsibilities may pose added risks. CardSystems Solutions and the owner of retail chains T.J. Maxx and Marshalls have disclosed large breaches of credit card information on millions of consumers. The Department of Veterans Affairs lost a laptop last year with information for more than 26.5 million military personnel, although it was recovered with no evidence of copying. Since 2003, 19 federal agencies have reported 788 incidents of data theft or loss, affecting thousands of employees and the public.

Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee, said he was briefed by the department, adding, "For an agency suffering from morale problems, this is a terrible and unfortunate blow."

The panel will probably hold hearings, said Rep. Sheila Jackson-Lee (D-Tex.), who chairs a subcommittee overseeing the TSA. "This organization responsible for the nation's security has had a massive security breach. Whether it is known what the breach was or how it occurred, it did occur and this raises enormous concerns," Lee said. "We will be in a posture of quickly looking for answers."

From lyger at attrition.org Sat May 5 15:07:15 2007
From: lyger at attrition.org (lyger)
Date: Sat, 5 May 2007 15:07:15 +0000 (UTC)
Subject: [Dataloss] UK: Laptop theft risk to M&S staff IDs
Message-ID:

http://www.channel4.com/news/articles/uk/laptop+theft+risk+to+ms+staff+ids/499687

More than 20,000 staff at Marks & Spencer have been told they may be at risk of identity crime after a laptop computer was stolen, it has been reported.

The retailer has written to 26,000 present employees in its final salary pension scheme warning they are at risk if the data is accessed by criminals.
BBC Radio 4 said salary details, addresses, dates of birth, national insurance and phone numbers were on the machine, which was stolen from a printing firm.

From macwheel99 at sigecom.net Sun May 6 01:24:43 2007
From: macwheel99 at sigecom.net (Al Mac)
Date: Sat, 05 May 2007 20:24:43 -0500
Subject: [Dataloss] OT? GAO: Data breach Notification; Lessons Learned
Message-ID: <6.2.1.2.1.20070505202028.042de320@mail.sigecom.net>

An HTML attachment was scrubbed...

From jericho at attrition.org Sun May 6 17:43:47 2007
From: jericho at attrition.org (jericho at attrition.org)
Date: Sun, 6 May 2007 19:43:47 +0200
Subject: [Dataloss] ilhknaxunamaafyb
Message-ID: <20070506174720.E92C2859B3@forced.attrition.org>

The message could not be delivered

-------------- next part --------------
A non-text attachment was scrubbed...
Name: document.zip
Type: application/octet-stream
Size: 29076 bytes
Desc: not available

From jericho at attrition.org Sun May 6 18:43:04 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 6 May 2007 18:43:04 +0000 (UTC)
Subject: [Dataloss] Apologies for the last mail..
Message-ID:

The latest wave of worm laden mail that spoofs addresses managed to catch a jericho@ -> dataloss@ trust relationship which let an attachment go out to the list. This happened a few years back on ISN and we have removed all list addresses from being able to post w/o approval.

From phystarus19 at earthlink.net Mon May 7 13:07:46 2007
From: phystarus19 at earthlink.net (richard titus)
Date: Mon, 7 May 2007 09:07:46 -0400
Subject: [Dataloss] OT? GAO: Data breach Notification; Lessons Learned
Message-ID: <380-2200751713746966@earthlink.net>

The current push to allow Federal employees to work from home or from remote locations clearly needs to be reexamined for its data security implications.

richard

----- Original Message -----
From: Al Mac
To: Data Loss Incidents
Sent: 5/5/2007 11:22:15 PM
Subject: [Dataloss] OT? GAO: Data breach Notification; Lessons Learned

I predict, that in the future, some of these lessons may be learned again.

Privacy: Lessons Learned about Data Breach Notification. GAO-07-657, April 30.

Much of this concerns internal prompt notification, like to law enforcement and within organizational hierarchy, getting correct names & addresses of who to notify and other legal complications.

The GAO report includes a summary of data breach incidents at 6 gov agencies (Depts of Agriculture, Defense, Education, Health+Human services, Transportation and Veteran's Administration) ... any here we did not already know about?

* 2006 Jan Farm Services FOIA contractor oops on 80,000 tobacco producers
* 2006 Mar Navy Marine Corps thumb drive lost 207,570 individuals
* 2006 May VA employee home burglarized affecting 26.5 million
* 2006 June National Student Loan CD lost in transit on 13,756 individuals
* 2006 June HHS contractor employee laptop stolen 49,572 Medicare beneficiaries
* 2006 Dec DoT laptop stolen from car parked in FL 133,000 commercial drivers & FAA pilot licensees

http://www.gao.gov/cgi-bin/getrpt?GAO-07-657
Highlights - http://www.gao.gov/highlights/d07657high.pdf

GAO conclusions specifically on VA data breaches.
http://www.gao.gov/highlights/d07532thigh.pdf

From lyger at attrition.org Mon May 7 16:03:21 2007
From: lyger at attrition.org (lyger)
Date: Mon, 7 May 2007 16:03:21 +0000 (UTC)
Subject: [Dataloss] Indiana: State site may have accidentally released Social Security numbers
Message-ID:

http://www.southbendtribune.com/apps/pbcs.dll/article?AID=/20070507/News01/70507025

The state Department of Administration may have inadvertently disclosed the Social Security numbers of dozens of people involved with women- or minority-owned businesses, officials said today.

A Department of Administration employee was uploading a list of certified women or minority business enterprises to the department's Web site near the end of the working day last Wednesday, said Anthony Green, deputy commissioner and general counsel.

The employee inadvertently also put the tax identification numbers of the businesses online, a mistake that was noticed by another employee and corrected Thursday morning.

Some businesses and sole proprietorships use the owner's Social Security number as a tax ID, so the department sent out letters warning people that their Social Security number may have been seen online during the period of about 12 hours, Green said.

[...]

From macwheel99 at sigecom.net Mon May 7 15:49:36 2007
From: macwheel99 at sigecom.net (Al Mac)
Date: Mon, 07 May 2007 10:49:36 -0500
Subject: [Dataloss] OT? GAO: Data breach Notification; Lessons Learned
In-Reply-To: <380-2200751713746966@earthlink.net>
References: <380-2200751713746966@earthlink.net>
Message-ID: <6.2.1.2.1.20070507102235.03dcf9f0@mail.sigecom.net>

An HTML attachment was scrubbed...

From lyger at attrition.org Tue May 8 03:47:43 2007
From: lyger at attrition.org (lyger)
Date: Tue, 8 May 2007 03:47:43 +0000 (UTC)
Subject: [Dataloss] OT: Woman, 83, allegedly made to smoke crack in return for personal information
Message-ID:

(while this is admittedly off-topic for the general purpose of this list, we at attrition.org certainly hope that this "attack vector" doesn't become more common on a widespread scale...)

http://www.theolympian.com/131/story/99999.html

A woman forced an 83-year-old housemate to smoke crack cocaine so she could steal personal information to get a credit card in her name and run up more than $3,000 in charges, authorities said.

Pasco County sheriff's investigators have accused Theresa M. Stanley-Morgan, 41, of getting the older woman to smoke the drug at least twice to make it easier to exploit her financially.

Stanley-Morgan was arrested April 28. She admitted to investigators that she used Shirley Hathaway's name, birth date and Social Security number to open the account, a sheriff's report said.

[...]

From hbrown at knology.net Tue May 8 10:47:34 2007
From: hbrown at knology.net (Henry Brown)
Date: Tue, 08 May 2007 05:47:34 -0500
Subject: [Dataloss] Computer tapes missing for 2 weeks
Message-ID: <46405546.7040802@knology.net>

http://www.chron.com/disp/story.mpl/front/4783956.html

Vendor misplaces tapes with sensitive state data

AUSTIN - Computer tapes from a state agency that contain millions of records with sensitive personal data, including Social Security numbers and wages, were missing for more than two weeks before being found Monday by a private vendor.

The 14 missing tapes contain employment information that is used to verify Medicaid claims to ensure that the clients aren't covered by private insurance. While the information was not compromised, the episode exposed serious flaws in the way contractors handle the data.
Officials with the Health and Human Services Commission weren't notified that the records were missing for more than a week after the box should have arrived at the vendor's office. State officials promised to institute new procedures, including a way to track shipments handled by couriers. "We want to be able to track those records at every point in the process," said Stephanie Goodman, an HHSC spokeswoman. The data was not encrypted, but Goodman said it would have been extremely difficult for someone to access the 9 million records on the tapes without appropriate knowledge of the computer code. Goodman said she did not know exactly how many Social Security numbers are in the records. ... From lyger at attrition.org Tue May 8 16:28:57 2007 From: lyger at attrition.org (lyger) Date: Tue, 8 May 2007 16:28:57 +0000 (UTC) Subject: [Dataloss] Missouri: MU computer attack leaves 22,000 vulnerable Message-ID: http://www.columbiatribune.com/2007/May/20070507News054.asp A recent attack on the University of Missouri system computer database allowed an unknown hacker, or several hackers, to retrieve 22,396 names and Social Security numbers of individuals associated with the university. The people affected by the security breach are employees of any campus in the UM system during the 2004 calendar year who were also current or former students at the Columbia campus. The hacker accessed the information through a Web page used to make queries about the status of trouble reports to the information technology help desk, based in Columbia. [...] From macwheel99 at sigecom.net Tue May 8 15:48:21 2007 From: macwheel99 at sigecom.net (Al Mac) Date: Tue, 08 May 2007 10:48:21 -0500 Subject: [Dataloss] OT? PCI Education Steak & Shake Message-ID: <6.2.1.2.1.20070508103436.02f530a0@mail.sigecom.net> OT because we have no info on any cyber security incident, but of interest what is considered to be state-of-art when it comes to preventing certain kinds of incidents. 
Steak & Shake restaurant chain has had to beef up its computer security because a rapid increase in their credit card transaction volume has taken them to more stingent tiers of PCI standards. The article shows us what hoops the chain had to jump through to meet the standards. What we do not see here is a perspective on security rules enforcement to avoid more incidents like TJX. There are also some statements in the article that I would take issue with. They imply stronger security than my understanding of reality. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=291415&source=rss_topic17 From macwheel99 at sigecom.net Tue May 8 04:07:53 2007 From: macwheel99 at sigecom.net (Al Mac) Date: Mon, 07 May 2007 23:07:53 -0500 Subject: [Dataloss] OT? US Gov cyber insecurity incidents Message-ID: <6.2.1.2.1.20070507222415.02a14d60@mail.sigecom.net> Here's the report card (PDF) that The House Committee on Oversight and Government Reform issues each year on cyber security at various government agencies. http://republicans.oversight.house.gov/Media/PDFs/FY06FISMA.pdf In the wake of the VA incident, The House Committee on Oversight and Government Reform asked all federal agencies for details on any other incidents involving loss of personal sensitive information. They learned about 788 incidents Jan 2003-July 2006. By my math, that's more than one every other day on average. I saw an article about this & went hunting for original source (url below). Well looks like this data was gathered about a year ago, but then in some cases more info came out that showed the data was incomplete. Every federal angency has computer security breaches. They do not always know what data has been lost. The vast majority of the breaches are the loss of hardware, such as theft of laptops. Many of the breaches are by private contractors. 
Dept of Agriculture 8 incidents Dept of Commerce 297 incidents Dept of Defence 43 incidents Dept of Education 41 incidents Dept of Energy 7 incidents Dept of Health & Human Services 24 incidents Dept of Homeland Security 6 incidents but the committee continues to ask hard questions http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=36&rss=Y#sID202 Dept of Housing and Urban Development 1 incident Dept of Interior 8 incidents Dept of Justice 2 incidents Dept of Labor 3 incidents Dept of State 1 incident but got grade F for cyber security from House Commitee on Oversight etc. http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1251763,00.html Dept of Transportation 1 incident ... a subsequent FOIA inquiry found out a ton of other incidents Dept of Treasury 340 incidents Dept of Veteran Affairs ... hundreds of incidents Office of Personnel Management 3 incidents Social Security Administration 3 incidents example incidents are given on each agency http://209.85.165.104/search?q=cache:etHfNZnxgEUJ:oversight.house.gov/Documents/20061013145352-82231.pdf+Oversight+Reform+compromise+sensitive&hl=en&ct=clnk&cd=2&gl=us Systemic failure at the White House protecting classified information.. http://oversight.house.gov/story.asp?ID=1264 From Matt.Kehoe at sephora.com Tue May 8 19:51:45 2007 From: Matt.Kehoe at sephora.com (Kehoe, Matt) Date: Tue, 8 May 2007 12:51:45 -0700 Subject: [Dataloss] OT? PCI Education Steak & Shake In-Reply-To: <6.2.1.2.1.20070508103436.02f530a0@mail.sigecom.net> References: <6.2.1.2.1.20070508103436.02f530a0@mail.sigecom.net> Message-ID: Having just gone through this, the biggest gotcha is that tier 1 retailers need a "3rd party assessment" which means you cant just execute compliance from within.... PCI standards still leave much to be desired, but it's a good step forward for retailing in general... 
-----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Al Mac Sent: Tuesday, May 08, 2007 8:48 AM To: Data Loss Incidents Subject: [Dataloss] OT? PCI Education Steak & Shake OT because we have no info on any cyber security incident, but of interest what is considered to be state-of-art when it comes to preventing certain kinds of incidents. Steak & Shake restaurant chain has had to beef up its computer security because a rapid increase in their credit card transaction volume has taken them to more stingent tiers of PCI standards. The article shows us what hoops the chain had to jump through to meet the standards. What we do not see here is a perspective on security rules enforcement to avoid more incidents like TJX. There are also some statements in the article that I would take issue with. They imply stronger security than my understanding of reality. http://www.computerworld.com/action/article.do?command=viewArticleBasic& articleId=291415&source=rss_topic17 _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 207 million compromised records in 649 incidents over 7 years. From blitz at strikenet.kicks-ass.net Tue May 8 20:32:44 2007 From: blitz at strikenet.kicks-ass.net (blitz) Date: Tue, 08 May 2007 16:32:44 -0400 Subject: [Dataloss] OT? PCI Education Steak & Shake In-Reply-To: References: <6.2.1.2.1.20070508103436.02f530a0@mail.sigecom.net> Message-ID: <4640DE6C.70808@strikenet.kicks-ass.net> Only a fool would let the fox guard the hen house...YES, there most certainly needs to be third party oversight. Just like the SEC watches the stock market, */AND/* with similar powers of enforcement. Kehoe, Matt wrote: > Having just gone through this, the biggest gotcha is that tier 1 > retailers need a "3rd party assessment" which means you cant just > execute compliance from within.... 
> > PCI standards still leave much to be desired, but it's a good step > forward for retailing in general... > > -----Original Message----- > From: dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] On Behalf Of Al Mac > Sent: Tuesday, May 08, 2007 8:48 AM > To: Data Loss Incidents > Subject: [Dataloss] OT? PCI Education Steak & Shake > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20070508/17363849/attachment.html From garrison.clint at gmail.com Tue May 8 20:42:36 2007 From: garrison.clint at gmail.com (Clint P. Garrison MBA, CISSP, QSA) Date: Tue, 8 May 2007 15:42:36 -0500 Subject: [Dataloss] OT? PCI Education Steak & Shake In-Reply-To: References: <6.2.1.2.1.20070508103436.02f530a0@mail.sigecom.net> Message-ID: <32caad8c0705081342i5aa53b4dqa8f34d5d76266c70@mail.gmail.com> Actually that is not correct... Visa and AmEx allows Level 1 merchants' internal auditors perform the PCI assessment, but a company officer has to sign off on it. Mastercards' Level 1 merchants have to have a QSA perform the assessment. If you are referring to the quarterly (external) scans, you would be correct. They have to be done by an ASV. Clint P. Garrison On 5/8/07, Kehoe, Matt wrote: > Having just gone through this, the biggest gotcha is that tier 1 > retailers need a "3rd party assessment" which means you cant just > execute compliance from within.... > > PCI standards still leave much to be desired, but it's a good step > forward for retailing in general... > > -----Original Message----- > From: dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] On Behalf Of Al Mac > Sent: Tuesday, May 08, 2007 8:48 AM > To: Data Loss Incidents > Subject: [Dataloss] OT? 
PCI Education Steak & Shake > > OT because we have no info on any cyber security incident, but of > interest what is considered to be state-of-art when it comes to > preventing certain kinds of incidents. > > Steak & Shake restaurant chain has had to beef up its computer security > because a rapid increase in their credit card transaction volume has > taken them to more stingent tiers of PCI standards. The article shows > us what hoops the chain had to jump through to meet the standards. > > What we do not see here is a perspective on security rules enforcement > to avoid more incidents like TJX. There are also some statements in the > article that I would take issue with. They imply stronger security than > my understanding of reality. > > http://www.computerworld.com/action/article.do?command=viewArticleBasic& > articleId=291415&source=rss_topic17 > > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss Tracking more than 207 million compromised > records in 649 incidents over 7 years. > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 207 million compromised records in 649 incidents over 7 years. > From lyger at attrition.org Wed May 9 00:58:09 2007 From: lyger at attrition.org (lyger) Date: Wed, 9 May 2007 00:58:09 +0000 (UTC) Subject: [Dataloss] UK: Standard Life customers are hit by breach in security Message-ID: (good thing they didn't have only 600 customers... a 50% impact rate would have looked a lot worse in the media...) http://news.scotsman.com/uk.cfm?id=716812007 STANDARD Life has admitted that up to 300 customers may have been affected by a security breach in which personal information was sent to others by mistake. The blunder, described as a "one-off error" in its information systems, caused some customers to receive policy documents meant for others. 
It is the latest in a series of data protection breaches by big companies. [...] "Less than 0.2 per cent of our valued investors have been impacted by this. We have acted swiftly to make investors aware of the error." A letter explaining the error was sent to hundreds of customers over the weekend. It is thought to have affected people recently applying for new ISA policies and the data included names, addresses and policy numbers but not personal financial information, such as income or tax codes. [...] From adam at homeport.org Wed May 9 01:29:10 2007 From: adam at homeport.org (Adam Shostack) Date: Tue, 8 May 2007 21:29:10 -0400 Subject: [Dataloss] UK: Standard Life customers are hit by breach in security In-Reply-To: References: Message-ID: <20070509012910.GA631@homeport.org> They're just doing this so that their demands for more personal information don't seem so scary. Adam On Wed, May 09, 2007 at 12:58:09AM +0000, lyger wrote: | | (good thing they didn't have only 600 customers... a 50% impact rate would | have looked a lot worse in the media...) | | http://news.scotsman.com/uk.cfm?id=716812007 | | STANDARD Life has admitted that up to 300 customers may have been affected | by a security breach in which personal information was sent to others by | mistake. | | The blunder, described as a "one-off error" in its information systems, | caused some customers to receive policy documents meant for others. It is | the latest in a series of data protection breaches by big companies. | | [...] | | "Less than 0.2 per cent of our valued investors have been impacted by | this. We have acted swiftly to make investors aware of the error." | | A letter explaining the error was sent to hundreds of customers over the | weekend. | | It is thought to have affected people recently applying for new ISA | policies and the data included names, addresses and policy numbers but not | personal financial information, such as income or tax codes. | | [...] 
| _______________________________________________ | Dataloss Mailing List (dataloss at attrition.org) | http://attrition.org/dataloss | Tracking more than 207 million compromised records in 649 incidents over 7 years. From adam at homeport.org Wed May 9 01:39:18 2007 From: adam at homeport.org (Adam Shostack) Date: Tue, 8 May 2007 21:39:18 -0400 Subject: [Dataloss] UK: Standard Life customers are hit by breach in security In-Reply-To: <20070509012910.GA631@homeport.org> References: <20070509012910.GA631@homeport.org> Message-ID: <20070509013918.GA1024@homeport.org> (That's really strange--I was trying to reply to the Linden labs message. Context: http://blog.secondlife.com/2007/05/04/age-and-indentity-verification-in-second-life/ and http://blog.secondlife.com/2007/05/07/more-on-identity-verification/ On Tue, May 08, 2007 at 09:29:10PM -0400, Adam Shostack wrote: | They're just doing this so that their demands for more personal | information don't seem so scary. | | Adam | | | On Wed, May 09, 2007 at 12:58:09AM +0000, lyger wrote: | | | | (good thing they didn't have only 600 customers... a 50% impact rate would | | have looked a lot worse in the media...) | | | | http://news.scotsman.com/uk.cfm?id=716812007 | | | | STANDARD Life has admitted that up to 300 customers may have been affected | | by a security breach in which personal information was sent to others by | | mistake. | | | | The blunder, described as a "one-off error" in its information systems, | | caused some customers to receive policy documents meant for others. It is | | the latest in a series of data protection breaches by big companies. | | | | [...] | | | | "Less than 0.2 per cent of our valued investors have been impacted by | | this. We have acted swiftly to make investors aware of the error." | | | | A letter explaining the error was sent to hundreds of customers over the | | weekend. 
| | | | It is thought to have affected people recently applying for new ISA | | policies and the data included names, addresses and policy numbers but not | | personal financial information, such as income or tax codes. | | | | [...] | | _______________________________________________ | | Dataloss Mailing List (dataloss at attrition.org) | | http://attrition.org/dataloss | | Tracking more than 207 million compromised records in 649 incidents over 7 years. | _______________________________________________ | Dataloss Mailing List (dataloss at attrition.org) | http://attrition.org/dataloss | Tracking more than 207 million compromised records in 649 incidents over 7 years. From ADAIL at sunocoinc.com Wed May 9 14:34:55 2007 From: ADAIL at sunocoinc.com (DAIL, ANDY) Date: Wed, 9 May 2007 10:34:55 -0400 Subject: [Dataloss] OT? PCI Education Steak & Shake In-Reply-To: <32caad8c0705081342i5aa53b4dqa8f34d5d76266c70@mail.gmail.com> Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8E02499B79@mds3aex0e.USISUNOCOINC.com> Visa, in their letter announcing the PCI Advisory board formation, determined that all auditors who perform on-site audits must be a QSA. http://usa.visa.com/merchants/risk_management/cisp_assessors.html. The authorization for internal auditors to perform the task was under the old CISP program (pre-PCI 1.0). The assertion may still hold true, but if a Level 1 does a self-assessment and then suffers a breach, Visa would likely invalidate their audit and fine them heavily. Of course, almost no company accepts only Visa, and not MasterCard, so it's probably moot. -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Clint P. Garrison MBA, CISSP, QSA Sent: Tuesday, May 08, 2007 3:43 PM To: Kehoe, Matt Cc: Data Loss Incidents Subject: Re: [Dataloss] OT? PCI Education Steak & Shake Actually that is not correct... 
Visa and AmEx allows Level 1 merchants' internal auditors perform the PCI assessment, but a company officer has to sign off on it. Mastercards' Level 1 merchants have to have a QSA perform the assessment. If you are referring to the quarterly (external) scans, you would be correct. They have to be done by an ASV. Clint P. Garrison On 5/8/07, Kehoe, Matt wrote: > Having just gone through this, the biggest gotcha is that tier 1 > retailers need a "3rd party assessment" which means you cant just > execute compliance from within.... > > PCI standards still leave much to be desired, but it's a good step > forward for retailing in general... > > -----Original Message----- > From: dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] On Behalf Of Al Mac > Sent: Tuesday, May 08, 2007 8:48 AM > To: Data Loss Incidents > Subject: [Dataloss] OT? PCI Education Steak & Shake > > OT because we have no info on any cyber security incident, but of > interest what is considered to be state-of-art when it comes to > preventing certain kinds of incidents. > > Steak & Shake restaurant chain has had to beef up its computer > security because a rapid increase in their credit card transaction > volume has taken them to more stingent tiers of PCI standards. The > article shows us what hoops the chain had to jump through to meet the > standards. > > What we do not see here is a perspective on security rules enforcement > to avoid more incidents like TJX. There are also some statements in > the article that I would take issue with. They imply stronger > security than my understanding of reality. > > http://www.computerworld.com/action/article.do?command=viewArticleBasi > c& > articleId=291415&source=rss_topic17 > > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss Tracking more than 207 million > compromised records in 649 incidents over 7 years. 
> _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss Tracking more than 207 million > compromised records in 649 incidents over 7 years. > _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tracking more than 207 million compromised records in 649 incidents over 7 years. This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments. From lyger at attrition.org Wed May 9 14:56:03 2007 From: lyger at attrition.org (lyger) Date: Wed, 9 May 2007 14:56:03 +0000 (UTC) Subject: [Dataloss] UK: Laptop containing Southend children's social services case notes bought on eBay Message-ID: http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=2950 Southend-on-Sea borough council is reviewing its procedures after a laptop computer containing social services case notes on local children turned up on the eBay auction website. The council disposes of its used computers through not-for-profit organisation Revitalise, which employs disabled people who work with IT technicians to recondition used computer equipment for cheap resale to schools and voluntary groups. A council spokesperson said the laptop had .gone missing. from Revitalise, but the council had not been aware of the loss until the individual who bought the machine on eBay found the social services information and reported the matter to the council. The data found on the machine is understood to include fostering, adoption and child protection information dating from between 1999 and 2003. [...] 
From hbrown at knology.net Thu May 10 10:11:45 2007 From: hbrown at knology.net (Henry Brown) Date: Thu, 10 May 2007 05:11:45 -0500 Subject: [Dataloss] 10,000 accounts "hijacked" Message-ID: <4642EFE1.6030206@knology.net> From Stockholm Sweden http://www.thelocal.se/7245/20070509/ Fraudsters hijack SEB credit cards Credit and debit card numbers belonging to at least 10,000 SEB customers could have been hijacked by fraudsters, the bank has admitted. "Other banks are hit by this too," bank spokeswoman Kerstin Ottosson said. Eurocard announced on Tuesday that 1,000 customers were hit by a similar fraud attempt. SEB received the first indications that something was amiss about ten days ago. The bank says that hackers broke into a national computer system handling card payments for shops, hotels and other retailers. Ottosson said that card information should never be stored by payment systems, but said in this case it had been. "That's a criminal act, pure and simple," she said. The card numbers allowed the frausters to buy goods over the internet and to forge new cards. "We've seen customers already hit by such thefts. A normal customer can't protect themselves against this. But our customers will not lose out financially," she said. All SEB customers whose card numbers might have come into the wrong hands will receive a letter from the bank asking them to block the card and order a new one. From lyger at attrition.org Thu May 10 15:44:24 2007 From: lyger at attrition.org (lyger) Date: Thu, 10 May 2007 15:44:24 +0000 (UTC) Subject: [Dataloss] NY: Highland Hospital Security Breach Message-ID: http://www.13wham.com/news/local/story.aspx?content_id=d70aed97-d001-4e3f-990d-50f9d8e32769 Highland Hospital is warning its patients of a security breach. A hospital spokesperson told us two computers containing patient information were stolen from one of its business offices last month. Over 13,000 people are affected. 
The computers have been recovered and the hospital says there is no evidence that the theives got any personal information. [...] From lyger at attrition.org Sat May 12 01:56:10 2007 From: lyger at attrition.org (lyger) Date: Sat, 12 May 2007 01:56:10 +0000 (UTC) Subject: [Dataloss] CA: Personal data missing from UCI Medical Center Message-ID: http://www.ocregister.com/ocregister/homepage/abox/article_1690870.php Police are investigating the disappearance of medical files containing personal information for nearly 300 patients from UCI Medical Center, university officials said Thursday. About 1,600 file boxes stored in an off-site university warehouse were discovered missing in the last two months. The files are generally held in storage for seven years according to state law prior to being destroyed, officials said. The missing boxes represent about 2 percent of the hospital's records stored at the facility. Some of the files included patients' names, addresses, Social Security numbers and medical record numbers. University police were notified March 6 when the first boxes were discovered missing. [...] From lyger at attrition.org Sat May 12 05:58:54 2007 From: lyger at attrition.org (lyger) Date: Sat, 12 May 2007 05:58:54 +0000 (UTC) Subject: [Dataloss] IN: College reports computer security breach Message-ID: http://www.goshennews.com/local/local_story_132001116.html >From May 5 to 7, a Goshen College computer was remotely accessed by a "hacker" with the suspected motivation of using the system to send spam e-mails, Goshen College officials said Friday. The improper access involved a database containing information on about 7,300 current or prospective students, from fall 2003 to the present, as well as some of their parents. The breach of the college's computer security systems may have allowed a hacker to view the names, addresses, birth dates, Social Security numbers and phone numbers of students and some information on some parents. [...] 
From lyger at attrition.org Sun May 13 06:52:56 2007 From: lyger at attrition.org (lyger) Date: Sun, 13 May 2007 06:52:56 +0000 (UTC) Subject: [Dataloss] UT: Data found on surplus computers Message-ID: http://deseretnews.com/dn/view/0,1249,660220231,00.html Utah State Auditor Auston Johnson conducted a "sting" operation a year ago that found important information - including Social Security and credit card numbers - on a handful of state surplus computers that were heading toward public sale. But Johnson decided to write what is known as "letter audits" to the seven state department heads on whose computers such sensitive information was found, instead of issuing a normal public audit, because Johnson didn't want to alert owners of state surplus computers that such sensitive information may be on their machines' hard drives. "We were not out for a big publicity splash, but to fix a problem," Johnson said Friday. "And we have high confidence that the problem has been fixed and that no state surplus computers have this information on them now." [...] From lyger at attrition.org Mon May 14 22:24:19 2007 From: lyger at attrition.org (lyger) Date: Mon, 14 May 2007 22:24:19 +0000 (UTC) Subject: [Dataloss] NV: CCSN Warns 200, 000 Students Their Info Possibly Stolen Message-ID: http://www.klas-tv.com/Global/story.asp?S=6512881 The Community College of Southern Nevada is warning nearly 200,000 current and past students that their names and social security numbers may have been stolen... months ago. CCSN president Richard Carter says it's not certain whether anything was actually stolen from the school's computer system, but he says a virus was detected in February. [...] 
From baforestal at earthlink.net Tue May 15 14:36:28 2007 From: baforestal at earthlink.net (Bruce Forestal) Date: Tue, 15 May 2007 09:36:28 -0500 Subject: [Dataloss] House of Representatives in Texas vote to include PCI Requirements in State Law - Pending State Senate Approval Message-ID: <4396B93F-A96E-4FC1-AB59-23C161C5C67E@earthlink.net> "The state's House of Representatives last week voted 139-0 in favor of a bill that would formally codify PCI requirements into a state law that merchants would be obliged to comply with if passed. Under HB 3222 a breached entity will have to reimburse banks and credit unions the cost associated with blocking and reissuing cards if the merchant was not PCI compliant at the time of the compromise. It also provides a safe harbor against such liability for companies who are PCI compliant and get breached. The proposal needs to win approval in the state Senate before it becomes law." "According to the language of the bill, "A business that, in the regular course of business, collects, maintains, or stores sensitive personal information in connection with an access device must comply with payment card industry data security standards." The bill would allow a financial institution in the state to request a breached entity to provide certification of its compliance with PCI specified controls. HB 3222 would require the certification to be issued by a PCI-approved auditor no earlier than 90-days before the breach." http://www.computerworld.com/action/article.do? command=viewArticleBasic&articleId=9019361&source=NLT_VVR&nlid=37 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20070515/f7cf3c17/attachment.html From lyger at attrition.org Tue May 15 17:28:04 2007 From: lyger at attrition.org (lyger) Date: Tue, 15 May 2007 17:28:04 +0000 (UTC) Subject: [Dataloss] New Data Loss Site: etiolated.org Message-ID: Courtesy David Shettler. 
List members are invited to visit the site and provide feedback. Data courtesy attrition.org's Data Loss Data Base - Open Source (DLDOS). http://www.etiolated.org/ Features: Full-text search of company names, event summaries, comments using a lucere port Main RSS feed Dynamic graphs on the main page HTML/CSS validates fine Users can add references, incident summaries, and comments (all searchable minus references) From dshettler at gmail.com Wed May 16 02:07:21 2007 From: dshettler at gmail.com (David Shettler) Date: Tue, 15 May 2007 22:07:21 -0400 Subject: [Dataloss] New Data Loss Site: etiolated.org In-Reply-To: References: Message-ID: <26fc42fe0705151907l339668cdwbe9ffea23ce28d33@mail.gmail.com> Feedback can be directed to me at this gmail address, or dave at etiolated.org There may be some bugs, as some have already discovered. Suggestions/Criticisms are rather welcome -- needed in fact. Dave www.etiolated.org On 5/15/07, lyger wrote: > > > Courtesy David Shettler. List members are invited to visit the site and > provide feedback. Data courtesy attrition.org's Data Loss Data Base - > Open Source (DLDOS). > > http://www.etiolated.org/ > > Features: > > Full-text search of company names, event summaries, comments using a > lucere > port > > Main RSS feed > > Dynamic graphs on the main page > > HTML/CSS validates fine > > Users can add references, incident summaries, and comments (all searchable > minus references) > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 208 million compromised records in 657 incidents over 7 > years. > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://attrition.org/pipermail/dataloss/attachments/20070515/1aeff95a/attachment.html From fergdawg at netzero.net Wed May 16 02:24:43 2007 From: fergdawg at netzero.net (Fergie) Date: Wed, 16 May 2007 02:24:43 GMT Subject: [Dataloss] New Data Loss Site: etiolated.org Message-ID: <20070515.192524.784.349311@webmail24.lax.untd.com> An embedded and charset-unspecified text was scrubbed... Name: not available Url: http://attrition.org/pipermail/dataloss/attachments/20070515/f2353b2f/attachment.ksh From lyger at attrition.org Wed May 16 11:59:44 2007 From: lyger at attrition.org (lyger) Date: Wed, 16 May 2007 11:59:44 +0000 (UTC) Subject: [Dataloss] IBM contractor loses employee data Message-ID: Courtesy Dave Shettler: http://www.infoworld.com/article/07/05/15/IBM-contractor-loses-employee-data_1.html An unnamed IBM vendor has lost tapes containing sensitive information on IBM employees, the computer maker confirmed Tuesday. The tapes went missing in transit from a contractor's vehicle on Feb. 23 near the intersection of Interstate 287 and 684 -- just a few miles south of IBM's Armonk, New York, headquarters, said IBM spokesman Fred McNeese. "We've investigated the incident and concluded that the tape loss was inadvertent." IBM has run an ad in the local newspaper -- the Westchester Journal News -- seeking help in retrieving the tapes but has been unable to recover them. "We don't know what happened to the tapes," McNeese said. [...] From lyger at attrition.org Wed May 16 23:08:49 2007 From: lyger at attrition.org (lyger) Date: Wed, 16 May 2007 23:08:49 +0000 (UTC) Subject: [Dataloss] IN: IPS student records compromised Message-ID: http://www.indystar.com/apps/pbcs.dll/article?AID=/20070516/LOCAL/70516042 Records for thousands of Indianapolis Public Schools students were accidentally posted to the Internet, exposing their grades, personal details and other confidential information to anyone surfing the Web. 
Within minutes of being told about the problem by a Star reporter, IPS officials began working to fix the problem and said by this afternoon the records had been protected. The district is investigating how the records were released.

[...]

From MKEVHILL at aol.com Thu May 17 01:43:32 2007
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Wed, 16 May 2007 21:43:32 EDT
Subject: [Dataloss] TX: Doctor/Dentist Office Caught Tossing Medical Records

http://www.woai.com/mostpopular/story.aspx?content_id=d0fe7166-c56c-4c01-a68e-b3c8dfbc474d

News Four WOAI Trouble Shooter Brian Collister exposed a doctor's office throwing away private medical information without shredding it. News 4's biggest concern is that so much personal information could easily fall into the hands of an identity thief.

The Henwood Family Medicine and Dentistry is on Guilbeau Rd and is run by Beverly Henwood, a physician, and Robbie Henwood, a dentist.

From dave at etiolated.org Thu May 17 02:31:46 2007
From: dave at etiolated.org (Dave)
Date: Wed, 16 May 2007 22:31:46 -0400
Subject: [Dataloss] GA: Security breach involves recent births - 140,000 notified
Message-ID: <26fc42fe0705161931k40a419ffhf1152eed2d266f70@mail.gmail.com>

http://www.ajc.com/metro/content/metro/stories/2007/05/16/0517meshrecords.html
http://health.state.ga.us/pdfs/message-20070514.pdf

by Gayle White
The Atlanta Journal-Constitution
Published on: 05/17/07

State officials are warning parents of 140,000 Georgia babies that a security lapse has exposed some of their personal and medical information to the risk of fraud.
The Georgia Department of Human Resources mailed letters Wednesday to all parents of infants born in Georgia between April 1, 2006, and March 16, 2007, saying that paper records containing their Social Security numbers and information about their medical histories were improperly discarded.

The records do not contain names or addresses, said Stuart Brown, director of the state's Division of Public Health. He said there is no evidence that information from the records has been used improperly.

[...]

From lyger at attrition.org Thu May 17 02:45:28 2007
From: lyger at attrition.org (lyger)
Date: Thu, 17 May 2007 02:45:28 +0000 (UTC)
Subject: [Dataloss] GA: Security breach involves recent births - 140,000 notified
In-Reply-To: <26fc42fe0705161931k40a419ffhf1152eed2d266f70@mail.gmail.com>
References: <26fc42fe0705161931k40a419ffhf1152eed2d266f70@mail.gmail.com>

And now for tonight's edition of "things that make you go 'hmm'..."

If the records didn't contain names or addresses, then how did the Georgia Department of Human Resources match up 140,000 medical records and SSNs of infants to their parents mailing addresses so quickly? And if it wasn't "quickly", then how long did they know about the breach before the notification process began?

Yes, I know... there's them new-fangled things called "computers". Am I missing something or might there be more to this than currently reported?

On Wed, 16 May 2007, Dave wrote:

": " http://www.ajc.com/metro/content/metro/stories/2007/05/16/0517meshrecords.html
": " http://health.state.ga.us/pdfs/message-20070514.pdf
": "
": " by Gayle White
": " The Atlanta Journal-Constitution
": " Published on: 05/17/07
": "
": " State officials are warning parents of 140,000 Georgia babies that a
": " security lapse has exposed some of their personal and medical
": " information to the risk of fraud.
": "
": " The Georgia Department of Human Resources mailed letters Wednesday to
": " all parents of infants born in Georgia between April 1, 2006, and
": " March 16, 2007, saying that paper records containing their Social
": " Security numbers and information about their medical histories were
": " improperly discarded.
": "
": " The records do not contain names or addresses, said Stuart Brown,
": " director of the state's Division of Public Health. He said there is
": " no evidence that information from the records has been used
": " improperly.
": "
": " [...]

From nekramer at mindtheater.net Thu May 17 06:43:39 2007
From: nekramer at mindtheater.net (Nancy Kramer)
Date: Thu, 17 May 2007 02:43:39 -0400
Subject: [Dataloss] GA: Security breach involves recent births - 140,000 notified
References: <26fc42fe0705161931k40a419ffhf1152eed2d266f70@mail.gmail.com>
Message-ID: <6.0.1.1.2.20070517024122.07a770f0@mail.mindtheater.net>

If they used SSN for the key to a file that contained parents name and address as well as the baby's SSN it wouldn't be very hard. One SQL query on the joined files and you would have the info.

Regards,

Nancy Kramer

At 10:45 PM 5/16/2007, lyger wrote:
>And now for tonight's edition of "things that make you go 'hmm'..."
>
>If the records didn't contain names or addresses, then how did the Georgia
>Department of Human Resources match up 140,000 medical records and SSNs of
>infants to their parents mailing addresses so quickly? And if it wasn't
>"quickly", then how long did they know about the breach before the
>notification process began?
>
>Yes, I know... there's them new-fangled things called "computers". Am I
>missing something or might there be more to this than currently reported?
>
>
>On Wed, 16 May 2007, Dave wrote:
>
>": " http://www.ajc.com/metro/content/metro/stories/2007/05/16/0517meshrecords.html
>": " http://health.state.ga.us/pdfs/message-20070514.pdf
>": "
>": " by Gayle White
>": " The Atlanta Journal-Constitution
>": " Published on: 05/17/07
>": "
>": " State officials are warning parents of 140,000 Georgia babies that a
>": " security lapse has exposed some of their personal and medical
>": " information to the risk of fraud.
>": "
>": " The Georgia Department of Human Resources mailed letters Wednesday to
>": " all parents of infants born in Georgia between April 1, 2006, and
>": " March 16, 2007, saying that paper records containing their Social
>": " Security numbers and information about their medical histories were
>": " improperly discarded.
>": "
>": " The records do not contain names or addresses, said Stuart Brown,
>": " director of the state's Division of Public Health. He said there is
>": " no evidence that information from the records has been used
>": " improperly.
>": "
>": " [...]
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss
>Tracking more than 208 million compromised records in 658 incidents over 7
>years.
From cwalsh at cwalsh.org Thu May 17 14:32:56 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 17 May 2007 09:32:56 -0500
Subject: [Dataloss] GA: Security breach involves recent births - 140,000 notified
In-Reply-To: <6.0.1.1.2.20070517024122.07a770f0@mail.mindtheater.net>
References: <6.0.1.1.2.20070517024122.07a770f0@mail.mindtheater.net>
Message-ID: <20070517143239.GA14094@cwalsh.org>

On Thu, May 17, 2007 at 02:43:39AM -0400, Nancy Kramer wrote:
> If they used SSN for the key to a file that contained parents name and
> address as well as the baby's SSN it wouldn't be very hard. One
> SQL query on the joined files and you would have the info.
>

No need to select on SSN. All babies w/in the interval were affected.

Select on birthday and notify the mother at the address she provided when she was admitted.

cw

From lyger at attrition.org Thu May 17 19:37:31 2007
From: lyger at attrition.org (lyger)
Date: Thu, 17 May 2007 19:37:31 +0000 (UTC)
Subject: [Dataloss] Report of laptop theft worries Detroit city workers

http://www.detnews.com/apps/pbcs.dll/article?AID=/20070517/METRO01/705170357/1006

Some city Water and Sewerage Department workers said they were concerned after reports were aired in a television report that a laptop containing personal information about city workers had been stolen.

However, George Ellenwood, a spokesman for the city Water and Sewerage Department, said he had not heard or seen any confirmation of a story that ran earlier in the day on WXYZ-TV (Channel 7).

Ellenwood said if any information would be released to employees it would come from the city's Human Resources Department.

[...]
From lyger at attrition.org Thu May 17 22:07:43 2007
From: lyger at attrition.org (lyger)
Date: Thu, 17 May 2007 22:07:43 +0000 (UTC)
Subject: [Dataloss] NJ: Alcatel-Lucent loses employee data

http://www.abcmoney.co.uk/news/17200773596.htm

Telecom and networking equipment maker Alcatel-Lucent said Thursday that a computer disk containing personal information about Lucent employees, retirees and their dependents was lost.

The disk was prepared by Hewitt Associates for delivery by UPS to Aon Corp., another vendor, and was lost or stolen some time between April 5 and May 3.

The disk included Lucent employees' names, addresses, Social Security numbers, birth dates and salary information.

[...]

From rwise29210 at gmail.com Fri May 18 07:44:17 2007
From: rwise29210 at gmail.com (rwise29210 at gmail.com)
Date: Fri, 18 May 2007 03:44:17 -0400
Subject: [Dataloss] GA: Security breach involves recent births - 140,000 notified
References: <6.0.1.1.2.20070517024122.07a770f0@mail.mindtheater.net> <20070517143239.GA14094@cwalsh.org>
Message-ID: <03f701c79920$583c79b0$6401a8c0@xp1>

I looked at the PDF. That is the lamest nonapology apology I have EVER seen! How can we publicize these events like this? People need to know that Georgia really doesn't care enough to even offer at least credit monitoring.

Rodney Wise

For New stories about ID Theft and Data Loss by Companies visit:
http://pplrwise.blogspot.com
See what is happening to your information

----- Original Message -----
From: "Chris Walsh"
To: "Nancy Kramer"
Cc:
Sent: Thursday, May 17, 2007 10:32 AM
Subject: Re: [Dataloss] GA: Security breach involves recent births - 140,000 notified

> On Thu, May 17, 2007 at 02:43:39AM -0400, Nancy Kramer wrote:
>> If they used SSN for the key to a file that contained parents name and
>> address as well as the baby's SSN it wouldn't be very hard. One
>> SQL query on the joined files and you would have the info.
>>
>
> No need to select on SSN.
> All babies w/in the interval were affected.
>
> Select on birthday and notify the mother at the address she provided when
> she was admitted.
>
>
> cw
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 208 million compromised records in 658 incidents over 7
> years.

From jericho at attrition.org Sat May 19 01:12:40 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 19 May 2007 01:12:40 +0000 (UTC)
Subject: [Dataloss] UK: Security Concerns Affect Web Visa Applications

---------- Forwarded message ----------
From: Fergie

[snip]

Online applications for some UK visas have been suspended amid claims a security loophole left personal data vulnerable to identity thieves, it was reported last night.

IT systems covering India, Russia and Nigeria were affected and up to 50,000 Indian travellers could have been exposed to having their personal details stolen.

Home addresses, dates of birth and passport numbers were all said to be accessible for more than a year, creating what the Tories said was a security breach open to being exploited by terrorists.

The Information Commissioner, the government's data privacy watchdog demanded a "full explanation" from the Foreign Office over the apparent breach - to which it was alerted a year ago.

[snip]

More: http://news.scotsman.com/uk.cfm?id=772752007

From lyger at attrition.org Sat May 19 03:18:31 2007
From: lyger at attrition.org (lyger)
Date: Sat, 19 May 2007 03:18:31 +0000 (UTC)
Subject: [Dataloss] TX: Thousands of police at risk

(Not sure about magnitude, pretty sure more details will be revealed over/after the weekend)

http://www.khou.com/news/local/crime/stories/khou070518_tj_copcomputer.81e7d778.html

Police tell us to guard our personal information closely. But it is the police who are now at risk. The trouble starts at the northwest side offices of Productivity Center.
On May 9, burglars hit the building and several others in the area. They took numerous desktop and laptop computers. One of the laptops contained the database of all Texas Law Enforcement Officers. Their Social Security numbers, birth dates, driver's license numbers, etc.

[...]

From lyger at attrition.org Sat May 19 19:02:41 2007
From: lyger at attrition.org (lyger)
Date: Sat, 19 May 2007 19:02:41 +0000 (UTC)
Subject: [Dataloss] AZ: Substitute teachers' Social Security numbers stolen in car break-in

http://www.yumasun.com/news/numbers_34114___article.html/jones_security.html

The Social Security numbers of 91 Yuma Elementary School District 1 substitute teachers were stolen May 7 when a district employee's car was broken into.

In addition to the car owner's purse and some personal items, a briefcase containing employee information reports was in the car when the break-in occurred, according to Kerry Jones, chief financial officer for District 1.

Jones said the reports detailed the payroll hours the 91 substitutes had worked during a two-week period. He said no money was taken and the reports did not list bank account numbers. However, he said the theft of the Social Security information was a cause for caution.

[...]

From lyger at attrition.org Sat May 19 19:04:50 2007
From: lyger at attrition.org (lyger)
Date: Sat, 19 May 2007 19:04:50 +0000 (UTC)
Subject: [Dataloss] NY: Personal Information of up to 90,000 Compromised at Stony Brook

http://www.sbindependent.org/node/1850

The personal information of 90,000 people in a Stony Brook University database was accidentally posted to Google and left there until it was discovered almost two weeks later.

According to a website set up by the university, Social Security numbers and university ID numbers of faculty, staff, students, alumni, and other members of the community were visible on Google after they were posted to a Health Sciences Library web server on April 11.

[...]
From lyger at attrition.org Sat May 19 19:22:49 2007
From: lyger at attrition.org (lyger)
Date: Sat, 19 May 2007 19:22:49 +0000 (UTC)
Subject: [Dataloss] IL: State computer security breached

http://www.sj-r.com/sections/news/stories/114739.asp

The state's professional-regulation department is notifying roughly 300,000 licensees and applicants that a computer server with some of their personal data was breached early this year, a spokeswoman for the agency said Friday.

Potentially at risk for identity theft are banking and real-estate professionals whose licensing information - including addresses, tax numbers and Social Security numbers - were kept on the storage server, said Sue Hofer, spokeswoman for the Illinois Department of Financial and Professional Regulation.

The individuals will receive letters advising them how to monitor their credit histories to determine if they have been victimized, she said, adding that it will take about a week to get all the letters out.

[...]

From cwalsh at cwalsh.org Sat May 19 23:13:50 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sat, 19 May 2007 18:13:50 -0500
Subject: [Dataloss] NY: Personal Information of up to 90,000 Compromised at Stony Brook
Message-ID: <3F30FE0C-7107-42A6-9133-CA2669BE95C0@cwalsh.org>

Not the first time this has hit SUNY (although not Stony Brook):

http://www.cwalsh.org/BreachInfo/primary_sources//pdfs/SUNY-20060221.pdf

On May 19, 2007, at 2:04 PM, lyger wrote:

>
> http://www.sbindependent.org/node/1850
>
> The personal information of 90,000 people in a Stony Brook University
> database was accidentally posted to Google left there until it was
> discovered almost two weeks later.
>
> According to a website set up by the university, Social Security
> numbers
> and university ID numbers of faculty, staff, students, alumni, and
> other
> members of the community were visible on Google after they were
> posted to
> a Health Sciences Library web server on April 11.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 208 million compromised records in 658 incidents
> over 7 years.

From lyger at attrition.org Sun May 20 11:50:12 2007
From: lyger at attrition.org (lyger)
Date: Sun, 20 May 2007 11:50:12 +0000 (UTC)
Subject: [Dataloss] IL: Stolen laptop contains NU alumni data

http://www.chicagotribune.com/news/local/chicago/chi-laptop_20may20,1,6443490.story?coll=chi-newslocalchicago-hed&ctrack=1&cset=true

A laptop computer belonging to Northwestern University's financial aid office in Chicago recently was stolen, and the Social Security numbers of some alumni may have been compromised, school officials said.

In a letter dated May 11, Associate Provost Michael E. Mills contacted an undisclosed number of potential victims, informing them one of the computer's files contained their names and Social Security numbers.

University spokesman Al Cubbage said on Saturday there is no evidence any of the personal information on the laptop has been accessed.

[...]

From d2d at attrition.org Mon May 21 18:31:07 2007
From: d2d at attrition.org (d2d)
Date: Mon, 21 May 2007 18:31:07 +0000 (UTC)
Subject: [Dataloss] NJ: Columbia Bank says online hackers breached security

http://www.northjersey.com/page.php?qstr=eXJpcnk3ZjczN2Y3dnFlZUVFeXkzJmZnYmVsN2Y3dnFlZUVFeXk3MTM4Njk2JnlyaXJ5N2Y3MTdmN3ZxZWVFRXl5Mg==

Columbia Bank, which has the largest share of deposits in Fair Lawn, has notified its online banking customers of a security breach that could make them vulnerable to identity theft.

A hacker or hackers gained access to customers' names and Social Security numbers. The intrusion affected all of our customers who have online banking, Chief Executive Officer Raymond G. Hallock said Monday in a phone conversation.

Account numbers and passwords were not accessed, Hallock said.

[...]
From bkdelong at pobox.com Mon May 21 18:48:39 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Mon, 21 May 2007 14:48:39 -0400
Subject: [Dataloss] NJ: Columbia Bank says online hackers breached security

On 5/21/07, d2d wrote:
>
> Account numbers and passwords were not accessed, Hallock said.
>

It affects all customers but none of this information was accessed. And how is that possible? Encrypted databases? NPI Obfuscation? Statements like these have the undertone of "just trust us...we know nothing happened".

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From d2d at attrition.org Tue May 22 12:40:15 2007
From: d2d at attrition.org (d2d)
Date: Tue, 22 May 2007 12:40:15 +0000 (UTC)
Subject: [Dataloss] PA: UPMC mailing exposes patients to identity theft risk

http://www.post-gazette.com/pg/07142/787898-28.stm

Another mishap at the University of Pittsburgh Medical Center involving Social Security numbers has exposed thousands of patients to the threat of identity theft.

The incident involves donor solicitation letters the medical center mailed to about 6,000 former patients on May 7. The mailing included donor response cards, most of which "inadvertently" contained a tracking code that included the recipient's Social Security number visible through the envelope window, spokesman Frank Raczkiewicz said.

UPMC said it believed the risk of identity theft was "very low" and knew of no theft or misuse of personal information tied to the mailing.

[...]
From d2d at attrition.org Tue May 22 18:08:37 2007
From: d2d at attrition.org (d2d)
Date: Tue, 22 May 2007 18:08:37 +0000 (UTC)
Subject: [Dataloss] CO: Computer Hacker Gains Access To CU Students' Personal Info

http://www.thedenverchannel.com/news/13366476/detail.html

The names and Social Security numbers of thousands of students at the University of Colorado Boulder have been exposed by a computer hacker, the university announced Tuesday.

A school official in Boulder says a computer worm attacked a computer server used by the College of Arts and Sciences. The hacker was then able to have access to the vital information for 45,000 students who were enrolled at CU Boulder from 2002 to the present.

IT security investigators said they do not believe the hacker who launched the worm was looking for personal data, but rather was attempting to take control of the machine to allow it to infiltrate other computers both on and off campus.

[...]

From jericho at attrition.org Tue May 22 22:01:06 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 22 May 2007 22:01:06 +0000 (UTC)
Subject: [Dataloss] NH federal judge over-rules privacy law - 1st Amendment protects reselling medical records.

Courtesy David Farber and the IP list:

---------- Forwarded message ----------
From: David Farber

Begin forwarded message:

From: Ethan Ackerman
Date: May 22, 2007 5:30:43 PM EDT
To: David Farber
Subject: NH federal judge over-rules privacy law - 1st Amendment protects reselling medical records.

Greetings Dave,

The New Hampshire Legislature recently enacted a law that bars pharmacies, insurance companies, and similar entities from transferring or using both patient-identifiable data and prescriber-identifiable data for certain commercial purposes. The law was enacted to protect patient privacy, prescriber privacy, and to prevent drug industry 'targeting' of doctors who prescribed generics.
It was promptly challenged by 2 data-mining companies who buy up prescription records from pharmacies and resell the info to drug manufacturers, and on April 30th was overturned by US District Court Judge Paul Barbadoro. Judge Barbadoro ruled that the data-miners had a 1st Amendment right to resell the prescription records and the State of New Hampshire violated that right in passing this law.

http://www.washingtonpost.com/wp-dyn/content/article/2007/05/21/AR2007052101701.html has a "big picture" treatment of the issue which mentions the case.

It also looks like the state plans to appeal - http://www.citizen.com/apps/pbcs.dll/article?AID=/20070504/NEWS0201/70504029/-1/CITIZEN

From fergdawg at netzero.net Wed May 23 05:01:39 2007
From: fergdawg at netzero.net (Fergie)
Date: Wed, 23 May 2007 05:01:39 GMT
Subject: [Dataloss] Worker mistakenly sends personal email database
Message-ID: <20070522.220235.15664.2960811@webmail32.lax.untd.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://attrition.org/pipermail/dataloss/attachments/20070523/879f5f76/attachment.ksh

From lyger at attrition.org Wed May 23 22:02:47 2007
From: lyger at attrition.org (lyger)
Date: Wed, 23 May 2007 22:02:47 +0000 (UTC)
Subject: [Dataloss] IL: Papers with personal info found in Check into Cash's trash

http://www.news-gazette.com/news/local/2007/05/23/papers_with_personal_info_found_in_check_into_cashs_trash

File boxes stuffed with documents containing the personal information of payday loan customers were found in a local trash bin Tuesday morning.

The trash bin off North Prospect Avenue contained documents from Check into Cash, a company that issues payday advance loans.

The bin, in an alley adjacent to the shopping center in which Check into Cash is located, contained boxes filled with hundreds of papers, such as consumer loan documents, account registers, collection notes, customer history reports and customer information sheets.
They included Social Security numbers, addresses, photocopies of driver's licenses and other personal information.

The News-Gazette confirmed the bin's contents on Tuesday morning after receiving a tip about the documents on Monday afternoon.

[...]

From lyger at attrition.org Thu May 24 18:24:08 2007
From: lyger at attrition.org (lyger)
Date: Thu, 24 May 2007 18:24:08 +0000 (UTC)
Subject: [Dataloss] TX: WISD officials investigating reported student hacking of district computers

http://www.wacotrib.com/news/content/news/stories/2007/05/23/05232007wacwisdhack.html

Waco Independent School District police are investigating whether sensitive student and staff personal information was compromised when two high school seniors recently hacked into the district's computer network.

Waco ISD spokesman Dale Caffey said district police have executed a search warrant and seized the seniors' personal computers and electronic storage devices.

He said it was not known whether the district's 15,400 students' and 2,000 employees' personal information was compromised, possibly leaving them vulnerable to identity theft. However, student Social Security numbers were on the server that was accessed by the hackers, he said.

[...]

From MKEVHILL at aol.com Thu May 24 18:28:28 2007
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Thu, 24 May 2007 14:28:28 EDT
Subject: [Dataloss] IN: MasterCard security breach bad news for some.

http://www.wthr.com/Global/story.asp?S=6555715&nav=9Tai

Indianapolis - MasterCard is warning its member banks about a rash of thefts from the bank accounts of card holders, some here in Central Indiana.

Kristin is good about checking her checking account. "I check the account online every day." And good thing. When she logged on Tuesday she found it had insufficient funds. "I was like, what's going on?" Kristin said.
Kristin has a MasterCard debit card and her bank, Sky Bank, blames a security breach.

From jericho at attrition.org Fri May 25 01:07:28 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 25 May 2007 01:07:28 +0000 (UTC)
Subject: [Dataloss] Perspective: Who says security breaches are small potatoes?

---------- Forwarded message ----------
From: InfoSec News

http://news.com.com/Who+says+security+breaches+are+small+potatoes/2010-1029_3-6185856.html

By Eric J. Sinrod
May 23, 2007

perspective - The impact of computer security breaches is not hypothetical. The financial consequences are real and can be immediate.

The economic cost of unauthorized computer intrusions is illustrated in the first-quarter earnings report posted by TJX Companies.

By way of background, TJX refers to itself as the leading off-price retailer of apparel and home fashions within the United States and globally. TJX operates 830 T.J. Maxx, 763 Marshalls, 271 HomeGoods, 127 A.J. Wright stores, and 35 Bob's Stores in the United States. TJX also states that it operates 185 Winners and 69 HomeSense stores in Canada, as well as 211 T.K. Maxx stores in Europe.

According to its first-quarter earnings report, TJX suffered unauthorized intrusions into portions of its computer systems that process and store information related to credit card, debit card, and check and "unreceipted" merchandise return transactions that were discovered during the fourth quarter of the prior fiscal year. TJX has been investigating the intrusions with the assistance of computer security and incident response experts.
Management believes customer information was stolen and that this information primarily relates to portions of transactions at its stores (not including Bob's Stores) from 2003 through part of 2004, and from mid- to late 2006.

The financial upshot is that TJX recorded an after-tax charge of approximately $12 million for costs incurred during the first quarter relating to the intrusions. That's in addition to an after-tax charge of approximately $3 million for costs recorded during the prior fourth quarter.

The charges include costs to investigate and contain the intrusions, as well as to strengthen computer security and systems. It also includes costs relating to communications with customers and for technical, legal and other related charges.

The company continues to experience ongoing costs related to the intrusions, but still cannot estimate a range or its potential exposure. Such costs and losses, it says, could wind up being material to TJX's results.

Without knowing whether TJX took adequate steps to try to prevent the intrusions before they occurred, there are obvious lessons here. Plainly, companies of all types should want to avoid the costs of investigations, customer communications, and technical, legal and monitoring costs--not to mention potential exposure for related losses--which arise from computer system breaches.

Thus, companies should educate themselves now, if they have not done so already, as to how best to strengthen their computer security. Breach prevention bears a cost. But that expense pales in comparison to what a company will spend after a breach takes place. Better to be penny-wise rather than pound-foolish, and companies would be smart on the front-end to take steps that prevent breaches from ever occurring.

-=-

Biography

Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual-property disputes.
To receive his weekly columns, send an e-mail to ejsinrod (at) duanemorris.com with "Subscribe" in the subject line. The views expressed in this column do not necessarily reflect those of Sinrod's law firm or its individual partners.

From jericho at attrition.org Fri May 25 06:22:36 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 25 May 2007 06:22:36 +0000 (UTC)
Subject: [Dataloss] followup: CO University of Colorado at Boulder

---------- Forwarded message ----------
From: InfoSec News
Subject: [ISN] University Blames Security Breach On Un-patched Symantec Bug

http://www.informationweek.com/news/showArticle.jhtml?articleID=199701978

By Sharon Gaudin
InformationWeek
May 24, 2007

The University of Colorado at Boulder said sensitive information on 44,998 students was exposed because a worm attacked the network through an un-patched bug in Symantec's anti-virus software.

A server in the university's College of Arts and Sciences' Academic Advising Center held the names and Social Security numbers of students enrolled at CU-Boulder from 2002 to the present, according to an online advisory.

On May 12, the university's IT security investigators discovered that the worm entered the server through the vulnerability, which the IT staff had failed to patch, the university reported. Investigators said they did not believe the hacker behind the worm was after the personal information, but instead was using the flaw as an entryway to other computers on the university network.

"The server's security settings were not properly configured and its sensitive data had not been fully protected," said Bobby Schnabel, CU-Boulder vice provost for technology, in a written statement. "Through a combination of human and technical errors, these personal data were exposed, although we have no evidence that they were extracted."
A Symantec spokesman told InformationWeek that they have been trying to get in touch with the university's IT team but have not yet talked to them to get details about the attack or even to find out what vulnerability was involved. "We hate to see any customer with a problem," he said. "We encourage customers to post patches as soon as possible."

Todd Gleeson, a dean at CU-Boulder, said in a statement that he wants the College of Arts and Sciences IT operations to be placed under the direct control of the university's larger IT department. He said all of the students affected by the breach are being notified through letters mailed to their homes.

"We have also taken steps to ensure that all sensitive personal data has been removed from our Academic Advising Center servers," said Gleeson. "I want to assure our past and present students that we have taken strong measures to protect our advising center computers and our students' personal information."

Students who are looking for more information about protecting themselves following a data exposure can go to the advisory Web site.

From bkdelong at pobox.com Fri May 25 13:23:15 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 25 May 2007 09:23:15 -0400
Subject: [Dataloss] followup: CO University of Colorado at Boulder

Ouch - an unpatched bug in so-called SECURITY software? Isn't such software supposed to work against issues that lead to data breaches?

On 5/25/07, security curmudgeon wrote:
>
> ---------- Forwarded message ----------
> From: InfoSec News
> Subject: [ISN] University Blames Security Breach On Un-patched Symantec Bug
>
> http://www.informationweek.com/news/showArticle.jhtml?articleID=199701978
>
> By Sharon Gaudin
> InformationWeek
> May 24, 2007
>
> The University of Colorado at Boulder said sensitive information on 44,998 students was exposed because a worm attacked the network through an un-patched bug in Symantec's anti-virus software.
> [...]
> Students who are looking for more information about protecting themselves following a data exposure can go to the advisory Web site.
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 208 million compromised records in 670 incidents over 7 years.

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From lyger at attrition.org Fri May 25 14:18:57 2007
From: lyger at attrition.org (lyger)
Date: Fri, 25 May 2007 14:18:57 +0000 (UTC)
Subject: [Dataloss] IL: Debit card security breach at restaurant

http://www.sj-r.com/sections/news/stories/115219.asp

Kyle Donaldson learned the hard way that his debit card account information had been compromised. When he tried to pay for $20 worth of gasoline at a convenience store this week, "the card had been canceled on me," said the Springfield resident, who eventually paid with a credit card.

Several local bank executives confirmed Thursday that they have alerted customers, and begun issuing new debit cards in some cases, after someone apparently broke into the customer database of a Springfield chain restaurant.

The chain was not identified, but they said the security breach involved Visa debit cards and apparently affected institutions throughout the community. The FBI has been notified.

[...]
From jericho at attrition.org Fri May 25 18:07:05 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 25 May 2007 18:07:05 +0000 (UTC)
Subject: [Dataloss] followup: CO University of Colorado at Boulder

: Ouch - an unpatched bug in so-called SECURITY software? Isn't such
: software supposed to work against issues that lead to data breaches?

The state of security software is just as dismal as any other product line from other vendors though. Search your favorite vulnerability database (VDB) for any of the big security vendor names like CA, Symantec or Cisco. The results should be an eye opener to anyone who continues to use these products. It's obviously unfortunate; most people are better off having them, as they do provide a significant level of protection from various threats. But when they are used as attack vectors, the vendors should be ashamed. Customers need to hold them to higher standards.

From dano at well.com Fri May 25 14:36:18 2007
From: dano at well.com (dano)
Date: Fri, 25 May 2007 07:36:18 -0700
Subject: [Dataloss] CA: Los Angeles restaurant credit card skimming

Los Angeles waitress accused of "skimming" credit cards, "...only a small fry in the operation..."

Ex-waitress allegedly swiped identities
More than $16,000 in false charges were made using numbers stolen at a West L.A. eatery.

By Stuart Silverstein
Times Staff Writer
May 22, 2007

A waitress who worked at a Hamburger Hamlet restaurant last year has been accused of picking up more than tips from her customers.

The former waitress also made off with the credit or debit card numbers of at least half a dozen patrons - and possibly as many as 40, the Los Angeles city attorney's office said Monday. Already, about $16,300 in unauthorized charges have been linked to the scam.
A telltale clue that helped the restaurant and investigators zero in on the waitress: She would make quick visits to the restroom after picking up customers' charge cards, apparently to swipe them through a palm-sized device that recorded the confidential numbers.

"One of our team members was behaving a little suspiciously, I'd guess you'd say," said Greg Hernandez, an executive vice president for the eight-restaurant Hamlet Restaurant Group.

April DuBoise, 27, of Los Angeles, is charged with nine identity theft and fraud-related counts, along with five counts of grand theft, said Jonathan Diamond of the city attorney's office. DuBoise worked for the chain's West Los Angeles location on South Sepulveda Boulevard over a six-week period in February and March of 2006. She is to be arraigned June 25 in Los Angeles County Superior Court. If convicted, DuBoise could face up to 12 years in jail and $12,000 in fines.

But investigators said DuBoise was essentially a small fry in the operation. They said she pocketed only $200 from the scam. They say that a key figure in the case, who remains at large, was an unidentified man who provided DuBoise with the device, known as a "wedge," to skim the card numbers. He promised to give her $10 for each card number she delivered - but vanished, officials said, before paying off his full debt to the waitress.

Investigators said the roughly $16,300 in bogus charges that have been identified showed up on the statements of six of the restaurant's customers. Evidence suggests that 35 to 40 cardholders were victimized, and the total dollar amount of unauthorized charges can only be guessed.

The investigation began when Citigroup, which issued some of the cards, received complaints about unauthorized charges showing up on customers' statements. The company contacted the U.S. Secret Service, and eventually the office of City Atty. Rocky Delgadillo joined the investigation.
Authorities enlisted the restaurant chain's cooperation after noticing that all of the cardholders had dined at the West Los Angeles location. (Its name, like the rest of the chain's outlets, was changed to Hamlet Restaurant and Bar last summer.)

Investigators said receipts showed that DuBoise was the server on six compromised cards. And managers, they said, also then realized that DuBoise had the strange habit of trekking to the restroom after picking up customers' cards.

Investigators say consumers should check their financial statements regularly and report bogus charges immediately, to curb identity theft. Authorities also recommended that consumers watch out for other strange behavior related to charge cards - such as a server who hurries to the bathroom with a card.

"That would be something that would look sort of suspicious to me," said Wayne Williams, deputy special agent in charge of the Los Angeles field office of the Secret Service.

From lyger at attrition.org Fri May 25 20:08:38 2007
From: lyger at attrition.org (lyger)
Date: Fri, 25 May 2007 20:08:38 +0000 (UTC)
Subject: [Dataloss] NY: Laptop with confidential information is recovered

http://blog.syracuse.com/news/2007/05/laptop_with_confidential_infor.html

The laptop stolen from the Booker T. Washington Community Center in Auburn was recovered Friday after a 16-year-old female tried to trade it at a pawn shop, city police said.

Cayuga County officials had issued a credit-fraud alert Wednesday because the laptop computer holds personal information from individuals who applied for Family Health Plus or Child Health Plus state health insurance program benefits.

"None of the data was compromised," said Wayne Allen, county manager.

[...]

From cwalsh at cwalsh.org Fri May 25 22:26:36 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 25 May 2007 17:26:36 -0500
Subject: [Dataloss] IL: Debit card security breach at restaurant

It was IHOP.
From the (I kid you not) "This Just In..." section:

http://www.sj-r.com/extras/breaking/index.asp#2772

IHOP upgrades credit card security after outside hack
Last Updated 5/25/2007 2:50:18 PM

The owner of a Springfield restaurant said today hackers who broke into the restaurant's computer network and compromised debit-card information were from outside the business, and that security has been upgraded.

Gene Rupnik, who owns the International House of Pancakes on Dirksen Parkway, confirmed the restaurant was the source of some of the debit-card alerts that have gone out from local banks in the past week. He also said, as far as he knows, none of the customers suffered financial losses as a result of the security breach.

"I am assured now we are completely and totally protected," said Rupnik, who also owns the Day's Inn and Microtel Inn & Suites in Springfield.

Rupnik said, while this is the first time it has happened to one of his businesses, authorities have advised him they are looking into the possibility the problem goes beyond his restaurant, and perhaps beyond Springfield.

"It's retailers at risk, or any kind of business that accepts credit cards," said Rupnik.

Rupnik said customer credit and debit-card information is not stored at the restaurant, and that he learned of the security breach from the company that processes the transactions. He said an audit also eliminated the possibility of employee involvement.

The FBI has been notified of the security breach but has declined to confirm whether there is an investigation.

On May 25, 2007, at 9:18 AM, lyger wrote:
>
> http://www.sj-r.com/sections/news/stories/115219.asp
[...]
> The chain was not identified, but they said the security breach involved Visa debit cards and apparently affected institutions throughout the community. The FBI has been notified.
From jericho at attrition.org Fri May 25 23:44:29 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 25 May 2007 23:44:29 +0000 (UTC)
Subject: [Dataloss] U.S. Dept. of Energy Reports Losing 1,400 Laptops in Six Years

Courtesy Fergie

---------- Forwarded message ----------

Via GCN.com.

[snip]

The Energy Department notified Congress yesterday that it has lost 1,427 laptop PCs over the past six years. The department said none of the laptops contained classified information.

The figure represents approximately two percent of its current inventory of laptop computers, or approximately 71,874 units used either by agency personnel or contractors.

The Energy Department statement broke down the missing laptops by year, with 144 reported missing for 2001, 248 in 2002, 256 in 2003, 258 in 2004, 223 in 2005 and 205 in 2006. Another 81 laptops were identified as missing, though the years those went missing were not disclosed. The agency revealed the information in response to a Freedom of Information Act request filed by WTOP, a Washington, D.C., news radio station.

[snip]

More:
http://www.gcn.com/online/vol1_no1/44344-1.html

From bkdelong at pobox.com Sat May 26 00:23:00 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 25 May 2007 20:23:00 -0400
Subject: [Dataloss] U.S. Dept. of Energy Reports Losing 1,400 Laptops in Six Years

Oh phew, no classified information. That's a nice misleading statement. Who knows WHAT was on those machines.

On 5/25/07, security curmudgeon wrote:
>
> Courtesy Fergie
>
> ---------- Forwarded message ----------
>
> Via GCN.com.
>
> [snip]
>
> The Energy Department notified Congress yesterday that it has lost 1,427 laptop PCs over the past six years. The department said none of the laptops contained classified information.
> [...]
>
> More:
> http://www.gcn.com/online/vol1_no1/44344-1.html
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 208 million compromised records in 675 incidents over 7 years.

From MKEVHILL at aol.com Sat May 26 14:12:02 2007
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Sat, 26 May 2007 10:12:02 EDT
Subject: [Dataloss] TN: Medical records found in trash outside Rockwood medical building

http://www.wate.com/Global/story.asp?S=6566130&nav=0RYv

ROCKWOOD (WATE) -- Medical waste, including medical records, was piled several feet high outside a Rockwood doctor's office on Thursday.
The records contained personal information such as names, addresses and Social Security numbers that could put patients at risk of identity theft.

Just behind the Chamberlain Professional Building, 6 News found what looked like a mound of useless trash, but a closer look revealed patient records among the garbage.

Detective Steve Hritz said his office has gotten a few calls about the mess. He came to check on it and couldn't believe his eyes.

"I'm shocked, I mean, our police officers, we have our physicals done down here," Hritz said. "And our medical records could be out here somewhere."

Hritz said all the information a thief needs to assume your identity was in the pile.

From chris at cwalsh.org Sat May 26 19:24:12 2007
From: chris at cwalsh.org (Chris Walsh)
Date: Sat, 26 May 2007 14:24:12 -0500
Subject: [Dataloss] North Carolina breach data

I wrote up a short note regarding data breaches in North Carolina, and overlap with those reported to NY.

http://www.emergentchaos.com/archives/2007/05/venn_and_the_art_of_empir.html

Data from North Carolina in this handy PDF: http://www.cwalsh.org/BreachInfo/primary_sources/pdfs/NC/NC-Log-Extract-20070525.PDF

From jericho at attrition.org Sat May 26 19:26:09 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 26 May 2007 19:26:09 +0000 (UTC)
Subject: [Dataloss] NC DOT Security Breach Affects 25,000 Employees

Courtesy Fergie

---------- Forwarded message ----------

Via WRAL.com (props, Pogo Was Right).

[snip]

A computer server holding the names and Social Security numbers of about 25,000 North Carolina Department of Transportation employees, contractors and other state employees had a security breach, officials announced Friday.
The breach affects employees who were issued identification badges from 1997 until 2006. Officials have no evidence that the personal information was accessed, according to the DOT. People who used their employee identification number instead of their Social Security number are not at risk.

The department is working to contact the affected individuals by mail, and the State Bureau of Investigation has also been notified.

Individuals who detect a problem with any of the personal information listed above should notify local law enforcement and contact one of the three credit bureaus to place a 90-day fraud alert on their credit report.

[snip]

More:
http://www.wral.com/news/local/story/1446009/

From bkdelong at pobox.com Sat May 26 20:06:36 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Sat, 26 May 2007 16:06:36 -0400
Subject: [Dataloss] North Carolina breach data

Chris -

We're lucky there are researchers like you and Adam taking the time - and money - to do this and share it with the public.

Thanks for keeping us posted.

On 5/26/07, Chris Walsh wrote:
>
> I wrote up a short note regarding data breaches in North Carolina, and overlap with those reported to NY.
>
> http://www.emergentchaos.com/archives/2007/05/venn_and_the_art_of_empir.html
>
> Data from North Carolina in this handy PDF: http://www.cwalsh.org/BreachInfo/primary_sources/pdfs/NC/NC-Log-Extract-20070525.PDF
From d2d at attrition.org Sat May 26 23:59:06 2007
From: d2d at attrition.org (d2d)
Date: Sat, 26 May 2007 23:59:06 +0000 (UTC)
Subject: [Dataloss] TN: Social Security numbers mistakenly released by CoverTN

http://www.dicksonherald.com/apps/pbcs.dll/article?AID=/20070526/NEWS0204/70526003

A computer error at the state's new Cover Tennessee health insurance program caused some applicants' Social Security numbers to become visible to others, officials said Friday.

About 279 applicants from mid-February to early March may have been affected, she said.

Spokeswoman Emily Richard said if employers applying to the CoverTN program for small businesses chose not to print out their forms from the Web site, their information could have been added to the next user's printout request.

[..]

From adam at homeport.org Sat May 26 23:46:31 2007
From: adam at homeport.org (Adam Shostack)
Date: Sat, 26 May 2007 19:46:31 -0400
Subject: [Dataloss] North Carolina breach data
Message-ID: <20070526234631.GA28010@homeport.org>

To be fair, to date, the money is all from Chris.

On Sat, May 26, 2007 at 04:06:36PM -0400, B.K. DeLong wrote:
| Chris -
|
| We're lucky there are researchers like you and Adam taking the time - and money - to do this and share it with the public.
|
| Thanks for keeping us posted.
|
| On 5/26/07, Chris Walsh wrote:
|
| I wrote up a short note regarding data breaches in North Carolina, and overlap with those reported to NY.
|
| http://www.emergentchaos.com/archives/2007/05/venn_and_the_art_of_empir.html
|
| Data from North Carolina in this handy PDF: http://www.cwalsh.org/BreachInfo/primary_sources/pdfs/NC/NC-Log-Extract-20070525.PDF
| [...]

From d2d at attrition.org Sun May 27 11:49:49 2007
From: d2d at attrition.org (d2d)
Date: Sun, 27 May 2007 11:49:49 +0000 (UTC)
Subject: [Dataloss] OH: Franklin County blocks online records due to security concerns

http://www.wtol.com/Global/story.asp?S=6574415

The Franklin County recorder's office has shut down links to online mortgage documents out of concern that some contained Social Security numbers vulnerable to identity thieves.

A statement on the site says the images have been removed until a further audit can be completed and the numbers can be masked. Most of the documents of concern are from the 1990s. The links to the mortgage documents were removed Friday.

Hamilton County has already run into trouble with Social Security numbers online. Eight people were indicted last year on charges they gleaned the numbers from a county Web site and used them to ring up about a half-million dollars in fraudulent spending.

[..]
From d2d at attrition.org Mon May 28 13:04:11 2007
From: d2d at attrition.org (d2d)
Date: Mon, 28 May 2007 13:04:11 +0000 (UTC)
Subject: [Dataloss] MN: St. Paul / Files stolen, and identities used

(may require registration)
http://www.twincities.com/localnews/ci_6003652?nclick_check=1

(should bypass registration)
http://www.google.com/news/url?sa=t&ct=us/5-0&fp=465a85490a2e87c1&ei=5NJaRs62F5i4pQKszL31DA&url=http%3A//www.twincities.com/localnews/ci_6003652&cid=0

Kelsey Tape's Social Security number and other personal data were stolen April 2 from the College of St. Catherine. But until April 16, the college didn't tell her and 18 other students that their identities may be at risk.

Tape says someone as far away as Texas is using her Social Security number to apply for credit cards.

St. Catherine's says it went "beyond what state and federal laws require to ensure the safety and security of students' information." Officials won't say much more, citing an open police investigation. That's left some students and families frustrated as they seek answers to exactly what happened and why they weren't notified for two weeks.

[..]

From lyger at attrition.org Wed May 30 02:55:36 2007
From: lyger at attrition.org (lyger)
Date: Wed, 30 May 2007 02:55:36 +0000 (UTC)
Subject: [Dataloss] Etiolated.org Updates

(I strongly encourage all list subscribers to check out this site. This is what we *hoped* could be done with attrition's data loss dataset. The initial site went live in nine days and is now less than three weeks old.)

Courtesy Dave Shettler of Etiolated.org:

Etiolated.org Changes/Enhancements

== Search ==

Search functionality has been drastically expanded, utilizing a lucene-like backend.
Searches can be as complicated as:

org_type:Edu AND org_type:Med AND date:[20060401 TO 20070528] AND records:[1000 TO *]

Which would get you a list of all breaches at educational institutions associated with medicine that occurred between March 1st, 2006 and May 28th, 2007 with lost records totaling over 1000.

For a detailed list of options see http://www.etiolated.org/research

== Custom RSS Feeds ==

Each search now produces a custom RSS feed. For example, for an RSS feed of all educational institution breaches, search for:

org_type:Edu

And in the header of the results table that follows, you'll see the feed icon that links to the custom RSS feed.

== Custom Search-based Graphs ==

Any search you run can now have a dynamically generated graph produced based on the results. Run a search like those above, click on "Graph Results", choose a title for your graph, set a couple of simple parameters, and you'll have your search results in a very visual way. Right click the graph, save as, and use the image as you please. Images won't persist, so if you intend to link to it you are better off saving it someplace where it won't vanish.

== Coming Soon ==

See breaches pinpointed on a pretty map!

Dave (dave at etiolated.org)

From jericho at attrition.org Wed May 30 05:29:35 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 30 May 2007 05:29:35 +0000 (UTC)
Subject: [Dataloss] Plug the holes in your cone of silence

Courtesy ISN:

---------- Forwarded message ----------
From: InfoSec News

http://www.theage.com.au/news/security/plug-the-holes-in-your-cone-of-silence/2007/05/28/1180205158743.html

By Cynthia Karena
May 29, 2007

DATA loss is a significant factor in modern business, dependent as it is now on electronic systems. And it occurs in many ways, some inadvertent, some through stupidity and some criminal.
One organisation accidentally puts its sensitive market research report online before it has been approved; another can't find data that has been requested by a government department. Others lose laptops, unwittingly send confidential information in emails, or give contractors too much access to internal data.

This is lost data and its impact on a business can range from financial loss, to damage to its reputation, potential loss of customers, or even imprisonment if there is a breach of corporate governance.

[..]

And then there is the human factor. "Data loss occurs primarily because of people," says Mr Baar. "Most information loss is through inappropriate behaviour - someone talking about it in the pub or a lift, for instance. People could go to a cafe with, say, patient records and leave them behind."

[..]

"Everybody always underestimates the likelihood of data theft. It is usually unreported, which (distorts data on occurrences) but given the choice of attempting to hack an organisation from the outside or getting inside to its soft centre, you would always take the easiest option. External hacking is uncommon now, because it is too difficult. It's easier to find an insider through money or threats," Mr Baar says.

What about disgruntled employees taking information with them when they leave the company? Mr Lancaster says data needs to be locked down. Departments should be able to retrieve only their own documents.

Finally, says Mr Walls, organisations should not reveal their security controls to their own personnel.
From lyger at attrition.org Wed May 30 11:53:26 2007
From: lyger at attrition.org (lyger)
Date: Wed, 30 May 2007 11:53:26 +0000 (UTC)
Subject: [Dataloss] Canada: Patient information cards sold at auction

http://www.canada.com/saskatoonstarphoenix/news/story.html?id=5831dc77-c822-4f09-b606-3b8d24cdc28f

The Saskatoon Health Region apologized Tuesday after more than 2,000 patient information cards that were supposed to be treated as "very confidential" were accidentally sold at an auction of health region surplus material rather than shredded.

The plastic cards are used to make imprints on documents for patient records. The cards contain names, dates of birth, addresses, religious affiliations, health card numbers and the names of the patient's doctor. They were used between January and May of this year for day surgery patients and outpatients at City Hospital.

[...]

From ron.simmons at gmail.com Wed May 30 15:36:13 2007
From: ron.simmons at gmail.com (Ron Simmons)
Date: Wed, 30 May 2007 08:36:13 -0700
Subject: [Dataloss] Priority One Credit Union's Security Breach
Message-ID: <40cb95d20705300836n3b8f5e6t1ae9416aee80f82c@mail.gmail.com>

Tuesday, May 29, 2007 5:15 PM PT
Posted by Steve Bass
http://blogs.pcworld.com/tipsandtweaks/archives/004505.html

I'm watching my credit union account like a hawk. That's because Priority One Credit Union -- the one I use -- had a security breach that was stunning.

They recently sent election ballots to members. Printed on the outside of the envelope were some numbers. The first was our account number. That might not have been enough to help with anyone intent on identity theft, so they also printed my social security number on the envelope.

I received a letter of apology the other day. They told me they deeply regretted the inconvenience. (See Important Security Message to Members.)

---------------------------------------------

Posted on the CU Web site by Charles R. Wiggington, Sr.
CEO/President
http://www.priorityonecu.org/whatsnew.shtml

During the last week, we mailed our election ballots to members. Unfortunately, an error occurred during the distribution of this ballot, and personal information was inadvertently included above your address on the envelope. This information was not printed in a format that would be immediately recognizable, and we have no indication your personal information has been accessed or misused in any way.

From lyger at attrition.org Thu May 31 16:54:30 2007
From: lyger at attrition.org (lyger)
Date: Thu, 31 May 2007 16:54:30 +0000 (UTC)
Subject: [Dataloss] ChoicePoint Settles With 44 States

http://www.forbes.com/feeds/ap/2007/05/31/ap3775185.html

ChoicePoint Inc. said Thursday it settled with 44 states over allegations it failed to adequately secure consumers' personal information related to a breach of its database that it disclosed in 2005.

The Alpharetta, Ga.-based consumer data provider has agreed to adopt significantly stronger security measures, including written certification and, in some cases, onsite visits by ChoicePoint (nyse: CPS) to ensure the legitimacy of companies before they are allowed access to personally identifiable information.

[...]

From lyger at attrition.org Thu May 31 17:36:44 2007
From: lyger at attrition.org (lyger)
Date: Thu, 31 May 2007 17:36:44 +0000 (UTC)
Subject: [Dataloss] (follow-up) Ex-San Jose medical manager pleads guilty to stealing personal data

http://www.mercurynews.com/breakingnews/ci_6029308?nclick_check=1

A former San Jose medical manager has pleaded guilty to stealing a computer and a CD that contained personal medical information of about 200,000 patients, a state Department of Justice spokeswoman said today.
Joseph Nathaniel Harris, 44, of Riverside, faces 10 years in prison and a $250,000 fine when he is sentenced in September. Harris managed the San Jose Medical Group's McKee branch from August 2004 to September 2004.

San Jose Medical Group Chief Executive Ernie Wallerstein reported the theft of two Dell computers and the disk in March 2005. The loss prompted the physician's group to send a letter to about 185,000 current and former patients alerting them of the stolen material.

[...]