[Dataloss] slightly OT: LifeLock Identity Theft
Tom Widman
twidman at identityfraud.com
Tue May 1 02:12:06 UTC 2007
The lifelock program is interesting and while I have some familiarity, I
don't have all the details.
From what I see, the LifeLock product can help reduce the chances of one
becoming a victim of ID Theft, although marginally, since managing credit
bureau fraud alerts (which is what it does) only addresses part of the
problem. There are many other types of ID Theft that occur that have nothing
to do with credit. Thus, in my view, the "product" guarantee is off-base
since fraud alerts don't stop 60-80% of other types of frauds (depending on
whose statistics you view). However, the guarantee of $1 million is unique
and ideally makes up for the other types of fraud that can and do occur, if
these other types of fraud are covered, since they are unrelated to the product.
My concern for LifeLock is about consumer marketing practices and properly
conveying what your product does, and also practicing what you preach.
For example, this is from their Terms and Conditions:
1. Your Account: You agree that you are who you say you are when you enroll
and that you will not purposely engage in behavior that will put your
Identity at unnecessary risk, such as leaving your PIN or passwords in
obvious places, publishing your Social Security Number, etc.
__
I think other vendors do not post their SSNs because, from a risk and
prudence standpoint, it is irresponsible. It's not good for doctors to tell
you to stop smoking cigarettes while they continue to smoke them. Since
LifeLock does not cover the exposure the CEO is engaging in (and advertising),
I believe they are increasing their own consumer liability exposure. BUT, I
must admit that from a marketing standpoint, it garners excellent attention.
We try to track the various offers since we are one of the pioneers in the
identity protection space, having started development back in 1997. Identity
protection is a very young industry with a lot of variety between offerings.
We promote risk management that essentially says: do the best you can at
prevention and have some remedies in place when ID theft occurs. Whether
prevention and remedies are from LifeLock, a homeowners insurer, Equifax, or
us, etc., it is simply prudent to engage certain solutions.
T Widman
-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of dataloss-request at attrition.org
Sent: Monday, April 30, 2007 4:52 PM
To: dataloss at attrition.org
Subject: Dataloss Digest, Vol 15, Issue 3
Send Dataloss mailing list submissions to
dataloss at attrition.org
To subscribe or unsubscribe via the World Wide Web, visit
https://attrition.org/mailman/listinfo/dataloss
or, via email, send a message with subject or body 'help' to
dataloss-request at attrition.org
You can reach the person managing the list at
dataloss-owner at attrition.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dataloss digest..."
Today's Topics:
1. Texas AG: CVS Dumped Customers' Records (lyger)
2. Wireless Security Puts IRS Data at Risk (Richard Forno)
3. Hackers, laptop thieves compromise personal information of
17,500 at Ohio State in separate incidents (lyger)
4. UCSF computer server with research subject information is
stolen (lyger)
5. Personal data of NMSU students posted online (lyger)
6. Los Alamos warns workers about identity theft (lyger)
7. Federal Database Exposes Social Security Numbers (lyger)
8. (update) Fed Breach Leaks Social Security Numbers (lyger)
9. (update) Fed breach leaks Social Security numbers (lyger)
10. USDA Narrows List to 38,700... (lyger)
11. Counter Strike Struck (rwise29210 at gmail.com)
12. Does a data loss of one count if she is famous? It just isn't
for "Ordinary People" anymore. (rwise29210 at gmail.com)
13. Administravia: List Reminders and Changes (lyger)
14. Neiman says employee data stolen (lyger)
15. Baltimore Co. Laptop Stolen With Personal Info (lyger)
16. The cost of doing business? (Rodney Wise)
17. (update) Darwin Professional Underwriters - Tech-404.com (lyger)
18. Ceridian accidentally leaks data from NY firm (lyger)
19. Re: Ceridian accidentally leaks data from NY firm (Patrick Hack)
20. Re: Ceridian accidentally leaks data from NY firm (Katie Felten)
21. slightly OT: LifeLock Identity Theft Protection
(security curmudgeon)
22. Re: slightly OT: LifeLock Identity Theft Protection
(security curmudgeon)
23. Re: slightly OT: LifeLock Identity Theft Protection (Chris Walsh)
24. 175 told of possible computer security incident at Purdue (lyger)
25. Caterpillar Says Employee Data Stolen (lyger)
26. FEMA's 'Unfortunate' Privacy Disaster (lyger)
27. NY AG settles first data breach case (Chris Walsh)
28. N. Texas Company Posted Private Information Online (lyger)
29. Is it just about credit? (Rodney Wise)
30. Re: Is it just about credit? (question 1 / health care)
(security curmudgeon)
31. Re: Is it just about credit? (question 1 / health care) (nepen)
32. UNM says some employee information on stolen laptop (lyger)
33. Re: Is it just about credit? (question 1 / health care)
(Rodney Wise)
34. Re: Is it just about credit? (question 1 / health care) (nepen)
35. Re: The cost of doing business? (J Beebe)
36. Re: Is it just about credit? (Al Mac)
37. Re: Is it just about credit? (Chris Walsh)
38. Re: Is it just about credit? (question 1 / health care)
(Adam Shostack)
39. (update) Stolen Caterpillar laptop contained employees
personal information (lyger)
----------------------------------------------------------------------
Message: 1
Date: Tue, 17 Apr 2007 22:33:18 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Texas AG: CVS Dumped Customers' Records
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704172232340.553 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
http://www.forbes.com/feeds/ap/2007/04/17/ap3621733.html
Texas Attorney General Greg Abbott sued CVS Corp. on Tuesday, alleging
pharmacy employees dumped credit card numbers, medical information and
other sensitive material from more than 1,000 customers into a garbage
container.
The Rhode Island company was accused of failing to protect its customers
from identity theft at the store in Liberty, about 45 miles northeast of
Houston. The lawsuit alleges employees dumped the records behind a store
that apparently was being vacated by CVS.
CVS did not immediately return a telephone call seeking comment Tuesday.
[...]
------------------------------
Message: 2
Date: Tue, 17 Apr 2007 23:20:10 -0400
From: Richard Forno <rforno at infowarrior.org>
Subject: [Dataloss] Wireless Security Puts IRS Data at Risk
To: Infowarrior List <infowarrior at attrition.org>,
"dataloss at attrition.org" <dataloss at attrition.org>
Message-ID: <C24B06AA.63F41%rforno at infowarrior.org>
Content-Type: text/plain; charset="US-ASCII"
Would somebody kindly explain WTF the IRS is using wireless networking
anywhere in their IT environment??? -rf
April 17, 2007
Wireless Security Puts IRS Data at Risk
By THE ASSOCIATED PRESS
http://www.nytimes.com/aponline/technology/AP-IRS-Wireless-Security.html?_r=1&oref=slogin&pagewanted=print
Filed at 10:57 p.m. ET
WASHINGTON (AP) -- Internal Revenue Service offices across the nation that
use wireless technology are still vulnerable to hackers, according to the
latest assessment of the agency's security policies released Tuesday.
Despite efforts to improve wireless security the past four years, the
Inspector General's assessment of 20 buildings in 10 cities discovered four
separate locations at which hackers could have easily gained access to IRS
computers using wireless technology.
There was no evidence that the computers were connected to the IRS network
at the time and no signs that any hacking had occurred, the report said.
"However, anyone with a wireless detection tool could pick up the wireless
signal and gain access to the computer," wrote Michael Phillips, the
Inspector General.
And if an employee had been connected to the IRS network, "a hacker
conceivably could gain access to the IRS network," which contains sensitive
financial data of more than 226 million taxpayers, he added.
The vulnerabilities were discovered in Denver and at three other IRS
facilities in Texas and Florida.
Wireless networks are created by linking computers using hardware called
routers. The devices enable wireless laptop or mobile device users, such as
Treos, to send signals back and forth to each other. Data can be encrypted,
but the report said that software available on the Internet can decode the
encryption.
The inspector general's office said it used inexpensive wireless equipment
and software freely available on the Internet to scan the facilities for
wireless signals.
According to the report, the IRS also is not effectively monitoring its uses
of wireless technology. As of May 2006, the agency had scanned fewer than 6
percent of all IRS offices - mainly in the Washington, D.C., and Baltimore
metropolitan areas.
The inspector general's office recommended increased monitoring of the IRS network for
unapproved wireless devices and educating employees about security risks.
The report said the agency agreed with the IG's recommendations and will
implement them.
------------------------------
Message: 3
Date: Wed, 18 Apr 2007 19:22:09 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Hackers, laptop thieves compromise personal
information of 17,500 at Ohio State in separate incidents
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704181920380.13877 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
(update: another unrelated incident exposes another 3,500)
http://scmagazine.com/us/news/article/651562/hackers-laptop-thieves-compromise-personal-information-17500-ohio-state-separate-incidents/
On March 31 or April 1, a hacker using a foreign web address cracked a
university firewall and accessed the names, Social Security numbers,
employee ID numbers and birth dates of more than 14,000 current and former
staff members, according to a university statement.
[...]
In an unrelated incident, the personal information of about 3,500 current
and former chemistry students was compromised when two laptop computers
were stolen from the home of a university professor on Feb. 24.
The laptops were likely not the target of the burglary, and were stolen
with a number of other household items, according to Lynch.
Records stored in the laptops contained names, Social Security numbers and
grades, according to the university.
[...]
------------------------------
Message: 4
Date: Thu, 19 Apr 2007 01:51:53 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] UCSF computer server with research subject
information is stolen
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704190150560.9570 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
http://pub.ucsf.edu/newsservices/releases/200704189/
A computer file server containing research subject information related to
studies on causes and cures for different types of cancer was stolen from
a locked UCSF office on March 30, 2007.
The server contained files with names, contact information, and social
security numbers for study subjects and potential study subjects. For some
individuals, the files also included personal health information.
[...]
Notification letters were sent Monday, April 16, to about 3,000
individuals. Using backup files, UCSF officials are conducting an
extensive analysis of the server data to determine as quickly as possible
all the names involved in this incident.
[...]
------------------------------
Message: 5
Date: Thu, 19 Apr 2007 15:48:23 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Personal data of NMSU students posted online
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704191547200.16494 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
http://www.freenewmexican.com/news/60444.html
The names and Social Security numbers of more than 5,600 New Mexico State
University students were accidentally posted on the school's Web site, but
officials say odds are minimal that any students' identities were
compromised.
The information was in a public section of the site for nearly two hours
on April 5 before the mistake was caught.
The file was accessed by 14 computers and all of their IP addresses have
been tracked, said Mrinal Virnave, NMSU's director of enterprise
application services.
Virnave said the file contained the names and Social Security numbers of
students who registered online to attend their commencement ceremonies
from 2003 to 2005, meaning most of the names and numbers are of former
students.
[...]
------------------------------
Message: 6
Date: Fri, 20 Apr 2007 15:38:20 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Los Alamos warns workers about identity theft
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704201537030.9592 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
http://www.freenewmexican.com/news/60494.html
Los Alamos National Laboratory warned employees about protecting
themselves against identity theft after the names and Social Security
numbers of 550 lab workers were posted on a Web site run by a
subcontractor working on a security system.
An April 5 letter to the employees from Jan A. Van Prooyen, the lab's
acting deputy director, said the problem was discovered the previous week
when a lab employee happened upon the Web site of a software services
company that had been hired years before.
Clicking a link and entering a password provided online led to a table
that included names, and in some cases, Social Security numbers, of people
who entered certain lab sites around 1998, the letter said.
[...]
------------------------------
Message: 7
Date: Fri, 20 Apr 2007 21:11:44 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Federal Database Exposes Social Security Numbers
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704202106210.3039 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
http://www.nytimes.com/2007/04/20/washington/20cnd-data.html?_r=1&hp=&adxnnl=1&oref=slogin&adxnnlx=1177103032-yUYrfkNKmHsZVZ/hqNZWCw
The Social Security numbers of tens of thousands of people who received
loans or other financial assistance from two Agriculture Department
programs were disclosed for years in a publicly available database,
raising concerns about identity theft and other privacy violations.
Officials at the Agriculture Department and the Census Bureau, which
maintains the database, were evidently unaware that the Social Security
numbers were accessible in the database until they were notified last week
by a farmer from Illinois, who stumbled across the database on the
Internet.
[...]
Ms. Bergmeier said she was able to identify almost 30,000 records in the
database that contained Social Security numbers.
[...]
------------------------------
Message: 8
Date: Sat, 21 Apr 2007 00:40:18 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] (update) Fed Breach Leaks Social Security Numbers
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704210038210.9225 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
(Original numbers reported almost 30,000, now 150,000. Updated)
http://www.forbes.com/feeds/ap/2007/04/20/ap3637323.html
The Social Security numbers of up to 150,000 people who received
Agriculture Department grants have been posted on a government Web site
since 1996, but they were taken down last week.
Free credit monitoring is being offered to those affected.
The security breach was only noticed last week and promptly closed, the
Agriculture Department and Census Bureau announced Friday.
The Agriculture data that included Social Security numbers were removed
from the Web on April 13 and similar data from 32 other agencies were
taken down April 17 as a precaution, said Agriculture spokeswoman Terri
Teuber.
[...]
------------------------------
Message: 9
Date: Sat, 21 Apr 2007 05:18:23 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] (update) Fed breach leaks Social Security numbers
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704210516170.19230 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
(first 30K, then 150K, now 63K... hope everybody has erasers handy...)
http://origin.denverpost.com/nationworld/ci_5714663
The Social Security numbers of 63,000 people who received Agriculture
Department grants have been posted on a government Web site since 1996,
but they were taken down last week. Free credit monitoring is being
offered to those affected.
The security breach was only noticed last week and promptly closed, the
Agriculture Department and Census Bureau announced Friday.
The Agriculture data that included Social Security numbers were removed
from the Web on April 13 and similar data from 32 other agencies were
taken down April 17 as a precaution, said Agriculture spokeswoman Terri
Teuber.
[...]
The department originally said Friday the Social Security numbers of
105,000 to 150,000 individuals had been entered into federal databases
open to the public since 1981. But by Friday evening, after they
calculated how many people had been entered more than once, USDA announced
that 63,000 individuals had their Social Security numbers exposed. The
data has only been posted on the Internet by the Census Bureau since 1996.
[...]
------------------------------
Message: 10
Date: Mon, 23 Apr 2007 20:07:36 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] USDA Narrows List to 38,700...
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704232005540.26783 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
(yet another newly revised total...)
http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB?contentidonly=true&contentid=2007/04/0110.xml
The U.S. Department of Agriculture (USDA) has narrowed to approximately
38,700 the number of people whose private identification information was
accessible to the public on a government-wide website. USDA takes
seriously its responsibility to protect private information and after
learning of the potential exposure, immediately took action to remove the
information from the website. USDA is also offering credit monitoring
services to protect the personal accounts of affected individuals, due to
the potential that information was downloaded prior to removal. There is
no evidence that this information has been misused.
[...]
------------------------------
Message: 11
Date: Mon, 23 Apr 2007 10:55:45 -0400
From: <rwise29210 at gmail.com>
Subject: [Dataloss] Counter Strike Struck
To: <dataloss at attrition.org>
Message-ID: <00c501c785b7$792d4db0$6401a8c0 at xp1>
Content-Type: text/plain; charset="iso-8859-1"
I haven't seen this on the list. Sorry if it is a repost.
Rodney Wise
http://pplrwise.blogspot.com
Counter Strike firm in credit card hack claim
Hacker, customers accuse Valve of coverup
By Chris Williams
Published Thursday 19th April 2007 11:09 GMT
http://www.theregister.co.uk/2007/04/19/valve_steam_hack/
Valve Software, the company behind Counter Strike and Half Life, has been
accused of covering up a hack of its servers which allegedly exposed the
credit card details of thousands of customers.
A hacker calling himself MaddoxX has trumpeted details of the claimed
break-in on his website, and threatened to publish more credit card
information if Valve do not "come with something good".
Customers say Valve has known about the alleged security breach since April
8 at the latest.
A customer told us he raised the hacker's claims on Valve's Steampowered.com
forums, but a company moderator quickly stepped in to delete it, writing,
"Please do not re-post that thread. Valve are aware of the issue and are
investigating. Making threads on the issue will not help."
Sources say a dozen threads about the matter have been suppressed on Valve's
official forums. In the meantime the firm has made no attempt to contact the
thousands of cyber cafe owners potentially affected.
A large file posted on a file sharing site appears to back up the hacker's
claims of breaking into the server of Valve's distribution network, Steam.
It contains sensitive financial information including Valve's current
assets, full details of five credit card transactions from March 12 with the
threat of exposing more, and details of how to set up a fake cyber cafe
certificate for multiplayer Counter Strike. The 14MB plus directory is
essentially a "rip" of the cyber cafe content delivery platform, Steam Cafe,
and contains all the files to access Valve's Central Authentication Server.
We contacted MaddoxX via email. He claimed he first gained access to Steam
this January, and said that although the cyber cafe customer database is not
linked to the standard customer list, he has access to that too. Valve have
not contacted him, he said, but have approached his hosting provider to take
down the page which announces the hack, so far without success.
The hacker says it's not his intention to steal information. He told us: "I
just came across the login details when I was browsing some stuff. The
access to their whole customer database was more like luck, but still a hack
because the login details are inside some files. They changed the logins now
and made it not possible anymore to get the details from the files. The
[credit card] details itself are stored in a MySQL database where I still
have access to."
"It is just to show how lax they are with their security. I want a full
excuse from VALVe on their site that they did NOT inform anyone about this.
I've got several e-mails from cafe owners and they said VALVe hasn't even
said shit to them...so you can see how they treat their customers."
One cyber cafe owner contacted by The Register said: "Why has it taken days
if not weeks before they told us if there is even the slightest possibility
someone has our CC details then we should have been told?"
Valve did not return repeated requests for comment.
------------------------------
Message: 12
Date: Mon, 23 Apr 2007 11:06:32 -0400
From: <rwise29210 at gmail.com>
Subject: [Dataloss] Does a data loss of one count if she is famous? It
just isn't for "Ordinary People" anymore.
To: <dataloss at attrition.org>
Message-ID: <00ef01c785b8$fabe9860$6401a8c0 at xp1>
Content-Type: text/plain; charset="iso-8859-1"
Thieves take laptop with Smith photos
April 20, 2007
By Alan J. Keays Herald Staff
The head of Edgewood Studios in Rutland is looking for the return of a
stolen laptop containing some valuable information, including unreleased
images of Anna Nicole Smith, the star of his most recent film.
"There are photographs in there that are not to be released," Giancola
said Thursday afternoon in a phone interview from the offices of his
Rutland-based movie production studio. "There is stuff that we have that is
just not cleared for release."
Police said burglars early Thursday broke into Edgewood Studios, at
Howe Center, a large complex of offices and businesses just outside
Rutland's downtown. Several other businesses in the complex were also
burglarized.
Police have made no arrest. Although the thieves did not steal all
that much from his studio, the laptop contained a great deal of "proprietary
material," including future movie scripts, plot lines, phone numbers and
e-mail addresses, Giancola said.
The laptop also contained unreleased photos of Smith, who before her
death of a drug overdose in February played a starring role in the
studio's soon-to-be-released movie, "Illegal Aliens."
"We're trying to find the laptop because it has material that has
proprietary information to Edgewood Studios," Giancola said. "We're really
hoping to get that laptop back because of the copyrighted material that was
on it."
"Illegal Aliens" is set to be released on DVD next month. The movie,
filmed in September 2005 in Rutland, has generated international interest
following the media attention that accompanied Smith's death.
"What we're most concerned about is 'Illegal Aliens' kind of stuff,
and that movie is not being released until May 1," Giancola said. "There's
another movie called 'Zombie Town' and that movie's not going to be released
probably until Halloween and there's material from that on (the laptop) and
we don't want that out there, either."
Surveillance video suggested the burglars did not target the laptop
for theft because of its connection to Smith.
Instead, Giancola said, it appeared the burglars were on a "drunken
rampage," smashing the front door and two inside doors at the studio.
Giancola said the value of the stolen items and the cost of repairing
damage would amount to a couple of thousand dollars. However, he said, a
dollar amount cannot be placed on the value of the "proprietary material"
that was on the stolen laptop, including the Smith photos.
"The intellectual property is way more valuable than any of the
physical equipment we have," Giancola said.
Contact Alan J. Keays at alan.keays at rutlandherald.com.
Rodney Wise
For new stories about ID Theft and Data Loss by companies visit:
http://pplrwise.blogspot.com
See what is happening to your information
------------------------------
Message: 13
Date: Tue, 24 Apr 2007 03:55:22 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Administravia: List Reminders and Changes
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704240342430.18420 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Greetings all,
I'll try to be as brief as I can. The Data Loss Mail List would like to
remind subscribers and posters that list topics should adhere to the
following guidelines:
Data Loss is a non-commercial mail list that covers topics such as news
releases regarding large-scale personal data loss and personal data theft
incidents. Discussion about incidents, indictments, legislation, and
recovery of lost or stolen personal data is encouraged. Advertisements or
endorsements for commercial products and/or services, on or off list, are
not allowed.
Isolated personal incidents regarding identity theft are not considered to
be topical. Discussion is welcome about items that are topical. Please
contact me directly with any questions or concerns about list content.
Thanks,
Lyger
------------------------------
Message: 14
Date: Tue, 24 Apr 2007 17:04:46 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Neiman says employee data stolen
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704241704010.8512 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
http://www.wfaa.com/sharedcontent/dws/bus/stories/042507dnbusneiman.40beadd.html
The Neiman Marcus Group said Tuesday that computer equipment containing
files with sensitive information of nearly 160,000 current and former
employees has been stolen.
The files were owned by a pension consultant and contained 2-year-old data
that was current as of Aug. 30, 2005. Information included each person's
name, address, social security number, date of birth, period of employment
and salary information.
Employees hired after Aug. 30, 2005 are not affected.
[...]
------------------------------
Message: 15
Date: Tue, 24 Apr 2007 22:41:30 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Baltimore Co. Laptop Stolen With Personal Info
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704242240320.28984 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
http://wjz.com/local/local_story_114155042.html
A laptop containing the personal information of about 6,000 people was
stolen from a Baltimore County health center, a health department
spokeswoman said Tuesday.
The computer did not contain medical information but did have names, date
of birth, social security numbers, telephone numbers and emergency contact
information. The personal information was from patients who were seen at
the clinic between Jan. 1, 2004 and April 12.
[...]
------------------------------
Message: 16
Date: Wed, 25 Apr 2007 06:59:07 -0400
From: "Rodney Wise" <rwise29210 at gmail.com>
Subject: [Dataloss] The cost of doing business?
To: dataloss at attrition.org
Message-ID:
<24e2acc50704250359yaf861b5wd847586701bfda85 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Bank groups in 3 states plan to sue TJX over data theft
http://www.mercurynews.com/businessheadlines/ci_5745507
The Associated Press
Article Launched: 04/25/2007 01:50:15 AM PDT
BOSTON (AP) - Bank associations in Massachusetts, Connecticut and
Maine said Tuesday that they will sue TJX over a data theft that
exposed at least 45 million credit and debit cards to potential fraud.
Banks have been saddled with costs to replace cards and cover
fraudulent charges tied to the theft from TJX, the owner of nearly
2,500 discount stores including T.J. Maxx and Marshalls.
On Jan. 17, Framingham, Mass.-based TJX disclosed a breach of its
computer systems by an unknown hacker or hackers who accessed card
data from transactions as long ago as late 2002.
On March 28, TJX said at least 45.7 million of its shoppers' cards had
been compromised.
--
Rodney Wise
http://pplriwse.blogspot.com
------------------------------
Message: 17
Date: Wed, 25 Apr 2007 20:13:02 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] (update) Darwin Professional Underwriters -
Tech-404.com
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704252010300.14262 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
For anyone interested in the follow-up:
Darwin Professional Underwriters, which operates the website Tech-404.com,
has come to an agreement with attrition.org regarding the use of our Data
Loss web page and RSS feed. In return for use of attrition.org's RSS
service and/or web page, Darwin has graciously agreed to make a
contribution to the Open Source Vulnerability Database (http://osvdb.org)
in order to further promote security awareness.
We appreciate Darwin's willingness to work with us to help resolve this
matter and we wish them the best in their future endeavors.
Lyger
------------------------------
Message: 18
Date: Thu, 26 Apr 2007 16:01:31 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Ceridian accidentally leaks data from NY firm
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704261558210.9828 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html
Payroll processing firm Ceridian Corp. accidentally leaked employee data
from a New York advertising firm on a Web site, the company confirmed
Thursday.
Bloomington-based Ceridian (NYSE: CEN) notified New York advertising
company Innovation Interactive last week, after it learned that it had
inadvertently leaked ID and bank-account data on 150 employees, company
spokesman Pete Stoddart said.
Ceridian said a former employee accidentally posted the information on a
personal Web site. The employee took the data by accident after leaving
the company in March 2006.
[...]
------------------------------
Message: 19
Date: Thu, 26 Apr 2007 11:15:28 -0500
From: "Patrick Hack" <Phack at 4thebank.com>
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm
To: <dataloss at attrition.org>
Message-ID: <463089CF.E11B.0075.0 at 4thebank.com>
Content-Type: text/plain; charset="us-ascii"
Just wondering, how do you 'Accidentally' take private customer
information as you're leaving employment and 'Accidentally' post it to
your personal web site? This sure sounds like straight-up data theft to
me.
P. Hack
>>> lyger <lyger at attrition.org> 4/26/2007 11:01 AM >>>
http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html
Payroll processing firm Ceridian Corp. accidentally leaked employee
data
from a New York advertising firm on a Web site, the company confirmed
Thursday.
Bloomington-based Ceridian (NYSE: CEN) notified New York advertising
company Innovation Interactive last week, after it learned that it had
inadvertently leaked ID and bank-account data on 150 employees, company
spokesman Pete Stoddart said.
Ceridian said a former employee accidentally posted the information on
a
personal Web site. The employee took the data by accident after leaving
the company in March 2006.
[...]
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 207 million compromised records in 634 incidents
over 7 years.
CONFIDENTIALITY NOTICE: This email message is private,
confidential property of the sender, and the materials
may be privileged communications intended solely for
the receipt, use, benefit, and information of the intended
recipient indicated above. If you are not the intended
recipient, you are hereby notified that any review,
disclosure, distribution, copying or taking of any
other action in reference to the contents of this message
is strictly prohibited, and may result in legal liability
on your part. If you have received this message in error,
please notify the sender immediately and delete this
message from your system. We believe that this email
and any attachments are free of any virus or other defect
that might affect any computer system that it is received
and opened in, however, it is the responsibility of the
recipient to ensure that it is virus free and the sender
accepts no responsibility for any loss or damage.
------------------------------
Message: 20
Date: Thu, 26 Apr 2007 12:27:25 -0500
From: "Katie Felten" <kfelten at gmail.com>
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm
To: "'Patrick Hack'" <Phack at 4thebank.com>, <dataloss at attrition.org>
Message-ID: <000801c78828$29df7c10$7d9e7430$@com>
Content-Type: text/plain; charset="us-ascii"
P, my thoughts exactly when I read this article this morning
Katie Felten, CITRMS
Data Security & Privacy Specialist
Certified Identity Theft Risk Management Specialist
www.getsmartcomply.com
K Felten & Associates, LLC
N78W14573 Appleton Ave #297
Menomonee Falls, WI 53051
Direct 262-227-0772
Katie at k-felten.com
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of Patrick Hack
Sent: Thursday, April 26, 2007 11:15 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm
Just wondering, how do you 'Accidentally' take private customer information
as you're leaving employment and 'Accidentally' post it to your personal web
site? This sure sounds like straight-up data theft to me.
P. Hack
>>> lyger <lyger at attrition.org> 4/26/2007 11:01 AM >>>
http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html
Payroll processing firm Ceridian Corp. accidentally leaked employee data
from a New York advertising firm on a Web site, the company confirmed
Thursday.
Bloomington-based Ceridian (NYSE: CEN) notified New York advertising
company Innovation Interactive last week, after it learned that it had
inadvertently leaked ID and bank-account data on 150 employees, company
spokesman Pete Stoddart said.
Ceridian said a former employee accidentally posted the information on a
personal Web site. The employee took the data by accident after leaving
the company in March 2006.
[...]
------------------------------
Message: 21
Date: Thu, 26 Apr 2007 23:37:58 +0000 (UTC)
From: security curmudgeon <jericho at attrition.org>
Subject: [Dataloss] slightly OT: LifeLock Identity Theft Protection
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704262336290.6752 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
http://www.lifelock.com/
My name is Todd Davis
This is my social security number 457-55-5462
"I'm Todd Davis, CEO of LifeLock. Yes, that really is my social security
number. No I'm not crazy. I'm just sure our system works. Just like we
have with mine, LifeLock will make your personal information useless to a
criminal. And it's GUARANTEED."
Here at LifeLock, We Guarantee Your Good Name.
No one else does because no one else can.
http://www.lifelock.com/our-guarantee
$1 Million Guarantee
Our $1 Million Guarantee
Our Guarantee is simple. If you are our client when someone steals your
personal information and subsequently misuses it, we will reimburse any
and all direct expenses that you incur and pay for professionals with the
proper expertise. The maximum amount that we will pay is $1 million over
the life of the incident. We provide this guarantee because we are so
confident in our product. Direct expenses include lost wages,
long-distance calls, postage and other miscellaneous costs in addition to
any funds that are actually stolen from you or a third party that holds
you responsible. If you need an attorney to help resolve the claims, we
will select them and manage the case on your behalf.
Your request must not be fraudulent and you must tell us of the event
within 30 days of first learning of it.
How the Guarantee Works:
If your Identity is used by a third party without your consent, we will do
the following:
1. We will pay any direct expenses you incur subject to the terms
below. Usually, we will advance these costs on your behalf. If we do that,
you must assign your guarantee request to any such reimbursement by any
third party. For example, if your bank charges you fees because someone
else used your credit card and it took you over your limit, we will ensure
that you are reimbursed that money promptly. If the bank doesn't do it,
then we will and if and when the professionals we hire to assist you get
the bank to refund the money, you agree that it will be sent to us or
that, if paid directly to you, that you will send it to us as soon as you
receive it.
2. If the amount involved is over $1,000, we reserve the right to
investigate the guarantee request and conclude that the claim is valid.
For instance, if you are arrested for bank fraud and you assert that you
did not commit the crime and that someone else stole your identity to
commit the crime, we will investigate your assertion. If we are confident
that you did not commit the crime, we will advance any legal fees, bail or
other costs required to get you out of jail and back to your life. We will
perform our investigation with all due haste and we will render our
decision as quickly as we can. The standard we will use is that if any
reasonable person would come to the conclusion that you are not
responsible, we will as well. Once we are comfortable that you are
innocent due to Identity Theft that occurred while you are our client, we
will advance all fees and costs as discussed above. Note that we do not
necessarily require that you are found innocent by the authorities before
performing on our guarantee.
3. If it turns out that our investigation is wrong and that you
misrepresented a loss or that you weren't our client when it happened, you
agree to pay us back any amount we have advanced or incurred on your
behalf upon demand, including any costs we incur to collect the money from
you. Being found guilty of the crime which you attributed to Identity
theft is sufficient evidence to conclude that we are entitled to recover
all amounts advanced or paid on your behalf as described above.
4. Should we, however, decline your guarantee request and you are found
innocent due to the fact that someone used your Identity to commit the
crime, we will then honor our guarantee and pay you $10,000 for the
hardship you suffered. You agree that we are not liable for any additional
costs or awards for any reason.
That's it. No more fancy language.
------------------------------
Message: 22
Date: Fri, 27 Apr 2007 01:59:19 +0000 (UTC)
From: security curmudgeon <jericho at attrition.org>
Subject: Re: [Dataloss] slightly OT: LifeLock Identity Theft
Protection
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704270153530.6752 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Thu, 26 Apr 2007, security curmudgeon wrote:
: http://www.lifelock.com/
:
: My name is Todd Davis
: This is my social security number 457-55-5462
My post was not an endorsement of lifelock.com, Todd Davis or anything
else. This post was made because I found it surprising that a CEO would
post his own social security number "proving" his own service, something
that other services don't do.
Attrition does not have any affiliation with lifelock.com or any other
company/service that provides identity theft protection. Until earlier
this evening, neither Lyger nor myself had heard of lifelock.com despite
their "million dollar advertising campaign" (from what we were later
told).
If anyone has any comments, criticisms or rebuttal of my post, we will
selectively post them if they are fair, reasonable and cite their sources.
By reading this mail you absolve myself and attrition.org of any
wrongdoing, pinkie swear you will eat a twinkie before midnight and will
print and shred this message if it was not intended for you.
- Jericho
------------------------------
Message: 23
Date: Thu, 26 Apr 2007 20:21:24 -0500
From: Chris Walsh <chris at cwalsh.org>
Subject: Re: [Dataloss] slightly OT: LifeLock Identity Theft
Protection
To: security curmudgeon <jericho at attrition.org>
Cc: dataloss at attrition.org
Message-ID: <F948F5A7-6D3C-4E15-B9B1-F9464F7AAE75 at cwalsh.org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Great.
Now lyger's gonna have to send out a notification letter to the guy.
Couldn't you have ROT13'd the email to avoid this?
:^)
Chris
On Apr 26, 2007, at 6:37 PM, security curmudgeon wrote:
>
> http://www.lifelock.com/
>
> My name is Todd Davis
> This is my social security number 457-55-5462
>
> "I'm Todd Davis, CEO of LifeLock. Yes, that really is my social
> security
> number. No I'm not crazy. I'm just sure our system works. Just like we
> have with mine, LifeLock will make your personal information
> useless to a
> criminal. And it's GUARANTEED."
------------------------------
Message: 24
Date: Fri, 27 Apr 2007 15:22:29 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] 175 told of possible computer security incident at
Purdue
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704271521320.1933 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
(from April 24, 2007)
http://news.uns.purdue.edu/x/2007a/070424KsanderEngineer.html
Purdue University is informing 175 people who were students in fall 2001
that a Web page containing information about them was inadvertently
available on the Internet.
The page, which was no longer in use but was on a computer server
connected to the Internet, contained names and Social Security numbers of
students who were enrolled in a freshman engineering honors course and
were scheduling to meet with advisers. Although forgotten, the page had
been indexed by Internet search engines and consequently was available to
individuals searching the Web.
The page has been removed and, at Purdue's request, Yahoo and Google have
removed the page from their indexes and cache. Letters are in the mail to
those potentially affected.
[...]
------------------------------
Message: 25
Date: Sat, 28 Apr 2007 01:47:50 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Caterpillar Says Employee Data Stolen
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704280146040.21501 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
(if anyone can find verifiable details on number affected or type of
information, please let us know)
http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2007/04/27/financial/f172558D76.DTL&type=business
Caterpillar Inc. said late Friday that a laptop computer containing
personal data on employees was stolen from a benefits consultant that
works with the company.
Caterpillar spokesman Rusty Dunn declined to provide many details Friday.
"This is an open investigation and we're not prepared to get into any
specifics," Dunn said.
He said one laptop computer was stolen earlier this month, but didn't say
where the theft took place or identify the consultant.
Dunn declined to say how many employees were affected.
[...]
------------------------------
Message: 26
Date: Sat, 28 Apr 2007 02:12:56 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] FEMA's 'Unfortunate' Privacy Disaster
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704280211580.21501 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
From April 23, 2007
http://www.washingtonpost.com/wp-dyn/content/article/2007/04/22/AR2007042201362.html
Sometimes when they are not busy dealing with natural disasters, FEMA
folks just make up their own. We got this letter the other day from Glenn
M. Cannon, assistant administrator in the Disaster Operations Directorate.
"Dear Disaster Generalist," he wrote to about 2,300 people on April 16,
"an unfortunate administrative processing error at FEMA . . . has resulted
in the printing of Social Security numbers on the outside address labels
of Disaster Assistance Employee (DAE) . . . reappointment letters."
The mail distribution center mishandled the letters, he said, creating
this "unintentional release of Privacy Act information."
[...]
------------------------------
Message: 27
Date: Fri, 27 Apr 2007 22:45:03 -0500
From: Chris Walsh <chris at cwalsh.org>
Subject: [Dataloss] NY AG settles first data breach case
To: dataloss at attrition.org
Message-ID: <738474A5-36BC-4B2E-9A52-AADE095DDDE1 at cwalsh.org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
By Sharon Gaudin
InformationWeek
April 27, 2007 01:32 PM
The New York Attorney General has obtained the first settlement under
the state's new security breach notification law.
Attorney General Andrew Cuomo announced Thursday that it has reached
an agreement with CS Stars LLC, a Chicago-based claims management
company, to implement precautionary procedures, comply with New
York's notification law in the event of another security breach, and
pay $60,000 to the AG's office for investigation costs.
On May 9, 2006, an employee at CS Stars noticed that a computer was
missing that held personal information, including the names,
addresses, and Social Security numbers of recipients of workers'
compensation benefits, according to the AG's office. The New York
Special Funds Conservation Committee, a not-for-profit organization
created to assist in providing benefits to workers under the New York
Workers' Compensation Law, was the owner of the data contained in the
missing computer.
It was not until June 29, 2006 that CS Stars first notified Special
Funds of the security breach, the AG's office reported. On the same
date, the company notified the FBI, as well. The FBI instructed the
company to not send out any notifications to people who might be
affected by the data breach because it might impede their investigation.
According to the AG's release, CS Stars notified the Attorney
General's office, the Consumer Protection Board, and the state office
of Cyber Security about the breach on June 30, 2006. Then on July 18,
with the permission of the FBI, the company began
sending out notices to the approximately 540,000 potentially affected
New York consumers notifying them of the security breach.
[...]
Via http://www.informationweek.com/news/showArticle.jhtml?articleID=199202218
------------------------------
Message: 28
Date: Sat, 28 Apr 2007 21:47:15 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] N. Texas Company Posted Private Information Online
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704282145530.6533 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
http://www.nbc5i.com/money/13207482/detail.html
A North Texas company posted online the private information of hundreds of
job applicants, NBC 5 reported.
Couriers On Demand, run by Kyle Bowers, made available for public viewing
names, addresses, phone numbers, Social Security numbers and drivers
license numbers on its Web site, NBC 5 reported.
Attorney Cami Boyd, who specializes in data privacy, said the company
should have been encrypting its data behind a secure firewall. Without
taking those precautions, she said, it is in violation of state law and
federal law.
[...]
------------------------------
Message: 29
Date: Sun, 29 Apr 2007 07:36:44 -0400
From: "Rodney Wise" <rwise29210 at gmail.com>
Subject: [Dataloss] Is it just about credit?
To: dataloss at attrition.org
Message-ID:
<24e2acc50704290436u343d7975y1645480e00c9cd9e at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
(In his best Columbo accent).... There is just one more thing ma'am... I am
having trouble understanding a few things... gee do ya think you could help
me out here?
I have a few questions for discussion by the group. I have seen time and
time again that companies that have been compromised have offered credit
monitoring to help REDUCE any monetary damages that might be gained from
lawsuits. It is not just about credit. You can lock it down for your life
and still have problems.
Question 1
Is it just about your credit?
If someone gets your SSN or SIN (Canada) they can do a lot more than get
cash. If they get medical treatment for ... I don't know ... a heart problem
or even... HIV do you think you will ever get insurance again?
Question 2
What about death and taxes?
Well if you are in the US without the proper permissions to be here in most
situations you MUST have 2 forms of identity to gain employment: an SSN AND a
driver's license number. If they have YOUR SSN and get employment that can
put you in another tax bracket owing more money than the job they are doing
will be deducting for taxes.
What if that happens multiple times? There is NO verification process in
place that will tell an employer that it is not you. It will just verify it
is a valid number.
Let's go one more step further...
I get your Driver License Number from a check you give me. I make $5/hr at a
retail store and see several of these a day, I can sell this for about $50
(read 10 hours of work) for each one. You are flying to that city where what
happens there stays there and use your DLN as your ID. OOPS I forgot to tell
you I used your number when I got pulled over for a DUI. YOU now have a
criminal record.
Question 3
How does credit monitoring help these problems?
Question 4
What does the federal government REQUIRE businesses to do to help reduce
data theft?
Five things.
1. Take Stock... like an inventory of your data
2. Scale Down... What do you REALLY need
3. Lock it down... Protect it
4. Pitch it... READ SHRED
5. Plan Ahead... create a written plan
http://www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf
Question 5
If you read the publication, is this too much to ask of the companies we
willingly give our data to?
Rodney Wise
http://pplriwse.blogspot.com
------------------------------
Message: 30
Date: Sun, 29 Apr 2007 17:39:20 +0000 (UTC)
From: security curmudgeon <jericho at attrition.org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health
care)
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704291727340.28887 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII
: Question 1
: Is it just about your credit?
:
: If someone gets your SSN or SIN (Canada) they can do a lot more than get
: cash. If they get medical treatment for ... I don't know ... a heart
: problem or even... HIV do you think you will ever get insurance again?
Hopefully someone in the health care industry can speak up on this but a
few points.
Many (most? all?) hospitals require photo ID for everything now. While we
know that a bad guy can do a full identity theft, including getting a new
license or birth certificate, it does require a dedicated person. They ask
for the photo ID with insurance card, which you'd also have to get issued.
Some hospitals actually train their staff (a full class) on handling photo
ID, recognizing aspects that would be suspicious (birth date, etc) and how
to respond. This has led to some cases where the person using a stolen
identity received medical treatment, walked out of the hospital all better,
only to be arrested immediately as the hospital staff watched (they knew
what was going on but wouldn't deny treatment of course).
Some hospitals use computer systems that have routines specifically
designed to flag possible identity theft. Various incidents (most related
to billing I assume) will flag a record with a potential identity theft
marker which is visible to any hospital employee who loads the record.
Employees are trained to act normal and provide treatment but call a
special security number (internal to the hospital) and trained security
staff respond.
This leads one to wonder if the DMV when re-issuing a license might notice
discrepancies. Eye color goes from blue to brown, hair color, height,
weight .. how many changes before someone says "wait"?
------------------------------
Message: 31
Date: Sun, 29 Apr 2007 18:36:50 +0000 (UTC)
From: nepen <nepen at attrition.org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health
care)
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704291758540.23987 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Sun, 29 Apr 2007, security curmudgeon wrote:
>
> : Question 1
> : Is it just about your credit?
> :
> : If someone gets your SSN or SIN (Canada) they can do a lot more than get
> : cash. If they get medical treatment for ... I don't know ... a heart
> : problem or even... HIV do you think you will ever get insurance again?
>
> Hopefully someone in the health care industry can speak up on this but a
> few points.
>
> Many (most? all?) hospitals require photo ID for everything now. While we
> know that a bad guy can do a full identity theft, including getting a new
> license or birth certificate, it does require a dedicated person. They ask
> for the photo ID with insurance card, which you'd also have to get issued.
> Some hospitals actually train their staff (a full class) on handling photo
> ID, recognizing aspects that would be suspicious (birth date, etc) and how
> to respond. This has led to some cases where the person using a stolen
> identity received medical treatment, walked out of the hospital all better,
> only to be arrested immediately as the hospital staff watched (they knew
> what was going on but wouldn't deny treatment of course).
Just a note, but back when I had absolutely no way to prove who I was, the
ER would treat me. This was post 9-11, and the hospital had significantly
upgraded their security procedures.
ERs have charity care programs, however, for those who cannot pay, and
they are [or mine was] retroactive. If you state that you cannot pay upon
arriving, they will set up an appointment for you. I don't really see an
issue there with ID theft unless someone is deliberately attempting to
keep their particular ailment off of their own record. The requirements
for these programs [at least here] are relatively loose, but usually last
only one year, at which time you must re-file.
You may be able to pull it off for minor problems that are put through
Fast-Track [but charity care, at least in my state, covers that 100%], but
if you go in with heart problems you may wake up 10 hours later handcuffed
to your bed after your open-heart surgery.
> This leads one to wonder if the DMV when re-issuing a license might notice
> discrepancies. Eye color goes from blue to brown, hair color, height,
> weight .. how many changes before someone says "wait"?
That's the beauty of contact lenses [particularly blue to brown--brown to
blue not so easy to pull off], hair and weight don't seem like big issues,
and depending upon the age of the person, a one or two inch height
discrepancy doesn't seem like a big deal.
My mother had no problems getting her license--she went when I went--and
she's changed her hair colour, weight, and height. If I'd have given her a
pair of blue contact lenses, I'd doubt they'd have even noticed. Her
previous license had no photo.
Though at the NJ DMV, I was able to receive my ID and /bypass/ their "6
point identification system" which requires a certain amount of documents
worth a certain number of points, adding up to 6, before you're able to
get a license or photo ID. I was also able to do this at the SSA. This was
all relatively recently--this month, in fact. All the SSA required was a
note from my doctor--who simply wrote everything I told him to write when
it came to my description--in lieu of their new post-9/11 requirements.
For my birth certificate: I never had to get out of the car.
It seems to me that everyone now has to juggle leniency for those who have
fallen through the cracks with vigilance for those who are exploiting the
system. I spent hours worrying about how I would be able to get my new
Social Security Card or meet the DMV's 6 points, and I had absolutely no
problem doing either. It was incredibly easy.
It seems like this transitioning issue, where they are accommodating
people unable to meet the new requirements, might be the easiest point of
abuse.
nepen
------------------------------
Message: 32
Date: Sun, 29 Apr 2007 19:43:46 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] UNM says some employee information on stolen
laptop
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704291943030.31072 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
http://kob.com/article/stories/S72768.shtml?cat=517
University of New Mexico officials say personal information for 3,000
employees may have been stored on a laptop computer that was stolen.
The university notified the employees by e-mail that some personal
information may have been on a laptop taken Wednesday from a San Francisco
office.
University officials learned of the theft Friday from an outside
consultant working on UNM's human resource and payroll systems.
[...]
------------------------------
Message: 33
Date: Sun, 29 Apr 2007 18:51:24 -0400
From: "Rodney Wise" <rwise29210 at gmail.com>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health
care)
To: "security curmudgeon" <jericho at attrition.org>
Cc: dataloss at attrition.org
Message-ID:
<24e2acc50704291551x683b6e86off6a59e2455c90df at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
I guess the basic question is:
As people who are aware of data breaches how can we alert others that it is
NOT just about credit.
Rodney
On 4/29/07, security curmudgeon <jericho at attrition.org> wrote:
>
>
> : Question 1
> : Is it just about your credit?
> :
> : If someone gets your SSN or SIN (Canada) they can do a lot more than get
> : cash. If they get medical treatment for ... I don't know ... a heart
> : problem or even... HIV do you think you will ever get insurance again?
>
> Hopefully someone in the health care industry can speak up on this but a
> few points.
>
> Many (most? all?) hospitals require photo ID for everything now. While we
> know that a bad guy can do a full identity theft, including getting a new
> license or birth certificate, it does require a dedicated person. They ask
> for the photo ID with insurance card, which you'd also have to get issued.
> Some hospitals actually train their staff (a full class) on handling photo
> ID, recognizing aspects that would be suspicious (birth date, etc) and how
> to respond. This has led to some cases where the person using a stolen
> identity received medical treatment, walked out of the hospital all better,
> only to be arrested immediately as the hospital staff watched (they knew
> what was going on but wouldn't deny treatment of course).
>
> Some hospitals use computer systems that have routines specifically
> designed to flag possible identity theft. Various incidents (most related
> to billing I assume) will flag a record with a potential identity theft
> marker which is visible to any hospital employee who loads the record.
> Employees are trained to act normal and provide treatment but call a
> special security number (internal to the hospital) and trained security
> staff respond.
>
> This leads one to wonder if the DMV when re-issuing a license might notice
> discrepancies. Eye color goes from blue to brown, hair color, height,
> weight .. how many changes before someone says "wait"?
>
>
--
Rodney Wise
http://pplriwse.blogspot.com
------------------------------
Message: 34
Date: Sun, 29 Apr 2007 23:32:01 +0000 (UTC)
From: nepen <nepen at attrition.org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health
care)
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704292309010.9463 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Sun, 29 Apr 2007, Rodney Wise wrote:
> I guess the basic question is:
>
> As people who are aware of data breaches how can we alert others that it
> is NOT just about credit.
>
> Rodney
Simple: Research the potential results of dataloss that do not involve
identity theft/credit issues, write about these new ideas, and put the
information out there.
Notsosimple: Hope for interest, particularly if there is some sort of
marketable protection against these other outcomes. Sadly, the ability for
someone to profit from offering services to protect against these
potential non-credit-related outcomes of dataloss events may have an
effect on whether or not there is much interest in them.
Research, write, publish: Create awareness and cross your fingers?
nepen
------------------------------
Message: 35
Date: Sun, 29 Apr 2007 19:27:59 -0700
From: J Beebe <j.beebe at cox.net>
Subject: Re: [Dataloss] The cost of doing business?
To: dataloss at attrition.org
Message-ID: <20070430022820.KICS24310.fed1rmmtao104.cox.net at fed1rmimpo01.cox.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed
Here's a link to the complaint filed by the Mass. Bankers Assoc.
It notes that they and the other 2 bankers assocs. are asking for
"tens of millions of dollars."
https://www.massbankers.org/pdfs/DataBreachSuitNR5.pdf
Should be interesting.
JB
At 03:59 AM 4/25/2007, Rodney Wise wrote:
>Bank groups in 3 states plan to sue TJX over data theft
>http://www.mercurynews.com/businessheadlines/ci_5745507
>The Associated Press
>Article Launched: 04/25/2007 01:50:15 AM PDT
>
>BOSTON (AP) - Bank associations in Massachusetts, Connecticut and
>Maine said Tuesday that they will sue TJX over a data theft that
>exposed at least 45 million credit and debit cards to potential fraud.
>
>Banks have been saddled with costs to replace cards and cover
>fraudulent charges tied to the theft from TJX, the owner of nearly
>2,500 discount stores including T.J. Maxx and Marshalls.
>
>On Jan. 17, Framingham, Mass.-based TJX disclosed a breach of its
>computer systems by an unknown hacker or hackers who accessed card
>data from transactions as long ago as late 2002.
>On March 28, TJX said at least 45.7 million of its shoppers' cards had
>been compromised.
>--
>Rodney Wise
>http://pplriwse.blogspot.com
------------------------------
Message: 36
Date: Sun, 29 Apr 2007 20:41:43 -0500
From: Al Mac <macwheel99 at sigecom.net>
Subject: Re: [Dataloss] Is it just about credit?
To: "Data Loss Incidents" <dataloss at attrition.org>
Message-ID: <6.2.1.2.1.20070429195335.02a52360 at mail.sigecom.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed
How difficult is it for the criminal underworld to manufacture fake
driver's licenses?
The photo id looks exactly like the person carrying it (it is their photo),
but the identity is whoever's identity they stole. Such an id can be used to
help get a job, get medical treatment, anything such a fake id is used for.
It does not matter if there is a thumb print on there, because the fake id
has the photo and thumb print of the crook instead of the real person who has
the real license that was issued by the state DMV.
You are right that the DMV record ought to have eye color, hair color etc.
But one of the types of data theft has been entire DMV databases.
Crooks in the fake id business can then match the identity to be stolen with
the person needing a fake id with similar characteristics ... eye color, hair
color, gender, approx age, etc.
This will cease to work when the photo id gets scanned in some place to
compare it to the official copy in DMV records, unless crooks have the
sophistication to also mess with the official records, or the communication
between the police car check point and the official records. I expect it will
be pretty rare for people running around with fake ids to have the kinds of
hacker skills to spoof in real time whatever is done to validate the photo or
thumb print on the fake id.
A small fortune is spent on protecting the nation's currency from
counterfeiting, and yet there still are people who get away with passing
counterfeit money. Nothing like that expense can be incurred to protect
individual states from having fraudulent driver's licenses and other
identification in circulation.
A while back, the state of Colorado sorted employee tax reporting data by
SSN to get a count of how many different places the same SSN was being used
... I think the biggest was like 50 or 100 employers that had someone
simultaneously working there with the same SSN. We can reasonably assume that
if other US states were to do this, they might get similar numbers. Bigger in
the more populated states. Similar story in other nations.
The feds have done this with critical infrastructure ... people working at
the Pentagon, nuclear weapons facilities, etc. & yes, found lots of
fraudulent identities there. We can hope most of them are people who just
need a job, not many potential terrorists in the bunch.
Is there a serious risk that the states will crack down on the real people,
in whose names those 50 other people are using their SSN? Or is there a
temptation for states to look the other way, since this is tax money being
paid for services that the fake SSN holders may be less likely to claim
than valid SSN holders?
You may be better off with a bunch of people paying extra taxes in your
name than with only one of them. Except with how easy it is to fraudulently
claim an income tax refund, which is a big problem for the IRS, and also for
the person in whoever's name this got done.
More risks than you said.
You don't even get on the plane at the airport to go home, because your
identity was used by someone stopped by the police, let go on minimal bail,
supposed to return for a court date, never did. Now you have the legal
expense of proving you are not whoever that is running around the country
committing more crimes in your name.
Let's suppose the real Rodney Wise is in the hospital for serious
treatment, and while there, persons with a fake identity for Rodney Wise
steal his car, sell it, occupy his home, sell everything there, get a second
mortgage on it, sell the house, run up ungodly bills, clean out bank
accounts. The real Rodney gets out of the hospital & tries to go home, and is
arrested as an intruder in a home that now belongs to someone else. This has
happened to people in nations where possession is 9/10 of the law.
Credit monitoring helps with some of the problems but we need more.
Some day, DNA testing will be as rapid as sticking some skin cells or spit
into a gadget that will say "You were born in nation X, are legally in nation
Y, have a blood relative criminal Z" and we pray that long before that
reality the databases are locked down with good support for people to correct
errors about themselves.
-
Al Macintyre
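Two of the checks discussed in this message are simple enough to show as working code: the Colorado-style count of how many distinct employers report wages under one SSN, and the comparison of a presented license against the official DMV record that Al Mac expects to defeat lookalike fake ids (and that Rodney's "how many changes before someone says wait" question is about). The following is an added example written for this digest, not code from any state agency or from anyone on the list. The wage-report rows are constructed, and the reuse threshold, the height and weight tolerances and the max_changes policy are assumptions chosen for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of state wage-reporting rows (employer id, reported SSN,
# employee name). These are made-up values for the example, not records from
# any state or from the thread.
SAMPLE_WAGE_REPORT = """employer_id,ssn,employee_name
E100,123-45-6789,A. Person
E101,123456789,A. Person
E102,123-45-6789,B. Other
E103,123-45-6789,C. Third
E200,987-65-4321,D. Fourth
E201,987-65-4321,D. Fourth
E300,555-55-5555,E. Fifth
"""


def normalize_ssn(raw):
    """Reduce an SSN to its nine digits so '123-45-6789' and '123456789' match."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 9:
        raise ValueError(f"malformed SSN field: {raw!r}")
    return digits


def employers_per_ssn(csv_text):
    """Map each SSN to the number of distinct employers reporting wages for it."""
    employers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        employers[normalize_ssn(row["ssn"])].add(row["employer_id"])
    return {ssn: len(ids) for ssn, ids in employers.items()}


def flag_reused_ssns(csv_text, threshold=3):
    """Return (ssn, employer_count) pairs at or above the threshold, most reused first.

    The threshold is an assumption for the example: a few employers in one
    year is ordinary job-hopping, dozens is the pattern the message describes.
    """
    counts = employers_per_ssn(csv_text)
    flagged = [(ssn, n) for ssn, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda pair: (-pair[1], pair[0]))


# Physical descriptors on a license record, as listed in the thread.
DESCRIPTOR_FIELDS = ("dob", "eye_color", "hair_color", "height_in", "weight_lb")


def compare_to_record(presented, official, height_tol_in=1, weight_tol_lb=25):
    """List descriptor fields on a presented ID that disagree with the official record.

    Tolerances are assumptions: weight drifts legitimately, adult height barely
    does; date of birth, eye color and hair color are compared exactly.
    """
    discrepancies = []
    for field in DESCRIPTOR_FIELDS:
        p, o = presented[field], official[field]
        if field == "height_in":
            mismatch = abs(p - o) > height_tol_in
        elif field == "weight_lb":
            mismatch = abs(p - o) > weight_tol_lb
        else:
            mismatch = str(p).strip().lower() != str(o).strip().lower()
        if mismatch:
            discrepancies.append(field)
    return discrepancies


def needs_review(presented, official, max_changes=1):
    """Decide whether a renewal goes to a human: any DOB mismatch, or more than
    max_changes descriptor discrepancies. max_changes is an assumed policy value."""
    diffs = compare_to_record(presented, official)
    return "dob" in diffs or len(diffs) > max_changes


if __name__ == "__main__":
    print(flag_reused_ssns(SAMPLE_WAGE_REPORT))
    official = {"dob": "1970-01-01", "eye_color": "blue", "hair_color": "brown",
                "height_in": 70, "weight_lb": 180}
    presented = dict(official, eye_color="brown", hair_color="black")
    print(compare_to_record(presented, official), needs_review(presented, official))
```

The SSN check is deliberately a count of distinct employers rather than rows, since one employer filing several quarters for the same worker is normal; the record comparison treats a date-of-birth mismatch as disqualifying on its own because, unlike weight or hair color, it has no legitimate reason to change between issuances.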
------------------------------
Message: 37
Date: Sun, 29 Apr 2007 23:47:24 -0500
From: Chris Walsh <chris at cwalsh.org>
Subject: Re: [Dataloss] Is it just about credit?
To: Data Loss Incidents <dataloss at attrition.org>
Message-ID: <9E72B570-5BCC-4F3C-B9D2-0D6DDD7EF078 at cwalsh.org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Here in IL, we just had a high-profile federal bust of some folks who
were allegedly selling fake drivers' licenses and fake SocSec cards
as a combo pack for $300. This was in a section of Chicago with many
undocumented workers. Reports are that this is undoubtedly so the
buyers can work in the US, but of course the news coverage says that
the sellers don't exactly care why someone is looking for ID as long
as they have the $$.
In this particular instance, the Feds say they acted because the gang
allegedly selling these IDs had murdered someone who tried to go into
competition with them. Clearly, then, the cost of production of
these IDs is less than the $300, or else the dead guy would have been
no threat since he could not possibly undercut the gang.
On Apr 29, 2007, at 8:41 PM, Al Mac wrote:
> How difficult is it for the criminal underworld to manufacture fake
> driver's licenses?
------------------------------
Message: 38
Date: Mon, 30 Apr 2007 11:15:00 -0400
From: Adam Shostack <adam at homeport.org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health care)
To: Rodney Wise <rwise29210 at gmail.com>
Cc: security curmudgeon <jericho at attrition.org>, dataloss at attrition.org
Message-ID: <20070430151500.GB8860 at homeport.org>
Content-Type: text/plain; charset=us-ascii
On Sun, Apr 29, 2007 at 06:51:24PM -0400, Rodney Wise wrote:
| I guess the basic question is:
|
| As people who are aware of data breaches how can we alert others that it
| is NOT just about credit.
We used to use words like 'privacy' or 'data protection.' To
Jericho's point, I'd argue that the problem is central medical
databases, and upgrading the trusted third parties to control what
goes in them is just poor thinking.
Adam
|
| On 4/29/07, security curmudgeon <jericho at attrition.org> wrote:
|
|
| : Question 1
| : Is it just about your credit?
| :
| : If someone gets your SSN or SIN (Canada) they can do a lot more than get
| : cash. If they get medical treatment for ... I don't know ... a heart
| : problem or even... HIV do you think you will ever get insurance again?
|
| Hopefully someone in the health care industry can speak up on this but a
| few points.
|
| Many (most? all?) hospitals require photo ID for everything now. While we
| know that a bad guy can do a full identity theft, including getting a new
| license or birth certificate, it does require a dedicated person. They ask
| for the photo ID with insurance card, which you'd also have to get issued.
| Some hospitals actually train their staff (a full class) on handling photo
| ID, recognizing aspects that would be suspicious (birth date, etc) and how
| to respond. This has led to some cases where the person using a stolen
| identity received medical treatment, walked out of the hospital all better,
| only to be arrested immediately as the hospital staff watched (they knew
| what was going on but wouldn't deny treatment of course).
|
| Some hospitals use computer systems that have routines specifically
| designed to flag possible identity theft. Various incidents (most related
| to billing I assume) will flag a record with a potential identity theft
| marker which is visible to any hospital employee who loads the record.
| Employees are trained to act normal and provide treatment but call a
| special security number (internal to the hospital) and trained security
| staff respond.
|
| This leads one to wonder if the DMV when re-issuing a license might notice
| discrepancies. Eye color goes from blue to brown, hair color, height,
| weight .. how many changes before someone says "wait"?
|
|
|
|
|
| --
| Rodney Wise
| http://pplriwse.blogspot.com
------------------------------
Message: 39
Date: Mon, 30 Apr 2007 23:51:50 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] (update) Stolen Caterpillar laptop contained employees personal information
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704302349010.20529 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
(now disclosed that SSNs were on the stolen laptop. other reports have
also disclosed that the laptop belonged to an "SBA Inc." located in
Georgia.)
http://www.wjbc.com/wire2/news/01943_Caterpillar-Data-WEB_145542.htm
Caterpillar Incorporated told employees in a letter that a laptop stolen
this month contained current and former workers' Social Security numbers,
banking information and addresses. Peoria-based Caterpillar has declined
to say how many of its roughly 95-thousand employees were affected but has
set up a call center to answer their questions.
[...]
------------------------------
_______________________________________________
Dataloss mailing list
Dataloss at attrition.org
https://attrition.org/mailman/listinfo/dataloss
End of Dataloss Digest, Vol 15, Issue 3
***************************************