[Dataloss] slightly OT: LifeLock Identity Theft

Tom Widman twidman at identityfraud.com
Tue May 1 02:12:06 UTC 2007


The lifelock program is interesting and while I have some familiarity, I
don't have all the details. 

>From what I see, the LifeLock product can help reduce the chances of one
becoming a victim of ID Theft, although marginally, since managing credit
bureau fraud alerts (which is what it does) only addresses part of the
problem. There are many other types of ID Theft that occur that have nothing
to do with credit. Thus, in my view, the "product" guarantee is off-base
since fraud alerts don't stop 60-80% of other types of frauds (depending on
whose statistics you view). However, the guarantee of $1 million is unique
and ideally makes up for the other types of fraud that can and do occur, if
these other types of fraud are covered since they unrelated to the product.
My concern for lifelock is about consumer marketing practices and properly
conveying what your product does, and also practicing what you preach.

For example, this is from their Terms and Conditions:

1. Your Account:  You agree that you are who you say you are when you enroll
and that you will not purposely engage in behavior that will put your
Identity at unnecessary risk, such as leaving your PIN or passwords in
obvious places, publishing your Social Security Number, etc.  
__

I think other vendors do not post their SSN's because from a risk and
prudence standpoint, it is irresponsible. It's not good for Doctors to tell
you to stop smoking cigarettes while they continue to smoke them. Since
lifelock does not cover the exposure the CEO is engaging (and advertising),
I believe they are increasing their own consumer liability exposure. BUT, I
must admit that from a marketing standpoint, it garners excellent attention.


We try to track the various offers since we are one of the pioneers in the
identity protection space, having started development back in 1997. Identity
protection is a very young industry with a lot of variety between offerings.
We promote risk management that essentially says, do the best you can at
prevention and have some remedies in place when id theft occurs, whether
prevention & remedies are from lifelock, a homeowners insurer, Equifax, or
us, etc. it is simply prudent to engage certain solutions.

T Widman


-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of dataloss-request at attrition.org
Sent: Monday, April 30, 2007 4:52 PM
To: dataloss at attrition.org
Subject: Dataloss Digest, Vol 15, Issue 3

Send Dataloss mailing list submissions to
	dataloss at attrition.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://attrition.org/mailman/listinfo/dataloss
or, via email, send a message with subject or body 'help' to
	dataloss-request at attrition.org

You can reach the person managing the list at
	dataloss-owner at attrition.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dataloss digest..."


Today's Topics:

   1. Texas AG: CVS Dumped Customers' Records (lyger)
   2. Wireless Security Puts IRS Data at Risk (Richard Forno)
   3. Hackers, laptop thieves compromise personal information of
      17, 500 at Ohio State in separate incidents (lyger)
   4. UCSF computer server with research subject information	is
      stolen (lyger)
   5. Personal data of NMSU students posted online (lyger)
   6. Los Alamos warns workers about identity theft (lyger)
   7. Federal Database Exposes Social Security Numbers (lyger)
   8. (update) Fed Breach Leaks Social Security Numbers (lyger)
   9. (update) Fed breach leaks Social Security numbers (lyger)
  10. USDA Narrows List to 38,700... (lyger)
  11. Counter Strike Struck (rwise29210 at gmail.com)
  12. Does a data loss of one count if she is famous? It just	isn't
      for "Ordinary People" anymore. (rwise29210 at gmail.com)
  13. Administravia: List Reminders and Changes (lyger)
  14. Neiman says employee data stolen (lyger)
  15. Baltimore Co. Laptop Stolen With Personal Info (lyger)
  16. The cost of doing business? (Rodney Wise)
  17. (update) Darwin Professional Underwriters - Tech-404.com (lyger)
  18. Ceridian accidentally leaks data from NY firm (lyger)
  19. Re: Ceridian accidentally leaks data from NY firm (Patrick Hack)
  20. Re: Ceridian accidentally leaks data from NY firm (Katie Felten)
  21. slightly OT: LifeLock Identity Theft Protection
      (security curmudgeon)
  22. Re: slightly OT: LifeLock Identity Theft Protection
      (security curmudgeon)
  23. Re: slightly OT: LifeLock Identity Theft Protection (Chris Walsh)
  24. 175 told of possible computer security incident at Purdue (lyger)
  25. Caterpillar Says Employee Data Stolen (lyger)
  26. FEMA's 'Unfortunate' Privacy Disaster (lyger)
  27. NY AG settles first data breach case (Chris Walsh)
  28. N. Texas Company Posted Private Information Online (lyger)
  29. Is it just about credit? (Rodney Wise)
  30. Re: Is it just about credit? (question 1 / health care)
      (security curmudgeon)
  31. Re: Is it just about credit? (question 1 / health care) (nepen)
  32. UNM says some employee information on stolen laptop (lyger)
  33. Re: Is it just about credit? (question 1 / health care)
      (Rodney Wise)
  34. Re: Is it just about credit? (question 1 / health care) (nepen)
  35. Re: The cost of doing business? (J Beebe)
  36. Re: Is it just about credit? (Al Mac)
  37. Re: Is it just about credit? (Chris Walsh)
  38. Re: Is it just about credit? (question 1 / health care)
      (Adam Shostack)
  39. (update) Stolen Caterpillar laptop contained employees
      personal information (lyger)


----------------------------------------------------------------------

Message: 1
Date: Tue, 17 Apr 2007 22:33:18 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Texas AG: CVS Dumped Customers' Records
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704172232340.553 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


http://www.forbes.com/feeds/ap/2007/04/17/ap3621733.html

Texas Attorney General Greg Abbott sued CVS Corp. on Tuesday, alleging 
pharmacy employees dumped credit card numbers, medical information and 
other sensitive material from more than 1,000 customers into a garbage 
container.

The Rhode Island company was accused of failing to protect its customers 
from identity theft at the store in Liberty, about 45 miles northeast of 
Houston. The lawsuit alleges employees dumped the records behind a store 
that apparently was being vacated by CVS (nyse: CVS - news - people ).

CVS did not immediately return a telephone call seeking comment Tuesday.

[...]


------------------------------

Message: 2
Date: Tue, 17 Apr 2007 23:20:10 -0400
From: Richard Forno <rforno at infowarrior.org>
Subject: [Dataloss] Wireless Security Puts IRS Data at Risk
To: Infowarrior List <infowarrior at attrition.org>,
	"dataloss at attrition.org" <dataloss at attrition.org>
Message-ID: <C24B06AA.63F41%rforno at infowarrior.org>
Content-Type: text/plain;	charset="US-ASCII"


Would somebody kindly explain WTF the IRS is using wireless networking
anywhere in their IT environment???  -rf



April 17, 2007
Wireless Security Puts IRS Data at Risk
By THE ASSOCIATED PRESS
http://www.nytimes.com/aponline/technology/AP-IRS-Wireless-Security.html?_r=
1&oref=slogin&pagewanted=print

Filed at 10:57 p.m. ET

WASHINGTON (AP) -- Internal Revenue Service offices across the nation that
use wireless technology are still vulnerable to hackers, according to the
latest assessment of the agency's security policies released Tuesday.

Despite efforts to improve wireless security the past four years, the
Inspector General's assessment of 20 buildings in 10 cities discovered four
separate locations at which hackers could have easily gained access to IRS
computers using wireless technology.

There was no evidence that the computers were connected to the IRS network
at the time and no signs that any hacking had occurred, the report said.

''However, anyone with a wireless detection tool could pick up the wireless
signal and gain access to the computer,'' wrote Michael Phillips, the
Inspector General.

And if an employee had been connected to the IRS network, ''a hacker
conceivably could gain access to the IRS network,'' which contains sensitive
financial data of more than 226 million taxpayers, he added.

The vulnerabilities were discovered in Denver and at three other IRS
facilities in Texas and Florida.

Wireless networks are created by linking computers using hardware called
routers. The devices enable wireless laptop or mobile device users, such as
Treos, to send signals back and forth to each other. Data can be encrypted,
but the report said that software available on the Internet can decode the
encryption.

The inspector general's office said it used inexpensive wireless equipment
and software freely available on the Internet to scan the facilities for
wireless signals.

According to the report, the IRS also is not effectively monitoring its uses
of wireless technology. As of May 2006, the agency had scanned fewer than 6
percent of all IRS offices - mainly in the Washington, D.C., and Baltimore
metropolitan areas.

The inspector general's office recommended increased of the IRS network for
unapproved wireless devices and educating employees about security risks.
The report said the agency agreed with the IG's recommendations and will
implement them.




------------------------------

Message: 3
Date: Wed, 18 Apr 2007 19:22:09 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Hackers, laptop thieves compromise personal
	information of 17, 500 at Ohio State in separate incidents
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704181920380.13877 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


(update: another unrelated incident exposes another 3,500)

http://scmagazine.com/us/news/article/651562/hackers-laptop-thieves-compromi
se-personal-information-17500-ohio-state-separate-incidents/

On March 31 or April 1, a hacker using a foreign web address cracked a 
university firewall and accessed the names, Social Security numbers, 
employee ID numbers and birth dates of more than 14,000 current and former 
staff members, according to a university statement.

[...]

In an unrelated incident, the personal information of about 3,500 current 
and former chemistry students was compromised when two laptop computers 
were stolen from the home of a university professor on Feb. 24.

The laptops were likely not the target of the burglary, and were stolen 
with a number of other household items, according to Lynch.

Records stored in the laptops contained names, Social Security numbers and 
grades, according to the university.

[...]


------------------------------

Message: 4
Date: Thu, 19 Apr 2007 01:51:53 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] UCSF computer server with research subject
	information	is stolen
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704190150560.9570 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


http://pub.ucsf.edu/newsservices/releases/200704189/

A computer file server containing research subject information related to 
studies on causes and cures for different types of cancer was stolen from 
a locked UCSF office on March 30, 2007.

The server contained files with names, contact information, and social 
security numbers for study subjects and potential study subjects. For some 
individuals, the files also included personal health information.

[...]

Notification letters were sent Monday, April 16, to about 3,000 
individuals. Using backup files, UCSF officials are conducting an 
extensive analysis of the server data to determine as quickly as possible 
all the names involved in this incident.

[...]


------------------------------

Message: 5
Date: Thu, 19 Apr 2007 15:48:23 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Personal data of NMSU students posted online
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704191547200.16494 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


http://www.freenewmexican.com/news/60444.html

The names and Social Security numbers of more than 5,600 New Mexico State 
University students were accidentally posted on the school's Web site, but 
officials say odds are minimal that any students' identities were 
compromised.

The information was in a public section of the site for nearly two hours 
on April 5 before the mistake was caught.

The file was accessed by 14 computers and all of their IP addresses have 
been tracked, said Mrinal Virnave, NMSU's director of enterprise 
application services.

Virnave said the file contained the names and Social Security numbers of 
students who registered online to attend their commencement ceremonies 
from 2003 to 2005, meaning most of the names and numbers are of former 
students.

[...]


------------------------------

Message: 6
Date: Fri, 20 Apr 2007 15:38:20 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Los Alamos warns workers about identity theft
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704201537030.9592 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


http://www.freenewmexican.com/news/60494.html

Los Alamos National Laboratory warned employees about protecting 
themselves against identity theft after the names and Social Security 
numbers of 550 lab workers were posted on a Web site run by a 
subcontractor working on a security system.

An April 5 letter to the employees from Jan A. Van Prooyen, the lab's 
acting deputy director, said the problem was discovered the previous week 
when a lab employee happened upon the Web site of a software services 
company that had been hired years before.

Clicking a link and entering a password provided online led to a table 
that included names, and in some cases, Social Security numbers, of people 
who entered certain lab sites around 1998, the letter said.

[...]


------------------------------

Message: 7
Date: Fri, 20 Apr 2007 21:11:44 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Federal Database Exposes Social Security Numbers
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704202106210.3039 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


http://www.nytimes.com/2007/04/20/washington/20cnd-data.html?_r=1&hp=&adxnnl
=1&oref=slogin&adxnnlx=1177103032-yUYrfkNKmHsZVZ/hqNZWCw

The Social Security numbers of tens of thousands of people who received 
loans or other financial assistance from two Agriculture Department 
programs were disclosed for years in a publicly available database, 
raising concerns about identity theft and other privacy violations.

Officials at the Agriculture Department and the Census Bureau, which 
maintains the database, were evidently unaware that the Social Security 
numbers were accessible in the database until they were notified last week 
by a farmer from Illinois, who stumbled across the database on the 
Internet.

[...]

Ms. Bergmeier said she was able to identify almost 30,000 records in the 
database that contained Social Security numbers.

[...]


------------------------------

Message: 8
Date: Sat, 21 Apr 2007 00:40:18 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] (update) Fed Breach Leaks Social Security Numbers
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704210038210.9225 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


(Original numbers reported almost 30,000, now 150,000.  Updated)

http://www.forbes.com/feeds/ap/2007/04/20/ap3637323.html

The Social Security numbers of up to 150,000 people who received 
Agriculture Department grants have been posted on a government Web site 
since 1996, but they were taken down last week.

Free credit monitoring is being offered to those affected.

The security breach was only noticed last week and promptly closed, the 
Agriculture Department and Census Bureau announced Friday.

The Agriculture data that included Social Security numbers were removed 
from the Web on April 13 and similar data from 32 other agencies were 
taken down April 17 as a precaution, said Agriculture spokeswoman Terri 
Teuber.

[...]



------------------------------

Message: 9
Date: Sat, 21 Apr 2007 05:18:23 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] (update) Fed breach leaks Social Security numbers
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704210516170.19230 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


(first 30K, then 150K, now 63K... hope everybody has erasers handy...)

http://origin.denverpost.com/nationworld/ci_5714663

The Social Security numbers of 63,000 people who received Agriculture 
Department grants have been posted on a government Web site since 1996, 
but they were taken down last week. Free credit monitoring is being 
offered to those affected.

The security breach was only noticed last week and promptly closed, the 
Agriculture Department and Census Bureau announced Friday.

The Agriculture data that included Social Security numbers were removed 
from the Web on April 13 and similar data from 32 other agencies were 
taken down April 17 as a precaution, said Agriculture spokeswoman Terri 
Teuber.

[...]

The department originally said Friday the Social Security numbers of 
105,000 to 150,000 individuals had been entered into federal databases 
open to the public since 1981. But by Friday evening, after they 
calculated how many people had been entered more than once, USDA announced 
that 63,000 individuals had their Social Security numbers exposed. The 
data has only been posted on the Internet by the Census Bureau since 1996.

[...]


------------------------------

Message: 10
Date: Mon, 23 Apr 2007 20:07:36 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] USDA Narrows List to 38,700...
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704232005540.26783 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


(yet another newly revised total...)

http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB?contentidonly=true&con
tentid=2007/04/0110.xml

The U.S. Department of Agriculture (USDA) has narrowed to approximately 
38,700 the number of people whose private identification information was 
accessible to the public on a government-wide website. USDA takes 
seriously its responsibility to protect private information and after 
learning of the potential exposure, immediately took action to remove the 
information from the website. USDA is also offering credit monitoring 
services to protect the personal accounts of affected individuals, due to 
the potential that information was downloaded prior to removal. There is 
no evidence that this information has been misused.

[...]


------------------------------

Message: 11
Date: Mon, 23 Apr 2007 10:55:45 -0400
From: <rwise29210 at gmail.com>
Subject: [Dataloss] Counter Strike Struck
To: <dataloss at attrition.org>
Message-ID: <00c501c785b7$792d4db0$6401a8c0 at xp1>
Content-Type: text/plain; charset="iso-8859-1"

I haven't seen this on the list. Sorry if it is a repost.
Rodney Wise

http://pplrwise.blogspot.com

Counter Strike firm in credit card hack claim
Hacker, customers accuse Valve of coverup
By Chris Williams ? More by this author
Published Thursday 19th April 2007 11:09 GMT
Receive the days biggest stories by email 

http://www.theregister.co.uk/2007/04/19/valve_steam_hack/

Valve Software, the company behind Counter Strike and Half Life, has been
accused of covering up a hack of its servers which allegedly exposed the
credit card details of thousands of customers.

A hacker calling himself MaddoxX has trumpeted details of the claimed
break-in on his website, and threatened to publish more credit card
information if Valve do not "come with something good".

Customers say Valve has known about the alleged security breach since April
8 at the latest.

A customer told us he raised the hacker's claims on Valve's Steampowered.com
forums, but a company moderator quickly stepped in to delete it, writing,
"Please do not re-post that thread. Valve are aware of the issue and are
investigating. Making threads on the issue will not help."

Sources say a dozen threads about the matter have been suppressed on Valve's
official forums. In the meantime the firm has made no attempt to contact the
thousands of cyber cafe owners potentially affected.

A large file posted on a file sharing site appears to back up the hacker's
claims of breaking into the server of Valve's distribution network, Steam.
It contains sensitive financial information including Valve's current
assets, full details of five credit card transactions from March 12 with the
threat of exposing more, and details of how to set up a fake cyber cafe
certificate for multiplayer Counter Strike. The 14MB plus directory is
essentially a "rip" of the cyber cafe content delivery platform, Steam Cafe,
and contains all the files to access Valve's Central Authentication Server.

We contacted MaddoxX via email. He claimed he first gained access to Steam
this January, and said that although the cyber cafe customer database is not
linked to the standard customer list, he has access to that too. Valve have
not contacted him, he said, but have approached his hosting provider to take
down the page which announces the hack, so far without success.

The hacker says it's not his intention to steal information. He told us: "I
just came accross the login details when I was browsing some stuff. The
access to their whole customer database was more like luck, but still a hack
because the login details are inside some files. They changed the logins now
and made it not possible anymore to get the details from the files. The
[credit card] details itself are stored in a MySQL database where I still
have access to."

"It is just to show how lax they are with their security. I want a full
excuse from VALVe on their site that they did NOT inform anyone about this.
I've got several e-mails from cafe owners and they said VALVe hasn't even
said shit to them...so you can see how they threat their customers."

One cyber cafe owner contacted by The Register said: "Why has it taken days
if not weeks before they told us if there is even the slightest possibility
someone has our CC details then we should have been told?"

Valve did not return repeated requests for comment.?


-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://attrition.org/pipermail/dataloss/attachments/20070423/bd30c0b4/attach
ment-0001.html 

------------------------------

Message: 12
Date: Mon, 23 Apr 2007 11:06:32 -0400
From: <rwise29210 at gmail.com>
Subject: [Dataloss] Does a data loss of one count if she is famous? It
	just	isn't for "Ordinary People" anymore.
To: <dataloss at attrition.org>
Message-ID: <00ef01c785b8$fabe9860$6401a8c0 at xp1>
Content-Type: text/plain; charset="iso-8859-1"

      Thieves take laptop with Smith photos

      April 20, 2007 

      By Alan J. Keays Herald Staff 
     
      The head of Edgewood Studios in Rutland is looking for the return of a
stolen laptop containing some valuable information, including unreleased
images of Anna Nicole Smith, the star of his most recent film.

      "There are photographs in there that are not to be released," Giancola
said Thursday afternoon in a phone interview from the offices of his
Rutland-based movie production studio. "There is stuff that we have that is
just not cleared for release."

      Police said burglars early Thursday broke into Edgewood Studios, at
Howe Center, a large complex of offices and businesses just outside
Rutland's downtown. Several other businesses in the complex were also
burglarized.

      Police have made no arrest. Although the thieves did not steal all
that much from his studio, the laptop contained a great deal of "proprietary
material," including future movie scripts, plot lines, phone numbers and
e-mail addresses, Giancola said.


      The laptop also contained unreleased photos of Smith, who before her
death of a drug overdose in February played a starring a role in the
studio's soon-to-be-released movie, "Illegal Aliens."

      "We're trying to find the laptop because it has material that has
proprietary information to Edgewood Studios," Giancola said. "We're really
hoping to get that laptop back because of the copyrighted material that was
on it."

      "Illegal Aliens" is set to be released on DVD next month. The movie,
filmed in September 2005 in Rutland, has generated international interest
following the media attention that accompanied Smith's death.

      "What we're most concerned about is 'Illegal Aliens' kind of stuff,
and that movie is not being released until May 1," Giancola said. "There's
another movie called 'Zombie Town' and that movie's not going to be released
probably until Halloween and there's material from that on (the laptop) and
we don't want that out there, either."

      Surveillance video suggested the burglars did not target the laptop
for theft because of its connection to Smith.

      Instead, Giancola said, it appeared the burglars were on a "drunken
rampage," smashing the front door and two inside doors at the studio.

      Giancola said the value of the stolen items and the cost of repairing
damage would amount to a couple of thousand dollars. However, he said, a
dollar amount cannot be placed on the value of the "proprietary material"
that was on the stolen laptop, including the Smith photos.

      "The intellectual property is way more valuable than any of the
physical equipment we have," Giancola said.

      Contact Alan J. Keays at alan.keays at rutlandherald.com.

     


Rodney Wise

For New stories about ID Theft and Data Loss by Compaines visit:
http://pplrwise.blogspot.com
See what is happening to your information

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://attrition.org/pipermail/dataloss/attachments/20070423/4d2ba8dd/attach
ment-0001.html 

------------------------------

Message: 13
Date: Tue, 24 Apr 2007 03:55:22 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Administravia: List Reminders and Changes
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704240342430.18420 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


Greetings all,

I'll try to be as brief as I can.  The Data Loss Mail List would like to 
remind subscribers and posters that list topics should adhere to the 
following guidelines:

Data Loss is a non-commercial mail list that covers topics such as news 
releases regarding large-scale personal data loss and personal data theft 
incidents. Discussion about incidents, indictments, legislation, and 
recovery of lost or stolen personal data is encouraged. Advertisements or 
endorsements for commercial products and/or services, on or off list, are 
not allowed.

Isolated personal incidents regarding identity theft are not considered to 
be topical.  Discussion is welcome about items that are topical.  Please 
contact me directly with any questions or concerns about list content.

Thanks,

Lyger


------------------------------

Message: 14
Date: Tue, 24 Apr 2007 17:04:46 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Neiman says employee data stolen
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704241704010.8512 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


http://www.wfaa.com/sharedcontent/dws/bus/stories/042507dnbusneiman.40beadd.
html

The Neiman Marcus Group said Tuesday that computer equipment containing 
files with sensitive information of nearly 160,000 current and former 
employees has been stolen.

The files were owned by a pension consultant and contained 2-year-old data 
that was current as of Aug. 30, 2005. Information included each person.s 
name, address, social security number, date of birth, period of employment 
and salary information.

Employees hired after Aug. 30, 2005 are not affected.

[...]


------------------------------

Message: 15
Date: Tue, 24 Apr 2007 22:41:30 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Baltimore Co. Laptop Stolen With Personal Info
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704242240320.28984 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


http://wjz.com/local/local_story_114155042.html

A laptop containing the personal information of about 6,000 people was 
stolen from a Baltimore County health center, a health department 
spokeswoman said Tuesday.

The computer did not contain medical information but did have names, date 
of birth, social security numbers, telephone numbers and emergency contact 
information. The personal information was from patients who were seen at 
the clinic between Jan. 1, 2004 and April 12.

[...]


------------------------------

Message: 16
Date: Wed, 25 Apr 2007 06:59:07 -0400
From: "Rodney Wise" <rwise29210 at gmail.com>
Subject: [Dataloss] The cost of doing business?
To: dataloss at attrition.org
Message-ID:
	<24e2acc50704250359yaf861b5wd847586701bfda85 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Bank groups in 3 states plan to sue TJX over data theft
http://www.mercurynews.com/businessheadlines/ci_5745507
The Associated Press
Article Launched: 04/25/2007 01:50:15 AM PDT

BOSTON (AP) - Bank associations in Massachusetts, Connecticut and
Maine said Tuesday that they will sue TJX over a data theft that
exposed at least 45 million credit and debit cards to potential fraud.

Banks have been saddled with costs to replace cards and cover
fraudulent charges tied to the theft from TJX, the owner of nearly
2,500 discount stores including T.J. Maxx and Marshalls.

On Jan. 17, Framingham, Mass.-based TJX disclosed a breach of its
computer systems by an unknown hacker or hackers who accessed card
data from transactions as long ago as late 2002.
On March 28, TJX said at least 45.7 million of its shoppers' cards had
been compromised.
-- 
Rodney Wise
http://pplriwse.blogspot.com


------------------------------

Message: 17
Date: Wed, 25 Apr 2007 20:13:02 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] (update) Darwin Professional Underwriters -
	Tech-404.com
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704252010300.14262 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


For anyone interested in the follow-up:

Darwin Professional Underwriters, which operates the website Tech-404.com, 
has come to an agreement with attrition.org regarding the use of our Data 
Loss web page and RSS feed. In return for use of attrition.org's RSS 
service and/or web page, Darwin has graciously agreed to make a 
contribution to the Open Source Vulnerability Database (http://osvdb.org) 
in order to further promote security awareness.

We appreciate Darwin's willingness to work with us to help resolve this 
matter and we wish them the best in their future endeavors.

Lyger


------------------------------

Message: 18
Date: Thu, 26 Apr 2007 16:01:31 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Ceridian accidentally leaks data from NY firm
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704261558210.9828 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html

Payroll processing firm Ceridian Corp. accidentally leaked employee data 
from a New York advertising firm on a Web site, the company confirmed 
Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising 
company Innovation Interactive last week , after it learned that it had 
inadvertently leaked ID and bank-account data on 150 employees, company 
spokesman Pete Stoddart said.

Ceridian said a former employee accidentally posted the information on a 
personal Web site. The employee took the data by accident after leaving 
the company in March 2006.

[...]


------------------------------

Message: 19
Date: Thu, 26 Apr 2007 11:15:28 -0500
From: "Patrick Hack" <Phack at 4thebank.com>
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm
To: <dataloss at attrition.org>
Message-ID: <463089CF.E11B.0075.0 at 4thebank.com>
Content-Type: text/plain; charset="us-ascii"

Just wondering, how do you 'Accidentally' take private customer
information as you're leaving employment and 'Accidentally' post it to
your personal web site?  This sure sounds like straight-up data theft to
me.
 
P. Hack

>>> lyger <lyger at attrition.org> 4/26/2007 11:01 AM >>>

http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html


Payroll processing firm Ceridian Corp. accidentally leaked employee
data 
from a New York advertising firm on a Web site, the company confirmed 
Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising 
company Innovation Interactive last week , after it learned that it had

inadvertently leaked ID and bank-account data on 150 employees, company

spokesman Pete Stoddart said.

Ceridian said a former employee accidentally posted the information on
a 
personal Web site. The employee took the data by accident after leaving

the company in March 2006.

[...]
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss 
Tracking more than 207 million compromised records in 634 incidents
over 7 years.


CONFIDENTIALITY NOTICE: This email message is private,
confidential property of the sender, and the materials
may be privileged communications intended solely for
the receipt, use, benefit, and information of the intended
recipient indicated above. If you are not the intended
recipient, you are hereby notified that any review,
disclosure,distribution, copying or taking of any
other action in reference to the contents of this message
is strictly prohibited, and may result in legal liability
on your part. If you have received this message in error,
please notify the sender immediately and delete this
message from your system. We believe that this email
and any attachments are free of any virus or other defect
that might affect any computer system that it is received
and opened in, however, it is the responsibility of the
recipient to ensure that it is virus free and the sender
accepts no responsibility for any loss or damage.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://attrition.org/pipermail/dataloss/attachments/20070426/b48707ee/attach
ment-0001.html 

------------------------------

Message: 20
Date: Thu, 26 Apr 2007 12:27:25 -0500
From: "Katie Felten" <kfelten at gmail.com>
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm
To: "'Patrick Hack'" <Phack at 4thebank.com>,	<dataloss at attrition.org>
Message-ID: <000801c78828$29df7c10$7d9e7430$@com>
Content-Type: text/plain; charset="us-ascii"

P, my thoughts exactly when I read this article this morning

Katie Felten, CITRMS

Data Security & Privacy Specialist

Certified Identity Theft Risk Management Specialist 

 

www.getsmartcomply.com 

 

K Felten & Associates, LLC

N78W14573 Appleton Ave #297

Menomonee Falls, WI 53051

Direct   262-227-0772

Katie at k-felten.com

 

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of Patrick Hack
Sent: Thursday, April 26, 2007 11:15 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm

 

Just wondering, how do you 'Accidentally' take private customer information
as you're leaving employment and 'Accidentally' post it to your personal web
site?  This sure sounds like straight-up data theft to me.

 

P. Hack

>>> lyger <lyger at attrition.org> 4/26/2007 11:01 AM >>>

http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html

Payroll processing firm Ceridian Corp. accidentally leaked employee data 
from a New York advertising firm on a Web site, the company confirmed 
Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising 
company Innovation Interactive last week , after it learned that it had 
inadvertently leaked ID and bank-account data on 150 employees, company 
spokesman Pete Stoddart said.

Ceridian said a former employee accidentally posted the information on a 
personal Web site. The employee took the data by accident after leaving 
the company in March 2006.

[...]
_______________________________________________
Dataloss Mailing List (dataloss@ attrition.org)
http://attrition.org/dataloss
Tracking more than 207 million compromised records in 634 incidents over 7
years.


CONFIDENTIALITY NOTICE: This email message is private, confidential property
of the sender, and the materials may be privileged communications intended
solely for the receipt, use, benefit, and information of the intended
recipient indicated above. If you are not the intended recipient, you are
hereby notified that any review, disclosure,distribution, copying or taking
of any other action in reference to the contents of this message is strictly
prohibited, and may result in legal liability on your part. If you have
received this message in error, please notify the sender immediately and
delete this message from your system. We believe that this email and any
attachments are free of any virus or other defect that might affect any
computer system that it is received and opened in, however, it is the
responsibility of the recipient to ensure that it is virus free and the
sender accepts no responsibility for any loss or damage. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://attrition.org/pipermail/dataloss/attachments/20070426/ae2665fa/attach
ment-0001.html 

------------------------------

Message: 21
Date: Thu, 26 Apr 2007 23:37:58 +0000 (UTC)
From: security curmudgeon <jericho at attrition.org>
Subject: [Dataloss] slightly OT: LifeLock Identity Theft Protection
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704262336290.6752 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


http://www.lifelock.com/

My name is Todd Davis
This is my social security number 457-55-5462

"I'm Todd Davis, CEO of LifeLock. Yes, that really is my social security 
number. No I'm not crazy. I'm just sure our system works. Just like we 
have with mine, LifeLock will make your personal information useless to a 
criminal. And it's GUARANTEED."

Here at LifeLock, We Guarantee Your Good Name.
No one else does because no one else can.

http://www.lifelock.com/our-guarantee

$1 Million Guarantee

Our $1 Million Guarantee

Our Guarantee is simple. If you are our client when someone steals your 
personal information and subsequently misuses it, we will reimburse any 
and all direct expenses that you incur and pay for professionals with the 
proper expertise. The maximum amount that we will pay is $1 million over 
the life of the incident.  We provide this guarantee because we are so 
confident in our product. Direct expenses include lost wages, 
long-distance calls, postage and other miscellaneous costs in addition to 
any funds that are actually stolen from you or a third party that holds 
you responsible. If you need an attorney to help resolve the claims, we 
will select them and manage the case on your behalf.

Your request must not be fraudulent and you must tell us of the event 
within 30 days of first learning of it.

How the Guarantee Works:

If your Identity is used by a third party without your consent, we will do 
the following:

    1. We will pay any direct expenses you incur subject to the terms 
below. Usually, we will advance these costs on your behalf. If we do that, 
you must assign your guarantee request to any such re-imbursement by any 
third party. For example, if your bank charges you fees because someone 
else used your credit card and it took you over your limit, we will ensure 
that you are reimbursed that money promptly. If the bank doesn't do it, 
then we will and if and when the professionals we hire to assist you get 
the bank to refund the money, you agree that it will be sent to us or 
that, if paid directly to you, that you will send it to us as soon as you 
receive it.
    2. If the amount involved is over $1,000, we reserve the right to 
investigate the guarantee request and conclude that the claim is valid. 
For instance, if you are arrested for bank fraud and you assert that you 
did not commit the crime and that someone else stole your identity to 
commit the crime, we will investigate your assertion. If we are confident 
that you did not commit the crime, we will advance any legal fees, bail or 
other costs required to get you out of jail and back to your life. We will 
perform our investigation with all due haste and we will render our 
decision as quickly as we can. The standard we will use is that if any 
reasonable person would come to the conclusion that you are not 
responsible, we will as well. Once we are comfortable that you are 
innocent due to Identity Theft that occurred while you are our client, we 
will advance all fees and costs as discussed above. Note that we do not 
necessarily require that you are found innocent by the authorities before 
performing on our guarantee.
    3. If it turns out that our investigation is wrong and that you 
misrepresented a loss or that you weren't our client when it happened, you 
agree to pay us back any amount we have advanced or incurred on your 
behalf upon demand, including any costs we incur to collect the money from 
you. Being found guilty of the crime which you attributed to Identity 
theft is sufficient evidence to conclude that we are entitled to recover 
all amounts advanced or paid on your behalf as described above.
    4. Should we, however, decline your guarantee request and you are found 
innocent due to the fact that someone used your Identity to commit the 
crime, we will then honor our guarantee and pay you$10,000 for the 
hardship you suffered. You agree that we are not liable for any additional 
costs or awards for any reason.

That's it.  No more fancy language.


------------------------------

Message: 22
Date: Fri, 27 Apr 2007 01:59:19 +0000 (UTC)
From: security curmudgeon <jericho at attrition.org>
Subject: Re: [Dataloss] slightly OT: LifeLock Identity Theft
	Protection
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704270153530.6752 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII



On Thu, 26 Apr 2007, security curmudgeon wrote:

: http://www.lifelock.com/
: 
: My name is Todd Davis
: This is my social security number 457-55-5462

My post was not an endorsement of lifelock.com, Todd Davis or anything 
else. This post was made because I found it surprising that a CEO would 
post his own social security number "proving" his own service, something 
that other services don't do.

Attrition does not have any affiliation with lifelock.com or any other 
company/service that provides identity theft protection. Until earlier 
this evening, neither Lyger nor myself had heard of lifelock.com despite 
their "million dollar advertising campaign" (from what we were later 
told).

If anyone has any comments, criticisms or rebuttal of my post, we will 
selectively post them if they are fair, reasonable and cite their sources.

By reading this mail you absolve myself and attrition.org of any 
wrongdoing, pinkie swear you will eat a twinkie before midnight and will 
print and shred this message if it was not intended for you.

- Jericho


------------------------------

Message: 23
Date: Thu, 26 Apr 2007 20:21:24 -0500
From: Chris Walsh <chris at cwalsh.org>
Subject: Re: [Dataloss] slightly OT: LifeLock Identity Theft
	Protection
To: security curmudgeon <jericho at attrition.org>
Cc: dataloss at attrition.org
Message-ID: <F948F5A7-6D3C-4E15-B9B1-F9464F7AAE75 at cwalsh.org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Great.

Now lyger's gonna have to send out a notification letter to the guy.

Couldn't you have ROT13'd the email to avoid this?

:^)

Chris
On Apr 26, 2007, at 6:37 PM, security curmudgeon wrote:

>
> http://www.lifelock.com/
>
> My name is Todd Davis
> This is my social security number 457-55-5462
>
> "I'm Todd Davis, CEO of LifeLock. Yes, that really is my social  
> security
> number. No I'm not crazy. I'm just sure our system works. Just like we
> have with mine, LifeLock will make your personal information  
> useless to a
> criminal. And it's GUARANTEED."



------------------------------

Message: 24
Date: Fri, 27 Apr 2007 15:22:29 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] 175 told of possible computer security incident at
	Purdue
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704271521320.1933 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


(from April 24, 2007)

http://news.uns.purdue.edu/x/2007a/070424KsanderEngineer.html

Purdue University is informing 175 people who were students in fall 2001 
that a Web page containing information about them was inadvertently 
available on the Internet.

The page, which was no longer in use but was on a computer server 
connected to the Internet, contained names and Social Security numbers of 
students who were enrolled in a freshman engineering honors course and 
were scheduling to meet with advisers. Although forgotten, the page had 
been indexed by Internet search engines and consequently was available to 
individuals searching the Web.

The page has been removed and, at Purdue's request, Yahoo and Google have 
removed the page from their indexes and cache. Letters are in the mail to 
those potentially affected.

[...]


------------------------------

Message: 25
Date: Sat, 28 Apr 2007 01:47:50 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] Caterpillar Says Employee Data Stolen
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704280146040.21501 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


(if anyone can find verifiable details on number affected or type of 
information, please let us know)

http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2007/04/27/financial/f17255
8D76.DTL&type=business

Caterpillar Inc. said late Friday that a laptop computer containing 
personal data on employees was stolen from a benefits consultant that 
works with the company.

Caterpillar spokesman Rusty Dunn declined to provide many details Friday.

"This is an open investigation and we're not prepared to get into any 
specifics," Dunn said.

He said one laptop computer was stolen earlier this month, but didn't say 
where the theft took place or identify the consultant.

Dunn declined to say how many employees were affected.

[...]


------------------------------

Message: 26
Date: Sat, 28 Apr 2007 02:12:56 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] FEMA's 'Unfortunate' Privacy Disaster
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704280211580.21501 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


>From April 23, 2007

http://www.washingtonpost.com/wp-dyn/content/article/2007/04/22/AR2007042201
362.html

Sometimes when they are not busy dealing with natural disasters, FEMA 
folks just make up their own. We got this letter the other day from Glenn 
M. Cannon, assistant administrator in the Disaster Operations Directorate.

"Dear Disaster Generalist," he wrote to about 2,300 people on April 16, 
"an unfortunate administrative processing error at FEMA . . . has resulted 
in the printing of Social Security numbers on the outside address labels 
of Disaster Assistance Employee (DAE) . . . reappointment letters."

The mail distribution center mishandled the letters, he said, creating 
this "unintentional release of Privacy Act information."

[...]


------------------------------

Message: 27
Date: Fri, 27 Apr 2007 22:45:03 -0500
From: Chris Walsh <chris at cwalsh.org>
Subject: [Dataloss] NY AG settles first data breach case
To: dataloss at attrition.org
Message-ID: <738474A5-36BC-4B2E-9A52-AADE095DDDE1 at cwalsh.org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

By Sharon Gaudin
InformationWeek
April 27, 2007 01:32 PM

The New York Attorney General has obtained the first settlement under  
the state's new security breach notification law.

Attorney General Andrew Cuomo announced Thursday that it has reached  
an agreement with CS Stars LLC, a Chicago-based claims management  
company, to implement precautionary procedures, comply with New  
York's notification law in the event of another security breach, and  
pay $60,000 to the AG's office for investigation costs.

On May 9, 2006, an employee at CS Stars noticed that a computer was  
missing that held personal information, including the names,  
addresses, and Social Security numbers of recipients of workers'  
compensation benefits, according to the AG's office. The New York  
Special Funds Conservation Committee, a not-for-profit organization  
created to assist in providing benefits to workers under the New York  
Workers' Compensation Law, was the owner of the data contained in the  
missing computer.

It was not until June 29, 2006 that CS Stars first notified Special  
Funds of the security breach, the AG's office reported. On the same  
date, the company notified the FBI, as well. The FBI instructed the  
company to not send out any notifications to people who might be  
affected by the data breach because it might impede their investigation.

According to the AG's release, CS Stars notified the Attorney  
General's office, the Consumer Protection Board, and the state office  
of Cyber Security about the breach on June 30, 2006. Then on July 18,  
the company, with the permission of the FBI, the company began  
sending out notices to the approximately 540,000 potentially affected  
New York consumers notifying them of the security breach.

[...]

Via http://www.informationweek.com/news/showArticle.jhtml? 
articleID=199202218




------------------------------

Message: 28
Date: Sat, 28 Apr 2007 21:47:15 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] N. Texas Company Posted Private Information Online
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704282145530.6533 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


http://www.nbc5i.com/money/13207482/detail.html

A North Texas company posted online the private information of hundreds of 
job applicants, NBC 5 reported.

Couriers On Demand, run by Kyle Bowers, made available for public viewing 
names, addresses, phone numbers, Social Security numbers and drivers 
license numbers on its Web site, NBC 5 reported.

Attorney Cami Boyd, who specializes in data privacy, said the company 
should have been encrypting its data behind a secure firewall. Without 
taking those precautions, she said, it is in violation of state law and 
federal law.

[...]


------------------------------

Message: 29
Date: Sun, 29 Apr 2007 07:36:44 -0400
From: "Rodney Wise" <rwise29210 at gmail.com>
Subject: [Dataloss] Is it just about credit?
To: dataloss at attrition.org
Message-ID:
	<24e2acc50704290436u343d7975y1645480e00c9cd9e at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

(In his best Columbo accent).... There is just one more thing mam... I am
having trouble understanding a few things... gee do ya think you could help
me out here?

I have a few questions for discussion by the group. I have seen time and
time again that companies that have been compromised have offered credit
munitioning to help REDUCE any monetary damages that might be gained from
lawsuits. It is not just about credit. You can lodk it down for your life
and still have problems.

Question 1
Is is just about your credit?

If someone gets you SSN or SIN (Canida) they can do a lot more than get
cash. If they get medical treatment for ... I don't know ... a heart problem
of even... HIV do you think you will ever get insurance again?

Question 2
What about death and taxes?

 Well if you are in the US without the proper permissions to be here in most
situations you MUST have 2 forms of identity to gain employment. A SSN AND a
drivers license number. If they have YOUR SSN and get employment that can
put you in another tax bracket owing more money than the job they are doing
will be deducting for taxes.

What if that happens multiple times? There is NO verification process in
place that will tell an employer that it is not you. It will just verify it
is a valid number.

Lets go one more step further...

I get your Driver License Number from a check you give me. I make $5/hr at a
retail store and see several of these a day, I can sell this for about $50
(read 10 hours of work) for each one. You are flying to that city where what
happens there stays there and use your DLN as your ID. OOPS I forgot to tell
you I used your number when I got pulled over for a DUI. YOU now have a
crimanl record.

Question 3
3. How does credit monitoring help these problems?

Question 4
What does the federal government REQUIRE businesses to do to help reduce
data theft?
Five thing.
1.Take Stock ... like and inventory of your data
2. Scale Down... What do you REALLY need
3.Lock it down... Protect it
4. Pitch it... READ SHRED
5. Plan Ahead... create a written plan
http://www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf

Question 4

If you read the publication, is this too much to ask of the companies we
willingly give our data to?


Rodney Wise
http://pplriwse.blogspot.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://attrition.org/pipermail/dataloss/attachments/20070429/95858e29/attach
ment-0001.html 

------------------------------

Message: 30
Date: Sun, 29 Apr 2007 17:39:20 +0000 (UTC)
From: security curmudgeon <jericho at attrition.org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health
	care)
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704291727340.28887 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII


: Question 1
: Is is just about your credit?
: 
: If someone gets you SSN or SIN (Canida) they can do a lot more than get 
: cash. If they get medical treatment for ... I don't know ... a heart 
: problem of even... HIV do you think you will ever get insurance again?

Hopefully someone in the health care industry can speak up on this but a 
few points.

Many (most? all?) hospitals require photo ID for everything now. While we 
know that a bad guy can do a full identity theft, including getting a new 
license or birth certificate, it does require a dedicated person. They ask 
for the photo ID with insurance card, which you'd also have to get issued. 
Some hospitals actually train their staff (a full class) on handling photo 
ID, recognizing aspects that would be suspicious (birth date, etc) and how 
to respond. This has lead to some cases where the person using a stolen 
identity recived medical treatment, walked out of the hospital all better, 
only to be arrested immediately as the hospital staff watched (they knew 
what was going on but wouldn't deny treatment of course).

Some hospitals use computer systems that have routines specifically 
designed to flag possible identity theft. Various incidents (most related 
to billing I assume) will flag a record with a potential identity theft 
marker which is visible to any hospital employee who loads the record. 
Employees are trained to act normal and provide treatment but call a 
special security number (internal to the hospital) and trained security 
staff respond.

This leads one to wonder if the DMV when re-issuing a license might notice 
discrepancies. Eye color goes from blue to brown, hair color, height, 
weight .. how many changes before someone says "wait"?



------------------------------

Message: 31
Date: Sun, 29 Apr 2007 18:36:50 +0000 (UTC)
From: nepen <nepen at attrition.org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health
	care)
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704291758540.23987 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


On Sun, 29 Apr 2007, security curmudgeon wrote:

>
> : Question 1
> : Is is just about your credit?
> :
> : If someone gets you SSN or SIN (Canida) they can do a lot more than get
> : cash. If they get medical treatment for ... I don't know ... a heart
> : problem of even... HIV do you think you will ever get insurance again?
>
> Hopefully someone in the health care industry can speak up on this but a
> few points.
>
> Many (most? all?) hospitals require photo ID for everything now. While we
> know that a bad guy can do a full identity theft, including getting a new
> license or birth certificate, it does require a dedicated person. They ask
> for the photo ID with insurance card, which you'd also have to get issued.
> Some hospitals actually train their staff (a full class) on handling photo
> ID, recognizing aspects that would be suspicious (birth date, etc) and how
> to respond. This has lead to some cases where the person using a stolen
> identity recived medical treatment, walked out of the hospital all better,
> only to be arrested immediately as the hospital staff watched (they knew
> what was going on but wouldn't deny treatment of course).


Just a note, but back when I had absolutely no way to prove who I was, the
ER would treat me. This was post 9-11, and the hospital had significantly
upgraded their security procedures.

ERs have charity care programs, however, for those who cannot pay, and
they are [or mine was] retroactive. If you state that you cannot pay upon
arriving, they will set up an appointment for you. I don't really see an
issue there with ID theft unless someone is deliberately attempting to
keep their particular ailment off of their own record. The requirements
for these programs [at least here] are relatively loose, but usually last
only one year, at which time you must re-file.

You may be able to pull it off for minor problems that are put through
Fast-Track [but charity care, at least in my state, covers that 100%], but
if you go in with heart problems you may wake up 10 hours later handcuffed
to your bed after your open-heart surgery.


> This leads one to wonder if the DMV when re-issuing a license might notice
> discrepancies. Eye color goes from blue to brown, hair color, height,
> weight .. how many changes before someone says "wait"?

That's the beauty of contact lenses [particularly blue to brown--brown to
blue not so easy to pull off], hair and weight don't seem like big issues,
and depending upon the age of the person, a one or two inch height
discrepancy doesn't seem like a big deal.

My mother had no problems getting her license--she went when I went--and
she's changed her hair colour, weight, and height. If I'd have given her a
pair of blue contact lenses, I'd doubt they'd have even noticed. Her
previous license had no photo.

Though at the NJ DMV, I was able to receive my ID and /bypass/ their "6
point identification system" which requires a certain amount of documents
worth a certain number of points, adding up to 6, before you're able to
get a license or photo ID. I was also able to do this at the SSA. This was
all relatively recently--this month, in fact. All the SSA required was a
note from my doctor--who simply wrote everything I told him to write when
it came to my description--in lieu of their new post-9/11 requirements.

For my birth certificate: I never had to get out of the car.

It seems to me that everyone now has to juggle leniency for those who have
fallen through the cracks with vigilance for those who are exploiting the
system. I spent hours worrying about how I would be able to get my new
Social Security Card or meet the DMV's 6 points, and I had absolutely no
problem doing either. It was incredibly easy.

It seems like this transitioning issue, where they are accommodating
people unable to meet the new requirements, might be the easiest point of
abuse.


nepen


------------------------------

Message: 32
Date: Sun, 29 Apr 2007 19:43:46 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] UNM says some employee information on stolen
	laptop
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704291943030.31072 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


http://kob.com/article/stories/S72768.shtml?cat=517

University of New Mexico officials say personal information for 3,000 
employees may have been stored on a laptop computer that was stolen.

The university notified the employees by e-mail that some personal 
information may have been on a laptop taken Wednesday from a San Francisco 
office.

University officials learned of the theft Friday from an outside 
consultant working on UNM's human resource and payroll systems.

[...]


------------------------------

Message: 33
Date: Sun, 29 Apr 2007 18:51:24 -0400
From: "Rodney Wise" <rwise29210 at gmail.com>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health
	care)
To: "security curmudgeon" <jericho at attrition.org>
Cc: dataloss at attrition.org
Message-ID:
	<24e2acc50704291551x683b6e86off6a59e2455c90df at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I guess the basic question is:

As people who are aware of data breeches how can we alert others that is is
NOT just about credit.

Rodney


On 4/29/07, security curmudgeon <jericho at attrition.org> wrote:
>
>
> : Question 1
> : Is is just about your credit?
> :
> : If someone gets you SSN or SIN (Canida) they can do a lot more than get
> : cash. If they get medical treatment for ... I don't know ... a heart
> : problem of even... HIV do you think you will ever get insurance again?
>
> Hopefully someone in the health care industry can speak up on this but a
> few points.
>
> Many (most? all?) hospitals require photo ID for everything now. While we
> know that a bad guy can do a full identity theft, including getting a new
> license or birth certificate, it does require a dedicated person. They ask
> for the photo ID with insurance card, which you'd also have to get issued.
> Some hospitals actually train their staff (a full class) on handling photo
> ID, recognizing aspects that would be suspicious (birth date, etc) and how
> to respond. This has lead to some cases where the person using a stolen
> identity recived medical treatment, walked out of the hospital all better,
> only to be arrested immediately as the hospital staff watched (they knew
> what was going on but wouldn't deny treatment of course).
>
> Some hospitals use computer systems that have routines specifically
> designed to flag possible identity theft. Various incidents (most related
> to billing I assume) will flag a record with a potential identity theft
> marker which is visible to any hospital employee who loads the record.
> Employees are trained to act normal and provide treatment but call a
> special security number (internal to the hospital) and trained security
> staff respond.
>
> This leads one to wonder if the DMV when re-issuing a license might notice
> discrepancies. Eye color goes from blue to brown, hair color, height,
> weight .. how many changes before someone says "wait"?
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 207 million compromised records in 634 incidents over 7
> years.
>



-- 
Rodney Wise
http://pplriwse.blogspot.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://attrition.org/pipermail/dataloss/attachments/20070429/95212b4b/attach
ment-0001.html 

------------------------------

Message: 34
Date: Sun, 29 Apr 2007 23:32:01 +0000 (UTC)
From: nepen <nepen at attrition.org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health
	care)
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704292309010.9463 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


On Sun, 29 Apr 2007, Rodney Wise wrote:

> I guess the basic question is:
>
> As people who are aware of data breeches how can we alert others that is
is
> NOT just about credit.
>
> Rodney

Simple: Research the potential results of dataloss that do not involve
identity theft/credit issues, write about these new ideas, and put the
information out there.

Notsosimple: Hope for interest, particularly if there is some sort of
marketable protection against these other outcomes. Sadly, the ability for
someone to profit from offering services to protect against these
potential non-credit-related outcomes of dataloss events may have an
effect on whether or not there is much interest in them.

Research, write, publish: Create awareness and cross your fingers?


nepen







------------------------------

Message: 35
Date: Sun, 29 Apr 2007 19:27:59 -0700
From: J Beebe <j.beebe at cox.net>
Subject: Re: [Dataloss] The cost of doing business?
To: dataloss at attrition.org
Message-ID:
	
<20070430022820.KICS24310.fed1rmmtao104.cox.net at fed1rmimpo01.cox.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

Here's a link to the complaint filed by the Mass. Bankers Assoc.
It notes that they and the other 2 bankers assocs. are asking for
"tens of millions of dollars."
https://www.massbankers.org/pdfs/DataBreachSuitNR5.pdf

Should be interesting.
JB

At 03:59 AM 4/25/2007, Rodney Wise wrote:
>Bank groups in 3 states plan to sue TJX over data theft
>http://www.mercurynews.com/businessheadlines/ci_5745507
>The Associated Press
>Article Launched: 04/25/2007 01:50:15 AM PDT
>
>BOSTON (AP) - Bank associations in Massachusetts, Connecticut and
>Maine said Tuesday that they will sue TJX over a data theft that
>exposed at least 45 million credit and debit cards to potential fraud.
>
>Banks have been saddled with costs to replace cards and cover
>fraudulent charges tied to the theft from TJX, the owner of nearly
>2,500 discount stores including T.J. Maxx and Marshalls.
>
>On Jan. 17, Framingham, Mass.-based TJX disclosed a breach of its
>computer systems by an unknown hacker or hackers who accessed card
>data from transactions as long ago as late 2002.
>On March 28, TJX said at least 45.7 million of its shoppers' cards had
>been compromised.
>--
>Rodney Wise
>http://pplriwse.blogspot.com
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss
>Tracking more than 207 million compromised records in 630 incidents 
>over 7 years.
>
>
>--
>No virus found in this incoming message.
>Checked by AVG Free Edition.
>Version: 7.5.463 / Virus Database: 269.5.10/774 - Release Date: 
>4/23/2007 5:26 PM



------------------------------

Message: 36
Date: Sun, 29 Apr 2007 20:41:43 -0500
From: Al Mac <macwheel99 at sigecom.net>
Subject: Re: [Dataloss] Is it just about credit?
To: "Data Loss Incidents" <dataloss at attrition.org>
Message-ID: <6.2.1.2.1.20070429195335.02a52360 at mail.sigecom.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

How difficult is it for the criminal underworld to manufacture fake 
driver's licenses?
The photo-id looks exactly like the person carrying it (it is their photo), 
but the identity is whoever identity they stole.  Such an id can be used to 
help get a job, get medical treatment, anything such a fake id is used for.
Does not matter if thumb print on there, because fake-id has photo and 
thumb print of the crook instead of the real person who has the 
real-id-license that was issued by the state DMV.

You right that the DMV record ought to have eye color, hair color etc.
But one of the types of data theft has been entire DMV data bases.
Crooks in the fake-id business can then match identity to be stolen with 
person needing fake id with similar characteristics ... eye color, hair 
color, gender, approx age, etc.

This will cease to work when the photo-id gets scanned in some place to 
compare it to the official copy in DMV records, unless crooks have the 
sophistication to also mess with the official records, or the communication 
between police car check point and official records.  I expect it will be 
pretty rare for people running around with fake-ids to have the kinds of 
hacker skills to real-time spoof whatever is done to validate photo or 
thumb print on the fake-id.

A small fortune is spent on protecting the nation's currency from 
counterfeiting, but yet there still are people who get away with passing 
counterfeit money.  Nothing like that expense can be incurred to protect 
individual states from not having fraudulent driver's licenses and other 
identification in circulation.

A while back, the state of Colorado sorted employee tax reporting data by 
SSN to get a count of how many different places same SSN being used ... I 
think the biggest was like 50 or 100 employers had someone simultaneously 
working there with same SSN.  We can reasonably assume that if other US 
states were to do this, that they might get similar numbers.  Bigger in the 
more populated states.  Similar story other nations.

The feds have done this with critical infrastructure ... people working at 
Pentagon, Nuclear weapons facilities, etc. & yes found lots of fraudulent 
identities there.  We can hope most of them are people who just need a job, 
not many potential terrorists in the bunch.

Is there a serious risk that the states will crack down on the real people, 
in whose names those 50 other people using their SSN?  Or is there 
temptation for states to look the other way, since this is tax money being 
paid for services that the fake SSN holders may be less likely to claim 
than valid SSN holders?

You may be better off with a bunch of people paying extra taxes in your 
name, than only one of them.  Except with how easy it is to fraudulently 
claim income tax refund, which is big problem for IRS, and also the person 
in whoever name this got done.

More risks than you said.

You don't even get on the plane at airport to go home, because your 
identity was used by someone stopped by the police, let go on minimal bail, 
supposed to return for court date, never did.  Now you have the legal 
expense of proving you not whoever that is running around the country 
committing more crimes in your name.

Let's suppose the real Rodney Wise is in the hospital for serious 
treatment, and while there, persons with fake identity for Rodney Wise 
steal his car, sell it, occupy his home, sell everything there, get second 
mortgage on it, sell house, run up ungodly bills, clean out bank 
accounts.  Real Rodney gets out of hospital & try to go home, be arrested 
as intruder in home now belong someone else.  This has happened to people 
in nations where possession is 9/10 of law.

Credit monitoring helps with some of the problems but we need more.

Some day, DNA testing will be as rapid as stick some skin cells or spit 
into a gadget that will say "You born in nation X, legally in nation Y, 
have a blood relative criminal Z" and we pray that long before that reality 
the data bases locked down with good support for people to correct errors 
about themselves..

-
Al Macintyre




------------------------------

Message: 37
Date: Sun, 29 Apr 2007 23:47:24 -0500
From: Chris Walsh <chris at cwalsh.org>
Subject: Re: [Dataloss] Is it just about credit?
To: Data Loss Incidents <dataloss at attrition.org>
Message-ID: <9E72B570-5BCC-4F3C-B9D2-0D6DDD7EF078 at cwalsh.org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Here in IL, we just had a high-profile federal bust of some folks who  
were allegedly selling fake drivers' licenses and fake SocSec cards  
as a combo pack for $300.  This was in a section of Chicago with many  
undocumented workers.  Reports are that this is undoubtedly so the  
buyers can work in the US, but of course the news coverage says that  
the sellers don't exactly care why someone is looking for ID as long  
as they have the $$.

In this particular instance, the Feds say they acted because the gang  
allegedly selling these IDs had murdered someone who tried to go into  
competition with them.  Clearly, then, the cost of production of  
these IDs is less than the $300, or else the dead guy would have been  
no threat since he could not possibly undercut the gang.



On Apr 29, 2007, at 8:41 PM, Al Mac wrote:

> How difficult is it for the criminal underworld to manufacture fake
> driver's licenses?



------------------------------

Message: 38
Date: Mon, 30 Apr 2007 11:15:00 -0400
From: Adam Shostack <adam at homeport.org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health
	care)
To: Rodney Wise <rwise29210 at gmail.com>
Cc: security curmudgeon <jericho at attrition.org>,
	dataloss at attrition.org
Message-ID: <20070430151500.GB8860 at homeport.org>
Content-Type: text/plain; charset=us-ascii

On Sun, Apr 29, 2007 at 06:51:24PM -0400, Rodney Wise wrote:
| I guess the basic question is:
|  
| As people who are aware of data breeches how can we alert others that is
is NOT
| just about credit.

We used to use words like 'privacy' or 'data protection.'  To
Jericho's point, I'd argue that the problem is central medical
databases, and upgrading the trusted third parties to control what
goes in them is just poor thinking.

Adam


|  
| On 4/29/07, security curmudgeon <jericho at attrition.org> wrote:
| 
| 
|     : Question 1
|     : Is is just about your credit?
|     :
|     : If someone gets you SSN or SIN (Canida) they can do a lot more than
get
|     : cash. If they get medical treatment for ... I don't know ... a heart
|     : problem of even... HIV do you think you will ever get insurance
again?
| 
|     Hopefully someone in the health care industry can speak up on this but
a
|     few points.
| 
|     Many (most? all?) hospitals require photo ID for everything now. While
we
|     know that a bad guy can do a full identity theft, including getting a
new
|     license or birth certificate, it does require a dedicated person. They
ask
|     for the photo ID with insurance card, which you'd also have to get
issued.
|     Some hospitals actually train their staff (a full class) on handling
photo
|     ID, recognizing aspects that would be suspicious (birth date, etc) and
how
|     to respond. This has lead to some cases where the person using a
stolen
|     identity recived medical treatment, walked out of the hospital all
better,
|     only to be arrested immediately as the hospital staff watched (they
knew
|     what was going on but wouldn't deny treatment of course).
| 
|     Some hospitals use computer systems that have routines specifically
|     designed to flag possible identity theft. Various incidents (most
related
|     to billing I assume) will flag a record with a potential identity
theft
|     marker which is visible to any hospital employee who loads the record.
|     Employees are trained to act normal and provide treatment but call a
|     special security number (internal to the hospital) and trained
security
|     staff respond.
| 
|     This leads one to wonder if the DMV when re-issuing a license might
notice
|     discrepancies. Eye color goes from blue to brown, hair color, height,
|     weight .. how many changes before someone says "wait"?
| 
|     _______________________________________________
|     Dataloss Mailing List (dataloss at attrition.org)
|     http://attrition.org/dataloss
|     Tracking more than 207 million compromised records in 634 incidents
over 7
|     years.
| 
| 
| 
| 
| --
| Rodney Wise
| http://pplriwse.blogspot.com

| _______________________________________________
| Dataloss Mailing List (dataloss at attrition.org)
| http://attrition.org/dataloss
| Tracking more than 207 million compromised records in 634 incidents over 7
years.



------------------------------

Message: 39
Date: Mon, 30 Apr 2007 23:51:50 +0000 (UTC)
From: lyger <lyger at attrition.org>
Subject: [Dataloss] (update) Stolen Caterpillar laptop contained
	employees personal information
To: dataloss at attrition.org
Message-ID: <Pine.LNX.4.64.0704302349010.20529 at forced.attrition.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


(now disclosed that SSNs were on the stolen laptop. other reports have 
also disclosed that the laptop belonged to an "SBA Inc." located in 
Georgia.)

http://www.wjbc.com/wire2/news/01943_Caterpillar-Data-WEB_145542.htm

Caterpillar Incorporated told employees in a letter that a laptop stolen 
this month contained current and former workers' Social Security numbers, 
banking information and addresses. Peoria-based Caterpillar has declined 
to say how many of its roughly 95-thousand employees were affected but has 
set up a call center to answer their questions.

[...]


------------------------------


_______________________________________________
Dataloss mailing list
Dataloss at attrition.org
https://attrition.org/mailman/listinfo/dataloss


End of Dataloss Digest, Vol 15, Issue 3
***************************************



More information about the Dataloss mailing list