From jericho at attrition.org Thu Nov 1 06:50:39 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 1 Nov 2007 06:50:39 +0000 (UTC)
Subject: [Dataloss] The cost of data breaches (ironic and annoying spam)
Message-ID:

It's wonderful to see companies sending unsolicited e-mail (spam) pushing their products, citing a resource that gets a significant portion of their information from attrition.org.

---------- Forwarded message ----------
From: Centennial Software
Date: Thu, 01 Nov 2007 06:19:57 +1100
Subject: The cost of data breaches

What are you doing to protect your data?

Did you know that the total number of records containing sensitive personal information involved in security breaches over the past two years is approaching 170 million?* In just the last month, 40 security breaches were reported which resulted in data loss of more than 7 million records. Are you doing everything possible to avoid adding to these statistics?

If you care about protecting your company's data, you need Centennial DeviceWall to lock down unauthorized file transfers from corporate PCs to portable storage devices.

[..]

* www.privacyrights.org

From lyger at attrition.org Thu Nov 1 12:03:15 2007
From: lyger at attrition.org (lyger)
Date: Thu, 1 Nov 2007 12:03:15 +0000 (UTC)
Subject: [Dataloss] (update) Hartford Financial misplaces back-up tapes with personal data on policy holders
Message-ID:

(additional information including an updated number of total affected)

From: security curmudgeon
Date: Thu, 1 Nov 2007 10:37:37 +0000 (UTC)

---------- Forwarded message ----------
From: InfoSec News

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9044801

By Jaikumar Vijayan
October 30, 2007
Computerworld

The Hartford Financial Services Group Inc. has notified about 237,000 policy holders of a potential compromise of their personal data.
The warning followed the loss of three backup tapes containing the names, addresses, Social Security numbers and driver's license numbers of customers of the company's personnel lines claims center. The tapes were discovered to be missing on Sept. 27. So far, there is no evidence that the tapes were stolen or that the information has been misused, a company spokeswoman said. Hartford Financial Services has no idea if the tapes were misplaced while in transit to another location or if they went missing inside the company. But the information contained on them could only be read with "the use of sophisticated and expensive equipment," she added.

[..]

From hbrown at knology.net Thu Nov 1 13:53:33 2007
From: hbrown at knology.net (Henry Brown)
Date: Thu, 01 Nov 2007 08:53:33 -0500
Subject: [Dataloss] Dumpster Diving in KY
Message-ID: <4729DA5D.3090406@knology.net>

From LegalNewsline.com
http://tinyurl.com/227coq

FRANKFORT, Ky. - Kentucky Attorney General Greg Stumbo recently went through the trash of some businesses around the state and did not like what he found. Stumbo said Tuesday that 33 of the 121 businesses that had their garbage inspected threw away personal information of more than 1,250 people, violating state laws that require such information to be shredded or destroyed in another method. "Consumers face an increased risk of identity theft or loss of privacy when their personal information is not destroyed when records are discarded," Stumbo said. "There have been numerous accounts in the past few years of dumpster-diving by identity thieves. It is vitally important that businesses take care to destroy consumers' personal information when disposing of records."
Of the 33, 14 threw away the sensitive information -- like Social Security numbers, bank and credit card account numbers, birth dates, driver's license or personal ID card numbers, loan numbers, customer account numbers, insurance policy numbers, medical insurance policy and group numbers and personal medical information -- of almost 1,000 people. The 33 businesses have been notified by the Office of Consumer Protection, which is requesting extra information from the 14 that threw out sensitive information. Stumbo says he will ask the businesses to develop or strengthen policies to ensure compliance with state law.

...

From lyger at attrition.org Thu Nov 1 17:41:34 2007
From: lyger at attrition.org (lyger)
Date: Thu, 1 Nov 2007 17:41:34 +0000 (UTC)
Subject: [Dataloss] (commentary) Inadvertent exposure at root of most breaches?
Message-ID:

From David Litchfield's Weblog:

http://www.davidlitchfield.com/blog/archives/00000022.htm

I've been analysing publicised breaches as part of my research for my upcoming talk at the Information Security Decisions conference in Chicago next Tuesday. Since January 1st 2007, the single largest contributing cause to electronic breaches is not hacking or insider malice but simply inadvertent exposure. Here are the details.

[...]

From lyger at attrition.org Fri Nov 2 02:03:22 2007
From: lyger at attrition.org (lyger)
Date: Fri, 2 Nov 2007 02:03:22 +0000 (UTC)
Subject: [Dataloss] NY: CUNY Urges Students To Check Bank Accounts After Laptop Theft
Message-ID:

http://www.ny1.com/ny1/content/index.jsp?stid=8&aid=75183

CUNY officials are urging students to double check their bank accounts, after a broken laptop containing personal information was taken from the school's financial aid office. According to CUNY, the computer contained social security numbers, but the files were password protected. There have been no reports of any breaches, but school officials have contacted the nearly 20,000 students who may be affected just in case.
Officials have not pin-pointed the exact date the computer went missing.

[...]

From jericho at attrition.org Mon Nov 5 11:03:26 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 5 Nov 2007 11:03:26 +0000 (UTC)
Subject: [Dataloss] Handling Goofs Cause Many Data Leaks
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.eweek.com/article2/0,1895,2211531,00.asp

By Lisa Vaas
eWeek
November 2, 2007

A sizable chunk of business data is being lost electronically in simple misconfiguration mistakes.

Since January 2005, there have been 167.7 million records containing sensitive personal information exposed by security breaches, according to a running total kept by the Privacy Rights Clearinghouse. The question is, How does this information get out there? Loss or theft of a physical object forms by far the largest hole in data security. According to an analysis (PDF) done recently by David Litchfield of Next Generation Security Software, based in Surrey, England, 43 percent of records lost since Jan. 1 slipped out of organizations on paper, computers, laptops, disks or backup media. Other researchers put the figure higher for records that were exposed due to lost or stolen computers or media -- security expert Chris Walsh has analyzed New York data sets and puts the figure closer to 99 percent.

[..]

From lyger at attrition.org Mon Nov 5 13:17:02 2007
From: lyger at attrition.org (lyger)
Date: Mon, 5 Nov 2007 13:17:02 +0000 (UTC)
Subject: [Dataloss] UK: Lost CD may put pension holders in peril
Message-ID:

http://www.theregister.co.uk/2007/11/05/standard_life_lost_cd_security_flap/

Thousands of customers of UK insurer Standard Life have been left at risk of fraud after their personal details were lost by HM Revenue & Customs (HMRC). Data on 15,000 pension policy holders, sent in a CD from HMRC offices in Newcastle to Standard Life's Edinburgh headquarters by courier, never arrived.
The lost disc contained names, national insurance numbers, dates of birth, addresses, and pension data. Information such as this would easily lend itself to abuse by crooks if it fell into the wrong hands. Providing fraudsters were able to read the disc they might be able to apply for loans or credit cards under false names.

[...]

From lyger at attrition.org Tue Nov 6 12:21:05 2007
From: lyger at attrition.org (lyger)
Date: Tue, 6 Nov 2007 12:21:05 +0000 (UTC)
Subject: [Dataloss] AL: Personal information sent to wrong families
Message-ID:

http://www.al.com/news/press-register/index.ssf?/base/news/119434413578700.xml&coll=3

The personal information, including the names, ages and Social Security numbers of more than 1,500 families enrolled in the state's ALL Kids health care coverage program, were accidentally sent to the wrong families last week, officials with the Alabama Department of Public Health confirmed Monday. "We sent out a letter Friday afternoon to the 1,554 affected families alerting them that some of their confidential information might have been released," said Cathy Caldwell, director of the health insurance program. "It wasn't released to the general public. It was within the 1,554 families. Some of them got each others' information." John Wible, general counsel for the health department, said the agency does not expect to face legal action, but "it's definitely a breach of confidentiality."

[...]

From lyger at attrition.org Tue Nov 6 12:23:13 2007
From: lyger at attrition.org (lyger)
Date: Tue, 6 Nov 2007 12:23:13 +0000 (UTC)
Subject: [Dataloss] MT: Bank notifies customers of laptop theft
Message-ID:

http://www.paradisepost.com/ci_7379845

A laptop with customers' personal information including names, addresses, social security numbers and bank account numbers was stolen from Butte Community Bank sometime in October. A notice from the bank dated Oct. 24 was sent to customers whose personal information was believed to be on the laptop.
The notice states the laptop was stolen earlier that month. Customers including The Post, did not receive notification until the first week in November. According to the notice the data on the stolen laptop was protected by a password intended to prevent unauthorized individuals from accessing the private information. The circumstances of the theft suggested the thief was interested only in the laptop and not the bank's information, according to the bank's notice. A concerned customer and Post employee Katie Stecher said she received the notice this weekend. She called the bank with concerns regarding the safety of her account.

[...]

From lyger at attrition.org Tue Nov 6 20:25:11 2007
From: lyger at attrition.org (lyger)
Date: Tue, 6 Nov 2007 20:25:11 +0000 (UTC)
Subject: [Dataloss] MT: MSU notifies students, staff of security breaches
Message-ID:

(somewhere in Montana, somebody is having a bad, bad week...)

http://www.billingsgazette.net/articles/2007/11/06/news/state/20-breach.txt

Montana State University is informing 271 people that their Social Security numbers may have been exposed in one of three separate data security breaches. On Nov. 2, it was determined that a stolen data storage device contained the Social Security numbers of 216 students and employees who lived in on-campus housing from 1998 to the spring of 2007. In a separate incident that also occurred on Nov. 2, an independent security analyst informed university data security staff that an Excel spreadsheet with the names and Social Security numbers of 42 people - mostly new hires during the summer of 2006 - was available on the MSU Web site. The spreadsheet was immediately removed. While investigating the Excel spreadsheet incident, MSU data-security staff discovered another Excel spreadsheet with the Social Security numbers of 13 people affiliated with the Department of Computer Science on the university's Web site. It, too, was immediately removed.

[...]
From lyger at attrition.org Thu Nov 8 00:54:14 2007
From: lyger at attrition.org (lyger)
Date: Thu, 8 Nov 2007 00:54:14 +0000 (UTC)
Subject: [Dataloss] NC: 28K in Jeopardy of ID Theft Because of Lost Laptop
Message-ID:

http://www.wbtv.com/news/topstories/11094071.html

28,000 people could now have their identity in jeopardy because of a missing laptop. It's called a Panasonic Tough Book. It was lost at CMC Northeast on Sunday.

[.]

They are offering a $500 reward for anyone who can get them this computer back. There are 28,000 names, addresses and social security numbers on that computer. What happened was a paramedic left the computer on the back bumper of the ambulance right here at CMC Northeast and then drove away. The computer hasn't been seen since.

[...]

From jericho at attrition.org Thu Nov 8 15:16:07 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 8 Nov 2007 15:16:07 +0000 (UTC)
Subject: [Dataloss] follow-up: Salesforce tight-lipped after phishing attack
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://news.zdnet.co.uk/security/0,1000000189,39290616,00.htm

By Tom Espiner
ZDNet.co.uk
07 Nov 2007

Salesforce.com is refusing to reveal details of a security breach caused when one of its employees surrendered their password in a phishing attack against the company. Details of Salesforce.com's customers were stolen as a result of the password being surrendered, the CRM services company admitted to customers on Monday. But, when contacted by ZDNet.co.uk, the company refused to say whether any UK customers had been affected, whether any financial damage had occurred, and whether any disciplinary action had been taken against any employees as a result of the security incident. It offered no other comment on the matter. Salesforce.com first noticed a possible security breach when it saw a rise in phishing attacks directed against customers "a couple of months ago".
Upon investigation, the company found that one of its employees had been "tricked" into disclosing a password, allowing a customer list to be stolen, according to Monday's letter, which was sent to customers by executive vice president of technology Parker Harris.

[..]

From jericho at attrition.org Thu Nov 8 15:16:43 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 8 Nov 2007 15:16:43 +0000 (UTC)
Subject: [Dataloss] follow-up: MSU reveals fourth personal-data security breach in one month
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.bozemandailychronicle.com/articles/2007/11/07/news/15security.txt

By Gail Schontzler
Chronicle Staff Writer
November 07, 2007

Montana State University is sending letters to 271 students and MSU employees to warn them that their Social Security numbers might have been exposed because of three separate security breaches. One breach dates to 2002. Another involves an MSU employee's stolen laptop computer. MSU announced the latest breaches in a news release Tuesday, four weeks after another security breach that affected 1,400 people. There's no evidence that anyone's personal information has been stolen by identity thieves, but MSU can't prove that didn't happen, said Jim Rimpau, the university's chief information officer. University officials wanted to act conservatively and alert people so they could check on their credit reports to make sure no one had stolen their personal information. What a horrible couple of weeks it's been, Rimpau said.

[..]
From bkdelong at pobox.com Fri Nov 9 19:26:12 2007
From: bkdelong at pobox.com (bkdelong at pobox.com)
Date: Fri, 9 Nov 2007 11:26:12 -0800
Subject: [Dataloss] Check out my Favorites on StumbleUpon
Message-ID: <58c2f1e73211cf6f47cfe977acc069fe@smtp.stumbleupon.com>

StumbleUpon
Discover new web sites

Connect now & http://www.stumbleupon.com/redirect.php?t=j&u=1575664&d=http%3A%2F%2Fwww.stumbleupon.com%2Fjoin.php%3Ffriend%3D2573062%26emailcode%3D8o3z4gj5bh1jff64&l=1&c=8o3z4gj5bh1jff64

B.K. wants to Share his Favorites with you
He likes 44 pages
He has 2 fans

Join StumbleUpon and discover your friends' Favorites. Suddenly the Web is fun again :)

-&B.K. & bkdelong at pobox.com

Discover my Favorites & http://www.stumbleupon.com/redirect.php?t=j&u=1575664&d=http%3A%2F%2Fwww.stumbleupon.com%2Fjoin.php%3Ffriend%3D2573062%26emailcode%3D8o3z4gj5bh1jff64&l=2&c=8o3z4gj5bh1jff64

About StumbleUpon

StumbleUpon allows you to channel surf the internet and discover great websites and web content you might never have found. Whether it's a website, video, picture, game, blog, or wiki, StumbleUpon helps you find interesting stuff recommended by like-minded people with just a single click of the Stumble! button.

Learn More http://www.stumbleupon.com/redirect.php?t=j&u=1575664&l=3&c=8o3z4gj5bh1jff64

If you do not wish to receive future e-mail invitations to join StumbleUpon, please click here http://www.stumbleupon.com/redirect.php?t=j&u=1575664&d=http%3A%2F%2Fwww.stumbleupon.com%2Fnotifications.php%3Femailcode%3D8o3z4gj5bh1jff64&l=4&c=8o3z4gj5bh1jff64 .

(c) StumbleUpon 2001-2007

From bkdelong at pobox.com Fri Nov 9 19:48:29 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 9 Nov 2007 14:48:29 -0500
Subject: [Dataloss] Check out my Favorites on StumbleUpon
In-Reply-To: <58c2f1e73211cf6f47cfe977acc069fe@smtp.stumbleupon.com>
References: <58c2f1e73211cf6f47cfe977acc069fe@smtp.stumbleupon.com>
Message-ID:

Ah, the joys of predatory social networks. Apologies folks. StumbleUpon just autospammed my entire email list. I would have only added those currently on the service.

On Nov 9, 2007 2:26 PM, wrote:
> StumbleUpon
>
> Discover new web sites

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From lyger at attrition.org Mon Nov 12 12:49:11 2007
From: lyger at attrition.org (lyger)
Date: Mon, 12 Nov 2007 12:49:11 +0000 (UTC)
Subject: [Dataloss] CDs containing state workers' information missing in Nevada
Message-ID:

http://www.lasvegassun.com/sunbin/stories/nevada/2007/nov/11/111110005.html

Hundreds of CDs containing payroll information about state employees, including Social Security numbers, have either been lost or stolen over the last three years, state Personnel Director Todd Rich said. Rich said his department sent a total of more than 13,000 CDs to 80 agencies for review every two-week pay period over the last three years. He said as many as 470 are still missing. "We haven't had any notification from anybody that, `Hey, my identity has been stolen,'" Rich told the Nevada Appeal. He said it would be up to Attorney General Catherine Cortez Masto whether to issue a breach notification. If so, he said, it would be done by agencies with missing discs.

[...]
From lyger at attrition.org Tue Nov 13 13:54:20 2007
From: lyger at attrition.org (lyger)
Date: Tue, 13 Nov 2007 13:54:20 +0000 (UTC)
Subject: [Dataloss] UK: Foreign Office in website security breach
Message-ID:

http://www.24dash.com/centralgovernment/29252.htm

The Foreign Office broke data protection rules by failing to ensure its UK visas website was secure, the privacy watchdog said today. A security breach meant the personal data of visa applicants was visible to other people visiting the website, the Information Commissioner's Office (ICO) found. The Foreign and Commonwealth Office (FCO) has now signed a formal undertaking to comply with the Data Protection Act. It follows an investigation by the ICO, sparked in May when the security breach on the visa processing website came to light.

[...]

From lyger at attrition.org Tue Nov 13 13:56:51 2007
From: lyger at attrition.org (lyger)
Date: Tue, 13 Nov 2007 13:56:51 +0000 (UTC)
Subject: [Dataloss] CA: Mortgage Company Investigates Customer Data Breach
Message-ID:

http://www.my58.com/news/14579242/detail.html

Countrywide Home Loans investigated personal data from its customers left unattended outside a West Sacramento post office Monday, company officials said. "Information just sitting there. Anyone could walk up and open the envelopes," concerned citizen Dorian Dunlap said. "I don't understand why any lending institution would be that irresponsible." Dunlap said she photographed stacks of envelopes from Countrywide Home Loans left unattended outside a west Sacramento post office Monday and reported it to KCRA 3. The U.S. Post Office spokesman Ralph Petty said the practice of customers leaving mail next to a full mail box is common, but not encouraged.

[...]
From vhinderer at lexsi.com Tue Nov 13 17:52:54 2007
From: vhinderer at lexsi.com (HINDERER Vincent)
Date: Tue, 13 Nov 2007 18:52:54 +0100
Subject: [Dataloss] TR: [funsec] Attackers Snatch Member Data from 92 NonprofitOrganizations
Message-ID:

-----Original Message-----
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On behalf of Paul Ferguson
Sent: Tuesday, 13 November 2007 01:55
To: funsec at linuxbox.org
Subject: [funsec] Attackers Snatch Member Data from 92 NonprofitOrganizations

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Via eWeek.

[snip]

Attackers have stolen passwords and accounts from 92 nonprofits by infiltrating systems at Convio, the leading online marketing company for nonprofits. Affected nonprofit organizations include the American Museum of Natural History, Working Assets, CARE and Free Press. According to a letter sent by Convio to one of the affected organizations, the e-mail addresses and member passwords were downloaded without authorization from 92 GetActive clients between Oct. 23 and Nov. 1. GetActive is an application that Convio acquired with the nonprofit eCRM software company, also named GetActive, in February. The attacker or attackers had prepared to steal the same information from another 62 GetActive clients, but the attempt was foiled when Convio discovered the breach late in the day on Nov. 1.

[snip]

More: http://www.eweek.com/article2/0,1759,2215792,00.asp

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHOPXsq1pz9mNUZTMRAgJMAKC/6IZze14UT8Bjq5QoT8e2A7z2fACgjB8R
wKrSAKJ0Fx9n5sy/vT/TkBM=
=ZS5z
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
From lyger at attrition.org Tue Nov 13 18:50:13 2007
From: lyger at attrition.org (lyger)
Date: Tue, 13 Nov 2007 18:50:13 +0000 (UTC)
Subject: [Dataloss] PA: Report: Bank employee may have released customer information
Message-ID:

http://www.bizjournals.com/philadelphia/stories/2007/11/12/daily13.html

Commerce Bancorp Inc. said Tuesday that an employee may have given out confidential customer information. According to a Philadelphia television station NBC-10, Commerce sent a letter to customers warning them that the employee had access to such personal information as names, addresses, social security numbers and account numbers. A spokesman for the Cherry Hill, N.J.-based bank said only a small segment of its 3 million customers were affected.

[...]

From lyger at attrition.org Wed Nov 14 02:10:07 2007
From: lyger at attrition.org (lyger)
Date: Wed, 14 Nov 2007 02:10:07 +0000 (UTC)
Subject: [Dataloss] follow-up: Convio and UConn
Message-ID:

http://www.zwire.com/site/news.cfm?newsid=19018393&BRD=985&PAG=461&dept_id=161556&rfi=6

Information about 10 online donors to the University of Connecticut Foundation - including their names, addresses, and the last four digits and expiration dates of their credit cards - was accessed through a vendor's security breach between Oct. 23 and Nov. 1. About 89,000 other people had only their e-mail addresses accessed without authorization, UConn Foundation spokesman John Sponauer said. The foundation was one of 92 clients of the vendor, Convio, affected by the breach, Sponauer said.

[...]
From jericho at attrition.org Thu Nov 15 07:51:51 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 15 Nov 2007 07:51:51 +0000 (UTC)
Subject: [Dataloss] follow-up: TJX's Projected Breach Costs Increase to $216M
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.eweek.com/article2/0,1895,2216942,00.asp

By Evan Schuman
eWeek.com
November 14, 2007

Court filings have estimated that the data from some 96 million credit cards was accessed during the incidents.

In a footnote in its Nov. 13 earnings announcement, TJX increased its estimate of pre-tax charges for the world's worst credit card data breach to $216 million. Back in August, it had projected only a $168 million pre-tax hit. The data breach consisted of extensive cyber-thief activity within TJX's network from 2003 through June 2004 and then again from mid-May 2006 through mid-December 2006, TJX said. Court filings have estimated that the data from some 96 million credit cards was accessed during the incidents.

[..]

From lyger at attrition.org Thu Nov 15 14:48:45 2007
From: lyger at attrition.org (lyger)
Date: Thu, 15 Nov 2007 14:48:45 +0000 (UTC)
Subject: [Dataloss] IN: VA laptops, patient info stolen
Message-ID:

http://www.indystar.com/apps/pbcs.dll/article?AID=/20071115/LOCAL/711150543

Police are investigating the theft of three computers from the Veterans Administration hospital in Indianapolis. Officials say one of the computers contained files on about 12,000 patients. The VA says the computers were stolen from locked offices at the Roudebush VA Medical Center on Saturday.

[...]
From lyger at attrition.org Thu Nov 15 15:24:07 2007
From: lyger at attrition.org (lyger)
Date: Thu, 15 Nov 2007 15:24:07 +0000 (UTC)
Subject: [Dataloss] Canada: Children's patient info stolen from Edmonton hospital
Message-ID:

http://www.cbc.ca/canada/edmonton/story/2007/11/13/glenrose-breach.html

Alberta's privacy commissioner is investigating another security breach involving personal patient information, this time stolen from a pediatrician's office, CBC News has learned. The doctor at the Glenrose Rehabilitation Hospital had the medical information of 270 children stored on a computer memory stick. She put the tiny device in her purse and locked it in her office drawer, but the purse was stolen on Aug. 16. "The records we were concerned with were personal health number, name, date of service at Glenrose and diagnosis," confirmed Steve Buick, spokesman for Capital Health. "Not enough clinical detail, but enough that a parent might naturally be concerned."

[...]

From lyger at attrition.org Thu Nov 15 17:49:39 2007
From: lyger at attrition.org (lyger)
Date: Thu, 15 Nov 2007 17:49:39 +0000 (UTC)
Subject: [Dataloss] follow-up: Certegy data theft leads to plea agreement
Message-ID:

http://www.bizjournals.com/tampabay/stories/2007/11/12/daily38.html

William Sullivan, a former database analyst at Certegy Check Services Inc., has agreed to plead guilty to federal fraud and conspiracy charges in connection with the theft of data from the St. Petersburg firm. According to a plea agreement filed in U.S. District Court for the Middle District of Florida in Tampa, Sullivan conspired with an unindicted co-conspirator to exceed his authorized access to databases at Certegy, using the unauthorized access to misappropriate consumer information. Sullivan was paid for giving the stolen information to the co-conspirator, who then resold the information to others, including direct marketers, the plea agreement said.
The scheme was broader than initially disclosed July 3 by Jacksonville-based Fidelity National Information Services Inc. (NYSE: FIS), which acquired Certegy in February 2006.

[...]

From lyger at attrition.org Fri Nov 16 16:51:07 2007
From: lyger at attrition.org (lyger)
Date: Fri, 16 Nov 2007 16:51:07 +0000 (UTC)
Subject: [Dataloss] NJ: Stolen PCs hold personal data on hundreds
Message-ID:

http://www.nj.com/news/bridgeton/index.ssf?/base/news-2/119519076964280.xml&coll=10

Computers containing the personal information of between 500 to 1,000 clients of A.J. Falciani Realty Company were taken in a burglary Wednesday night, police said Thursday. Many of the stolen computers store the names, addresses, Social Security numbers, dates of birth, telephone numbers and other information on the company's clients. Albert Falciani, who owns and operates the East Oak Road business, told officers the computers contain about seven years worth of data. In addition, a lock box that held listings of code lock information was taken.

[...]

From lyger at attrition.org Fri Nov 16 17:15:22 2007
From: lyger at attrition.org (lyger)
Date: Fri, 16 Nov 2007 17:15:22 +0000 (UTC)
Subject: [Dataloss] KS: 128 students' social security numbers exposed on Web site
Message-ID:

http://media.www.kstatecollegian.com/media/storage/paper1022/news/2007/11/16/TodaysNews/128-Students.Social.Security.Numbers.Exposed.On.Web.Site-3107518.shtml

K-State's Office of International Programs and International Student Center are notifying 128 international students that their Social Security numbers were exposed through a K-State Web site. The students, who were in the English Language Program, had their information "inadvertently exposed" through a K-State Web site that started with a routine server upgrade in November 2006 that extended about one year, according to a Media Relations and Marketing press release Thursday.
Only international students were affected because the exposed Social Security numbers came from test scores on the English language proficiency test, said Lynn Carlin, interim vice provost for Information Technology Services. All data has been removed from the Web site. "We don't have any evidence that the students' information has been misused," she said.

[...]

From lyger at attrition.org Fri Nov 16 22:15:05 2007
From: lyger at attrition.org (lyger)
Date: Fri, 16 Nov 2007 22:15:05 +0000 (UTC)
Subject: [Dataloss] Canada: Stolen laptop holds personal info of Atlantic Canadians
Message-ID:

http://www.cbc.ca/canada/prince-edward-island/story/2007/11/16/pe-stolen.html

A Government of Canada computer was recently stolen from the home of a civil servant in Ottawa, but the effects of the theft are being felt in Atlantic Canada. The laptop contained the personal information of 1,600 people, mostly Atlantic Canadians. The majority of the people -- 1,100 -- receive old age pensions. The others affected are their spouses and some government employees. The stolen computer contains such personal information as social insurance numbers, bank account numbers, birthdates and credit details.

[...]

From jericho at attrition.org Sat Nov 17 04:08:39 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 17 Nov 2007 04:08:39 +0000 (UTC)
Subject: [Dataloss] follow-up: California Man Arrested in Theft of 1.8M Social Security Numbers from Veterans
Message-ID:

---------- Forwarded message ----------
From: Paul Ferguson

Via The OC Register (Props, Pogo Was Right).

[snip]

A man who purchased $5,600 in jewelry at a store in Tustin using three fraudulent credit cards, one belonging to actor Marlon Wayans, was arrested Thursday in Los Angeles after a months-long investigation, said Tustin police Lt. John Strain. The investigation also uncovered from his home computer about 1.8 million Social Security numbers from the U.S.
Department of Veteran Affairs, where Kim had been employed as an auditor. Veterans Affairs' officials have said only 185,000 numbers are at risk because many were repeated in the file. Tae Kim, 28, was booked at Orange County Jail and is being held in lieu of $1 million bail after being arrested at 5 p.m. Thursday at a car wash in Koreatown, police said. On April 7, two Asian men identified as Kim and Justin Hong, purchased jewelry from Jewelry Exchange at 15732 Tustin Village Way using three skimmed cards belonging to three different victims, one of whom was actor Marlon Wayans, Strain said.

[snip]

More: http://www.ocregister.com/news/kim-numbers-affairs-1924451-security-social

From lyger at attrition.org Sat Nov 17 17:29:52 2007
From: lyger at attrition.org (lyger)
Date: Sat, 17 Nov 2007 17:29:52 +0000 (UTC)
Subject: [Dataloss] OH: Laptop with workers' personal information stolen from auditors
Message-ID:

http://www.daytondailynews.com/n/content/oh/story/news/local/2007/11/16/ddn111707battelle.html

A laptop stolen from a Kettering auditing firm contained personal information on employees of up to 10 businesses, including Springfield-based Ohio Masonic Home, officials said Friday. Battelle & Battelle LLC would not disclose the number of individuals affected by the theft but Masonic Home officials said 600 of its employees' information was stored in the laptop. Battelle was conducting the home's pension plan audit when the laptop was stolen last month from an employee's vehicle.

[...]

From hbrown at knology.net Sun Nov 18 21:26:14 2007
From: hbrown at knology.net (Henry Brown)
Date: Sun, 18 Nov 2007 15:26:14 -0600
Subject: [Dataloss] Data Loss at VA AGAIN
Message-ID: <4740ADF6.2000001@knology.net>

http://tinyurl.com/35qqw9

Deja vu all over again at VA

November 16, 2007 (Computerworld) -- In what's become a fairly familiar routine for them of late, the U.S.
Department of Veterans Affairs is investigating a potential data breach -- the theft of three computers containing personal data on potentially 12,000 individuals. Two desktop PCs and one laptop containing that data were stolen from a medical facility in Roudebush, Indiana -- ironically enough, on Veterans Day. The records belong to patients who were treated at the hospital and include Social Security numbers and other personally identifiable information. "It appears from this most recent breach that there are still some in the VA, even some responsible for the security of such data, who don't realize the importance of the security of the names and data of our veterans," Congressman Steve Buyer (R-Ind) said in a prepared statement. According to Buyer, the VA notified his office of the breach on Thursday and are working on ascertaining the names and data of the people who might have been affected by the theft. [...] From hbrown at knology.net Mon Nov 19 13:32:53 2007 From: hbrown at knology.net (Henry Brown) Date: Mon, 19 Nov 2007 07:32:53 -0600 Subject: [Dataloss] Japanese embassy laptops stolen in Belgium Message-ID: <47419085.1040204@knology.net> http://www.yomiuri.co.jp/dy/world/20071115TDY02303.htm Eleven laptop computers were stolen from the Japanese Embassy in central Brussels earlier this month, leading to fears that personal information on about 12,700 Japanese living in Belgium may have been exposed, the embassy said Wednesday. The robbery is believed to have taken place early Nov. 3. Security guards alerted by an alarm found the lock broken on the seventh-floor entrance to the embassy in an office building. Some of the stolen computers held electronic data on matters such as the expats' residence certification, overseas voting registration and passport information, according to the embassy. The residence certification contains details such as a person's name, birthdate, permanent address in Japan, occupation, family information and passport number. 
From mhill at idtexperts.com Tue Nov 20 16:06:19 2007 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Tue, 20 Nov 2007 11:06:19 -0500 Subject: [Dataloss] TX: Personal Information Found In McKinney Dumpster Message-ID: <007e01c82b8f$4a6d1680$6501a8c0@mkevhill> http://cbs11tv.com/local/mckinney.dumpster.texas.2.571626.html A North Texas business reacted quickly today after learning someone in its office had inadvertently thrown files with personal information in a McKinney trash dumpster. A CBS 11 viewer found the documents and emailed us about them. They contained Social Security Numbers, bank statements, real estate contracts and more. One of the names on the documents was Herb McJunkin's. He wasn't very happy about it. "It should have been shredded," he said. After we called McKinney Police to tell them about it, the company realized its mistake. State law requires companies to properly dispose of their documents. If they don't, they could face up to $50,000 in fines. CVS Pharmacy, Radio Shack, E-Z Pawn, and Lifetime Fitness are just some of the companies that have gotten in trouble under the two-year-old law. If you come across files with personal information in a dumpster, you're urged to call the Texas Attorney General's office. Michael Hill Certified Identity Theft Risk Management Specialist IDT Consultants 404-216-3751 "If You Think You're Not At Risk, Think Again!" 
From lyger at attrition.org Tue Nov 20 16:40:56 2007 From: lyger at attrition.org (lyger) Date: Tue, 20 Nov 2007 16:40:56 +0000 (UTC) Subject: [Dataloss] Data on 15m benefits claims 'lost by Customs' Message-ID: Courtesy WK and InfoSec News: http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/11/20/ncustoms220.xml By Emma Henry and agencies 20/11/2007 The head of Revenue & Customs has resigned after his department lost the details of as many as 15 million child benefit claimants in what is believed to be one of the world's biggest ID protection failures. Paul Gray quit ahead of a Commons statement this afternoon by Chancellor Alistair Darling on "a major operational problem". It is understood the information was stored on discs, which went missing in transit and have not yet been recovered. The Metropolitan Police are investigating. The data includes names, home addresses, dates of birth, National Insurance numbers and bank details of millions of child benefit recipients. [...] From lyger at attrition.org Tue Nov 20 18:31:18 2007 From: lyger at attrition.org (lyger) Date: Tue, 20 Nov 2007 18:31:18 +0000 (UTC) Subject: [Dataloss] (update) Missing: 25 million child benefit records Message-ID: http://www.silicon.com/research/specialreports/digitaldefences/0,3800014341,39169217,00.htm CDs containing the confidential personal details of 25 million child benefit recipients have been lost by HM Revenue & Customs (HMRC). The records contain the names, addresses, dates of birth and National Insurance numbers of the entire HMRC child benefit database, which also includes the bank account details of more than seven million parents, guardians and carers. 
Two password-protected CDs containing the child benefit information were sent unrecorded and unregistered by a junior HMRC official through courier TNT to the National Audit Office on 18 October but never arrived and have not been found. The missing CDs were not reported to senior HMRC management until 8 November and the Chancellor of the Exchequer Alistair Darling was then notified on 10 November. [...] From jericho at attrition.org Wed Nov 21 10:57:50 2007 From: jericho at attrition.org (security curmudgeon) Date: Wed, 21 Nov 2007 10:57:50 +0000 (UTC) Subject: [Dataloss] follow-up: TJX consumer settlement sale offer draws scorn Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.theregister.co.uk/2007/11/20/tjx_settlement_offer_kerfuffle/ By John Leyden 20th November 2007 Law enforcement officials have poured cold water on plans by TJX to hold a one-day sale for customers as part of a proposed settlement for a consumer class-action case against the security incident-afflicted retailer. TJX faces consumer and bank class action lawsuits over the exposure of an estimated 45.7m customer records as the result of a security breach that lasted for two distinct six month periods between 2003 and December 2006. Hackers broke into a system that stored data on credit card, debit card, cheque, and return details in an attack blamed on a poorly secured wireless network in one of its stores. Subsequent credit card frauds have been traced to data swiped as a result of these breaches and a number of arrests have been made. [..] 
From lyger at attrition.org Wed Nov 21 12:49:29 2007 From: lyger at attrition.org (lyger) Date: Wed, 21 Nov 2007 12:49:29 +0000 (UTC) Subject: [Dataloss] FL: Social Security numbers of former UF students leaked on Web site Message-ID: http://www.alligator.org/articles/2007/11/21/news/campus/ssn.txt More than 400 former UF students might have been put at risk for identity theft after their Social Security numbers were posted on UF's Computing & Networking Services Web site. [.] All the individuals were former students of Richard Elnicki, a professor of information systems and operations management, and had taken classes ISM 4220 or ISM 4330 with him between 1998 and 2001, the release stated. Many of the files had been online since 1998. The release stated that the files were on a Computer & Networking Services server that required a password to upload files, though the public could download the files without a password. [...] From mhill at idtexperts.com Thu Nov 22 01:45:30 2007 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Wed, 21 Nov 2007 20:45:30 -0500 Subject: [Dataloss] Insurer inadvertently posted physician SSNs Message-ID: <004101c82ca9$5e5bd170$6501a8c0@mkevhill> http://www.crainsnewyork.com/apps/pbcs.dll/article?AID=/20071120/FREE/71120008/1049 United Healthcare posted the social security numbers of doctors at Columbia University's faculty practice on a public Web site in a breach of security that exposed the doctors to identity theft. The sensitive information was loaded on Oct. 31 and taken down Nov. 2. United posted the taxpayer identification numbers, some of which were Social Security numbers, alongside the names of 993 providers at Columbia who participate in the insurer's network. The list was supposed to be accessible to Columbia employees during the current open enrollment period. A United spokesman said the tax ID "inadvertently" included social security numbers, which were removed once the insurer was informed of the error. 
A forensic analysis showed there were some non-Columbia computers that downloaded the information, says the spokesman. The Web page was viewed 157 times before the ID information was removed. He adds that United also is trying to determine "from a technology perspective" how the breach occurred. United notified the New York state Attorney General's office of the incident. The insurer has written to the Columbia doctors to apologize. The providers can have their credit reports monitored by Equifax, which will alert them if a credit check is performed. Subsequently, Columbia's faculty practice organization will closely monitor whether its doctors become the victims of identity theft. A spokeswoman for the university said that although only a small subset of the FPO's doctors had their SS numbers publicly displayed, the breach was "very serious" and has made the doctors unhappy. United complied with Columbia's request to notify the doctors, sent a company representative onsite to answer the doctors' questions, and provided one-year protection from Equifax. Columbia's legal department will monitor whether fraud occurs. For now, most of the information appears to have been accessed by "legitimate Columbia addresses," says the spokeswoman. Michael Hill Certified Identity Theft Risk Management Specialist IDT Consultants 404-216-3751 "If You Think You're Not At Risk, Think Again!" From jericho at attrition.org Thu Nov 22 20:12:50 2007 From: jericho at attrition.org (security curmudgeon) Date: Thu, 22 Nov 2007 20:12:50 +0000 (UTC) Subject: [Dataloss] "Is that a lot?" Message-ID: ---------- Forwarded message ---------- From: Adam Shostack I'm drinking my morning coffee and getting ready to head off for Thanksgiving, and ended up banging out a blog post that I think many of you might enjoy. 
"Is 2,100 breaches of security a lot?" http://www.emergentchaos.com/archives/2007/11/is_2100_breaches_of_secur.html Happy Thanksgiving! Adam From lyger at attrition.org Sun Nov 25 20:36:14 2007 From: lyger at attrition.org (lyger) Date: Sun, 25 Nov 2007 20:36:14 +0000 (UTC) Subject: [Dataloss] Ireland: AIB error led 15, 000 customers to get details of other accounts Message-ID: http://www.ireland.com/newspaper/frontpage/2007/1123/1195682121693.html?via=me A significant error at AIB bank earlier this month led it to send 15,000 notifications to its customers containing the private bank account details of other individuals. A total of 11,000 AIB customers are affected by the move, writes John Downes. Last night, it also emerged that some of the bank account details sent to AIB customers in recent days relate not just to AIB accounts, but also reveal the names and bank account details of customers with other banks. It is understood that as many as 7,500 of the notices contained the names, addresses and full bank account numbers of AIB customers. This means these details, contained in notices relating to "inward" payments, are now in the possession of other customers of the bank. [...] From jericho at attrition.org Mon Nov 26 10:30:44 2007 From: jericho at attrition.org (security curmudgeon) Date: Mon, 26 Nov 2007 10:30:44 +0000 (UTC) Subject: [Dataloss] N.L. police probe security breach of patient information Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.cbc.ca/canada/newfoundland-labrador/story/2007/11/24/security-breach.html CBC News November 24, 2007 Officials in Newfoundland and Labrador are investigating a computer security breach involving sensitive patient information that may have been accessed through the internet. The data, including lab test results for infectious diseases such as HIV and hepatitis along with patient names and health numbers, was stored on a government desktop computer, said Health Minister Ross Wiseman. 
The computer was unplugged and taken to the home of a consultant working for the Provincial Public Health Laboratory, something Wiseman said should never have happened. "That was an inappropriate use. Obviously individual computers that are available for work are there for the workplace only," he told CBC News. [..] From macwheel99 at wowway.com Mon Nov 26 19:06:43 2007 From: macwheel99 at wowway.com (Al Mac Wheel) Date: Mon, 26 Nov 2007 13:06:43 -0600 Subject: [Dataloss] (update) Visa approved TJX non-compliance with PCI Message-ID: <6.2.1.2.1.20071126130235.027c5bb0@pop3.mail.wowway.com> http://www.eweek.com/article2/0,1895,2215022,00.asp [ ] Credit card company Visa knew in late 2005 of the extensive security problems at TJX, but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court on Nov. 8. The Dec. 29, 2005, letter from Joseph Majka, a fraud control vice president for Visa, was written months after cyber-thieves had already secretly infiltrated TJX's systems, starting the work that would ultimately become the worst data breach in credit card history. [ ] - Al Mac From hbrown at knology.net Tue Nov 27 11:37:27 2007 From: hbrown at knology.net (Henry Brown) Date: Tue, 27 Nov 2007 05:37:27 -0600 Subject: [Dataloss] 30,000 Dutch Credit card details stolen Message-ID: <474C0177.7020505@knology.net> http://www.first.org/newsroom/globalsecurity/176842.html 30,000 Dutch Telsell-customer credit card details stolen from Telsell computers, Telsell claims not their responsibility Customers of the television-sales organization TelSell can not only tele-shop while relaxing in their lazy chair, they also have a good chance to be robbed, while in that same chair. Earlier this year the details of over 30,000 credit cards have been stolen from Telsell's computer systems. 
The details are from customers who in the past ordered Telsell products, including slimming belts, fitness equipment and figure-correction underwear. With the card details cybercriminals can relatively easily make illegal transfers, where the victims are served the bill. The Dutch company Telsell has been aware of this theft for 6 months, but never informed those customers at risk. The company decided to take the credit card organization, looking at Telsell for recovery of the stolen amounts, to court. This has been discovered in procedural legal documents, obtained by the Telegraaf, the largest Dutch newspaper. According to these papers, last May hackers managed to break into, and compromise Telsell's computer systems, copying over fifteen thousand Visa card details and around sixteen thousand Mastercard details. What is unusual is that Telsell decided not to forewarn its possibly affected customers. If they had been warned in time, customers could have checked their credit card accounts for irregularities. Anyone who does not notice illegitimate transfers in their own account statements timely, will not receive any financial compensation. The even more unusual explanation by Telsell is: "It is not our responsibility to warn our customers." Yesterday the company Telsell refused to comment. Also it is not clear whether sufficient measures have been taken to avoid a repeat of the computer systems compromise. 
Original article in Dutch http://www.telegraaf.nl/binnenland/2622436/Telsell-klanten_dupe_roof.html?p=3,1 From lyger at attrition.org Wed Nov 28 19:59:12 2007 From: lyger at attrition.org (lyger) Date: Wed, 28 Nov 2007 19:59:12 +0000 (UTC) Subject: [Dataloss] (update) IN: $10,000 reward for missing VA computers Message-ID: http://www.indystar.com/apps/pbcs.dll/article?AID=/20071128/LOCAL/71128044 The FBI is offering a $10,000 reward for information about three computers stolen from the Roudebush Veterans Affairs Medical Center earlier this month. 
The computers contained the names, Social Security numbers, and dates of service of about 12,000 veterans. They were stolen from an unlocked treatment room over Veterans Day weekend. The stolen equipment included two Dell Optiplex GX260 desktop computers and a Toshiba 6000 laptop computer, as well as two computer monitors, a printer and a keyboard. [...] From jericho at attrition.org Thu Nov 29 07:41:19 2007 From: jericho at attrition.org (security curmudgeon) Date: Thu, 29 Nov 2007 07:41:19 +0000 (UTC) Subject: [Dataloss] follow-up: TJX e-mails tell the tale Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://news.bostonherald.com/business/general/view.bg?articleid=1047504 By Donna Goodison November 28, 2007 Executives at TJX Cos., which in January revealed a massive security breach that put millions of its customers' personal information at risk, knew two years ago that the company's wireless payment network was vulnerable to attack, according to court documents. In 2005, TJX officials also discussed the need to update the company's wireless network security to a more secure WiFi protected access (WPA) system and whether it could be deferred to save money, according to e-mail exchanges between TJX employees. The e-mails were included in court documents filed in a lawsuit brought by a group of banks against TJX. The security breach, the nation's largest, began in mid-2005 and was discovered by TJX in late 2006. TJX has since been accused of failing to safeguard customers' information and faces a myriad of lawsuits. Canadian officials who conducted their own investigation said criminals hacked into TJX's wireless networks while outside two Marshalls stores in Miami. The e-mails reveal TJX executives' concerns about the network. [..] 
From jericho at attrition.org Thu Nov 29 07:41:58 2007 From: jericho at attrition.org (security curmudgeon) Date: Thu, 29 Nov 2007 07:41:58 +0000 (UTC) Subject: [Dataloss] Security Breach Costs Jump 30% Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.baselinemag.com/article2/0,1540,2223732,00.asp By Deborah Gage Baseline November 28, 2007 The cost of recovering from a single data breach now averages $6.3 million -- that's up 31 percent since 2006 and nearly 90 percent since 2005, according to the Ponemon Institute, which studies privacy and information management. Two-thirds of that cost is spent recovering business that's lost after a breach, a cost that has risen 30 percent since last year. More customers stop doing business with a company after their information is exposed, and it's getting more expensive to replace them. "As consumers and end users get more educated, I think there's less tolerance," says John Dasher, the director of product management for PGP, which, along with Vontu, co-sponsored the Ponemon study. Companies known to have suffered a breach were contacted by Ponemon, and 35 agreed to respond. The companies surveyed were from 16 industries and lost anywhere from 4,000 to 125,000 records. They spent an average of $197 per lost record investigating the breach, notifying customers, restoring security infrastructures and recovering lost business. [..] From lyger at attrition.org Fri Nov 30 17:04:20 2007 From: lyger at attrition.org (lyger) Date: Fri, 30 Nov 2007 17:04:20 +0000 (UTC) Subject: [Dataloss] (update) TJX reaches $40m settlement with Visa over data breach Message-ID: http://www.boston.com/business/ticker/2007/11/tjx_reaches_40m.html Framingham retailer TJX Cos. said this morning it has reached an agreement with payment card network Visa USA Inc. to fund up to $40.9 million for payments to certain banks following a massive breach of TJX's computer systems through last year. 
Under the terms of the agreement, TJX, the parent of discount chains including TJ Maxx and Marshalls, said banks that issued Visa payment cards potentially affected by the computer breach could receive payments in return for agreeing not to sue or take other steps against TJX and banks such as Fifth Third Bancorp of Ohio that process its transactions. Roughly 100 million credit- and debit-card accounts were compromised in the intrusion first disclosed in January, the largest in history. [...] From jericho at attrition.org Fri Nov 30 22:12:16 2007 From: jericho at attrition.org (security curmudgeon) Date: Fri, 30 Nov 2007 22:12:16 +0000 (UTC) Subject: [Dataloss] fringe: Hacker Breaches Marketing Software Maker Message-ID: So far, there is no proof or evidence that PII was compromised. However, some of the articles and quotes from Convio are suspicious to me. ".. had to do with passwords and e-mail addresses and not anything more severe". When you log in to the site as one of the clients, it seems odd that the page would not show a little more information about the account, be it a name, login ID or something. - jericho ---------- Forwarded message ---------- From: Joel Baumgartner AUSTIN (AP) -- A marketing software company serving nonprofits across the country including The American Red Cross said Tuesday that a hacker stole e-mail addresses and password information from its clients' databases. Tad Druart, a spokesman for Austin-based Convio Inc., said the company has notified federal authorities of a data breach between Oct. 23 and Nov. 1. The hacker used an employee's password to get at the data, Druart said. No Social Security numbers or bank account information was stolen, Druart said. He said the company immediately notified the 92 companies affected, though he would not name them, and it wasn't known how much information was compromised. 
Red Cross spokeswoman Stephanie Millian confirmed that roughly 278,000 e-mail addresses and a smaller number of passwords were taken from a Red Cross blood drive Web site that ran on Convio's software. She said the Red Cross notified affected users Nov. 14. "We were fortunate in that this had to do with passwords and e-mail addresses and not anything more severe," Millian said. Convio, which has filed papers to prepare for an initial public offering, has 1,200 clients. Only clients using a program called GetActive, which Convio acquired in March, were affected by the hacker, Druart said. It was the first time the company's online security has been compromised, he added. Convio said it continues to investigate the breach and has hired outside security experts and taken other measures to prevent future attacks.