From lyger at attrition.org Sat Sep 1 01:32:07 2007
From: lyger at attrition.org (lyger)
Date: Sat, 1 Sep 2007 01:32:07 +0000 (UTC)
Subject: [Dataloss] Canada: Sick Kids doctor loses data on 3,300 patients

past related article:
http://attrition.org/dataloss/2007/03/sickkids01.html

http://www.thestar.com/living/article/251904

Six weeks after Ontario's privacy commissioner ordered the Hospital for Sick Children not to remove electronic health records from the hospital, a doctor lost an external hard drive containing such records at the country's busiest airport.

The hard drive, lost at Pearson International on April 21, contained personal health data on 3,300 patients who had received eye examinations or eye treatment at the hospital. The files included patient names, dates of birth, diagnoses, ophthalmologic images, and photographs of eyes and eye injuries.

Helen Simeon, director of public affairs at Sick Kids, said it took months to reconstruct the information and affected patients were not notified of the security breach until a letter was sent Aug. 28.

[...]

From rforno at infowarrior.org Sun Sep 2 19:56:10 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sun, 02 Sep 2007 15:56:10 -0400
Subject: [Dataloss] CMU Privacy Study Request For Participation

(c/o IP List)

Carnegie Mellon University researchers are conducting a web-based survey about online privacy concerns. If you complete this survey, you could win a $250 gift certificate for Amazon.com! Odds of winning depend on the number of entrants but are guaranteed 1:1000 or better. The study takes about 15 minutes.

To participate in this survey, go to: http://cups.cs.cmu.edu/survey-0807/

Thank you for your participation!
From lyger at attrition.org Sun Sep 2 23:45:39 2007
From: lyger at attrition.org (lyger)
Date: Sun, 2 Sep 2007 23:45:39 +0000 (UTC)
Subject: [Dataloss] MD: Computer with patient info stolen

http://www.imedinews.ge/en/news_read/61668

Johns Hopkins Hospital in Baltimore waited for five weeks before notifying patients that a computer containing their personal data had been stolen.

Hospital officials told The Baltimore Sun the desktop computer, which was taken from an office in mid-July, contained names, addresses, Social Security numbers and other important details for 5,783 patients.

[...]

From lyger at attrition.org Tue Sep 4 11:52:40 2007
From: lyger at attrition.org (lyger)
Date: Tue, 4 Sep 2007 11:52:40 +0000 (UTC)
Subject: [Dataloss] FL: Lost luggage has info on 61 school workers

http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20070904/NEWS01/709040325/1006

A missing piece of luggage belonging to a state auditor contains the personal information of 61 Brevard Public Schools employees and had district personnel scrambling before the holiday weekend began to notify people that their names and Social Security numbers might be compromised.

The bag went missing during an Aug. 19 Delta Airlines flight somewhere between Pensacola, Atlanta and Melbourne, school district personnel and an official with the State Auditor General's office said.

"We are well aware of the horror stories from identity thefts and we are hoping none of these employees will suffer that experience," Schools Superintendent Richard DiPatri said. "We are working with the auditor general to get to the bottom of this situation as quickly as possible."

[...]

From lyger at attrition.org Tue Sep 4 12:52:59 2007
From: lyger at attrition.org (lyger)
Date: Tue, 4 Sep 2007 12:52:59 +0000 (UTC)
Subject: [Dataloss] MI: Pfizer workers' identities at risk

http://www.detnews.com/apps/pbcs.dll/article?AID=/20070904/BIZ/709040369/1003/METRO

Some 34,000 Pfizer Inc.
workers, including some current and former employees in Michigan, are at risk for identity theft, according to a letter to employees obtained by The Detroit News.

According to the Aug. 24 letter, a security breach may have caused employees' names, Social Security numbers, addresses, dates of birth, phone numbers, bank account numbers, credit card information, signatures and other personal information to be publicly exposed.

The breach occurred late last year when a Pfizer employee removed copies of confidential information from a Pfizer computer system without the company's knowledge or approval. Pfizer didn't become aware of the breach until July 10.

[...]

From george at georgetoft.com Tue Sep 4 13:40:04 2007
From: george at georgetoft.com (George Toft)
Date: Tue, 04 Sep 2007 06:40:04 -0700
Subject: [Dataloss] AT&T laptop theft exposes employee data
Message-ID: <46DD6034.7000605@georgetoft.com>

My wife got her letter. AT&T is now predicting the future as they "have no evidence that your personal information has been, or will be, used for unauthorized purposes."

George Toft, CISSP

lyger wrote:
> http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=networking_and_internet&articleId=9033813&taxonomyId=16
>
> AT&T and Maryland's Department of the Environment have become the latest
> organizations to find out first hand why security analysts for some time
> now have advocated the use of encryption to protect sensitive data on
> laptops and other mobile devices.
>
> A laptop containing unencrypted personal data on current and former
> employees of the AT&T Corp. was stolen recently from the car of an
> employee of a professional services firm doing work for the company. That
> theft prompted the company to notify an unspecified number of individuals
> about the potential compromise of their Social Security numbers, names and
> other personal details.
>
> A spokesman for AT&T today confirmed the July 27 incident and said it
> affected only employees of the former AT&T Corp. acquired by SBC
> Communications Inc. in 2005. No data involving employees of SBC, Bell
> South or Cingular was affected, the spokesman said.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml

From lyger at attrition.org Tue Sep 4 16:16:32 2007
From: lyger at attrition.org (lyger)
Date: Tue, 4 Sep 2007 16:16:32 +0000 (UTC)
Subject: [Dataloss] (update) MD: Stolen Hopkins computer is returned

http://www.baltimoresun.com/news/health/bal-computer0904,0,500185.story?coll=bal_sports_promo

A stolen computer containing the personal records of 5,783 patients with cancer was returned to Johns Hopkins Hospital over the weekend, a hospital spokesman said.

The computer was given to Johns Hopkins security personnel on Sunday afternoon by Michael Mastracci, a Baltimore lawyer who says he learned of its whereabouts from a client and arranged to have it turned over to him.

An initial investigation suggests the data on the computer, which includes patients' names, Social Security numbers, birth dates, medical histories and other personal information, was not compromised, Hopkins officials said. Inspection of the computer after it was returned indicated it was probably never turned on after it was stolen and found no evidence anyone sought or gained access to the database information on the computer's hard drive, officials said.

[...]
From lyger at attrition.org Wed Sep 5 12:54:54 2007
From: lyger at attrition.org (lyger)
Date: Wed, 5 Sep 2007 12:54:54 +0000 (UTC)
Subject: [Dataloss] (update) OR: Ex-worker sues hospital in data loss

http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1188960930183820.xml&coll=7

The Providence Health System employee who took home the computerized records of 365,000 patients that were later stolen from his van has sued the hospital, saying he was fired because he reported the theft to authorities. The security breach has been reckoned the largest in state history.

Steven Shields, who was a Providence information systems analyst, says in his lawsuit that he was told to take the records to his Milwaukie home. The records were on 10 computer disks and data tapes in a bag that Shields left in his van when he parked it in his driveway Dec. 30, 2005.

[...]

Shields is asking in his suit for at least $1 million in back wages and damages for "pain, suffering, humiliation, anger, lost sleep, lost enjoyment in life, anxiety, depression and skin disorders."

[...]

From adam at homeport.org Wed Sep 5 14:54:15 2007
From: adam at homeport.org (Adam Shostack)
Date: Wed, 5 Sep 2007 10:54:15 -0400
Subject: [Dataloss] AT&T laptop theft exposes employee data
In-Reply-To: <46DD6034.7000605@georgetoft.com>
References: <46DD6034.7000605@georgetoft.com>
Message-ID: <20070905145415.GA7129@homeport.org>

"Have you ever had your employer blatantly mispredict the future to cover their own ass? You will. And the company that will bring it to you..."

On Tue, Sep 04, 2007 at 06:40:04AM -0700, George Toft wrote:
| My wife got her letter. AT&T is now predicting the future as they "have
| no evidence that your personal information has been, or will be, used
| for unauthorized purposes."
|
| George Toft, CISSP
|
| lyger wrote:
| > http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=networking_and_internet&articleId=9033813&taxonomyId=16
| >
| > [...]

From evan.francen at gmail.com Thu Sep 6 16:50:20 2007
From: evan.francen at gmail.com (Evan Francen)
Date: Thu, 6 Sep 2007 11:50:20 -0500
Subject: [Dataloss] Family Video Stores Private Information in Public Restrooms
Message-ID: <530c940709060950p2b8cabf4n6641056c4e0da7ee@mail.gmail.com>

http://breachblog.com/2007/09/05/family-video-stores-private-information-in-public-restrooms.aspx

Breach Description: A former store manager reports that she worked at several Family Video stores and every one of them stored confidential information regarding employees and job applicants in public restrooms.

"Officials at the corporate office for Family Video said they are fixing the problem and it is against their policy to keep private information in boxes in the bathroom."

"They also said this is not just a problem in Pennsylvania, but at Family Video stores in other states as well, and they are making sure to notify all stores so the private information is not stored where the public has access."

"Officials at Family Video did report the boxes in the Johnstown location were sitting on a shelf 8 feet from the ground, and in order for anyone to gain access to the files they would likely have to stand on something to get into them."

From lyger at attrition.org Thu Sep 6 22:23:41 2007
From: lyger at attrition.org (lyger)
Date: Thu, 6 Sep 2007 22:23:41 +0000 (UTC)
Subject: [Dataloss] SC: USC investigates student information found on the Web

http://www.charlotte.com/205/story/266353.html

The University of South Carolina is looking into what it called an "accidental disclosure" of private student information on the Internet, school spokesman Russ McKinney said Thursday.

The information wasn't on the Web long before the school realized what happened and took immediate steps to remove it, McKinney said.
The university is trying to determine exactly what type of information was released, the length of time it was on the Internet and who might have accessed it, McKinney said. The breach involved 1,482 students, he said.

[...]

From lyger at attrition.org Thu Sep 6 23:50:38 2007
From: lyger at attrition.org (lyger)
Date: Thu, 6 Sep 2007 23:50:38 +0000 (UTC)
Subject: [Dataloss] MA: Data loss notification (fwd)

The following was sent to attrition.org anonymously. The North Shore Emergency Action Coalition was set up to prepare for a potential bird flu epidemic amongst other emergency issues and is made up of Departments of Health for NE Massachusetts.

---------- Forwarded message ----------
Date: Sep 6, 2007 1:43 PM
Subject: Security Alert

Dear Volunteers:

I have some unfortunate news to share with you regarding our volunteer database. Our Computer Engineer has informed the Coalition that a flash drive, possibly containing volunteer information he was transferring from a work computer to a home back-up computer, has been lost. The flash drive was not stolen. It was misplaced and it is possible that it was accidentally thrown away. The volunteer information may have been deleted from the flash drive before it was lost, but the engineer cannot be certain that it was.

Although the risk of a problem from this situation is low, it does still exist. Therefore, we are notifying you so that you may take action to protect your information. Below are three links with information on how to protect your identity in situations where information has been lost or stolen. This process is free of charge.

http://www.ftc.gov/bcp/conline/pubs/alerts/infocompalrt.shtm
http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/compromised.html
http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/detect.html

The Coalition understands the vital relationship it has with its volunteers, one that is based on mutual respect and trust.
We deeply regret this problem and are actively re-examining security controls so that this situation will not happen again.

We need you, your expertise, and your commitment. We are beginning a new series of trainings and have reinforced our recruitment efforts. It is our genuine hope that you will continue on this path with us in spite of this recent occurrence.

Please e-mail me with any questions or concerns at . Your e-mails will be discussed by the Coalition and you will receive a response.

My sincerest apologies.

Joanne Scott
North Shore-Cape Ann Emergency Preparedness Coalition Chair

From hbrown at knology.net Fri Sep 7 11:25:58 2007
From: hbrown at knology.net (Henry Brown)
Date: Fri, 07 Sep 2007 06:25:58 -0500
Subject: [Dataloss] follow up & political fall out from CT tax department laptop theft
Message-ID: <46E13546.3020007@knology.net>

START PERSONAL COMMENTARY...
Somewhat AMAZING, at least to me, the responses when "POWERFUL" people are at risk for data loss
END PERSONAL COMMENTARY

From the Hartford CT Courant
http://tinyurl.com/35vt73

Laptop Theft Response Attacked
Lawmakers At Risk Of Identity Theft
By CHRISTOPHER KEATING | Capitol Bureau Chief
September 6, 2007

At least two prominent Democratic legislators and more than 70 state tax department employees are among Connecticut taxpayers at risk of identity theft because their Social Security numbers were on a stolen tax-department laptop computer.

A spokesman for Gov. M. Jodi Rell called the breach "inexcusable," and tax officials Wednesday said the state would pay for identity-theft protection for the 106,000 taxpayers whose names are on the computer.

(...)
From hbrown at knology.net Fri Sep 7 11:11:13 2007
From: hbrown at knology.net (Henry Brown)
Date: Fri, 07 Sep 2007 06:11:13 -0500
Subject: [Dataloss] De Anza College data on stolen laptop
Message-ID: <46E131D1.4090401@knology.net>

http://www.nbc11.com/news/14063454/detail.html

More Than 4,000 De Anza Students At Risk For ID Theft, School Says
Math Teacher's Stolen Laptop Contained Vital Information

CUPERTINO, Calif. -- De Anza College announced Thursday that thousands of former students might be at risk for identity fraud after an instructor's laptop computer, containing students' personal information, was stolen last month.

The Cupertino community college is attempting to contact 4,375 students and former students of the mathematics instructor to inform them that their personal information may be at risk. The computer contained the students' names, addresses, grades and in many cases Social Security numbers.

"Probably the bulk of them are Social Security numbers," said Foothill-De Anza Community College District spokeswoman Becky Bartindale.

(...)

From lyger at attrition.org Sat Sep 8 02:14:20 2007
From: lyger at attrition.org (lyger)
Date: Sat, 8 Sep 2007 02:14:20 +0000 (UTC)
Subject: [Dataloss] McKesson: Stolen Computers Contain Patient Information

http://www.informationweek.com/news/showArticle.jhtml?articleID=201804872

Health-care services company, McKesson, is alerting thousands of its patients that their personal information is at risk after two of its computers were stolen from an office.

The company, which helps pharmaceutical manufacturers set up assistance programs for patients in need, sent out a letter alerting patients that the computers were stolen on July 18. The names of the people being alerted were on one of the two PCs, but it's not known how much of their accompanying identifying information was also contained on the machines.
"Your personal information may have been on one of the two computers that were stolen from a McKesson office," wrote Patrick Blake, president of McKesson Specialty Pharmaceutical, in the letter to one patient. "At this point, we have not determined if your personal information was on either stolen computer. However, we are taking the precaution of notifying every patient whose information might have been on the computers, just to be safe."

[...]

From lyger at attrition.org Mon Sep 10 13:16:43 2007
From: lyger at attrition.org (lyger)
Date: Mon, 10 Sep 2007 13:16:43 +0000 (UTC)
Subject: [Dataloss] IN: Purdue University warns of possible computer security breach

http://www.jconline.com/apps/pbcs.dll/article?AID=/20070910/NEWS09/70910012

Purdue University is warning 111 people who were students in the fall of 2004 that information about them was inadvertently posted on the Internet.

The information was in a document that contained the names and Social Security numbers of students in the Animal Sciences 102 class. The page was no longer in use but was on a computer server connected to the Internet.

The document was found recently through an internal search and reported to the chief information security officer at Purdue. Purdue has removed the page from the Internet and mailed letters to those who may have been affected.

[...]

From hbrown at knology.net Mon Sep 10 14:09:17 2007
From: hbrown at knology.net (Henry Brown)
Date: Mon, 10 Sep 2007 09:09:17 -0500
Subject: [Dataloss] Laptops missing in Connecticut
Message-ID: <46E5500D.9010502@knology.net>

Report: 28 State Laptops Gone Missing In Past Year
http://www.nbc30.com/news/14073607/detail.html

HARTFORD, Conn. -- More than two dozen state-owned laptop computers have been reported lost or stolen since July 2006 from government offices, classrooms, employees' vehicles and their homes, according to state records.

The latest incident, a theft reported on Aug.
17, prompted the state to offer free identity-theft coverage to the 106,000 taxpayers whose names and Social Security numbers were on the computer.

However, another 28 state-owned laptops also have been reported missing since July 2006, the Journal Inquirer newspaper of Manchester reported. Their combined value exceeds $62,000.

According to records from Comptroller Nancy Wyman's office, some of the stolen laptop computers belonged to the state departments of consumer protection and environmental protection, and to Southern Connecticut State University. Other missing laptop computers belonged to the University of Connecticut, Connecticut Judicial Branch and state Department of Education, the newspaper reported.

House Majority Leader Christopher Donovan, D-Meriden, whose personal information was on the computer reported stolen Aug. 17, said he wants the state Department of Revenue Services to release more details about the theft.

"We need to find out what's going on, how this could happen, to make sure this doesn't happen again," he said.

The laptop computer was among several items reported stolen from a state worker's vehicle in Suffolk County, N.Y., although that employee's name and title have not been released. Sara Kaufman, a spokeswoman for the Department of Revenue Services, said she could not release details because of the ongoing police investigations in New York and Connecticut.

From lyger at attrition.org Mon Sep 10 22:01:31 2007
From: lyger at attrition.org (lyger)
Date: Mon, 10 Sep 2007 22:01:31 +0000 (UTC)
Subject: [Dataloss] (update) OH: Almost 67,000 more names on stolen tape

http://www.columbusdispatch.com/live/content/local_news/stories/2007/09/10/moredata.html

The names and Social Security numbers of more than 66,600 more individuals, including former state workers, were on a computer backup tape stolen from a state intern's car in June, officials said today.
The revelation brings to more than 1.3 million the number of individuals, businesses and other entities whose sensitive information is on the tape. The new names evidently were missed in an extensive state review of a duplicate of the missing device.

The state will pay for one year of identity-theft protection and prevention services for those individuals. Already more than 212,000 have enrolled at a cost to the state of nearly $2 million.

[...]

From jericho at attrition.org Tue Sep 11 08:26:00 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 11 Sep 2007 08:26:00 +0000 (UTC)
Subject: [Dataloss] follow-up: TJX. Un-answered questions.

---------- Forwarded message ----------
From: InfoSec News

http://blogs.zdnet.com/threatchaos/?p=474

Posted by Richard Stiennon
September 9th, 2007

Repercussions from the biggest reported data breach incident in history are still being felt. Last month's arrest of a dealer in stolen credit cards in Istanbul is just one example of how information stolen from TJX Companies is still being used by criminals.

As I prepare for a talk I am giving at tomorrow's Security Standard event in Chicago I realize that TJX, the holding company that owns TJ Maxx, Marshalls, and a bunch of other retail operations, is being less than transparent about the breach they first announced last January 17. According to TJX's official communications through their press releases and an SEC filing they first became aware of the presence of unauthorized software on their computer systems on December 18 and they reported it for the first time to Federal authorities on December 22nd.

There have been several speculative articles about how the breach occurred but never explicit descriptions from TJX. One article in the Wall Street Journal claims that the thieves broke in via a poorly set up wireless access point in a Marshalls store in St. Paul, Minnesota.
Another less circulated story is that thieves broke into multiple TJ Maxx stores via kiosks that were kept in the back of the store for accepting job applications. I believe that there were multiple incidents over a period of at least four years and that TJX had such bad security procedures that it was open season on their data by many hackers.

Question number one that I would love to hear the answer to: Exactly how and when did these breaches occur?

[...]

From evan.francen at gmail.com Tue Sep 11 16:39:16 2007
From: evan.francen at gmail.com (Evan Francen)
Date: Tue, 11 Sep 2007 11:39:16 -0500
Subject: [Dataloss] Computers stolen from welfare office
Message-ID: <530c940709110939v12dbc7amea2b48fb2439f7a8@mail.gmail.com>

http://www.pennlive.com/midstate/patriotnews/article121468.ece

"Two computers containing the mental health histories of more than 300,000 medical-assistance recipients were stolen from a state Public Welfare Department office last month, a spokesman for Gov. Ed Rendell confirmed Monday."

From evan.francen at gmail.com Wed Sep 12 02:09:07 2007
From: evan.francen at gmail.com (Evan Francen)
Date: Tue, 11 Sep 2007 21:09:07 -0500
Subject: [Dataloss] Gander Mountain Missing Computer Contains 112,000 Credit Card Numbers
Message-ID: <530c940709111909l3d7c5aa7vf827c3cf8781d511@mail.gmail.com>

http://breachblog.com/2007/09/11/gander-mountain-missing-computer-contains-112000-credit-card-numbers.aspx

"Gander Mountain Company (Nasdaq: GMTN) today announced that computer equipment, containing certain customer transaction information relating to a single store in Pennsylvania, is missing and may have been stolen. The transaction data relates only to customers who conducted business with the Gander Mountain store located in Greensburg, PA during the period from July 2002 through June 2007."

"The stored transaction information may have included: Approximately 112,000 credit card numbers with expiration date but without any other associated information.
Approximately 10,000 transaction records may have included the credit card number, expiration date and customer name. For the approximately 5,100 credit card customers who returned merchandise or did a lay-away purchase at the store during this period, the information also may have included an address. For the approximately 650 customers who purchased by check and returned merchandise without a receipt or put merchandise on layaway by check payment, the information may have contained a name, address, driver's license number and date of birth."

From lyger at attrition.org Wed Sep 12 15:39:57 2007
From: lyger at attrition.org (lyger)
Date: Wed, 12 Sep 2007 15:39:57 +0000 (UTC)
Subject: [Dataloss] UK: Doctor's laptop contain patient information stolen

http://www.theboltonnews.co.uk/display.var.1683695.0.doctors_laptop_contain_patient_information_stolen.php

CONFIDENTIAL patient information has been stolen from the home of a GP.

Burglars broke into Dr Thomas Lynch's family home in the early hours of July 16, stealing, among other things, the Dunstan Medical Centre's practice laptop.

The laptop contained confidential information about the thousands of people who are patients at the Tonge Fold GP's surgery.

But doctors at the practice insist any information stored on the computer is "held under the strictest multiple password security and unauthorised access would be highly unlikely".

[...]

From evan.francen at gmail.com Wed Sep 12 17:37:24 2007
From: evan.francen at gmail.com (Evan Francen)
Date: Wed, 12 Sep 2007 12:37:24 -0500
Subject: [Dataloss] Amerchoice, Lost CD, 67000 Affected
Message-ID: <530c940709121037n5814f46ag6fa39d4c66b152a@mail.gmail.com>

http://breachblog.com/2007/09/12/amerchoice-lost-cd-67000-affected.aspx

Breach Description: A compact disc (CD) containing confidential member information was shipped from the Americhoice office in Nashville to another Americhoice office in Knoxville.
The CD was lost in transit and the data on it was not encrypted.

"According to AmeriChoice, on July 19 a single CD was sent overnight by UPS from its office in Nashville to Knoxville. But it didn't make it."

"We regret that this occurred, certainly, and we do take the privacy and security of our member's personal information very seriously. And we have taken steps that we believe will prevent this kind of occurrence from happening again," AmeriChoice Vice President of Public Relations Steven Matthews explains.

From d2d at attrition.org Wed Sep 12 23:38:14 2007
From: d2d at attrition.org (d2d)
Date: Wed, 12 Sep 2007 23:38:14 +0000 (UTC)
Subject: [Dataloss] VA: Voxant Breach

Courtesy the Granite State (http://doj.nh.gov/consumer/pdf/Voxant.pdf)

The Voxant online ecommerce store server was hacked on or about June 20, 2007 using what appeared to be a typical phishing scheme. The server is separate from our primary business at www.voxant.com. We immediately took the affected server offline, removed the offending phishing pages, ...

...encrypted credit card numbers could have been accessed in our ecommerce system during the original incident. Although the credit card numbers were encrypted, we found that the encryption key was not well protected...

...Data in our database up through June 19-20 could have been affected, representing approximately 4,500 US customers...

From lyger at attrition.org Thu Sep 13 18:39:05 2007
From: lyger at attrition.org (lyger)
Date: Thu, 13 Sep 2007 18:39:05 +0000 (UTC)
Subject: [Dataloss] (update) FL: Airport police hold man in baggage thefts

http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20070913/BREAKINGNEWS/70913046&template=news0308

The case of a missing piece of luggage that contained the personal information of 61 school district personnel has apparently been solved.
Melbourne International Airport police arrested a 44-year-old defense subcontractor from California on charges of stealing luggage from the airport - including the bag that belonged to a state auditor who was reviewing documents of Brevard Public School employees.

Scott Price of Valencia, Calif., is in the Brevard County Jail, facing at least two charges of grand theft. Price works for Sargeant Fletcher Inc., a subcontractor for area defense companies, according to police.

[...]

From hbrown at knology.net Fri Sep 14 09:22:42 2007
From: hbrown at knology.net (Henry Brown)
Date: Fri, 14 Sep 2007 04:22:42 -0500
Subject: [Dataloss] California Data Breach Bill
Message-ID: <46EA52E2.5050500@knology.net>

a followup:

http://tinyurl.com/3e4dtv

US state moves closer to passing data breach law
Jim Carr
Sep 13 2007 09:38

California is a single signature away from passing a closely watched US bill that would require retailers to reimburse banks and credit unions for the costs of data breaches.

The California State Assembly this week unanimously ratified amendments to its assembly bill added by the state senate a week ago. The bill, known as the Consumer Data Protection Act, now requires just the signature of California Governor Arnold Schwarzenegger to become law.

He is expected to sign the bill, and Keri Bailey, a state legislative and regulatory lobbyist for the California Credit Union League, said if he does - and he has until about mid-October to do so - California will become the second state with such a law; Minnesota has already passed similar legislation.

The latest California bill will have the same effect on data breach laws as the state's data breach notification law, Mari Frank, an expert on identity theft, said. "Every time California has passed a privacy law, it has a ripple effect across the country," said Frank.
"California has taken the initiative on all of these - it was the first state to pass security breach legislation in 2003 - and California is one of few states that even has privacy in its constitution."

The original bill mandated that a breached retailer or government agency reimburse affected banks and credit unions for all costs incurred when alerting customers of the breach and reissuing cards. It also required retailers to disclose complete details about breaches and explicitly prohibited retailers from retaining a variety of authentication data stored on the magnetic stripes on the back of credit and debit cards.

The amended bill narrows the scope of potential reimbursement liability, noted Bailey. Merchants who suffer a breach but who followed accepted security guidelines may be excused from reimbursing the financial institutions impacted by a breach, she explained. Reimbursement could have a significant negative impact on retailers who suffer a breach, she said.

From lyger at attrition.org Fri Sep 14 14:53:21 2007
From: lyger at attrition.org (lyger)
Date: Fri, 14 Sep 2007 14:53:21 +0000 (UTC)
Subject: [Dataloss] NE: TD Ameritrade says someone stole customer information
Message-ID:

http://www.chicagotribune.com/business/chi-070914-data-theft,0,337951.story

TD Ameritrade Holding Corp. said Friday one of its databases was hacked and contact information for its more than 6.3 million customers was stolen.

A spokeswoman for the Omaha-based brokerage said more sensitive information in the same database, including Social Security numbers and account numbers, does not appear to have been taken.

The company would not share many details of its investigation, including when the hack took place, because it is still looking into the theft and is cooperating with investigators from the FBI.

[...]
From jericho at attrition.org Sat Sep 15 06:15:48 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 15 Sep 2007 06:15:48 +0000 (UTC)
Subject: [Dataloss] follow-up: Leader in TJX Fraud Gets 5-Year Sentence
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://online.wsj.com/article/SB118973246548127272.html

By Joseph Pereira
The Wall Street Journal
September 14, 2007

Irving Escobar, a ring leader in a TJX Cos.-linked credit-card fraud, was sentenced to five years in prison and has been ordered to pay nearly $600,000 in restitution for damages resulting from stolen financial information, Florida officials said.

The sentencing follows a guilty plea by Mr. Escobar, 19 years old, of Miami, to charges that he participated in a 10-person operation that used counterfeit cards bearing the stolen credit-card data of hundreds of TJX customers to purchase approximately $3 million in goods and gift cards. The penalty is the stiffest handed down so far in the case.

The thefts were carried out at a string of Wal-Mart and Sam's Club stores in Florida during the second half of 2006, authorities said. Some of the merchandise was bought with gift cards that had previously been purchased with the fraudulent credit cards, a modern-day version of money laundering, officials said.

[..]

From lyger at attrition.org Sat Sep 15 20:25:39 2007
From: lyger at attrition.org (lyger)
Date: Sat, 15 Sep 2007 20:25:39 +0000 (UTC)
Subject: [Dataloss] TN: Technical glitch could make personal data for some TTU students vulnerable
Message-ID:

http://www.herald-citizen.com/NF/omf.wnm/herald/news_story.html?rkey=0046193+cr=gdn

Some 3,100 current or past Tennessee Tech University students who owe the university money were notified today that some of their personal data may have been compromised. On Tuesday, Sept.
11, a technical problem in the way student bills are printed resulted in the chance that some student social security numbers and personal identification numbers may have been sent to another student's address.

While the university suspects the number of records made vulnerable is relatively small, campus officials preferred to err on the side of warning all 3,100 individuals who might have been mailed a bill on that date.

Within a day after the problem was identified, the university e-mailed letters to those affected, notifying them of the problem and outlining steps to help prevent possible fraud.

[...]

From lyger at attrition.org Sun Sep 16 00:13:47 2007
From: lyger at attrition.org (lyger)
Date: Sun, 16 Sep 2007 00:13:47 +0000 (UTC)
Subject: [Dataloss] (of interest) Important information about your TD AMERITRADE account
Message-ID:

(anonymously forwarded to attrition.org for informational purposes)

> September 14, 2007
> You do not need to make any changes to your TD AMERITRADE accounts or to
> change the way you do business with us.
> Dear ,
> Let me tell you why I am sending you this email. While investigating client
> reports about the industry-wide issue of investment-related SPAM, we recently
> discovered and eliminated unauthorized code from our systems. This code
> allowed certain client information stored in one of our databases, including
> email addresses, to be retrieved by an external source.
> Please be assured that UserIDs and passwords are not included in this
> database, and we can confirm that your assets remain secure at TD AMERITRADE.
> What we want you to know:
> Once we discovered the unauthorized code, we took immediate action to
> eliminate it. We are confident that we have identified the means by which the
> information was accessed and have taken appropriate steps to prevent this
> from reoccurring.
> You continue to be covered by our Asset Protection Guarantee, which protects
> you and your assets from any unauthorized activity that may occur in your
> account through no fault of your own. If you lose cash or securities as a
> result of such activity, we will reimburse you for the cash or shares of
> securities you lost.
> While Social Security Numbers are stored in this particular database, we have
> no evidence to establish that they were retrieved or used to commit identity
> theft. To further protect you, we have hired ID Analytics, which specializes
> in identity risk, to investigate and monitor potential identity theft. ID
> Analytics provides identity risk services to many of the country's largest
> banks and telecommunication companies, as well as government agencies.
> Following its initial evaluation, ID Analytics found no evidence of identity
> theft as a result of this data breach. We will retain its services on an
> ongoing basis to support your TD AMERITRADE accounts and to monitor for
> evidence of identity theft. We will alert and advise you if any is found. As
> always, we encourage you to remain alert in guarding your personal
> information, regularly review your account statements and monitor your credit
> activity from the major reporting agencies.
> For more information on protecting yourself against the possibility of
> security threats, please visit our online Security Center.
> We sincerely apologize to you for this situation and want to assure you that
> protecting the security and privacy of your assets and information remains a
> top priority. We have made and will continue to make significant investments
> in security software, systems and procedures, and we will remain vigilant
> about protecting you.
> We want to answer any questions and address any concerns that you may have
> about this matter.
> For more information, including a list of Frequently Asked
> Questions (FAQs) and an additional message from me, please go to www.amtd.com
> or contact Client Services. Please note that we are anticipating increased
> call volume during this period, which may lead to long wait times. We
> encourage you to review the FAQs and, if you have a question, to log on to
> your account and send us a secure email. Once again, please be assured that
> your assets are secure at TD AMERITRADE.
> Sincerely,
> Joe Moglia
> CEO
> TD AMERITRADE
> TD AMERITRADE understands the importance of protecting your privacy. We are
> sending you this notification to inform you of important information
> regarding your account. If you've elected to opt out of receiving marketing
> communications from us, we will honor your request to unsubscribe from future
> emails now.
> TD AMERITRADE, Inc., member FINRA/SIPC. TD AMERITRADE is a trademark jointly
> owned by TD AMERITRADE IP Company, Inc. and The Toronto-Dominion Bank. © 2007
> TD AMERITRADE IP Company, Inc. All rights reserved. Used with permission.
> Distributed by: TD AMERITRADE, Inc., 1005 North Ameritrade Place, Bellevue,
> NE 68005
> TDA 9649 EM 09/07

From lyger at attrition.org Mon Sep 17 01:10:23 2007
From: lyger at attrition.org (lyger)
Date: Mon, 17 Sep 2007 01:10:23 +0000 (UTC)
Subject: [Dataloss] UK: Bank details of employees stolen
Message-ID:

http://www.eveningstar.co.uk/content/eveningstar/news/story.aspx?brand=ESTOnline&category=News&tBrand=ESTOnline&tCategory=News&itemid=IPED16%20Sep%202007%2013%3A01%3A09%3A003

A MAJOR security operation is underway after private financial details of more than 1,000 employees at a Suffolk council were stolen from the home of one of its senior officers.

Bank and national insurance details of 1,380 people on St Edmundsbury Borough Council's payroll were stored on a laptop computer stolen from the home of a council worker on September 6.
An investigation is currently underway and all employees are being urged to check their bank accounts on a daily basis amid fears over fraud.

[...]

From jericho at attrition.org Mon Sep 17 08:14:47 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 17 Sep 2007 08:14:47 +0000 (UTC)
Subject: [Dataloss] UK: Loans website suffers security breach
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.itpro.co.uk/security/news/124958/loans-website-suffers-security-breach.html

By Miya Knights and Rene Millman
14th September 2007

UK online loans company, Loans.co.uk has said it suffered a security breach that has resulted in customer details being passed to other loan companies without authorisation.

The company said it recently learned of the breach and has contacted affected customers, although it would not say how many were affected. It did say sensitive information including names, addresses and dates of birth was compromised however.

"We have no evidence to suggest that this information has been used for any purpose other than marketing activity," said the company in a statement. "The individuals are people who applied to us for a loan, but we are not aware of any existing customers' details being provided."

The company has offered customers involved a year's free subscription to credit reference agency, Credit Expert so they might check if any fraudulent claims or applications are made using their details.

[..]

From lyger at attrition.org Mon Sep 17 21:39:52 2007
From: lyger at attrition.org (lyger)
Date: Mon, 17 Sep 2007 21:39:52 +0000 (UTC)
Subject: [Dataloss] Attorney Alleges Ameritrade Knew Of Security Breach A Year Ago
Message-ID:

http://www.informationweek.com/security/showArticle.jhtml?articleID=201807006

An attorney launching a class-action lawsuit against TD Ameritrade Holding alleges the online brokerage knew a hacker had access to a customer database as far back as a year ago.
Last Friday, Ameritrade e-mailed account holders and put a public advisory on its Web site alerting users that a hacker broke into one of its databases and stole personally identifying information for some of its 6.3 million customers. The company said names, e-mail addresses, phone numbers, and home addresses were taken in the data breach. Client assets, along with user IDs, personal identification numbers, and passwords, were not stored in the compromised database. However, the advisory noted that it's unclear if account numbers, dates of birth, and Social Security numbers were stolen.

Ameritrade did not say when the hackers got into the database or how long they remained there.

Kim Hillyer, a spokeswoman for Ameritrade, said in an interview that all of the company's 6.3 million accounts that were opened before July 18 of this year were breached. She would not say when the company first learned that there had been a breach, only offering that "they had been investigating client reports of spam for some time."

[...]

From jericho at attrition.org Wed Sep 19 07:58:07 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 19 Sep 2007 07:58:07 +0000 (UTC)
Subject: [Dataloss] Call for worldwide breach notification laws
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.siliconrepublic.com/news/news.nv?storyid=single9222

By John Kennedy
17.09.2007

High profile security breaches such as the theft of financial details of more than 46.7 million TK Maxx customers and the burgeoning level of personal data held by business has led to the chief security strategist of a major software firm calling for unified and stringent international laws requiring firms to reveal breaches as they occur.

Chief security strategist at Citrix Kurt Roemer said that governments, including Ireland, should establish laws requiring organisations to notify individuals in the event that their personal information is compromised in a data security breach.
In March of this year it emerged that details of 45.7 million customers of US retailer TJX (known here in Ireland as TK Maxx) were stolen. The data was accessed on TJX's systems in the UK and in Massachusetts over a 16-month period and the data accessed covered credit and debit card transactions dating as far back as December 2002.

Such breaches have prompted governments around the world to consider implementing stringent breach notification laws.

[..]

From lyger at attrition.org Wed Sep 19 11:50:16 2007
From: lyger at attrition.org (lyger)
Date: Wed, 19 Sep 2007 11:50:16 +0000 (UTC)
Subject: [Dataloss] MI: Sensitive patient data stolen from nursing building
Message-ID:

http://media.www.michigandaily.com/media/storage/paper851/news/2007/09/19/Crime/Sensitive.Patient.Data.Stolen.From.Nursing.Building-2977434.shtml

Since 8,585 tapes were stolen from the School of Nursing two weeks ago - the third data theft in the last year - University officials are stressing the importance of protecting against data theft.

The tapes were used as backups for the school's computer database. They contained patient information like social security numbers and patient names and addresses.

One of the most important steps to take in cases of theft is quickly reporting it to the University's Information Technology Security Services office, said Paul Howell, the University's chief information technology security officer.

[...]

From jericho at attrition.org Wed Sep 19 17:32:45 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 19 Sep 2007 17:32:45 +0000 (UTC)
Subject: [Dataloss] follow-up: Ameritrade leak looks to have started in late '05, much earlier than reported
Message-ID:

http://www.networkworld.com/community/node/19720

Ameritrade leak looks to have started in late '05, much earlier than reported
Submitted by Paul McNamara on Wed, 09/19/2007 - 1:17pm.
E-mails obtained by Network World show that Ameritrade received explicit and repeated warnings from an IT security expert starting Jan. 9, 2006 that its customer data had apparently been compromised, placing the start of the breach much earlier than previously reported and likely pushing it into 2005.

Nevertheless, the company insisted for the next 20 months that a flood of stock-related spam being received by numerous clients was not indicative of a more serious problem. Following that January 2006 e-mail, subsequent warnings from multiple sources -- including a column this May by my Network World colleague Mark Gibbs -- also failed to prompt the company to alert its clients.

Only last Friday did Ameritrade publicly acknowledge that "unauthorized code" on its systems had "allowed certain information stored in one of our databases, including e-mail addresses, to be retrieved by an external source." More than 6 million customer accounts were exposed, although Ameritrade contends there has been no known identity fraud associated with the breach.

"I warned Ameritrade of a security breach in January of 2006, which means that it likely occurred in mid- to late-2005," says Joshua Fritsch, who sent the Jan. 9, 2006 e-mail and provided copies of his exchange with Ameritrade to Network World. Fritsch has 15 years of experience in networking, including "security design and management for a global financial firm."

[..]

From lyger at attrition.org Wed Sep 19 18:46:31 2007
From: lyger at attrition.org (lyger)
Date: Wed, 19 Sep 2007 18:46:31 +0000 (UTC)
Subject: [Dataloss] KS: KU investigating release of private information
Message-ID:

http://www2.ljworld.com/news/2007/sep/19/ku_investigating_release_private_information/

A number of documents containing Kansas University student, faculty and staff personal information were sent Tuesday to the Lawrence Journal-World.
The information was accompanied by an anonymous letter, which said that the documents were recovered from the recycling and trash in the Mathematics Department at Kansas University. The letter, which purports to be from former department teaching assistants and current employees of the KU Recycling Center, said that several attempts to make the math department take better care of the information have gone unheeded.

[...]

The records sent to the Journal-World, and possibly two other area media outlets according to an accompanying letter, included student exams, student change of grade forms, class rosters, copies of health insurance cards, copies of immigration forms as well as a copy of a Social Security card.

[...]

From lyger at attrition.org Fri Sep 21 15:28:52 2007
From: lyger at attrition.org (lyger)
Date: Fri, 21 Sep 2007 15:28:52 +0000 (UTC)
Subject: [Dataloss] OH: City: Stolen computers held personal information on 3,500 people
Message-ID:

http://www.wtol.com/Global/story.asp?S=7108269

The city of Columbus is offering identity-theft protection services to more than 3,000 people whose Social Security numbers were on three computers stolen from a warehouse.

The theft affected people who had signed up for the city's Mobile Tool Library, which lends power tools, lawn mowers and supplies.

[...]

From lyger at attrition.org Sat Sep 22 00:12:18 2007
From: lyger at attrition.org (lyger)
Date: Sat, 22 Sep 2007 00:12:18 +0000 (UTC)
Subject: [Dataloss] Mortgage Data Leaked Over P2P File Network
Message-ID:

(courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/)

Via Yahoo! News (AP).

[snip]

Three spreadsheets containing more than 5,000 Social Security numbers and other personal details about customers of ABN Amro Mortgage Group were inadvertently leaked over an online file-sharing network by a former employee.
Tiversa Inc., a Pittsburgh company that offers data-leakage protection services, traced the origins of the ABN data to a Florida computer with the BearShare software installed. BearShare, LimeWire and scores of other programs are designed to distribute and find songs, movies and other files over the Gnutella file-sharing network.

Tiversa Chief Executive Robert Boback said file-sharing programs are commonly misconfigured to share documents their owners never intended to make public.

[snip]

More: http://news.yahoo.com/s/ap/20070921/ap_on_hi_te/file_sharing_leak

- - ferg

From lyger at attrition.org Sat Sep 22 17:35:26 2007
From: lyger at attrition.org (lyger)
Date: Sat, 22 Sep 2007 17:35:26 +0000 (UTC)
Subject: [Dataloss] TJX settles data theft class-action suit
Message-ID:

http://www.nashuatelegraph.com/apps/pbcs.dll/article?AID=/20070922/BUSINESS/309220010/-1/style

The TJX Cos. Inc. announced Friday it has settled class action lawsuits in the United States, Canada and Puerto Rico related to a massive security breach of customer data that affected at least 45 million credit and debit cards.

The announcement did not specify the amount, but noted that its estimated costs were included in a $107 million reserve included in its second-quarter report for fiscal 2008 and its estimate of $21 million in future costs expected in fiscal 2009.

[...]

From jericho at attrition.org Sun Sep 23 09:18:38 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 23 Sep 2007 09:18:38 +0000 (UTC)
Subject: [Dataloss] follow-up: Connecticut Sues Consultant, Accenture, Over Lost Data
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.informationweek.com/news/showArticle.jhtml?articleID=201807932

By Sharon Gaudin
InformationWeek
September 20, 2007

The State of Connecticut is suing its own computer consultant, Accenture, for losing personally identifying information on 58 residents and hundreds of state bank accounts and purchasing cards.
Connecticut attorney general Richard Blumenthal announced he is suing the company for illegal negligence, unauthorized use of state property, and breach of contract. He filed the suit on behalf of state comptroller Nancy Wyman, whose office contracted with Accenture.

"Accenture deserves censure -- to be held accountable for allowing valuable secret data to be stolen and putting at risk state taxpayers, bank accounts, and purchasing cards," Blumenthal said in a statement. "Accenture acted unconscionably and illegally. It breached its commitment to keep confidential this highly sensitive financial information. The company broke its contractual promises and duty of care to safeguard the secrecy of sensitive data. It misappropriated state property -- taking significant valuable data for its own use without permission or authority."

Accenture released a statement saying the company is reviewing the matter.

[..]

From lyger at attrition.org Mon Sep 24 23:18:03 2007
From: lyger at attrition.org (lyger)
Date: Mon, 24 Sep 2007 23:18:03 +0000 (UTC)
Subject: [Dataloss] UT: Workforce Services laptop with personal information stolen
Message-ID:

http://deseretnews.com/article/1,5143,695212876,00.html

A laptop computer containing a spreadsheet with the Social Security numbers and other personal information of about 2,000 people was reported stolen today by the Utah Department of Workforce Services.

The computer is password-protected, making it less likely an unauthorized person would be able to access its contents, according to a DWS press release. DWS is reviewing its policies with all employees to prevent a similar theft in the future.

[...]
From lyger at attrition.org Tue Sep 25 13:00:49 2007
From: lyger at attrition.org (lyger)
Date: Tue, 25 Sep 2007 13:00:49 +0000 (UTC)
Subject: [Dataloss] Report on TJX breach expected today
Message-ID:

http://www.boston.com/business/globe/articles/2007/09/25/report_on_tjx_breach_expected_today/

Two Canadian privacy agencies are expected to release today the results of a joint investigation into the security breach at TJX Cos. in which hackers stole more than 45.7 million credit and debit card numbers.

The Privacy Commissioner of Canada and the Information and Privacy Commissioner of Alberta are expected to summarize their findings into how intruders breached the computer system using wireless technology outside of a Marshalls store in the United States, according to privacy officials briefed on the report.

The Canadian groups' report also includes recommendations for TJX to better protect its systems. The report is expected in Montreal on the opening day of the 29th International Conference of Data Protection and Privacy Commissioners.

[...]

From cwalsh at cwalsh.org Tue Sep 25 14:48:38 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 25 Sep 2007 09:48:38 -0500
Subject: [Dataloss] Report on TJX breach expected today
In-Reply-To:
References:
Message-ID: <20070925144824.GA14689@cwalsh.org>

Report is at http://www.oipc.ab.ca/ims/client/upload/Investigation%20Report%20P2007_IR_0061.pdf

From avery.sawaba at gmail.com Tue Sep 25 15:17:07 2007
From: avery.sawaba at gmail.com (Avery Sawaba)
Date: Tue, 25 Sep 2007 11:17:07 -0400
Subject: [Dataloss] Report on TJX breach expected today
In-Reply-To:
References:
Message-ID:

I was on the teleconference call, but hit *1 too late to ask my question.
Reading the report that Chris sent the link to, one of the big questions that stood out was that, although they explain that wireless networks were upgraded to WPA in September 2005 to fix the WEP security issue, they don't explain how the intruders continued to access their networks even after the "locks were changed".

Most of the comments were Canadian specific, but a lot of American journalists were on the line asking questions. The only thing I heard that was truly new news to me was that the breach originated at two Marshalls stores in Miami. I still have to wonder whether or not all the intrusions were through the same stores via the same methods though, and I can't help but doubt it.

--Sawaba

On 9/25/07, lyger wrote:
>
> http://www.boston.com/business/globe/articles/2007/09/25/report_on_tjx_breach_expected_today/
>
> Two Canadian privacy agencies are expected to release today the results of
> a joint investigation into the security breach at TJX Cos. in which
> hackers stole more than 45.7 million credit and debit card numbers.
>
> The Privacy Commissioner of Canada and the Information and Privacy
> Commissioner of Alberta are expected to summarize their findings into how
> intruders breached the computer system using wireless technology outside
> of a Marshalls store in the United States, according to privacy officials
> briefed on the report.
>
> The Canadian groups report also includes recommendations for TJX to better
> protect its systems. The report is expected in Montreal on the opening day
> of the 29th International Conference of Data Protection and Privacy
> Commissioners.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>

From lyger at attrition.org Tue Sep 25 21:52:36 2007
From: lyger at attrition.org (lyger)
Date: Tue, 25 Sep 2007 21:52:36 +0000 (UTC)
Subject: [Dataloss] Apparent Ebay Hacker Posts Credit Card Numbers of Ebay Users
Message-ID:

http://www.associatedcontent.com/article/392758/apparent_ebay_hacker_posts_credit_card.html

Early this morning, a series of new threads appeared on Ebay's Trust & Safety Discussion Board, in which the personal information of hundreds of Ebay users was posted. This information included credit card account numbers, as well as the 3 digit security code on credit cards. The information was reportedly available on the discussion board for about an hour and a half, despite the fact that many users reported the violation within fifteen minutes of the first posting.

While at this point it is unclear to many users exactly what happened, those who frequent the Trust & Safety discussion forum on Ebay first noticed new threads appearing, with each thread containing the personal information and credit card account numbers of Ebay users. Over a short period of time, the number of threads steadily increased, until Ebay was finally forced to shut down the discussion board.

[...]

From lyger at attrition.org Tue Sep 25 22:20:07 2007
From: lyger at attrition.org (lyger)
Date: Tue, 25 Sep 2007 22:20:07 +0000 (UTC)
Subject: [Dataloss] (update) eBay forum mysteriously leaks account details on 1,200 users
Message-ID:

http://www.theregister.co.uk/2007/09/25/ebay_account_details_published/

Hackers brazenly posted sensitive information including home addresses and phone numbers for 1,200 eBay users to an official online forum dedicated to fraud prevention on the auction site.

The information - which also included user names and email, and possibly their credit card numbers and three-digit CVV2 numbers - was visible for more than an hour to anyone visiting the forum.
The miscreants appeared to create a script that caused each user to log in and post information associated with the person who owned the account. The script spit out about 15 posts per minute, starting around 5:45 a.m. California time.

An eBay spokeswoman said the posts were not the result of a security breach on eBay and that the credit card numbers contained in the posts were not those eBay or PayPal had on file for those users. eBay representatives have begun contacting all users whose information was posted to head off any further fraud and to learn more about the attack.

[...]

From avery.sawaba at gmail.com Wed Sep 26 04:21:48 2007
From: avery.sawaba at gmail.com (Avery Sawaba)
Date: Wed, 26 Sep 2007 00:21:48 -0400
Subject: [Dataloss] (update) eBay forum mysteriously leaks account details on 1,200 users
In-Reply-To:
References:
Message-ID:

If this information is accurate, this is a BIG deal, as NO ONE should EVER be storing CVV2 information. Ebay would be in big trouble with VISA, Mastercard, etc, as this is one of the most capital sins in credit card handling practices. You only use security codes for real-time verification. It should never be stored.

Apologies for all the CAPS, and I hope this is all faked data. Scary to think a big name like Ebay would be foolish enough to save CVV2/CVC2 codes.

--Sawaba

On 9/25/07, lyger wrote:
>
> http://www.theregister.co.uk/2007/09/25/ebay_account_details_published/
>
> Hackers brazenly posted sensitive information including home addresses and
> phone numbers for 1,200 eBay users to an official online forum dedicated
> to fraud prevention on the auction site.
>
> The information - which also included user names and email, and possibly
> their credit card numbers and three-digit CVV2 numbers - was visible for
> more than an hour to anyone visiting the forum. The miscreants appeared to
> create a script that caused each user to log in and post information
> associated with the person who owned the account.
> The script spit out
> about 15 posts per minute, starting around 5:45 a.m. California time.
>
> An eBay spokeswoman said the posts were not the result of a security
> breach on eBay and that the credit card numbers contained in the posts
> were not those eBay or PayPal had on file for those users. eBay
> representatives have begun contacting all users whose information was
> posted to head off any further fraud and to learn more about the attack.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>

From 1and1 at canadaballoons.com Wed Sep 26 12:39:47 2007
From: 1and1 at canadaballoons.com (Arsen Shirokov)
Date: Wed, 26 Sep 2007 08:39:47 -0400
Subject: [Dataloss] (update) eBay forum mysteriously leaks account details on 1,200 users
In-Reply-To:
References:
Message-ID: <6c1b5200709260539j53f4e1d5x93c488bd51ab62d3@mail.gmail.com>

The fact that the data was posted on eBay forum doesn't necessarily mean it was stolen from eBay. That's what eBay is saying according to the message below.

Also, you've never seen phish sites that ask for CVV/CVV2? Surely neither phishers nor those being phished care about PCI DSS :)

Arsen

On 9/26/07, Avery Sawaba wrote:
> If this information is accurate, this is a BIG deal, as NOONE should
> EVER be storing CVV2 information. Ebay would be in big trouble with
> VISA, Mastercard, etc, as this is one of the most capital sins in
> credit card handling practices. You only use security codes for
> real-time verification. It should never be stored.
>
> Apologies for all the CAPS, and I hope this is all faked data.
Scary > to think a big name like Ebay would be foolish enough to save > CVV2/CVC2 codes. > > --Sawaba > > On 9/25/07, lyger wrote: > > > > http://www.theregister.co.uk/2007/09/25/ebay_account_details_published/ > > > > Hackers brazenly posted sensitive information including home addresses and > > phone numbers for 1,200 eBay users to an official online forum dedicated > > to fraud prevention on the auction site. > > > > The information - which also included user names and email, and possibly > > their credit card numbers and three-digit CVV2 numbers - was visible for > > more than an hour to anyone visiting the forum. The miscreants appeared to > > create a script that caused each user to log in and post information > > associated with the person who owned the account. The script spit out > > about 15 posts per minute, starting around 5:45 a.m. California time. > > > > An eBay spokeswoman said the posts were not the result of a security > > breach on eBay and that the credit card numbers contained in the posts > > were not those eBay or PayPal had on file for those users. eBay > > representatives have begun contacting all users whose information was > > posted to head off any further fraud and to learn more about the attack. > > > > [...] > > _______________________________________________ > > Dataloss Mailing List (dataloss at attrition.org) > > http://attrition.org/dataloss > > > > Tenable Network Security offers data leakage and compliance monitoring > > solutions for large and small networks. Scan your network and monitor your > > traffic to find the data needing protection before it leaks out! > > http://www.tenablesecurity.com/products/compliance.shtml > > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > > Tenable Network Security offers data leakage and compliance monitoring > solutions for large and small networks. 
Scan your network and monitor your > traffic to find the data needing protection before it leaks out! > http://www.tenablesecurity.com/products/compliance.shtml > From avery.sawaba at gmail.com Wed Sep 26 14:03:07 2007 From: avery.sawaba at gmail.com (Avery Sawaba) Date: Wed, 26 Sep 2007 10:03:07 -0400 Subject: [Dataloss] (update) eBay forum mysteriously leaks account details on 1, 200 users In-Reply-To: <6c1b5200709260539j53f4e1d5x93c488bd51ab62d3@mail.gmail.com> References: <6c1b5200709260539j53f4e1d5x93c488bd51ab62d3@mail.gmail.com> Message-ID: On 9/26/07, Arsen Shirokov <1and1 at canadaballoons.com> wrote: > The fact that the data was posted on eBay forum doesn't necessarily > mean it was stolen from eBay. Hence my disclaimer, "If this information is accurate". The fact that CVV2 data is included may help disprove their claim, as it is highly unlikely that someone like Ebay would be foolish enough to do so. --Sawaba From corygould at gmail.com Wed Sep 26 14:33:22 2007 From: corygould at gmail.com (Cory Gould) Date: Wed, 26 Sep 2007 08:33:22 -0600 Subject: [Dataloss] (update) eBay forum mysteriously leaks account details on 1, 200 users In-Reply-To: References: <6c1b5200709260539j53f4e1d5x93c488bd51ab62d3@mail.gmail.com> Message-ID: <878dfe630709260733j51231cd1q9ca11149ea968829@mail.gmail.com> Why would ebay have credit cards to begin with, unless paypal was breeched and the ebay discussion group used to spread the word. Also, correct me if I'm wrong but I don't believe paypal/ebay requests CVV2 information when signing up anyway. In fact, the only time I'm required to give out that information is when using a credit card over the phone, never online. On 9/26/07, Avery Sawaba wrote: > > On 9/26/07, Arsen Shirokov <1and1 at canadaballoons.com> wrote: > > The fact that the data was posted on eBay forum doesn't necessarily > > mean it was stolen from eBay. > > Hence my disclaimer, "If this information is accurate". 
The fact that > CVV2 data is included may help disprove their claim, as it is highly > unlikely that someone like Ebay would be foolish enough to do so. > > --Sawaba > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > > Tenable Network Security offers data leakage and compliance monitoring > solutions for large and small networks. Scan your network and monitor your > traffic to find the data needing protection before it leaks out! > http://www.tenablesecurity.com/products/compliance.shtml > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20070926/a280a309/attachment.html From avery.sawaba at gmail.com Wed Sep 26 18:06:11 2007 From: avery.sawaba at gmail.com (Avery Sawaba) Date: Wed, 26 Sep 2007 14:06:11 -0400 Subject: [Dataloss] (update) eBay forum mysteriously leaks account details on 1, 200 users In-Reply-To: <878dfe630709260733j51231cd1q9ca11149ea968829@mail.gmail.com> References: <6c1b5200709260539j53f4e1d5x93c488bd51ab62d3@mail.gmail.com> <878dfe630709260733j51231cd1q9ca11149ea968829@mail.gmail.com> Message-ID: CVV is definitely used online, or anywhere a merchant wants to reduce risk (and therefore the rate they are charged by their processor). The security code concept is supposed to be a greater guarantee that the person using a card has it in their physical possession, since the only place you are supposed to be able to find it is physically printed on the back of the card. Its purpose is very similar to that of a PIN number. The only time security codes are requested (or should be requested) is right before a transaction is processed. The codes are validated in real time. --Sawaba On 9/26/07, Cory Gould wrote: > Why would ebay have credit cards to begin with, unless paypal was breeched > and the ebay discussion group used to spread the word. 
Also, correct me if > I'm wrong but I don't believe paypal/ebay requests CVV2 information when > signing up anyway. In fact, the only time I'm required to give out that > information is when using a credit card over the phone, never online. > > On 9/26/07, Avery Sawaba wrote: > > > > On 9/26/07, Arsen Shirokov <1and1 at canadaballoons.com> wrote: > > > The fact that the data was posted on eBay forum doesn't necessarily > > > mean it was stolen from eBay. > > > > Hence my disclaimer, "If this information is accurate". The fact that > > CVV2 data is included may help disprove their claim, as it is highly > > unlikely that someone like Ebay would be foolish enough to do so. > > > > --Sawaba > > _______________________________________________ > > Dataloss Mailing List (dataloss at attrition.org) > > http://attrition.org/dataloss > > > > Tenable Network Security offers data leakage and compliance monitoring > > solutions for large and small networks. Scan your network and monitor your > > traffic to find the data needing protection before it leaks out! > > http://www.tenablesecurity.com/products/compliance.shtml > > > > From lyger at attrition.org Wed Sep 26 23:17:29 2007 From: lyger at attrition.org (lyger) Date: Wed, 26 Sep 2007 23:17:29 +0000 (UTC) Subject: [Dataloss] TJX: Retail privacy breach foreseeable and preventable, probe finds Message-ID: Retail privacy breach foreseeable and preventable, probe finds Carly Weeks, CanWest News Service Published: Tuesday, September 25, 2007 MONTREAL - The massive security breach that hit TJX Cos. earlier this year was both foreseeable and preventable, concludes an investigation by the federal and Albertan privacy commissioners. "The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it - putting the privacy of millions of its customers at risk," federal privacy commissioner Jennifer Stoddart said Tuesday. 
The investigation found the company breached federal and Alberta privacy laws, which are designed to protect how companies use and collect personal information.

The company must make numerous changes to the way it collects and uses customer data, the investigation has concluded. For instance, while the company will continue to ask for a driver's licence to complete customer returns, it will now instantly convert the numbers into a unique identifier and delete the driver's licence number.

[...]

From jericho at attrition.org Thu Sep 27 06:25:43 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 27 Sep 2007 06:25:43 +0000 (UTC)
Subject: [Dataloss] follow-up: Conn. AG Investigating Former Employee Link To Pfizer Data Breach

---------- Forwarded message ----------
From: InfoSec News

http://www.informationweek.com/news/showArticle.jhtml?articleID=202101944

By Sharon Gaudin
InformationWeek
September 26, 2007

The Connecticut Attorney General is investigating a former Pfizer employee in connection with a data breach that compromised personally identifying employee information.

Bernard Nash, an attorney for the world's largest drug maker, said in a letter to the Attorney General that another company sent a package to Pfizer on July 6 that contained a DVD with Pfizer data on it. The information had been found on a computer that the company, which went unnamed in the letter, had assigned to a worker who had formerly been employed at Pfizer, according to Nash's Sept. 21 letter.

After reviewing the information, Pfizer "became aware" that personal information from the Pfizer network was on the DVD, Nash wrote. The company notified a federal prosecutor on Aug. 17 "to explain Pfizer's investigatory efforts, discuss the possibility of prosecution of the responsible individual, and receive input on the most productive use of Pfizer's investigative resources."

A source close to the investigation told InformationWeek that the AG's office is investigating the matter.

[..]

From jericho at attrition.org Thu Sep 27 06:24:31 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 27 Sep 2007 06:24:31 +0000 (UTC)
Subject: [Dataloss] follow-up: TJX's Security System Faulted in Canada Probe

---------- Forwarded message ----------
From: InfoSec News

http://online.wsj.com/article/SB119076398490039298.html

By Joseph Pereira
September 26, 2007

TJX Cos., owner of the T.J. Maxx and Marshalls discount chains, failed to upgrade its data-encryption system in time to thwart one of the largest credit-card data thefts in North America, a Canadian government investigation found.

Investigators also found that the Framingham, Mass.-based retailer was holding on to its customers' personal information unnecessarily and for too long, exposing data on at least 45.7 million credit-card numbers to hackers.

As a result of their findings, the privacy commissioners of Canada and the province of Alberta -- which jointly conducted the seven-month probe -- recommended a number of corrective actions by TJX, including the use of a sophisticated coding system to protect driver's-license information and the deletion of all credit-card data after 18 months.

"Basically, what we're asking for is standard practice in the industry," said Wayne Wood, a spokesman for the Office of the Information and Privacy Commissioner of Alberta.

[..]

From bkdelong at pobox.com Thu Sep 27 18:44:17 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 27 Sep 2007 14:44:17 -0400
Subject: [Dataloss] Obtaining PCI Co sanction info through legal discovery

Hi all -

Many of us have been challenged in obtaining information from the PCI Consortium about which companies have been fined, how much, and who among them have lost their processing privileges. I know it's happening because I have spoken to folks in-the-know who tell me it's happening but are under NDA.

Such information would help to combat the notion that the PCI DSS has no teeth, as well as assist those of us responsible for addressing PCI DSS within our organizations in obtaining funding to do so by providing metrics on its impact to management.

I've spoken with a few lawyers and asked if information about said sanctions could be obtained through discovery during legal proceedings. Here's the gist of the response - which may already be a no-brainer to many of you.

"Certainly anything that the PCI Consortium would have communicated or delivered to the company in violation of the DSS would be discoverable. In some situations one can obtain fine letters from the bank for litigation purposes without a subpoena."

Perhaps such insight can be the basis for gathering information about any PCI Co actions regarding the thousands of breaches in the Data Loss Database. Though who would be willing to wade through legal proceedings and contact the lawyers of those suing companies for breach of their clients' credit card information?

Thoughts?

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From bkdelong at pobox.com Thu Sep 27 20:50:15 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 27 Sep 2007 16:50:15 -0400
Subject: [Dataloss] Obtaining PCI Co sanction info through legal discovery
In-Reply-To: <46FC134F.2070000@sbcglobal.net>
References: <46FC134F.2070000@sbcglobal.net>

On 9/27/07, James Ritchie, CISA, QSA wrote:
>
> Knowing what the PCI SSC has fined companies that are in
> non-compliance to the DSS is really not needed. Those that are found
> non-compliant will have some business drivers that are going to affect
> them. The fines that are levied affect the business bottom line. If
> they have lost their processing, that would severely handicap earning
> potential, affect the wallet of the management, and could drive them
> out of business. Divulging who these companies are would affect their
> integrity and reputation if released, thus causing loss of business.

Very valid points. I'm not necessarily looking to out an organization who has not already been the public victim of a security breach, but rather to take many of the existing data loss examples in the Data Loss Database and find out what the related PCI Co actions against the companies were. Yet another valuable data point - especially for other companies and organizations that fall as merchants subject to the PCI DSS.

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From lyger at attrition.org Fri Sep 28 17:56:28 2007
From: lyger at attrition.org (lyger)
Date: Fri, 28 Sep 2007 17:56:28 +0000 (UTC)
Subject: [Dataloss] (article) Asia Needs Stronger Data Breach Laws

http://www.businessweek.com/globalbiz/content/sep2007/gb20070928_955377.htm?chan=top+news_top+news+index_global+business

Governments in Asia need stronger data breach laws to ensure businesses improve the security of their customer data, according to a senior CA executive.

Jerry Cox, CA's director of security sales for the Asia-Pacific region, including Japan, said in an interview: "Strong laws would force a company to disclose security breaches often involving the loss of customer data." This, Cox explained, would protect the people whose data was compromised.

Strong data breach laws will also ensure companies take data security more seriously, especially if there are penalties in the form of monetary fines, or risks of reputation damage due to public disclosure. According to Cox, Japan and Korea are ahead of most parts of Southern Asia in establishing such laws.

[...]

From lyger at attrition.org Fri Sep 28 18:40:54 2007
From: lyger at attrition.org (lyger)
Date: Fri, 28 Sep 2007 18:40:54 +0000 (UTC)
Subject: [Dataloss] Laptop Computer Stolen From Vendor That Manages Job Applicant Data for Gap Inc.

http://money.cnn.com/news/newsfeeds/articles/prnewswire/AQF07328092007-1.htm

Gap Inc. today announced that a laptop containing the personal information of certain job applicants was recently stolen from the offices of an experienced third-party vendor that manages job applicant data for Gap Inc. The company has begun notifying the job applicants whose Social Security numbers were included in the information on the laptop and is offering them a year of free credit monitoring services with fraud resolution assistance, along with a dedicated 24-hour helpline.

Personal data for approximately 800,000 people who applied online or by phone for store positions at one of Gap Inc.'s brands between July 2006 and June 2007 was contained on the stolen laptop. Contrary to the company's agreement with the vendor, the information on the laptop was not encrypted. The company has no reason to believe the data contained on the computer was the target of the theft or that the personal information has been accessed or used improperly.

[...]
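The two TJX findings in the messages above (convert the driver's licence number to a unique identifier at the register and delete the original; delete card data after 18 months) and the CVV2 point from the eBay thread (use the code for real-time authorization only, never persist it) all come down to the same discipline: decide at intake what may be stored, and enforce an age limit on what is. The block below is an added example written for this digest; it is not code from the mailing list, from TJX or from the commissioners' report. The record layout, the field names, the one-letter-plus-four-digits licence format, the 548-day reading of "18 months" and the choice of HMAC-SHA256 for the identifier are all assumptions. It also shows why the "unique identifier" has to be a keyed construction: an unkeyed hash of a structured, small identifier space can be reversed by enumerating the format.

```python
# Added example (not from the Dataloss list, TJX or the privacy commissioners).
# Assumptions: hypothetical record layout and field names, a toy licence-number
# format (one uppercase letter + four digits), "18 months" taken as 548 days,
# HMAC-SHA256 as the tokenization primitive, key held outside the record store.
import hashlib
import hmac
import itertools
import string
from datetime import datetime, timedelta, timezone
from typing import List, Optional

RETENTION = timedelta(days=548)  # assumed reading of "delete after 18 months"

# Hypothetical licence format. Real formats are longer but just as structured.
LICENCE_PATTERN = [string.ascii_uppercase] + [string.digits] * 4


def tokenize(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token for a structured identifier.

    Same identifier + same key -> same token, so repeat returns by one person
    can still be linked; without the key the token says nothing about the
    identifier, however small the identifier space is."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """The naive 'unique identifier': a bare hash. See brute_force_unkeyed()."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def brute_force_unkeyed(target: str, pattern) -> Optional[str]:
    """Recover the identifier behind an unkeyed hash by walking its format.
    One letter + four digits is only 260,000 candidates."""
    for combo in itertools.product(*pattern):
        candidate = "".join(combo)
        if hashlib.sha256(candidate.encode()).hexdigest() == target:
            return candidate
    return None


def intake_return(request: dict, key: bytes, now: datetime) -> dict:
    """Build the only record a merchandise return may persist.

    The licence number is tokenized on the spot and not stored. The CVV2 in
    the request is for the real-time authorization only and is never copied
    into the record. The PAN is kept truncated (last four digits)."""
    stored = {
        "licence_token": tokenize(request["licence_number"], key),
        "card_last4": request["card_number"][-4:],
        "amount": request["amount"],
        "stored_at": now,
    }
    forbidden = {"licence_number", "card_number", "cvv2"}
    assert not (forbidden & stored.keys()), "sensitive field leaked into storage"
    return stored


def purge_expired(records: List[dict], now: datetime) -> List[dict]:
    """Retention enforcement: keep only records younger than RETENTION."""
    return [r for r in records if now - r["stored_at"] < RETENTION]


def demo() -> dict:
    """Run the flow on constructed input and return the observable results."""
    key = b"example-key-kept-in-an-hsm-not-in-the-db"  # constructed
    now = datetime(2007, 9, 26, tzinfo=timezone.utc)
    request = {"licence_number": "K4821", "card_number": "4111111111111111",
               "cvv2": "123", "amount": 49.99}  # constructed sample return
    rec = intake_return(request, key, now)
    old = dict(rec, stored_at=now - timedelta(days=600))  # past retention
    return {
        "stored_fields": sorted(rec),
        "card_last4": rec["card_last4"],
        "token_stable": tokenize("K4821", key) == rec["licence_token"],
        "token_differs_with_other_key": tokenize("K4821", b"other") != rec["licence_token"],
        "recovered_from_unkeyed_hash": brute_force_unkeyed(unkeyed_hash("K4821"), LICENCE_PATTERN),
        "survivors_after_purge": len(purge_expired([rec, old], now)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The brute-force function is the argument for the HMAC: against the unkeyed hash it gets "K4821" back in well under a second, so a hashed licence column would be a thin disguise rather than deletion. With the key outside the database the same table is useless to whoever walks off with it, which is the property the commissioners were asking for.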