From lyger at attrition.org Tue Apr 1 01:55:59 2008
From: lyger at attrition.org (lyger)
Date: Tue, 1 Apr 2008 01:55:59 +0000 (UTC)
Subject: [Dataloss] Auto Parts Retailer Notifies Customers of Network Breach

http://www.eweek.com/c/a/Security/Auto-Parts-Retailer-Notifies-Customers-of-Network-Breach/

Advance Auto Parts, a leading auto parts retailer, has begun sending letters to customers impacted by a data breach that may have exposed financial information of up to 56,000 people.

The retailer reported Monday that a "network intrusion" had exposed financial information and was the subject of a criminal investigation. Fourteen of the retailer's stores, including locations in Georgia, Ohio, Louisiana, Tennessee, Mississippi, Indiana, Virginia and New York, are believed to have been affected.

Advance Auto Parts did not specify how customer financial information had been revealed or how access had been gained to its network. In response to the incident, the company notified its credit, debit and check processors.

[...]

From lyger at attrition.org Tue Apr 1 11:48:14 2008
From: lyger at attrition.org (lyger)
Date: Tue, 1 Apr 2008 11:48:14 +0000 (UTC)
Subject: [Dataloss] VT: Web hacker gains credit card data at Okemo

http://www.timesargus.com/apps/pbcs.dll/article?AID=/20080401/NEWS02/804010390/1003/NEWS02

Okemo Mountain Resort is the latest target of an Internet thief who gained access to customer credit card information.

The Ludlow ski area announced Monday that its computer network was breached in February by an intruder who gained "potential access to credit card data including cardholder names, account numbers and expiration dates," Okemo said in a statement.

Okemo spokeswoman Bonnie MacPherson said Monday the company has not heard of any customers subjected to fraud as a result of the breach.

[...]

The data breach occurred during a 16-day period between Feb. 7 and Feb. 22, involving 28,168 card transactions. Okemo noted that the actual number of credit card holders is likely smaller because of multiple transactions.

[...]

From brownhenrya at gmail.com Wed Apr 2 21:10:46 2008
From: brownhenrya at gmail.com (Henry Brown)
Date: Wed, 2 Apr 2008 16:10:46 -0500
Subject: [Dataloss] Vision Center records in Illinois possibly used for ID theft
Message-ID: <4f9b7e300804021410o4654c072v528e2e22989f475c@mail.gmail.com>

http://www.pjstar.com/stories/040108/TRI_BG7EFKUT.044.php

Illinois Eye Center records accessed

A former Illinois Eye Center employee could have used confidential patient information for identity theft.

According to a letter the eye center sent last week to affected patients, the records obtained include patient names, Social Security numbers and birthdates. It is believed females between ages 18 and 25 were targeted.

The Peoria County Sheriff's Department was alerted about the possible identity theft in January and has received seven or eight reports total, Lt. Mark Greskoviak said. In each case, Greskoviak said, there was an attempt to access the patients' credit information. At least one individual reported unauthorized access was obtained to his or her credit information.

The female suspect, whose name has not been released, worked as a receptionist at the center from June to November 2007 and police believe she now lives outside Illinois. Although the former employee has not been charged, Greskoviak said the department hopes to make an arrest in the near future.

Like most cases of identity theft, the confidential information was not used until long after it was obtained. Greskoviak recommends that patients closely examine their credit card bills and run a credit check.
From jericho at attrition.org Thu Apr 3 10:00:50 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 3 Apr 2008 10:00:50 +0000 (UTC)
Subject: [Dataloss] Vermont ski area reports Hannaford-like theft of payment card data

---------- Forwarded message ----------
From: InfoSec News

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9074339

By Jaikumar Vijayan
April 2, 2008
Computerworld

In a security breach that sounds similar to the one disclosed by Hannaford Bros. Co. last month, the Okemo Mountain Resort ski area in Vermont announced this week that data from more than 46,000 credit and debit card transactions may have been compromised during a system intrusion over a 16-day period in February.

Okemo said in a security advisory released on Monday that the breach may have affected customers who used their payment cards at the resort in Ludlow, Vt., between Feb. 7 and Feb. 22, the time frame when the intrusion took place. The intruder or intruders may also have accessed data from card transactions processed between January and March 2006, according to the advisory.

Bonnie MacPherson, a spokeswoman for Okemo, said today that at least some of the data appears to have been stolen as the recent payment card transactions were being authorized. "We can tell you that this was a real-time theft," McPherson said. "The information was being taken as the cards were being swiped."

If that is actually the case, it could make the breach at Okemo a close cousin to the much larger one announced by Hannaford on March 17. In the Hannaford breach, malware installed on servers in each of the Scarborough, Maine-based company's grocery stores intercepted card data as the information was being transmitted from point-of-sale systems to authorize transactions.

[...]
From rforno at infowarrior.org Fri Apr 4 11:55:12 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 Apr 2008 07:55:12 -0400
Subject: [Dataloss] Every Click You Make

http://www.washingtonpost.com/wp-dyn/content/article/2008/04/03/AR2008040304052.html?hpid=topnews

Every Click You Make
Internet Providers Quietly Test Expanded Tracking of Web Use to Target Advertising

Two juicy nuggets from this article as my caffeine-deprived on-the-road mind read through this article:

> "I don't view it as violating any privacy data at all," said Anthony Palermo,
> vice president of marketing at Knology. "My understanding is that all these
> companies go through great pains to hash out information that is specific to
> the consumer."

Wait...so it's NOT a privacy violation if a company tries to send you targeted ads based on your online activity? What kind of dope is this guy smoking????

> Knology customers, for example, cull the company's 27-page customer service
> agreement or its terms and condition for service to find a vague reference to
> its tracking system.

Yep, how's that for being pro-consumer? Oh, right -- they're pro-profit first and foremost. I forgot. :(

-rick

From wilkepower at msn.com Fri Apr 4 13:13:38 2008
From: wilkepower at msn.com (wilke rodriquez)
Date: Fri, 4 Apr 2008 07:13:38 -0600
Subject: [Dataloss] Hackers steal financial information from auto parts retailer

Apr 04, 2008 01:04:43 GMT

Sophos has reminded companies of the dangers of hackers breaking into their corporate systems, following the latest announcement from a firm that it has been the victim of a data breach.

US motoring parts retailer, Advance Auto Parts, has announced on its website that hackers have gained access to the financial information of 56,000 of its customers, through an attack which affected 14 of its stores worldwide. Details of how the information was stolen have not been made public, and the identities of the hackers are currently unknown. Advance Auto Parts says it is working with the authorities to assist in the investigation.

According to the company, the affected stores are based in Atlanta (Georgia), College Park (Georgia), Columbus (Ohio), Covington (Louisiana), Canal Fulton (Ohio), Garden City (Georgia), Gretna (Louisiana), Mansfield (Ohio), Memphis (Tennessee), Natchez (Mississippi), Norcross (Georgia), Paoli (Indiana), Richmond (Virginia), and Syracuse (New York).

News of Advance Auto Parts' data breach has followed in the footsteps of other higher profile incidents such as the loss by Hannafords supermarket chain of 4.2 million credit card details, and last year's announcement by TJ Maxx that hackers had stolen information on 45 million credit card transactions.

"Advance Auto Parts joins a growing list of companies who have suffered from an embarrassing data breach, and this news may rattle the confidence of customers," said Graham Cluley, senior technology consultant for Sophos. "All firms would be wise to look long and hard at their own security to make sure that they are doing everything possible to reduce the chances that they will be the next to fall victim."

From lyger at attrition.org Fri Apr 4 22:27:48 2008
From: lyger at attrition.org (lyger)
Date: Fri, 4 Apr 2008 22:27:48 +0000 (UTC)
Subject: [Dataloss] Article: An Inconvenient Lack of Truth

http://www.darkreading.com/document.asp?doc_id=150276&WT.svl=column2_1

When I graduated the University of Colorado with a history degree, I was fairly certain it would only be marginally more useful to my security career than my unofficial minor in molecular biology. Sure, I'd get to mix in analogies about the Maginot line and antibodies, but you can't swing a dead PowerPoint without hitting those two. As with many things in life, I was wrong.
When I began my career in information security, I never imagined we would end up in a world where we have as much need for historians and investigative journalists as we do technical professionals. It's a world where the good guys refuse to share either their successes or failures unless compelled by law. It's a world where we have plenty of information on tools and technologies, but no context in which to make informed risk decisions on how to use them.

[...]

While we have no shortage of breaches, we face a dearth of good information. I've spent countless hours combing through every piece of public information on breaches, both major and minor, to determine consistencies, root causes, and effective defensive techniques. I've learned how we learned exactly the wrong lesson from the breach at Egghead.com. I've learned how the failures at ChoicePoint were a business decision (that the CEO lied about on record), not a technology failure. I've learned how all the statistics we use are wrong, and are desperately manipulated by the vendor community to sell us products we sometimes need, and often don't.

My research leads to some conclusions that may be unsurprising, but often ignored:

[...]

From lyger at attrition.org Sat Apr 5 03:49:28 2008
From: lyger at attrition.org (lyger)
Date: Sat, 5 Apr 2008 03:49:28 +0000 (UTC)
Subject: [Dataloss] CA: ID theft hits 93 students at UC Irvine

http://www.ocregister.com/articles/students-uci-henisey-2012204-irs-tax

UC Irvine police say 7,000 current or former graduate students could be at risk of identity thieves who already used stolen data to file fake tax returns for 93 students.

Police said Friday they don't know how the information was stolen or who is using it.

Only grad students reported being targeted in the UCI case - the latest in a series of campus security breaches nationwide that led to a state law banning use of Social Security numbers as student identification. In 2006, UCLA notified 800,000 people that their data might have been hijacked.

Most of the 93 UCI students discovered the thefts when they tried to file electronic tax returns and were told by the IRS that their returns had already been filed, officials said.

"For the last two weeks, we have been scouring all of our databases and computer systems, but we have not found any leak here" on campus, UCI Police Chief Paul Henisey said.

The thefts appear to be part of a larger national case being investigated by the Internal Revenue Service, Henisey said. IRS agents have been on campus as part of the inquiry, he said. Henisey said the trail leads out of state, but would not comment further to avoid jeopardizing the case.

[...]

From jericho at attrition.org Mon Apr 7 10:05:31 2008
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 7 Apr 2008 10:05:31 +0000 (UTC)
Subject: [Dataloss] Failure to patch flaw exposes data on 60,000 at Antioch

---------- Forwarded message ----------
From: InfoSec News

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9075098

By Jaikumar Vijayan
April 4, 2008
Computerworld

Windows systems may be the most frequently attacked by malicious hackers, but they certainly are not the only targets.

Serving as the latest reminder of that fact is Antioch University in Yellow Springs, Ohio, which recently disclosed that Social Security numbers and other personal data belonging to more than 60,000 students, former students and employees may have been compromised by multiple intrusions into its main ERP server.

The break-ins were discovered Feb. 13 and involved a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach, university CIO William Marshall said today.
The university was alerted to the breach while IT officials were investigating a separate virus that had also infected the system and was broadcasting obscene material from it, Marshall said. That particular virus was programmed to broadcast the material on the 13th of every month and was detected by the university's antivirus software, when it started doing so on Feb. 13, he said.

[...]

From lyger at attrition.org Mon Apr 7 12:55:57 2008
From: lyger at attrition.org (lyger)
Date: Mon, 7 Apr 2008 12:55:57 +0000 (UTC)
Subject: [Dataloss] UK: HSBC loses customers' data disc

Courtesy Neil Barclay:

http://news.bbc.co.uk/1/hi/business/7334249.stm

The HSBC banking group has admitted losing a computer disc with the details of 370,000 customers.

The disc was lost four weeks ago after being sent by courier from the bank's life insurance offices in Southampton.

The customers' details included their names, dates of birth, and their levels of insurance cover.

However, there were no addresses or bank account details and HSBC said the customers' exposure to potential fraud was limited.

[...]

From lyger at attrition.org Mon Apr 7 15:34:12 2008
From: lyger at attrition.org (lyger)
Date: Mon, 7 Apr 2008 15:34:12 +0000 (UTC)
Subject: [Dataloss] Canada: 2nd theft of student data raises alarms: school councils

http://www.cbc.ca/technology/story/2008/04/07/computer-students.html

The second case of a stolen computer containing confidential student data is proof that more needs to be done in Newfoundland and Labrador to protect student privacy, an advocate says.

The Eastern School District disclosed Friday that three desktop computers were stolen last week from Acreman Elementary, in Green's Harbour.

Thieves broke through a window and locked doors to reach the computers, one of which served as the school's main server and held data - including names, addresses, phone numbers and medicare numbers - on 84 students.

The theft comes on the heels of a robbery at the Eastern School District offices in February, when three laptop computers with data on about 28,000 students were stolen.

[...]

From hbrown at knology.net Mon Apr 7 16:10:42 2008
From: hbrown at knology.net (Henry Brown)
Date: Mon, 07 Apr 2008 11:10:42 -0500
Subject: [Dataloss] SSN's posted on web for months
Message-ID: <47FA4782.90403@knology.net>

http://www.federalnewsradio.com/?nid=169&sid=1380599

WASHINGTON - A spreadsheet containing a "hidden" column of Social Security numbers belonging to about two dozen officers and civilian employees of one Army agency was left on the agency's website for five months after being notified of the presence of the personal information.

The Army's Acquisition Support Center has temporarily shut down its website to scrub the information from the spreadsheet, following FederalNewsRadio's request for an interview.

"We regret that this error occurred. We have temporarily taken the web site down to make the necessary corrections. We will bring the website back online once the corrections have been verified," an Army spokesman responded in an email. "We are also in the process of informing the individuals on the spreadsheet that their information was made available to the public."

The spokesman's email stated that the agency was investigating why the information had been included on the spreadsheet to begin with, and why it was still on the website five months after ASC was notified of its presence.

A computer expert who works for a federal contractor was surfing the web while doing research and found the spreadsheet in November. The file contained a list of Colonels and civilians who managed programs within ASC. Visible columns listed their name, rank, program and organization.

[...]
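The Army spreadsheet above leaked SSNs through a column that was hidden in the spreadsheet view but still present in the file. A hidden column survives a CSV export with an empty header, so a pre-publication check has to look at cell contents in every column rather than at header names. The following is an added example written for this archive, not code from the article, the Army agency or FederalNewsRadio; the sample roster, the column layout and the function names are constructed for illustration, and the pattern only recognises the 3-2-4 SSN layout, it does not validate whether a number was ever issued.

```python
import csv
import io
import re

# Recognises the 3-2-4 layout of a US Social Security number, with or without
# separators, and rejects the never-issued area/group/serial values (000, 666,
# 9xx area; 00 group; 0000 serial). Format check only, not an issuance check.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}$")


def find_ssn_columns(csv_text):
    """Scan every cell of a CSV export (first row treated as the header) and
    return {column_index: (header_text, count_of_ssn_like_cells)}.

    Columns with a blank header are scanned like any other, which is what
    catches a column that was hidden in the spreadsheet before export."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return {}
    header = rows[0]
    hits = {}
    for row in rows[1:]:
        for idx, cell in enumerate(row):
            if SSN_RE.match(cell.strip()):
                name = header[idx].strip() if idx < len(header) else ""
                _, count = hits.get(idx, (name, 0))
                hits[idx] = (name, count + 1)
    return hits


def publishable(csv_text):
    """True only when no column carries SSN-like values."""
    return not find_ssn_columns(csv_text)


# Constructed sample: a program-manager roster whose fifth column has a blank
# header, as a column hidden in the spreadsheet would after export to CSV.
SAMPLE_ROSTER = (
    "Name,Rank,Program,Organization,\n"
    "Doe J,COL,Program A,Office 1,123-45-6789\n"
    "Roe A,CIV,Program B,Office 2,234 56 7890\n"
    "Poe B,LTC,Program C,Office 3,\n"
)

if __name__ == "__main__":
    for idx, (name, count) in find_ssn_columns(SAMPLE_ROSTER).items():
        label = name or "<blank header, possibly a hidden column>"
        print(f"column {idx} ({label}): {count} SSN-like cells")
    print("publishable:", publishable(SAMPLE_ROSTER))
```

Run the module directly to see the report on the constructed roster; in a release process the same `publishable()` call would gate the upload of any exported sheet, so a value that a reviewer cannot see in the spreadsheet view is still caught before it reaches a public web server.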
From lyger at attrition.org Mon Apr 7 17:06:07 2008
From: lyger at attrition.org (lyger)
Date: Mon, 7 Apr 2008 17:06:07 +0000 (UTC)
Subject: [Dataloss] Personal Pfizer Data on Stolen Laptop

Courtesy rchick (etiolated.org)

http://www.theday.com/re.aspx?re=6b8c60cf-8fa2-43f1-9238-6dba8792cfa3

Pfizer Inc. has revealed that the theft of a laptop computer in February potentially exposed about 800 current and former employees and contractors to identity theft.

"At this time, Pfizer is not aware that any person has inappropriately used any exposed information, but the company is continuing to monitor the situation," Pfizer attorney Bernard Nash said in a letter to attorneys general in several states, including Connecticut.

Nash's letter, dated March 19, said a laptop was stolen Feb. 7 by a burglar from the home of a contractor who helps arrange planning travel and meetings for Pfizer. The laptop was password protected, Nash added.

[...]

From lyger at attrition.org Mon Apr 7 18:12:17 2008
From: lyger at attrition.org (lyger)
Date: Mon, 7 Apr 2008 18:12:17 +0000 (UTC)
Subject: [Dataloss] article: Redbox Shows Businesses How To Properly Handle A Data Breach

http://consumerist.com/376695/redbox-shows-businesses-how-to-properly-handle-a-data-breach

Redbox rents DVD movies via vending machine in drugstores and supermarkets throughout the country, and on Friday they announced that they'd found credit card skimmers attached to three of their kiosks. What's surprising is that they 'fessed up so quickly, and in a highly public manner: they've got the text "SECURITY ALERT" at the top and bottom of their website, and the email they sent to their members is detailed, forthright, and helpful, and reposted in its entirety - along with photos of sample card skimmers - on their site. Attempts at identity theft no longer surprise us, but a competent handling of the issue by a company is pretty amazing.

[...]
From lyger at attrition.org Tue Apr 8 21:30:51 2008
From: lyger at attrition.org (lyger)
Date: Tue, 8 Apr 2008 21:30:51 +0000 (UTC)
Subject: [Dataloss] article: Redbox Shows Businesses How To Properly Handle A Data Breach

Forwarded to list in reference to:
http://attrition.org/pipermail/dataloss/2008-April/002174.html

From: "McNabb, Joanne at OISPP"
Date: Tue, 8 Apr 2008 12:24:44 -0700

I think Redbox's notice and use of its Web site is very good at letting people know about the skimming incident. What's missing is information on how long the skimmers may have been in place (if that's known) and what people should do if they used one of the Redbox's with skimmers installed.

Our advice to Californians in such a situation is that the safest thing to do is to call your bank and close the credit or debit card account, explaining about the skimming and asking that the account be reported as "closed by customer request." If unauthorized charges were made to the account, then the consumer should take the standard remedial steps for financial identity theft (get police report of identity theft, write to card issuer and to credit bureaus saying the charge results from identity theft and enclosing a copy of the police report, etc. - see our Victim Checklist on the Identity Theft page at www.privacy.ca.gov). It's particularly critical to notify a bank promptly if a debit card was used illegally, as there's a tight time frame for limiting your liability.

Joanne McNabb, CIPP/G
Chief, California Office of Privacy Protection

From lyger at attrition.org Tue Apr 8 22:40:27 2008
From: lyger at attrition.org (lyger)
Date: Tue, 8 Apr 2008 22:40:27 +0000 (UTC)
Subject: [Dataloss] IN: WellPoint Customer Information Exposed

http://www.chron.com/disp/story.mpl/ap/fn/5684827.html

Personal information that may have included Social Security numbers and pharmacy or medical data for about 128,000 WellPoint Inc. customers in several states was exposed online over the past year, the health insurer said Tuesday.

WellPoint, which has had other data security issues in the past, recently learned about the problem, fixed it and is notifying customers, spokeswoman Shannon Troughton said. The nation's largest health insurer by membership is offering free credit-monitoring services for those customers, but has received no reports of identity theft or credit fraud.

The latest security lapse stems from two servers maintained by an outside vendor that Troughton declined to identify. The vendor specializes in data management.

[...]

From mhill at idtexperts.com Wed Apr 9 01:52:33 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Tue, 8 Apr 2008 21:52:33 -0400
Subject: [Dataloss] IN: WellPoint Customer Information Exposed
Message-ID: <52BEC39C493E454DA99F9964C2BB214F@mkevhillpc>

Here we go again. Doling out credit monitoring when there's the real possibility of WellPoint customers becoming medical identity theft victims. Again, I ask what is it about someone using your medical information that would ever make a company think that it would be detected by credit monitoring?

Michael Hill
Certified Identity Theft Risk Management Specialist
404-216-3751
"If You Think You're Not At Risk, Think Again!"

NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email. This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination or distribution of this communication is prohibited.
If you have received this communication in error, please notify the sender via return email and delete it completely from your email system. If you have printed a copy of the email, please destroy it immediately.

----- Original Message -----
From: "lyger"
Sent: Tuesday, April 08, 2008 6:40 PM
Subject: [Dataloss] IN: WellPoint Customer Information Exposed

> http://www.chron.com/disp/story.mpl/ap/fn/5684827.html
>
> [...]
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml

From jericho at attrition.org Wed Apr 9 08:32:46 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 9 Apr 2008 08:32:46 +0000 (UTC)
Subject: [Dataloss] CEOs deserve jail for data breaches

---------- Forwarded message ----------
From: InfoSec News

http://www.techworld.com/security/news/index.cfm?newsID=11924

By John E. Dunn
Techworld
08 April 2008

A growing number of security pros believe that the way to stop data breaches from happening is as simple as it is stark - send the CEOs or board members deemed responsible to jail.

The opinion emerged from a survey by security mainstay Websense at the recent UK e-Crime Congress, which polled 107 security professionals on their opinions.

Seventy-nine percent believed that companies should be fined for data breaches - something that does already happen in some cases in the UK - while 59 percent were in favour of compensation for consumers affected by a breach.

The most striking view of all was that the time had come to punish serious data breaches with jail time for senior staff, with 25 percent rating that as a necessary step. Only three percent were against any form of legally-enforceable punishment.

[...]

From jeff704 at carolina.rr.com Wed Apr 9 12:10:29 2008
From: jeff704 at carolina.rr.com (Jeff)
Date: Wed, 9 Apr 2008 08:10:29 -0400
Subject: [Dataloss] CEOs deserve jail for data breaches
Message-ID: <000801c89a3a$b41cb4e0$6542a8c0@Spot>

Putting a CEO in jail for a data breach would be ridiculous unless the person were directly responsible for releasing the protected information. Jails are already overcrowded and this would not solve the problem. Generally, it's hard to find people more clueless about IT than a CEO!

Data breaches need to be more publicized, companies should be fined heavier based on the amount and severity of the data loss. There should also be monetary compensation to the victims built into the law. This would eliminate the need for court proceedings and add to the total fine and therefore risk to the organization.

At this time, there isn't much action because the majority of people are not vocal about this issue and that makes political and corporate leaders feel that the issue is not important enough to spend time and money correcting.
-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of security curmudgeon
Sent: Wednesday, April 09, 2008 4:33 AM
To: dataloss at attrition.org
Subject: [Dataloss] CEOs deserve jail for data breaches

http://www.techworld.com/security/news/index.cfm?newsID=11924

[...]

From rsk at gsp.org Wed Apr 9 12:52:00 2008
From: rsk at gsp.org (Rich Kulawiec)
Date: Wed, 9 Apr 2008 08:52:00 -0400
Subject: [Dataloss] CEOs deserve jail for data breaches
Message-ID: <20080409125159.GA2605@gsp.org>

This is an excellent idea. As I wrote the other on another mailing list, the single best thing that could happen for security would be live video of every Cxx-level executive at TJX being marched into Leavenworth -- AFTER being stripped of all personal assets.

---Rsk

From CGhercoias at TWEC.COM Wed Apr 9 13:14:11 2008
From: CGhercoias at TWEC.COM (Ghercoias, Catalin)
Date: Wed, 09 Apr 2008 09:14:11 -0400
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To: <20080409125159.GA2605@gsp.org>

I agree with the idea. After all these breaches maybe not necessarily the CXX-level executives (maybe the CFO) should be marched to jail but the Directors of IT who have been told by their Managers of Infrastructure or Managers of Store Services that there is a potential for a breach and "this is what needs to be done/purchased..." but the Director of IT either ignored them or said "this is not critical, it can wait".

How many of you Security Engineers, System Administrators, Network Administrators, etc. have discovered big problems (or potential big) in your networks and you notified your Director of IT only to be given one of the answers "this is not critical, we do not have budget for this, it can wait until next year,... or you_fill_in_the_answer_here" or the worse answer I've heard -- "this is a risk that the business is willing to assume" ?? Especially when you told them that egress traffic should be blocked at the firewall level for ... all stores, let's say.

-- C.

> From: Rich Kulawiec
> Date: Wed, 9 Apr 2008 08:52:00 -0400
> Subject: Re: [Dataloss] CEOs deserve jail for data breaches
>
> [...]

From allan_friedman at ksgphd.harvard.edu Wed Apr 9 13:26:33 2008
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Wed, 9 Apr 2008 09:26:33 -0400
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To: <20080409125159.GA2605@gsp.org>
Message-ID: <686cc62f0804090626v569b6996g249796e6d7c6e1ec@mail.gmail.com>

The only reason to advocate this sort of measure is if we have concrete proof that the personal-punishment type laws are more effective than the other alternatives that have been discussed on this list, including *effective* liability models or a shared culture of openness and communication to prevent future breaches. Personal criminal charges seem to be the worse of both worlds: strong incentives not to share any information, and no real attempt to help those hurt by breaches.

Has anyone seen any good research about the personal-responsibility rules in SOX?

From Troy.Casey at McKesson.com Wed Apr 9 14:08:55 2008
From: Troy.Casey at McKesson.com (Casey, Troy # Atlanta)
Date: Wed, 9 Apr 2008 10:08:55 -0400
Subject: [Dataloss] CEOs deserve jail for data breaches

Off the cuff, this seems like a good idea on the surface. The problem is that the personal criminal liability will motivate companies to hide the facts and not disclose data breaches.
My personal thought on this is that fines and penalties don't seem to have much of an effect, but that personal legal liability will make CEOs sit up and take notice...there needs to be some rationale for the mega-buck paychecks these guys are raking in, and a high level of personal legal risk seems to me a better rationale for today's CEO salaries than some canard like "market performance". If this were enacted, the "skin in the game" on the part of the CEOs might make their huge salaries seem less unfair. It's plain to me that until there is some downside risk to "accepting the risk" of an insecure system, companies will continue to give IT Security short shrift, and I think this is a sensible approach.

Several have objected based on some notion that the CEO is "not responsible" for the weak controls, but I disagree. Anyone with military experience will tell you that one can delegate authority, but that one cannot delegate responsibility. The CEO is ultimately responsible for everything the company does. If the CEO were to suddenly start taking security seriously, (s)he would communicate that to the senior staff, and the new culture would trickle down to the IT Directors and others that have more direct oversight of IT security. If the CEO's attitude were 'let's have the best security we can afford', and monies were made available in a security 'slush fund' to deal with unexpected security issues, the IT Directors would no longer have to say "no" when asked for the next security technology. Yes, it all ultimately comes back to the CEO and the Board of Directors - their attitude about security becomes the Company's attitude about security.

Cheers,
Troy

Troy D. Casey

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of security curmudgeon
Sent: Wednesday, April 09, 2008 4:33 AM
To: dataloss at attrition.org
Subject: [Dataloss] CEOs deserve jail for data breaches

---------- Forwarded message ----------
From: InfoSec News

http://www.techworld.com/security/news/index.cfm?newsID=11924

By John E. Dunn
Techworld
08 April 2008

A growing number of security pros believe that the way to stop data breaches from happening is as simple as it is stark - send the CEOs or board members deemed responsible to jail.

The opinion emerged from a survey by security mainstay Websense at the recent UK e-Crime Congress, which polled 107 security professionals on their opinions. Seventy-nine percent believed that companies should be fined for data breaches, something that does already happen in some cases in the UK, while 59 percent were in favour of compensation for consumers affected by a breach.

The most striking view of all was that the time had come to punish serious data breaches with jail time for senior staff, with 25 percent rating that as a necessary step. Only three percent were against any form of legally-enforceable punishment.

[..]

From james_ritchie at sbcglobal.net Wed Apr 9 14:12:46 2008
From: james_ritchie at sbcglobal.net (James Ritchie, CISA, QSA)
Date: Wed, 09 Apr 2008 10:12:46 -0400
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To: <000801c89a3a$b41cb4e0$6542a8c0@Spot>
References: <000801c89a3a$b41cb4e0$6542a8c0@Spot>
Message-ID: <47FCCEDE.5080909@sbcglobal.net>

Each company in the US has a fiduciary responsibility to protect the data within its perimeter. This has been established under several items: the Model Business Corporation Act (created by the ABA and adopted by many states), the Federal Rules of Civil Procedure, the US Sentencing Guidelines, and others. These have defined the governance, actions and accountability of senior management in protecting the data (see my article "Global Security Concerns" at scmagazineus.com). In many cases, management sets the tone at the top, determines what is to be spent, and is held accountable to the stockholders (or principals of the business).

What I expect to see is a very savvy attorney turn a breach into a civil suit, naming the Cxx of the company for failure to perform their due diligence and due care in protecting the data that was entrusted to them.

Jeff wrote:
> Putting a CEO in jail for a data breach would be ridiculous unless the
> person were directly responsible for releasing the protected information.
> Jails are already overcrowded and this would not solve the problem.
> Generally, it's hard to find people more clueless about IT than a CEO! Data
> breaches need to be more publicized, companies should be fined more heavily based
> on the amount and severity of the data loss. There should also be monetary
> compensation to the victims built into the law. This would eliminate the
> need for court proceedings and add to the total fine and therefore risk to
> the organization. At this time, there isn't much action because the majority
> of people are not vocal about this issue and that makes political and
> corporate leaders feel that the issue is not important enough to spend time
> and money correcting.
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
> On Behalf Of security curmudgeon
> Sent: Wednesday, April 09, 2008 4:33 AM
> To: dataloss at attrition.org
> Subject: [Dataloss] CEOs deserve jail for data breaches
>
> [...]

--
James Ritchie
CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
Linkedin http://www.linkedin.com/pub/1/b89/433

From enelson at secureprivacysolutions.com Wed Apr 9 14:30:10 2008
From: enelson at secureprivacysolutions.com (Eric Nelson)
Date: Wed, 9 Apr 2008 07:30:10 -0700
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To:
References:
Message-ID: <001101c89a4e$37c5dde0$a75199a0$@com>

There are a number of federal laws that do provide civil penalties and responsibility for company executives that do not follow a company's privacy and security policies.

Gramm-Leach-Bliley is one example of requiring a company to implement security controls and ongoing compliance assurance. Civil penalties can be levied against both companies and individuals, and executives can face possible jail time.

In addition, CEOs and other executives already face significant penalties for non-compliance under Sarbanes-Oxley. These penalties are directly related to ensuring that controls and processes are in place.
On a side note, yes, prisons are overcrowded, but perhaps spending a few nights with "Bubba" might be a good deterrent...

Eric Nelson
Secure Privacy Solutions

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Casey, Troy # Atlanta
Sent: Wednesday, April 09, 2008 7:09 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] CEOs deserve jail for data breaches

[...]

From james at iqbio.net Wed Apr 9 15:20:52 2008
From: james at iqbio.net (James Childers)
Date: Wed, 9 Apr 2008 08:20:52 -0700
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To: <001101c89a4e$37c5dde0$a75199a0$@com>
References: <001101c89a4e$37c5dde0$a75199a0$@com>
Message-ID:

I think we need to remember that there is a difference between "best practices & stewardship of data" and "strict compliance". There are a few companies that will do everything they can to take care of the customers' data by employing best practices and creating a sense of responsibility within the organization, and then there are the majority who are only looking at the bottom line and what it takes to be "compliant" with the law, looking to nothing else, as if it were a check-box on a form. I think that if there were criminal penalties for neglect or corporate malfeasance in the keeping of sensitive data, CEOs, CTOs and others would consider a shift in their thinking.

James Childers
President & CEO
ASG Global
Artemis Solutions Group of Companies
http://www.artemis-usa.com
primary email: james at iqbio.net

Philosophy -
1. If you aren't making mistakes, you are not living. If you keep making the same mistake, you are not learning.
2. Concentrate your efforts on the thing that is most important to you at this moment. The rest will take care of itself.
3. Nosce te Ipsum

On Apr 9, 2008, at 7:30 AM, Eric Nelson wrote:

> [...]

From msimon at creationlogic.com Wed Apr 9 16:09:33 2008
From: msimon at creationlogic.com (Mike Simon)
Date: Wed, 9 Apr 2008 09:09:33 -0700
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To:
References:
Message-ID: <25d3931b0804090909j560bd8cfo523d918b56f2b4bf@mail.gmail.com>

So, everyone here that's advocating jail time for CEOs believes that the CEO fully understood the risk that was being undertaken by their IT infrastructure, policies and behavior and consciously and deliberately chose to accept that risk and potential financial consequences?

Generally when a corporate executive does something stupid, the acceptable consequences are fines, which escalate based on how stupid the action was, and how much the exec could have been expected to know and prevent the stupidity. We generally reserve criminal prosecution for executives who can be shown to fully understand their actions (and more rarely lack of action) and then performed acts which were contrary to the welfare of the company or stockholders which are of direct benefit to themselves.

It would be an amusing exercise to postulate what other kinds of things CEOs should receive jail time for in light of this new concept. If they choose biofuel over fuel cells and lose a billion dollars for investors, even though everyone was telling them that fuel cells were the way to go, should we lock them up? The impact to individuals is potentially greater than a data breach, since there is no remedy and it's a guaranteed loss for everyone. People were telling the CEO that he shouldn't do what he was doing, and they were right. What's the appropriate jail time for that bad decision, versus not insisting that IT processes and procedures be audited every 6 months?

I'm on the side of responsibility and safety here, but folks seem ready to crucify the execs based on little or no evidence that their actions had anything to do with the event. If a material lack of competency on the part of a CEO is reason for jail, shouldn't we translate that all the way down the line? If information is compromised because an IT manager failed to take well known precautions, or missed installing malware protection on a critical server, do we send the CEO or the manager to jail (or both)? The CEO approved the expense, and expected that it was happening per policy, but the manager caused the data breach through their own incompetence. Since the new standard is jail time for the person responsible, the manager should now be facing jail, right? In many ways there is a better argument for sending the manager to jail, since the material lack of competence is very closely related to their expected competencies and they screwed up anyway.

I'll end the rant with the idea that we as security professionals haven't done our job until the Cxxs UNDERSTAND the risk that we are expressing well enough to make informed decisions. Just telling an executive that there is a risk, even if you quantify it, isn't enough. We have an especially difficult job in that we need to successfully translate some pretty arcane statistical concepts of risk into a continuous educational program that allows executives to make good decisions based on understanding of a fairly complex field. Anything less and we haven't done our job.

Mike Simon

On Wed, Apr 9, 2008 at 1:32 AM, security curmudgeon wrote:
>
> ---------- Forwarded message ----------
> From: InfoSec News
>
> http://www.techworld.com/security/news/index.cfm?newsID=11924
>
> [...]

From rsk at gsp.org Wed Apr 9 16:36:32 2008
From: rsk at gsp.org (Rich Kulawiec)
Date: Wed, 9 Apr 2008 12:36:32 -0400
Subject: [Dataloss] CEOs deserve jail for data breaches [LONG]
In-Reply-To: <686cc62f0804090626v569b6996g249796e6d7c6e1ec@mail.gmail.com>
References: <20080409125159.GA2605@gsp.org> <686cc62f0804090626v569b6996g249796e6d7c6e1ec@mail.gmail.com>
Message-ID: <20080409163632.GA20601@gsp.org>

Sorry, too much coffee.
On Wed, Apr 09, 2008 at 09:26:33AM -0400, Allan Friedman wrote:
> The only reason to advocate this sort of measure is if we have
> concrete proof that the personal-punishment type laws are more
> effective than the other alternatives that have been discussed on this
> list, including *effective* liability models or a shared culture of
> openness and communication to prevent future breaches.

That's a really good point. Which I'm now about to disagree with. ;-) Well, in part at least. Let me give it my best shot.

I'll argue that unless people are held *personally* accountable -- in both a civil and criminal sense -- there's no incentive for them to make any effort. Why should the executives of TJX (to re-use my favorite example) make the slightest effort to address security issues when they know, up front, that in the worst (likely) scenario, they can walk away -- with their bloated salaries, their obscene bonuses, their golden parachutes -- and start doing it again somewhere else? All they have to do is use the word processor macro that prints out "we take the privacy of our customers seriously", look suitably grave at the press conference, and quietly slink off.

The people at the top of these companies are the ones who have accepted full personal responsibility for everything that happens in those companies on their watch. And we're letting them (mostly) off the hook, so we shouldn't be surprised that they repeat the behavior: it's very profitable. After all: it's not *their* data. Why should they care?

(Let me note in passing that expecting Cxx level executives to take on this responsibility is expecting a lot. But that's the deal: anyone who's not up to that is free to decline such a position. But IF they accept it, and IF they accept the enormous rewards that typically go with it, then they have also -- whether they realize it or not -- accepted the responsibility. Nobody rides for free.)

As I watch this list, and the "Pogo Was Right" web site, and all the other resources that we probably all watch, and I consider the impact that data protection legislation and enforcement has had to date, I'm reminded of a line from Marcus Ranum's brilliant "The Six Dumbest Ideas in Security":

    "If it was going to work, it would have worked by now."

I submit that what we (the collective societal "we") are doing isn't working, and that it's probably not going to work. If you buy that assertion (and I'm sure some do, some don't), then the question arises: "okay, fine, let's do something different...what?"

Which brings me back to:

    "Somebody's got to go to prison."
        Agent Sadusky, "National Treasure"

which is starting to be my favorite quote of the month.

I do recognize though (to your point and that of others) that vigorous criminal prosecution will probably cause problems with disclosure. I'll counter that by saying we already have those problems: disclosures are delayed, minimized, obfuscated, wallpapered, and everything else possible to pretend they don't exist or don't have significant impact. And that laundry list just accounts for intentional actions: some disclosures don't happen because they don't know...or don't want to know. So I conclude that voluntary disclosure is at best a weak mechanism -- nice to have, but not one we should primarily rely on.

So let me suggest a couple of possible approaches around this, approaches which I think address the problem that increased personal accountability could well decrease the inclination to be open.

I'll begin by citing the Kulawiec Iceberg Principle:

    For every breach reported by an organization, there are ten more they're aware of.
    For every breach an organization's aware of, there are ten more they don't know about.

(Hey, I thought it up, I'm sticking my name on it. Get your own. ;-) More seriously, if someone beat me to it, let me know and I'll pummeXXXXgive them appropriate credit.)

I came up with that because it seems to match observations. The repeated pattern of disclosures which start at X, escalate to 2X, then 5X, then 10X, argues for the first part. The non-disclosures in cases where there are obviously severe problems argue for the second. A timely example:

    Flawed Security Lets Sprint Accounts Get Easily Hijacked
    http://consumerist.com/376845/flawed-security-lets-sprint-accounts-get-easily-hijacked

followed up by (and thanks to Paul Ferguson for noting this):

    Flawed Sprint Security Worse Than We Thought
    http://consumerist.com/377617/flawed-sprint-security-worse-than-we-thought

and both of which very likely relate back to:

    Sprint Twiddles Thumbs While 12-Year Customers Get Scammed For $2,500
    http://consumerist.com/374199/sprint-twiddles-thumbs-while-12+year-customers-get-scammed-for-2500

No disclosure yet from Sprint. But there's obviously a problem here, and I'd be really surprised if it *hadn't* been exploited. The fact that this is emerging from discussions on a consumer advocacy web site and not from Sprint corporate is telling. Either they know (in which case they're not being forthright) or they don't know (in which case they may not be very good at what they're doing).

My point? My point in going through all this is that we need mechanisms which *do not* rely on voluntary disclosure, because it doesn't work very well. (This explains why I'm not very worried about a decrease in voluntary disclosure as a result of prosecutions.)

I can think of three things that might have a fighting chance, so I'll propose them in order to let you all promptly shred them. ;-)

1. Not just increased safeguards for whistleblowers, but rewards. It's worth it to us as a society, and if we do it right, it won't cost us anything. If J. Random System Admin inside Foo Corp notes that data is being shipped on unencrypted CDs in violation of law and/or best practice, and JRSA drops a dime to tell someone, then when it's all sorted out, JRSA is compensated for due diligence. (Where does the money come from? Cxx executives. They have plenty to spare. Besides, if they're not doing their jobs correctly, why should they be well-paid?) We need a structure that actively encourages the people who have firsthand knowledge of this to rat out their bosses, preferably *before* breaches occur. To do that, we have to counter their company loyalty, their job security fears, etc.: hence the need for safeguards plus rewards.

2. We need markedly higher penalties for bonehead moves. These might include:

    - acquiring data that you really have no reason to have
    - storing data that you shouldn't have
    - storing data longer than you need it
    - throwing data in the dumpster out back
    - shipping data without encrypting it

etc. What I mean here is that we all know there are a kazillion threats, and the really really clever ones are probably not on our radar...so it's hard to fault someone if they get nailed by one of those that nobody's ever seen before. But the easy ones? C'mon, there's no reason to let those happen. Even people who just skim the glossy pages of CSO magazine should know these by now.

3. We need a mechanism to correlate independent reports of data theft *symptoms*. Go back to the Sprint example above: those CAN'T be the only people affected by this problem. There must be others. But they may well think they're alone -- they may not realize that they're just another data point in a pattern. We need a way for victims of identity theft, credit card fraud, etc. to safely (and there's the catch!) pool information so that someone can step back and look at the mosaic and say "hmmm...that's odd..." I'll skip over how such a mechanism might work because I'll probably get it wrong anyway. (Some back-of-the-envelope scribbling suggests that this is a hard problem.) But I think we need it, because I think it will give us a chance to uncover the 9 of 10 that companies know about and aren't announcing, and the 9 of 10 that they haven't detected yet. It could do this because it doesn't rely on them -- and we shouldn't rely on them, because *they're the problem*.

I can tell you that it shouldn't be run (a) by any government or (b) by any commercial institution. All of those already have way too much data and can't keep track of it, and besides, we already know they have miserable security. (The GAO keeps handing out F grades in security to US government agencies. I presume this is because there is no lower grade available.) So if they ran it, the most likely outcome would be that it made things worse. That said...who? I don't know. A non-profit with very very serious security and privacy clue?

I'm sure that there are problems with all three of these. I'm equally sure that 4,5,6... are out there and may well be better. But I think this is worth debating because I don't think voluntary disclosure is working very well.

---Rsk

From grexpectations at comcast.net Wed Apr 9 15:27:34 2008
From: grexpectations at comcast.net (grexpectations at comcast.net)
Date: Wed, 09 Apr 2008 15:27:34 +0000
Subject: [Dataloss] CEOs deserve jail for data breaches
Message-ID: <040920081527.29365.47FCE0660001840C000072B522007601809C0201079B0E9B0C0A9F980A9D09@comcast.net>

I don't think the burden should be on the CEOs, unless the security function reports directly. For many of us, the security function reports into the CIO. We are challenged with constrained budgets and often the security function competes for funding with business driven initiatives. In these situations, the CIO is a principal stakeholder in deciding if information protection recommendations are implemented or not.
I've personally witnessed many a circumstance where these types of decisions are filtered from reaching executives higher up in the organization.

My .02.

Regards

-------------- Original message --------------
From: "Ghercoias, Catalin"

> I agree with the idea. After all these breaches maybe not necessarily the CXX-level executives (maybe the CFO) should be marched to jail but the Directors of the IT who have been told by their Managers of Infrastructure or Managers of Store Services that there is a potential for a breach and "this is what needs to be done/purchased..." but the Director of IT either ignored them or said "this is not critical, it can wait".
>
> How many of you Security Engineers, System Administrators, Network Administrators, etc. have discovered big problems (or potential big) in your networks and you notified your Director of IT only to be given one of the answers "this is not critical, we do not have budget for this, it can wait until next year,... or you_fill_in_the_answer_here" or the worse answer I've heard -- "this is a risk that the business is willing to assume" ?? Especially when you told them that egress traffic should be blocked at the firewall level for ... all stores, let's say.
>
> -- C.
>
>
> > From: Rich Kulawiec
> > Date: Wed, 9 Apr 2008 08:52:00 -0400
> > To:
> > Subject: Re: [Dataloss] CEOs deserve jail for data breaches
> >
> > This is an excellent idea. As I wrote the other day on another mailing list, the single best thing that could happen for security would be live video of every Cxx-level executive at TJX being marched into Leavenworth -- AFTER being stripped of all personal assets.
> >
> > ---Rsk
> > _______________________________________________
> > Dataloss Mailing List (dataloss at attrition.org)
> > http://attrition.org/dataloss
> >
> > Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
> > http://www.tenablesecurity.com/products/compliance.shtml

From adam at homeport.org Wed Apr 9 17:16:31 2008
From: adam at homeport.org (Adam Shostack)
Date: Wed, 9 Apr 2008 13:16:31 -0400
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To: <25d3931b0804090909j560bd8cfo523d918b56f2b4bf@mail.gmail.com>
References: <25d3931b0804090909j560bd8cfo523d918b56f2b4bf@mail.gmail.com>
Message-ID: <20080409171631.GC5185@homeport.org>

On Wed, Apr 09, 2008 at 09:09:33AM -0700, Mike Simon wrote:
| It would be an amusing exercise to postulate what other kinds of things CEOs
| should receive jail time for in light of this new concept. If they choose
| biofuel over fuel cells and lose a billion dollars for investors, even though
| everyone was telling them that fuel cells were the way to go, should we lock

I think we should jail CEOs *and* security pros who get all the budget they want, and still allow a breach.

More seriously, it's easy to suggest that others go to jail for not doing what we want. I know of few professionals who'd want to accept the risk of jail time for their errors or omissions.

So if you advocate CEOs in jail, be prepared to join them.
Adam

From mhozven at tealeaf.com Wed Apr 9 17:53:36 2008
From: mhozven at tealeaf.com (Max Hozven)
Date: Wed, 9 Apr 2008 10:53:36 -0700
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To: <20080409171631.GC5185@homeport.org>
References: <25d3931b0804090909j560bd8cfo523d918b56f2b4bf@mail.gmail.com> <20080409171631.GC5185@homeport.org>
Message-ID: <771A26039D33ED489E23D9614DE630DD082A260B@SFMAIL02.tealeaf.com>

My 2 cents is that we should make sure that whistle-blowers are protected and a large portion of fines collected go to potential victims of identity theft (as opposed to all going down some rat-hole of a government bureaucracy).

Sending CEO's to jail for actions of someone way down the food-chain could have the undesired effect of not having good people want to be CEO's anymore, and in this economic situation, we need all the good people we can get at the top.

-Max
Note: Opinions expressed are that of myself only.

From allan_friedman at ksgphd.harvard.edu Wed Apr 9 17:59:09 2008
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Wed, 9 Apr 2008 13:59:09 -0400
Subject: [Dataloss] breach at People's United Bank or fraud attempt?
Message-ID: <686cc62f0804091059h3d395717y769bd88ee2fa102d@mail.gmail.com>

I especially like the bit where the bank claims that their "primary concern" is safeguarding customer data that they left in a dumpster.

http://www.boston.com/news/local/connecticut/articles/2008/04/06/taking_bank_trash_fairfield_man_claims_security_lapse/

For four months, James Hastings searched through trash bins outside People's United Bank branches in Fairfield County. He pulled out bags of paperwork with private information, including customers' Social Security numbers and account information.

The bank last month won a restraining order against Hastings, 56, requiring him to not discuss the matter or distribute paperwork. He has since been interviewed by the Connecticut Post.

People's Bank said Hastings is trying to extort money and claims he asked to be hired as a "fraud consultant." Bank officials also are demanding that the information be returned.

Brent DiGiorgio, a spokesman for People's Bank, said its primary concern is protecting the customers' information that Hastings has taken. The bank promises to provide a year of free credit monitoring to customers whose information was taken and has contacted affected customers, he said.

...

Hastings said that after several months he contacted People's and met March 19 with William A Gniazdowski, the bank's director of corporate security.

Gniazdowski said Hastings asked that People's hire him as a "fraud consultant."

Hastings, who has served a two-year probation for trying to get drugs from a pharmacy by impersonating a doctor, denied Gniazdowski's accusation. He said he told bank officials that People's needs a consultant. "You don't need to hire me," he said he told bank officials.

From lyger at attrition.org Wed Apr 9 18:12:25 2008
From: lyger at attrition.org (lyger)
Date: Wed, 9 Apr 2008 18:12:25 +0000 (UTC)
Subject: [Dataloss] VA: Personal information swiped from Norfolk case worker's car
Message-ID:

http://www.wvec.com/news/topstories/stories/wvec_local_040908_comm_services_norfolk.493f52f7.html

The personal information of about 30 clients of Norfolk's Community Services Board was compromised when a case worker's briefcase was stolen.

Officials say the briefcase was left in the worker's car in a Virginia Beach parking garage on March 24, but someone smashed a window and stole it.

The case worker violated the agency's policy by taking sensitive patient information outside the board's offices, Executive Director George Pratt said. He says it's unclear what information was in the files but that it likely included Social Security numbers.

[...]

From stefan.wahe at doit.wisc.edu Wed Apr 9 18:18:03 2008
From: stefan.wahe at doit.wisc.edu (Stefan Wahe)
Date: Wed, 09 Apr 2008 13:18:03 -0500
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To: <771A26039D33ED489E23D9614DE630DD082A260B@SFMAIL02.tealeaf.com>
References: <25d3931b0804090909j560bd8cfo523d918b56f2b4bf@mail.gmail.com> <20080409171631.GC5185@homeport.org> <771A26039D33ED489E23D9614DE630DD082A260B@SFMAIL02.tealeaf.com>
Message-ID: <47FD085B.8080000@doit.wisc.edu>

In reading through the thread it seems that we are quick to want to point the finger.
As a security professional we definitely attempt to communicate the need for implementing technical controls and implementing procedures that will mitigate a risk to PII. CEO's may listen, but do they understand? Once there is more accountability then there will be more of an interest from CEOs or middle management to spend time understanding the threats, the impact and likelihood of those threats and be able to weigh them against the cost of implementing technical controls or procedures as well as implementing and enforcing policy.

Seems like there are an awful lot of laptops wandering off (stolen/lost) with sensitive data. If there is a company policy stating mobile devices should not store such PII data, are these employees being fired? Why aren't there controls preventing them from copying the data to the device? Now if the CEO is not creating and enforcing these policies, then his/her board of directors should be considering their employment status.

But then again, where is the common understanding between the CISO, Business Partners, CEO, BoD and technologists?

Stefan Wahe

From chris at cwalsh.org Wed Apr 9 18:22:58 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Wed, 9 Apr 2008 13:22:58 -0500
Subject: [Dataloss] VA: Personal information swiped from Norfolk case worker's car
In-Reply-To:
References:
Message-ID: <20080409182258.GA26939@fripp.cwalsh.org>

No need for concern. The briefcase probably had a lock, and it wasn't apparent that SSNs were inside it.

Chris

On Wed, Apr 09, 2008 at 06:12:25PM +0000, lyger wrote:
>
> http://www.wvec.com/news/topstories/stories/wvec_local_040908_comm_services_norfolk.493f52f7.html
>
> The personal information of about 30 clients of Norfolk's Community Services Board was compromised when a case worker's briefcase was stolen.
>
> Officials say the briefcase was left in the worker's car in a Virginia Beach parking garage on March 24, but someone smashed a window and stole it.

From lyger at attrition.org Wed Apr 9 21:11:11 2008
From: lyger at attrition.org (lyger)
Date: Wed, 9 Apr 2008 21:11:11 +0000 (UTC)
Subject: [Dataloss] GA: Insurance records of 71,000 Ga. families made public
Message-ID:

http://www.ajc.com/metro/content/metro/stories/2008/04/08/breach_0409.html

Private records of up to 71,000 Georgia families who are members of health insurance programs for the poor or working poor were accidentally made available on the Internet for several days, and some of the data may have been viewed by unauthorized people, Tampa-based WellCare Health Plans Inc. said today.

Affected families are members of WellCare of Georgia, which is part of WellCare Health Plans, said WellCare spokeswoman Amy Knapp. She said a human error allowed the information to be accessible for an unknown period of time, but that the secret data was removed from the Internet on April 2.

It was not immediately known when the data breach occurred or how long the secret data was available. The state of Georgia said it was notified March 31.

[...]
From rsk at gsp.org Wed Apr 9 18:35:45 2008
From: rsk at gsp.org (Rich Kulawiec)
Date: Wed, 9 Apr 2008 14:35:45 -0400
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To: <20080409171631.GC5185@homeport.org>
References: <25d3931b0804090909j560bd8cfo523d918b56f2b4bf@mail.gmail.com> <20080409171631.GC5185@homeport.org>
Message-ID: <20080409183545.GA22283@gsp.org>

On Wed, Apr 09, 2008 at 01:16:31PM -0400, Adam Shostack wrote:
> I think we should jail CEOs *and* security pros who get all the budget they want, and still allow a breach.
>
> More seriously, it's easy to suggest that others go to jail for not doing what we want. I know of few professionals who'd want to accept the risk of jail time for their errors or omissions.
>
> So if you advocate CEOs in jail, be prepared to join them.

I'm fine with that concept, provided the scale of the punishment is commensurate with the scope of responsibility. For example, if a CEO makes 4M a year and a security analyst makes 100K, then I expect the CEO to accept 40/41 of the responsibility. ("With great power comes great responsibility.")

In part I suppose I think this way because I'm accustomed to taking on life-and-death responsibilities: I'm a whitewater kayaker and am often the "sweep boat", which means I go last and am responsible for the safety of everyone in front of me. (I'm mostly on my own in this situation, since nobody is watching my back.) If while scouting a rapid, I give out bad advice, or if I mis-estimate the ability of one of the paddlers in the group to handle a particular route, or if I forget to point out something important, then someone could get into serious trouble very quickly because of my error. And even if I get everything right, someone could still screw up, at which point it's my responsibility to do anything I possibly can, including putting myself at risk, to rescue them.

If I can take on that kind of responsibility, for free, on a routine basis, knowing that if something goes horribly wrong I will not only have to live with it (assuming I survive), but may also be sued into homelessness, then surely someone who is making millions of dollars a year can be expected to take on a far lesser, non life-and-death responsibility -- and to endure the consequences if they fail. If they're not up to that, then perhaps they should step aside in favor of someone who is.

---Rsk

From lyger at attrition.org Wed Apr 9 22:27:48 2008
From: lyger at attrition.org (lyger)
Date: Wed, 9 Apr 2008 22:27:48 +0000 (UTC)
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To: <20080409183545.GA22283@gsp.org>
References: <25d3931b0804090909j560bd8cfo523d918b56f2b4bf@mail.gmail.com> <20080409171631.GC5185@homeport.org> <20080409183545.GA22283@gsp.org>
Message-ID:

On Wed, 9 Apr 2008, Rich Kulawiec wrote:

": " I'm fine with that concept, provided the scale of the punishment
": " is commensurate with the scope of responsibility. For example,
": " if a CEO makes 4M a year and a security analyst makes 100K, then
": " I expect the CEO to accept 40/41 of the responsibility. ("With great
": " power comes great responsibility.")

Good conversation and comments from everyone, but we might be swerving a little off-topic for the list in general. If anyone wants to continue the thread off-list, please feel free to CC me (I might even chime in somewhere).
From lyger at attrition.org Thu Apr 10 04:22:40 2008
From: lyger at attrition.org (lyger)
Date: Thu, 10 Apr 2008 04:22:40 +0000 (UTC)
Subject: [Dataloss] (follow-up) Stolen NIH Laptop Held Social Security Numbers
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2008/04/09/AR2008040903680.html

Social Security numbers for more than 1,200 participants in a National Institutes of Health study were stored on a stolen laptop containing their medical records, putting those patients at risk of identity theft, agency officials said yesterday.

NIH officials had initially assured the more than 3,000 patients whose records were on the laptop that the computer's contents -- unencrypted, in violation of federal policy -- did not contain any information that could put their identity or finances at risk. But an ongoing review of the computer's last-known contents, performed on data backed up from the laptop before it was stolen, has found a file that, unbeknownst to the lead researcher, had been loaded onto the laptop by a research associate.

[...]

From lyger at attrition.org Thu Apr 10 11:46:01 2008
From: lyger at attrition.org (lyger)
Date: Thu, 10 Apr 2008 11:46:01 +0000 (UTC)
Subject: [Dataloss] IL: Police: Student hacked JT data
Message-ID:

http://www.suburbanchicagonews.com/heraldnews/news/887530,4_1_JO10_HACK_S1.article

Police say a student using a school computer last month was able to access personal information about every student enrolled at Joliet West High School.

The student allegedly downloaded a list of names and Social Security numbers to his iPod on March 7, according to reports.

Police Chief Fred Hayes said the school learned George C. Janecek, 18, had gotten the information after he showed it to other students who notified a teacher that day.

[...]
From dmetcalf at mcraemetcalf.com Thu Apr 10 12:26:52 2008
From: dmetcalf at mcraemetcalf.com (David Metcalf)
Date: Thu, 10 Apr 2008 08:26:52 -0400
Subject: [Dataloss] IL: Police: Student hacked JT data
In-Reply-To:
References:
Message-ID:

The usual assurances that the iPod and the data were recovered are fine as far as they go. But this kid was given free run of the computer and access to student records so he could update his ROTC website, there must be any number of other students with similar access to update their clubs' pages, not to mention teachers, substitutes, nonessential staff, etc.

From lyger at attrition.org Fri Apr 11 04:46:14 2008
From: lyger at attrition.org (lyger)
Date: Fri, 11 Apr 2008 04:46:14 +0000 (UTC)
Subject: [Dataloss] [FIN] This is the end...
Message-ID:

http://attrition.org/news/content/end.html

This is the end...
April 11, 2008
Lyger

Since July 5 2005, Attrition.org has tracked events involving large-scale thefts and loss of personally identifying information (PII). In the months and years since then, we, as well as dozens of volunteers, enthusiasts, and well-wishers have spent literally thousands of hours gathering data, discussing matters related to data breaches, creating web pages and databases, and promoting the idea of security and privacy for personal information. We feel that our combined efforts have been valuable to the security and privacy communities alike, and we hope that efforts like ours will continue to promote awareness, and maybe, some day in the future, actually make a difference.

With that said, we're done.

Much like Attrition.org's past defacement mirror, the time has come for us to say "no mas". In the past few weeks, it has come to our attention that too many people are more concerned with making a profit off of our work without any offer of acknowledgement or compensation. For those who aren't familiar with Attrition, we're a non-profit hobby site that takes on "projects" as we see fit, when we want to, and when we have time. For those who *are* familiar with Attrition, you probably know that we don't take kindly to being dealt with unfairly. Commercial entities, including "identity-theft prevention" upstarts and book authors, will gladly contact us, ask for information and advice, and then not even offer us the equivalent of a reach-around when selling their materials. We don't pimp our resources to others; they come to us. Unfortunately, more often than not, they won't even send us a "thank you". We've mentioned it in the past, but we're not going to mention it in the future. This is the last mention.

[...]
From lyger at attrition.org Sat Apr 12 03:34:31 2008
From: lyger at attrition.org (lyger)
Date: Sat, 12 Apr 2008 03:34:31 +0000 (UTC)
Subject: [Dataloss] dataloss: A new beginning
Message-ID:

http://attrition.org/news/content/nottheend.html

A new beginning
Fri Apr 11 23:04:01 EST 2008
Lyger

First off, we would like to thank everyone who emailed us messages of support about our decision to discontinue our Data Loss resources. So far, we have received over 50 emails expressing gratitude, concern, and interest in helping continue the project. To be perfectly honest, the overwhelming offers of support have been, well, touching. We never intended for our resources to be so widely held in regard and respected by security and privacy professionals world-wide, and we are quite thankful for your messages.

However, some of the messages we received were somewhat saddening, as if there was a death in the family. We didn't post our notice to cause grief, but let us all take a step back and look at this objectively. If you have something you like and, in some cases, rely upon every single day, why wait until it's gone to say "thanks" or offer support? Isn't that the classic case of "too little, too late?" Why wait until the corpse is in the coffin before you start crying? Why not show appreciation for the living... not the (apparently) dead?

Every single one of you, right now, go pick up your phones, call your mom and/or your dad, and just say "thanks." Seriously. If this project means that much to you, the least you can do for us, yourself, and your 'rents is to do that one small thing. It's called "perspective".

[...]
From hbrown at knology.net Sat Apr 12 09:14:28 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 12 Apr 2008 04:14:28 -0500
Subject: [Dataloss] court ruling regarding TSA data breach
Message-ID: <48007D74.8080808@knology.net>

From Lauren Gelman's blog

Court holds Privacy Act "actual damages requirement" does not require pecuniary harm
http://cyberlaw.stanford.edu/node/5734

I'm breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act's requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed'n of Gov't Employees v. Hawley, D.D.C., No. 07-00855, 3/31/08.

[T]he plaintiffs' alleged injury is not speculative nor dependent on any future event, such as a third party's misuse of the data, the court said. The court finds that plaintiffs have standing to bring their Privacy Act claim.

This follows the Supreme Court's holding in Doe v. Chao, 540 U.S. 614 (2004) that a plaintiff must prove actual damages to succeed on an alleged Privacy Act violation, however in that case, the court never defined "actual damages."

I think this is a great decision that supports the belief that people's harm from a privacy loss is not just another's use of that information to cause financial loss (i.e. identity theft), but that emotional damages and embarrassment are cognizable harms of privacy violations.

[...]

The actual court document...
https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2007cv0855-6

Summary provided by Saqib Ali from the FDE newsgroup..

In the recent American Federation Of Government Employees (plaintiff) v. Kip Hawley, in his official capacity as Administrator for TSA, the plaintiffs alleged that defendants violated the Aviation and Transportation Security Act ("ATSA") and the Privacy Act by failing to establish appropriate safeguards to insure the security and confidentiality of personnel records which resulted in unintended disclosure of Personally Identifiable Information (PII) of 100,000 TSA employees.

The defendants argued that "the individual plaintiffs should be dismissed for lack of standing for failing to demonstrate an injury-in-fact. Mot. Dismiss at 13.11 According to defendants, plaintiffs' concerns about future harm are speculative and dependent upon the criminal actions of third parties. Mot. Dismiss at 13-15"

The court, however, disagrees:

"Plaintiffs allege that because TSA violated § 552a(e)(10) by failing to establish safeguards to secure the missing hard drive, they have suffered an injury in the form of embarrassment, inconvenience, mental distress, concern for identity theft, concern for damage to credit report, concern for damage to financial suitability requirements in employment, and future substantial financial harm, [and] mental distress due to the possibility of security breach at airports." Compl. 41-42. As such, plaintiffs' alleged injury is not speculative nor dependent on any future event, such as a third party's misuse of the data.12 The court finds that plaintiffs have standing to bring their Privacy Act claim."

[...]
From mhill at idtexperts.com Sat Apr 12 13:38:50 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Sat, 12 Apr 2008 09:38:50 -0400 Subject: [Dataloss] NY: NYC hospital reports as many as 40, 000 possible ID thefts Message-ID: <60316A0E60C0414C852D89424011F711@mkevhillpc> http://www.silive.com/newsflash/index.ssf?/base/news-33/1207944571223200.xml&storylist=simetro A hospital said Friday that one of its employees may have stolen records containing the names, phone numbers and, in some cases, social security numbers of as many as 40,000 patients. The scope of the theft at New York-Presbyterian Hospital/Weill Cornell Medical Center in Manhattan was uncovered by a federal investigation and an internal audit, the hospital said. None of the stolen data contained private medical information, and hospital spokeswoman Myrna Manners said the hospital wasn't aware of any instance where a patient had become a victim of a financial fraud or some other scam because of the data thefts. But a law enforcement investigation is under way and Manners said there is evidence the theft was linked to a "larger criminal enterprise." "We're taking this very seriously," she said. "We deeply regret that this has occurred." The hospital is contacting all 40,000 patients, setting up a hot line for people with questions and offering credit monitoring services for patients worried about possible financial crimes. [...] Michael Hill Certified Identity Theft Risk Management Specialist 404-216-3751 "If You Think You're Not At Risk, Think Again!" NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email. This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. 
If the reader of this message is not the intended recipient, you are hereby notified that any dissemination or distribution of this communication is prohibited. If you have received this communication in error, please notify the sender via return email and delete it completely from your email system. If you have printed a copy of the email, please destroy it immediately.

From hbrown at knology.net Sat Apr 12 21:57:19 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 12 Apr 2008 16:57:19 -0500
Subject: [Dataloss] additional information on Advance Auto Parts data breach
Message-ID: <4801303F.1080208@knology.net>

http://storefrontbacktalk.com/story/041108advanceauto

Unencrypted customer credit card information dating back to 2001 was among the customer payment data stolen from as many as 56,000 customers of Advance Auto Parts, according to one company official, who added that the chain is not PCI compliant.

The $4.8 billion automotive aftermarket parts chain - which dubs itself the nation's second largest such chain, with 3,261 stores in 40 states, Puerto Rico and the Virgin Islands - said the breach appears to have impacted customers from 14 of its stores in Georgia, Ohio, Louisiana, Tennessee, Mississippi, New York, Virginia and Indiana.

The breach - which revealed check, credit card and debit card data - apparently happened in February 2008 and was discovered "in early March," said Shelly Whitaker, the manager of public communications for Advance Auto Parts.

The initial investigation revealed that "the majority of [the stolen information] was old data" from December 2001 through December 2004 and that none of the older data had been encrypted, Whitaker said. She added that the chain currently encrypts payment data.
Whitaker said the old credit card data was still in the company's system because it was left over from some old network changes. "During a system conversation, the data had not been deleted," she said.

Advanced Auto Parts was not PCI compliant at the time of the data breach and is still not compliant, although Whitaker said the chain is "in the final stages" of having a PCI assessment completed. It had not been declared PCI compliant because of "an open item not related to this intrusion," which Whitaker declined to identify. "We should be compliant in the next couple of months," she said on April 11.

From lyger at attrition.org Sun Apr 13 18:24:53 2008
From: lyger at attrition.org (lyger)
Date: Sun, 13 Apr 2008 18:24:53 +0000 (UTC)
Subject: [Dataloss] OH: UT tells employees of potential data breach
Message-ID:

http://toledoblade.com/apps/pbcs.dll/article?AID=/20080413/NEWS21/804130353

Personal information of nearly 6,500 University of Toledo employees - the majority having worked on the Health Science Campus in 1993 and 1999 - last month was inadvertently placed on a server to which all employees had access.

The information, which was used for payroll purposes, included basically what is on a W-2 - name, address, and Social Security number - and was accessible for about 24 hours.

An employee in the payroll department authorized to work with the data accidentally moved it to the wrong folder on the morning of March 4. It was discovered in the wrong place by an information technology employee on March 5, said Bob Hogle, interim information technology chief operating officer.

[...]
From rchicker at etiolated.org Mon Apr 14 01:30:27 2008
From: rchicker at etiolated.org (rchick)
Date: Sun, 13 Apr 2008 21:30:27 -0400
Subject: [Dataloss] West Seneca School District notifying 1,800 employees
Message-ID:

http://www.buffalonews.com/home/story/321395.html

Several current and former Williamsville North High School students are believed to have broken into the school district's computer system last month and copied secure files that included the personal information and Social Security numbers of school employees, authorities say.

This computer breach marks the third time in the past month that students have gained unauthorized access to sensitive information in area school districts. Students in the Grand Island and West Seneca districts have been charged with unauthorized computer use.

"From talking with staff and from talking with students involved, we know these students gained access to personal information regarding employees of the school district," Amherst Police Chief John Askey said.

The students, Askey said, overrode the security defenses of a classroom computer at Williamsville North and went trolling for information.

"They actively attacked the system - subverted those security procedures and precautions," he said. He added that several of the hackers are considered "very bright kids" and good students with no lengthy disciplinary records.

The extent of the security breach remains unknown because police are required to have computer evidence extracted by the Western New York Regional Computer Forensics Laboratory, Askey said, which might take several weeks. But he added that police know the students may have accessed personal staff data.

This prompted Superintendent Howard S. Smith to send a letter this week to the district's 1,800 employees, asking them to notify Amherst police if they uncover any suspicious credit card or banking activity.

[...]
From jericho at attrition.org Mon Apr 14 18:54:50 2008
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 14 Apr 2008 18:54:50 +0000 (UTC)
Subject: [Dataloss] Authorities: State employee used confidential information in identity fraud case
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://deseretnews.com/article/1,5143,695269275,00.html

By Geoffrey Fattah
Deseret News
April 10, 2008

Federal officials said a former state employee who took applications from people seeking food stamps and other welfare aid worked with three others to steal the identity of Utah residents and charge tens of thousands of dollars in purchases.

During a joint press conference Thursday, federal and state officials said this was the largest security breach at the Department of Workforce Services and were working to re-instate the public's trust.

"It is a particularly gross crime," said U.S. Attorney for Utah Brett Tolman.

Authorities unsealed indictments against four individuals, including one state employee. Charged were Joshua Smith, 32, of Murray; Michelle Chapman, 29, of Murray; John Johnstun, 44, of Midvale and Laura Bustamante, 34, of Midvale.

Authorities said Bustamante had worked on and off with the DWS as early as 2000 and recently had worked as an eligibility specialist, taking applications from Utah residents applying for food stamps, financial aid, child care programs including CHIP and Medicaid.

[..]
From rforno at infowarrior.org Tue Apr 15 16:22:10 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 15 Apr 2008 12:22:10 -0400
Subject: [Dataloss] Lawmakers Want FBI Access to Data Curbed
Message-ID:

Lawmakers Want FBI Access to Data Curbed

By Carrie Johnson
Washington Post Staff Writer
Tuesday, April 15, 2008; A04

http://www.washingtonpost.com/wp-dyn/content/article/2008/04/14/AR2008041402664_pf.html

Bipartisan groups in Congress are pressing to place new controls on the FBI's ability to demand troves of sensitive personal information from telephone providers and credit card companies, over the opposition of agency officials who say they deserve more time to clean up past abuses.

Proposals to rein in the use of secret "national security letters" will be discussed over the next week at hearings in both chambers. The hearings stem from disclosures that the FBI had clandestinely gathered telephone, e-mail and financial records "sought for" or "relevant to" terrorism or intelligence activities without following appropriate procedures.

The Justice Department's inspector general issued reports in 2007 and earlier this year citing repeated breaches. They included shoddy FBI paperwork, improper claims about nonexistent emergencies and an insufficient link between the data requests and ongoing national security probes.

"It is clear that the NSL authority is too overbroad and operates unchecked," said Rep. Jerrold Nadler (D-N.Y.), a co-sponsor of the House bill. "We must give our law enforcement the tools they need to protect us, but any such powers must be consistent with the rule of law."

The House bill, sponsored by Nadler, Rep. Bill Delahunt (D-Mass.), Rep. Jeff Flake (R-Ariz.) and Rep. Ron Paul (R-Tex.), would tighten the language governing when national security letters could be used, by requiring that they clearly pertain to investigations of a foreign power or an agent instead of just being considered "relevant" to such investigations.
The House bill would also force the FBI to destroy information that had been illegally obtained -- something that existing rules do not require -- and it would allow the recipient of a letter to file a civil lawsuit if the missive is found to be illegal or without sufficient factual justification.

A Senate bill, sponsored by Russell Feingold (D-Wis.), Richard J. Durbin (D-Ill.), Lisa Murkowski (R-Alaska) and John E. Sununu (R-N.H.), would require the FBI to track its use of the letters more carefully and would narrow the types of records that can be obtained with a letter, and therefore without judicial approval, to those that are least sensitive.

Three supporters of the legislation are slated to appear at Nadler's hearing this afternoon: David Kris, an expert in national security law who worked in the Clinton and Bush administrations; Bruce Fein, a Justice Department official in the Reagan era; and Jameel Jaffer, director of the national security project at the American Civil Liberties Union.

"It's a bipartisan issue," Fein said in an interview. "It's not trusting the goodwill or the angelic disposition of the government to preserve our rights. . . . We ought to learn from our experience since 9/11 and restore checks and balances. Congress can't just rely on the FBI to fix the problem."

Officials at the Justice Department's National Security Division and the FBI have acknowledged problems with the past use of national security letters. But they say they have stepped up training programs, instituted internal reviews, and developed new databases to improve the accuracy of internal tracking and accounting.

Valerie E. Caproni, the FBI's top lawyer, is expected to testify today that the bureau needs more time to overhaul its internal systems, according to a government source familiar with her position who was not authorized to speak in advance of the hearing.

"We are committed to using [the letters] in ways that maximize their national security value while providing the highest level of privacy and protection," FBI Assistant Director John Miller said.

From lyger at attrition.org Tue Apr 15 19:11:54 2008
From: lyger at attrition.org (lyger)
Date: Tue, 15 Apr 2008 19:11:54 +0000 (UTC)
Subject: [Dataloss] Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data
Message-ID:

(courtesy Jericho)

http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma's Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.

The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed - and possibly, changed - any data within the DOC's databases. It took me all of a minute to figure out how to download 10,597 records - SSNs and all - from their website:

[...]
From jericho at attrition.org Wed Apr 16 07:49:57 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 16 Apr 2008 07:49:57 +0000 (UTC)
Subject: [Dataloss] UVa laptop stolen, had sensitive data
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.dailyprogress.com/cdp/news/local/article/uva_laptop_stolen_had_sensitive_data/17976/

By Brian McNeill
Dailyprogress.com
April 16, 2008

A laptop stolen from a University of Virginia employee contained sensitive information about more than 7,000 students, staff and faculty members.

Stolen from an unidentified employee from an undisclosed location in Albemarle County, the laptop contained a confidential file filled with names and Social Security numbers.

"As soon as we learned about the theft, we started moving as quickly as we could," UVa spokeswoman Carol Wood said.

UVa mailed out letters Monday to each person affected by the data breach. The university will publicly announce the incident today. The Albemarle County Police Department is investigating the theft. At the police department's request, UVa is releasing few details about the incident.

Wood declined to say when the burglary occurred or which academic departments were affected. She did say, however, that the theft did not occur on UVa's campus.

[..]

From chris at cwalsh.org Wed Apr 16 15:16:32 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Wed, 16 Apr 2008 10:16:32 -0500
Subject: [Dataloss] UVa laptop stolen, had sensitive data
In-Reply-To:
References:
Message-ID: <20080416151632.GB69912@fripp.cwalsh.org>

Time for somebody to FOIA the Virginia AG's office.

Breaches must be centrally-reported to the AG there.

cw

On Wed, Apr 16, 2008 at 07:49:57AM +0000, security curmudgeon wrote:
>
>
> ---------- Forwarded message ----------
>
> A laptop stolen from a University of Virginia employee contained sensitive
> information about more than 7,000 students, staff and faculty members.
>
> Stolen from an unidentified employee from an undisclosed location in
> Albemarle County, the laptop contained a confidential file filled with
> names and Social Security numbers.
>
> "As soon as we learned about the theft, we started moving as quickly as
> we could," UVa spokeswoman Carol Wood said.
>
> UVa mailed out letters Monday to each person affected by the data breach.
> The university will publicly announce the incident today. The Albemarle
> County Police Department is investigating the theft. At the police
> department's request, UVa is releasing few details about the incident.
>
> Wood declined to say when the burglary occurred or which academic
> departments were affected. She did say, however, that the theft did not
> occur on UVa's campus.
>

From mikeasimon at gmail.com Wed Apr 16 15:34:15 2008
From: mikeasimon at gmail.com (Mike Simon)
Date: Wed, 16 Apr 2008 08:34:15 -0700
Subject: [Dataloss] UVa laptop stolen, had sensitive data
In-Reply-To: <20080416151632.GB69912@fripp.cwalsh.org>
References: <20080416151632.GB69912@fripp.cwalsh.org>
Message-ID: <7e1ecdc0804160834q32c9db9cu9da8b52aa10ead34@mail.gmail.com>

Typically, even a FOIA request can be refused while police are investigating the crime. Something to do with not alerting the criminals to exactly what the police know and what actions they are taking.

On Wed, Apr 16, 2008 at 8:16 AM, Chris Walsh wrote:
> Time for somebody to FOIA the Virginia AG's office.
>
> Breaches must be centrally-reported to the AG there.
>
> cw
>
> On Wed, Apr 16, 2008 at 07:49:57AM +0000, security curmudgeon wrote:
> >
> >
> > ---------- Forwarded message ----------
> >
> > A laptop stolen from a University of Virginia employee contained
> sensitive
> > information about more than 7,000 students, staff and faculty members.
> >
> > Stolen from an unidentified employee from an undisclosed location in
> > Albemarle County, the laptop contained a confidential file filled with
> > names and Social Security numbers.
> >
> > "As soon as we learned about the theft, we started moving as quickly as
> > we could," UVa spokeswoman Carol Wood said.
> >
> > UVa mailed out letters Monday to each person affected by the data
> breach.
> > The university will publicly announce the incident today. The Albemarle
> > County Police Department is investigating the theft. At the police
> > department's request, UVa is releasing few details about the incident.
> >
> > Wood declined to say when the burglary occurred or which academic
> > departments were affected. She did say, however, that the theft did not
> > occur on UVa's campus.
> >
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>

From rchicker at etiolated.org Thu Apr 17 02:23:54 2008
From: rchicker at etiolated.org (rchick)
Date: Wed, 16 Apr 2008 22:23:54 -0400
Subject: [Dataloss] Computer Containing Test Scores Missing From School
Message-ID:

April 14, 2008

http://www.wxii12.com/news/15878798/detail.html

STOKES COUNTY, N.C. -- A school computer containing the names, test scores and Social Security numbers of students from three Stokes County high schools was stolen from a locked closet, authorities said.

The school system sent home a letter to parents last week notifying them of the theft, which affected between 400 to 800 students at West, South and North Stokes high schools.

"Wednesday after we returned from our spring break, a teacher notified us that she had misplaced (the) laptop computer," said school system superintendent Dr. Stewart Hobbs.

The computer was used for scoring exams in the career and technical courses, the school system said. And though the computer contained personal information, Hobbs said he doesn't think the information can be accessed.

"All information stored on the computer is protected by two separate security systems, each of which requires a password," the letter stated.

"Any time any type of computer, especially if it has student information that's missing, this is of importance to us," Hobbs said.

From lyger at attrition.org Thu Apr 17 04:17:14 2008
From: lyger at attrition.org (lyger)
Date: Thu, 17 Apr 2008 04:17:14 +0000 (UTC)
Subject: [Dataloss] DLDOS revision
Message-ID:

For anyone interested, Attrition's Data Loss Database has been revised to reflect the full path to the RefPage column as of tonight. Where you once would have seen "uva01.html" in said column, you will now see:

http://attrition.org/dataloss/2008/04/uva01.html

for the full year, month, and page path. Thanks to Adam Shostack for the original suggestion and Marjorie Simmons for her help to make this happen.

From lyger at attrition.org Thu Apr 17 04:42:56 2008
From: lyger at attrition.org (lyger)
Date: Thu, 17 Apr 2008 04:42:56 +0000 (UTC)
Subject: [Dataloss] DLDOS: "Call to Arms": Proposed revisions
Message-ID:

http://attrition.org/news/content/08-03-15.001.html

After our first "call to arms" regarding new data additions and a new data structure for DLDOS, one submission came through with several new ideas for possible enhancements to the existing "database". For those of you who might be interested...
courtesy Marjorie Simmons:

http://attrition.org/dataloss/dataloss_new.csv

Some obvious changes:

- Multiple data type additions, setting 0/1 flags for the columns, which would enhance the current limitation of just two data types
- The addition of a "biometric" data type to the columns mentioned above
- The addition of an XREF2 column to allow for possible cross-references to other data sources (like ITRC's Breach Report)
- The movement of the UID column to the first column in the flat file, which may or may not affect anyone's parsing efforts

If anyone has any thoughts, comments, or concerns, we would definitely like to hear them.

From macwheel99 at wowway.com Wed Apr 16 15:20:42 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Wed, 16 Apr 2008 10:20:42 -0500
Subject: [Dataloss] off-topic: Learning from Librarians
Message-ID: <6.2.1.2.1.20080416101112.0278ba30@pop3.mail.wowway.com>

What a librarian can teach you about privacy

http://cwflyris.computerworld.com/t/3124317/308968/108105/2/

[...]

In 2003, the chief librarian of the city of Santa Cruz, Calif., was able to warn her patrons about whether the FBI had served a National Security Letter (NSL) demanding information about who was reading what books. She managed that task despite specific provisions in the USA Patriot Act at the time that prohibited librarians or booksellers from revealing to anyone that they'd been issued an NSL.

So, how did the librarian get the word out? By regularly reporting to the library board that no NSL had been issued to any of the city's 10 branches, which was perfectly legal. Everyone knew that if the chief librarian failed to report that nothing had happened, then indeed an NSL had been served.

[...]

virtually every librarian will comply with a court order or subpoena, where a specific suspect has been identified by law enforcement agencies

[...]
librarians will balk at what they consider "fishing expeditions," where the government simply wants to know who has been reading this or that book.

Let's face it: When it comes to keeping data secure, there's plenty that IT can learn from librarians. Just as ALA members ensure that their patrons' reading habits remain strictly private by establishing privacy audits, so, too, can CIOs audit their systems to ensure that customer and employee data is protected, says Caldwell-Stone. Privacy audits keep customer and employee content under wraps and can protect companies from embarrassing revelations.

- Al Mac

From jericho at attrition.org Thu Apr 17 08:16:21 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 17 Apr 2008 08:16:21 +0000 (UTC)
Subject: [Dataloss] eBay's Korean Unit Apologizes for Hacking Incident
Message-ID:

Courtesy of W.K.

http://www.telecomskorea.com/index.php?option=com_content&task=view&id=5518&Itemid=2

eBay's Korean Unit Apologizes for Hacking Incident

Written by T_Korea
Thursday, 17 April 2008

U.S. auction giant eBay's Korean unit apologized Thursday for a hacking incident that led to leaks of private information of more than 10 million users of its service.

Park Joo-man, president of Internet Auction, said in an e-mail apology sent to affected users that the hacking of its website in early February led to the leaking of information of some 10,810,000 users as of its latest tally with the police. Internet Auction is controlled by the San Jose, California-based eBay.

"We deeply apologize for causing concern resulting from the hacking crime," Park said.

The company, after a joint investigation with the police, said that more than 90 percent of the information outflow was of names, IDs and resident registration numbers. Credit card data and passwords were not likely included in the leak, it added.
The company and the police allege that a user with the ID named "fuckkr" may have hacked into the company's website using a type of worm via an overseas IP address.

From lyger at attrition.org Thu Apr 17 14:14:19 2008
From: lyger at attrition.org (lyger)
Date: Thu, 17 Apr 2008 14:14:19 +0000 (UTC)
Subject: [Dataloss] CT: Laptop stolen with student data, contained personal information of 3400 CSU System pupils
Message-ID:

http://www.newstimes.com/ci_8956150

The Connecticut State University System announced Wednesday a laptop computer that was stolen from a vendor contained the data of about 3,400 current and former students from the four state universities, including Western Connecticut State University.

The computer was password-protected but contained unencrypted files with personally identifiable data, including names and Social Security numbers for certain students who attended Central, Eastern, Southern and Western Connecticut State universities between September 2001 and December 2004.

State university system officials contacted the students about steps they can take to protect their identities.

[...]

From lyger at attrition.org Thu Apr 17 17:17:23 2008
From: lyger at attrition.org (lyger)
Date: Thu, 17 Apr 2008 17:17:23 +0000 (UTC)
Subject: [Dataloss] UK: Patient data stolen from Epsom hospital
Message-ID:

http://www.surreyad.co.uk/news/2026/2026090/patient_data_stolen_from_epsom_hospital

A LAPTOP containing the personal details of patients at hospitals across Surrey has been stolen from Epsom Hospital.

The names, addresses and dates of birth of 180 patients who attend outreach clinics at hospitals across the county were stored on the computer, which was stolen from an office at the Dorking Road hospital last month.

The theft took place some time between midday on Wednesday, March 12 and 2pm on Monday, March 17.

[...]
From rchicker at etiolated.org Thu Apr 17 18:31:20 2008
From: rchicker at etiolated.org (rchick)
Date: Thu, 17 Apr 2008 14:31:20 -0400
Subject: [Dataloss] Tapes stolen containing patient info of 47,000
Message-ID:

April 17, 2008
BY John Dorschner

http://www.miamiherald.com/news/breaking_dade/story/499492.html

The confidential information of tens of thousands of University of Miami patients was stolen last month when thieves took a case out of a vehicle used by a private off-site storage company, UM said Thursday morning.

"Anyone who has been a patient of a University of Miami physician or visited a UM facility since Jan. 1, 1999, is likely included on the tapes," the university said in a news release. "The data included names, addresses, Social Security numbers or health information. The university will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment."

The information was in a container holding computer back-up tapes. The container was removed from a vehicle in downtown Coral Gables on March 17, the storage company told UM.

"Shortly after learning of the incident, the university determined it would be unlikely that a thief would be able to access the backup tapes because of the complex and proprietary format in which they were written," UM said in the statement.

"Even so, the university engaged leading computer security experts at Terremark Worldwide to independently ascertain the feasibility of accessing and extracting data from a similar set of backup tapes," UM reported.

A Terremark executive, Christopher Day, said that after a week of trying to extract the data, it couldn't do so. "Because of the highly proprietary compression and encoding used in writing the tapes, we were unable to extract any usable data," Day was quoted as saying in the news release.

UM then asked Alan Brill, senior managing director at Kroll Ontrack, to review the testing.
"While the report shows it is not impossible to access the data, in this case there are many barriers that stand between a thief and being able to actually get usable data from the tapes," the report quoted Brill as saying.

In its release, UM said it has created a website for information about the incident: www.dataincident.miami.edu. Patients can also contact a call center at 1-866-628-4492.

From hogs at campbacon.com Thu Apr 17 18:55:07 2008
From: hogs at campbacon.com (Aaron Abbott)
Date: Thu, 17 Apr 2008 13:55:07 -0500
Subject: [Dataloss] fringe: Warning on Storage of Health Records
In-Reply-To:
References:
Message-ID: <2f3727480804171155j7b806242qfb0e70afb35ce046@mail.gmail.com>

NPR had a story about this on Morning Edition today, as well.

http://www.npr.org/templates/story/story.php?storyId=89688554

Morning Edition, April 17, 2008 - There are Web sites that allow you to keep information about your medical treatment online, where you and your doctor can access it easily. An article in the *New England Journal of Medicine* on Thursday asks if electronic medical records are the next big thing in health care. The answer? When it comes to keeping these records yourself, it depends.

Debbie Witchey is like many Americans: She wants to have all her medical records accessible online. Dozens of Internet sites offer the service, some free, some not.

Witchey knows about personal health records. She's senior vice president of government affairs for the Healthcare Leadership Council, a Washington, D.C.-based lobbying group for the health care industry. It's pushing something different: electronic health records, which doctors and hospitals keep on computers so they're quickly available to any doctor at any hospital. The council doesn't have a position on personal health records, which individuals maintain.
[..]

---------- Forwarded message ----------
From: security curmudgeon
Date: Apr 17, 2008 1:35 PM
Subject: [Dataloss] fringe: Warning on Storage of Health Records
To: dataloss at attrition.org

---------- Forwarded message ----------
From: David Farber

http://www.nytimes.com/2008/04/17/business/17record.html

Warning on Storage of Health Records

By STEVE LOHR

In an article in The New England Journal of Medicine, two leading researchers warn that the entry of big companies like Microsoft and Google into the field of personal health records could drastically alter the practice of clinical research and raise new challenges to the privacy of patient records.

The authors, Dr. Kenneth D. Mandl and Dr. Isaac S. Kohane, are longtime proponents of the benefits of electronic patient records to improve care and help individuals make smarter health decisions. But their concern, stated in the article published Wednesday and in an interview, is that the medical profession and policy makers have not begun to grapple with the implications of companies like Microsoft and Google becoming the hosts for vast stores of patient information.

The arrival of these new corporate entrants, the authors write, promises to bring "a seismic change" in the control and stewardship of patient information.

Today, most patient records remain within the health system - in doctors' offices, hospitals, clinics, health maintenance organizations and pharmacy networks. Federal regulations govern how personal information can be shared among health institutions and insurers, and the rules restrict how such information can be mined for medical research. One requirement is that researchers have no access to individual patients' identities.

[..]
From lyger at attrition.org Fri Apr 18 02:12:54 2008
From: lyger at attrition.org (lyger)
Date: Fri, 18 Apr 2008 02:12:54 +0000 (UTC)
Subject: [Dataloss] Laptop theft may have compromised student info.
Message-ID:

(Earlier mentions include the Connecticut State University System and Buffalo State... why do I get the feeling we're not done hearing about this one yet? - Lyger)

http://www.maryvilledailyforum.com/articles/2008/04/17/news/news3.txt

The theft of a laptop computer in New York could potentially put personal information about Northwest Missouri State University students and alumni in the wrong hands.

SunGard Higher Education has notified Northwest of the theft of a laptop computer owned by one of SunGard's employees that may have put the personal information of students and former students at risk. While it is not believed identity theft was the motive behind the incident, which occurred in March on a college campus in New York, Northwest moved immediately to inform those who might be affected.

[...]

From jericho at attrition.org Fri Apr 18 09:53:11 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 18 Apr 2008 09:53:11 +0000 (UTC)
Subject: [Dataloss] Community Bank says new Visa cards in mail after hacking incident
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.stripes.com/article.asp?section=104&article=54108

By Charlie Coon
Stars and Stripes
Mideast edition
April 17, 2008

No Community Bank customers lost money when an Internet site they used to make purchases was attacked by a malicious computer program, prompting the overseas military bank to cancel 867 Visa banking cards last week.
The affected customers have been mailed a new bank card, according to Thomas LaRock, a spokesman with the Defense Finance and Accounting Service, which oversees the Defense Department's contract with Bank of America and its Community Bank subsidiary.

"The bank has made, and continues to make, every effort to directly contact each of the 867 affected cardholders to inform them of the incident and notify them that a new card has been issued," LaRock wrote in an e-mailed response to Stars and Stripes.

Most of the customers were Germany-based, according to DFAS.

According to LaRock, the compromise apparently occurred when a malicious computer program targeted an online merchant with rapid-fire fake purchases. Once the purchases were authorized by the merchant, the perpetrator used the authorizations to trace back the information to the affected Visa cards.

[..]

From lyger at attrition.org Fri Apr 18 21:21:21 2008
From: lyger at attrition.org (lyger)
Date: Fri, 18 Apr 2008 21:21:21 +0000 (UTC)
Subject: [Dataloss] Fredonia State also Affected by Stolen Computer
Message-ID:

(yep, not done yet...)

http://publicbroadcasting.net/wned/news.newsmain?action=article&ARTICLE_ID=1262782&sectionID=1

It appears Buffalo State College isn't the only school affected by the theft of a laptop computer. Officials at Fredonia State College say nearly one-thousand current and former students may be affected by the security breach.

Fredonia uses the same computerized records system as Buffalo State College, which announced yesterday that the names and Social Security numbers of up to 16,000 students may be at risk after a laptop belonging to a company called SunGard was stolen.

[...]
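The Community Bank item above describes an automated burst of rapid-fire fake purchases against one online merchant. The usual acquirer- or issuer-side detection for that pattern is a velocity rule: count authorization attempts per merchant inside a sliding window and alert when the rate and the spread across different cards are implausible for a human shopper. The Python below is an added example written for this archive, not code from Stars and Stripes, Community Bank, DFAS or anyone on the list; the log format, the merchant and token ids, the sample log itself and the thresholds (more than 5 attempts over at least 4 distinct card references within 60 seconds) are all assumptions.

```python
"""Velocity rule for authorization bursts against one merchant.

Added example for the Dataloss archive; not code from Stars and Stripes,
Community Bank or DFAS. Log format, ids and thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp|merchant_id|card_ref|amount|result.
# card_ref is a tokenised reference; a full PAN never belongs in a log.
SAMPLE_LOG = """\
2008-04-10T09:30:00|M-SHOP-02|tok-2001|84.10|APPROVED
2008-04-10T10:00:00|M-SHOP-01|tok-1001|1.00|APPROVED
2008-04-10T10:00:01|M-SHOP-01|tok-1002|1.00|APPROVED
2008-04-10T10:00:02|M-SHOP-01|tok-1003|1.00|DECLINED
2008-04-10T10:00:03|M-SHOP-01|tok-1004|1.00|APPROVED
2008-04-10T10:00:04|M-SHOP-01|tok-1005|1.00|DECLINED
2008-04-10T10:00:05|M-SHOP-01|tok-1006|1.00|APPROVED
2008-04-10T10:00:06|M-SHOP-01|tok-1007|1.00|APPROVED
2008-04-10T10:00:07|M-SHOP-01|tok-1008|1.00|APPROVED
2008-04-10T10:05:00|M-SHOP-03|tok-3001|42.50|DECLINED
2008-04-10T10:05:10|M-SHOP-03|tok-3001|42.50|DECLINED
2008-04-10T10:05:20|M-SHOP-03|tok-3001|42.50|DECLINED
2008-04-10T10:05:30|M-SHOP-03|tok-3001|42.50|DECLINED
2008-04-10T10:05:40|M-SHOP-03|tok-3001|42.50|DECLINED
2008-04-10T10:05:50|M-SHOP-03|tok-3001|42.50|APPROVED
2008-04-10T10:30:00|M-SHOP-02|tok-2002|12.00|APPROVED
2008-04-10T11:00:00|M-SHOP-02|tok-2003|230.00|APPROVED
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    merchant: str
    card_ref: str
    amount: float
    result: str


def parse_auth_log(text):
    """Parse the pipe-delimited log into AuthEvent objects, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, merchant, card_ref, amount, result = line.split("|")
        events.append(AuthEvent(datetime.fromisoformat(ts), merchant,
                                card_ref, float(amount), result))
    return sorted(events, key=lambda e: e.ts)


def merchant_velocity_alerts(events, window=timedelta(seconds=60),
                             max_attempts=5, min_distinct_cards=4):
    """Sliding-window velocity rule, evaluated per merchant.

    Keeps the authorizations of the last `window` for each merchant and
    raises one alert per merchant the first time that window holds more
    than `max_attempts` attempts spread over at least `min_distinct_cards`
    different card references. The distinct-card condition is what
    separates an automated run through many cards from one shopper
    retrying a single declined card.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in events:
        q = recent[ev.merchant]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:  # drop events outside the window
            q.popleft()
        distinct = {e.card_ref for e in q}
        if (ev.merchant not in alerted and len(q) > max_attempts
                and len(distinct) >= min_distinct_cards):
            alerted.add(ev.merchant)
            alerts.append({
                "merchant": ev.merchant,
                "window_start": q[0].ts.isoformat(),
                "attempts": len(q),
                "distinct_cards": len(distinct),
                "approved": sum(1 for e in q if e.result == "APPROVED"),
            })
    return alerts


def run_sample():
    """Apply the rule to the constructed log and return its alerts."""
    return merchant_velocity_alerts(parse_auth_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, only M-SHOP-01 is flagged: six attempts on six different tokens inside six seconds, four of them approved before the alert fires. M-SHOP-03 sees the same number of attempts in its window but from one card, which is what a shopper retrying a declined card looks like, so the distinct-card check keeps it quiet. Thresholds in production come from each merchant's historical volume, not from these assumed numbers.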
From lyger at attrition.org Sat Apr 19 13:59:25 2008
From: lyger at attrition.org (lyger)
Date: Sat, 19 Apr 2008 13:59:25 +0000 (UTC)
Subject: [Dataloss] 700,000 Hoosier ID's compromised in computer theft
Message-ID:

http://www.pal-item.com/apps/pbcs.dll/article?AID=/20080419/UPDATES/80419008

A computer server containing Social Security numbers and other personal information of 700,000 people was stolen last month from a Southside debt-collection bureau in what appears to be the largest computer security breach ever in Indiana.

The information includes customer-billing records for about 100 Indiana businesses, including Citizens Gas & Coke Utility, St. Vincent Health and Methodist Medical Group.

The exposed data was limited to past-due billing information that had been turned over for debt collection to the Central Collection Bureau, the agency announced Friday. Customers whose accounts were in good standing were not affected.

[...]

From hbrown at knology.net Sun Apr 20 00:15:21 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 19 Apr 2008 19:15:21 -0500
Subject: [Dataloss] Ma hospital missing handheld
Message-ID: <480A8B19.5010800@knology.net>

COMMENTARY...

why would a PDA, which according to this news story was used to collect and upload data daily have 384 patient records ??

and of course there is the minor issue of PDA going missing on March 12 and "patients" being notified on April 17

END OF COMMENTARY

http://www.telegram.com/article/20080419/NEWS/804190436/1116

HealthAlliance computer lost
By Lisa Eckelbecker
TELEGRAM & GAZETTE STAFF
leckelbecker at telegram.com

LEOMINSTER - The healthcare system Central New England HealthAlliance has sent letters to 384 patients notifying them that their personal information, including Social Security numbers and health insurance information, may be vulnerable because a hand-held computer used by a home health nurse is missing.
HealthAlliance, which has hospitals and offers services in North Central Massachusetts, knows of no misuse of information that was stored in the personal digital assistant, or PDA, but has reported the potential data breach to Leominster police, said Mary Lourdes Burke, a spokeswoman for HealthAlliance.

"We're still taking the necessary steps, in terms of investigating the incident, notifying the patients and (following) all the rules and regulations of the state in terms of notifying the proper authorities," Mrs. Burke said.

In a letter dated April 17 that was sent to HealthAlliance home health patients, HealthAlliance Director of Compliance and Corporate Privacy David J. Murray wrote that a home health nurse noticed her PDA was missing on or about March 12. Nurses use the PDAs to document care while they are visiting patients, then connect them to HealthAlliance computers at the end of the day to update electronic medical records, he wrote.

[...]

From lyger at attrition.org Sun Apr 20 14:47:44 2008
From: lyger at attrition.org (lyger)
Date: Sun, 20 Apr 2008 14:47:44 +0000 (UTC)
Subject: [Dataloss] SunGard: NMC student data at risk after theft
Message-ID:

http://www.record-eagle.com/local/local_story_111094330.html

Northwestern Michigan College officials are sending letters to about 1,600 past students whose personal information is at risk after a laptop computer was stolen in New York.

The computer was stolen March 13 from a school consultant working for SunGard Higher Education, which provides NMC's data management systems. The computer contained personal information on 1,611 people who attended NMC in 2003, including about 40 employees, college officials said.

[...]
From jericho at attrition.org Mon Apr 21 08:59:04 2008
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 21 Apr 2008 08:59:04 +0000 (UTC)
Subject: [Dataloss] We make it way too easy for those who steal identities
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.fresnobee.com/columnists/boren/story/538680.html

By Jim Boren
The Fresno Bee
04/20/08

No wonder identity theft is the fastest-growing crime. Our common sense hasn't caught up with our technology. We let anyone have our Social Security and driver's license numbers. We might as well leave our wallets on a store counter and walk away.

A thief with a computer can quickly empty our bank accounts. The bad guys consider our personal information better than cash. They can only spend cash once, but with our personal information, they can create false identities to open credit card and checking accounts. The next thing you know, they're buying boats in your name and you don't know it until the repo guy is at your door looking for the Chris Craft Corsair 36.

I once interviewed a Sherman Oaks woman who didn't know her identity had been stolen until she was called by a collection agency demanding money on an unpaid cell phone bill. In a panic, she got a copy of her credit report and found out that more than $300,000 in fraudulent charges had been made in her name.

[..]

From mhill at idtexperts.com Sun Apr 20 17:42:20 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Sun, 20 Apr 2008 13:42:20 -0400
Subject: [Dataloss] IN: Personal information belong to homeless veterans found in dumpster
Message-ID:

http://www.wishtv.com/Global/story.asp?S=8198185&nav=menu35_4

INDIANAPOLIS (WISH) - Hundreds of files containing medical histories and Social Security numbers were found in the trash on Indianapolis' east side. The records belong to homeless veterans. Some of the records date back to 2004 and 24-Hour News 8 found boxes of them in a dumpster.
For several weeks Helping Homeless Veterans and Families on the east side has been busy moving. Their new location is posted on the front door.

"We been moving here about the past month, we're still moving," Dr. Charles Haenlein said.

Haenlein is the President and CEO of Helping Homeless Veterans and Families, an organization that helps Homeless Veterans find shelter and work. He says they also try to protect their identity.

[...]

An anonymous tip sent 24-Hour News 8 dumpster diving. What we found in several boxes surprised us.

[...]

Inside each file there were veterans' names, birth dates, signatures and medical records. One file even had a copy of a veteran's driver's license.

[...]

Michael Hill
Certified Identity Theft Risk Management Specialist
404-216-3751

"If You Think You're Not At Risk, Think Again!"

NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email. This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination or distribution of this communication is prohibited. If you have received this communication in error, please notify the sender via return email and delete it completely from your email system. If you have printed a copy of the email, please destroy it immediately.
From lyger at attrition.org Tue Apr 22 02:03:28 2008
From: lyger at attrition.org (lyger)
Date: Tue, 22 Apr 2008 02:03:28 +0000 (UTC)
Subject: [Dataloss] IE: 10,000 bank account details stolen
Message-ID:

http://www.irishexaminer.com/irishexaminer/pages/story.aspx-qqqg=ireland-qqqm=ireland-qqqa=ireland-qqqid=60907-qqqx=1.asp

POTENTIALLY invaluable personal and account details of 10,000 Bank of Ireland customers, including passwords and medical histories, are missing.

Last night Data Protection Commissioner Billy Hawkes said the matter had been brought to his attention last Friday while the data - gathered by the bank's life assurance division and contained in four laptop computers - has been missing since last year.

Mr Hawkes said Bank of Ireland personnel had told his office that they became aware of the sensitive nature of what was contained in the stolen laptops last week.

[...]

From jericho at attrition.org Tue Apr 22 09:04:16 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 22 Apr 2008 09:04:16 +0000 (UTC)
Subject: [Dataloss] The new byword in infosecurity: Don't embarrass the boss
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.news.com/8301-10787_3-9924786-60.html

By Charles Cooper
Coop's Corner
News.com
April 21, 2008

Information security may be improving but embarrassing incidents involving data loss or identity theft at the Veterans' Administration and at TJX Companies, the operator of T.J. Maxx and Marshalls retail chains, suggest that the battle is a long way from victory.

Indeed, three-fourths of the information security professionals around the world surveyed by Frost & Sullivan say they now consider avoiding reputation damage to their organizations as a top priority.

That fits with the times.
Increasingly, companies are elevating the prevention of high-profile data security breaches to the level of a strategic goal, if not competitive weapon.

Here's where things are getting interesting. That new sensitivity to data loss has invited more high-level scrutiny from the business side into how IT maps out its cyberdefenses. In fact, the percentage of information security personnel reporting to executive management or boards of directors has climbed to 49 percent from 21 percent just four years ago.

[..]

From mhill at idtexperts.com Tue Apr 22 12:23:38 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Tue, 22 Apr 2008 08:23:38 -0400
Subject: [Dataloss] NC: LendingTree tells clients of breach
Message-ID:

http://www.charlotte.com/business/story/590991.html

Adding to a growing list of companies suffering data breaches, LendingTree notified mortgage customers Monday that some of their personal information may have been inappropriately accessed.

In a letter, the Charlotte-based company said that outside loan companies may have accessed the information, including Social Security numbers, between October 2006 and early 2008 and used it to market their own mortgages to LendingTree customers.

LendingTree would not say Monday when it learned of the incident or how many people were potentially affected. It sent e-mails to alert customers it believes may be at risk of having their information accessed.

The company said it does not believe the disclosure led to identity theft or fraudulent financial activity, but recommended customers check their credit reports for suspicious activity.

[..]

According to a Q&A sent to customers, "several former employees" may have shared confidential passwords with "a handful" of lenders that were not approved by the company.

[...]

The company has since enhanced its security system and also filed a civil fraud lawsuit Monday in Orange County, Calif., in connection with the incident, according to public records.
The suit names three California-based mortgage lenders, eight individuals and two other businesses as co-defendants.

[...]

Michael Hill
Certified Identity Theft Risk Management Specialist
404-216-3751

"If You Think You're Not At Risk, Think Again!"

From lyger at attrition.org Tue Apr 22 14:36:04 2008
From: lyger at attrition.org (lyger)
Date: Tue, 22 Apr 2008 14:36:04 +0000 (UTC)
Subject: [Dataloss] UK: Boots customer bank details taken
Message-ID:

http://news.bbc.co.uk/2/hi/uk_news/england/nottinghamshire/7360821.stm

Personal details of thousands of customers of Boots' dental plan have been stolen after a courier car was broken into in Bristol.

The information from Boots Dental Plan included customer bank account details, but officials claimed it was "highly unlikely" these could be accessed.

The details of 27,000 customers and 7,000 employees were stolen on 3 April.

[...]
From hbrown at knology.net Tue Apr 22 15:50:30 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 22 Apr 2008 10:50:30 -0500
Subject: [Dataloss] NY postal worker stealing & using credit cards
Message-ID: <480E0946.1010402@knology.net>

Sorta related question: would US Postal Service have any liability?

http://www.newsday.com/news/local/suffolk/ny-lipost225659376apr22,0,7641397.story

Cops arrest Smithtown postal worker
BY ANDREW SCHARFF
April 22, 2008

A Smithtown postal worker was arrested after he stole credit cards from the mail and went on a shopping spree, authorities said.

Paul Hank, 44, who has worked as a distribution clerk at the Smithtown Post Office for 15 years, used the cards to pay for clothing, meals at restaurants, computer equipment and power tools, Suffolk police said.

Police were tipped off when consumers notified credit card companies that their new cards were not arriving through the mail, said Det. Lt. Robert Edwards of the Fourth Squad.

The consumers didn't receive their new cards but they were getting bills with fraudulent charges on them, police said. Suffolk police used video surveillance from the retail stores where Hank, of Yaphank, shopped, Edwards said.

The purchases were made starting perhaps as long ago as December, police said.

Authorities arrested Hank after a two-month-long investigation conducted jointly by the Fourth and Sixth squads along with agents of the U.S. Postal Service Office of Inspector General.

[...]
From rforno at infowarrior.org Tue Apr 22 17:11:11 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 22 Apr 2008 13:11:11 -0400
Subject: [Dataloss] CRS Reports on Data Protection
Message-ID:

(c/o SecrecyNews)

"Information Security and Data Breach Notification Safeguards," updated April 3, 2008:
http://www.fas.org/sgp/crs/secrecy/RL34120.pdf

"Congressional Oversight of Intelligence: Current Structure and Alternatives," updated April 1, 2008:
http://www.fas.org/sgp/crs/intel/RL32525.pdf

"Data Mining and Homeland Security: An Overview," updated April 3, 2008:
http://www.fas.org/sgp/crs/homesec/RL31798.pdf

From tglassey at earthlink.net Tue Apr 22 17:25:47 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Tue, 22 Apr 2008 10:25:47 -0700
Subject: [Dataloss] NY postal worker stealing & using credit cards
References: <480E0946.1010402@knology.net>
Message-ID: <014901c8a49e$9b0c4600$6501a8c0@tsg1>

IANAL (I am NOT a lawyer) but the USPS is no longer a pure federal agency but rather a Corporation which is a fully owned subsidiary of the US Government per se. That means likely that Sovereign Immunity will prevent the employees themselves from being liable until they leave the employ of the Entity.

Todd Glassey

----- Original Message -----
From: "Henry Brown"
To:
Sent: Tuesday, April 22, 2008 8:50 AM
Subject: [Dataloss] NY postal worker stealing & using credit cards

> Sorta related question: would US Postal Service have any liability?
>
> http://www.newsday.com/news/local/suffolk/ny-lipost225659376apr22,0,7641397.story
>
> Cops arrest Smithtown postal worker
> BY ANDREW SCHARFF
> April 22, 2008
>
> A Smithtown postal worker was arrested after he stole credit cards from
> the mail and went on a shopping spree, authorities said.
>
> Paul Hank, 44, who has worked as a distribution clerk at the Smithtown
> Post Office for 15 years, used the cards to pay for clothing, meals at
> restaurants, computer equipment and power tools, Suffolk police said.
>
> Police were tipped off when consumers notified credit card companies
> that their new cards were not arriving through the mail, said Det. Lt.
> Robert Edwards of the Fourth Squad.
>
> The consumers didn't receive their new cards but they were getting bills
> with fraudulent charges on them, police said. Suffolk police used video
> surveillance from the retail stores where Hank, of Yaphank, shopped,
> Edwards said.
>
> The purchases were made starting perhaps as long ago as December, police
> said.
>
> Authorities arrested Hank after a two-month-long investigation conducted
> jointly by the Fourth and Sixth squads along with agents of the U.S.
> Postal Service Office of Inspector General.
>
> [...]

From jericho at attrition.org Tue Apr 22 18:05:02 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 22 Apr 2008 18:05:02 +0000 (UTC)
Subject: [Dataloss] (IN)SECURE Magazine Issue 16 released (fwd)
Message-ID:

Of interest, page 101 has an article titled "Payment card data: know your defense options" that may be of interest to the list.

http://www.net-security.org/dl/insecure/INSECURE-Mag-16.pdf

---------- Forwarded message ----------
From: Richard Forno

(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics. Issue 16 has just been released.
Download it from: http://www.insecuremag.com

The covered topics include:

- Security policy considerations for virtual worlds
- US political elections and cybercrime
- Using packet analysis for network troubleshooting
- The effectiveness of industry certifications
- Building a secure future: lessons learned from 2007's highest-profile security events
- Advanced social engineering and human exploitation, part 2
- Interview with Nitesh Dhanjani, Senior Manager at Ernst & Young
- Is your data safe? Secure your web apps
- RSA Conference 2008
- Producing secure software with security enhanced software development processes
- Network event analysis with Net/FSE
- Security risks for mobile computing on public WLANs: hotspot registration
- Black Hat Europe 2008 Briefings & Training
- A Japanese perspective on Software Configuration Management
- Windows log forensics: did you cover your tracks?
- Traditional vs. non-traditional database auditing
- Payment card data: know your defense options

Visit the (IN)SECURE Magazine web site at: http://www.insecuremag.com

Subscribe to our RSS feed at: http://feeds.feedburner.com/insecuremagazine

Thanks go to the following companies for their support of (IN)SECURE magazine:

Qualys - http://www.qualys.com/pci_compliance/se-g
GFI - http://www.gfi.com/adentry.asp?adv=62&loc=41

Contact:

- For information on contributing to (IN)SECURE Magazine, please contact Chief Editor Mirko Zorz at editor( at )insecuremag.com
- For marketing inquiries do contact Marketing Director Berislav Kucan at marketing( at )insecuremag.com

_______________________________________________
Infowarrior mailing list
Infowarrior at attrition.org
https://attrition.org/mailman/listinfo/infowarrior

From hbrown at knology.net Tue Apr 22 18:48:43 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 22 Apr 2008 13:48:43 -0500
Subject: [Dataloss] MORE users affected by the SunGard laptop theft
Message-ID: <480E330B.9090805@knology.net>

These from Binghamton University
http://www.bupipedream.com/pipeline_web/display_article.php?id=7938

Another security breach - this time following the theft of a laptop owned by the company which implements the Banner system - has exposed the names and Social Security numbers of over 130 individuals related to Binghamton University.

This weekend the University notified 11 students and about 120 applicants that their names and Social Security numbers were saved on a laptop belonging to an employee of SunGard Higher Education, which was stolen on March 13. The information was password protected, but not encrypted, and the laptop also contained similar information for about 3,400 Connecticut State University students and an undisclosed number of University at Buffalo students.

Although SunGard Higher Education, the company which offers consulting for Banner system users, notified the SUNY system about the theft on April 9, a BU spokeswoman declined to say what caused the nearly two-week delay in notifying students about the breach. A SUNY spokeswoman could not be reached for comment about the time lapse.

According to New York State law, any person or business who handles sensitive personal information, such as Social Security numbers, must disclose security breaches, but the law does not specify a time frame for the notification.

[...]

From lyger at attrition.org Tue Apr 22 19:25:21 2008
From: lyger at attrition.org (lyger)
Date: Tue, 22 Apr 2008 19:25:21 +0000 (UTC)
Subject: [Dataloss] Hannaford spending millions to upgrade after security breach
Message-ID:

http://ap.google.com/article/ALeqM5ic85268s4GzOT78ixJKz-vlSzxuwD90725C00

Hannaford Bros. Co. said Tuesday it is spending millions of dollars to enhance the security of its data network following a massive security breach that exposed up to 4.2 million credit and debit card numbers to fraud.

It was during the card approval process that customer accounts at grocery stores in the Northeast and Florida were compromised from Dec. 7 to March 10.
That exposure occurred even though the company met the latest standards for data security.

Company officials said Tuesday that the new measures include encryption of all card numbers during the entire time they are within the supermarket chain's data network. Hannaford also said it has installed a "24/7-managed security monitoring and detection service" from IBM to detect intrusions.

[...]

From jpole at jcpa.com Tue Apr 22 19:42:46 2008
From: jpole at jcpa.com (Jamie C. Pole)
Date: Tue, 22 Apr 2008 15:42:46 -0400
Subject: [Dataloss] Hannaford spending millions to upgrade after security breach
In-Reply-To:
References:
Message-ID:

Wow - I'm happy that AP saw fit to minimize the Hannaford incident by comparing it with TJX. I'm sure Hannaford's lawyers also appreciate that statement.

As far as Hannaford buying a "24/7-managed security monitoring and detection service" from IBM, I'm very happy for them, but I still want to know how a PCI-compliant environment was breached, and how the vendor that sold Hannaford its PCI compliance certificate is still selling product. Not 30 minutes ago, I got a blast-spam advertisement from Rapid7 regarding the very product that Hannaford was using. Why would I buy that product? Why would I recommend that product to a client?

How is the IBM monitoring solution going to prevent another breach? Is Hannaford still using the Rapid7 product? Is Hannaford still PCI-compliant? If so, HOW??? This incident graphically demonstrated that their PCI compliance certificate was bogus. Even if we believe that none of the systems involved in the breach were covered by PCI (which we don't), why didn't the PCI assessment identify those systems as being necessary? Why was credit card information accessible from systems that were not part of the PCI environment? How has Hannaford been processing credit card transactions since the incident?

Lots of questions...
Jamie

On Apr 22, 2008, at 3:25 PM, lyger wrote:

>
> http://ap.google.com/article/ALeqM5ic85268s4GzOT78ixJKz-vlSzxuwD90725C00
>
> Hannaford Bros. Co. said Tuesday it is spending millions of dollars to
> enhance the security of its data network following a massive security
> breach that exposed up to 4.2 million credit and debit card numbers to
> fraud.
>
> It was during the card approval process that customer accounts at
> grocery stores in the Northeast and Florida were compromised from Dec. 7
> to March 10. That exposure occurred even though the company met the
> latest standards for data security.
>
> Company officials said Tuesday that the new measures include encryption
> of all card numbers during the entire time they are within the
> supermarket chain's data network. Hannaford also said it has installed a
> "24/7-managed security monitoring and detection service" from IBM to
> detect intrusions.

From hbrown at knology.net Tue Apr 22 19:49:12 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 22 Apr 2008 14:49:12 -0500
Subject: [Dataloss] follow-up on the May 2006 VA dataloss
Message-ID: <480E4138.2080609@knology.net>

http://www.gsnmagazine.com/cms/features/columns/682.html

VA's proactive solution for data breach analysis
By Adair Martinez

Adair Martinez is Deputy Assistant Secretary for Information Protection & Risk Management at the U.S. Department of Veterans Affairs.

Following the May 2006 incident involving the theft of a U.S. Department of Veterans Affairs (VA) laptop computer, it was clear that we had a need for a formal process for evaluating and responding to data breach incidents. Using BMC Software's development tool, the VA has built an infrastructure to document privacy and security incidents via the enterprise deployment of applications such as the PVTS (Privacy Tracking System) and VA-NSOC (VA Network Security Operations Center).

The lack of a formalized, quantifiable risk evaluation of incidents was not efficient.
We did not have a system that prioritized, maximized or optimized VA resources in response to data breach incidents. In addition, communication channels between the local information security officer and privacy officer, NSOC and the national level were not well defined. The lack of a risk assessment process and incident handling coordination potentially reduced the timeliness and effectiveness of response actions by the VA.

In 2006, the VA began the process of developing a formal process to conduct risk assessments of privacy and security incidents that involve potential data breaches.

[...]

From tglassey at earthlink.net Tue Apr 22 20:11:59 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Tue, 22 Apr 2008 13:11:59 -0700
Subject: [Dataloss] Hannaford spending millions to upgrade after securitybreach
References:
Message-ID: <001f01c8a4b5$213ab2f0$0a01a8c0@tsg1>

If these new 'controls' don't meet the ones that Judge Grimm put in place in Lorraine v Markel then what will it matter?

todd glassey

----- Original Message -----
From: "lyger"
To:
Sent: Tuesday, April 22, 2008 12:25 PM
Subject: [Dataloss] Hannaford spending millions to upgrade after securitybreach

>
> http://ap.google.com/article/ALeqM5ic85268s4GzOT78ixJKz-vlSzxuwD90725C00
>
> Hannaford Bros. Co. said Tuesday it is spending millions of dollars to
> enhance the security of its data network following a massive security
> breach that exposed up to 4.2 million credit and debit card numbers to
> fraud.
>
> It was during the card approval process that customer accounts at grocery
> stores in the Northeast and Florida were compromised from Dec. 7 to March
> 10. That exposure occurred even though the company met the latest
> standards for data security.
>
> Company officials said Tuesday that the new measures include encryption of
> all card numbers during the entire time they are within the supermarket
> chain's data network.
> Hannaford also said it has installed a "24/7-managed
> security monitoring and detection service" from IBM to detect intrusions.
>
> [...]

From hbrown at knology.net Tue Apr 22 20:33:04 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 22 Apr 2008 15:33:04 -0500
Subject: [Dataloss] Child data breaches in UK
Message-ID: <480E4B80.7030008@knology.net>

From the Birmingham England Post:

http://tinyurl.com/5fuuze

94 child data 'security breaches'
Apr 22 2008

Almost 100 security breaches have been reported to the privacy watchdog since the child benefit data loss scandal, it has been revealed.

Information Commissioner Richard Thomas said he has been notified of 94 data breaches - two-thirds of which were committed by Government or other public sector bodies. The material included a wide range of personal details, including health records.

Fourteen losses have been reported by financial institutions since November's major gaffe by HM Revenue and Customs (HMRC), which mislaid computer discs carrying details of 25 million child benefit claimants.

Mr Thomas described the number of incidents as "alarming".

Of the total reported to the commissioner, 62 security breaches were in the public sector, 28 were in the private sector and four in the charity or third sector.

Of those reported by public sector bodies, almost a third happened in central Government and associated agencies, and a fifth in the NHS.

Mr Thomas said: "It is particularly disappointing that the HMRC breaches have not prevented other unacceptable security breaches from occurring.
"The Government, banks and other organisations need to regain the public's trust by being far more careful with people's personal information.

"Once again I urge business and public sector leaders to make data protection a priority in their organisation."

The HMRC scandal involved staff losing two computer discs in their internal mail which held the personal details of all families in the United Kingdom claiming child benefit. Information included dates of birth, National Insurance number, and bank details.

From jericho at attrition.org Wed Apr 23 05:22:49 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 23 Apr 2008 05:22:49 +0000 (UTC)
Subject: [Dataloss] LendingTree sues mortgage firms over security breach (fwd)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.news.com/8301-10784_3-9926007-7.html

By Elinor Mills
News Blog
News.com
April 22, 2008

LendingTree on Monday told customers that their sensitive information was leaked in a security breach and that it has sued three lending companies as a result.

Several former employees of LendingTree are believed to have taken company passwords and given them to a handful of lenders who then accessed LendingTree customer data files, the company said. The data includes customer names, Social Security numbers, addresses, e-mail addresses, telephone numbers, and income and employment information, but not credit card information, LendingTree said in an e-mail to customers and on a frequently-asked-questions page on its Web site.

The outside lenders are believed to have accessed LendingTree customer loan request forms between October 2006 and early 2008. The lenders then tried to market loans to the customers, LendingTree says.

LendingTree's internal security uncovered the security breach and the company quickly reported it to authorities and made several security system changes.
A LendingTree spokeswoman declined to say exactly when the breach occurred, when it was discovered, or how many customers were affected. [..] From hbrown at knology.net Wed Apr 23 11:03:50 2008 From: hbrown at knology.net (Henry Brown) Date: Wed, 23 Apr 2008 06:03:50 -0500 Subject: [Dataloss] a different kind of data breach from UCONN Message-ID: <480F1796.3040406@knology.net> http://www.wfsb.com/news/15949434/detail.html STORRS, Conn. -- A student bought a computer hard drive and discovered that it contains personal information about people with ties to the University of Connecticut. Ryan Green, a junior at UConn, bought the drive at the UConn Co-op for $200 and discovered it already contained information. "I opened it up and it wasn't blank, it was actually halfway full," Green said. Authorities continue to investigate to determine how the information got on the drive and how it might have been used. Green found about 10,000 private pictures, 10,000 Microsoft Word documents and even some sensitive personal information like credit cards and driver's licenses ... One of the people with their entire life on that drive included a UConn professor who asked to remain anonymous. The drive contained images of the professor's credit cards to a pilot's license to folders full of his tax records. The professor said he intentionally put much of the information on his computer for safekeeping while he was traveling outside the country. From lyger at attrition.org Wed Apr 23 11:49:54 2008 From: lyger at attrition.org (lyger) Date: Wed, 23 Apr 2008 11:49:54 +0000 (UTC) Subject: [Dataloss] TX: Social Security Numbers Exposed On Hospital Bills Message-ID: http://www.tylerpaper.com/article/20080423/NEWS09/804220345 Some 2,000 medical bills were mailed around East Texas last week with patients' Social Security numbers visible on the envelope after a technical glitch skewed billing at the collection agency used by the University of Texas Health Science Center at Tyler. 
Chief Operating Officer Rob Marshall at UTHSCT said the problem was quickly addressed and fixed, but his disappointment in collection agency CBE Group Inc. might not be repairable. "We're in negotiations ... I can't confirm or deny that we'll be with (CBE) in the future," he said Tuesday evening. "But we do have a different set of rules on handling issues like this and have already said how to safeguard this in the future." [...] From btober at ct.metrocast.net Wed Apr 23 12:12:56 2008 From: btober at ct.metrocast.net (btober at ct.metrocast.net) Date: Wed, 23 Apr 2008 08:12:56 -0400 Subject: [Dataloss] a different kind of data breach from UCONN In-Reply-To: <480F1796.3040406@knology.net> References: <480F1796.3040406@knology.net> Message-ID: <480F27C8.9090705@ct.metrocast.net> Henry Brown wrote: > A student bought a computer hard drive and discovered > that it contains personal information about people with ties to the > University of Connecticut. > ...a junior at UConn, bought the drive at the UConn Co-op > and discovered it already contained information. > All I can say is badblocks -t random /dev/hdb badblocks -t random /dev/hdb badblocks -t random /dev/hdb followed by judicious application of a sledgehammer. From mhill at idtexperts.com Wed Apr 23 14:43:51 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Wed, 23 Apr 2008 10:43:51 -0400 Subject: [Dataloss] CO: CollegeInvest Loses Customers' Personal Information Message-ID: <0374977F610244C6A96200F09849ED66@mkevhillpc> http://www.myfoxcolorado.com/myfox/pages/News/Detail?contentId=6367257&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1 CollegeInvest sent letters this week to customers who had personal information stored on a computer hard drive that disappeared during a move. CollegeInvest is the higher education financing resource organization operated by the Colorado Department of Higher Education. 
Officials of CollegeInvest say there is little risk of customers' personal information falling into the wrong hands because the data is password protected, and in a format that would be difficult to access. The hard drive contained information from some, but not all, CollegeInvest customers. The letters are going to all affected customers with information about what data is on the missing hard drive, and information about tools they can use to monitor their credit for unauthorized activity.

A press release says that CollegeInvest moved to a new office recently. The organization hired a relocation firm that offered specialists in moving computer equipment. CollegeInvest found the hard drive was missing when employees unpacked at the new location.

Michael Hill
Certified Identity Theft Risk Management Specialist
404-216-3751

From hbrown at knology.net Wed Apr 23 20:07:28 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 23 Apr 2008 15:07:28 -0500
Subject: [Dataloss] Chrysler Canadian Lease Customers data lost
Message-ID: <480F9700.1080806@knology.net>

From the Windsor Star
http://tinyurl.com/6j4n2q

Chrysler Financial customer data lost
Dave Hall
Windsor Star
Wednesday, April 23, 2008

A Windsor man is upset there was a six-week delay in notifying Chrysler Financial's Canadian lease customers about a lost data tape containing their personal information. Chris Jovanovic, who leases a car from Chrysler, said the company was notified by United Parcel Service about the lost tape on March 12, but a letter from Chrysler Financial dated March 27 didn't arrive in his mailbox until Monday. "It's the time frame of notification that's got me upset, because if the tape did fall into the wrong hands, they've had six weeks to access the information and do something with it," said Jovanovic.
In a letter to customers dated March 27, Chrysler Financial general counsel Brian Chillman said that the company was notified by UPS on March 12 that a data tape sent by Chrysler Financial to a third-party credit reporting agency had been destroyed or lost in transit and never arrived at the agency. "The data tape cannot be easily accessed and requires specialized software and equipment to read but it did contain some personal information that Chrysler Financial had obtained from you," said Chillman in his letter. Despite the tape not being readily accessible, Chillman said "as a precautionary measure, we are alerting you to this recent incident so that you may be watchful of any possible misuse of your personal information by an unauthorized recipient." This information includes names, addresses and social insurance numbers. The lost information affects Chrysler Financial lease customers across Canada.

[...]

From rchicker at etiolated.org Wed Apr 23 20:23:09 2008
From: rchicker at etiolated.org (rchick)
Date: Wed, 23 Apr 2008 16:23:09 -0400
Subject: [Dataloss] Hackers Breach System At UMass
Message-ID:

Apr 22, 2008
By Lesley Tanner
http://www.cbs3springfield.com/news/local/18021744.html

Hackers breached the computer system used by UMass Amherst's Health Services, potentially gaining access to thousands of medical records. More than half of the student population at UMass Amherst are patients on record at the University Health Services. "I've been here every time I've been sick this semester," says Freshman Brooke Quinn. "That's my doctor, it's where I go," says Senior Jennifer Scott. That's why university officials were so concerned when they found a security breach on the clinic's computer server. Though many of the most personal medical records are kept on paper files, officials say some personal information is available on the 150 computers used by the department. "What we're doing is going through as quickly as we can," says UMass Spokesperson Ed Blaguszewski.
"And we are making an assessment and can't say for sure that the material wasn't breached." "I think that it is scary that anybody on our campus could have our personal information and medical records," says Quinn. But it's not their on-campus classmates students need to worry about. Officials believe outside hackers wanted to use the server as a host for illegal music and video downloads, one that would make the culprits untraceable. "It wasn't a case from what we can tell of someone being in the office and breaking into a computer," says Blaguszewski. "These things are done remotely often times from countries all over the world." A fact that's even more unsettling for patients who were unaware of the breach more than a week after it occurred. The University did post a notice on the Health Services website, and say they are notifying patients when they enter the clinic. But we found one student on her way out who still didn't know. "I wasn't aware of it, and no one I know was aware of it," says Scott. "If it's that easy for someone who just wanted to get music who knows what would happen for someone who was trying to get confidential information." Campus officials say it will be weeks before they are completely sure what information, if any, was taken off the computers. They say the entire campus system is being looked at to avoid future breaches. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://attrition.org/pipermail/dataloss/attachments/20080423/7e20cf68/attachment.html From rchicker at etiolated.org Wed Apr 23 20:40:57 2008 From: rchicker at etiolated.org (rchick) Date: Wed, 23 Apr 2008 16:40:57 -0400 Subject: [Dataloss] SCSU security breach Message-ID: *SCSU security breach * By News Channel 8's Erin Cox Posted April 23, 2008 Updated 3:30 PM http://www.wtnh.com/Global/story.asp?S=8215997 New Haven (WTNH) _ Southern Connecticut State University is taking action Wednesday evening to prevent its students from becoming victims of identity theft. The move comes after a website with student and alumni information was found to be easily accessible to hackers. It seems to be a care free life as a college student, but some students at Southern are uneasy to learn their personal information could be floating out there because of the security breach. "I didn't even known about it until you brought it up," Shelrica McKenizie, a senior at Southern, said. "That's shocking to me." SCSU says records of about 11,000 students and alumni may have been compromised by hackers. These days, students turn over a lot of personal identity information to their schools. "Social, insurance, everything," Brandon Lee, a senior at Southern, noted. "So, it's kind of scary that someone out there could have my information." "It's all our information," Desiree Pacaud, a freshman at Southern, said. "It's unsettling especially financial aid information -- because it's not just my information, it's both my parents'. It appears that no financial information was accessed but Southern admits that social security numbers were vulnerable. However, the breach at Southern is prompting a warning to administrators at other state schools -- like Eastern, Western, Central and even UConn. The attorney general is telling them to make sure personal information is better protected. 
"There is a huge amount of confidential, financial and personal information that is submitted by the students," Attorney General Richard Blumenthal said. "Their parents and families, in these web servers, [are] potentially at risk if someone hacks into the system as they did at Southern. "I don't know what they don't have," Adam Nesteruk, a senior at Southern, said. "I think, honestly, they know pretty much everything about me and my family." A help desk has been established to respond to questions at (203) 392-7216 or you can visit www.southernct.edu/creditmonitoring -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20080423/9217b77b/attachment.html From rchicker at etiolated.org Thu Apr 24 12:58:33 2008 From: rchicker at etiolated.org (rchick) Date: Thu, 24 Apr 2008 08:58:33 -0400 Subject: [Dataloss] More colleges are scrambling due to SunGard Message-ID: Major College Software Vendor Puts Students at Many Campuses at Risk of Identity TheftThursday, April 24, 2008 http://chronicle.com/free/2008/04/2619n.htm At least 18 colleges are scrambling to inform tens of thousands of students they are at risk of having their identities stolen after SunGard, a leading software vendor, reported that a laptop owned by one of its consultants was stolen. The complete extent of the problem is still unknown, though many of the campuses that have been identified are in Connecticut and New York. The laptop contained students' names and Social Security numbers. In some cases, the exposed data also included financial aid information, e-mail addresses, birth dates, and driver-identification numbers. Now college officials are accusing SunGard of waiting too long?about one month?to inform them of the security breach. The Connecticut attorney general has opened an inquiry into the incident. And there are widespread concerns that SunGard may not be adequately protecting college data. 
SunGard Higher Education, the division of the company that employed the consultant, said it found out on March 13 that the laptop was stolen. Colleges said they weren't told of the theft until the second week of April. A spokeswoman for the company, Laura Kvinge, said that was not an undue delay, noting that the company needed to analyze backup data to determine the affected colleges before alerting them. SunGard has set up a Web page and a 24-hour toll-free telephone number to answer customers' questions about the incident, and has offered to pay for one year of credit monitoring for affected students. That has not mollified Richard Blumenthal, Connecticut's attorney general. "We are extremely troubled by the delay in alerting us about the breach in security," Mr. Blumenthal said in a telephone interview on Wednesday. "SunGard waited about a month, which is inexcusable." M. Jodi Rell, Connecticut's governor, in a written statement, also faulted SunGard for the delay.

[...]

From lyger at attrition.org Thu Apr 24 17:53:53 2008
From: lyger at attrition.org (lyger)
Date: Thu, 24 Apr 2008 17:53:53 +0000 (UTC)
Subject: [Dataloss] 'Significant security hole' found in Wisconsin database
Message-ID:

http://www.forbes.com/feeds/ap/2008/04/24/ap4929553.html

A computer program housing personal information about Wisconsin seniors and disabled people had a "significant security hole," a state health official overseeing the program said in an e-mail obtained by The Associated Press. In addition, a senior center volunteer in McFarland said he could see hundreds of files of people's private information from across the country in the system run by Virginia-based Harmony Information Systems.
The volunteer, who worked 41 years for the Wisconsin Department of Health and Family Services, is calling on the state to do a review to see whether there have been any security breaches.

[...]

The information is entered into an electronic record that includes the person's name and Social Security number.

[...]

From hbrown at knology.net Fri Apr 25 12:13:39 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 25 Apr 2008 07:13:39 -0500
Subject: [Dataloss] Canton NY store data breach
Message-ID: <4811CAF3.3080601@knology.net>

From WWNY TV Watertown NY
http://tinyurl.com/6kdvmk

Canton police are investigating the theft of thousands of dollars from local bank accounts in what is being described as a major identity theft ring. The trouble all started when someone apparently hacked into the Canton WiseBuys store computer system during a changeover between December 5 and December 20. The hacker obtained personal identification and banking numbers of hundreds of customers. Hundreds of complaints have been coming in almost daily to the police station since the thefts first began being discovered by cardholders in early March. Police say close to $100,000 was fraudulently taken in what police are describing as an "organized ring". Most of the illegal transactions were discovered when customers received their bank statements.

[...]

From rchicker at etiolated.org Fri Apr 25 13:35:26 2008
From: rchicker at etiolated.org (rchick)
Date: Fri, 25 Apr 2008 09:35:26 -0400
Subject: [Dataloss] Hong Kong officials lose personal data on 700 troubled children
Message-ID:

Apr 25, 2008, 10:25 GMT
http://news.monstersandcritics.com/health/news/article_1401863.php/Hong_Kong_officials_lose_personal_data_on_700_troubled_children

Hong Kong - Medical data on almost 700 Hong Kong children and teenagers with social and developmental problems have been lost, the territory's government admitted Friday.
The records were held on a memory card which was stolen from an unlocked room at a Child Assessment Centre in the city's Tuen Mun district, the government's Department of Health said. The lost data included detailed records of interviews with troubled youngsters including assessments and, in some cases, their photos, identity card numbers and addresses. Hong Kong's Deputy Director of Health Gloria Tam apologized to the families affected and said they should contact police if anyone suspicious approached them with their personal details. As the case involved personal privacy, the affected families should remain alert and report to the police if they were approached by suspicious people with their personal data, she said. 'We have reminded our staff about the absolute importance of office security and to strictly adhere to the government's security regulations,' she said in a statement. A government hotline has been set up to deal with calls from youngsters and family members concerned over the loss of the data, she added.

From rchicker at etiolated.org Fri Apr 25 23:27:13 2008
From: rchicker at etiolated.org (rchick)
Date: Fri, 25 Apr 2008 19:27:13 -0400
Subject: [Dataloss] 10,000 compromised at CU
Message-ID:

Computers with personal data of nearly 10,000 compromised at CU
http://www.9news.com/news/article.aspx?storyid=90632

BOULDER - The University of Colorado at Boulder announced Friday that three computers in the Division of Continuing Education and Professional Studies were compromised, leaving nearly 10,000 people open to potential identity theft. Bronson Hilliard, a spokesman for CU-Boulder, says one of the three computers had personal data, including names, Social Security numbers, addresses and grades, of about 9,000 students and about 500 instructors. "The university and I are deeply troubled that this compromise occurred despite efforts under way across campus to address computer security," stated Chancellor G.P. "Bud" Peterson in a news release.
"We will continue and strengthen our security efforts and hold our departments accountable for their success." Hilliard says they do not believe the data has been accessed, but CU is in the process of contacting the affected students and instructors by mail. Officials say students and instructors who were involved in the Division of Continuing Education and Professional Studies between 1997 and 2003 were affected. CU says a computer forensics firm has been hired to conduct an analysis. From rchicker at etiolated.org Sat Apr 26 02:02:34 2008 From: rchicker at etiolated.org (rchick) Date: Fri, 25 Apr 2008 22:02:34 -0400 Subject: [Dataloss] Baltimore State Hwy Administration employees exposed Message-ID: SHA Personal Information Exposed Accidentally April 25, 2008 BALTIMORE -- Sensitive personal information concerning 1,800 State Highway Administration employees, including names and Social Security numbers, was compromised last week, officials said. "We had an incident where an employee transferred personnel transaction data from a secure drive to a SHA shared drive," said SHA Deputy Administrator of Finance and I.T. Normetha Goodrum. An internal investigation found that the breach was done inadvertently and not with criminal intent. SHA said it is currently redacting Social Security numbers and will no longer keep them in personnel files. They said that personnel information will be password protected. Officials said they're still checking to see if the information has gone beyond the agency, but said they don't believe so. They sent letters and e-mails to those potentially impacted, including SHA field workers and former employees. Computer security expert Avi Rubin of Johns Hopkins University said he considers the internal data compromise serious and preventable. "I think it is even more important for organizations to look into encryption solutions so that when these things occur, somebody can only find encrypted data and it won't do them any good," he said. 
Security breaches of computer data have become a growing problem. State law mandates that businesses keep consumer data and report when it's lost or stolen. The state attorney general's office keeps track of them. So far this year, 64 companies have reported security breaches, officials said. They said that hackers sometimes get it, and in some cases, it's stolen out of employees' homes, cars or lockers. "They can open bank accounts, take out mortgages, establish a line of credit all in your name, then skip town," Rubin said. "We are taking it seriously, and we want to take every measure possible so that it does not happen again," Goodrum said. Computer experts said they are amazed that companies rarely do security sweeps or preventive maintenance. Rubin said that most react only after their information is compromised or breached.

From jericho at attrition.org Sat Apr 26 04:24:43 2008
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 26 Apr 2008 04:24:43 +0000 (UTC)
Subject: [Dataloss] Microsoft Security Intelligence Report V4
Message-ID:

[Pages 33-36 use Attrition's DLDOS for generating the statistics.
- jericho]

http://www.microsoft.com/downloads/details.aspx?FamilyId=BCC879DB-9FE6-4331-B231-E274EA8FC804&displaylang=en

This volume of the SIR focuses on the second half of the 2007 calendar year (from July through December) and builds upon the data published in the previously released volumes of the SIR. Using data derived from several hundred million Windows users, and some of the busiest online services on the Internet, this report provides an in-depth perspective on trends in software vulnerability disclosures as well as trends in the malicious and potentially unwanted software landscape, and an update on trends in software vulnerability exploits. The scope of this fourth volume of the report has been expanded to include a focus on privacy and breach notifications, and a look at Microsoft's work supporting law enforcement agencies worldwide in the fight against cyber criminals.

From chris at cwalsh.org Sat Apr 26 18:10:37 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Sat, 26 Apr 2008 13:10:37 -0500
Subject: [Dataloss] Followup: Tapes stolen containing patient info of 47,000
In-Reply-To:
References:
Message-ID: <7A8B0F00-B5CD-42E9-A92B-616AEADD0F1C@cwalsh.org>

According to http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=storage&articleId=9080322&taxonomyId=19&intsrc=kc_top , *financial* data for 47K is on the tapes, but *** 2,000,000 *** records were exposed.

According to a FAQ set up by the university (http://dataincident.miami.edu/faqs.htm ):

"The University will be notifying by mail the approximately 47,000 patients whose data included credit card or other financial information regarding bill payment."

I read this as saying that they could have lost everything about me that is in my medical record, including my name, address, diseases and treatments, prognosis, family medical history, and the like, but if the file didn't also have information on how I paid them, I do not get notified.
Some clarification would be useful. I find it hard to imagine that a large proportion of these records don't have a name, DOB, and SSN, for example, but it isn't clear from what the University has said whether they consider this "financial information regarding bill payment". On Apr 17, 2008, at 1:31 PM, rchick wrote: > > April. 17, 2008 > BY John Dorschner > http://www.miamiherald.com/news/breaking_dade/story/499492.html > > The confidential information of tens of thousands of University of > Miami patients was stolen last month when thieves took a case out of > a vehicle used by a private off-site storage company, UM said > Thursday morning > > '' Anyone who has been a patient of a University of Miami physician > or visited a UM facility since Jan. 1, 1999, is likely included on > the tapes,'' the university said in a news release. ``The data > included names, addresses, Social Security numbers or health > information. The university will be notifying by mail the 47,000 > patients whose data may have included credit card or other financial > information regarding bill payment.'' From adam at homeport.org Sat Apr 26 19:54:26 2008 From: adam at homeport.org (Adam Shostack) Date: Sat, 26 Apr 2008 15:54:26 -0400 Subject: [Dataloss] Followup: Tapes stolen containing patient info of 47, 000 In-Reply-To: <7A8B0F00-B5CD-42E9-A92B-616AEADD0F1C@cwalsh.org> References: <7A8B0F00-B5CD-42E9-A92B-616AEADD0F1C@cwalsh.org> Message-ID: <20080426195426.GC28219@homeport.org> I've been doing some digging. The "complex and proprietary format" seems to be IBM's Tivoli Storage Manager, which comes with crypto capabilities, and at least one IBM partner claims to be able to reconstruct the data from their tapes. 
Links & more: http://www.emergentchaos.com/archives/2008/04/university_of_miami_good.html Adam On Sat, Apr 26, 2008 at 01:10:37PM -0500, Chris Walsh wrote: | According to http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=storage&articleId=9080322&taxonomyId=19&intsrc=kc_top | , *financial* data for 47K is on the tapes, but *** 2,000,000 *** | records were exposed. | | Accorrding to a FAQ set up by the university (http://dataincident.miami.edu/faqs.htm | ): | | "The University will be notifying by mail the approximately 47,000 | patients whose data included credit card or other financial | information regarding bill payment." | | I read this as saying that they could have lost everything about me | that is in my medical record, including my name, address, diseases and | treatments, prognosis, family medical history, and the like, but if | the file didn't also have information on how I paid them, I do not get | notified. Some clarification would be useful. I find it hard to | imagine that a large proportion of these records don't have a name, | DOB, and SSN, for example, but it isn't clear from what the University | has said whether they consider this "financial information regarding | bill payment". | | | On Apr 17, 2008, at 1:31 PM, rchick wrote: | > | > April. 17, 2008 | > BY John Dorschner | > http://www.miamiherald.com/news/breaking_dade/story/499492.html | > | > The confidential information of tens of thousands of University of | > Miami patients was stolen last month when thieves took a case out of | > a vehicle used by a private off-site storage company, UM said | > Thursday morning | > | > '' Anyone who has been a patient of a University of Miami physician | > or visited a UM facility since Jan. 1, 1999, is likely included on | > the tapes,'' the university said in a news release. ``The data | > included names, addresses, Social Security numbers or health | > information. 
| > The university will be notifying by mail the 47,000
| > patients whose data may have included credit card or other financial
| > information regarding bill payment.''
|
| _______________________________________________
| Dataloss Mailing List (dataloss at attrition.org)
| http://attrition.org/dataloss
|
| Tenable Network Security offers data leakage and compliance monitoring
| solutions for large and small networks. Scan your network and monitor your
| traffic to find the data needing protection before it leaks out!
| http://www.tenablesecurity.com/products/compliance.shtml

From hbrown at knology.net Sun Apr 27 16:45:23 2008
From: hbrown at knology.net (Henry Brown)
Date: Sun, 27 Apr 2008 11:45:23 -0500
Subject: [Dataloss] laptop stolen in PA
Message-ID: <4814ADA3.2010507@knology.net>

http://www.wgal.com/news/16008321/detail.html

EAST HEMPFIELD TOWNSHIP, Pa. -- A laptop containing the social security numbers of patients and office staff was stolen recently from a doctor's office in East Hempfield Township, Lancaster County. East Hempfield Township police said someone stole the computer from an unlocked conference room inside the Physicians Alliance office building on Columbia Avenue last week. The theft has raised fears of identity theft. Police said they suspect whoever stole the laptop wanted the computer more than the information on it. Investigators also said the personal information is not easy to access. General Internal Medicine of Lancaster, located in the office building, sent a letter to patients to alert them of what happened. They told patients in the letter to keep an eye on credit card statements and file a fraud report.
From jericho at attrition.org Mon Apr 28 07:24:42 2008
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 28 Apr 2008 07:24:42 +0000 (UTC)
Subject: [Dataloss] Laptop security lapse at BoI shines a light on data safety
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.independent.ie/business/irish/laptop-security-lapse-at-boi-shines-a-light-on-data-safety-1359869.html

By Sharon Lynch
independent.ie
April 26 2008

LOSING a laptop can be attributed to just plain bad luck, two can be put down to carelessness, however, three and four would send anybody's alarm bells ringing. But this was not the case at Bank of Ireland earlier this week when it emerged that four laptops had been stolen from the institution's investment arm between June and October of last year. The bank said it was only told six weeks ago that three of its unencrypted laptops were stolen from cars and another from the branch. And when it emerged that the laptops had the personal data of 10,000 customers, which were only protected by a password system, a number of questions were raised about the safety of customer information as well as the regulation of security systems.

Weak

Owen O'Connor at Information Systems Security Association Ireland described the bank's IT security procedure as a "very weak'' level of protection. "If a laptop is unencrypted, a moderately skilled IT person will be able to access all information on the files," he said.

[..]

From lyger at attrition.org Mon Apr 28 11:33:25 2008
From: lyger at attrition.org (lyger)
Date: Mon, 28 Apr 2008 11:33:25 +0000 (UTC)
Subject: [Dataloss] IE: (update) 30,000 bank customers affected by data theft
Message-ID:

http://www.rte.ie/news/2008/0428/boi.html

The number of Bank of Ireland customers affected by the theft of laptops last year has risen to over 30,000, RTÉ News has learned.
Following further investigations by the bank, it has emerged that details of more customers were on the four missing laptops than previously thought. Last week, the bank said that medical records, bank account details, names, addresses and dates of birth of 10,000 customers were on the laptops.

[...]

From rchicker at etiolated.org Mon Apr 28 18:26:08 2008
From: rchicker at etiolated.org (rchick)
Date: Mon, 28 Apr 2008 14:26:08 -0400
Subject: [Dataloss] Accountant firm reports stolen laptop - four clients involved
Message-ID:

April 24, 2008
http://www.theworldlink.com/articles/2008/04/24/news/doc4810bce97af34074884341.txt

NORTH BEND - The theft of a laptop computer owned by a local accounting firm has made nearly 500 employees of Coos County and private organizations concerned about identity theft. County officials worry the data may have contained employees' names, Social Security numbers and other personal information, which had been used in recent audits performed by Hough, MacAdam & Wartnik LLC of North Bend. Although there have been no known reports of identity theft from any of the 482 employees notified, the computer has not been found and, according to a letter from the firm, thieves sometimes hold victims' information for later use. According to a Coos Bay Police press log, at approximately 7:28 a.m. on March 5, officers received a report of a woman flagging down Officer Tony Wetmore, identified as 122 in the log, near Coos Bay City Hall. Crystal Albiar, 30, told Wetmore a laptop computer had been stolen from a vehicle, which, Wetmore said, belonged to Albiar. The victim is listed on the press log as Hough, MacAdam & Wartnik; Albiar is a senior accountant at the firm. Later that day, a letter from the company was sent to clients stating that a "serious data security incident" may have involved clients' personal information. "During the night of Tuesday, March 4, 2008, a notebook computer was stolen from a locked vehicle.
The notebook's hard drive may have contained your name, Social Security number, and other personal information," the letter stated. "We have notified law enforcement about this incident. This notification included a general report alerting them to the fact that the incident occurred. However, we have not notified them about the presence of your specific information in the data breach."

The letter went on to tell recipients to take preventative measures to avert and detect any misuse of information. These steps included closely monitoring financial accounts; contacting financial institutions if unauthorized activity was detected; and placing a fraud alert on credit files.

[...]

Via an e-mail correspondence with The World, Shirley MacAdam said the March 5 letters were sent to the 482 employees of four clients, only one of which was a public agency. She demurred from identifying the clients involved, but further investigation revealed the County and South Coast Hospice & Palliative Care in Coos Bay are among the four.

[...]

From hbrown at knology.net Tue Apr 29 18:23:56 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 29 Apr 2008 13:23:56 -0500
Subject: [Dataloss] the cost(s) for an ID thief
Message-ID: <481767BC.5010203@knology.net>

http://www.slate.com/id/2189902/

Credit Card Numbers for Sale
How much does a Visa or MasterCard number go for these days?
By Jacob Leibenluft
Posted Thursday, April 24, 2008, at 6:18 PM ET

Security experts at the InfoSecurity Europe conference are drawing attention to "data supermarkets" that sell stolen credit card numbers for a fixed price. According to a BBC story, "credit card details are cheap" on the black market while "the logfiles of big companies can go for up to $300." How much is my credit card number worth on the Internet?

As little as a few cents. Reliable statistics about data theft are notoriously hard to come by, and reports of cheap cards for sale are nothing new.
Researchers who track the Internet Relay Chat servers where this sort of business is often done, however, are reporting that the lowest advertised prices of credit card numbers have been falling during the past two years. Symantec, a firm that sells security software to both consumers and businesses, reported earlier this month that credit card numbers were now selling for anywhere between 40 cents and $20. (Credit cards from Europe or smaller card companies typically cost up to twice as much as standard-issue American numbers, presumably due to their relative scarcity within the market.) By comparison, Symantec researchers found bank account numbers going for anywhere from $10 to $1,000, and "full identities", which include date of birth, address, and social security and telephone numbers, selling for between $1 and $15 a pop.

[...]

From hbrown at knology.net Wed Apr 30 12:13:43 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 30 Apr 2008 07:13:43 -0500
Subject: [Dataloss] A reason for UCLA medical record(s) breach
Message-ID: <48186277.6030706@knology.net>

PERSONAL OPINION
The dates of the recent major breaches don't seem to match with the accused seller's time of employment; PERHAPS an effort at public relations by UCLA Medical Center.
End of PERSONAL OPINION

http://www.msnbc.msn.com/id/24372993/

LOS ANGELES - A former UCLA Medical Center employee was indicted on charges that she accessed the records of dozens of high-profile patients and sold the information to a media outlet, prosecutors said Tuesday.

The indictment follows revelations of privacy breaches involving at least 61 patients at the University of California, Los Angeles' hospitals, including actress Farrah Fawcett, singer Britney Spears and California first lady Maria Shriver.

[...]
