From jericho at attrition.org Fri Aug 1 09:46:43 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 1 Aug 2008 09:46:43 +0000 (UTC)
Subject: [Dataloss] fringe: Data Breach Fallout: Do CISOs Need Legal Protection?
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.csoonline.com/article/440108/Data_Breach_Fallout_Do_CISOs_Need_Legal_Protection_

By Bill Brenner
Senior Editor
CSO Online
July 30, 2008

In the wake of a data breach, the company's top brass may go looking for someone to blame. If you are the security chief, chances are it's going to be you.

It doesn't matter that you warned executives repeatedly that certain technological or cultural flaws were putting the company at risk, or that you had to maintain security with a shoestring budget and little or no staff. Chances are you'll take the fall whether you deserve it or not, says George Moraetes, a Chicago-based security contractor and executive board advisor for security event management firm IdentityLogix. He has watched as some of his CSO acquaintances were blamed for a security failure or dismissed for trying to blow the whistle over the company's security holes.

"One friend of mine, the CISO of a credit bureau, blew the whistle on a security auditor who wasn't following best practices and was making reporting discrepancies," says Moraetes, an independent consultant. "The auditor was a friend of the top brass, and the CISO was let go. I know of three others in Georgia who were fired or demoted for similar reasons."

[...]

From rforno at infowarrior.org Fri Aug 1 14:38:38 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 1 Aug 2008 10:38:38 -0400
Subject: [Dataloss] RD on USG laptop insecurity
Message-ID:

When even Readers' Digest starts to talk about the USG losing laptops......you know we have a problem!

Outrageous! Government Carelessness
The government keeps losing laptop computers containing its citizens' most personal information.
By Michael Crowley

http://tinyurl.com/5acxrk

From hbrown at knology.net Fri Aug 1 15:17:17 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 01 Aug 2008 10:17:17 -0500
Subject: [Dataloss] bank robbing computer hackers caught in Hungary
Message-ID: <489328FD.5080408@knology.net>

Below link provides a DIRECT link to the Hungarian News Source
http://www.infosecnews.org/hypermail/0807/15152.html

Hungarian customs zeroes in on bank-robbing computer hackers

The Hungarian Customs and Finance Guard has recovered or accounted for some USD 1.5m stolen from a foreign financial institution in an attack by hackers as the money was laundered by a ring that included Hungarian citizens, the guard told MTI on Wednesday.

The money launderers transferred the money to bank accounts in Hungary and the accounts of off-shore companies. In the course of the investigation, they withdrew more than HUF 70m - or USD 500,000 - of the money in cash, the guard said.

The guard issued arrest warrants for three Hungarian citizens as a result of the investigation.

From hbrown at knology.net Fri Aug 1 18:54:53 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 01 Aug 2008 13:54:53 -0500
Subject: [Dataloss] US Government Computer stolen with PII data
Message-ID: <48935BFD.9030005@knology.net>

From the Knoxville News..
http://tinyurl.com/5pbzq5

Inspector says TVA's computer tracking policy inadequate
By Larisa Brass

[...]

The TVA Inspector General office reports that the agency's policies for tracking its computers are inadequate, and in "at least" one case, a stolen computer contained employee social security numbers.

According to the IG, since TVA rolled out an inventory system for its computers in August 2004, called the HP Service Desk, TVA has been unable to track over 5,550 computers.

"The inability to adequately track, as well as the lack of encryption, on these computers increases the risk for the disclosure of sensitive or restricted information," the report stated.
In addition, it said, the policies for handling and reporting stolen computers were not consistently followed. According to the IG, a computer stolen from TVA contained "personally identifiable information" - employee social security numbers.

TVA spokesman Jim Allen said that more than 3,000 of the 5,500 missing computers had now been accounted for and TVA's inventory tracking system has been tightened.

[...]

From hbrown at knology.net Fri Aug 1 19:16:40 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 01 Aug 2008 14:16:40 -0500
Subject: [Dataloss] laptop stolen in FL
Message-ID: <48936118.3060002@knology.net>

From MD Attorney General's Office
http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU-153870.pdf

June 18, 2008

[...]

I am writing to give you notice of a lost laptop involving Phase 3, a business unit of my client Sun Gard Data Systems Inc. ("SunGard"). On May 11, 2008 an employee of Phase3 which processes trade data for retail/institutional brokerage firms, left a bag containing a laptop in a taxi at the Ft. Lauderdale-Hollywood International Airport. The laptop contained data belonging to Newedge USA, LLC ("Newedge"), a Phase3 client. SunGard notified and worked closely with law enforcement to locate the laptop, but the laptop, which was password-protected, has not been recovered. Neither Phase3 nor Newedge have any indication that any unauthorized person has accessed the laptop, nor of any misuse of information on the laptop.

Phase3, in coordination with experts it retained for this purpose and Newedge forensic experts, has conducted a review of information believed to have been on the laptop. This review has established that it may have contained personal information of approximately 350 residents of your state. The forensic review indicates that the information included names, Social Security Numbers, as well as, in some instances, other information such as date of birth, home address and telephone number

[...]
From hbrown at knology.net Fri Aug 1 19:39:45 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 01 Aug 2008 14:39:45 -0500
Subject: [Dataloss] dumpster diving in OH
Message-ID: <48936681.9020504@knology.net>

From the KY Post. ( http://www.kypost.com/default.aspx )
http://tinyurl.com/638gqv

Detectives in Warren County are trying to track down a financial consultant who dumped thousands of records belonging to his clients in dumpsters.

The records found in the Harbor Watch neighborhood off Socialville-Foster Road in Deerfield Township contain information that would be an identity thief's dream.

Sheriff's investigators spent Thursday going through more than twenty boxes of files that contain social security numbers, addresses, phone numbers and driver's license information.

[...]

From arshad.noor at strongauth.com Fri Aug 1 20:08:48 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Fri, 1 Aug 2008 16:08:48 -0400 (EDT)
Subject: [Dataloss] Suggestion for changing status quo on data losses
In-Reply-To:
Message-ID: <29058542.1421217621328280.JavaMail.root@gw.noorhome.net>

In light of the exemplary work the people behind this listserv do, and the educational service they provide, I would like to suggest taking this a step further so we can stem this deluge of data losses we are subjected to every day.

I propose that attrition.org make up a dedicated list of every US Senator and Congressman, and email them every single data-loss announcement.

It is my sincere belief that US-based politicians have their heads in the sand about the gravity of this problem, as do most people on the street. However, the media is also to blame. (I live in Silicon Valley and I do not recall seeing any news item about the 80-million birthdates exposed by Facebook or the password breaches at the iTunes web site in the newspaper here; but for this and another forum, even I would be clue-less).
However, if this listserv notifies every US Senator & Congress person about every breach that we see, then they/their staffers can hardly claim they didn't realize how bad the situation is. The once a year report put out by the FTC is good for soundbites, but the daily reports of the losses ought to shake them up. If not, I suggest letting them know with your vote this November. (I intend to).

Arshad Noor
StrongAuth, Inc.

From jericho at attrition.org Fri Aug 1 20:48:15 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 1 Aug 2008 20:48:15 +0000 (UTC)
Subject: [Dataloss] Suggestion for changing status quo on data losses
In-Reply-To: <29058542.1421217621328280.JavaMail.root@gw.noorhome.net>
References: <29058542.1421217621328280.JavaMail.root@gw.noorhome.net>
Message-ID:

: In light of the exemplary work the people behind this listserv do, and
: the educational service they provide, I would like to suggest taking
: this a step further so we can stem this deluge of data losses we are
: subjected to every day.

While we certainly appreciate the compliments and like to think we do good work, please remember that we're volunteers and do this in our spare time. There is also a big difference between 'hobbyists' and 'lobbyists'.

: I propose that attrition.org make up a dedicated list of every US
: Senator and Congressman, and email them every single data-loss
: announcement.

The list of Congress critters and their e-mail addresses is easy to get, there would be no need for us to maintain or research such a list.

http://www.senate.gov/general/contact_information/senators_cfm.cfm
http://www.webslingerz.com/jhoffman/congress-email.html

: However, if this listserv notifies every US Senator & Congress person
: about every breach that we see, then they/their staffers can hardly
: claim they didn't realize how bad the situation is. The once a year
: report put out by the FTC is good for soundbites, but the daily reports
: of the losses ought to shake them up.
: If not, I suggest letting them
: know with your vote this November. (I intend to).

Voluntarily subscribing every Congress person to our mail list would violate the spirit of attrition.org and move dangerously close to the world of unsolicited spam. While the mails would be related to current issues and just the type of thing you write your representation about, flooding them with this list and the discussions that occur would likely piss them off, not endear them to caring about dataloss issues.

In my opinion, to do this correctly would involve someone drafting a well-written form letter that list subscribers could use to send to their own representative. One page, cite the issue, quote some statistics, say it affects them (faster way to make them care) and then to 'fix it'. Of course, 'fixing it' is generally a myth as there isn't a simple to implement solution to stop dataloss.

Again, thank you for the praise, but please remember that we're stretched thin between attrition.org, datalossdb.org and osvdb.org and those pesky day jobs and significant others. It would be extremely helpful if more people would spend fifteen minutes a week updating those sites with us, or contributing to new ideas like this one.

Jericho
attrition.org staff

From adam at homeport.org Fri Aug 1 21:01:42 2008
From: adam at homeport.org (Adam Shostack)
Date: Fri, 1 Aug 2008 17:01:42 -0400
Subject: [Dataloss] Suggestion for changing status quo on data losses
In-Reply-To:
References: <29058542.1421217621328280.JavaMail.root@gw.noorhome.net>
Message-ID: <20080801210142.GD9065@homeport.org>

Two very quick comments about this idea:

1) When approaching Congress, it's useful to have some idea what you want them to do. Getting consensus around this is difficult.

2) King Log, King Stork.
Adam

On Fri, Aug 01, 2008 at 08:48:15PM +0000, security curmudgeon wrote:
|
| : In light of the exemplary work the people behind this listserv do, and
| : the educational service they provide, I would like to suggest taking
| : this a step further so we can stem this deluge of data losses we are
| : subjected to every day.
|
| While we certainly appreciate the compliments and like to think we do good
| work, please remember that we're volunteers and do this in our spare time.
| There is also a big difference between 'hobbyists' and 'lobbyists'.
|
| : I propose that attrition.org make up a dedicated list of every US
| : Senator and Congressman, and email them every single data-loss
| : announcement.
|
| The list of Congress critters and their e-mail addresses is easy to get,
| there would be no need for us to maintain or research such a list.
|
| http://www.senate.gov/general/contact_information/senators_cfm.cfm
| http://www.webslingerz.com/jhoffman/congress-email.html
|
| : However, if this listserv notifies every US Senator & Congress person
| : about every breach that we see, then they/their staffers can hardly
| : claim they didn't realize how bad the situation is. The once a year
| : report put out by the FTC is good for soundbites, but the daily reports
| : of the losses ought to shake them up. If not, I suggest letting them
| : know with your vote this November. (I intend to).
|
| Voluntarily subscribing every Congress person to our mail list would
| violate the spirit of attrition.org and move dangerously close to the
| world of unsolicited spam. While the mails would be related to current
| issues and just the type of thing you write your representation about,
| flooding them with this list and the discussions that occur would likely
| piss them off, not endear them to caring about dataloss issues.
|
| In my opinion, to do this correctly would involve someone drafting a
| well-written form letter that list subscribers could use to send to their
| own representative. One page, cite the issue, quote some statistics, say
| it affects them (faster way to make them care) and then to 'fix it'. Of
| course, 'fixing it' is generally a myth as there isn't a simple to
| implement solution to stop dataloss.
|
| Again, thank you for the praise, but please remember that we're stretched
| thin between attrition.org, datalossdb.org and osvdb.org and those pesky
| day jobs and significant others. It would be extremely helpful if more
| people would spend fifteen minutes a week updating those sites with us, or
| contributing to new ideas like this one.
|
| Jericho
| attrition.org staff
|
| _______________________________________________
| Dataloss Mailing List (dataloss at attrition.org)
| http://attrition.org/dataloss
|
| Tenable Network Security offers data leakage and compliance monitoring
| solutions for large and small networks. Scan your network and monitor your
| traffic to find the data needing protection before it leaks out!
| http://www.tenablesecurity.com/products/compliance.shtml

From SSteele at infolocktech.com Fri Aug 1 21:06:44 2008
From: SSteele at infolocktech.com (Sean Steele)
Date: Fri, 1 Aug 2008 17:06:44 -0400
Subject: [Dataloss] Suggestion for changing status quo on data losses
In-Reply-To: <29058542.1421217621328280.JavaMail.root@gw.noorhome.net>
References: <29058542.1421217621328280.JavaMail.root@gw.noorhome.net>
Message-ID: <50EE0FBAE567774C8E244E1C7D4C2B87318C9F@MAIL032.mail.lan>

Arshad,

I believe the plan/advice/activism you outline below is done in earnest but it strikes me as hopelessly naive (and I don't mean that in a pejorative way). I live and work in Washington, DC and this is my take...

For starters, what's our goal beyond acting to "shake [legislators] up"?
The only concrete action that a legislator can conduct is to either create, contribute to, or vote on policy/law/legislation. Are we seeking more legislation? What sort of legislation and to what end? What new act(s) of Congress will affect data protection and data stewardship beyond the collective GLBA/HIPAA/SOX/FISMA/etc. we already have in place? Should we move to legislate the provisions of PCI-DSS (a set of industry regulations for the payment card industry), for example?

My guess is we have enough compliance requirements already, but we haven't properly ENFORCED them with the Executive Branch (the White House and its executive agencies like DOJ, FBI, DHHS, DHS, DOC, etc.). Enforcement should and can come through either the "carrot" (financial incentives for no data breaches, etc.) or the "stick" (criminal penalties, civil fines, suspension of business operations, etc.)

I believe this past month we saw the first instance of the US Dept. of Health & Human Services (DHHS), Office of Civil Rights (OCR), the HIPAA security enforcement office, actually levying fines and penalties for a HIPAA security violation that amounted to at least $100,000: http://www.healthcareitnews.com/story.cms?id=9610&page=1. This is in the more than 3 years since most covered entities became fully subject to HIPAA security compliance requirements.

With all this said, it can't hurt. I just don't think Congress is where we want to be lobbying -- we should wait for the new Administration and direct our efforts squarely at the enforcement agencies, auditors, and "watchdogs".

Best,

--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
703.504.9000 x219 direct
202.270.8672 mobile
ssteele at infolocktech.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Arshad Noor
Sent: Friday, August 01, 2008 4:09 PM
To: dataloss at attrition.org
Subject: [Dataloss] Suggestion for changing status quo on data losses

In light of the exemplary work the people behind this listserv do, and the educational service they provide, I would like to suggest taking this a step further so we can stem this deluge of data losses we are subjected to every day.

I propose that attrition.org make up a dedicated list of every US Senator and Congressman, and email them every single data-loss announcement.

It is my sincere belief that US-based politicians have their heads in the sand about the gravity of this problem, as do most people on the street. However, the media is also to blame. (I live in Silicon Valley and I do not recall seeing any news item about the 80-million birthdates exposed by Facebook or the password breaches at the iTunes web site in the newspaper here; but for this and another forum, even I would be clue-less).

However, if this listserv notifies every US Senator & Congress person about every breach that we see, then they/their staffers can hardly claim they didn't realize how bad the situation is. The once a year report put out by the FTC is good for soundbites, but the daily reports of the losses ought to shake them up. If not, I suggest letting them know with your vote this November. (I intend to).

Arshad Noor
StrongAuth, Inc.

From jericho at attrition.org Fri Aug 1 21:13:25 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 1 Aug 2008 21:13:25 +0000 (UTC)
Subject: [Dataloss] fringe: LEAHY CYBER CRIME MEASURE
Message-ID:

---------- Forwarded message ----------
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"

Is this good, or bad?

Leahy introduced the Identity Theft Enforcement and Restitution Act last October. On Wednesday, the Senate amended a House-passed bill to extend Secret Service protection to former vice presidents to include the Leahy-Specter cyber crime bill. The legislation (H.R. 5938) as amended will now return to the House for consideration.

If enacted, the Identity Theft Enforcement and Restitution Act that amended H.R. 5938 would:

- Give victims of identity theft the ability to seek restitution for the loss of time and money spent restoring credit and remedying the harms of identity theft;

- Ensure that identity thieves who impersonate businesses in order to steal sensitive personal data can be prosecuted under federal identity theft laws. Current law only provides for prosecution of identity theft perpetrated against an individual.

- Enable prosecution of those who steal personal information from a computer even when the victim's computer is located in the same state as the thief's computer. Under current law, federal courts only have jurisdiction if the thief uses an interstate communication to access the victim's computer.

- Eliminate the requirement that damage to a victim's computer exceed $5,000 before charges can be brought for unauthorized access to a computer. The provision protects innocent actors while punishing violations resulting in less than $5,000 in damage as misdemeanors.
- Make it a felony to employ spyware or keyloggers to damage ten or more computers regardless of the aggregate amount of damage caused, ensuring that the most egregious identity thieves will not escape with a minimal, or no, sentence.

- Make it a crime to threaten to steal or release information from a computer. Current law only permits the prosecution of those who seek to extort companies or government agencies by explicitly threatening to shut down or damage a computer. Violators of this provision are subject to a criminal fine and up to five years in prison.

- Add the remedies of civil and criminal forfeiture to the arsenal of tools available to federal prosecutors to combat cyber crime.

- Mandate that the U.S. Sentencing Commission review and update its guidelines for identity theft and other cyber crime offenses.

(In general, this sounds OK, but I have come to fear odd side-effects of these last minute bill amendments ...)

From lyger at attrition.org Fri Aug 1 21:31:08 2008
From: lyger at attrition.org (lyger)
Date: Fri, 1 Aug 2008 21:31:08 +0000 (UTC)
Subject: [Dataloss] Suggestion for changing status quo on data losses
In-Reply-To:
References: <29058542.1421217621328280.JavaMail.root@gw.noorhome.net>
Message-ID:

On Fri, 1 Aug 2008, security curmudgeon wrote:

": " : In light of the exemplary work the people behind this listserv do, and
": " : the educational service they provide, I would like to suggest taking
": " : this a step further so we can stem this deluge of data losses we are
": " : subjected to every day.
": "
": " While we certainly appreciate the compliments and like to think we do good
": " work, please remember that we're volunteers and do this in our spare time.
": " There is also a big difference between 'hobbyists' and 'lobbyists'.

I'd also like to thank Arshad for the compliments, but agree with Jericho on this one. We're simply not in a position to spend any additional time on these resources.
I would like to point out (for those who may have missed it or forgotten) that we do plan to migrate attrition.org's data loss resources (mail list, web site, and RSS feed) completely to DataLossDB.org in the coming weeks. With a little help, we hope it will be a seamless transition.

": " Again, thank you for the praise, but please remember that we're stretched
": " thin between attrition.org, datalossdb.org and osvdb.org and those pesky
": " day jobs and significant others. It would be extremely helpful if more
": " people would spend fifteen minutes a week updating those sites with us, or
": " contributing to new ideas like this one.
": "
": " Jericho
": " attrition.org staff

I think it's OK to disclose that the Data Loss Mail list has a little over 1500 subscribers as of this email. If even half of the list could contribute those 15 minutes a week to the sites mentioned above or other data loss resources or projects, that would be almost another 200 hours *a week* spent on these issues. How cool would that be?

Lyger
the other guy

From lyger at attrition.org Fri Aug 1 22:15:32 2008
From: lyger at attrition.org (lyger)
Date: Fri, 1 Aug 2008 22:15:32 +0000 (UTC)
Subject: [Dataloss] OH: Delphi workers' personal information on missing flash drive
Message-ID:

http://www.daytondailynews.com/n/content/oh/story/news/local/2008/08/01/ddn080108delphiweb.html

A flash drive with Social Security numbers and other personal information from 2,600 former Dayton-area Delphi workers was removed from the unattended laptop of a state employee and is missing.

Helen Jones-Kelley, director of the Job and Family Services department, said on Friday, Aug. 1, that letters have been sent to all those affected. The incident occurred on July 25 in Lebanon, Jones-Kelley said.

The drive included the names, addresses, telephone numbers as well as the Social Security numbers of the workers.

[...]
From cwalsh at cwalsh.org Fri Aug 1 23:54:07 2008
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 1 Aug 2008 18:54:07 -0500
Subject: [Dataloss] RD on USG laptop insecurity
In-Reply-To:
References:
Message-ID: <984FBC2B-00C2-406B-9A59-0DD1314E08D8@cwalsh.org>

I haven't read the article, but do they suggest that Matlock be brought in to investigate? :^)

cw

On Aug 1, 2008, at 9:38 AM, Richard Forno wrote:

>
> When even Readers' Digest starts to talk about the USG losing
> laptops......you know we have a problem!
>
> Outrageous! Government Carelessness
> The government keeps losing laptop computers containing its citizens'
> most personal information.
> By Michael Crowley
>
> http://tinyurl.com/5acxrk

From macwheel99 at wowway.com Sat Aug 2 01:32:45 2008
From: macwheel99 at wowway.com (macwheel99 at wowway.com)
Date: Fri, 1 Aug 2008 20:32:45 -0500
Subject: [Dataloss] RD on USG laptop insecurity
In-Reply-To: <984FBC2B-00C2-406B-9A59-0DD1314E08D8@cwalsh.org>
References: <984FBC2B-00C2-406B-9A59-0DD1314E08D8@cwalsh.org>
Message-ID: <20080802012610.M11116@wowway.com>

I have read the article ... it is a digest of what we all should know. With relevance to another thread on the notion that elected officials need to be informed on this (they already know all about it, but sometimes pretend to be surprised, because of the need to get re-elected).

From the article:

[..]

But the computer lost in Alabama wasn't encrypted. Neither was a laptop stolen from the car trunk of a researcher at the National Institutes of Health in February. That laptop had detailed information -- names, birth dates, medical histories -- on 2,500 patients enrolled in a federal medical study. (In a twist you couldn't make up, one of them was Texas Congressman Joe Barton, who also happens to be the founder of the Congressional Privacy Caucus. "I was stunned," Barton said.)

[..]

Despite growing awareness of the problem, real safeguards are not in place.
A February report by the Government Accountability Office found that only two of 24 agencies the GAO reviewed had implemented all the security measures recommended by the government. So it shouldn't be a surprise that the GAO also found that at least 19 of 24 agencies had experienced one or more breaches that could expose people's personal information to identity theft

[..]

> > > > http://tinyurl.com/5acxrk

From jkouns at opensecurityfoundation.org Sat Aug 2 15:30:34 2008
From: jkouns at opensecurityfoundation.org (jkouns)
Date: Sat, 02 Aug 2008 11:30:34 -0400
Subject: [Dataloss] Most Security Breaches Go Unreported
Message-ID: <48947D9A.2040000@opensecurityfoundation.org>

Most Security Breaches Go Unreported
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=209901208

By Thomas Claburn
InformationWeek
August 1, 2008 08:00 AM

Security incidents, as defined by the study, represent "an unexpected activity that brought sudden risk to the organization and took one or more security personnel to address."

Some of the security incidents, such as the e-mail-borne malware and phishing that affected 69% of respondents' companies, may not have led to serious consequences in every instance. But 29% of those answering the survey said their organizations experienced customer or employee data leakage. Twenty-eight percent reported insider threats or theft and 16% reported intellectual property theft.

"With 29% of respondents stating that they experienced the leakage of employee or customer data in 2007, it is alarming to see that only 11% of those types of incidents went reported," said Tim Mather, chief security strategist for RSA Conference, in a statement. "Security professionals need to remain cognizant of the regulations that their organizations must comply with and ensure they are taking steps to properly report the security incidents that are required by law -- whatever they may be."
Such findings echo a recent study of over 500 data breach forensic investigations (http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=208403240) conducted by Verizon (NYSE: VZ) Business Security Solutions. According to Bryan Sartin, VP of investigative response at Verizon, the publicly reported breaches are "just the tip of iceberg." He said that less than 5% of the more than 500 cases covered in the Verizon study involved some form of disclosure.

In short, companies appear to be far more insecure than they acknowledge.

The RSA survey indicates that 46% of companies experienced no security incidents in 2007, 19% experienced 1 to 2, 14% experienced 3 to 5, 7% experienced 6 to 10, 3% experienced 11 to 20, and 13% experienced more than 20 security incidents.

The top security challenge, according to respondents, is lost or stolen devices (49%), followed by non-malicious employee error and employee education (tied at 47%), budgetary constraints (44%), external hacking threats (38%), executive buy-in (26%), and malicious insider threats (22%).

More than 89% of security incidents went unreported in 2007, according to a survey of about 300 attendees at this year's RSA Conference.

From arshad.noor at strongauth.com Sat Aug 2 20:46:37 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Sat, 02 Aug 2008 13:46:37 -0700
Subject: [Dataloss] Suggestion for changing status quo on data losses
In-Reply-To:
References: <29058542.1421217621328280.JavaMail.root@gw.noorhome.net>
Message-ID: <4894C7AD.6040006@strongauth.com>

security curmudgeon wrote:
>
> In my opinion, to do this correctly would involve someone drafting a
> well-written form letter that list subscribers could use to send to their
> own representative. One page, cite the issue, quote some statistics, say
> it affects them (faster way to make them care) and then to 'fix it'.
> Of
> course, 'fixing it' is generally a myth as there isn't a simple to
> implement solution to stop dataloss.
>

Jericho/All,

Thank you for reminding me of advice I used to give out many years ago, but stopped bothering seeing how ineffective our representatives are in so many other areas. Nonetheless, if I do not let them know, I cannot expect them to address the problem.

That said, I have sent my CA representatives the attached letter. I have also sent it to both Presidential candidates, and am disclosing this letter for discussion and in case others may want to adopt it to send to their own representatives (permission is freely granted to one and all).

While the suggestion cannot guarantee a solution to the problem, it is my strong belief that it is the first step towards a long-term solution.

Let the tomato/egg throwing begin....

Arshad Noor
StrongAuth, Inc.

----------------------------------------

I am writing to inform you of my concerns about America's current Information Security policies and to propose a plan for addressing its shortcomings.

Since California's seminal Breach Disclosure law (CA Senate Bill 1386) and similar laws in 40+ states, this country has witnessed the public disclosure of some of the largest breaches to private data in our brief history with information technology (estimated to be well over 200M identities in the last 5 years - http://etiolated.org/ and http://www.privacyrights.org/). While there are Federal laws stipulating data-protection (GLBA, HIPAA, SOX, FISMA, etc.), we continue to see unrelenting breaches of data, indicating the laws are ineffective in this regard.

It is my belief there are fundamental flaws in America's technology security policy that need to be corrected before we see any change. Every sector of US industry that can cause harm to humans is not only regulated, but is required to disclose adverse events that either cause harm, or have the potential to cause harm, to a regulatory body.
Automobiles, airlines, food, drugs, medical, chemical, banking, environment, power, construction ? they are all required to report adverse events. Except the IT sector! Just as the Center for Disease Control (CDC) would be hopelessly ineffective if mandatory reporting of adverse health events were not required, the IT sector is currently hampered because there is neither a Federal agency with the mandate to collect such information, nor a law requiring companies to report adverse security events to such a central authority. The history of science shows that improvements come only with research. However, research requires comprehensive data. Without data that supports root-cause analysis and statistical analysis, it is impossible for scientists and engineers to solve the problem we face, and consequently, for our nation to build a stronger IT infrastructure. I propose that the US Congress enact a law stipulating the following: - The creation of a ?National Technology and Security Administration (NTSA)? modeled along the lines of the National Highway Transportation and Safety Administration (NHTSA) with the following mandate: a) Collect information on computer-related breaches in the USA. b) Create statistical reports from breach data and disseminate such reports (including raw data) to the internet. c) Establish a Security Baseline that all technology products must deliver. d) Establish a Security Profile for different classes of systems that businesses, government agencies and individuals must achieve. e) Mandate the recall of products that do not meet the Security Baseline. - Requiring ALL businesses that store private data of US citizens on computerized devices ? regardless of geography ? 
to report adverse security events to the NTSA; - Allocating the NTSA appropriate resources and giving it the operational latitude to carry out its mandate; - Eliminating the liability exclusion for defective IT products (no other manufacturing industry is excluded from the liability of producing defective products; why does the IT industry enjoy this exclusion more than 25 years after the PC was created, and nearly 50 years of the existence of the computing industry?) With such a law the US will establish the foundation of a process to make the internet and information technology products secure. This will not happen overnight. But within 24 months of the creation of such an agency, we can expect to start seeing some benefits, and within five years, we can expect a dramatic reduction of breaches to private data. While we can never eradicate all vulnerabilities or breaches, the NTSA can make significant contributions towards protecting the private data of US citizens. Given that the US economy is critically dependent on computers, we cannot wait for a catastrophic IT event to take decisive action. I have had some discussions with people on security forums in this regard, and am attaching some observations for your benefit. I look forward to seeing some action from US Congress on this issue. If there is anything I can do to help, please don't hesitate to have your staffers contact me. Regards, 1) What constitutes a security event? A loss of resources (data, time, money, capacity) for the owner of the computer asset due to any factor that can neither be deemed negligence nor accident on the part of the owner. An assumption is that the owner has defined a security policy and is in conformance to it. For individual users, the security policy will be either the default security policy of the manufacturer or a stronger policy if they have implemented it. 2) How would the information provided to this new agency be protected? 
All user/company information that can identify them is anonymized. The detail must have a section that is legible to business-people and a section that is gory for technical people. Names & versions of operating systems, software, sufficient configuration detail to describe protections in place (but without any identification information again). Security specialists and researchers must have this detail so they can learn from the experience, build models for future protection, etc. FOIA rules would apply, but the information should be available as soon as it is reported in an online database on the internet. Mechanisms to verify the authenticity and integrity of the report should be in place (once again, without identifying the reporter). 3) What are the penalties for not reporting security events? Loss of insurance coverage for damages. Penalties for companies if they are found out later. 4) And how are they enforced? I would like to say that it should be on an honor-based systems because the more data we have, the more benefit we derive from it. So, that should be an incentive to report. However, audits of randomly selected companies could be implemented to see if the reporting is statistically in correspondence to the security events visible on the internet. Non-compliant companies will be fined and subject to mandatory annual audits for three years. 5) Do the rules apply just to corporations; or to individuals? It has to apply to all - especially to individuals. However, since the vast majority of individual users cannot be expected to know what to report, manufacturers of computer systems must include diagnostic tools that can be used to pick up reporting information after scrubbing identification information. This can then be submitted separately by the "victim". 
----------------------------------------

From bgivens at privacyrights.org Sat Aug 2 22:07:51 2008
From: bgivens at privacyrights.org (Beth Givens)
Date: Sat, 02 Aug 2008 15:07:51 -0700
Subject: [Dataloss] Suggestion for changing status quo on data losses
Message-ID: <7.0.1.0.2.20080802150430.03434978@privacyrights.org>

FYI, California has a security requirement law on the books. Here's the summary, along with a link to the text of the law:

* Security of Personal Information - Civil Code section 1798.81.5. This law requires specified businesses to use safeguards to ensure the security of Californians' personal information (defined as name plus SSN, driver's license/state ID, financial account number) and to contractually require third parties to do the same. It does not apply to businesses that are subject to certain other information security laws.

This law is in addition to the security breach notice law, implemented in 2003, the first of such laws in the nation:

* Security Breach Notice - Civil Code sections 1798.29, 1798.82, and 1798.84. This law requires a business or a State agency that maintains unencrypted computerized data that includes personal information, as defined, to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The type of information that triggers the notice requirement is an individual's name plus one or more of the following: Social Security number, driver's license or California Identification Card number, financial account numbers, medical information or health insurance information. The law's intention is to give affected individuals the opportunity to take steps to protect themselves from identity theft. See the Office of Privacy Protection's Recommended Practices in relation to this law.

Beth Givens
Privacy Rights Clearinghouse, Director
www.privacyrights.org

From lyger at attrition.org Sat Aug 2 23:05:33 2008
From: lyger at attrition.org (lyger)
Date: Sat, 2 Aug 2008 23:05:33 +0000 (UTC)
Subject: [Dataloss] CA: Countrywide insider stole mortgage applicants' data, FBI says
Message-ID:

http://www.latimes.com/business/la-fi-arrest2-2008aug02,0,7330731.story

The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers, of as many as 2 million mortgage applicants.

The breach in security, which occurred over a two-year period through July, was one of the largest in years, experts said.

The insider was identified as Rene L. Rebollo Jr., 36, who had worked as a senior financial analyst at Full Spectrum Lending, Countrywide's subprime lending division. He was arrested at his home in Pasadena and charged with unauthorized access to a financial institution's computers.

Authorities also arrested Wahid Siddiqi, 25, at his home in Thousand Oaks. Authorities alleged that he was a reseller of Countrywide data.

[...]

From arshad.noor at strongauth.com Sat Aug 2 23:35:23 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Sat, 02 Aug 2008 16:35:23 -0700
Subject: [Dataloss] Suggestion for changing status quo on data losses
In-Reply-To: <4894C7AD.6040006@strongauth.com>
References: <29058542.1421217621328280.JavaMail.root@gw.noorhome.net> <4894C7AD.6040006@strongauth.com>
Message-ID: <4894EF3B.5030900@strongauth.com>

I have to publicly apologize to Lyger, Jericho and others of the dataloss listserv and attrition.org for my faux-pas. I neglected to mention attrition.org in my letter to my representatives because I was under the mistaken impression that etiolated.org belonged to the same group.
If anyone chooses to use the text from my letter, please don't make the same mistake I did and give attrition.org the credit it deserves in your letter to your representatives.

Once again, I believe the work done by the people behind this listserv is highly commendable, but even with the best of intentions, people can make mistakes - I know I did.

My apologies.

Arshad Noor
StrongAuth, Inc.

From hbrown at knology.net Mon Aug 4 09:32:08 2008
From: hbrown at knology.net (Henry Brown)
Date: Mon, 04 Aug 2008 04:32:08 -0500
Subject: [Dataloss] Follow up to: Fake Card reader results in ID theft in Los Gatos Ca.
Message-ID: <4896CC98.3080701@knology.net>

http://www.nbc11.com/news/17066606/detail.html

Police: Man Behind South Bay Lunardi's ATM Scam Nabbed

Police arrested a man Friday they said was involved with an ATM scam at a Los Gatos supermarket that lost about $300,000.

After a four-month investigation, the Los Gatos Monte/Sereno Police Department arrested Raymond Kurt Fisher, 37, at his San Jose home Thursday, police said.

Fisher worked in the Lunardi's meat department, and he was working there until Thursday, NBC11 reported.
Between March and April 14, 2008, 250 Lunardi's shoppers found fraudulent charges or cash withdrawals with a grand total of about $300,000 from their bank accounts, police said. The majority of the withdrawals were made in Southern California, police said.

Fisher was booked into the Santa Clara County Jail in connection with burglary, conspiracy, drunken driving, and further charges may be filed later, according to the district attorney's office.

The investigation is ongoing, and police said they are not ruling out further arrests.

-------- Original Message --------
Subject: [Dataloss] Fake Card reader results in ID theft in Los Gatos Ca.
Date: Thu, 01 May 2008 05:38:38 -0500
From: Henry Brown
To: dataloss at attrition.org

http://cbs5.com/local/supermarket.identity.theft.2.711956.html

An ATM and credit card reader in a checkout aisle at the Los Gatos Lunardi's supermarket was recently switched, resulting in more than two dozen reported cases of identity theft, a Los Gatos/Monte Sereno Police Department spokesman said Tuesday.

Police received the first reports from victims who said their credit or debit cards had been used fraudulently on Sunday night and additional victim reports continued on Monday and today, according to police spokesman Tam McCarty.

"They started pouring in," McCarty said.

Police believe the victims all had their card numbers stolen at the Los Gatos Lunardi's, 720 Blossom Hill Road, after officials from Lunardi's contacted them about a problem with one of their card readers.

"It was a switched card reader at one of the aisles," McCarty said.

Recent shoppers of the Los Gatos Lunardi's should check the status of their bank or credit card accounts for charges they did not make, according to police.

"Specifically look for charges in the Southern California area, Pasadena, Huntington; that's where most of them seem to be," McCarty said.

[...]
From hbrown at knology.net Mon Aug 4 14:09:06 2008
From: hbrown at knology.net (Henry Brown)
Date: Mon, 04 Aug 2008 09:09:06 -0500
Subject: [Dataloss] laptop stolen from Manchester England hospital
Message-ID: <48970D82.5040406@knology.net>

http://www.manchestereveningnews.co.uk/news/s/1060793_laptop_with_1500_patients_details_stolen

Laptop with 1,500 patients' details stolen
Brian Lashley
1/8/2008

A LAPTOP containing confidential patient data has been stolen from a hospital by a burglar who climbed through an unlocked window.

The computer holds personal information about 1,581 patients attending a clinic at Stepping Hill Hospital, Hazel Grove, Stockport.

Hospital chiefs said the data is protected by a complex password system, which would be difficult to crack. Security at the hospital has since been reviewed and stepped up.

The laptop was stolen along with a projector and personal items from a desk drawer during the burglary at an office block on the hospital site.

The hospital's CCTV cameras are thought to have captured images of the burglar, who it is believed was acting alone.

[...]

"It has reported the theft to Greater Manchester Police who are investigating.

"Amongst the items stolen was a laptop computer used for scheduling appointments, which held some patient information.

"This information was held on a secure system with three levels of password protection. The Trust believes it is unlikely that anyone would be able to access this data.

"Despite this low level of risk the Trust has written to 1,581 patients, who attended the clinic, to inform them of the incident.

[...]

Anyone with information about the theft of the laptop from Stepping Hill between July 12 and 13 should contact police [...]
From ADAIL at sunocoinc.com Mon Aug 4 15:09:01 2008
From: ADAIL at sunocoinc.com (DAIL, WILLARD A)
Date: Mon, 4 Aug 2008 11:09:01 -0400
Subject: [Dataloss] Suggestion for changing status quo on data losses
In-Reply-To: <4894C7AD.6040006@strongauth.com>
Message-ID:

I have found legislators to be far more receptive to communications from their constituents than they are about general unsolicited information from organizations. With the exception of a PAC or lobbyist (with interesting resources), legislators seem far more interested in an issue if the people who vote for them are interested in or concerned about the issue, and are vocal about their angst.

A slightly more effective approach might be to provide access to local chapters of privacy groups or Bar associations and have those groups write their representatives. Otherwise, I personally would focus the information on chairs and members of sub-committees with a subject matter interest in consumer privacy.

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Arshad Noor
Sent: Saturday, August 02, 2008 3:47 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] Suggestion for changing status quo on data losses

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

From lyger at attrition.org Mon Aug 4 21:33:25 2008
From: lyger at attrition.org (lyger)
Date: Mon, 4 Aug 2008 21:33:25 +0000 (UTC)
Subject: [Dataloss] CO: College contractor loses 15,000 students' personal information
Message-ID:

http://www.9news.com/news/local/article.aspx?storyid=97054&catid=346

Arapahoe Community College (ACC) is notifying 15,000 students that their personal information has been lost or stolen.

An ACC spokesperson tells 9NEWS that a hard copy letter detailing the loss is being mailed to all affected students Monday. The letter is in addition to an e-mail that was sent on Friday.

The e-mail indicates that a contractor who manages the student information database had a flash drive lost or stolen at Copper Mountain Resort in Summit County. A police report was filed with the Summit County Sheriff's Department on Friday.

[...]
From hbrown at knology.net Tue Aug 5 09:36:48 2008 From: hbrown at knology.net (Henry Brown) Date: Tue, 05 Aug 2008 04:36:48 -0500 Subject: [Dataloss] Laptop stolen at SF Ca Airport with data of 33000 travelers Message-ID: <48981F30.3000300@knology.net> http://abclocal.go.com/kgo/story?section=news/local&id=6306342 SAN FRANCISCO (KGO) -- A stolen laptop has prompted administrators of a popular airport program to implement new security measures. The computer was stolen over the weekend at San Francisco International and thousands of passengers' personal records were taken along with it. For the past year, travelers at SFO have had the option to enroll in the Clear Registered Traveler Program. Those who sign up get a biometric ID card, which allows them to bypass regular security lines for $128 a year. [...] Over the weekend, the popular program ran into a security breach. Someone entered the Clear office at SFO and stole a laptop computer. It contained records of 33,000 applicants. Information included names, addresses, birthdates, and in some cases, driver's license and passport numbers. [...] The company says the thief would have to bypass two separate passwords to obtain any personal information. Even so, the Transportation Security Administration is temporarily prohibiting new customers from enrolling in the Clear program. [...] No telling how long the enrollment process will be suspended, the TSA says it will depend on how long it will take for the company that runs Clear to notify its applicants and improve the security on its computers. "Basically what we're doing is we're downloading new software into all our laptops at the airports, more encrypted and revisiting all the enrollment procedures here," said David Pfeiffer, the Clear general manager. [...] As for who stole the laptop in the first place, authorities are still investigating. There were no apparent signs of a break-in. 
From lyger at attrition.org Tue Aug 5 11:47:01 2008 From: lyger at attrition.org (lyger) Date: Tue, 5 Aug 2008 11:47:01 +0000 (UTC) Subject: [Dataloss] (update): 150,000 hit by brewer data theft Message-ID: http://ukpress.google.com/article/ALeqM5heyH8ZkcfOobs32-4RsWGOPKVSQQ About 150,000 people in the US have been affected by the theft of laptops with personal information about current and former employees of brewing giant Anheuser-Busch. A letter sent by the St Louis, Missouri-based brewer to the Florida Attorney General's Office said the laptops, stolen in June, contained personal information on nearly 87,500 residents, including current and former employees, and more than 3,000 people involved in employee assistance programmes, either as recipients or providers. The state of California was notified that nearly 55,000 of its residents were affected, said Abraham Arredondo, a spokesman for the attorney general's office there. In all, residents in at least six states: Florida, New Hampshire, Virginia, Missouri, Texas and California are involved. [...] From lyger at attrition.org Tue Aug 5 14:43:37 2008 From: lyger at attrition.org (lyger) Date: Tue, 5 Aug 2008 14:43:37 +0000 (UTC) Subject: [Dataloss] CA/FL/???: Laptop With Personal Information Stolen At Airport Message-ID: (earlier, Henry Brown sent in a story about a missing laptop containing personal information for about 33,000 at San Francisco International:) http://attrition.org/pipermail/dataloss/2008-August/002608.html (now, we have this just in:) http://www.cfnews13.com/News/Local/2008/8/5/laptop_with_personal_information_stolen_at_airport.html A laptop containing personal information for about 33,000 people was reported stolen in a possible security breach at Orlando International Airport. According to the Orlando Sentinel, a laptop containing personal information for people who signed up for the "Clear" program, a registered-traveler service. The information was not encrypted, the paper reported. [...] 
(errrrr....) From lyger at attrition.org Tue Aug 5 15:03:34 2008 From: lyger at attrition.org (lyger) Date: Tue, 5 Aug 2008 15:03:34 +0000 (UTC) Subject: [Dataloss] (admin) Moderators + Vegas = ... Message-ID: Quick note to everyone: all mail list moderators are either already in Las Vegas for this week's Black Hat and/or DefCon events or are currently packing our bags and printing out our boarding passes. We will continue to post and approve messages as time permits, but please be patient if list traffic gets reealllyyyy slloooowwwww over the next five days or so. For anyone who will be attending the conferences this week, please feel free to come up and say hi if you see us. We'll be the guys and gals wearing attrition.org, DatalossDB.org, and OSVDB.org gear running away from the sound of the sirens... ;) Lyger From chris at cwalsh.org Tue Aug 5 16:52:36 2008 From: chris at cwalsh.org (Chris Walsh) Date: Tue, 5 Aug 2008 11:52:36 -0500 Subject: [Dataloss] Laptop stolen at SF Ca Airport with data of 33000 travelers In-Reply-To: <48981F30.3000300@knology.net> References: <48981F30.3000300@knology.net> Message-ID: Absolutely epic. Sigh. cw On Tue, Aug 5, 2008 at 4:36 AM, Henry Brown wrote: > > For the past year, travelers at SFO have had the option to enroll in the > Clear Registered Traveler Program. Those who sign up get a biometric ID > card, which allows them to bypass regular security lines for $128 a year. > > [...] > > As for who stole the laptop in the first place, authorities are still > investigating. There were no apparent signs of a break-in. > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://attrition.org/pipermail/dataloss/attachments/20080805/7fb59acf/attachment.html From mhozven at tealeaf.com Tue Aug 5 17:02:50 2008 From: mhozven at tealeaf.com (Max Hozven) Date: Tue, 5 Aug 2008 10:02:50 -0700 Subject: [Dataloss] Laptop stolen at SF Ca Airport with data of 33000travelers In-Reply-To: References: <48981F30.3000300@knology.net> Message-ID: <771A26039D33ED489E23D9614DE630DD0902A022@SFMAIL02.tealeaf.com> Food for thought: If the thief had connected up a USB-drive, copied the data from the laptop to his drive, and walked away, no one would have known. If the machine was password protected, they could have booted it via a Ghost/etc boot CD, then copied the data that way. -Max "Note: The views and opinions expressed in this email are strictly those of the page author." ________________________________ From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh Sent: Tuesday, August 05, 2008 9:53 AM To: Henry Brown Cc: dataloss at attrition.org Subject: Re: [Dataloss] Laptop stolen at SF Ca Airport with data of 33000travelers Absolutely epic. Sigh. cw On Tue, Aug 5, 2008 at 4:36 AM, Henry Brown wrote: For the past year, travelers at SFO have had the option to enroll in the Clear Registered Traveler Program. Those who sign up get a biometric ID card, which allows them to bypass regular security lines for $128 a year. [...] As for who stole the laptop in the first place, authorities are still investigating. There were no apparent signs of a break-in. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20080805/33f2ecdb/attachment.html From james at iqbio.net Tue Aug 5 17:09:22 2008 From: james at iqbio.net (James Childers) Date: Tue, 5 Aug 2008 10:09:22 -0700 Subject: [Dataloss] Laptop stolen at SF Ca Airport with data of 33000 travelers In-Reply-To: References: <48981F30.3000300@knology.net> Message-ID: Epic stupidity. 
This data include a biometric profile? James Childers iPhone Account Personal Toll-Free: 888-650-7373 Direct Follow Me: 360-515-0005 1. If you're not making mistakes, you aren't living. If you keep making the same mistakes you aren't learning. 2. Concentrate on the things that are most important to you right now - The rest will take care of itself. 3. Nosce te Ipsum. On Aug 5, 2008, at 9:52 AM, "Chris Walsh" wrote: > Absolutely epic. > > Sigh. > > cw > > On Tue, Aug 5, 2008 at 4:36 AM, Henry Brown > wrote: > > For the past year, travelers at SFO have had the option to enroll in > the > Clear Registered Traveler Program. Those who sign up get a biometric > ID > card, which allows them to bypass regular security lines for $128 a > year. > > [...] > > > As for who stole the laptop in the first place, authorities are still > investigating. There were no apparent signs of a break-in. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20080805/6c189532/attachment.html From SSteele at infolocktech.com Tue Aug 5 17:29:48 2008 From: SSteele at infolocktech.com (Sean Steele) Date: Tue, 5 Aug 2008 13:29:48 -0400 Subject: [Dataloss] Laptop stolen at SF Ca Airport with data of33000travelers Message-ID: <50EE0FBAE567774C8E244E1C7D4C2B870BB187@MAIL032.mail.lan> This morning I flew from Reagan (DCA) to Detroit and passed the SteerClear (err, FlyClear) lane, and its workers. I asked about the laptop theft/loss in SFO, attributable to one of their co-workers, and their response was...
"That's OK, it wasn't from THIS airport!" Wow. I fear for us all. -S. ________________________________ From: dataloss-bounces at attrition.org To: Chris Walsh ; Henry Brown Cc: dataloss at attrition.org Sent: Tue Aug 05 13:02:50 2008 Subject: Re: [Dataloss] Laptop stolen at SF Ca Airport with data of33000travelers Food for thought: If the thief had connected up a USB-drive, copied the data from the laptop to his drive, and walked away, no one would have known. If the machine was password protected, they could have booted it via a Ghost/etc boot CD, then copied the data that way. -Max ?Note: The views and opinions expressed in this email are strictly those of the page author.? ________________________________ From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh Sent: Tuesday, August 05, 2008 9:53 AM To: Henry Brown Cc: dataloss at attrition.org Subject: Re: [Dataloss] Laptop stolen at SF Ca Airport with data of 33000travelers Absolutely epic. Sigh. cw On Tue, Aug 5, 2008 at 4:36 AM, Henry Brown wrote: For the past year, travelers at SFO have had the option to enroll in the Clear Registered Traveler Program. Those who sign up get a biometric ID card, which allows them to bypass regular security lines for $128 a year. [...] As for who stole the laptop in the first place, authorities are still investigating. There were no apparent signs of a break-in. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://attrition.org/pipermail/dataloss/attachments/20080805/6e468d15/attachment.html From mhozven at tealeaf.com Tue Aug 5 17:33:04 2008 From: mhozven at tealeaf.com (Max Hozven) Date: Tue, 5 Aug 2008 10:33:04 -0700 Subject: [Dataloss] Laptop stolen at SF Ca Airport with data of33000travelers In-Reply-To: <50EE0FBAE567774C8E244E1C7D4C2B870BB187@MAIL032.mail.lan> References: <50EE0FBAE567774C8E244E1C7D4C2B870BB187@MAIL032.mail.lan> Message-ID: <771A26039D33ED489E23D9614DE630DD090AB382@SFMAIL02.tealeaf.com> Regarding the hardware involved, looks like it's time to bring back dumb-terminals, with no CD/floppy/usb/anything on them, in instances like this. PC's/laptops/etc always have the "walk away with them" risk. It would also be good to require an electronic ID badge plugged into the dumb terminal (and password) to gain access. -Max ________________________________ From: Sean Steele [mailto:SSteele at infolocktech.com] Sent: Tuesday, August 05, 2008 10:30 AM To: Max Hozven; chris at cwalsh.org; hbrown at knology.net Cc: dataloss at attrition.org Subject: Re: [Dataloss] Laptop stolen at SF Ca Airport with data of33000travelers This morning I flew from Reagan (DCA) to Detroit and passed the SteerClear (err, FlyClear) lane, and its workers. I asked about the laptop theft/loss in SFO, attributable to one of their co-workers, and their response was... "That's OK, it wasn't from THIS airport!" Wow. I fear for us all. -S. ________________________________ From: dataloss-bounces at attrition.org To: Chris Walsh ; Henry Brown Cc: dataloss at attrition.org Sent: Tue Aug 05 13:02:50 2008 Subject: Re: [Dataloss] Laptop stolen at SF Ca Airport with data of33000travelers Food for thought: If the thief had connected up a USB-drive, copied the data from the laptop to his drive, and walked away, no one would have known. If the machine was password protected, they could have booted it via a Ghost/etc boot CD, then copied the data that way. 
-Max "Note: The views and opinions expressed in this email are strictly those of the page author." ________________________________ From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh Sent: Tuesday, August 05, 2008 9:53 AM To: Henry Brown Cc: dataloss at attrition.org Subject: Re: [Dataloss] Laptop stolen at SF Ca Airport with data of 33000travelers Absolutely epic. Sigh. cw On Tue, Aug 5, 2008 at 4:36 AM, Henry Brown wrote: For the past year, travelers at SFO have had the option to enroll in the Clear Registered Traveler Program. Those who sign up get a biometric ID card, which allows them to bypass regular security lines for $128 a year. [...] As for who stole the laptop in the first place, authorities are still investigating. There were no apparent signs of a break-in. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20080805/5d34eef7/attachment.html From hbrown at knology.net Tue Aug 5 18:40:50 2008 From: hbrown at knology.net (Henry Brown) Date: Tue, 05 Aug 2008 13:40:50 -0500 Subject: [Dataloss] CA/FL/???: Laptop With Personal Information Stolen At Airport In-Reply-To: References: Message-ID: <48989EB2.4060208@knology.net> Confirmation the theft PROBABLY occurred at San Francisco International Airport http://www.washingtonpost.com/wp-dyn/content/article/2008/08/04/AR2008080402703.html http://tinyurl.com/6dajvb The Transportation Security Administration suspended Verified Identity Pass from enrolling travelers in its pre-screening program after a laptop computer containing the records of 33,000 people went missing. The company, based in New York, lost possession of the laptop July 26 at San Francisco International Airport. The laptop contained unencrypted pre-enrollment records of individuals, the TSA said in a statement yesterday. [...] AND from the Orlando Sentinel ... 
http://www.orlandosentinel.com/business/orl-clear0508aug05,0,4458701.story The federal government on Monday barred a registered-traveler service launched three years ago at Orlando International Airport from enrolling new members after an unencrypted company laptop containing personal information for about 33,000 prospective customers was stolen from a locked office. The Transportation Security Administration said it has instructed all airports that contract with Verified Identity Pass Inc. -- which operates the "Clear" program at OIA and nearly 20 other airports across the country -- to suspend enrollment in the service and to secure all unencrypted computers until encryption software is installed. The agency also instructed San Francisco International Airport, where the laptop was lost, to ensure that Verified Identity Pass immediately contacts everyone whose personal information was stored on the missing computer. -------- Original Message -------- Subject: [Dataloss] CA/FL/???: Laptop With Personal Information Stolen At Airport From: lyger To: dataloss at attrition.org Date: 8/5/2008 9:43 AM > (earlier, Henry Brown sent in a story about a missing laptop containing > personal information for about 33,000 at San Francisco International:) > > http://attrition.org/pipermail/dataloss/2008-August/002608.html ... From lyger at attrition.org Tue Aug 5 18:54:03 2008 From: lyger at attrition.org (lyger) Date: Tue, 5 Aug 2008 18:54:03 +0000 (UTC) Subject: [Dataloss] CA/FL/???: Laptop With Personal Information Stolen At Airport In-Reply-To: <48989EB2.4060208@knology.net> References: <48989EB2.4060208@knology.net> Message-ID: (this is why editors have jobs! note the changes between the archive and the current story...) 
http://attrition.org/pipermail/dataloss/2008-August/002610.html http://www.cfnews13.com/News/Local/2008/8/5/laptop_with_personal_information_stolen_at_airport.html A laptop containing personal information for about 33,000 people was reported stolen in a possible security breach for the Clear Program, which is in use at the Orlando International Airport. According to the Orlando Sentinel, the laptop was stolen at San Francisco International Airport. [...] On Tue, 5 Aug 2008, Henry Brown wrote: ": " Confirmation the theft PROBABLY occurred at San Francisco International ": " Airport ": " ": " http://www.washingtonpost.com/wp-dyn/content/article/2008/08/04/AR2008080402703.html ": " http://tinyurl.com/6dajvb ": " ": " The Transportation Security Administration suspended Verified Identity ": " Pass from enrolling travelers in its pre-screening program after a ": " laptop computer containing the records of 33,000 people went missing. ": " ": " AND from the Orlando Sentinel ": " ... ": " http://www.orlandosentinel.com/business/orl-clear0508aug05,0,4458701.story ": " ": " The federal government on Monday barred a registered-traveler service ": " launched three years ago at Orlando International Airport from enrolling ": " new members after an unencrypted company laptop containing personal ": " information for about 33,000 prospective customers was stolen from a ": " locked office. From jericho at attrition.org Tue Aug 5 19:32:23 2008 From: jericho at attrition.org (security curmudgeon) Date: Tue, 5 Aug 2008 19:32:23 +0000 (UTC) Subject: [Dataloss] (admin) Moderators + Vegas = ... In-Reply-To: References: Message-ID: : Quick note to everyone: all mail list moderators are either already in : Las Vegas for this week's Black Hat and/or DefCon events or are : currently packing our bags and printing out our boarding passes. 
We : will continue to post and approve messages as time permits, but please : be patient if list traffic gets reealllyyyy slloooowwwww over the next : five days or so. : : For anyone who will be attending the conferences this week, please feel : free to come up and say hi if you see us. We'll be the guys and gals : wearing attrition.org, DatalossDB.org, and OSVDB.org gear running away : from the sound of the sirens... ;) First one that finds Lyger, screams "DATA LOSS" at him, and pushes him in the Bellagio fountain will get a crisp 20 dollar bill and a White Russian, compliments of attrition.org. From mhozven at tealeaf.com Tue Aug 5 20:02:16 2008 From: mhozven at tealeaf.com (Max Hozven) Date: Tue, 5 Aug 2008 13:02:16 -0700 Subject: [Dataloss] CA/FL/???: Laptop With Personal Information Stolen At Airport In-Reply-To: References: <48989EB2.4060208@knology.net> Message-ID: <771A26039D33ED489E23D9614DE630DD090AB515@SFMAIL02.tealeaf.com> http://www.mercurynews.com/nationworld/ci_10105205 Laptop with security applicants' data is found By MARCUS WOHLSEN Associated Press Writer Article Launched: 08/05/2008 12:34:41 PM PDT SAN FRANCISCO-The company that runs an airport security prescreening program said Tuesday they've found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing. The Transportation Security Administration suspended new enrollments to the program, known as Clear, after the unencrypted computer was reported stolen. Officials with Verified Identity Pass, which operates the Clear program, said the laptop was found Tuesday morning in the same office where it supposedly had gone missing. The program allows passengers to pay to use special "fast lanes" to avoid long lines at airport security checkpoints. The laptop contained the personal information of applicants to the program.
-----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger Sent: Tuesday, August 05, 2008 11:54 AM To: Henry Brown Cc: dataloss at attrition.org Subject: Re: [Dataloss] CA/FL/???: Laptop With Personal Information Stolen At Airport (this is why editors have jobs! note the changes between the archive and the current story...) http://attrition.org/pipermail/dataloss/2008-August/002610.html http://www.cfnews13.com/News/Local/2008/8/5/laptop_with_personal_information_stolen_at_airport.html A laptop containing personal information for about 33,000 people was reported stolen in a possible security breach for the Clear Program, which is in use at the Orlando International Airport. According to the Orlando Sentinel, the laptop was stolen at San Francisco International Airport. [...] On Tue, 5 Aug 2008, Henry Brown wrote: ": " Confirmation the theft PROBABLY occurred at San Francisco International ": " Airport ": " ": " http://www.washingtonpost.com/wp-dyn/content/article/2008/08/04/AR2008080402703.html ": " http://tinyurl.com/6dajvb ": " ": " The Transportation Security Administration suspended Verified Identity ": " Pass from enrolling travelers in its pre-screening program after a ": " laptop computer containing the records of 33,000 people went missing. ": " ": " AND from the Orlando Sentinel ": " ... ": " http://www.orlandosentinel.com/business/orl-clear0508aug05,0,4458701.story ": " ": " The federal government on Monday barred a registered-traveler service ": " launched three years ago at Orlando International Airport from enrolling ": " new members after an unencrypted company laptop containing personal ": " information for about 33,000 prospective customers was stolen from a ": " locked office.
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20080805/263cb516/attachment.html From fergdawg at netzero.net Tue Aug 5 20:08:16 2008 From: fergdawg at netzero.net (Paul Ferguson) Date: Tue, 5 Aug 2008 20:08:16 GMT Subject: [Dataloss] CA/FL/???: Laptop With Personal Information Stolen At Airport Message-ID: <20080805.130816.1630.0@webmail22.vgs.untd.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -- "Max Hozven" wrote: >http://www.mercurynews.com/nationworld/ci_10105205 Yes, I just saw that. Also, Ryan Singel raises some rather disturbing issues (as well) over on Threat Level: http://blog.wired.com/27bstroke6/2008/08/registered-trav.html - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFImLMuq1pz9mNUZTMRAsIeAJ0QpsBS6JGWpHXPWNXvoKuY/RoRRgCg5aDT 2b9q/c6Ww4MXPzBhtgGQS2s= =R/Q0 -----END PGP SIGNATURE----- -- "Fergie", a.k.a.
Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ From arshad.noor at strongauth.com Tue Aug 5 20:20:31 2008 From: arshad.noor at strongauth.com (Arshad Noor) Date: Tue, 05 Aug 2008 13:20:31 -0700 Subject: [Dataloss] CA/FL/???: Laptop With Personal Information Stolen At Airport In-Reply-To: <771A26039D33ED489E23D9614DE630DD090AB515@SFMAIL02.tealeaf.com> References: <48989EB2.4060208@knology.net> <771A26039D33ED489E23D9614DE630DD090AB515@SFMAIL02.tealeaf.com> Message-ID: <4898B60F.3070203@strongauth.com> I hate sounding so cynical, but how difficult is it to "manufacture" the stolen laptop with the 33,000 names restored from a backup copy, given what's at stake? Even if it was the original laptop, we don't know that any of the records from this - or any of their other - laptops, was compromised. Pathetic! Arshad Noor StrongAuth, Inc. Max Hozven wrote: > > http://www.mercurynews.com/nationworld/ci_10105205 > *Laptop with security applicants' data is found* > By MARCUS WOHLSEN Associated Press Writer > Article Launched: 08/05/2008 12:34:41 PM PDT > > SAN FRANCISCO - The company that runs an airport security prescreening > program said Tuesday they've found a laptop containing the personal > information of 33,000 people more than a week after it apparently went > missing. > From hbrown at knology.net Tue Aug 5 20:27:17 2008 From: hbrown at knology.net (Henry Brown) Date: Tue, 05 Aug 2008 15:27:17 -0500 Subject: [Dataloss] Laptop stolen at SF Ca Airport with data of 33000 travelers In-Reply-To: <48981F30.3000300@knology.net> References: <48981F30.3000300@knology.net> Message-ID: <4898B7A5.6010809@knology.net> Laptop found in original office!
http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2008/08/05/financial/f102608D05.DTL&tsp=1 SAN FRANCISCO (AP) - The company that runs an airport security prescreening program said Tuesday they've found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing. The Transportation Security Administration suspended new enrollments to the program, known as Clear, after the unencrypted computer was reported stolen. The company that runs an airport security prescreening program said Tuesday they found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing. The Transportation Security Administration announced late Monday that it had suspended new enrollments to the program, known as Clear, after the unencrypted computer was reported stolen at San Francisco International Airport. A spokeswoman for Verified Identity Pass Inc., which operates the program, said the company reported the laptop stolen to airport police and the TSA more than a week ago when they could not account for its whereabouts. The laptop was found Tuesday morning in the same company office where it supposedly had gone missing, said spokeswoman Allison Beer. "It was not in an obvious location," said Beer, who said an investigation was under way to determine whether the computer was actually stolen or had just been misplaced. ... -------- Original Message -------- Subject: [Dataloss] Laptop stolen at SF Ca Airport with data of 33000 travelers Date: 8/5/2008 4:36 AM > http://abclocal.go.com/kgo/story?section=news/local&id=6306342 > > SAN FRANCISCO (KGO) -- A stolen laptop has prompted administrators of a > popular airport program to implement new security measures. The computer > was stolen over the weekend at San Francisco International and thousands > of passengers' personal records were taken along with it. [...] 
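Arshad Noor's question a few messages up (how anyone would know that the laptop found "not in an obvious location", or a copy restored from backup, still holds the same 33,000 records) can only be answered by an operator who bound the records to a key that never lived on the device. The following is an added example, not code from this list, from Verified Identity Pass or from the TSA: each record gets an HMAC-SHA256 tag under a key assumed to be held on the enrollment back end, the tag table is itself tagged so it can travel with the data, and verifying a recovered store reports which records were altered, added or removed. The records, field names, ids and key are constructed for the example. A clean report says nothing about whether the records were read; that is the confidentiality question an unencrypted disk leaves open, and only encryption at rest answers it.

```python
import hashlib
import hmac
import json

# Constructed sample enrollment records; the field names and values are
# invented for this example and are not taken from any real program.
RECORDS = [
    {"id": "A-0001", "name": "Jane Doe", "dob": "1970-01-01", "status": "approved"},
    {"id": "A-0002", "name": "John Roe", "dob": "1982-05-17", "status": "pending"},
    {"id": "A-0003", "name": "Ann Poe", "dob": "1965-11-30", "status": "denied"},
]

# Assumption: this key lives on the enrollment back end and is never copied
# to the laptop, so whoever holds the laptop alone cannot recompute a tag.
SERVER_KEY = b"constructed-demo-key-kept-off-the-device"


def canonical(record):
    """Stable byte encoding so that key order on disk does not change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_tag(key, record):
    """HMAC-SHA256 over the canonical record, as a hex string."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_manifest(key, records):
    """Per-record tags plus a tag over the tag table itself.

    The outer tag lets the manifest sit next to the data: an attacker who
    deletes a record and its manifest entry cannot re-tag the table.
    """
    tags = {r["id"]: record_tag(key, r) for r in records}
    table = json.dumps(tags, sort_keys=True).encode("utf-8")
    return {"tags": tags, "manifest_tag": hmac.new(key, table, hashlib.sha256).hexdigest()}


def verify_device(key, manifest, recovered):
    """Compare a recovered data store against the manifest.

    Returns whether the manifest is intact and which record ids were
    altered, added or removed. Tag comparisons are constant-time.
    """
    table = json.dumps(manifest["tags"], sort_keys=True).encode("utf-8")
    manifest_ok = hmac.compare_digest(
        manifest["manifest_tag"], hmac.new(key, table, hashlib.sha256).hexdigest()
    )
    altered, added, seen = set(), set(), set()
    for r in recovered:
        rid = str(r.get("id", ""))
        seen.add(rid)
        expected = manifest["tags"].get(rid)
        if expected is None:
            added.add(rid)  # a record the back end never issued
        elif not hmac.compare_digest(expected, record_tag(key, r)):
            altered.add(rid)  # same id, different content
    missing = set(manifest["tags"]) - seen
    return {
        "manifest_ok": manifest_ok,
        "altered": sorted(altered),
        "added": sorted(added),
        "missing": sorted(missing),
    }


def demo():
    """Issue a manifest, then check an untouched copy and a doctored copy."""
    manifest = build_manifest(SERVER_KEY, RECORDS)
    clean = verify_device(SERVER_KEY, manifest, [dict(r) for r in RECORDS])

    doctored = [dict(r) for r in RECORDS]
    doctored[2]["status"] = "approved"  # flip a denial into an approval
    doctored.append({"id": "A-0004", "name": "Nobody", "dob": "1990-02-02", "status": "approved"})
    del doctored[1]  # drop a pending applicant
    dirty = verify_device(SERVER_KEY, manifest, doctored)
    return clean, dirty


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The manifest is issued when records are pushed to the laptop and kept on the back end; on recovery, the verification runs against a forensic copy of the device store, never on the laptop itself, since its software is no longer trusted.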
From brian.honan at bhconsulting.ie Tue Aug 5 20:46:46 2008 From: brian.honan at bhconsulting.ie (Brian Honan) Date: Tue, 5 Aug 2008 21:46:46 +0100 Subject: [Dataloss] CA/FL/???: Laptop With Personal Information Stolen At Airport In-Reply-To: <4898B60F.3070203@strongauth.com> References: <48989EB2.4060208@knology.net> <771A26039D33ED489E23D9614DE630DD090AB515@SFMAIL02.tealeaf.com> <4898B60F.3070203@strongauth.com> Message-ID: <003f01c8f73c$613f83b0$23be8b10$@honan@bhconsulting.ie> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> Even if it was the original laptop, we don't know that any of the records from this - or any of their other - laptops, was compromised Nor would we know if the data was altered to cause trouble for individuals or data added to enable those who otherwise might not qualify for the program to be given access. Brian - -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Arshad Noor Sent: Tuesday, August 05, 2008 9:21 PM Cc: dataloss at attrition.org Subject: Re: [Dataloss] CA/FL/???: Laptop With Personal Information Stolen At Airport I hate sounding so cynical, but how difficult is it to "manufacture" the stolen laptop with the 33,000 names restored from a backup copy, given what's at stake? Even if it was the original laptop, we don't know that any of the records from this - or any of their other - laptops, was compromised. Pathetic! Arshad Noor StrongAuth, Inc. Max Hozven wrote: > > http://www.mercurynews.com/nationworld/ci_10105205 > *Laptop with security applicants' data is found* > By MARCUS WOHLSEN Associated Press Writer > Article Launched: 08/05/2008 12:34:41 PM PDT > > SAN FRANCISCO-The company that runs an airport security prescreening > program said Tuesday they've found a laptop containing the personal > information of 33,000 people more than a week after it apparently went > missing. 
-----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.3 (Build 4028) Charset: us-ascii wj8DBQFImLw4i7bwgPG1z30RAknIAJ9hm7j95dZg8bcr0oLwBGzf4k9fXgCfRTEQ 0cozYKi8WlvOTCAZnIp776A= =Br4w -----END PGP SIGNATURE----- From hbrown at knology.net Tue Aug 5 21:06:47 2008 From: hbrown at knology.net (Henry Brown) Date: Tue, 05 Aug 2008 16:06:47 -0500 Subject: [Dataloss] TJX (and others) data breach "hackers" charged by US Justice Dept Message-ID: <4898C0E7.8000104@knology.net> http://www.boston.com/news/local/breaking_news/2008/08/eleven_charged.html Eleven charged in hacking ring that allegedly stole 40 million card numbers By Martin Finucane, Globe Staff Eleven people from at least five different countries are facing charges for their involvement in a wide-ranging scheme to hack into nine US companies and steal and sell more than 40 million credit and debit card numbers, federal law enforcement officials said today in Boston. "As far as we know, this is the single largest and most complex identity theft case that's ever been charged in this country," Attorney General Michael Mukasey said. Officials said the ring had stolen hundreds of millions of dollars. Three of the defendants are US citizens, one is from Estonia, three are from Ukraine, two are from China, and one is from Belarus, the US attorney's office in Boston said. The 11th defendant is known only by an online alias. A grand jury indictment handed up today in Boston charges that Albert "Segvec" Gonzalez of Miami and his conspirators began by "wardriving" -- or driving around and looking to eavesdrop on wireless networks.
They then allegedly hacked into the wireless networks of TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Dave & Buster's, Sports Authority, Forever 21, and DSW.

[...]

Two other Miami residents were charged in Boston, while eight other people were charged in San Diego.

[...]

From tglassey at earthlink.net Tue Aug 5 23:03:12 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Tue, 5 Aug 2008 16:03:12 -0700
Subject: [Dataloss] US DOJ announces largest prosecution for ID theft yet.
Message-ID: <000001c8f764$d91f5a40$6401a8c0@tsg1>

________________________________

FOR IMMEDIATE RELEASE
Tuesday, August 5, 2008
WWW.USDOJ.GOV
AG (202) 514-2007
TDD (202) 514-1888

Retail Hacking Ring Charged for Stealing and Distributing Credit and Debit Card Numbers from Major U.S. Retailers

More Than 40 Million Credit and Debit Card Numbers Stolen

BOSTON - Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft, Attorney General Michael B. Mukasey, U.S. Attorney for the District of Massachusetts Michael J. Sullivan, U.S. Attorney for the Southern District of California Karen P. Hewitt, U.S. Attorney for the Eastern District of New York Benton J. Campbell and U.S. Secret Service Director Mark Sullivan announced today. The scheme is believed to constitute the largest hacking and identity theft case ever prosecuted by the Department of Justice.

Three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the People's Republic of China and one is from Belarus. One individual is only known by an alias online, and his place of origin is unknown.

In an indictment returned on Aug. 5, 2008, by a federal grand jury in Boston, Albert "Segvec" Gonzalez, of Miami, was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy for his role in the scheme. Criminal informations were also released today in Boston on related charges against Christopher Scott and Damon Patrick Toey, both of Miami.

The Boston indictment alleges that during the course of the sophisticated conspiracy, Gonzalez and his co-conspirators obtained the credit and debit card numbers by "wardriving" and hacking into the wireless computer networks of major retailers - including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Once inside the networks, they installed "sniffer" programs that would capture card numbers, as well as password and account information, as they moved through the retailers' credit and debit processing networks.

The indictment alleges that after they collected the data, the conspirators concealed the data in encrypted computer servers that they controlled in Eastern Europe and the United States. They allegedly sold some of the credit and debit card numbers, via the Internet, to other criminals in the United States and Eastern Europe. The stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards. The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs.

Gonzalez and others were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe.

Gonzalez was previously arrested by the Secret Service in 2003 for access device fraud. During the course of this investigation, the Secret Service discovered that Gonzalez, who was working as a confidential informant for the agency, was criminally involved in the case.
Because of the size and scope of his criminal activity, Gonzalez faces a maximum penalty of life in prison if he is convicted of all the charges alleged in the Boston indictment.

Also today, indictments were unsealed in San Diego against scheme participant Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia. The indictments charge the defendants with crimes related to the sale of the stolen credit card data that Gonzalez and others illegally obtained, as well as additional stolen credit card data.

Suvorov is charged with conspiracy to possess unauthorized access devices, possession of unauthorized access devices, trafficking in unauthorized access devices, identity theft, aggravated identity theft, and aiding and abetting. Yastremskiy is charged with trafficking in unauthorized access devices, identity theft, aggravated identity theft and conspiracy to launder monetary instruments. The indictment also contains a forfeiture allegation.

In addition, an indictment against Hung-Ming Chiu and Zhi Zhi Wang, both of the People's Republic of China, and a person known only by the online nickname "Delpiero," was also unsealed in San Diego today. Chiu, Wang and Delpiero are charged with conspiracy to possess unauthorized access devices, trafficking in unauthorized access devices, trafficking in counterfeit access devices, possession of unauthorized access devices, aggravated identity theft, and aiding and abetting.

Also in San Diego, Sergey Pavolvich, of Belarus, and Dzmitry Burak and Sergey Storchak, both of Ukraine, were charged in a criminal complaint with conspiracy to traffic in unauthorized access devices. All are believed to be foreign nationals residing outside of the United States.
The San Diego charges allege that Yastremskiy, Suvorov, Chiu, Wang, Delpiero, Pavolvich, Burak and Storchak operated an international stolen credit and debit card distribution ring with operations from Ukraine, Belarus, Estonia, the People's Republic of China, the Philippines and Thailand. The indictments allege that each of the defendants sold stolen credit and debit card information for personal gain. For example, the indictment of Yastremskiy alleges that he received proceeds exceeding $11 million from this criminal activity.

These indictments and complaints are the result of a three-year undercover investigation conducted out of the San Diego Field Office of the U.S. Secret Service.

In May 2008, Gonzalez, Suvorov and Yastremskiy also were charged in a related indictment in the Eastern District of New York. The New York charges allege that the trio was engaged in a sophisticated scheme to hack into computer networks run by the Dave & Buster's restaurant chain, and stole credit and debit card numbers from at least 11 locations. Specifically, the indictment alleges that the defendants gained unauthorized access to the cash register terminals and installed at each restaurant a "packet sniffer," a computer code designed to capture communications on a computer network. The packet sniffer was configured to capture credit and debit card numbers as this information was processed by the restaurants. At one restaurant location, the packet sniffer captured data for approximately 5,000 credit and debit cards, eventually causing losses of at least $600,000 to the financial institutions that issued the credit and debit cards.

Gonzalez is currently in pre-trial confinement on the New York charges.

Based upon the San Diego charges, Turkish officials apprehended Yastremskiy in July 2007 in Turkey when he travelled there on vacation.
He has been in confinement since then in Turkey, pending the resolution of related Turkish charges, and the United States has made a formal request for his extradition. At the request of the Department of Justice, Suvorov was apprehended by the German Federal Police in Frankfurt in March 2008 on the San Diego charges when he travelled there on vacation. He is currently in confinement pending the resolution of extradition proceedings.

"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," said Attorney General Mukasey. "It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers."

"While technology has made our lives much easier it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results. Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain," said U.S. Attorney Michael J. Sullivan.

"These prosecutions demonstrate that, through coordinated commitment, the United States Secret Service and the Department of Justice will penetrate and prosecute hacker organizations, wherever based and however sophisticated. The United States Attorney's Office for the Southern District of California is especially gratified that the work of the San Diego field office of the Secret Service contributed to an unprecedented effort to dismantle this international criminal enterprise," said Karen P. Hewitt, U.S. Attorney for the Southern District of California.
"Computer hacking and identity theft pose serious risks to our commercial, personal and financial security," said U.S. Attorney for the Eastern District of New York Benton J. Campbell. "Hackers who reach into our country from abroad will find no refuge from the reach of U.S. criminal justice."

"Technology has forever changed the way commerce is conducted, virtually erasing geographic boundaries," said U.S. Secret Service Director Mark Sullivan. "While these advances and the global nature of cyber crime continue to have a profound impact on our financial crimes investigations, this case demonstrates how combining law enforcement resources throughout the world sends a strong message to criminals that they will be pursued and prosecuted no matter where they reside."

"The Internal Revenue Service Criminal Investigation Division recommends charges in numerous types of financial crimes," said Internal Revenue Service Criminal Investigation (IRS-CI) Chief Eileen Mayer. "Today's indictment is the result of a strong law enforcement partnership that brings together the necessary skills to follow alleged criminal activity from cyberspace to bank accounts. We are committed to the government's efforts to stop this type of corruptive activity."

These cases are being prosecuted by Assistant U.S. Attorney Stephen Heymann of the District of Massachusetts, Assistant U.S. Attorney Orlando Gutierrez of the Southern District of California, Assistant U.S. Attorney Will Campos of the Eastern District of New York, and by Senior Counsel Kimberly Kiefer Peretti, and Trial Attorneys Jenny Ellickson and Evan Williams of the Criminal Division's Computer Crime & Intellectual Property Section. The Criminal Division's Office of International Affairs provided extensive assistance related to extradition matters.

All of these cases are being investigated by the U.S. Secret Service. The IRS-CI provided significant investigatory assistance in the Boston case.
###

08-689

---
Personal Disclaimers Apply
TS Glassey

From hbrown at knology.net Fri Aug 8 08:42:45 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 08 Aug 2008 03:42:45 -0500
Subject: [Dataloss] 1200 patient records missing from TX hospital district
Message-ID: <489C0705.6060703@knology.net>

http://www.chron.com/disp/story.mpl/metropolitan/5931497.html

A low-level Harris County Hospital District administrator probably violated federal law when she downloaded medical and financial records for 1,200 patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen, legal experts said Thursday.

[...]

The hospital district has released little information about the situation. On Wednesday, spokesman Bryan McLeod issued a brief statement to the Chronicle saying patients affected by the breach would receive a letter in the mail and would be allowed to enroll in a credit protection program at the district's expense. The district has strengthened its policies and procedures regarding the use of transportable media devices, the statement said.

[...]

McLeod later issued a second brief statement saying the data on the device included the patients' names, medical record numbers, billing codes, the facilities where the office visits occurred and other billing information. It also included the patients' Medicaid or Medicare numbers, which can indicate their Social Security numbers or those of their spouses.

[...]

From jericho at attrition.org Thu Aug 7 17:47:21 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 7 Aug 2008 17:47:21 +0000 (UTC)
Subject: [Dataloss] follow-up: U.S. Indicts 11 For Alleged TJX Data Theft
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.crn.com/security/209903419

By Stefanie Hoffman
ChannelWeb
Aug. 05, 2008

A U.S. federal grand jury indicted 11 people Tuesday on charges that included the alleged theft of more than 45 million credit and debit card numbers from retail giant TJX in what officials call one of the largest data heists in history.

The U.S. Attorney's office in Boston said that the individuals indicted were responsible for "wardriving" and then hacking into wireless networks of numerous retailers, including TJX companies, BJ's Wholesale Club, OfficeMax (NYSE:OMX), Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DFW Inc. in order to steal tens of millions of credit card numbers.

The Framingham, Mass.-based retail giant TJX, which owns discount clothing stores TJ Maxx and Marshall's, was by far the hardest hit, suffering a loss of 45.7 million card numbers, which the retailer revealed in March of 2007.

[...]

From jericho at attrition.org Thu Aug 7 17:47:59 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 7 Aug 2008 17:47:59 +0000 (UTC)
Subject: [Dataloss] follow-up: 41 million credit/debit card numbers compromised
Message-ID:

---------- Forwarded message ----------
From: Richard Forno

11 charged in connection with credit card fraud
By ANNE D'INNOCENZIO - 16 hours ago

http://ap.google.com/article/ALeqM5iL9Fn3VNKRc00RHOLhI-cC-qEVwwD92CBBI80

NEW YORK (AP) - The Department of Justice announced Tuesday that it had charged 11 people in connection with the hacking of nine major U.S. retailers and the theft and sale of more than 41 million credit and debit card numbers.

It is believed to be the largest hacking and identity theft case ever prosecuted by the Department of Justice. The charges include conspiracy, computer intrusion, fraud and identity theft.

The indictment returned Tuesday by a federal grand jury in Boston alleges that the people charged hacked into the wireless computer networks of retailers including TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.
"While technology has made our lives much easier it has also created new vulnerabilities," U.S. Attorney Michael J. Sullivan said in a statement. "This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results."

The indictment alleges that the hackers installed programs to capture card numbers, passwords and account information, and then concealed the data in computer servers that they controlled in the U.S. and Eastern Europe.

[..]

From SteveHamburg at eclipsecurityllc.com Thu Aug 7 17:46:40 2008
From: SteveHamburg at eclipsecurityllc.com (Steve Hamburg)
Date: Thu, 7 Aug 2008 12:46:40 -0500
Subject: [Dataloss] Email correspondences containing PII / sensitive information that may be used to commit identity theft
In-Reply-To: <000001c8f764$d91f5a40$6401a8c0@tsg1>
References: <000001c8f764$d91f5a40$6401a8c0@tsg1>
Message-ID:

I apologize if this is a mere repeat of a previous thread, however, I just received an email notification from Disney Cruise Lines (DCL) that frustrates me, and reminded me of many other violators out there.

I'm planning a Disney trip for my family (yes, there will be people staying at, and guarding our residence), and the unprotected confirmation email received from DCL included the names and birth dates of all of my family members, as well as where within the cruise ship we would be residing. This reminded me of many other violators, for example:

1. How many times have you received an unprotected email after requesting a new password or creating a new account that contains both your user ID and password?
2. How many times have you had service providers (e.g., attorneys, accountants, etc.) send you unprotected emails with attachments containing extremely sensitive information?

It would be very interesting if a service / notification mechanism were to exist where these types of risk-prone actions could be reported and the informant could rest assured that disciplinary actions would be exercised.

Thoughts?
Steve.

--
Steven E. Hamburg, President
Eclipsecurity, LLC
Toll Free: (877) 369-5331 x 302
Office: (847) 850-5088 x 302
www.eclipsecurityllc.com

Lock-in success. Because information travels...

********************
This message and any accompanying attachments are intended only for the addressee(s) named above, and may contain information that is privileged or confidential. If you have received this email in error, please notify the sender and delete this message and any accompanying attachments immediately thereafter. To the extent the contents of this message or any accompanying attachments are original works of authorship, the right to copy, prepare derivative works, distribute, or display publicly such work without the permission of Eclipsecurity, LLC, is strictly prohibited under U.S. Copyright law.
********************

From macwheel99 at wowway.com Fri Aug 8 17:09:34 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Fri, 08 Aug 2008 12:09:34 -0500
Subject: [Dataloss] Email correspondences containing PII / sensitive information that may be used to commit identity theft
In-Reply-To:
References: <000001c8f764$d91f5a40$6401a8c0@tsg1>
Message-ID: <6.2.1.2.1.20080808115844.02f1a6a0@pop3.mail.wowway.com>

I do not believe there is a satisfactory alternative out there as yet. What you are complaining about is an extremely widespread practice.

1. I would guess 99% of the time when I request a new password, or register at a site new to me, the password and logon info arrives via e-mail in plain text.

2. I think all professionals I deal with ... auditors, accountants, lawyers, whoever ... all of them send highly sensitive info in attachments that anyone who can see the e-mail (such as our ISP), can also read the data, and request same from me. A handful of them have some boiler plate verbiage below the sig about what is the authorized use of this e-mail.
These same people have this identical verbiage on the bottom of their postings to discussion lists, whose archives are available to the general public.

3. Vast numbers of the computer-using public appear to be clueless when it comes to relationships between types of computer usage (e.g. P2P) and various risks (e.g. spyware).

We can report this kind of thing to the FTC or equivalent organisation in other nations, but generally all they do is collect statistics on how much of the total industry is criminal and/or incompetent. Some organization has to be extremely more blatant in harming consumers before action is taken.

The anti-spam, anti-virus, e-police, etc. software includes a lot with false positives and failures to block all the bad stuff, and lacks standards across various software clients.

Steve Hamburg wrote:

> I apologize if this is a mere repeat of a previous thread, however, I just received an email notification from Disney Cruise Lines (DCL) that frustrates me, and reminded me of many other violators out there.
>
> I'm planning a Disney trip for my family (yes, there will be people staying at, and guarding our residence), and the unprotected confirmation email received from DCL included the names and birth dates of all of my family members, as well as where within the cruise ship we would be residing. This reminded me of many other violators, for example:
>
> 1. How many times have you received an unprotected email after requesting a new password or creating a new account that contains both your user ID and password?
> 2. How many times have you had service providers (e.g., attorneys, accountants, etc.) send you unprotected emails with attachments containing extremely sensitive information?
>
> It would be very interesting if a service / notification mechanism were to exist where these types of risk-prone actions could be reported and the informant could rest assured that disciplinary actions would be exercised.
>
> Thoughts?
>
> Steve.
>
> --
> Steven E. Hamburg, President
> Eclipsecurity, LLC
> Toll Free: (877) 369-5331 x 302
> Office: (847) 850-5088 x 302
> www.eclipsecurityllc.com
>
> Lock-in success. Because information travels...

From lyger at attrition.org Fri Aug 8 18:40:54 2008
From: lyger at attrition.org (lyger)
Date: Fri, 8 Aug 2008 18:40:54 +0000 (UTC)
Subject: [Dataloss] UK: BBC apologises after children's personal data stolen
Message-ID:

http://www.timesonline.co.uk/tol/news/uk/article4481621.ece

The BBC has apologised to parents and started an investigation after a memory stick containing the personal data of hundreds of children was stolen.

Parents have been sent a letter by the BBC informing them that details such as the names, addresses, mobile phone numbers and dates of birth of children who applied to take part in a cookery show had been taken. The stolen data also included details of when children and their parents would be away on holiday.
The BBC said that it took the loss of the sensitive data extremely seriously and has suspended production on the programme, Gastronuts, while an investigation is conducted.

[...]

From adam at homeport.org Fri Aug 8 22:19:58 2008
From: adam at homeport.org (Adam Shostack)
Date: Fri, 8 Aug 2008 18:19:58 -0400
Subject: [Dataloss] (admin) Moderators + Vegas = ...
In-Reply-To:
References:
Message-ID: <20080808221958.GA29652@homeport.org>

On Tue, Aug 05, 2008 at 07:32:23PM +0000, security curmudgeon wrote:
|
| : Quick note to everyone: all mail list moderators are either already in
| : Las Vegas for this week's Black Hat and/or DefCon events or are
| : currently packing our bags and printing out our boarding passes. We
| : will continue to post and approve messages as time permits, but please
| : be patient if list traffic gets reealllyyyy slloooowwwww over the next
| : five days or so.
| :
| : For anyone who will be attending the conferences this week, please feel
| : free to come up and say hi if you see us. We'll be the guys and gals
| : wearing attrition.org, DatalossDB.org, and OSVDB.org gear running away
| : from the sound of the sirens... ;)
|
| First one that finds Lyger, screams "DATA LOSS" at him, and pushes him in
| the Bellagio fountain will get a crisp 20 dollar bill and a White Russian,
| compliments of attrition.org.

Does yelling "Nice shirt!" count? :)

From fergdawg at netzero.net Fri Aug 8 18:58:26 2008
From: fergdawg at netzero.net (Paul Ferguson)
Date: Fri, 8 Aug 2008 18:58:26 GMT
Subject: [Dataloss] Irish Credit-Card Holders Hit By Online Theft
Message-ID: <20080808.115826.27343.0@webmail01.vgs.untd.com>

Via The Belfast Telegraph.

[snip]

Irish banks are reportedly working to cancel hundreds of credit cards following a suspected online security breach.
Reports this morning say fraudsters are believed to have hacked into the database of one the country's leading retailers to steal the credit card details of its customers.

The theft was discovered on Wednesday night after the thieves tested stolen credit card details on a US website, spending a small amount to see if they would work.

Irish banks were informed that hundreds of their customers may be at risk of identity fraud as a result and they have contacted these customers to cancel their credit cards.

[snip]

Link:
http://www.belfasttelegraph.co.uk/breaking-news/ireland/irish-creditcard-holders-hit-by-online-theft-13934391.html

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

From lyger at attrition.org Mon Aug 11 23:43:45 2008
From: lyger at attrition.org (lyger)
Date: Mon, 11 Aug 2008 23:43:45 +0000 (UTC)
Subject: [Dataloss] Personal data of 380,000 welfare recipients stolen
Message-ID:

http://www.irishtimes.com/newspaper/ireland/2008/0812/1218477342243.html

THE DEPARTMENT of Social and Family Affairs is contacting 380,000 social welfare recipients after it emerged their personal details were stored on a laptop computer which was stolen more than a year ago.

About 100,000 of the records contained bank account details of welfare recipients.

Information relating to these welfare recipients was stored on a computer used by the Comptroller and Auditor General at a Department of Social and Family Affairs office on Dublin's Pearse Street in April 2007.

[...]
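The DOJ release forwarded earlier in this digest describes "sniffer" programs planted on the retailers' card-processing networks that harvested card numbers in transit, and stolen numbers later being written onto the magnetic stripes of blank cards. The block below is an added example and is not code from any message on this list, nor from the DOJ, the Secret Service or any of the retailers named: a small Python detector of the kind a defender would run over a network tap or an outbound-traffic capture to find primary account numbers (PANs) leaving a processing segment in the clear. It finds Luhn-valid digit runs and, where present, the Track 2 form that ends up on a stripe (";PAN=YYMM<service code>...?"), and masks what it reports. Every payload, terminal name and card number is constructed for the example; the card numbers are the widely published Visa and Mastercard test numbers, not real accounts.

```python
# Added example: PAN detection over captured payment-network payloads.
# Not code from any message in this digest; every payload, terminal id and
# card number below is constructed for illustration.
import re

# Constructed sample payloads. Two carry Track 2 data in the stripe format
# ";PAN=YYMM<service code><discretionary data>?", one a bare PAN in a
# settlement record, one a 16-digit order number that fails Luhn, one noise.
SAMPLE_PAYLOADS = [
    b"POS01 AUTH ;4111111111111111=25121011000012345678? AMT=004999",
    b"POS02 AUTH ;5500000000000004=24061015000099887766? AMT=001250",
    b"SETTLE BATCH 17 PAN=4012888888881881 AMT=010000",
    b"ORDER 4111111111111112 STATUS=SHIPPED",
    b"HEARTBEAT 2008-08-05T12:00:00Z",
]

TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")     # ;PAN=YYMM...
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")    # isolated 13-19 digit runs


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: every issued PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI display rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(payload: bytes) -> list:
    """Return each Luhn-valid PAN in one payload, masked, with Track 2 expiry if present."""
    hits, seen = [], set()
    for m in TRACK2_RE.finditer(payload):            # stripe-format data first
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"pan": mask(pan), "track2": True, "expiry": m.group(2).decode()})
            seen.add(pan)
    for m in PAN_RE.finditer(payload):               # then bare PANs not already seen
        pan = m.group(1).decode()
        if pan not in seen and luhn_ok(pan):
            hits.append({"pan": mask(pan), "track2": False, "expiry": None})
            seen.add(pan)
    return hits


def scan(payloads) -> list:
    """(payload index, hit) for every PAN found across a capture."""
    return [(i, h) for i, p in enumerate(payloads) for h in find_pans(p)]


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_PAYLOADS):
        print(idx, hit)
```

The Luhn test is what keeps the 16-digit order number in the fourth payload out of the results, and the lookarounds in PAN_RE stop the 20-digit discretionary field after the expiry date from being split into a false PAN. A check like this only works at the capture point, before the data reaches the encrypted drop servers the indictment describes, which is why it belongs on the processing segment itself rather than at the Internet edge.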
From jericho at attrition.org Tue Aug 12 08:10:11 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 12 Aug 2008 08:10:11 +0000 (UTC)
Subject: [Dataloss] follow-up: Missing SFO Clear Laptop Was Stolen, Not Misplaced
Message-ID:

---------- Forwarded message ----------
From: Paul Ferguson

Via CBS5.com.

[snip]

A laptop containing the personal information of 33,000 applicants to a program that allows air travelers to bypass airport security lines was likely stolen then returned, not just misplaced for more than a week, investigators said Monday.

The Transportation Security Administration announced a week ago that it had suspended new enrollments to the program, known as Clear, after the unencrypted computer went missing from a locked office at San Francisco International Airport. The TSA also told officials at SFO and other airports that used Clear to cease use of any unencrypted computers and secure devices until encryption can be installed.

The day after TSA's announcement, the laptop reappeared in a locked cabinet in the same office where it was last seen. Verified Identity Pass Inc., which runs the Clear program, said at the time the company did not know whether its computer was actually stolen or had just been overlooked.

Investigators are now treating the disappearance as a theft and are interviewing Verified Identity Pass employees to figure out who took the laptop and why, said San Mateo County Sheriff's Sgt. Wes Matsuura. It was "highly doubtful" that a random member of the public swiped the computer and then returned it to the locked office, which is not in a visible location at the airport, Matsuura said.
[snip]

More:
http://cbs5.com/local/sfo.laptop.stolen.2.792738.html

From lyger at attrition.org Tue Aug 12 13:56:35 2008
From: lyger at attrition.org (lyger)
Date: Tue, 12 Aug 2008 13:56:35 +0000 (UTC)
Subject: [Dataloss] Wells Fargo hit by data breach
Message-ID:

http://www.finextra.com/fullstory.asp?id=18849

US banking group Wells Fargo is notifying 7000 customers that hackers have accessed their confidential personal data by illegally using its access codes.

Personal information including names, addresses, dates of birth, social security numbers, driver's licence numbers and in some cases, credit account information was accessed by "unauthorised persons".

The incident was first reported by The Breach Blog which provides links to a letter sent by the bank to New Hampshire Attorney General Kelly Ayotte.

[...]

From hbrown at knology.net Tue Aug 12 15:57:26 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 12 Aug 2008 10:57:26 -0500
Subject: [Dataloss] dumpster diving in San Antonio TX
Message-ID: <48A1B2E6.5070306@knology.net>

From WOAI.com

http://tinyurl.com/6pz25e

The News 4 Trouble Shooters found a gold mine at a local drug treatment center. Hundreds of private, personal records thrown out with the trash. Information that, by law, must be protected.

A tip led the Trouble Shooters to the dumpster behind Treatment Associates, located at 701 San Pedro, near downtown. We pulled out more than 40 file folders with private drug treatment records. Records detailing medical histories of clients with diseases and drug addictions. We also found documents showing sexual abuse and information needed to steal someone's identity, like social security numbers.

"The concern of course is that this information was released," said Mary Walker, the spokesperson for Child Protective Services. Walker says she is troubled that CPS records with such personal information were just thrown out in the trash.
"This causes us serious concern, what you've shown us are records that have very private information in them, records that are confidential and certainly nothing that we would release," said Walker.

From jericho at attrition.org Wed Aug 13 06:46:24 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 13 Aug 2008 06:46:24 +0000 (UTC)
Subject: [Dataloss] follow-up: Worker who lost data no longer on job
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.chron.com/disp/story.mpl/metropolitan/5937805.html

By LIZ AUSTIN PETERSON
Copyright 2008 Houston Chronicle
Aug. 11, 2008

The Harris County Hospital District administrator who downloaded medical and financial records for 1,200 patients onto a flash drive that later was lost or stolen no longer works there, a district spokesman said Monday.

Spokesman Bryan McLeod confirmed the low-level administrator's departure but would not say whether she resigned or was fired or when she left, calling it a confidential personnel matter. Attempts to reach the former employee for comment Monday were unsuccessful.

The flash drive contained records listing patients' names, medical record numbers, billing codes, the facilities where they were treated and other billing information, the district said. It also included the patients' Medicaid or Medicare numbers, which can indicate their Social Security numbers or those of their spouses.

Many of the patients listed on the flash drive have HIV or AIDS, according to Harris County Judge Ed Emmett.

[...]

From lyger at attrition.org Wed Aug 13 11:32:15 2008
From: lyger at attrition.org (lyger)
Date: Wed, 13 Aug 2008 11:32:15 +0000 (UTC)
Subject: [Dataloss] SC: Laptops With Cable Company Workers' Data Stolen
Message-ID:

http://www.wyff4.com/news/17177025/detail.html

The personal information of thousands of current and former Charter Communications employees are in the wrong hands after several laptop computers were stolen last month, the company said.
A letter sent to the affected workers said that the computers were stolen from the company's Greenville offices and contained records of more than 9,000 Charter employees nationwide. The information included Social Security numbers, dates of birth and driver's license numbers.

[...]

From jjturner at gmail.com Thu Aug 14 13:56:30 2008
From: jjturner at gmail.com (Jon Turner)
Date: Thu, 14 Aug 2008 09:56:30 -0400
Subject: [Dataloss] Surgery loses patient data tape
Message-ID: <3352c09b0808140656o3a405a49xd7281f37746ef0fa@mail.gmail.com>

A tape containing the records of more than 11,000 patients has been lost by a GP practice in Greater Manchester.

The magnetic tape contains duplicates of current and old patient details at Whitaker Lane Practice in Prestwich.

Doctors say the records can only be viewed using specialist equipment and are unlikely to be accessible by other systems, such as home computers.

Letters have been sent to all 6,000 registered patients at the practice to inform them of the loss.

From jjturner at gmail.com Thu Aug 14 13:59:09 2008
From: jjturner at gmail.com (Jon Turner)
Date: Thu, 14 Aug 2008 09:59:09 -0400
Subject: [Dataloss] Mothers-to-be contacted after midwife loses diary
Message-ID: <3352c09b0808140659l7a50cebbk30786d06f081e340@mail.gmail.com>

Health bosses in Rochdale have apologised to hundreds of new and expectant mothers after a midwife lost a diary containing their names and addresses.

The Pennine Acute Trust wrote to 345 women in the area after a community midwife lost her diary last week.

The hand-written diary covered her antenatal and postnatal appointments between January and July 2008.

A trust spokesman said the diary contained patients' telephone numbers and addresses but no medical information.
From lyger at attrition.org Thu Aug 14 18:34:27 2008
From: lyger at attrition.org (lyger)
Date: Thu, 14 Aug 2008 18:34:27 +0000 (UTC)
Subject: [Dataloss] FL: Medical Center Patient Records Posted On Internet
Message-ID:

http://www.wftv.com/news/17188045/detail.html?taf=orlc

Hundreds of people in Brevard County found out Thursday if their personal information was stolen. Names, social security numbers and even personal medical information of more than 500 patients at Wuesthoff Medical Center were posted on the Internet.

A Rockledge patient was contacted after an insurance agent in Arizona discovered the list while surfing the Web. The Medical Center shut the site down, but patients were worried because they don't know who could have seen it.

[...]

From lyger at attrition.org Fri Aug 15 11:37:24 2008
From: lyger at attrition.org (lyger)
Date: Fri, 15 Aug 2008 11:37:24 +0000 (UTC)
Subject: [Dataloss] follow-up: Wuesthoff Web site security breached
Message-ID:

(so which is it... "hackers" or little ol' Google? you decide...)

http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20080815/BUSINESS/808150326/1006/NEWS01

Hackers penetrated Wuesthoff Health System's pre-registration Web site earlier this week, gaining access to personal information on 500 patients, including names, addresses and Social Security numbers.

Wuesthoff officials said there were six outside "hits" Tuesday and Wednesday to its live Web site, where patients registered ahead of time for surgery, lab work and other services the Rockledge-based healthcare system provides. The site was immediately shut down.

[...]

In Wuesthoff's case, Crites said the provider uses the same encryption technology to protect online information as banks do, but installed a new software program two weeks ago, called Google Analytics, that may have provided a portal for unauthorized entry.
Wuesthoff implemented the program to better track consumers researching its Web site, she said, and has never had a problem until now. The on-site database has been in existence since 2006, she said.

"The breach of information does not appear to be a malicious entry," Crites said. "It was the depth and capabilities of the Google search engine."

[...]

From lyger at attrition.org Fri Aug 15 19:43:29 2008
From: lyger at attrition.org (lyger)
Date: Fri, 15 Aug 2008 19:43:29 +0000 (UTC)
Subject: [Dataloss] TX: KHS mail mix-up prompts identity theft concerns
Message-ID:

http://www.kellercitizen.com/101/story/10750.html

When the Silva family received a mailing from Keller High School last week, they didn't think it would be anything unusual.

Upon opening it, Apollo and Marsha Silva found two enrollment forms. One was an emergency-care authorization form for their son, Anthony, 15, an incoming sophomore. But the other was a student-information form containing a classmate's social security number, student ID number, home address, phone number and contact information for his parents at home and at work.

They quickly realized that their son's private information, which they used to set up his college fund and other accounts, was mailed to someone else.

[...]

The high school has received about 45 phone calls from families who received the wrong paperwork, a spokeswoman for the Keller school district said Tuesday.

[...]

From mhill at idtexperts.com Sat Aug 16 14:45:23 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Sat, 16 Aug 2008 10:45:23 -0400
Subject: [Dataloss] GA: Documents Loaded with Personal Information Found in Atlanta Dumpster
Message-ID:

http://www.myfoxatlanta.com/myfox/pages/News/Detail?contentId=7220769&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1

ATLANTA (MyFOX Atlanta) - Thousands of documents loaded with social security numbers and other personal information were thrown out Friday, left in dumpsters that anyone could get to.
"I thought, wow, that's a lot of cardboard. And then I said, wait a minute, those look like documents," said George Altman. Altman works at the Northlake office park where the documents were dumped. Altman said it took him about 10 seconds to realize there was a problem. "As you see, this thing is full of things like this, where there's a person's photo on here. You open it up and there's a social security readily available," said Altman. The documents listed dates of birth, addresses and even medical records in almost every file. No one was at the law office Friday afternoon where the case files originated. Late Friday, the personal injury lawyer who represented the clients in the files said the cases were closed so he threw the documents out. He later admitted it was a mistake to dump them. "These are old records, they're 10 years old, but I still live in the same house I had 10 or 15 years ago and my social security number hasn't changed," said Altman. The files filled up parts of three dumpsters and the personal information of literally thousands of people were there for anyone to take. The information belonged to people not just from the Atlanta area, but from everywhere from Lula to Jackson. "I am completely stunned by this and I can't believe this is still happening in today's age, when we're so aware of identity theft," said Altman. Michael Hill, MCSD Certified Identity Theft Risk Management Specialist www.idtheft101.net 404-216-3751 "If You Think You're Not At Risk, Think Again!" NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email. This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. 
From jjturner at gmail.com Sun Aug 17 17:34:20 2008
From: jjturner at gmail.com (Jon Turner)
Date: Sun, 17 Aug 2008 18:34:20 +0100
Subject: [Dataloss] Ministry of Justice loses 45,000 personal records
Message-ID: <3352c09b0808171034o4772c306l48dfcd05f5b2f7d7@mail.gmail.com>

http://www.timesonline.co.uk/tol/news/uk/article4546434.ece

From Times Online, August 16, 2008
Ministry of Justice loses 45,000 personal records
Kevin Dowling

The Government's reputation for protecting people's sensitive electronic data has been dealt yet another blow with the revelation that the Ministry of Justice (MoJ) lost the records of 45,000 people.

The information included dates of birth, national insurance numbers, criminal records, and in a single incident, the loss of bank details and other information belonging to 27,000 people working for suppliers to the department.

In another case, officials lost an "inadequately protected" laptop storing the job applications of 13 people who were applying for judicial positions with the service.

The revelations in the department's annual accounts come after similar blunders saw two CDs with the child benefit records of 25 million families lost in the post and the loss of 658 laptops by the Ministry of Defence.

In 30,000 cases the MoJ did not notify the people affected, judging that it did not need to do so after carrying out a risk assessment.
In January an "inadequately protected" laptop containing records of 14,000 fine defaulters including names, dates of birth, addresses, offences, and - in a fifth of cases - national insurance numbers, went missing from a "secured" government office.

In June 2007 records of 27,000 people working for suppliers to the MoJ, again kept on "inadequately protected" storage devices, were lost.

From jjturner at gmail.com Mon Aug 18 12:21:14 2008
From: jjturner at gmail.com (Jon Turner)
Date: Mon, 18 Aug 2008 13:21:14 +0100
Subject: [Dataloss] Depts reveal data losses and breaches
Message-ID: <3352c09b0808180521g3dad2823secd62b9f3cf514e7@mail.gmail.com>

The DWP's resource accounts said its biggest breach was the retention of two discs by a contractor. The discs contained the data of 9,000 people and forced the department to notify law enforcement.

The department also suffered two other incidents. One in July 2007 that potentially affected 7,800 and one in January when papers with data on 45 people were lost.

http://www.publicservice.co.uk/news_story.asp?id=6798

Note: DoJ are already loaded

From lyger at attrition.org Mon Aug 18 19:02:46 2008
From: lyger at attrition.org (lyger)
Date: Mon, 18 Aug 2008 19:02:46 +0000 (UTC)
Subject: [Dataloss] Feds seek to nab credit card thieves in La., Miss.
Message-ID:

Courtesy Victor Chavez:

http://www.forbes.com/feeds/ap/2008/08/18/ap5334017.html

A ring of cyberthieves has stolen tens of thousands of credit card numbers from Louisiana and Mississippi restaurants this year, leading to over $1 million in losses for the banks that issued them.

The restaurants began reporting the thefts beginning in March in Baton Rouge, followed by similar cases in Flowood, Miss., Lafayette, Lake Charles and West Monroe. The hackers have swiped credit and debit card numbers off 16 restaurants' computer systems, then sought to sell them for anywhere between $1 and $100 each, according to Special Agent Sean Connor of the U.S.
Secret Service, an arm of the Treasury Department that investigates financial crimes.

"Once they get a big pile of credit card numbers, they turn around and sell them on the Internet," Connor said.

The cases appear connected and probably involve a criminal network that stretches overseas, which would be consistent with other identity theft cases, U.S. Attorney David Dugas said. A group indicted in a separate case earlier this month includes defendants from three continents.

Authorities have no total dollar figure for the losses sustained in the Louisiana-Mississippi cases because the victims - local and national banks - are still compiling figures, Connor said. The hardest hit is a bank reporting over $1.1 million in losses, he said.

[...]

From lyger at attrition.org Mon Aug 18 23:57:45 2008
From: lyger at attrition.org (lyger)
Date: Mon, 18 Aug 2008 23:57:45 +0000 (UTC)
Subject: [Dataloss] VA: Dominion Enterprises Discloses Data Breach in Business Division
Message-ID:

http://www.marketwatch.com/news/story/dominion-enterprises-discloses-data-breach/story.aspx?guid=%7B2FC9A6DF-38BC-451D-9AC3-1FFD05A36D20%7D&dist=hppr

Dominion Enterprises today announced that a computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008. The data intrusion resulted in the potential exposure of personal information, including the names, addresses, birth dates, and social security numbers of 92,095 applicants who submitted credit applications to IFMG's family of special finance Web sites.

Dominion Enterprises is mailing letters to the individuals whose personal information it can determine was illegally accessed.
The company is offering one full year of free credit monitoring services to all affected parties, and has provided information about additional resources where consumers can learn how to help protect themselves from identity theft.

[...]

From tglassey at earthlink.net Tue Aug 19 01:58:28 2008
From: tglassey at earthlink.net (TS Glassey)
Date: Mon, 18 Aug 2008 18:58:28 -0700
Subject: [Dataloss] Feds seek to nab credit card thieves in La., Miss.
References:
Message-ID: <005701c9019f$293c1100$6401a8c0@tsg1>

It would be interesting to know whose Management Systems these shops all bought.

Todd

----- Original Message -----
From: "lyger"
To:
Sent: Monday, August 18, 2008 12:02 PM
Subject: [Dataloss] Feds seek to nab credit card thieves in La., Miss.

>
> Courtesy Victor Chavez:
>
> http://www.forbes.com/feeds/ap/2008/08/18/ap5334017.html
>
> A ring of cyberthieves has stolen tens of thousands of credit card
> numbers from Louisiana and Mississippi restaurants this year, leading to
> over $1 million in losses for the banks that issued them.
>
> The restaurants began reporting the thefts beginning in March in Baton
> Rouge, followed by similar cases in Flowood, Miss., Lafayette, Lake
> Charles and West Monroe. The hackers have swiped credit and debit card
> numbers off 16 restaurants' computer systems, then sought to sell them
> for anywhere between $1 and $100 each, according to Special Agent Sean
> Connor of the U.S. Secret Service, an arm of the Treasury Department
> that investigates financial crimes.
>
> "Once they get a big pile of credit card numbers, they turn around and
> sell them on the Internet," Connor said.
>
> The cases appear connected and probably involve a criminal network that
> stretches overseas, which would be consistent with other identity theft
>
> cases, U.S. Attorney David Dugas said. A group indicted in a separate
> case earlier this month includes defendants from three continents.
>
> Authorities have no total dollar figure for the losses sustained in the
> Louisiana-Mississippi cases because the victims - local and national
> banks - are still compiling figures, Connor said. The hardest hit is a
> bank reporting over $1.1 million in losses, he said.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml

From macwheel99 at wowway.com Tue Aug 19 02:58:43 2008
From: macwheel99 at wowway.com (macwheel99 at wowway.com)
Date: Mon, 18 Aug 2008 21:58:43 -0500
Subject: [Dataloss] Feds seek to nab credit card thieves in La., Miss.
In-Reply-To: <005701c9019f$293c1100$6401a8c0@tsg1>
References: <005701c9019f$293c1100$6401a8c0@tsg1>
Message-ID: <20080819023810.M1198@wowway.com>

A company can buy some computer system and not install, or manage, it properly.

I am more interested in whether they had any PCI audits or other security audits, and what if anything the audits had to say about their state of security preparedness.

Here's what went wrong at TJX Max (click on preview to see document filed by 5/3 bank auditor AFTER the mess.) http://www.box.net/shared/ieae3qfqj9

This is quite an eye-opener ... they had perfectly good computer systems, but at some level of company leadership, there was no conception of their security responsibilities, what it meant to be PCI compliant.

There were TWELVE cyber security standards applicable to TJX.
They had met THREE of them.

Buying and installing computer systems is not enough.
There has to be informed management ensuring that systems have been properly implemented, are doing the job they are intended to do, and continue to do so, after any upgrades to related systems.

When that does not happen, we cannot blame the computer vendors. That's like blaming an auto manufacturer because a drunk is driving around, on a flat tire, with broken lights.

TS Glassey wrote
> It would be interesting to know who's Management Systems these shops
> all bought.
>
> Todd
>
> ----- Original Message -----
> From: "lyger"
> >
> > Courtesy Victor Chavez:
> >
> > http://www.forbes.com/feeds/ap/2008/08/18/ap5334017.html
> > The restaurants began reporting the thefts beginning in March in Baton
> > Rouge, followed by similar cases in Flowood, Miss., Lafayette, Lake
> > Charles and West Monroe. The hackers have swiped credit and debit card
> > numbers off 16 restaurants' computer systems,
> >
> > The cases appear connected and probably involve a criminal network that
> > stretches overseas, which would be consistent with other identity theft
> >
>> cases, U.S. Attorney David Dugas said.
> > [...]

From arshad.noor at strongauth.com Tue Aug 19 03:52:12 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Mon, 18 Aug 2008 20:52:12 -0700
Subject: [Dataloss] Feds seek to nab credit card thieves in La., Miss.
In-Reply-To: <20080819023810.M1198@wowway.com>
References: <005701c9019f$293c1100$6401a8c0@tsg1> <20080819023810.M1198@wowway.com>
Message-ID: <48AA436C.50400@strongauth.com>

Hear, hear! I, overwhelmingly, agree with macwheel99.

When people start taking personal responsibility for the proper execution of their jobs and business mandates, we can then expect to see a reduction of such breaches. However, based on the number of data-loss reports I get on this forum weekly, I am not optimistic that there are sufficient people who take this responsibility seriously.
Therefore, the only way for companies to take our personal data seriously is through legislation that has serious consequences for failure to protect that data.

Arshad Noor
StrongAuth, Inc.

macwheel99 at wowway.com wrote:
> A company can buy some computer system and not install, or manage, it
> properly.
> I am more interested in whether they had any PCI audits or other security
> audits, and what if anything the audits had to say about their state of
> security preparedness.
>
> Here's what went wrong at TJX Max (click on preview to see document filed by
> 5/3 bank auditor AFTER the mess.) http://www.box.net/shared/ieae3qfqj9
>
> This is quite an eye-opener ... they had perfectly good computer systems,
> but at some level of company leadership, there was no conception of their
> security responsibilities, what it meant to be PCI compliant.
>
> There were TWELVE cyber security standards applicable to TJX.
> They had met THREE of them.
>
> Buying and installing computer systems is not enough.
>
> There has to be informed management of that systems have been properly
> implemented, are doing the job they are intended to do, and continue to do
> so, after any upgrades to related systems.
>
> When that does not happen, we cannot blame the computer vendors. That's like
> blaming an auto manufacturer because a drunk is driving around, on a flat
> tire, with broken lights.
>

From fergdawg at netzero.net Tue Aug 19 03:15:37 2008
From: fergdawg at netzero.net (Paul Ferguson)
Date: Tue, 19 Aug 2008 03:15:37 GMT
Subject: [Dataloss] Feds seek to nab credit card thieves in La., Miss.
Message-ID: <20080818.201537.19908.0@webmail01.vgs.untd.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- macwheel99 at wowway.com wrote:

>A company can buy some computer system and not install, or manage, it properly. I am more interested in whether they had any PCI audits or other security audits, and what if anything the audits had to say about their state of security preparedness.
>
>Here's what went wrong at TJX Max (click on preview to see document filed
>by 5/3 bank auditor AFTER the mess.) http://www.box.net/shared/ieae3qfqj9
>
> This is quite an eye-opener ... they had perfectly good computer systems,
> but at some level of company leadership, there was no conception of their security responsibilities, what it meant to be PCI compliant.
>

It was my understanding that (according to Evan Schuman at StorefrontBacktalk):

"...Visa knew of the extensive security problems at TJX but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court Thursday."

http://storefrontbacktalk.com/story/110907visaletter

- - ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

From jjturner at gmail.com Tue Aug 19 07:42:50 2008
From: jjturner at gmail.com (Jon Turner)
Date: Tue, 19 Aug 2008 08:42:50 +0100
Subject: [Dataloss] Feds seek to nab credit card thieves in La., Miss.
In-Reply-To: <20080818.201537.19908.0@webmail01.vgs.untd.com>
References: <20080818.201537.19908.0@webmail01.vgs.untd.com>
Message-ID: <3352c09b0808190042r198942cdp2493c0d27b9d76b2@mail.gmail.com>

2008/8/19 Paul Ferguson :
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -- macwheel99 at wowway.com wrote:
>
>>A company can buy some computer system and not install, or manage, it
> properly.
> I am more interested in whether they had any PCI audits or other security
> audits, and what if anything the audits had to say about their state of
> security preparedness.
>>
>>Here's what went wrong at TJX Max (click on preview to see document filed
>>by
> 5/3 bank auditor AFTER the mess.)
> http://www.box.net/shared/ieae3qfqj9
>>
>> This is quite an eye-opener ... they had perfectly good computer systems,
>>
> but at some level of company leadership, there was no conception of their
> security responsibilities, what it meant to be PCI compliant.
>>
>
> It was my understanding that (according to Evan Schuman at
> StorefrontBacktalk):
>
> "...Visa knew of the extensive security problems at TJX but decided to give
> the retailer permission to remain non-compliant through Dec. 31, 2008,
> according to documents filed in federal court Thursday."
>
> http://storefrontbacktalk.com/story/110907visaletter
>
> - - ferg

Most companies are still burying their heads in the sand regarding PCI; a large number are doing so knowingly, a significant number have no clue. If it's going to cost them X million to become compliant and there is only a risk of a fine, then why should they care?

At the moment it's mainly just a risk of a fine if they lose data. As soon as the word risk is mentioned to management, the "It will never happen to us" complex kicks in and all chance of funding goes out the window (mainly because now everyone thinks they know about security; AV + firewall = secure to most non-specialists).

Security is just a cost of doing business; it doesn't add sales or company value, so everyone attempts to minimize it. Only when the payment vendors take away their right to process cards will they start to take notice.

From Visa's point of view you can see why they would approve the exemption though: either they approve it and are able to fine them if they lose the data ($'s to Visa) and also get 2% on most transactions through the store ($'s to Visa), and the payment processor/vendor is liable for losses, not Visa; or they don't approve it and remove the right to process Visa cards ($ to Mastercard + Amex).
At the moment, it's still the security teams in most organisations (if they have one) pushing PCI, and they don't have a very loud voice, whereas marketing and finance do.

oh, sorry about the first post being a rant....

From lyger at attrition.org Tue Aug 19 11:31:16 2008
From: lyger at attrition.org (lyger)
Date: Tue, 19 Aug 2008 11:31:16 +0000 (UTC)
Subject: [Dataloss] FL: Student Files Are Exposed on Web Site
Message-ID:

http://www.nytimes.com/2008/08/19/technology/19review.html?_r=1&ref=technology&oref=slogin

The Princeton Review, the test-preparatory firm, accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site, where they were available for seven weeks.

A flaw in configuring the site allowed anyone to type in a relatively simple Web address and have unfettered access to hundreds of files on the company's computer network, including educational materials and internal communications.

Another test-preparatory company said it stumbled on the files while doing competitive research. This company provided The New York Times with the Web address of the internal files on the condition that it not be named. The Times informed the Princeton Review of the problem on Monday, and the company promptly shut off access to that portion of its site.

One file on the site contained information on about 34,000 students in the public schools in Sarasota, Fla., where the Princeton Review was hired to build an online tool to help the county measure students' academic progress. The file included the students' birthdays and ethnicities, whether they had learning disabilities, whether English was their second language, and their level of performance on the Florida Comprehensive Assessment Test, which is given to students in grades 3 to 11.
Another folder contained dozens of files with names and birth dates for 74,000 students in the school system of Fairfax County, Va., which had hired the Princeton Review to measure and improve student performance.

[...]

From lyger at attrition.org Tue Aug 19 17:23:33 2008
From: lyger at attrition.org (lyger)
Date: Tue, 19 Aug 2008 17:23:33 +0000 (UTC)
Subject: [Dataloss] WA: Kingston Tax Service computers stolen; clients warned of identity theft
Message-ID:

http://www.pnwlocalnews.com/kitsap/nkh/news/27134264.html

Immediate action is necessary on behalf of all Kingston Tax Service clients to protect themselves from identity theft.

Office computers were stolen from the business in a reported burglary sometime before 8:30 a.m. on Aug. 12.

"On each of the computers is information which can be used by identity thieves," states a letter sent to clients of Kingston Tax Services.

The letter, written by owner Tim Winsor the day the robbery report was filed, urges clients to put fraud alerts on their credit cards "immediately." Although the information was password protected, Winsor states they aren't foolproof. He advises clients they need to call banks, credit card companies, the Social Security Administration and three Credit Bureau Fraud Departments: TransUnion, Equifax and Experian.

[...]

From george at georgetoft.com Wed Aug 20 04:15:52 2008
From: george at georgetoft.com (George Toft)
Date: Tue, 19 Aug 2008 21:15:52 -0700
Subject: [Dataloss] Feds seek to nab credit card thieves in La., Miss.
In-Reply-To: <48AA436C.50400@strongauth.com>
References: <005701c9019f$293c1100$6401a8c0@tsg1> <20080819023810.M1198@wowway.com> <48AA436C.50400@strongauth.com>
Message-ID: <1219205753.12355.87.camel@bobpc2.georgetoft.com>

Fat chance on the legislation. I had the opportunity to talk to a lobbyist for a major insurance company about our state data protection law and she gave me critical insight as to WHY our well-written bill got defanged and neutered.
This Ins Co told the state legislature that they would have to stop operating in the state should the bill pass as written (it was modeled after California's law). This Ins Co is one of the state's largest employers. The economic damage caused by their departure would be devastating, so the bill conveniently died in committee.

It's all about the Benjamins - one way or another.

George

On Mon, 2008-08-18 at 20:52 -0700, Arshad Noor wrote:
> Hear, hear! I, overwhelmingly, agree with macwheel99.
>
> When people start taking personal responsibility for the
> proper execution of their jobs and business mandates, we
> can then expect to see a reduction of such breaches.
> However, based on the number of data-loss reports I get
> on this forum weekly, I am not optimistic that there are
> sufficient people who take this responsibility seriously.
> Therefore, the only way for companies to take our personal
> data seriously is through legislation that has serious
> consequences for failure to protect that data.
>
> Arshad Noor
> StrongAuth, Inc.
>
> macwheel99 at wowway.com wrote:
> > A company can buy some computer system and not install, or manage, it
> > properly.
> > I am more interested in whether they had any PCI audits or other security
> > audits, and what if anything the audits had to say about their state of
> > security preparedness.
> >
> > Here's what went wrong at TJX Max (click on preview to see document filed by
> > 5/3 bank auditor AFTER the mess.) http://www.box.net/shared/ieae3qfqj9
> >
> > This is quite an eye-opener ... they had perfectly good computer systems,
> > but at some level of company leadership, there was no conception of their
> > security responsibilities, what it meant to be PCI compliant.
> >
> > There were TWELVE cyber security standards applicable to TJX.
> > They had met THREE of them.
> >
> > Buying and installing computer systems is not enough.
> >
> > There has to be informed management of that systems have been properly
> > implemented, are doing the job they are intended to do, and continue to do
> > so, after any upgrades to related systems.
> >
> > When that does not happen, we cannot blame the computer vendors. That's like
> > blaming an auto manufacturer because a drunk is driving around, on a flat
> > tire, with broken lights.
> >
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>

From jericho at attrition.org Thu Aug 21 10:31:37 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 21 Aug 2008 10:31:37 +0000 (UTC)
Subject: [Dataloss] UK.gov loses 29 million personal records (fwd)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.theregister.co.uk/2008/08/20/uk_gov_lost_records/

By John Leyden
The Register
20th August 2008

UK government departments have managed to leak a total of 29 million personal records over a single year.

In addition to the 25 million records spilled in the infamous lost child benefit CDs debacle, another four million records went astray in other stuff-ups, some of which have previously gone unreported.

Since the HMRC data loss fiasco, Whitehall departments have begun to include data on information leaks as part of their annual financial statements. An analysis of these figures by the BBC revealed that personal information disclosures across UK government departments, excluding information on the lost child benefit CDs, averaged 300,000 records a month in the year up until April 2008 (the end of the UK tax year).
The loss of three million records of driving-test candidates by the Department of Transport in May 2007 makes up the bulk of these figures. The disappearance of an unencrypted laptop containing 620,000 personal records, including sensitive financial information such as bank account and National Insurance numbers, by the Ministry of Defence in January was another big contributor to the running count.

[...]

From jjturner at gmail.com Thu Aug 21 20:20:36 2008
From: jjturner at gmail.com (Jon Turner)
Date: Thu, 21 Aug 2008 21:20:36 +0100
Subject: [Dataloss] Company loses data on criminals
Message-ID: <3352c09b0808211320i432fa128i37b65158cf7e5da1@mail.gmail.com>

http://news.bbc.co.uk/1/hi/uk/7575766.stm

A contractor working for the Home Office has lost a computer memory stick containing personal details about tens of thousands of criminals.

The Home Office was first told by private firm PA Consulting on Monday that the data might be missing.

The lost data includes details about 10,000 prolific offenders as well as information on all 84,000 prisoners in England and Wales.

The Home Office said a full investigation was being conducted. They said the police and the Information Commissioner had been informed.

From lyger at attrition.org Sat Aug 23 13:14:37 2008
From: lyger at attrition.org (lyger)
Date: Sat, 23 Aug 2008 13:14:37 +0000 (UTC)
Subject: [Dataloss] Incident Highlight - Total affected... who's counting?
Message-ID:

http://datalossdb.org
2008-08-23 by Lyger

http://datalossdb.org/incidents/1127

There has been some discussion about the recent loss of a "memory stick" with the personal details of inmates in Great Britain. As the story above shows, it appears that about 84,000 prisoners may have been affected by this breach... or is that 94,000? Or... is that 130,000? Who knows... as bad as the British government apparently is about keeping anyone's (even prisoners) personal information safe, the media is apparently equally as bad about doing that "numbers thing".
For now, DataLossDB has this particular breach listed as 94,000 total records affected until more conclusive (coherent?) data has been obtained, but at least one question should be asked: does the total number of people affected in ANY data breach really matter? It seems that breaches with a large number of people and/or records affected get more media attention, especially when a lot of zeros and commas are in the headline, but is that really any indication of the magnitude of the real problem at hand? [...] From lyger at attrition.org Sun Aug 24 03:08:45 2008 From: lyger at attrition.org (lyger) Date: Sun, 24 Aug 2008 03:08:45 +0000 (UTC) Subject: [Dataloss] Revealed: 8 million victims in the world's biggest cyber heist Message-ID: http://www.sundayherald.com/news/heraldnews/display.var.2432225.0.0.php AN INTERNATIONAL criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than 2.8billion in illegal funds. A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group's online booking system and sold details of how to access it through an underground network operated by the Russian mafia. It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western's 1312 continental hotels since 2007. [...] From mhozven at tealeaf.com Sun Aug 24 00:18:01 2008 From: mhozven at tealeaf.com (Max Hozven) Date: Sat, 23 Aug 2008 17:18:01 -0700 Subject: [Dataloss] Video - A Texas company uses its bank's shredded checks to cushion jars they ship to customers. 
Message-ID: <771A26039D33ED489E23D9614DE630DD092B2808@SFMAIL02.tealeaf.com> http://www.cnn.com/video/#/video/us/2008/08/23/rocha.shredded.checks.kwch Shredded checks for packing? 1:45 A Texas company uses its bank's shredded checks to cushion jars they ship to customers. From macwheel99 at wowway.com Sat Aug 23 16:42:03 2008 From: macwheel99 at wowway.com (Al Mac Wheel) Date: Sat, 23 Aug 2008 11:42:03 -0500 Subject: [Dataloss] Incident Highlight - Total affected... who's counting? In-Reply-To: References: Message-ID: <6.2.1.2.1.20080823113324.04099020@pop3.mail.wowway.com> A statistic I would like to see from the researchers, who use DataLoss and other data, is the risk of a breach, by public & private sector, based on past performance. In the geographies where disclosure is mandated, there are so many thousand schools, of which so many scores have reported incidents. How many none reported? How many one? How many multiple? Thus, this has happened at what % of total schools? And what % of total schools have repeat incidents? Break that down by universities and secondary schools. I'd guess most secondary school incidents are not yet making the national news. Is it a reasonable expectation that it does not matter what university you attend, or apply to, or are an alumnus of, you are going to be breached by that university? Now do the same kind of analysis for other kinds of industries. The GAO has published statistics on # incidents by government agency, without divulging nature of breaches ... how does that compare to total government offices and computers? What % of government is experiencing breaches? I'd guess maybe 75%.
, lyger wrote: > [...] From jkouns at opensecurityfoundation.org Mon Aug 25 02:39:47 2008 From: jkouns at opensecurityfoundation.org (jkouns) Date: Sun, 24 Aug 2008 22:39:47 -0400 Subject: [Dataloss] Best Western Response Message-ID: <48B21B73.8040407@opensecurityfoundation.org> http://www.marketwatch.com/news/story/best-western-responds-sunday-herald/story.aspx?guid={A87F9682-AC67-4803-A135-B6ACF42C0956}&dist=hppr Best Western Responds to Sunday Herald Story Claiming Security Breach Hotel Chain Asserts No Evidence to Support Sensational Claims Last update: 6:37 p.m. EDT Aug. 24, 2008 PHOENIX, Aug 24, 2008 (BUSINESS WIRE) -- The story printed in the Sunday, August 24, 2008, Glasgow Sunday Herald claiming a security breach of Best Western guest information is grossly unsubstantiated. Claims reported about our Central Reservations customer records are not accurate. We at Best Western take the confidentiality of our customers' personal information very seriously. The Sunday Herald reporter brought to our attention the possible compromise of a select portion of data at a single hotel; we investigated immediately and provided commentary. Best Western would have welcomed the opportunity to fact-check the story, which would have resulted in more accurate and credible reporting on the part of the newspaper. We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper. Most importantly, whereas the reporter asserted the recent compromise of data for past guests from as far back as 2007, Best Western purges all online reservations promptly upon guest departure. Best Western is committed to safeguarding the confidential information of our guests. We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy.
We collect credit card information only when it is necessary to process a guest's reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards. PCI requires the periodic evaluation, testing, and re-certification of compliance. To that end, our most recent internal review was conducted in August 2008, as was our most recent external test and review. Both evaluations showed Best Western to be compliant with PCI DSS. Best Western would like to assure our customers, member hotels and business partners that we have no evidence to suggest that there is need for widespread concern. As a precautionary measure, now and always, we advise guests to review their credit card statements closely, and we will of course continue to comply with PCI standards going forward. Customer inquiries should be directed to our US customer service team at 800 528-1238 SOURCE: Best Western International Best Western International Troy Rutman, 00 + 1 +602.578.0086 (mobile) 00 + 1 +602.957.5668 (office) Troy.Rutman at bestwestern.com From jericho at attrition.org Mon Aug 25 10:24:26 2008 From: jericho at attrition.org (security curmudgeon) Date: Mon, 25 Aug 2008 10:24:26 +0000 (UTC) Subject: [Dataloss] follow-up: Firm Hired After Security Breach Faces State Probe (fwd) Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.courant.com/business/hc-debix0822.artaug22,0,3146872.story By JANICE PODSADA Courant Staff Writer August 22, 2008 Gov. M. 
Jodi Rell said Thursday that she wants an investigation into a company the state hired to offer credit monitoring to people affected by a security breach involving a stolen Department of Revenue Services laptop computer. The laptop contained Social Security numbers and bank account information for thousands of state residents. State officials hired Debix Identity Protection Network last year after the laptop was stolen from an employee's car in August 2007. As part of its contract, Debix, based in Austin, Texas, agreed to monitor the credit reports of 53,000 people through the three major credit bureaus. The state received complaints after those people received letters from Experian, one of the three credit bureaus, asking for confidential information in order to continue the monitoring, Rell said. [...] From jericho at attrition.org Mon Aug 25 10:25:17 2008 From: jericho at attrition.org (security curmudgeon) Date: Mon, 25 Aug 2008 10:25:17 +0000 (UTC) Subject: [Dataloss] fringe: ID scam from McDonald's drive-through Message-ID: ---------- Forwarded message ---------- From: InfoSec News Forwarded from: Thomas J. Hofstetter http://www.tribtoday.com/page/content.detail/id/509724.html?nav=5021 By RAYMOND L. SMITH Tribune Chronicle August 22, 2008 LIBERTY - Police claim an identity fraud scam that began on July 20 was broken up when several people were arrested in connection with the use of credit and debit cards that did not belong to them. Arrested and arraigned in Girard Municipal Court were Aaron K. Wright Jr., 21, 149 Breaden St.; Terrance T. Phillips, 21, 372 Mary Knoll Ave., Campbell; Mark S. Lett II, 21, 3055 Hadley, Youngstown; and Alexandria Daniel, 18, 159 Maywood Drive, Youngstown. A warrant was issued for another suspect, Brian Cunningham, 20. Detective Sgt. Thomas R. Couche' said the department is looking at three other suspects. 
Police said Daniel, an employee at a Liberty McDonald's restaurant, took credit or debit cards from drive-through customers and used a device she had hidden near the window to swipe the cards to record their numbers. The information on the device then was downloaded and used to make new cards either in the names of the persons to whom the original cards belonged or in the names of the perpetrators, police said. [...] From fergdawg at netzero.net Mon Aug 25 06:54:52 2008 From: fergdawg at netzero.net (Paul Ferguson) Date: Mon, 25 Aug 2008 06:54:52 GMT Subject: [Dataloss] UPDATE: Best Western Refutes (Some) Claims Of Hacker Compromise Message-ID: <20080824.235452.27235.0@webmail23.vgs.untd.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 George Hulme over at InformationWeek.com goes over some of the speculation on this issue: http://www.informationweek.com/blog/main/archives/2008/08/update_best_wes.html Not that I completely agree (or disagree) with him, but there's something really fishy going on here... FYI, - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFIslc3q1pz9mNUZTMRAsIDAKCU3XAxfHOGRLdpRAIxD3+MxKXNGwCgiJO1 GK6aYzTTsmC5cKZFSMYdb4A= =DOk/ -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ From dweaver81 at earthlink.net Mon Aug 25 11:15:39 2008 From: dweaver81 at earthlink.net (Domonick T.
Weaver) Date: Mon, 25 Aug 2008 07:15:39 -0400 Subject: [Dataloss] Best Western Response In-Reply-To: <48B21B73.8040407@opensecurityfoundation.org> References: <48B21B73.8040407@opensecurityfoundation.org> Message-ID: <200808250715.39680.dweaver81@earthlink.net> On Sunday 24 August 2008 22:39:47 jkouns wrote: > http://www.marketwatch.com/news/story/best-western-responds-sunday-herald/story.aspx?guid={A87F9682-AC67-4803-A135-B6ACF42C0956}&dist=hppr > > Best Western Responds to Sunday Herald Story Claiming Security Breach > Hotel Chain Asserts No Evidence to Support Sensational Claims > Last update: 6:37 p.m. EDT Aug. 24, 2008 > > [...] I just want to know this: if they purge the data in their system so often, then how come I can call Best Western and make a reservation on my Visa card without informing them of the number? And I haven't slept in a Best Western in 5 years? Hmm... go figure! From adam at homeport.org Mon Aug 25 15:58:26 2008 From: adam at homeport.org (Adam Shostack) Date: Mon, 25 Aug 2008 11:58:26 -0400 Subject: [Dataloss] follow-up: Firm Hired After Security Breach Faces State Probe (fwd) In-Reply-To: References: Message-ID: <20080825155826.GB11522@homeport.org> On Mon, Aug 25, 2008 at 10:24:26AM +0000, security curmudgeon wrote: | http://www.courant.com/business/hc-debix0822.artaug22,0,3146872.story | | | The state received complaints after those people received letters from | Experian, one of the three credit bureaus, asking for confidential | information in order to continue the monitoring, Rell said. | It's unsurprising that the credit agencies are playing games. I'm sure it has nothing to do with trying to protect their highly profitable credit monitoring businesses. They just want to make sure they can preserve the miracle of instant credit. Adam From hobbit at avian.org Mon Aug 25 20:00:24 2008 From: hobbit at avian.org (*Hobbit*) Date: Mon, 25 Aug 2008 20:00:24 +0000 (GMT) Subject: [Dataloss] Best Western Response Message-ID: <20080825200024.64B4A780A@relayer.avian.org> ... how come I can call Best Western and make a reservation on my Visa card, without informing them of the number? and I haven't slept in a Best Western in 5 years? And your card number hasn't changed in 5 years either?? Hmmm... But I would be hard pressed to believe that any hotel chain large or small ever destroys their records of people's card numbers. I would call bullshit on BW's "response" based on that alone.
_H* From lists at merchant911.org Mon Aug 25 21:21:21 2008 From: lists at merchant911.org (Tom Mahoney) Date: Mon, 25 Aug 2008 17:21:21 -0400 Subject: [Dataloss] Best Western Response In-Reply-To: <20080825200024.64B4A780A@relayer.avian.org> References: <20080825200024.64B4A780A@relayer.avian.org> Message-ID: I don't see how they could respond to chargebacks if they did that. Let's all stay at Best Westerns and then say we didn't. I'm willing to bet that they'd find those 'destroyed' records pretty quickly! At 8:00 PM +0000 8/25/08, *Hobbit* typed out: > >But I would be hard pressed to believe that any hotel chain large >or small ever destroys their records of people's card numbers. >I would call bullshit on BW's "response" based on that alone. > >_H* From jericho at attrition.org Tue Aug 26 09:46:47 2008 From: jericho at attrition.org (security curmudgeon) Date: Tue, 26 Aug 2008 09:46:47 +0000 (UTC) Subject: [Dataloss] Personal data of 1m bank customers found on secondhand computer sold on eBay for 35UKP Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.dailymail.co.uk/news/article-1049121/Personal-data-1m-bank-customers-secondhand-sold-eBay-35.html By Dan Newling dailymail.co.uk 25th August 2008 Personal details of more than a million bank customers have been found on a computer sold on eBay. Highly sensitive information on American Express, NatWest and Royal Bank of Scotland customers was stored on the machine's hard drive. It includes names, addresses, mobile phone numbers, bank account numbers, sort codes, credit card numbers, mothers' maiden names and even signatures. It was described as 'a data thief's treasure chest', with everything a criminal needs to assume a customer's identity - and clear out their bank account.
The massive data loss - one of the worst ever in Britain - is a clear breach of the banks' obligation under the Data Protection Act to keep all personal information secure. Coming just days after the Home Office admitted losing the details of 127,000 criminals, it is certain to fuel public concern about how Government and businesses look after our secrets. Last night it was revealed that a second computer from the same site has gone missing, meaning yet more information could have leaked. IT security expert Adam Laurie said: 'This is appalling. This information is worth millions - a thief could easily use it to go on an enormous shopping spree.' [...] From jericho at attrition.org Tue Aug 26 10:07:27 2008 From: jericho at attrition.org (security curmudgeon) Date: Tue, 26 Aug 2008 10:07:27 +0000 (UTC) Subject: [Dataloss] fringe: Public, private sectors at odds over cyber security Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.latimes.com/business/la-fi-security26-2008aug26,0,2021258.story By Joseph Menn, Los Angeles Times Staff Writer August 26, 2008 Three very big and very different computer security breaches that have dominated recent headlines did more than show how badly the Internet needs major repairs. They also exposed the huge rift between corporate America and the federal government over who should fix it, cyber-security experts say. In the last few months, law enforcement officials cracked an international ring that tapped customer databases and trafficked in tens of millions of credit card numbers; a researcher uncovered a major flaw that permits hackers to steer some Web surfers to fake versions of popular websites filled with malicious software; and computer assaults, which some researchers said they had traced back to Russia's state-run telecommunications firms, crippled websites belonging to the country of Georgia. 
Yet the episodes did little to boost cyber security higher on the agendas of the federal government or the two major presidential candidates. "Nothing is happening," said Jerry Dixon, the former director of the National Cyber Security Division at the Department of Homeland Security. "This has got to be in the top five national security priorities." Dixon is just one of hundreds of technology executives and experts who have been saying for years that Washington needs to do much more to protect consumers, businesses and the government itself from attacks by criminal hackers and those supported by rival nations. [...] From macwheel99 at wowway.com Tue Aug 26 02:09:42 2008 From: macwheel99 at wowway.com (macwheel99 at wowway.com) Date: Mon, 25 Aug 2008 21:09:42 -0500 Subject: [Dataloss] Best Western Response In-Reply-To: <20080825200024.64B4A780A@relayer.avian.org> References: <20080825200024.64B4A780A@relayer.avian.org> Message-ID: <20080826020549.M41860@wowway.com> Another hotel chain overcharged me a few days on my Master Card. I had told them I planned to stay to a particular date, then I checked out early, and the checkout paperwork correctly reflected the # days I had stayed. When I saw that my credit card bill was much bigger than the paperwork they gave me on checkout, I called to get it fixed. They fixed it. They did not need me to give them my credit card # again. I was calling them 2 weeks after I checked out, when I saw my credit card bill. The chain was Econo Lodge. On Mon, 25 Aug 2008 20:00:24 +0000 (GMT), *Hobbit* wrote > ... how come I can call Best Western and make a reservation on my > Visa card, without informing them of the number? and I haven't > slept in a Best Western in 5 years? > > And your card number hasn't changed in 5 years either?? Hmmm... > > But I would be hard pressed to believe that any hotel chain large > or small ever destroys their records of people's card numbers. > I would call bullshit on BW's "response" based on that alone. 
> > _H* From mhill at idtexperts.com Tue Aug 26 02:42:49 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Mon, 25 Aug 2008 22:42:49 -0400 Subject: [Dataloss] follow-up: Firm Hired After Security Breach Faces State Probe (fwd) In-Reply-To: <20080825155826.GB11522@homeport.org> References: <20080825155826.GB11522@homeport.org> Message-ID: <3A2628E6EF9D47139B7F668A34C7E84C@mkevhillpc> > The state received complaints after those people received letters from > | Experian, one of the three credit bureaus, asking for confidential > | information in order to continue the monitoring, Rell said. > | This will not be the first time we see this. A company has a data breach, offers free credit monitoring for a year, then when that year is up, the credit monitoring company will be asking the consumer for confidential information (ex. credit card info) in order to continue the monitoring. A good percentage of the consumers involved in this breach will not continue the monitoring. The smart thieves will know this, and now will start using the PII they stole or bought. Is this a realistic scenario? Michael Hill Certified Identity Theft Risk Management Specialist www.idtheft101.net 404-216-3751 INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS | TRAINING "If You Think You're Not At Risk, Think Again!" NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email.
This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination or distribution of this communication is prohibited. If you have received this communication in error, please notify the sender via return email and delete it completely from your email system. If you have printed a copy of the email, please destroy it immediately. From jpole at jcpa.com Tue Aug 26 12:08:34 2008 From: jpole at jcpa.com (Jamie C. Pole) Date: Tue, 26 Aug 2008 08:08:34 -0400 Subject: [Dataloss] follow-up: Firm Hired After Security Breach FacesState Probe (fwd) In-Reply-To: <3A2628E6EF9D47139B7F668A34C7E84C@mkevhillpc> References: <20080825155826.GB11522@homeport.org> <3A2628E6EF9D47139B7F668A34C7E84C@mkevhillpc> Message-ID: <02788964-7EF6-42D9-8FD0-A901FDEC4808@jcpa.com> I believe that's an absolutely realistic scenario - I'm dealing with a client right now that seems to be experiencing it. They were breached 14 months ago, and provided credit monitoring for the victims. The monitoring ran out, and several of the victims have since contacted the client to ascertain whether or not another breach had taken place. Several of them have recently found new credit cards, new lines of credit, and a few other types of unauthorized transactions on their credit reports. As for the consumers electing not to continue the monitoring coverage, this is a double-edged sword. On the one hand, the credit reporting bureaus should not be permitted to sell monitoring services. If they spent a little time developing mechanisms to verify the accuracy of the information they reported, it might be slightly more difficult to commit identity/credit fraud. 
On the other hand, once your personal data has been disclosed, I would think it's in your best interest to continue the monitoring for several years, at the very least. Of course, none of this would be an issue if these companies were forced to spend a reasonable amount of money on prevention. Then again, with PCI being the (bad) joke that it is, a lot of these companies and agencies actually believe that they are safe. Jamie On Aug 25, 2008, at 10:42 PM, Michael Hill, CITRMS wrote: >> The state received complaints after those people received letters >> from >> | Experian, one of the three credit bureaus, asking for confidential >> | information in order to continue the monitoring, Rell said. >> | > > [...] From mhill at idtexperts.com Tue Aug 26 13:07:18 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Tue, 26 Aug 2008 09:07:18 -0400 Subject: [Dataloss] PA: Data breach affects hundreds of Pa. welfare benefit recipients Message-ID: http://www.pennlive.com/midstate/index.ssf/2008/08/data_breach_affects_hundreds_o.html Letters were mailed Monday by the state Department of Public Welfare informing welfare clients that their personal information was breached last week. Paper jams in a state Department of General Services mail inserter caused 2,845 benefit renewal packets to go to the wrong Pennsylvania welfare client's home. Nearly half of them included the intended recipients' Social Security numbers. The department placed a 90-day fraud alert on the credit reports of people whose Social Security numbers were shared through the mistake. "We're taking it very seriously," said Anne Rung, deputy secretary for administration and procurement for General Services.
Michael Hill Certified Identity Theft Risk Management Specialist www.idtheft101.net 404-216-3751 INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS | TRAINING "If You Think You're Not At Risk, Think Again!" NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email. This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination or distribution of this communication is prohibited. If you have received this communication in error, please notify the sender via return email and delete it completely from your email system. If you have printed a copy of the email, please destroy it immediately. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20080826/6fb146a1/attachment.html From dweaver81 at gmail.com Tue Aug 26 13:13:35 2008 From: dweaver81 at gmail.com (Domonick T. Weaver) Date: Tue, 26 Aug 2008 09:13:35 -0400 Subject: [Dataloss] fringe: Public, private sectors at odds over cyber security In-Reply-To: References: Message-ID: <200808260913.35534.dweaver81@earthlink.netr> On Tuesday 26 August 2008 06:07:27 security curmudgeon wrote: > ---------- Forwarded message ---------- > From: InfoSec News > > http://www.latimes.com/business/la-fi-security26-2008aug26,0,2021258.story > > By Joseph Menn, Los Angeles Times Staff Writer > August 26, 2008 > > Three very big and very different computer security breaches that have > dominated recent headlines did more than show how badly the Internet needs > major repairs. 
> They also exposed the huge rift between corporate America
> and the federal government over who should fix it, cyber-security experts
> say.
>
> In the last few months, law enforcement officials cracked an international
> ring that tapped customer databases and trafficked in tens of millions of
> credit card numbers; a researcher uncovered a major flaw that permits
> hackers to steer some Web surfers to fake versions of popular websites
> filled with malicious software; and computer assaults, which some
> researchers said they had traced back to Russia's state-run
> telecommunications firms, crippled websites belonging to the country of
> Georgia.
>
> Yet the episodes did little to boost cyber security higher on the agendas
> of the federal government or the two major presidential candidates.
>
> "Nothing is happening," said Jerry Dixon, the former director of the
> National Cyber Security Division at the Department of Homeland Security.
> "This has got to be in the top five national security priorities."
>
> Dixon is just one of hundreds of technology executives and experts who
> have been saying for years that Washington needs to do much more to
> protect consumers, businesses and the government itself from attacks by
> criminal hackers and those supported by rival nations.
>
> [...]

I completely concur with your opinion. I work for a post-secondary school system as a contractor for a commercial computer corporation as a technician. To save myself from becoming a victim, I keep a steady eye on my credit and banking reports.
But even still, our network isn't even safe. Nowhere is. Until the world government steps into action to make the Net a free AND safe environment, these instances will continue. It seems as if now, instead of learning from our mistakes, we just look past them to go for the next "big thing"...YouTUBE, Live Search and GoogleEarth, etc, etc. But no one has made the real breakthroughs. How can we better secure our systems? What are we doing that's making us naked in cyberspace? And how can we make it easier for the common user to protect themselves out there?

All of us, as members of the IT world, need to understand that the only way we can stop this madness is by increasing our digital security. Not by increasing, or even capping, bandwidth. We just need to get a grip on the reality. I bet if we put all these data breaches in the public eye long enough, people will start to ask questions...and lots of them.

--
"Proper planning prevents poor performance." - Ret. Sgt 1st class Richard Weaver

From HarrisMC at health.missouri.edu Tue Aug 26 18:41:57 2008
From: HarrisMC at health.missouri.edu (Harris, Michael C.)
Date: Tue, 26 Aug 2008 13:41:57 -0500
Subject: [Dataloss] Best Western Response
In-Reply-To: <20080826020549.M41860@wowway.com>
References: <20080825200024.64B4A780A@relayer.avian.org> <20080826020549.M41860@wowway.com>
Message-ID:

There is something missing here, that doesn't true out with the expectations in the PCI standard for a level one payer. Smaller mom and pop level four establishments may slip by, but the mandatory audits of level one folks should be forcing some change across the hospitality industry... Perhaps slowly. It should have been identified as an audit point with a remediation plan in the quarterly or yearly PCI audit.

So who was the last quarterly PCI auditor for Best Western? Is PCI that broken or ignored?
Level One (6,000,000 transactions per year):
  Annual On-site PCI Data Security Assessment: Qualified Security Assessor, or Internal Audit if signed by an Officer of the company
  Quarterly Network Scan: Approved Scanning Vendor

Level Two (1,000,000 to 6,000,000 transactions):
  Annual On-site PCI Data Security Assessment: Merchant
  Quarterly Network Scan: Approved Scanning Vendor

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of macwheel99 at wowway.com
Sent: Monday, August 25, 2008 9:10 PM
To: *Hobbit*; dataloss at attrition.org
Cc: macwheel99 at wowway.com
Subject: Re: [Dataloss] Best Western Response

Another hotel chain overcharged me a few days on my Master Card. I had told them I planned to stay to a particular date, then I checked out early, and the checkout paperwork correctly reflected the # days I had stayed. When I saw that my credit card bill was much bigger than the paperwork they gave me on checkout, I called to get it fixed. They fixed it. They did not need me to give them my credit card # again. I was calling them 2 weeks after I checked out, when I saw my credit card bill. The chain was Econo Lodge.

On Mon, 25 Aug 2008 20:00:24 +0000 (GMT), *Hobbit* wrote
> ... how come I can call Best Western and make a reservation on my
> Visa card, without informing them of the number? and I haven't
> slept in a Best Western in 5 years?
>
> And your card number hasn't changed in 5 years either?? Hmmm...
>
> But I would be hard pressed to believe that any hotel chain large or
> small ever destroys their records of people's card numbers.
> I would call bullshit on BW's "response" based on that alone.
>
> _H*

--
WOW! Homepage (http://www.wowway.com)

From james_ritchie at sbcglobal.net Tue Aug 26 19:40:37 2008
From: james_ritchie at sbcglobal.net (JAMES RITCHIE)
Date: Tue, 26 Aug 2008 12:40:37 -0700 (PDT)
Subject: [Dataloss] Best Western Response
Message-ID: <178626.39154.qm@web81402.mail.mud.yahoo.com>

Loophole that is found. If each local hotel gains their own merchant ID, processes the transaction through a payment gateway that is not the corporate headquarters, then their level will be determined on that merchant ID, not the aggregate of all the hotels. If each hotel processes through corporate headquarters (now becomes the gateway) to the payment gateway, then the aggregate of all hotels would be combined into one. I have seen where each location was forced to get their own merchant ID and payment gateway to keep the transactions down, thus keeping the cost of audits down.

James Ritchie
http://www.linkedin.com/pub/1/b89/433

----- Original Message ----
From: "Harris, Michael C."
To: dataloss at attrition.org
Cc: macwheel99 at wowway.com
Sent: Tuesday, August 26, 2008 2:41:57 PM
Subject: Re: [Dataloss] Best Western Response

[...]

From ADAIL at sunocoinc.com Tue Aug 26 19:55:11 2008
From: ADAIL at sunocoinc.com (DAIL, WILLARD A)
Date: Tue, 26 Aug 2008 15:55:11 -0400
Subject: [Dataloss] Best Western Response
In-Reply-To:
Message-ID:

If you are not storing track data or other "prohibited information", you are not using a known vulnerable payment application (or it is an internally developed application), and you are encrypting your information store, you should pass a PCI audit (or at least this should not be the reason you fail one).
PCI is a minimum baseline for compliance, and it is a risk-based program. It is in no way, shape, or form, a comprehensive set of information security controls. It's certainly an improvement over nothing, but it is not a mature program in terms of technology (which morphs at astonishing rates) or level of implementation across the entire business sector.

Various state laws prohibit the retention of Private Personally Identifiable Information (without a business need) as does the European Principles on Privacy. Still, which agency or firm audits that information prior to a breach? It looks as if the parent company is International, so they'll probably be speaking with EU privacy commissioners, but under the US framework, if a state has the "business need" caveat, who decides what constitutes business need? Most likely it would be the business that decides, and then its decision is validated or repudiated by the civil legal system.

Technical details are always lacking in press articles, but it sounds like, rather than a credit card cloning endeavor (which is PCI's focus), this breach is more about full identity theft and the credit card numbers are secondary to the incident, rather than material, because the identity information in the databases would still be an issue sans the credit information (and unless more than the PAN was being stored, the full card # is mostly useless).

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Harris, Michael C.
Sent: Tuesday, August 26, 2008 1:42 PM
To: dataloss at attrition.org
Cc: macwheel99 at wowway.com
Subject: Re: [Dataloss] Best Western Response
Importance: Low

[...]

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.

From ADAIL at sunocoinc.com Tue Aug 26 20:20:31 2008
From: ADAIL at sunocoinc.com (DAIL, WILLARD A)
Date: Tue, 26 Aug 2008 16:20:31 -0400
Subject: [Dataloss] Best Western Response
In-Reply-To:
Message-ID:

-----Original Message-----
From: DAIL, WILLARD A
Sent: Tuesday, August 26, 2008 3:02 PM
To: dataloss at attrition.org
Subject: RE: [Dataloss] Best Western Response

Good point. The hospitality industry is one where franchisees or local owners participate in branding, so any given location may or may not be company owned.

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of JAMES RITCHIE
Sent: Tuesday, August 26, 2008 2:41 PM
To: Harris, Michael C.; dataloss at attrition.org
Cc: macwheel99 at wowway.com
Subject: Re: [Dataloss] Best Western Response

[...]

From jpole at jcpa.com Tue Aug 26 20:21:45 2008
From: jpole at jcpa.com (Jamie C. Pole)
Date: Tue, 26 Aug 2008 16:21:45 -0400
Subject: [Dataloss] Best Western Response
In-Reply-To:
References: <20080825200024.64B4A780A@relayer.avian.org> <20080826020549.M41860@wowway.com>
Message-ID: <3FDF62BB-9112-4513-8AA8-346444610F5D@jcpa.com>

The PCI DSS program is a joke. Pure & simple. Definitely broken, sometimes ignored.

I teach a LOT of public and private classes on auditing and ethical hacking/penetration analysis, and it never ceases to amaze me how little the people with the QSA designation actually know. Most of them seem to be former IT auditors - that particular bar (QSA) is set W-A-Y too low.
Think about it - when was the last time you heard about a security breach involving credit card processing where the target was NOT PCI-compliant?

All of the good ones I've worked on recently have had PCI certification in place. That certification has meant precisely zilch in the overall scheme of things.

The fact is that the PCI DSS program itself is flawed, and provides nothing more than a false sense of security. When certain "security" companies commoditize "network scanning" to the point that it is an entirely automated effort, the buyer deserves what they are going to get.

The number of breaches involving PCI-compliant entities should speak for itself...

Jamie

On Aug 26, 2008, at 2:41 PM, Harris, Michael C. wrote:
> [...]

From jericho at attrition.org Tue Aug 26 20:52:13 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 26 Aug 2008 20:52:13 +0000 (UTC)
Subject: [Dataloss] Best Western Response
In-Reply-To: <3FDF62BB-9112-4513-8AA8-346444610F5D@jcpa.com>
References: <20080825200024.64B4A780A@relayer.avian.org> <20080826020549.M41860@wowway.com> <3FDF62BB-9112-4513-8AA8-346444610F5D@jcpa.com>
Message-ID:

: The fact is that the PCI DSS program itself is flawed, and provides
: nothing more than a false sense of security. When certain "security"
: companies commoditize "network scanning" to the point that it is an
: entirely automated effort, the buyer deserves what they are going to
: get.

And when said scanning vendor is in bed with the PCI Security Standards Council as far as ASV certification goes (MC/Visa), the industry deserves what they choose to adopt.

From noloader at gmail.com Tue Aug 26 20:50:54 2008
From: noloader at gmail.com (Jeffrey Walton)
Date: Tue, 26 Aug 2008 16:50:54 -0400
Subject: [Dataloss] Best Western Response
In-Reply-To:
References: <20080825200024.64B4A780A@relayer.avian.org> <20080826020549.M41860@wowway.com>
Message-ID: <605f8e050808261350n87cb216ia60bd5b093d8bc7b@mail.gmail.com>

> So who was the last quarterly PCI auditor for Best Western?

Sounds like Arthur Andersen [http://en.wikipedia.org/wiki/Arthur_Andersen]. Did they re-invent themselves...

On 8/26/08, Harris, Michael C. wrote:
> [SNIP]

From mhill at idtexperts.com Tue Aug 26 21:28:01 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Tue, 26 Aug 2008 17:28:01 -0400
Subject: [Dataloss] Best Western Response
In-Reply-To: <3FDF62BB-9112-4513-8AA8-346444610F5D@jcpa.com>
References: <20080825200024.64B4A780A@relayer.avian.org> <20080826020549.M41860@wowway.com> <3FDF62BB-9112-4513-8AA8-346444610F5D@jcpa.com>
Message-ID: <2440C54ECB5E492C81A2AC195E48C692@mkevhillpc>

No matter what anybody or any government or industry puts together, there is no perfect system/solution. But taking reasonable steps to safeguard the data compared to NOT doing anything should count for something.

Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751

INFORMATION SECURITY | RISK MANAGEMENT | COMPLIANCE | FORENSICS | TRAINING

"If You Think You're Not At Risk, Think Again!"

----- Original Message -----
From: "Jamie C. Pole"
To: "Harris, Michael C."
Cc:
Sent: Tuesday, August 26, 2008 4:21 PM
Subject: Re: [Dataloss] Best Western Response

> [...]

From jpole at jcpa.com Tue Aug 26 21:33:50 2008
From: jpole at jcpa.com (Jamie C. Pole)
Date: Tue, 26 Aug 2008 17:33:50 -0400
Subject: [Dataloss] Best Western Response
In-Reply-To: <2440C54ECB5E492C81A2AC195E48C692@mkevhillpc>
References: <20080825200024.64B4A780A@relayer.avian.org> <20080826020549.M41860@wowway.com> <3FDF62BB-9112-4513-8AA8-346444610F5D@jcpa.com> <2440C54ECB5E492C81A2AC195E48C692@mkevhillpc>
Message-ID: <1CF84B3B-12ED-4244-85E4-F71A6EEB037A@jcpa.com>

When the standard doesn't reflect the reality of the situation, I would argue that credit card processors are FAR better off having a real security assessment done by competent consultant resources, rather than have automated tools run by "certified" individuals that don't have the knowledge to interpret the results.

I agree that something is better than nothing, but the PCI DSS program gives nothing but a false sense of security. The processors should be made to very clearly understand that PCI compliance is only meaningful to the PCI people - it does not reflect whether or not the environment can be breached in the real world.

I have yet to see a PCI DSS certified environment that would allow me to sleep at night if I was responsible for it.

Jamie

On Aug 26, 2008, at 5:28 PM, Michael Hill, CITRMS wrote:
> No matter what anybody or any government or industry puts together,
> there is no perfect system/solution. But taking reasonable steps to
> safeguard the data compared to NOT doing anything should count for
> something.
From daniel.clemens at packetninjas.net Tue Aug 26 22:02:53 2008
From: daniel.clemens at packetninjas.net (Daniel Clemens)
Date: Tue, 26 Aug 2008 17:02:53 -0500
Subject: [Dataloss] Best Western Response
In-Reply-To: <3FDF62BB-9112-4513-8AA8-346444610F5D@jcpa.com>
References: <20080825200024.64B4A780A@relayer.avian.org> <20080826020549.M41860@wowway.com> <3FDF62BB-9112-4513-8AA8-346444610F5D@jcpa.com>
Message-ID:

On Aug 26, 2008, at 3:21 PM, Jamie C. Pole wrote:
>
> The PCI DSS program is a joke. Pure & simple. Definitely broken,
> sometimes ignored.
>
> I teach a LOT of public and private classes on auditing and ethical
> hacking/penetration analysis, and it never ceases to amaze me how
> little the people with the QSA designation actually know. Most of
> them seem to be former IT auditors - that particular bar (QSA) is set
> W-A-Y too low.
>
> Think about it - when was the last time you heard about a security
> breach involving credit card processing where the target was NOT PCI-
> compliant?
>

Better yet, when have you done any penetration testing engagement where the client was 'Compliant with x and y regulation and or standard' and you still gained access? (Probably almost every time or at worst 85% of the time)

This is the exact reason why penetration testing and hacking will almost always win over an institutionalized process and or standard. Penetration testing (or whatever you want to call it nowadays) does not equate to a 'completely formal audit' which I think the PCI (PCI Scanning companies) standards and all the 'certified ethical hacker mindsets' seem to confuse. They are similar, but they are not the same.

What I think the real complaint is about, - is the fact that there is a watered down Carolyn Meinel / JP happy hacker mindset which has successfully infected all that follow the logic that security equates to an exact science when fighting against creative minds.

So there, I said it.

:P

| Daniel Uriah Clemens
| http://bits.packetninjas.org
"Imagination is more important than knowledge."-- Albert Einstein

From lyger at attrition.org Tue Aug 26 22:30:20 2008
From: lyger at attrition.org (lyger)
Date: Tue, 26 Aug 2008 22:30:20 +0000 (UTC)
Subject: [Dataloss] VA: Personal Information Of Prince William Co. Students Posted Online
Message-ID:

http://www.nbc4.com/news/17303374/detail.html

Personal information of some students, employees and volunteers was accidentally posted online by a Prince William County Public Schools employee, according to a news release issued Tuesday.

Information for more than 2,600 people was exposed through a file-sharing program by an employee working from home on a personal computer. Names, addresses and student identification numbers of more than 1,600 students were exposed. Names and social security numbers of 65 employees were exposed. Other confidential information for about 250 employees was exposed. And the names, addresses and e-mail addresses of more than 700 volunteers were exposed.

[...]

From jpole at jcpa.com Tue Aug 26 22:22:01 2008
From: jpole at jcpa.com (Jamie C. Pole)
Date: Tue, 26 Aug 2008 18:22:01 -0400
Subject: [Dataloss] Best Western Response
In-Reply-To:
References: <20080825200024.64B4A780A@relayer.avian.org> <20080826020549.M41860@wowway.com> <3FDF62BB-9112-4513-8AA8-346444610F5D@jcpa.com>
Message-ID:

Sounds great to me...

I encounter the same problem in the Defense space. They are very much beholden to STIGs and checklists - and I have never caught a hacker in possession of either.

This is the difference between security assessment and automated compliance testing. Automated compliance testing (seemingly the majority of PCI DSS at this point) can only measure compliance with an arbitrary (and outdated, outmoded, obsolete, etc.) baseline. Security assessment SHOULD throw convention to the wind in favor of adopting the same mindset as the hacker community. Any truly competent security consultant should be able to do this.

I agree that some "lowest common denominator" can be helpful, but not at the expense of an actual security program. Too many processors take their PCI certificate "to the bank", and don't seem to bother doing anything else.

That is the fatal flaw in the program.

In addition, the way the PCI QSA program is structured ensures that competent security consultants will stay out of it. Why would anyone want to sign on to a program where you have essentially unlimited liability, but are forced to base your certification decisions on a ridiculous standard? AND you have to pay them $20,000 initially, and $10,000 per year afterward... Where does that money go???

Your comment about breaching other environments compliant with applicable standards is right on the mark. A rigid standard is not the answer to this problem.

Jamie

On Aug 26, 2008, at 6:02 PM, Daniel Clemens wrote:
> [...]

From jericho at attrition.org Tue Aug 26 22:44:06 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 26 Aug 2008 22:44:06 +0000 (UTC)
Subject: [Dataloss] Best Western Response
In-Reply-To:
References: <20080825200024.64B4A780A@relayer.avian.org> <20080826020549.M41860@wowway.com> <3FDF62BB-9112-4513-8AA8-346444610F5D@jcpa.com>
Message-ID:

: I agree that some "lowest common denominator" can be helpful, but not at
: the expense of an actual security program. Too many processors take
: their PCI certificate "to the bank", and don't seem to bother doing
: anything else.
:
: That is the fatal flaw in the program.
:
: In addition, the way the PCI QSA program is structured ensures that
: competent security consultants will stay out of it. Why would anyone
: want to sign on to a program where you have essentially unlimited
: liability, but are forced to base your certification decisions on a
: ridiculous standard? AND you have to pay them $20,000 initially, and
: $10,000 per year afterward... Where does that money go???

After that, you get to bid against the LCD who does their automated scans w/ little to no validation for pennies on the dollar.

A company I used to work for was an ASV for a while, but we only did the work as a loss leader to get in the door and then upsell. That was the *only* value of doing PCI work.
From jericho at attrition.org Wed Aug 27 06:19:33 2008 From: jericho at attrition.org (security curmudgeon) Date: Wed, 27 Aug 2008 06:19:33 +0000 (UTC) Subject: [Dataloss] US data breaches booming in '08 Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.theregister.co.uk/2008/08/27/itrc_data_breaches_2008_beat_2007/ By Austin Modine The Register 27th August 2008 The number of personal information leaks reported in the US this year has already exceeded the total amount in all of 2007, San Diego-based Identity Theft Resource Center said today. With four months left in 2008, the firm found that 449 US businesses and government agencies have thus far reported lost or stolen customer and employee data. But the agency reckons the actual number is likely higher, due to under-reporting and data loss that affects multiple businesses being reported as a single event. All told, ITRC said its 2008 list represents compromised records of more than 22 million individuals, although it calls that number "grossly incomplete" because in about 40 per cent of events the number of records exposed is not reported or fully disclosed. Yet ITRC founder Linda Foley attributes part of the growth to companies becoming more open to reporting data loss and the group's access to state notification lists. [...] From jericho at attrition.org Wed Aug 27 06:20:09 2008 From: jericho at attrition.org (security curmudgeon) Date: Wed, 27 Aug 2008 06:20:09 +0000 (UTC) Subject: [Dataloss] Needham schools say system was breached Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.boston.com/news/education/k_12/articles/2008/08/26/needham_schools_say_system_was_breached/ By Peter Schworm Globe Staff August 26, 2008 A junior at Needham High School posted students' schedules and identification numbers and teachers' classroom rosters on his Facebook account after hacking into an online student information system, school officials said yesterday. 
In an e-mail sent yesterday morning to high school parents, principal Paul Richards and the district's superintendent, Dan Gutekanst, said the student admitted he had obtained and posted the information after learning part of a teacher's password, then developing a program to penetrate the system. The student posted the information as an Excel file that was e-mailed among other students. "As you might imagine, this is a serious breach of our system and will require significant work to determine how to prevent this from happening again," stated the e-mail to parents. Students who accessed the information notified school officials about the breach, and Richards talked to the alleged hacker. The student did not alter any information, Richards said. School officials did not release the boy's name. [...] From lyger at attrition.org Wed Aug 27 14:48:59 2008 From: lyger at attrition.org (lyger) Date: Wed, 27 Aug 2008 14:48:59 +0000 (UTC) Subject: [Dataloss] KS: Theft included K-State students' personal data Message-ID: http://cjonline.com/stories/082708/bre_theft.shtml Eighty-six Kansas State University students are receiving letters from the Division of Continuing Education advising them that papers with their names and Social Security numbers on them were stolen from a parked vehicle last week. An instructor for classes offered through the Division of Continuing Education, taught through the UFM Community Learning Center, reported an Aug. 15 overnight theft of numerous items from a car, which was parked outside a Manhattan residence. Items taken included a backpack with a list of names and Social Security numbers of 86 K-State students who had taken that instructor's classes from fall 2007 through summer 2008. [...] 
From rchicker at etiolated.org Wed Aug 27 19:01:31 2008 From: rchicker at etiolated.org (rchick) Date: Wed, 27 Aug 2008 15:01:31 -0400 Subject: [Dataloss] Caterpillar Says Employee Data Stolen Message-ID: http://www.breitbart.com/article.php?id=D8OP99M81&show_article=1&catnum=4 CHAMPAIGN, Ill. (AP) - Caterpillar Inc. said late Friday that a laptop computer containing personal data on employees was stolen from a benefits consultant that works with the company. Caterpillar spokesman Rusty Dunn declined to provide many details Friday. "This is an open investigation and we're not prepared to get into any specifics," Dunn said. He said one laptop computer was stolen earlier this month, but didn't say where the theft took place or identify the consultant. Dunn declined to say how many employees were affected. He said the majority are based in the U.S. and letters have been sent to notify them. Dunn said a call center is being established to take their inquiries. The Peoria-based heavy-equipment maker said in a release that it did not believe the computer was targeted for the data, nor does it believe the data has been accessed or used. "We deeply regret that this incident occurred," Caterpillar Human Services Division Vice President Sid Banwart said in the release. "We are putting in place an enhanced level of protection for this type of personal data." A message left Friday at the Peoria office of the United Auto Workers union, which represents a number of Caterpillar employees in Illinois, was not returned. Caterpillar has more than 90,000 employees around the world, according to its Web site. From bkdelong at pobox.com Wed Aug 27 19:25:35 2008 From: bkdelong at pobox.com (B.K. 
DeLong) Date: Wed, 27 Aug 2008 15:25:35 -0400 Subject: [Dataloss] Caterpillar Says Employee Data Stolen In-Reply-To: References: Message-ID: This article was an AP piece from April 2007, I believe: http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2007/04/27/financial/f172558D76.DTL&type=business On Wed, Aug 27, 2008 at 3:01 PM, rchick wrote: > http://www.breitbart.com/article.php?id=D8OP99M81&show_article=1&catnum=4 > > CHAMPAIGN, Ill. (AP) - Caterpillar Inc. said late Friday that a laptop > computer containing personal data on employees was stolen from a benefits > consultant that works with the company. > > [...] 
-- B.K. DeLong (K3GRN) bkdelong at pobox.com +1.617.797.8471 http://www.wkdelong.org Son. http://www.ianetsec.com Work. http://www.bostonredcross.org Volunteer. http://www.carolingia.eastkingdom.org Service. http://bkdelong.livejournal.com Play. PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE FOAF: http://foaf.brain-stream.org From hbrown at knology.net Wed Aug 27 19:59:40 2008 From: hbrown at knology.net (Henry Brown) Date: Wed, 27 Aug 2008 14:59:40 -0500 Subject: [Dataloss] Fringe: legality of posting PII data in VA Message-ID: <48B5B22C.4060102@knology.net> Judge lets privacy advocate keep Social Security numbers on Web site http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113642 Can a state government prohibit an individual from posting Social Security numbers online that were easily and legally obtained from government Web sites? The answer, a federal judge in Virginia ruled last week, is a definite 'No,' at least for Betty "BJ" Ostergren, a privacy advocate who operates a Web site that posts Social Security numbers obtained from public records. Ostergren's postings are part of a campaign to show how easy it is to access very personal information on the Web. In a memorandum issued last Friday http://www.acluva.org/docket/pleadings/ostergren_opinion.pdf , Judge Robert Payne of the U.S. 
District Court for the Eastern District of Virginia ruled that it would be unconstitutional for the state of Virginia to force Ostergren to remove from her site Social Security numbers that she legally obtained from public records. A memorandum opinion does not create a legal precedent. [...] From george at georgetoft.com Thu Aug 28 08:43:09 2008 From: george at georgetoft.com (George Toft) Date: Thu, 28 Aug 2008 01:43:09 -0700 Subject: [Dataloss] Fringe: legality of posting PII data in VA In-Reply-To: <48B5B22C.4060102@knology.net> References: <48B5B22C.4060102@knology.net> Message-ID: <1219912989.12355.568.camel@bobpc2.georgetoft.com> This article appeared in this week's SANS newsletter: --Judge Says Law Barring Woman from Posting SSNs on Internet is Unconstitutional (August 22, 2008) A US District judge has ruled that a law barring BJ Ostergren from publishing Social Security numbers (SSNs) on the Internet is, in this specific case, unconstitutional. Ostergren's website contains public documents that include SSNs of prominent people. Ostergren's point is to show how the government has failed to protect people's privacy. http://ap.google.com/article/ALeqM5jiGOcctpSb22Nw59ozzMFCW2hv7gD92NM65G0 [Editor's Note (Northcutt): Virginia is going to have to choose between two paths: continue to publish social security numbers and other PII on their state web sites putting their citizens at risk of identity theft, or start sanitizing the information. The latter is a huge task that would involve modifying public records. This is a fairly big problem that Ostergren has brought to light. 
Here is the suit, even a quick read and you realize it is slam dunk: http://www.acluva.org/docket/pleadings/ostergren_complaint.pdf ] I checked out her web site, http://www.opcva.com/watchdog/, and following her links, discovered the Maryland gov't web site publishes a person's physical characteristics - information you would normally find on a driver's license - height, weight, age, address, etc. Scary stuff. George On Wed, 2008-08-27 at 14:59 -0500, Henry Brown wrote: > Judge lets privacy advocate keep Social Security numbers on Web site > > http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113642 > > [...] 
From lyger at attrition.org Thu Aug 28 15:50:26 2008 From: lyger at attrition.org (lyger) Date: Thu, 28 Aug 2008 15:50:26 +0000 (UTC) Subject: [Dataloss] RI: Suspected merchant data breach spurs WashTrust to notify 1,000 card-holders Message-ID: http://www.pbn.com/stories/34753.html The Washington Trust Co. has notified about 1,000 customers that their debit and credit card accounts might have been compromised in a suspected security breach at an unidentified MasterCard merchant. Washington Trust spokeswoman Elizabeth B. Eckel, senior vice president of marketing, said this morning that, although there has been no evidence of fraudulent activity, the bank's policy calls for the accounts to be closed and new cards to be issued. That action was taken after Washington Trust, Rhode Island's largest independent bank, received an advisory from MasterCard saying the company was investigating a "suspected security breach of a U.S. e-commerce-based merchant's Web server which contained debit card data." [...] From lyger at attrition.org Thu Aug 28 18:49:04 2008 From: lyger at attrition.org (lyger) Date: Thu, 28 Aug 2008 18:49:04 +0000 (UTC) Subject: [Dataloss] (follow-up) CT: State learns customers affected by bank data loss could balloon to 10 million Message-ID: http://www.norwalkplus.com/nwk/information/nwsnwk/publish/News_1/State_learns_customers_affected_by_bank_data_loss_could_balloon_to_10_million2151.shtml Governor M. Jodi Rell today announced that the state's investigation into the loss of confidential data of more than 500,000 Connecticut residents by the Bank of New York Mellon Corp. has revealed that the security breach is much broader than first reported. The Connecticut consumers were among 4 million people whose data was lost in February when BNY Mellon was transferring information, some on behalf of People's United Bank of Bridgeport. 
"It is simply outrageous that this mountain of information was not better protected and it is equally outrageous that we are hearing about a possible six million additional individuals and businesses six months after the fact," Governor Rell said. "We fear a substantial number Connecticut residents are among this latest group." The sensitive data includes names, addresses, dates of birth and Social Security numbers. BNY Mellon did not notify People's until May 13 that information on 556,000 People's depositors, was missing. [...] From lyger at attrition.org Thu Aug 28 21:31:03 2008 From: lyger at attrition.org (lyger) Date: Thu, 28 Aug 2008 21:31:03 +0000 (UTC) Subject: [Dataloss] (follow-up): Bank of NY Mellon data breach now affects 12.5 mln In-Reply-To: References: Message-ID: To update the previous story: http://www.reuters.com/article/domesticNews/idUSN2834717120080828 Bank of New York Mellon Corp said on Thursday that a security breach involving the loss of personal information is much larger than previously reported, affecting about 12.5 million people, up from 4.5 million. The case is the largest new reported U.S. data breach in 2008, as measured by the number of exposed records, according to the Identity Theft Resource Center. Connecticut Gov. Jodi Rell, who announced a probe of the breach in May, in a statement said she is still pursuing a possible "substantial" fine, restitution and other remedies against Bank of New York Mellon. [...] From lyger at attrition.org Thu Aug 28 22:48:10 2008 From: lyger at attrition.org (lyger) Date: Thu, 28 Aug 2008 22:48:10 +0000 (UTC) Subject: [Dataloss] OH: Reynoldsburg student information stolen Message-ID: http://www.columbusdispatch.com/live/content/local_news/stories/2008/08/28/rey_students.html?sid=101 A laptop stolen over the weekend contained personal information about 4,259 Reynoldsburg students, the district said today. The data included Social Security numbers as well as names, addresses and phone numbers. 
A computer technician had been using the laptop to transfer student information about an electronic lunch payment system to the district's schools. He completed that work last week but didn't delete the information from the laptop, which was stolen from his car Saturday. He filed a police report Monday but didn't realize that the student information was on the laptop until yesterday, officials said. [...] From lyger at attrition.org Fri Aug 29 01:51:48 2008 From: lyger at attrition.org (lyger) Date: Fri, 29 Aug 2008 01:51:48 +0000 (UTC) Subject: [Dataloss] admin: Reminder about DataLossDB.org and mail list changes Message-ID: In the next few weeks, Attrition.org will be completing the transition of its "data loss" resources to the Open Security Foundation (http://opensecurityfoundation.org) and DataLossDB (http://datalossdb.org). At some time between September 1 and September 15, we will stop updating Attrition's data loss web page (which will, through cause and effect, also end Attrition's RSS feed) and the Data Loss Database - Open Source (DLDOS). If possible, we would like to ask that anyone linking to either of those resources please link to those found at DataLossDB, which will be updated in the same manner that Attrition's resources have been for the last 3+ years. http://datalossdb.org/download http://datalossdb.org/latest_incidents.rss We hope that the mail list conversion will also go smoothly. There should be no need for anyone to unsubscribe and resubscribe to the mail list. If you have any questions about the transition, please email me directly (and please, not the entire list) at lyger at attrition.org. 
From hbrown at knology.net Fri Aug 29 10:23:59 2008 From: hbrown at knology.net (Henry Brown) Date: Fri, 29 Aug 2008 05:23:59 -0500 Subject: [Dataloss] 13000 SSN posted on internet in LA Message-ID: <48B7CE3F.8080401@knology.net> http://www.nola.com/news/t-p/capital/index.ssf?/base//news-6/1219902067300440.xml&coll=1 BATON ROUGE -- A glitch during a computer upgrade at the Louisiana Real Estate Commission caused the names, addresses and Social Security numbers of more than 13,000 licensed agents to be exposed on the Internet last week, sending waves of concern through the real estate community statewide. The commission, which is a state regulatory agency that oversees the licensing of all real estate agents and brokers, discovered the problem Friday after the confidential information had been accessible on the Internet for about two days, Executive Director J.C. Willie said. "Are we concerned? I guess we got to be," said Mark Rodi, president of Louisiana Realtors, a private industry group. "But you can't get upset about what you can't control." [...] The insurer in years past had required that all the agents be identified by their Social Security numbers. That form of agent ID is no longer used by the commission or the insurance carrier. But the commission had kept the old list with the Social Security numbers in its computer files, Willie said. "It was an unfortunate occurrence, but it was handled immediately upon discovery," said Commission Chairwoman Gretchen Ezernack, a Monroe Realtor. The commission contacted the Internet search engine companies Google and Yahoo to ensure that the pages were not being retained by their systems, Willie said. Willie said it would be hard to pinpoint exactly who left the file exposed and that he expected there would be no consequences for whoever might be to blame. Rodi and Louisiana Realtors Chief Executive Malcolm Young said they were satisfied that the commission was doing all it could to address the problem. 
From hbrown at knology.net Fri Aug 29 10:15:28 2008 From: hbrown at knology.net (Henry Brown) Date: Fri, 29 Aug 2008 05:15:28 -0500 Subject: [Dataloss] ATM theft in fl Message-ID: <48B7CC40.7050302@knology.net> http://news-press.com/apps/pbcs.dll/article?AID=/20080828/NEWS0101/80828066 If you have used an ATM at the Camelot branch of Wachovia Bank in Cape Coral in the past few days, you may want to check on your account. Vicki Zingale, 47, found out Wednesday that $2,400 had been withdrawn from her checking account by someone using her information to create a debit card. The withdrawals took place in West Palm Beach in $800 increments Sunday, Monday and Tuesday. Kathy Harrison, Wachovia's Florida spokeswoman, confirmed today that the Camelot branch, at Cape Coral Parkway and Chiquita Boulevard, has had several debit cards' identities stolen because someone placed what's known as a "skimming" device on the ATM. That device collected each person's card information, including personal identification numbers, and allowed the suspect to create different debit cards with that information. Harrison did not have specific information as to whether an arrest had been made, but she said Wachovia is working with West Palm Beach police. It was unclear how many cards had their information stolen. Zingale said she was told by a bank official today that someone was in custody in West Palm Beach, but it was unclear whether that was in connection with the skimmer placed on the Cape Coral ATM. Harrison said Cape Coral and Fort Myers ATMs have had several reports of skimming devices being placed on them in the past few years. 
From mhill at idtexperts.com Sat Aug 30 16:59:38 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Sat, 30 Aug 2008 12:59:38 -0400 Subject: [Dataloss] OH: Pensioners' data breached: 13,000 state police and fire retirees at risk after ex-employee took info Message-ID: http://www.dispatchpolitics.com/live/content/local_news/stories/2008/08/30/copy/PENSION.ART_ART_08-30-08_B1_G7B69U5.html?adsec=politics&sid=101 About 13,000 retired Ohio police officers and firefighters were told this week that their home addresses and Social Security numbers had been improperly forwarded from their pension system office. A former mailroom supervisor at the Ohio Police & Fire Pension System forwarded the names, addresses and Social Security numbers from his work e-mail address to his personal e-mail address before quitting his job Aug. 15, pension officials said yesterday. Pension officials said there's no reason to think that the ex-employee, 56-year-old Richard A. Conway, is misusing the information or forwarding it to others. Still, they said, police and fire retirees are being asked to monitor their financial accounts just in case. "We just don't believe that there was malicious intent for personal gain, but he did violate our policies by taking this information out of the building," said William Estabrook, executive director of the pension system. On Aug. 18, Estabrook sent Conway a certified letter in which he asked the former employee to state in writing that he would not use the forwarded information for any purpose, including charitable solicitations. Conway did not respond by the Aug. 22 deadline, Estabrook said. The matter was turned over to Columbus police yesterday, he said. Conway could not be reached for comment. 
The file contains information for 13,000 of the approximately 24,000 retired members of the Ohio Police & Fire Pension System, most of whom are former police officers, pension spokesman Dave Graham said. The data is limited to names, addresses and Social Security numbers; no financial information is in the file, he said. Pension officials discovered the breach when they noticed an unusually large file attachment from Conway's state e-mail account to what appeared to be a personal address, Graham said. Conway has assured an attorney for the pension system that he has no intention of misusing the data, but he would not put that into writing, pension officials said. Michael Hill Certified Identity Theft Risk Management Specialist www.idtheft101.net 404-216-3751 From mhill at idtexperts.com Sat Aug 30 15:22:21 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Sat, 30 Aug 2008 11:22:21 -0400 Subject: [Dataloss] NV: Man Finds Thousands of Medical Records in Storage Unit Message-ID: <254ED96577E04BA3803C9BE7FBCF9F55@mkevhillpc> http://www.lasvegasnow.com/Global/story.asp?S=8925605&nav=menu102_2 It was a shocking discovery in an abandoned storage unit. Thousands of medical charts, all listed to Southwest Medical. Larry Coldmire bought the contents of the storage unit for just $25 dollars in an auction. He had hoped to find treasures that he could turn into a profit, but what was there instead is identity theft just waiting to happen. "That was a little bit too much information because I don't want anyone getting in touch with my medical records, because I have had my identity stolen before and I am still fighting with it in the credit bureau," he said. Coldmire has alerted police to the records left by Southwest Medical Association. 
He tried to call the medical group, but a recording said the number was out of service. Michael Hill Certified Identity Theft Risk Management Specialist www.idtheft101.net 404-216-3751 From jericho at attrition.org Sat Aug 30 19:15:16 2008 From: jericho at attrition.org (security curmudgeon) Date: Sat, 30 Aug 2008 19:15:16 +0000 (UTC) Subject: [Dataloss] Data watchdogs did not want to see eBay bank server Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.theregister.co.uk/2008/08/28/data_bank_details/ By John Oates The Register 28th August 2008 The man who paid 35UKP for a server stuffed full of Royal Bank of Scotland and NatWest customer details has been left less than impressed with the reaction of UK data regulators. Andrew Chapman's story hit the news after he bought a server on eBay which contained over a million customer details including full account details, mothers' maiden names, addresses and even scans of signatures. But neither the Financial Services Authority nor the Information Commissioner's Office contacted Chapman when he went public with what he found inside the machine. Chapman said he phoned the Information Commissioner Office's head of investigations and offered him the machine. Instead he was told to return it to Graphic Data. Chapman, an IT manager from Oxford, told the Reg: "I don't really see how either the FSA or ICO can ascertain what happened by relying on Graphic Data. It is a nonsense to ask companies to self-report." He said he was told the ICO had no power to seize equipment - although that clearly would not have been necessary in this case. [...] 
From hbrown at knology.net Sat Aug 30 20:19:44 2008 From: hbrown at knology.net (Henry Brown) Date: Sat, 30 Aug 2008 15:19:44 -0500 Subject: [Dataloss] laptop stolen from educational facility in rochester NY Message-ID: <48B9AB60.9040500@knology.net> http://www.rit.edu/news/?v=46283 RIT recently discovered that personal information was on a laptop computer stolen from the National Technical Institute for the Deaf on August 25. The information included names, dates of birth, and Social Security numbers. NOTE: Letters were mailed to those affected. This information security alert does NOT affect the entire RIT community, but a specific population. This includes about 12,700 individuals who have applied to enroll at the National Technical Institute for the Deaf (dating back to 1968). Another 1,100 members of the RIT community have also been impacted. Again, people affected have been notified individually. ...