[Dataloss] UK: Police personal data found on discarded floppy

Timothy Jordan jordantd at corp.earthlink.net
Thu Jan 3 03:04:31 UTC 2008


One important, and often overlooked, way that this "inconsequential" data and the relationships can be used is via Social Engineering attempts.  In other words, 1+1=2 and so on.


-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Marjorie Simmons
Sent: Wednesday, January 02, 2008 4:58 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] UK: Police personal data found on discarded floppy

One often overlooked problem with the release of just name, address and phone is that it can and often does uncover a relationship between the data loser and the exposed persons.
While it might be inconsequential in some instances, it definitely is a major concern in other instances. For example, Widget Business XYZ loses its customer mailing list and a defense agency is a customer, and the widgets can only be used as part of a certain technology, where the timing of the widget deployment is sensitive. Or, consider the law firm whose client mailing list is compromised.  There are many such instances when simple name, address and telephone data losses can show a relationship between people that the parties would neither expect nor want to have disclosed.

While raw data may be available in a publicly available directory, the relationship between parties is often not, and it is the exposure of the relationship, confidential or simply hidden, that is the problem.

###
-----Original Message-----
On Wed, 26 Dec 2007, lyger wrote:

On Wed, 26 Dec 2007, Dan O'Donnell wrote:

": " <http://news.bbc.co.uk/1/hi/england/devon/7160490.stm>
": "
": "   Police data details found at dump
": " A senior police officer has apologised after confidential details of
": " staff were found on a dump in Devon.
": "
": " The details, on a floppy disk, included names, addresses, telephone
": " numbers and ranks of employees of Devon and Cornwall Police.
": "
": " The disk was in an obsolete computer that had been used by the force
": " and had been sent for recycling.

While losing the personal information of police officers is certainly a concern due to the nature of their jobs, I've noticed other recent reports of general "data loss" involving not much more than names, addresses, and sometimes phone numbers.  Should this generally be considered "personal information" if such data can usually be found in a phone book or Google (for most people anyway)?  Just a thought and something we consider when including (or not including) breach data on attrition's data loss web page and database...

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss
