From rchicker at etiolated.org Mon Jun 2 00:15:41 2008
From: rchicker at etiolated.org (rchick)
Date: Sun, 1 Jun 2008 20:15:41 -0400
Subject: [Dataloss] PA: data compromised at Pocono Mountain School District

http://www.mcall.com/news/local/all-b4_3pocono.6436000may31,0,1422227.story

May 31, 2008

A hacker apparently broke into the computers at Pocono Mountain School District and may have tapped into confidential information concerning students and their parents, the district's superintendent said Friday.

Parents were notified in a letter sent home by Superintendent Dwight R. Pfenning.

''We have notified law enforcement about the incident,'' Pfenning said in the letter. Pfenning did not say if state police or local police had been called or when they were told about the security breach.

Pfenning's letter, dated Friday, said the information that may be in the wrong hands includes the students' birth dates, Social Security numbers, student IDs, home phones, and the parents' names, phone numbers and emergency phone numbers.

[..]

There are more than 11,000 students in the sprawling district, which covers the borough of Mount Pocono and the townships of Barrett, Coolbaugh, Jackson, Paradise, Pocono, Tobyhanna and Tunkhannock.

[..]

From jericho at attrition.org Mon Jun 2 07:17:21 2008
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 2 Jun 2008 07:17:21 +0000 (UTC)
Subject: [Dataloss] IT directors call for mandatory data breach disclosure

---------- Forwarded message ----------
From: InfoSec News

http://www.vnunet.com/vnunet/news/2217814/disclosure-uk-breaches-should

By Ian Williams
vnunet.com
29 May 2008

Nearly seven out of 10 IT managers believe that data breach disclosure should be compulsory in the UK, according to a survey by Secure Computing.

The security firm polled 103 directors at this year's InfoSec security show in London in April.

Over 80 per cent of respondents said that data leaks by insiders, whether deliberate or accidental, are at the top of their list of security woes.

Only 17 per cent cited external threats posed by cyber-criminals, such as spammers and hackers, as more dangerous.

[..]

From adam at homeport.org Mon Jun 2 15:16:07 2008
From: adam at homeport.org (Adam Shostack)
Date: Mon, 2 Jun 2008 11:16:07 -0400
Subject: [Dataloss] IT directors call for mandatory data breach disclosure
Message-ID: <20080602151607.GM21298@homeport.org>

Does anyone have a pointer to the original survey? A search of Secure Computing's UK site didn't turn anything up. (The magazine's site, not the firewall company's site.)

Adam

On Mon, Jun 02, 2008 at 07:17:21AM +0000, security curmudgeon wrote:

From jericho at attrition.org Mon Jun 2 17:26:07 2008
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 2 Jun 2008 17:26:07 +0000 (UTC)
Subject: [Dataloss] Police find stolen computer device containing health records

---------- Forwarded message ----------
From: InfoSec News

http://www.cbc.ca/health/story/2008/05/30/pictou-device.html

CBC News
May 30, 2008

New Glasgow police say they've recovered a computer memory stick containing the personal information of 150 people who used mental-health services in Pictou County.

Someone has admitted to stealing the device and trying to destroy it, but no charges are expected, the Pictou County Health Authority said Friday.

The health authority said police believe no information was released.

"We are thankful that no confidential information has been compromised," health district CEO Pat Lee said in a release.

[..]

From lyger at attrition.org Mon Jun 2 19:13:42 2008
From: lyger at attrition.org (lyger)
Date: Mon, 2 Jun 2008 19:13:42 +0000 (UTC)
Subject: [Dataloss] DC: Walter Reed says patient data may have been compromised

http://ap.google.com/article/ALeqM5ggIYzqvXf4Qosf6ubPXxZRRAMPEAD91230F02

Officials at Walter Reed Army Medical Center say personal information on about 1,000 patients may have been revealed in a breach of sensitive data.

The officials said Monday they learned of the apparent security problem on May 21 from an outside company, which they did not identify.

The medical center said it is working to notify all of the people named in the data file that may have been compromised.

It's unclear what kind of information may have been revealed, and Walter Reed did not immediately respond to questions.

[...]
From rchicker at etiolated.org Mon Jun 2 20:59:53 2008 From: rchicker at etiolated.org (rchick) Date: Mon, 2 Jun 2008 16:59:53 -0400 Subject: [Dataloss] CT Dept of Labor reports losing unemployment files Message-ID: http://www.newsday.com/news/local/wire/connecticut/ny-bc-ct--lostlaborrecords0602jun02,0,7864495.story June 2, 2008 WETHERSFIELD, Conn. - State labor officials say records with confidential information on about 2,100 people have been lost and might have been mistakenly shredded. The files contained copies of letters informing applicants that they were ineligible for the unemployment insurance. They were dated between May 2 and May 20 and contained names, addresses and Social Security numbers. [..] From lyger at attrition.org Tue Jun 3 02:38:57 2008 From: lyger at attrition.org (lyger) Date: Tue, 3 Jun 2008 02:38:57 +0000 (UTC) Subject: [Dataloss] Into the Second Millenium Message-ID: http://attrition.org/news/content/08-06-02.001.html As of this writing, Attrition.org's Data Loss Database - Open Source (DLDOS) officially has 1,000 entries. The Connecticut Department of Labor (un?)graciously lost documents containing the names, addresses, and Social Security numbers of about 2,100 people, which places them into the database with a unique identifier (UID) of DL-1000. DLDOS includes data breaches from every year since 2000 with a sharp spike in numbers beginning in 2005, so we're not really surprised that we reached this "milestone" number shortly before the third anniversary of the data loss project. Still, it's something of a bittersweet event to commemorate; we would rather not have to put dozens of breaches every month on a web page, in a database, and sent to a mailing list of about 1,400 subscribers. If it wasn't a problem, we wouldn't... but it is, so we do. [...] 
From mhill at idtexperts.com Tue Jun 3 21:53:35 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Tue, 3 Jun 2008 17:53:35 -0400
Subject: [Dataloss] CA: Identity Thefts Traced to Graduate Healthcare
Message-ID: <6DEDE6F706DC44848032C6484C167679@mkevhillpc>

http://www.newuniversity.org/main/article?slug=identity_thefts_traced_to156

United Healthcare, the provider for UCI's Graduate Student Health Insurance Program, admitted that it was the source of identity thefts of past and present UCI graduate and medical students on Wednesday, May 28.

Beginning in February, UC Irvine graduate students who attempted to submit income tax returns electronically were informed by the IRS that theirs had already been filed, provoking complaints to the UCI Police Department to solve the identity thefts. To date, all 155 reported victims were participants in UCI's Graduate Student Health Insurance Program.

UCI is currently making efforts to provide identity theft victims with sufficient information to solve the problems caused by the situation. UCIPD sent out the first crime alert on March 20 and has released periodic updates with more information. In addition, affected students will also be provided a guide to prevent identity theft and fraud in the future.

Administration has assured students that data security is their top priority. IT security teams meet regularly in discussion of security problems and practices. UCI's computer safety Web site, located at security.uci.edu, provides students with information on how to protect their computers from cyber attacks. The site also discusses recent security concerns and email scams.

UCI's financial aid office has set up emergency loans available to victims of identity theft whose delay in receiving their income tax refund has affected their financial status.

[...]

Mike Hill
www.idtheft101.net

From arshad.noor at strongauth.com Tue Jun 3 23:37:50 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Tue, 03 Jun 2008 16:37:50 -0700
Subject: [Dataloss] CA: Identity Thefts Traced to Graduate Healthcare
In-Reply-To: <6DEDE6F706DC44848032C6484C167679@mkevhillpc>
References: <6DEDE6F706DC44848032C6484C167679@mkevhillpc>
Message-ID: <4845D5CE.1000905@strongauth.com>

It's interesting that identity thieves are taking the theft of personal information to new levels - filing IRS tax returns in the names of the victims for tax refunds! This is the result when business processes (eFiling) are modified to take advantage of electronic efficiency without taking security into consideration.

There are thousands of such business processes waiting to be exploited IMO - credit card numbers are just the tip of the iceberg. What makes this especially problematic is that most business processes are not as standardized as credit card processing, and consequently have many more vulnerabilities due to their variability.

Companies and government agencies are well advised to start reviewing their business processes for security - specifically authenticity and integrity - before issuing any money or benefits. However, this is easier said than done - business people and management consultants don't know enough about security, while security consultants don't know enough about business processes. Attackers will be sure to exploit this gap for some time to come.

Arshad Noor
StrongAuth, Inc.

Michael Hill, CITRMS wrote:

From lyger at attrition.org Wed Jun 4 04:00:07 2008
From: lyger at attrition.org (lyger)
Date: Wed, 4 Jun 2008 04:00:07 +0000 (UTC)
Subject: [Dataloss] OR: OSU Bookstore investigating possible ID theft

http://www.dhonline.com/articles/2008/06/03/news/local/5loc10_osu.txt

The Oregon State Police is investigating the theft of personal information from as many as 4,700 online customers of the OSU Bookstore who used credit cards to purchase items.

In March, OSP began an investigation into a report that approximately 30 OSU Bookstore customers' personal information may have been compromised following online orders.

Then last week, telephone calls and e-mails began coming into the bookstore from customers who had noticed fraudulent charges on their credit cards almost immediately after placing online orders, according to OSU Bookstore General Manager Steve Eckrich.

"We immediately shut down our servers when we recognized it as an external breach," he said.

[...]

From hbrown at knology.net Wed Jun 4 13:13:58 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 04 Jun 2008 08:13:58 -0500
Subject: [Dataloss] Verizon SELLS 12500 unlisted phone numbers in Washington County PA
Message-ID: <48469516.1020404@knology.net>

http://www.herald-mail.com/?cmd=displaystory&story_id=195325

HAGERSTOWN - The unlisted telephone numbers of nearly 13,000 people were printed in the Washington County Phone Book after Verizon inadvertently sold the information to the phone book publisher, a Verizon spokesman said.

Harry Mitchell, Verizon director of media relations, said Friday that Verizon was trying to determine how about 12,500 unlisted numbers and addresses, primarily of Washington County residents, were printed in the phone book published by Ogden Directories Inc.

"Verizon accepts responsibility," Mitchell said. "We certainly apologize to those customers whose numbers were published. ... We're taking accountability for that."

Mitchell said Verizon started calling customers Friday to tell them about the mistake. Verizon will change the published numbers for free and will for a one-year period reimburse the $1.89 monthly cost of having an unlisted number, Mitchell said.

Verizon acknowledged that the mistake was "big" but said it was isolated.

[...]
From rchicker at etiolated.org Wed Jun 4 13:53:37 2008
From: rchicker at etiolated.org (rchick)
Date: Wed, 4 Jun 2008 09:53:37 -0400
Subject: [Dataloss] UK: Stolen tapes contain sensitive data on Hampshire workers

http://www.thisishampshire.net/display.var.2316596.0.stolen_tapes_contain_sensitive_data_on_hampshire_workers.php

CONFIDENTIAL tapes containing the personal and medical details of thousands of staff from Hampshire firms.

The tapes contained highly sensitive information including details ranging from illnesses to home addresses.

Thieves targeted a security van while it was transporting the tapes between offices to be backed up.

The stolen data includes information on staff from a number of companies in Hampshire including finance giant Skandia.

Thousands of people have received letters telling them their details were on the stolen tapes that were owned by the company Medisure, which handles healthcare cover for a number of firms in the county.

While the stolen tapes are said to contain no financial information, they did contain employee names, home addresses, age, details of dependants, details of any health care claims and scanned copies of correspondence.

[...]

From Troy.Casey at McKesson.com Wed Jun 4 14:10:58 2008
From: Troy.Casey at McKesson.com (Casey, Troy # Atlanta)
Date: Wed, 4 Jun 2008 10:10:58 -0400
Subject: [Dataloss] CA: Identity Thefts Traced to Graduate Healthcare
In-Reply-To: <4845D5CE.1000905@strongauth.com>

Seems to me that to e-file for taxes, you have to provide either a pre-selected PIN or the Adjusted Gross Income (AGI) from the previous year's 1040. Assuming the thieves here did in fact e-file - and not send in paper forms - they would have had to have the AGI for the previous year for each student they filed for. Of course, the university's financial aid department would have that information, but it seems unlikely that United Healthcare would have had that.

So it looks to me like the trail would lead back to someone at the University that had (or gained) access to both the health insurance info and the financial aid info, assuming these were in fact e-filed.

Just thinking out loud,
Troy

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Arshad Noor
Sent: Tuesday, June 03, 2008 7:38 PM
To: Michael Hill, CITRMS
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] CA: Identity Thefts Traced to Graduate Healthcare

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

From macwheel99 at wowway.com Wed Jun 4 15:56:33 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Wed, 04 Jun 2008 10:56:33 -0500
Subject: [Dataloss] CA: Identity Thefts Traced to Graduate Healthcare
References: <4845D5CE.1000905@strongauth.com>
Message-ID: <6.2.1.2.1.20080604103155.02e86350@pop3.mail.wowway.com>

The fact remains that according to the FTC, one of the largest growing areas of identity theft exploitation is the filing of false tax returns in the name of the identity theft victims. Congress had to hold hearings into how brain dead the IRS has been in dealing with this mess. One of the reasons it is growing so fast is the IRS is crooked-friendly in how it handles victims of identity theft.

I remember an FTC report that went back further than this one, but now cannot find the link. My memory is that it is now bigger than 10% of id crimes, but 10 years ago it was smaller than 1% of them.

In the 2007 FTC statistics (52 pages), which include information gathered from other organizations, in some categories they compare statistics 2005-2007:

* types of id fraud
* number of complaints vs. amount of $ stolen
* how the money was stolen
** dominated by credit card, wire transfer, debit credit bank card
* how people got contacted
* age of victims
* victimization by geography

http://www.ftc.gov/opa/2008/02/fraud.pdf

23 % of id theft was credit card fraud
18 % was utilities fraud
14 % was employment fraud
13 % was bank fraud

but if you compare their statistics over many years, you can see some kinds of fraud are growing much more rapidly than others, such as phony income tax returns.

The metropolitan areas with the highest per capita rates of reported consumer fraud complaints were Albany-Lebanon, Oregon; Greeley, Colorado; and Napa, California.
ID Theft tops the list of complaints to the FTC:
32 % of complaints for that reason
8 % is the next highest category
http://www.consumeraffairs.com/news04/2008/02/id_theft.html

There's phishing to get people's IRS info.
http://www.irs.gov/individuals/article/0,,id=96596,00.html

Casey, Troy # Atlanta wrote:

From rchicker at etiolated.org Thu Jun 5 00:15:12 2008
From: rchicker at etiolated.org (rchick)
Date: Wed, 4 Jun 2008 20:15:12 -0400
Subject: [Dataloss] AT&T management staff data on stolen laptop

June 04, 2008

http://www.scmagazineus.com/ATT-management-staff-data-on-stolen-laptop/article/110884/

An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop.

The laptop was stolen May 15 from the car of an employee, Walt Sharp, a spokesman for AT&T, told SCMagazineUS.com on Wednesday. The data on the computer was not encrypted -- a violation of company policy -- and included names, Social Security numbers and in some cases, salary and bonus information.

Sharp said the company would not disclose the number of affected individuals, but there is no reason to believe any of the data was being targeted when the machine was stolen.

"Usually these are property crimes in which the drive is wiped clean and resold for profit," he said.

The employee who was in possession of the laptop when it was stolen has been disciplined.

"There are a number of rules governing the handling of encrypted material and the mobile devices handling that material that employees must follow," Sharp said. "It is up to the employee to ensure that any sensitive material is encrypted."

[...]

From lyger at attrition.org Thu Jun 5 03:37:33 2008
From: lyger at attrition.org (lyger)
Date: Thu, 5 Jun 2008 03:37:33 +0000 (UTC)
Subject: [Dataloss] Canada: 32,000 farmers data on stolen laptop

http://www.winnipegfreepress.com/breakingnews/story/4182176p-4771903c.html

It took more than two months for a federal government agency to alert 32,000 farmers, including 7,000 Manitobans, that their private information was in unknown hands after a laptop was stolen.

The news comes on the heels of an annual report released this week by Canada's privacy commissioner, which blasted the private sector for failing to protect personal information.

Although the theft happened March 30, Canadians weren't sent letters until last week informing them their social insurance numbers, bank account numbers and other data had been stored on a laptop stolen from the Canadian Canola Growers Association (CCGA).

[...]
From mhill at idtexperts.com Thu Jun 5 03:10:19 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Wed, 4 Jun 2008 23:10:19 -0400
Subject: [Dataloss] FL: Dumpster discovery: Personal files found
Message-ID: <0479153C1B9B42608522888DB7BFDED1@mkevhillpc>

http://www.wflxfox29.com/Global/story.asp?S=8416813

Update, WED 10 AM:

BOCA RATON, FL (Fox29) - Fox 29 first brought you the story Tuesday: People's personal information tossed in the trash for anyone to take. We're now learning why and hearing from the victims.

Dumpsters on Northwest 1st Avenue Boca Raton were found full of files and paperwork with personal information - names, addresses, drivers licenses and some social security numbers - all out in the open for the taking.

"I'm taken aback; I really almost shaking. The fact that records could be around for all these years," describes victim Geraldine Spieler.

Spieler says she used a Boca moving company 13 years ago. That moving company was sold and relocated. The building owner is now cleaning out and tossing the files with information on employees, applicants and customers like Spieler.

"It shouldn't have been available to anybody, but nobody has done anything."

Building owner Charles Wheeler, former owner of the moving company, says, "In my heart I don't think it's going to be a problem. And I didn't realize until I heard from you guys that there was something sensitive in there. And it should have never been thrown out."

"It's very frightening to think of that it was available, and that it could have happened," says Spieler.

The building owner says even though he didn't know sensitive information was being thrown out, the trash hauler was supposed to arrive before cleaning crews left Tuesday.

In case you were wondering, all the documents have since been shredded.

Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.com
404-216-3751

From fergdawg at netzero.net Thu Jun 5 05:20:00 2008
From: fergdawg at netzero.net (Paul Ferguson)
Date: Thu, 5 Jun 2008 05:20:00 GMT
Subject: [Dataloss] Researchers Say Notification Laws Are Not Lowering ID Theft Incidents
Message-ID: <20080604.222000.18050.0@webmail24.vgs.untd.com>

If anyone finds a link to the CMU report, please forward it to the list.

Via ComputerWorld.

[snip]

Over the past five years, 43 U.S. states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published a state-by-state analysis of data supplied by the U.S. Federal Trade Commission (FTC).

"There doesn't seem to be any evidence that the laws actually reduce identity theft," said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors.

Romanosky's team took a state-by-state look at FTC identity theft complaints filed between 2002 and 2006 to see whether there was a noticeable impact on complaints in states that had adopted data breach notification laws such as California's SB 1386, which compels companies and institutions to notify state residents when their personal information has been lost or stolen. Their paper is set to be presented at a conference on Information Security Economics held at Dartmouth College later this month.

[snip]

More:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9093659

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

From lyger at attrition.org Thu Jun 5 05:25:59 2008
From: lyger at attrition.org (lyger)
Date: Thu, 5 Jun 2008 05:25:59 +0000 (UTC)
Subject: [Dataloss] Researchers Say Notification Laws Are Not Lowering ID Theft Incidents
In-Reply-To: <20080604.222000.18050.0@webmail24.vgs.untd.com>
References: <20080604.222000.18050.0@webmail24.vgs.untd.com>

http://attrition.org/pipermail/dataloss/2008-May/002307.html
http://weis2008.econinfosec.org/papers/Romanosky.pdf

On Thu, 5 Jun 2008, Paul Ferguson wrote:

From hbrown at knology.net Thu Jun 5 11:49:44 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 05 Jun 2008 06:49:44 -0500
Subject: [Dataloss] Researchers Say Notification Laws Are Not Lowering ID Theft Incidents
In-Reply-To: <20080604.222000.18050.0@webmail24.vgs.untd.com>
References: <20080604.222000.18050.0@webmail24.vgs.untd.com>
Message-ID: <4847D2D8.6020401@knology.net>

A link to the paper by Sasha Romanosky and others:
http://weis2008.econinfosec.org/papers/Romanosky.pdf

Another "article" on the 20-page paper:
http://news.idg.no/cw/art.cfm?id=56E28F72-17A4-0F78-3155C53BCC1D1B0D

Researchers say notification laws not lowering ID theft

[...]

Because reports to the FTC are incomplete, it's hard to draw conclusions from the data, said Gartner analyst Avivah Litan. But she noted that while breach laws have made lost laptops front-page news, many companies have responded to tighter laws and regulations by focusing more on compliance than on security. Often, that's not good enough to protect customers from ID theft, she said. "If you just meet the letter of the law you may pass an audit, but you have to pass the spirit of the law."

Romanosky admits that there may be problems in the methodology used by his team. And while he noted that the data -- compiled from self-reported complaints -- may not be perfect, the FTC database is the only source of this type of information.

[...]

-------- Original Message --------
Subject: [Dataloss] Researchers Say Notification Laws Are Not Lowering ID Theft Incidents
From: Paul Ferguson
To: dataloss at attrition.org
Date: 6/5/2008 12:20 AM
From jericho at attrition.org Thu Jun 5 08:57:07 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 5 Jun 2008 08:57:07 +0000 (UTC)
Subject: [Dataloss] follow-up: Army Hospital Breach May Be Result of P2P Leak
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.darkreading.com/document.asp?doc_id=155501

By Tim Wilson
Site Editor
Dark Reading
June 3, 2008

Peer-to-peer (P2P) applications may have been the culprit in a security breach that has exposed the personal information of more than 1,000 patients at Walter Reed Hospital, according to early reports.

Names, Social Security numbers, birth dates, and other information was exposed through a single computer file, hospital officials said Monday. The file did not include information such as medical records, or the diagnosis or prognosis for patients, they said in an Associated Press report [1].

The officials declined to discuss the nature of the breach with AP, citing an ongoing investigation. However, according to an industry news report [2], Col. Patricia Horoho, commander of the Walter Reed Health Care System, posted a Website message yesterday which suggests a potential P2P leak.

"I need everyone to ensure that they are not loading or downloading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected information being shared," the message said.

Horoho's message has since been pulled from the Walter Reed site, but the trade journal managed to get a screen capture [3] before the message disappeared.

[..]
From adam at homeport.org Thu Jun 5 15:01:57 2008
From: adam at homeport.org (Adam Shostack)
Date: Thu, 5 Jun 2008 11:01:57 -0400
Subject: [Dataloss] Researchers Say Notification Laws Are Not Lowering ID Theft Incidents
In-Reply-To: <20080604.222000.18050.0@webmail24.vgs.untd.com>
References: <20080604.222000.18050.0@webmail24.vgs.untd.com>
Message-ID: <20080605150156.GB4110@homeport.org>

There's also no evidence that the laws reduce baggy pants. But that wasn't their intent either. Their intent was to reduce the *impact* of id theft.

Adam

On Thu, Jun 05, 2008 at 05:20:00AM +0000, Paul Ferguson wrote:
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| If anyone finds a link to the CMU report, please forward it to
| the list.
|
| Via ComputerWorld.
|
| [snip]
|
| Over the past five years, 43 U.S. states have adopted data breach
| notification laws, but has all of this legislation actually cut down on
| identity theft? Not according to researchers at Carnegie Mellon University
| who have published a state-by-state analysis of data supplied by the U.S.
| Federal Trade Commission (FTC).
|
| "There doesn't seem to be any evidence that the laws actually reduce
| identity theft," said Sasha Romanosky, a Ph.D student at Carnegie Mellon
| who is one of the paper's authors.
|
| Romanosky's team took a state-by-state look at FTC identity theft
| complaints filed between 2002 and 2006 to see whether there was a
| noticeable impact on complaints in states that had adopted data breach
| notification laws such as California's SB 1386, which compels companies and
| institutions to notify state residents when their personal information has
| been lost or stolen. Their paper is set to be presented at a conference on
| Information Security Economics held at Dartmouth College later this month.
|
| [snip]
|
| More:
| http://www.computerworld.com/action/article.do?command=viewArticleBasic&art
| icleId=9093659
|
| - - ferg
|
| -----BEGIN PGP SIGNATURE-----
| Version: PGP Desktop 9.6.3 (Build 3017)
|
| wj8DBQFIR3d8q1pz9mNUZTMRAtjSAKCiepk/4oEETO5heMLRAPZx+8E2gwCfVenZ
| tzWLNWN3geNZwCkMsfKebes=
| =RgQy
| -----END PGP SIGNATURE-----
|
|
| --
| "Fergie", a.k.a. Paul Ferguson
|  Engineering Architecture for the Internet
|  fergdawg(at)netzero.net
|  ferg's tech blog: http://fergdawg.blogspot.com/

From arshad.noor at strongauth.com Thu Jun 5 16:06:32 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Thu, 05 Jun 2008 09:06:32 -0700
Subject: [Dataloss] [Fwd: Bank Technology News Intelligencer: BNY Mellon Will Spend Big on Breach]
Message-ID: <48480F08.8030407@strongauth.com>

FYI.

Arshad Noor
StrongAuth, Inc.

------

http://www.americanbanker.com/btn_article.html?id=200806048QUUBB5X&email=y

Got an extra $886 million in your budget this year? This was the "breach-of-the-week" story in late May, but the lost tape with 4.5 million names on it keeps getting more expensive for Bank of New York Mellon.

------

From arshad.noor at strongauth.com Thu Jun 5 16:56:24 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Thu, 05 Jun 2008 09:56:24 -0700
Subject: [Dataloss] [Fwd: Bank Technology News Intelligencer: Warn Your Execs: Whalers Targeting Bank CEOs ]
Message-ID: <48481AB8.4000406@strongauth.com>

Fascinating attack at a number of levels:

1) The attacker installs a new Trusted Root CA certificate on the victims' computer;
2) Steals Client-Certificates (and presumably, Private Keys stored in files) in addition to stored passwords and account information;
3) Targets only CxOs;

Attackers appear to be moving at warp-speed in exploiting weaknesses in technology and business processes, while corporations are still stuck trying to get into third - perhaps even second - gear despite real solutions staring them in the face. Pathetic.

Arshad Noor
StrongAuth, Inc.

------------------------------------------------------------------------

Security researchers at SecureWorks are warning about the latest spear phish, now more catchily called whaling because of the big-fish nature of its targets, that is targeting CEOs and other senior financial services executives.

From hbrown at knology.net Fri Jun 6 13:44:49 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 06 Jun 2008 08:44:49 -0500
Subject: [Dataloss] MORE BNY (Mellon Corp) Tapes lost
Message-ID: <48493F51.4020803@knology.net>

http://www.pittsburghlive.com/x/pittsburghtrib/business/s_570347.html

Bank of New York Mellon Corp., the world's largest custodian of assets, reported a second potential breach of customer data this year and said it will provide enhanced fraud-protection services to those affected.

The most recent incident occurred on April 29 when a backup data-storage tape containing images of scanned checks and other payment documents was lost while being moved from Philadelphia to Pittsburgh, spokesmen for the bank said Friday.
It involved data of 47 institutional clients and a yet to be determined number of individual customers.

"The tape was being carried by a commercial carrier ... and was lost in transit," said Ron Sommer, at the bank's Downtown offices. "It was ground transportation delivery, and it didn't reach its destination."

[...]

From tglassey at earthlink.net Fri Jun 6 16:26:49 2008
From: tglassey at earthlink.net (TSG)
Date: Fri, 6 Jun 2008 09:26:49 -0700
Subject: [Dataloss] MORE BNY (Mellon Corp) Tapes lost
References: <48493F51.4020803@knology.net>
Message-ID: <00b001c8c7f2$2114e650$0200a8c0@tsg1>

I wanna know who the carrier was...

Todd Glassey

----- Original Message -----
From: "Henry Brown"
To:
Sent: Friday, June 06, 2008 6:44 AM
Subject: [Dataloss] MORE BNY (Mellon Corp) Tapes lost

> http://www.pittsburghlive.com/x/pittsburghtrib/business/s_570347.html
>
> Bank of New York Mellon Corp., the world's largest custodian of assets,
> reported a second potential breach of customer data this year and said
> it will provide enhanced fraud-protection services to those affected.
>
> The most recent incident occurred on April 29 when a backup data-storage
> tape containing images of scanned checks and other payment documents was
> lost while being moved from Philadelphia to Pittsburgh, spokesmen for
> the bank said Friday. It involved data of 47 institutional clients and a
> yet to be determined number of individual customers.
>
> "The tape was being carried by a commercial carrier ... and was lost in
> transit," said Ron Sommer, at the bank's Downtown offices. "It was
> ground transportation delivery, and it didn't reach its destination."
>
> [...]

From jericho at attrition.org Fri Jun 6 19:24:09 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 6 Jun 2008 19:24:09 +0000 (UTC)
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
In-Reply-To: <48493F51.4020803@knology.net>
References: <48493F51.4020803@knology.net>
Message-ID:

: http://www.pittsburghlive.com/x/pittsburghtrib/business/s_570347.html
:
: "The tape was being carried by a commercial carrier ... and was lost in
: transit," said Ron Sommer, at the bank's Downtown offices. "It was
: ground transportation delivery, and it didn't reach its destination."

The amount of data loss incidents due to backup media being lost in transit is disgusting. While everyone looks to the organizations like BNY for these incidents, they need to disclose which commercial carriers are losing the data like this. I want to see the data and determine if a specific carrier or service is primarily at fault here if that is where the blame lies.

From mkorc at umich.edu Fri Jun 6 19:54:34 2008
From: mkorc at umich.edu (Corcoran, Michele)
Date: Fri, 6 Jun 2008 15:54:34 -0400
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
In-Reply-To:
References: <48493F51.4020803@knology.net>
Message-ID: <87F2840FEEE64E4DB7314736973AB11B02AE051E11@ITCS-ECLS-1-VS1.adsroot.itcs.umich.edu>

Let's say we do look at the commercial carrier, and the carrier offers insurance against loss and the customer either chooses the insurance or waives the insurance, most commercial carriers will make insurance available, offered with disclosure that if a package's worth is more than insurance will cover the carrier can refuse to carry the package, based on what the customer has disclosed. Interesting....
Michele Corcoran
647-6870
University of Michigan
ITCS/ITCom

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of security curmudgeon
Sent: Friday, June 06, 2008 3:24 PM
To: dataloss at attrition.org
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

: http://www.pittsburghlive.com/x/pittsburghtrib/business/s_570347.html
:
: "The tape was being carried by a commercial carrier ... and was lost in
: transit," said Ron Sommer, at the bank's Downtown offices. "It was
: ground transportation delivery, and it didn't reach its destination."

The amount of data loss incidents due to backup media being lost in transit is disgusting. While everyone looks to the organizations like BNY for these incidents, they need to disclose which commercial carriers are losing the data like this. I want to see the data and determine if a specific carrier or service is primarily at fault here if that is where the blame lies.

From jericho at attrition.org Fri Jun 6 20:06:01 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 6 Jun 2008 20:06:01 +0000 (UTC)
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
In-Reply-To: <87F2840FEEE64E4DB7314736973AB11B02AE051E11@ITCS-ECLS-1-VS1.adsroot.itcs.umich.edu>
References: <48493F51.4020803@knology.net> <87F2840FEEE64E4DB7314736973AB11B02AE051E11@ITCS-ECLS-1-VS1.adsroot.itcs.umich.edu>
Message-ID:

: Let's say we do look at the commercial carrier, and the carrier offers
: insurance against loss and the customer either chooses the insurance or
: waives the insurance, most commercial carriers will make insurance
: available, offered with disclosure that if a package's worth is more
: than insurance will cover the carrier can refuse to carry the package,
: based on what the customer has disclosed. Interesting....

Which leads to, what did BNY (or others) claim the backup tapes were worth =)

Even if you go with a conservative estimate that one 'identity' is worth less than 20 bucks (recently stated in a paper), that is still a lot of money if the tapes have a million records. I really doubt BNY is declaring the tapes worth that much.

So we have a system of couriers, off-site storage and backup providers that seem to be a serious weak point in the data security.

Taking this one step farther, what if the tape *is* encrypted using really strong encryption and the tape is lost. Does the company have to warn customers? If not, will that lead to companies claiming strong encryption regardless, knowing that the odds of the unencrypted tape being discovered is very low, then falling back on "error in backup process, it should have been encrypted" claims?
From lawyer at carpereslegalis.com Fri Jun 6 23:13:35 2008
From: lawyer at carpereslegalis.com (Marjorie Simmons)
Date: Fri, 6 Jun 2008 16:13:35 -0700
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
Message-ID: <2A8F1557BA2248F69F2730754E9A7F4C@Lakshmi>

< Friday muse on a shipper's duty >

| Even if you go with a conservative estimate that one
| 'identity' is worth less than 20 bucks (recently stated
| in a paper) . . .

First, the worth of an identity is not the market value of the identity, because the market is illegitimate.

: if a package's worth is more than insurance will
: cover the carrier can refuse to carry the package

Second, many carriers will not refuse such shipments but will limit their liability instead. The focus of the liability for losses needs to remain on the shipper rather than the carrier.

It may be helpful to view these losses through a legal "damages" lens. First though, a simple cost-benefit analysis.

Last time I read the standard contract of carriage for a FedEx overnight item it limited damages to the extent of the insurance, which was itself limited to a specific amount. For example, an item with a liquid value of $3000 (a negotiable instrument) could have a maximum insurance of $500, and so carrier loss of the item limits the carrier's liability to $500. The risk of loss beyond the $500 cap is upon the shipper, not the carrier.

In commercial contracts (B2B) involving carriers the loss limits can be higher but still have a cap, thus claims are similarly limited to no more than the pre-arranged damages cap, no matter how much the actual value of the incurred loss.

The calculation businesses often use in determining the benefit of a low-cost (low insurance) shipping rate involves the statistical loss rate of the carrier. The value of the shipper's benefit in using a specific carrier can be (simplistically) derived from the cost of carriage plus the statistical likelihood of loss, minus the benefit derived from the carrier's actual delivery of the shipped item(s).

One accounting method for a cost-benefit analysis is:

1. Identify a risk [ here, carrier loss ]
2. Estimate the potential loss from the risk. Multiply the loss by its likelihood to get the risk exposure.
3. Determine a control procedure that, if implemented, reduces the risk.
4. Determine the reduction in risk exposure resulting from the control procedure. This is the quantitative benefit.
5. Identify incremental costs of the control procedure.
6. Compare the incremental costs with the reduction in risk exposure.
7. Consider qualitative benefits (those difficult to state in financial terms) and the accuracy of your estimates.
(http://www.mhhe.com/business/accounting/boockholdt/cost.html)

The question thus becomes whether the shipper (not the carrier) has a duty to insure beyond the limits of the contract of carriage. A shipper's duty does not pass to a carrier because the shipper's relationship with regard to the item shipped is with the shipper's intended recipient. Such a duty cannot be contracted to a carrier without the consent of the recipient.

Most carriers limit absolutely the insurance available to items of "extraordinary value" (negotiable instruments, works of art, jewelry, etc.) because such items have value beyond their face value which is often speculative.

For example, let's say a lawyer FedEx's a legal document to a court, knowing that document must be received by a date certain, but FedEx loses the shipment. What are the losses flowing from that event? FedEx loses $100 unless the lawyer declared a higher value and paid the fee, but still stands to lose no more than $500. The lawyer's clients may stand to lose millions if the court where the document was to be filed does not excuse the lawyer's FedEx loss.

The loss of data which can be used in identity theft and is normally considered private also has a speculative value (as far as most carriers are concerned), and thus is something that most carriers class like the above items of "extraordinary value". Such data has intrinsic value but is not currently measured with an absolute value.

###

From arshad.noor at strongauth.com Fri Jun 6 23:13:39 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Fri, 6 Jun 2008 19:13:39 -0400 (EDT)
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
In-Reply-To:
Message-ID: <6030946.2401212794019482.JavaMail.root@gw.noorhome.net>

----- Original Message -----
From: "security curmudgeon"
To: dataloss at attrition.org
Sent: Friday, June 6, 2008 1:06:01 PM (GMT-0800) America/Los_Angeles
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

Taking this one step farther, what if the tape *is* encrypted using really strong encryption and the tape is lost. Does the company have to warn customers?

Certainly not in California. The Breach Disclosure law (originally SB-1386) provides a safe-harbor for encrypted data. Not sure what the other 42 US states do, but they modeled their laws along the lines of California's to the best of my knowledge.

If not, will that lead to companies claiming strong encryption regardless,....

This is a weakness in all Breach Disclosure laws. They do not specify the type of encryption. While I agree that lawmakers are not the most qualified people to determine appropriate ciphers, they could have at least pointed to NIST standards as the minimum. That would have given us 3DES and AES encryption. Right now, we have nothing. Very short-sighted.

Arshad Noor
StrongAuth, Inc.
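Added example, not from any poster on the list: the seven-step cost-benefit method quoted above, worked in Python for the scenario the thread discusses (a backup tape lost by a carrier), with tape encryption under an encrypted-data safe harbor and capped carrier insurance as the two candidate controls. The loss rate, control costs and residual fractions are constructed assumptions; the million-record tape and the $125 per-record cost are figures that come up in the thread.

```python
"""Cost-benefit analysis of controls for backup tapes in transit.

Worked instance of the seven-step method quoted on the list: identify the
risk, estimate the loss and multiply by its likelihood, choose a control,
compare the reduction in exposure with the control's incremental cost.
All loss rates, control costs and residual fractions below are constructed
assumptions for illustration, not figures reported by any poster.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Shipment:
    """A recurring shipment of one backup tape; the risk (step 1) is carrier loss."""
    records: int                # individuals whose data is on the tape
    cost_per_record: float      # notification, monitoring and penalties per record
    p_loss_per_shipment: float  # carrier loss rate per shipment (assumed)
    shipments_per_year: int


@dataclass(frozen=True)
class Control:
    """A control procedure (step 3) with its incremental annual cost (step 5)."""
    name: str
    annual_cost: float
    residual_fraction: float = 1.0      # share of the per-incident loss that remains
    recovery_per_incident: float = 0.0  # capped payout, e.g. carrier insurance


def per_incident_loss(s: Shipment, c: Optional[Control] = None) -> float:
    """Step 2: the loss if one tape goes missing, net of the control's effect."""
    residual = c.residual_fraction if c else 1.0
    recovery = c.recovery_per_incident if c else 0.0
    return max(0.0, s.records * s.cost_per_record * residual - recovery)


def annual_exposure(s: Shipment, c: Optional[Control] = None) -> float:
    """Step 2: risk exposure = loss x likelihood, over a year's shipments."""
    expected_incidents = s.p_loss_per_shipment * s.shipments_per_year
    return per_incident_loss(s, c) * expected_incidents


def evaluate(s: Shipment, c: Control) -> dict:
    """Steps 4 to 6: reduction in exposure (the benefit) against incremental cost."""
    before = annual_exposure(s)
    after = annual_exposure(s, c)
    benefit = before - after
    return {
        "control": c.name,
        "exposure_before": before,
        "exposure_after": after,
        "benefit": benefit,
        "incremental_cost": c.annual_cost,
        "net": benefit - c.annual_cost,
        "worthwhile": benefit > c.annual_cost,
    }


# Constructed scenario: a million records on the tape and a $125 per-record
# breach cost (both figures come up in the thread), with an assumed
# one-in-a-thousand loss rate over 250 shipments a year.
TAPE = Shipment(records=1_000_000, cost_per_record=125.0,
                p_loss_per_shipment=0.001, shipments_per_year=250)

# Control A: encrypt the tape with the key held off the tape. Under an
# encrypted-data safe harbor most of the notification cost disappears; the
# 10% residual is an assumption for states whose exemption is unclear.
ENCRYPTION = Control("encrypt tapes, key held separately",
                     annual_cost=50_000.0, residual_fraction=0.1)

# Control B: declared-value carrier insurance capped at $500 per shipment,
# as in the FedEx example above; the $10 per-shipment fee is assumed.
INSURANCE = Control("carrier declared-value insurance, $500 cap",
                    annual_cost=250 * 10.0, recovery_per_incident=500.0)


if __name__ == "__main__":
    for control in (ENCRYPTION, INSURANCE):
        r = evaluate(TAPE, control)
        print(f"{r['control']}: benefit ${r['benefit']:,.0f}, "
              f"cost ${r['incremental_cost']:,.0f}, net ${r['net']:,.0f}, "
              f"worthwhile={r['worthwhile']}")
    # Step 7, the qualitative side (reputation, regulator attention, how good
    # the loss-rate estimate is), stays outside the arithmetic on purpose.
```

Capped carrier insurance barely moves the exposure, which is the point made above about the risk beyond the cap staying with the shipper; encryption is the control that changes the number.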
From lyger at attrition.org Fri Jun 6 23:31:36 2008
From: lyger at attrition.org (lyger)
Date: Fri, 6 Jun 2008 23:31:36 +0000 (UTC)
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
In-Reply-To: <6030946.2401212794019482.JavaMail.root@gw.noorhome.net>
References: <6030946.2401212794019482.JavaMail.root@gw.noorhome.net>
Message-ID:

While outdated by a few months and not accounting for recently added/updated state laws, this document provides a quick overview of which states provide exemptions for encrypted data:

http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf

On Fri, 6 Jun 2008, Arshad Noor wrote:

": "
": " ----- Original Message -----
": " From: "security curmudgeon"
": " To: dataloss at attrition.org
": " Sent: Friday, June 6, 2008 1:06:01 PM (GMT-0800) America/Los_Angeles
": " Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
": "
": "
": " Taking this one step farther, what if the tape *is* encrypted using really
": " strong encryption and the tape is lost. Does the company have to warn
": " customers?
": "
": " Certainly not in California. The Breach Disclosure law (originally
": " SB-1386) provides a safe-harbor for encrypted data. Not sure what the
": " other 42 US states do, but they modeled their laws along the lines of
": " California's to the best of my knowledge.
": "
": " If not, will that lead to companies claiming strong encryption
": " regardless,....
": "
": " This is a weakness in all Breach Disclosure laws. They do not specify
": " the type of encryption. While I agree that lawmakers are not the most
": " qualified people to determine appropriate ciphers, they could have at
": " least pointed to NIST standards as the minimum. That would have given
": " us 3DES and AES encryption. Right now, we have nothing. Very short-
": " sighted.
": "
": " Arshad Noor
": " StrongAuth, Inc.
From ADAIL at sunocoinc.com Fri Jun 6 23:30:56 2008
From: ADAIL at sunocoinc.com (DAIL, WILLARD A)
Date: Fri, 6 Jun 2008 19:30:56 -0400
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapeslost)
References: <48493F51.4020803@knology.net>
Message-ID:

Aside from the privacy issue, couriered tapes are also a concern due to the "Crash Restart" method of system attack. Basically, a hacker colludes with your courier to drop off your tapes in the morning. The courier then picks up the altered tapes that afternoon. A couple of really nasty things happened to your tapes that day.

________________________________

From: dataloss-bounces at attrition.org on behalf of security curmudgeon
Sent: Fri 6/6/2008 3:24 PM
To: dataloss at attrition.org
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapeslost)

: http://www.pittsburghlive.com/x/pittsburghtrib/business/s_570347.html
:
: "The tape was being carried by a commercial carrier ... and was lost in
: transit," said Ron Sommer, at the bank's Downtown offices. "It was
: ground transportation delivery, and it didn't reach its destination."

The amount of data loss incidents due to backup media being lost in transit is disgusting. While everyone looks to the organizations like BNY for these incidents, they need to disclose which commercial carriers are losing the data like this. I want to see the data and determine if a specific carrier or service is primarily at fault here if that is where the blame lies.

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.

From mtanenbaum at mercurycompanies.com Fri Jun 6 23:34:56 2008
From: mtanenbaum at mercurycompanies.com (Mitch Tanenbaum - MC)
Date: Fri, 6 Jun 2008 17:34:56 -0600
Subject: [Dataloss] Fw: time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
Message-ID: <8863F491C755804C8E587C621C4DDAD14B1B3C@mc-exch03.mts.net>

Two things

I am guessing that the data includes customers from most of the 50 states given this is a major bank so the rules get very mushy given it is controlled by the state of residency.

Second, some states like NY, do not have an encryption exclusion at all.

Mitch

----- Original Message -----
From: dataloss-bounces at attrition.org
To: security curmudgeon
Cc: dataloss at attrition.org
Sent: Fri Jun 06 17:13:39 2008
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

----- Original Message -----
From: "security curmudgeon"
To: dataloss at attrition.org
Sent: Friday, June 6, 2008 1:06:01 PM (GMT-0800) America/Los_Angeles
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

Taking this one step farther, what if the tape *is* encrypted using really strong encryption and the tape is lost. Does the company have to warn customers?

Certainly not in California. The Breach Disclosure law (originally SB-1386) provides a safe-harbor for encrypted data. Not sure what the other 42 US states do, but they modeled their laws along the lines of California's to the best of my knowledge.
If not, will that lead to companies claiming strong encryption regardless,....

This is a weakness in all Breach Disclosure laws. They do not specify the type of encryption. While I agree that lawmakers are not the most qualified people to determine appropriate ciphers, they could have at least pointed to NIST standards as the minimum. That would have given us 3DES and AES encryption. Right now, we have nothing. Very short-sighted.

Arshad Noor
StrongAuth, Inc.

From fergdawg at netzero.net Fri Jun 6 23:57:18 2008
From: fergdawg at netzero.net (Paul Ferguson)
Date: Fri, 6 Jun 2008 23:57:18 GMT
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tape s lost)
Message-ID: <20080606.165718.22414.1@webmail24.vgs.untd.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- "Marjorie Simmons" wrote:

> | Even if you go with a conservative estimate that one
> | 'identity' is worth less than 20 bucks (recently stated
> | in a paper) . . .
>
>First, the worth of an identity is not the market value of the identity, because the market is illegitimate.
>

I would suggest that is actually not the case -- while the market for identity credentials (includes login IDs, credit card numbers, CVV & Track 2 data, SSNs, etc.) may indeed be illegitimate, it is thriving.

So as far as I'm concerned, the statement above on market value is completely meaningless.
- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFISc7Vq1pz9mNUZTMRAr2TAKDedtywJzO7QUv9xukUQuI1LB1ObgCeMcBD
EQrBJV23UlfpCo7UsMy6Csg=
=Z/MH
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/

From ADAIL at sunocoinc.com Sat Jun 7 00:17:15 2008
From: ADAIL at sunocoinc.com (DAIL, WILLARD A)
Date: Fri, 6 Jun 2008 19:17:15 -0500
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp)Tape s lost)
Message-ID: <3d0401c8c833$d77c9ac5$e93487d1@USISUNOCOINC.com>

As a legitimate company, the street value of an identity is meaningless, unless one plans to sell identities. Executives and Risk Managers need to focus on the regulatory and punitive damage costs of a breach. Who cares if a full identity goes for $20 if you'll end up paying $125 for losing it?

The only use I have ever found for the data is to illustrate a thief's financial incentive to attack a given system, while attempting to justify hardening it.

-----Original Message-----
From: "Paul Ferguson"
To: "lawyer at carpereslegalis.com"
Cc: "dataloss at attrition.org"
Sent: 6/6/08 7:02 PM
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp)Tape s lost)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- "Marjorie Simmons" wrote:

> | Even if you go with a conservative estimate that one
> | 'identity' is worth less than 20 bucks (recently stated
> | in a paper) . . .
>
>First, the worth of an identity is not the market value of the identity, because the market is illegitimate.
>

I would suggest that is actually not the case -- while the market for identity credentials (includes login IDs, credit card numbers, CVV & Track 2 data, SSNs, etc.) may indeed be illegitimate, it is thriving.

So as far as I'm concerned, the statement above on market value is completely meaningless.
- - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFISc7Vq1pz9mNUZTMRAr2TAKDedtywJzO7QUv9xukUQuI1LB1ObgCeMcBD EQrBJV23UlfpCo7UsMy6Csg= =Z/MH -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments. From chris at cwalsh.org Sat Jun 7 01:53:08 2008 From: chris at cwalsh.org (Chris Walsh) Date: Fri, 6 Jun 2008 20:53:08 -0500 Subject: [Dataloss] Fw: time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost) In-Reply-To: <8863F491C755804C8E587C621C4DDAD14B1B3C@mc-exch03.mts.net> References: <8863F491C755804C8E587C621C4DDAD14B1B3C@mc-exch03.mts.net> Message-ID: <20080607015308.GA95689@fripp.cwalsh.org> The NY law does not consider encrypted information, regardless of its nature, to be private information as long as the encryption key remains protected. The law requires notification when private information has been or is reasonably believed to have been acquired by an unauthorized person. 
(b) "Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired

www.cscic.state.ny.us/lib/laws/documents/899-aa.pdf

I find it interesting that many of the various parties whose information was exposed have been identified not by BONY, or by any NY regulator, but by the *Connecticut* AG's office.

On Jun 6, 2008, at 6:34 PM, Mitch Tanenbaum - MC wrote:

> Second, some states like NY, do not have an encryption exclusion at all.

From lyger at attrition.org Sat Jun 7 02:12:25 2008
From: lyger at attrition.org (lyger)
Date: Sat, 7 Jun 2008 02:12:25 +0000 (UTC)
Subject: [Dataloss] CA: Stanford alerts employees that stolen laptop had personal data
Message-ID:

http://news-service.stanford.edu/news/2008/june11/laprelease-061108.html

Stanford University determined yesterday that a university laptop, which was recently stolen, contained confidential personnel data. The university is not disclosing details about the theft as an investigation is under way.

The university is sending e-mails and letters to current and former employees whose personal information may be at risk, as well as posting information on the Stanford homepage at: http://www.stanford.edu, and notifying the media. Officials estimate that the problem could extend to as many as 72,000 people currently or previously employed by Stanford.

[...]

From lawyer at carpereslegalis.com Sat Jun 7 03:10:19 2008
From: lawyer at carpereslegalis.com (Marjorie Simmons)
Date: Fri, 6 Jun 2008 20:10:19 -0700
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
Message-ID: <7A03915239A74F0BA2005101DAD88470@Lakshmi>

Willard Dail wrote in reply to Paul Ferguson:

| the street value of an identity is meaningless, unless one
| plans to sell identities . . . .
| The only use I have ever found
| for the data is to illustrate a thief's financial incentive . . .

True, Willard, that is one legitimate use of an account of the street value of an identity.

Paul Ferguson wrote in reply to Marjorie Simmons:
[Simmons wrote in reply to Michele Corcoran]

| > | Even if you go with a conservative estimate that one
| > | 'identity' is worth less than 20 bucks (recently stated
| > | in a paper) . . .
| >
|>>First, the worth of an identity is not the market value
|>>of the identity, because the market is illegitimate.

|> I would suggest that is actually not the case -- while the
|> market for identity credentials (includes login IDs, credit
|> card numbers, CVV & Track 2 data, SSNs, etc.) may indeed be
|> illegitimate, it is thriving.

|> So as far as I'm concerned, the statement above on market
|> value is completely meaningless.

Paul, it is not clear to which statement you are referring. The worth of an identity depends upon to whom you are referring: the loser or the purchaser. If it is the loser, the worth of an identity is not equal to the market value. If it is to the purchaser, it may be, it depends. You may have misunderstood my meaning, and perhaps I could have been clearer.

To illustrate, consider the market value of a certain stock. On Wall Street, the stock price may be $x per share. To an investor with an agenda or plan it may be worth much more or much less, even if that investor purchases some shares at the market price.

To most individuals their identity is worth quite a bit, even if a thief can sell it on the black market for $20.

Perhaps this helps.
###

From fergdawg at netzero.net Sat Jun 7 04:14:50 2008
From: fergdawg at netzero.net (Paul Ferguson)
Date: Sat, 7 Jun 2008 04:14:50 GMT
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
Message-ID: <20080606.211450.22038.0@webmail06.vgs.untd.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- "Marjorie Simmons" wrote:

>Paul Ferguson wrote in reply to Marjorie Simmons:
> [Simmons wrote in reply to Michele Corcoran]
> | > | Even if you go with a conservative estimate that one
> | > | 'identity' is worth less than 20 bucks (recently stated
> | > | in a paper) . . .
> | >
> |>>First, the worth of an identity is not the market value
> |>>of the identity, because the market is illegitimate.
>
> |> I would suggest that is actually not the case -- while the
> |> market for identity credentials (includes login IDs, credit
> |> card numbers, CVV & Track 2 data, SSNs, etc.) may indeed be
> |> illegitimate, it is thriving.
>
> |> So as far as I'm concerned, the statement above on market
> |> value is completely meaningless.
>
>Paul, it is not clear to which statement you are referring. The worth of an identity depends upon to whom you are referring: the loser or the purchaser. If it is the loser, the worth of an identity is not equal to the market value. If it is to the purchaser, it may be, it depends. You may have misunderstood my meaning, and perhaps I could have been clearer.
>
>To illustrate, consider the market value of a certain stock. On Wall Street, the stock price may be $x per share. To an investor with an agenda or plan it may be worth much more or much less, even if that investor purchases some shares at the market price.
>
>To most individuals their identity is worth quite a bit, even if a thief can sell it on the black market for $20.
>

Well, let's leave it as an exercise for the readers. ;-)

My primary workload these days is working with law enforcement, NGOs (the various regional CERTs/CSIRTs, ISPs, etc.)
on incident notification -- usually by the time I notify them they have a problem, there are already victims. My primary task is to shrink the "time-to-exploit" window as much as possible.

What I'm saying is not so different than what you are saying, although I'm approaching this issue from a slightly different perspective. Unfortunately, I have accepted the fact that there will be compromises -- but I'm also of the opinion that the "stick" is needed now since the "carrot" has obviously not worked -- companies hide behind compliance mandates and do not radically change their behavior until it is too late, and consumers get pinched.

Before I ramble on too much further, let me say this -- there is a thriving underground economy which exists because "legitimate" businesses do not adhere to (what could be considered) "best practices", much less industry compliance mandates and regulations. This sort of lackadaisical attitude is prevalent all across the board, from us hosters, to Enterprise organizations, to e-commerce, to banks, to even the SCADA community. And until a "stick" approach is taken to provide punishment for making bad business decisions, this trend will become worse than it already is.

In fact, if you look to New Zealand and the U.K., they are already pushing fraud loss liability back onto the consumer.

$.02,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFISgs3q1pz9mNUZTMRAjwdAJ9zj6hr9Xgzrfklcd26aFNW76SUxwCffuUo
RQf6PE6Mx495Y+pSttuzf6U=
=4VpJ
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a.
Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

From chris at cwalsh.org Sat Jun 7 15:42:41 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Sat, 7 Jun 2008 10:42:41 -0500
Subject: [Dataloss] Researchers Say Notification Laws Are Not Lowering ID Theft Incidents
In-Reply-To: <20080605150156.GB4110@homeport.org>
References: <20080604.222000.18050.0@webmail24.vgs.untd.com> <20080605150156.GB4110@homeport.org>
Message-ID:

A fair point, but plenty has been written about the notion of name and shame with these laws. The idea being that embarrassment or threat thereof will induce firms to do the right thing. This is specifically recognized in the paper (refer to figure 4, for example).

Regardless of whether the legislators sought to reduce ID theft, and whether it makes sense to think that selfishly-acting firms might help reduce it when faced with embarrassment, the repeated descriptions of this paper as showing that ID theft is not reduced are wrong. The paper does not conclude that ID theft is not reduced. It fails to conclude that it is reduced. There's a difference, which seems to be eluding the press.

With better data (which the authors say they would like to see collected), we'd have much more to say. THAT, it seems to me, is the story here.

On Jun 5, 2008, at 10:01 AM, Adam Shostack wrote:

>
> There's also no evidence that the laws reduce baggy pants. But that
> wasn't their intent either. Their intent was to reduce the *impact* of
> id theft.
From hbrown at knology.net Sat Jun 7 21:20:14 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 07 Jun 2008 16:20:14 -0500
Subject: [Dataloss] Southington CT city employees at risk after break in
Message-ID: <484AFB8E.3020503@knology.net>

http://www.courant.com/news/local/nb/hc-southeft0607.artjun07,0,983269.story

Title: State Asks Southington To Give 26 ID-Theft Protection
Author: KEN BYRON | Courant Staff Writer
Date: June 7, 2008

SOUTHINGTON - The state is asking the town to protect 26 current and former water department employees against identity theft after personal information about them was stolen from the department's former headquarters.

Late last month, police learned that the department's former headquarters off High Street had been broken into. The department had stored records there, and documents with the names and Social Security numbers of the 26 people were found scattered by the nearby Quinnipiac River, state Attorney General Richard Blumenthal said Friday. Twenty-two current employees and four former employees are affected.

"Whoever broke into the building rifled through the papers in it," Blumenthal said.

He said the state wants the water department to provide the affected employees with identity-theft insurance and with a credit-protection plan that would warn them if an application for any sort of credit is made in their name. The department has not yet responded to that request, Blumenthal said, and department Superintendent Thomas West could not be reached on Friday for comment.

So far, Blumenthal said, Southington officials have cooperated with his office. Except for the storage of old records, the building has been vacant since the department moved to a new headquarters on West Queen Street three years ago.

So far, Blumenthal said, no department employees whose information was taken have been victimized.
From lyger at attrition.org Sat Jun 7 22:02:04 2008
From: lyger at attrition.org (lyger)
Date: Sat, 7 Jun 2008 22:02:04 +0000 (UTC)
Subject: [Dataloss] TN: ETSU says stolen computer could lead to identity theft
Message-ID:

http://wztv.com/template/inews_wire/wires.regional.tn/3ed9eb5b-www.fox17.com.shtml

East Tennessee State University has sent a letter to 6,200 people whose identities could be compromised by the theft of a desktop computer.

The letter, dated Monday and provided to the Johnson City Press by the father of a graduate who received one, says the computer is password protected and files cannot be easily accessed. But it says there is a small possibility that the information could be compromised.

[...]

From veedot at earthlink.net Sun Jun 8 00:45:04 2008
From: veedot at earthlink.net (V.)
Date: Sat, 07 Jun 2008 20:45:04 -0400
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
In-Reply-To:
References: <48493F51.4020803@knology.net>
Message-ID:

At 07:30 PM 6/6/2008 -0400, DAIL, WILLARD A wrote:

>Aside from the privacy issue, couriered tapes are also a concern
>due to the "Crash Restart" method of system attack.
>Basically, a hacker colludes with your courier to drop off your
>tapes in the morning. The courier then picks up the altered tapes
>that afternoon. A couple of really nasty things happened to your
>tapes that day.

In addition to the scenario outlined in Mr. Dail's post, imagine your tapes (or laptops) make an unauthorized stop just to be copied. Not so far fetched, and in many cases this type of loss would remain an unknown occurrence. All it requires is a payoff to someone -- the courier, or the custodian of the data. Almost everyone has a price; if bribed with enough money, many people will find they can't resist. Most identity loss is probably due to negligence and/or apathy, but collusion is a possibility which must be considered and investigated in many cases.
If a courier is offered a large amount of cash to wait just a very few minutes while someone copies a hard disk, how many couriers could say no? While this scenario is hard to imagine in the case of a small business, tapes or backups belonging to big, influential entities are certainly at risk for this type of criminal behavior.

(BTW, many people assume a laptop running Windoze is secure by virtue of having a boot password, but these can be bypassed by booting with a Linux CD. Remove the CD, shut down the laptop, return to courier.)

$0.02,
V.

--
(c)2008 veedot at earthlink.net
"Doubt is not a pleasant condition, but certainty is absurd." - Voltaire

From patricia57 at adelphia.net Mon Jun 9 03:54:13 2008
From: patricia57 at adelphia.net (Patricia Herberger)
Date: Sun, 8 Jun 2008 23:54:13 -0400
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
In-Reply-To:
References: <48493F51.4020803@knology.net>
Message-ID: <00a201c8c9e4$7b74d580$725e8080$@net>

What about the "Liability Follows the Data" section of the FACTA Red Flags Rule? According to that Rule, both the courier and the company that gave their data to the courier would be at fault.

Patricia L. Herberger
Certified Identity Theft Risk Management Specialist

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of V.
Sent: Saturday, June 07, 2008 8:45 PM
To: DAIL, WILLARD A; security curmudgeon; dataloss at attrition.org
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

From ADAIL at sunocoinc.com Mon Jun 9 11:56:53 2008
From: ADAIL at sunocoinc.com (DAIL, WILLARD A)
Date: Mon, 9 Jun 2008 07:56:53 -0400
Subject: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
References: <48493F51.4020803@knology.net> <00a201c8c9e4$7b74d580$725e8080$@net>
Message-ID:

Liability... if only I could get it through heads that you transfer risk, not liability...

That said, liability occurs at the entity level. Most breaches originate internally, and are therefore the result of someone violating company policy and the law. They're not particularly focused on liability, but someone's lawyer most assuredly will.

I should add to V's point as well that social engineering does not always require a bribe. I've heard anecdotal stories from law enforcement officers of point-of-sale equipment being compromised by someone who approached the store clerk and offered them $50 to walk outside and have a smoke, or she could stay inside and get a bullet in the forehead. An employee who cannot be bribed may still be coerced through violence or threats against their families. Some of these criminals are very organized and often have larger "operating budgets" than their target organizations.

________________________________
From: Patricia Herberger [mailto:patricia57 at adelphia.net]
Sent: Sun 6/8/2008 11:54 PM
To: 'V.'; DAIL, WILLARD A; 'security curmudgeon'; dataloss at attrition.org
Subject: RE: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

From lyger at attrition.org Mon Jun 9 17:11:45 2008
From: lyger at attrition.org (lyger)
Date: Mon, 9 Jun 2008 17:11:45 +0000 (UTC)
Subject: [Dataloss] SC: USC warns personal data may be on stolen computer
Message-ID:

http://www.thestate.com/breaking/story/428754.html

The University of South Carolina is warning about 7,000 faculty, staff and students that some of their personal information was on a desktop computer stolen from an office at the business school.

Russ McKinney, the university spokesman, said that over the Memorial Day weekend, several items were stolen from an office in the Moore School of Business.

"Among the items was a desktop computer belonging to Deputy Dean Dr. Scott Koerwer," McKinney said. "As a result of the computer being stolen, we feel it is possible that some personally identifiable data could have been compromised."
McKinney said university officials have no evidence anyone's personal information was accessed.

From arshad.noor at strongauth.com Mon Jun 9 19:18:55 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Mon, 09 Jun 2008 12:18:55 -0700
Subject: [Dataloss] [Fwd: Ransomware]
Message-ID: <484D821F.7040100@strongauth.com>

Fascinating! Attackers are using encryption to make money (I'm not sure how they expect not to get traced to the EFTs - but that's a different subject), while most companies are still sitting on the fence about data-encryption of customer data.

Arshad Noor
StrongAuth, Inc.

-------- Original Message --------
Subject: Ransomware
Date: Mon, 9 Jun 2008 11:54:20 -0400 (EDT)
From: Leichter, Jerry
To: cryptography at metzdowd.com

Computerworld reports:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094818

on a call from Kaspersky Labs for help breaking encryption used by some ransomware: Code that infects a system, uses a public key embedded in the code to encrypt your files, then tells you you have to go to some web site and pay for the decryption key. Apparently earlier versions of this ransomware were broken because of a faulty implementation of the encryption. This one seems to get it right. It uses a 1024-bit RSA key.

Vesselin Bontchev, a long-time antivirus developer at another company, claims that Kaspersky is just looking for publicity: The encryption in this case is done right and there's no real hope of breaking it.

Speculation about this kind of attack has made the rounds for years. It appears the speculations have now become reality.

-- Jerry

From hbrown at knology.net Tue Jun 10 15:20:03 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 10 Jun 2008 10:20:03 -0500
Subject: [Dataloss] South Bend IN bank replacing all Debit Cards
Message-ID: <484E9BA3.20902@knology.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080610/22b09848/attachment.html

From jschroeder at wavelink.com Tue Jun 10 17:16:23 2008
From: jschroeder at wavelink.com (Jake Schroeder)
Date: Tue, 10 Jun 2008 11:16:23 -0600
Subject: [Dataloss] Utah hospital billing records from over 2 million patients stolen
Message-ID:

http://www.kutv.com/content/news/local/story.aspx?content_id=76de0817-3ffe-4f8e-9764-506795954fa1

SALT LAKE CITY (AP) - Billing records have been stolen from a business that does work for the University of Utah Hospitals and Clinics.

Spokeswoman Chantelle Turner says the records have information from 2.2 million patients. She declined to disclose additional details until a 1 p.m. news conference Tuesday.

At that time, the hospital and Salt Lake County Sheriff Jim Winder will explain how patients will be notified about the theft.

From rchicker at etiolated.org Tue Jun 10 17:23:13 2008
From: rchicker at etiolated.org (rchick)
Date: Tue, 10 Jun 2008 13:23:13 -0400
Subject: [Dataloss] UK: 38,000 Cotton Traders customers stolen from hacked website
Message-ID:

http://news.bbc.co.uk/2/hi/technology/7446871.stm

Cotton Traders has annual sales of £5m

The credit card details of up to 38,000 customers of clothing firm Cotton Traders were stolen following a hack of its website, BBC News has learned.

The firm has not confirmed the size of the breach but it has acknowledged the site was attacked earlier this year.

It said Barclaycard was contacted as soon as it learned of the attack, and most cards were stopped.

Cotton Traders was founded by ex-England rugby captains Fran Cotton and Steve Smith.

In a statement, Cotton Traders said all of its customers' credit card data was encrypted on the website.

[...]
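Several messages in this thread turn on the same two points: Arshad Noor's that the disclosure laws never say what "encrypted" means, the New York clause Chris Walsh quoted under which data becomes private information again once the key "has also been acquired", Willard Dail's altered-tapes scenario, and the Cotton Traders statement just above that the card data "was encrypted on the website". The Python below is an added example written for this page, not code from any of those posters or from the companies named. It assumes a constructed sample record and a stand-in cipher (HMAC-SHA256 driven as a PRF in counter mode, with an encrypt-then-MAC tag) so that it runs on the standard library alone; in production the cipher should be AES (AES-GCM, or AES-CTR with HMAC) from a vetted library, which is roughly what "NIST standards as the minimum" would have mandated. What it shows: a medium carrying only ciphertext is useless to a thief, a medium carrying the key alongside it is not encrypted in any sense that matters, and the tag rejects an altered record before any plaintext is released.

```python
"""Encrypted backup records with the key held off the medium.

Added example, not code from any message in this thread. The cipher is a
standard-library stand-in (HMAC-SHA256 as a PRF in counter mode plus an
encrypt-then-MAC tag); use AES from a vetted library in production.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _subkey(master_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(master_key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any mismatch."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: record altered or wrong key")
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


# Constructed sample record; not real data.
SAMPLE_RECORD = b"name=J. Doe;ssn=000-00-0000;dob=1970-01-01"


def write_tape(master_key: bytes, key_on_tape: bool) -> dict:
    """Model what ends up on the medium, i.e. in a thief's hands."""
    tape = {"record": encrypt_record(master_key, SAMPLE_RECORD)}
    if key_on_tape:
        # The mistake that turns "encrypted" back into "private information":
        # the key rides along with the data it protects.
        tape["key"] = master_key
    return tape


def thief_can_read(tape: dict) -> bool:
    """A thief holding only the medium learns nothing unless the key is on it."""
    if "key" not in tape:
        return False
    return decrypt_record(tape["key"], tape["record"]) == SAMPLE_RECORD


def tamper_detected(master_key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext bit (an altered tape) and confirm the tag catches it."""
    altered = bytearray(blob)
    altered[NONCE_LEN] ^= 0x01
    try:
        decrypt_record(master_key, bytes(altered))
    except ValueError:
        return True
    return False


def wrong_key_rejected(blob: bytes) -> bool:
    """A guessed key fails the tag check, so no garbage plaintext is ever released."""
    try:
        decrypt_record(b"\x00" * 32, blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)  # in practice generated and held in a separate key store
    blob = encrypt_record(key, SAMPLE_RECORD)
    print("round trip ok:", decrypt_record(key, blob) == SAMPLE_RECORD)
    print("thief reads tape with key on it:", thief_can_read(write_tape(key, True)))
    print("thief reads tape without key:", thief_can_read(write_tape(key, False)))
    print("altered tape detected:", tamper_detected(key, blob))
```

The practical lesson for either a courier box or a web tier is where the key lives. For offsite tapes that means a key escrow that does not travel with the media; for a database it means an HSM or key-management service rather than a config file next to the data. A web application that can decrypt card numbers on demand necessarily has the key reachable from the tier that was compromised, so "the data was encrypted" on its own says little about what the intruder got.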
From hbrown at knology.net Tue Jun 10 17:59:35 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 10 Jun 2008 12:59:35 -0500
Subject: [Dataloss] dumpster diving in Boca Raton FL
Message-ID: <484EC107.4070309@knology.net>

Original story posted on Jun 3, 2008
Two updates posted Jun 4 and Jun 10

http://www.wflxfox29.com/Global/story.asp?S=8416813

[...]

Piles and piles of personal files with tax information, social security numbers and license numbers, were found in a Boca Raton dumpster. These dumpsters are located between a set of warehouses here on Northwest First Avenue. The dumped personal records inside, apparently belonged to Wheeler's Moving Company. Some files even dated back as far as 20 years or more.

An incredible amount of personal information and old client files containing driver's licenses, social security numbers, telephone numbers, addresses and birth dates were found on these files.

After contacting the Wheeler's Moving Company, they claimed to have moved out of Boca Raton and into Jupiter about a year ago and they had no idea this had happened.

Police received a call Monday, and were able to clean up a majority of this dumpster. There are currently some remnants of the files out there, but officials are doing their best to protect the people on these files so their identities are not stolen and get these files and papers shredded properly.

And a followup

[...]

Spieler says she used a Boca moving company 13 years ago. That moving company was sold and relocated. The building owner now cleaning out and tossing the files with information on employees, applicants and customers like Spieler.

"It shouldn't have been available to anybody, but nobody has done anything."

Building owner Charles Wheeler, former owner of the moving company, says, "In my heart I don't think it's going to be a problem. And I didn't realize until I heard from you guys that there was something sensitive in there. And it should have never been thrown out."
From lyger at attrition.org Tue Jun 10 20:42:44 2008
From: lyger at attrition.org (lyger)
Date: Tue, 10 Jun 2008 20:42:44 +0000 (UTC)
Subject: [Dataloss] University of Florida notifies 11,000 students that Social Security numbers were posted online
Message-ID:

http://www.wwsb.com/Global/story.asp?S=8459135

The University of Florida is sending letters to more than 11,000 current and former students to notify them that their Social Security numbers, names and addresses were accidentally posted online.

University officials said Tuesday that the privacy breach was recently discovered during a routine systems audit.

[...]

From lyger at attrition.org Tue Jun 10 21:07:24 2008
From: lyger at attrition.org (lyger)
Date: Tue, 10 Jun 2008 21:07:24 +0000 (UTC)
Subject: [Dataloss] (update): Utah hospital billing records from over 2 million patients stolen
In-Reply-To:
References:
Message-ID:

http://www.kutv.com/content/news/local/story.aspx?content_id=76de0817-3ffe-4f8e-9764-506795954fa1

Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center, authorities said Tuesday.

The records, described only as backup information tapes, contained Social Security numbers of 1.3 million people treated at the university over the last 16 years, said Lorris Betz, senior vice president for health sciences.

Betz said people would be notified by a letter at a cost of $500,000 just for stamps and envelopes. The hospital also pledged free credit monitoring.

[...]

From dmetcalf at mcraemetcalf.com Tue Jun 10 21:48:39 2008
From: dmetcalf at mcraemetcalf.com (David Metcalf)
Date: Tue, 10 Jun 2008 17:48:39 -0400
Subject: [Dataloss] (update): Utah hospital billing records from over 2 million patients stolen
In-Reply-To:
References:
Message-ID:

I cannot believe that they are only offering a $1,000 reward for return of the tapes "no questions asked."

http://healthcare.utah.edu/publicaffairs/news/current/billing_theft.html

The website of the security company that lost the tapes is also interesting. It shows impressive pictures of their storage vault which was "designed to be an impregnable fortress" and can even withstand a nuclear blast. Unfortunately, the employee never made it that far.

http://www.perpetualstorage.com/index_home.htm

Another example of human error overcoming the most rugged technological precautions. Or as Mom used to say, "No system is fool proof."

David

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger
Sent: Tuesday, June 10, 2008 5:07 PM
To: dataloss at attrition.org
Subject: [Dataloss] (update): Utah hospital billing records from over 2 million patients stolen

From arshad.noor at strongauth.com Tue Jun 10 22:12:57 2008
From: arshad.noor at strongauth.com (Arshad Noor)
Date: Tue, 10 Jun 2008 15:12:57 -0700
Subject: [Dataloss] [Fwd: Re: (update): Utah hospital billing records from over 2 million patients stolen]
Message-ID: <484EFC69.8010000@strongauth.com>

Even if somebody returned it, it wouldn't mean that the data is not going to be misused. Not sure what the point of the meager reward is, considering their cleanup cost is going to be nearly 3 orders of magnitude larger.

Arshad Noor
StrongAuth, Inc.

-------- Original Message --------
Subject: Re: [Dataloss] (update): Utah hospital billing records from over 2 million patients stolen
Date: Tue, 10 Jun 2008 17:48:39 -0400
From: David Metcalf
To: 'lyger' ,

From mhozven at tealeaf.com Tue Jun 10 22:18:06 2008
From: mhozven at tealeaf.com (Max Hozven)
Date: Tue, 10 Jun 2008 15:18:06 -0700
Subject: [Dataloss] (update): Utah hospital billing records from over 2 million patients stolen
In-Reply-To:
References:
Message-ID: <771A26039D33ED489E23D9614DE630DD08A04DCF@SFMAIL02.tealeaf.com>

Maybe customers should put in a GPS tracking device in each of their tape boxes (or one box in each shipment of boxes). At least if the box isn't stolen (and the GPS discarded/trashed/etc), they would have a chance at tracking the location (or last tracked location) of a tape box.
-Max

________________________________
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of David Metcalf
Sent: Tuesday, June 10, 2008 2:49 PM
To: 'lyger'; dataloss at attrition.org
Subject: Re: [Dataloss] (update): Utah hospital billing records from over 2million patients stolen

[...]

From mhozven at tealeaf.com Tue Jun 10 22:24:30 2008
From: mhozven at tealeaf.com (Max Hozven)
Date: Tue, 10 Jun 2008 15:24:30 -0700
Subject: [Dataloss] (update): Utah hospital billing records from over 2million patients stolen
In-Reply-To: <43D4A3DBDFA01E4297DEA3C25036E16D01134F44FB@SFMAIL02.tealeaf.com>
References: <43D4A3DBDFA01E4297DEA3C25036E16D01134F44FB@SFMAIL02.tealeaf.com>
Message-ID: <771A26039D33ED489E23D9614DE630DD08A04DDC@SFMAIL02.tealeaf.com>

Here's one as small as a pager:

http://www.mightygps.com/miniflextrack.htm

(No, I have no connection to this product/company, I googled it up...)

-Max

________________________________
From: Max Hozven
Sent: Tuesday, June 10, 2008 3:18 PM
To: David Metcalf; 'lyger'; dataloss at attrition.org
Subject: RE: [Dataloss] (update): Utah hospital billing records from over 2million patients stolen

[...]

From alex.joannou at cloakware.com Tue Jun 10 22:30:39 2008
From: alex.joannou at cloakware.com (Alex Joannou)
Date: Tue, 10 Jun 2008 22:30:39 +0000
Subject: [Dataloss] (update): Utah hospital billing records from over2million patients stolen
In-Reply-To: <771A26039D33ED489E23D9614DE630DD08A04DCF@SFMAIL02.tealeaf.com>
References: <771A26039D33ED489E23D9614DE630DD08A04DCF@SFMAIL02.tealeaf.com>
Message-ID: <1252487003-1213137071-cardhu_decombobulator_blackberry.rim.net-397241301-@bxe018.bisx.prod.on.blackberry>

Like a lojack for data tapes. Sounds like a great product idea.

Thanks,
Alex

-----Original Message-----
From: "Max Hozven"
Date: Tue, 10 Jun 2008 15:18:06
To: "David Metcalf" , "lyger" ,
Subject: Re: [Dataloss] (update): Utah hospital billing records from over 2million patients stolen

[...]

----------------
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of David Metcalf
Sent: Tuesday, June 10, 2008 2:49 PM
To: 'lyger'; dataloss at attrition.org
Subject: Re: [Dataloss] (update): Utah hospital billing records from over 2million patients stolen
[...]

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger
Sent: Tuesday, June 10, 2008 5:07 PM
To: dataloss at attrition.org
Subject: [Dataloss] (update): Utah hospital billing records from over 2 million patients stolen

[...]

From ADAIL at sunocoinc.com Tue Jun 10 22:49:56 2008
From: ADAIL at sunocoinc.com (DAIL, WILLARD A)
Date: Tue, 10 Jun 2008 18:49:56 -0400
Subject: [Dataloss] (update): Utah hospital billing records fromover2million patients stolen
References: <771A26039D33ED489E23D9614DE630DD08A04DCF@SFMAIL02.tealeaf.com> <1252487003-1213137071-cardhu_decombobulator_blackberry.rim.net-397241301-@bxe018.bisx.prod.on.blackberry>
Message-ID:

I've spoken to this company before, when I owned a small company in the transportation security industry. They manufacture tracking devices for bank bags and money shipments. Data tapes would seem like a perfect fit.

http://www.zytrack.com/banking.htm

________________________________
From: dataloss-bounces at attrition.org on behalf of Alex Joannou
Sent: Tue 6/10/2008 6:30 PM
To: Max Hozven; dataloss-bounces at attrition.org; David Metcalf; lyger; dataloss at attrition.org
Subject: Re: [Dataloss] (update): Utah hospital billing records fromover2million patients stolen

[...]

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.
From lyger at attrition.org Wed Jun 11 07:32:07 2008
From: lyger at attrition.org (lyger)
Date: Wed, 11 Jun 2008 07:32:07 +0000 (UTC)
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents
Message-ID:

http://attrition.org/security/rant/dl-compensation.html

Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn't abused. The recent BNY Mellon incident (which now stands at 4.5 million potential customers affected) resulted in customers receiving such a letter:

[.]

Notice that in return for having your personal information lost, they are offering free credit monitoring for 12 whole months! This seemingly generous offer has apparently become the standard business practice for acceptable compensation when your personal information is treated with carelessness.

BNY opted to go with ConsumerInfo.com's "Triple Alert" credit monitoring product (despite no mention of that 'product' on the consumerinfo.com web page), which watches for changes to your credit reports from the three national credit reporting agencies in the United States (Experian, Equifax, TransUnion). If you are unlucky and get caught up in multiple data loss incidents, you may receive this "gracious compensation" many times over.

First, why is this type of reactive credit monitoring acceptable compensation? This seems to be another case of one business following another and... voila, we have an industry 'standard' that does little to serve the customer but does everything to serve businesses that want to look caring and "customer-centric" in the media.

[...]
From dean.brunson at utah.edu Wed Jun 11 15:19:42 2008
From: dean.brunson at utah.edu (Dean Brunson)
Date: Wed, 11 Jun 2008 09:19:42 -0600
Subject: [Dataloss] (update): Utah hospital billing records from over 2 million patients stolen
In-Reply-To:
References:
Message-ID: <484FED0E.3040301@utah.edu>

A sad note here is that Perpetual Storage hadn't lost a single record in over 40 years, until this one employee came along.

No one here has said why he was using his own car. Company policy is that personal vehicles are never used. And taking the tapes home overnight, and leaving the cash box that contained the tapes in plain sight... the employee is now former -- he was fired immediately. Local news has reported that local law enforcement and the FBI are both involved in the investigation, but they haven't yet decided whether to file any charges. Charges or not, the former employee should not be able to get bonded in the future.

This guy would never be able to pay restitution for his actions -- they're telling us that the cost of stamps and envelopes will be in the neighborhood of half a million dollars. I don't know who's paying for that -- the University, or Perpetual Storage. I suspect the University will pay, and then approach Perpetual Storage after the fact.

And for the time being, no backup tapes are being kept on site. Unfortunately, that's a good news / bad news kind of solution, but if they resumed the Perpetual Storage solution, or found someone else for off-site storage, and more records were lost, I'm sure there'd be blood-letting among senior management.

Oh, and the $1,000 reward versus the $500,000 bill for stamps and envelopes -- I don't get that, either.

Dean B

David Metcalf wrote:
> [...]

From MKEVHILL at aol.com Wed Jun 11 13:02:02 2008
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Wed, 11 Jun 2008 09:02:02 EDT
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents
Message-ID:

Credit monitoring is the cheapest reactive measure, plain and simple. And without a doubt, it's a false sense of security these "careless organizations" are giving the affected individuals.

Mike

Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751

In a message dated 6/11/2008 3:33:05 A.M. Eastern Daylight Time, lyger at attrition.org writes:

http://attrition.org/security/rant/dl-compensation.html

Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn't abused. The recent BNY Mellon incident (which now stands at 4.5 million potential customers affected) resulted in customers receiving such a letter:

[.]

Notice that in return for having your personal information lost, they are offering free credit monitoring for 12 whole months! This seemingly generous offer has apparently become the standard business practice for acceptable compensation when your personal information is treated with carelessness.
[...]

From ADAIL at sunocoinc.com Wed Jun 11 12:17:38 2008
From: ADAIL at sunocoinc.com (DAIL, WILLARD A)
Date: Wed, 11 Jun 2008 08:17:38 -0400
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents
References:
Message-ID:

Being a person that actually put an Incident Response Plan together, I can attest to the fact that the thought process, at least in our case, was "What is the risk to the consumer and what, if anything, can we do to help the consumer mitigate that risk?"

Unfortunately, there's just not much else that a company can do after-the-fact. We hope our efforts before-the-fact prevent us from ever losing such data, but companies are often at the mercy of the competence of a single employee or sub-contractor on a given day (like the tape courier with a hang-over). Sure, you can put contracts in place and that makes the bean-counters and lawyers happy, but it doesn't please the ex-cop in me because I deal with violations and exceptions of law, it's my world.

If a lost tape is nothing but credit card PANs I don't think even credit monitoring is called for, but if your SSN or PII is involved then it's at least something you can do to get some level of early warning.

Where I think the actual problem lies is that most company executives (even most company lawyers) have not caught on to the fact that ISO 27002 is becoming a reference standard for courts to establish a level of "due care" (check LexisNexis if you don't believe me) and non-compliant organizations are deemed "Wishy Washy" or "Loose". So, companies are building IT security processes around PCI, or COBIT, or ITIL, which actually falls under the COSO portion of International Law and they think they are covered, when in reality, the COSO organization only covers financial transactions, and they are missing all of the parallel (and the fact they are parallel and complementary) controls under the OECD (Laws) and ISO (Standards). The net effect is security controls that are 1/3 adequate.

________________________________
From: dataloss-bounces at attrition.org on behalf of lyger
Sent: Wed 6/11/2008 3:32 AM
To: dataloss at attrition.org
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents

http://attrition.org/security/rant/dl-compensation.html

[...]

From jim at diversifiedbenefits.biz Wed Jun 11 17:57:30 2008
From: jim at diversifiedbenefits.biz (Jim)
Date: Wed, 11 Jun 2008 12:57:30 -0500
Subject: [Dataloss] Subscription authorization
Message-ID: <20080611175956.CFWE26883.eastrmmtao103.cox.net@eastrmimpo02.cox.net>

I am complying with the provided directions for receiving the dataloss listing.

Jim Graham

From mbarnett at TIFRM.com Wed Jun 11 18:37:04 2008
From: mbarnett at TIFRM.com (M Barnett - TIFRM)
Date: Wed, 11 Jun 2008 12:37:04 -0600
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents
In-Reply-To:
References:
Message-ID: <00e401c8cbf2$26031700$1a02a8c0@ADMIN4CFD40D48>

I don't typically chime in on these discussions, but I was glad to see this one and could not resist.

Courtesy of massive advertising campaigns, credit monitoring has become the de facto accepted "industry standard response", up to and including the federal government as evidenced by a recent Blanket Purchase Agreement that mandates that a breach response service offering must include credit monitoring. It is, in essence, an attempt to stave off class action lawsuits before they are filed.

There are fundamental considerations for both consumers and businesses regarding credit monitoring that are consistently overlooked, or blatantly ignored:

1. CONSUMER CONSIDERATIONS:

First and foremost, it provides the obvious false sense of security. Consumers simply do not realize that they can be victimized in many ways that may never show on their credit reports.
IF something does show, the service is not an effective early warning system (see the excerpt below) because it functions in the manner that the credit reporting system operates, not in the way that the thieves operate.

Example excerpt from the CITRMS Reference Manual:

It is important to note that because of the way that these services are designed, and the way that the credit reporting system functions, the credit monitoring "early warning system" can and does fail. For example, in December of 2006, the New York Times published an article entitled "Protectors, Too, Gather Profits from ID Theft". An excerpt from this story follows:

"Melody Millett was shocked when her car loan company asked her if she was the wife of Abundio Perez, who had applied for 26 credit cards, financed several cars and taken out a home mortgage using a Social Security number belonging to her actual husband. Beyond her shock, Mrs. Millett was angry. Five months earlier, the Milletts had subscribed to a $79.99-a-year service from Equifax, a big financial data warehouse, that promised to monitor any access to her credit records. But it never reported the credit activity that might have signaled that they were victims of identity theft." (Source: New York Times)

Secondly, most services simply notify the consumer that "Congratulations - you are a victim. Good luck!" IF there is any form of assistance provided in conjunction with the service, it is almost always limited to resolving only those matters that involve the credit report. It omits erroneous criminal records, employment and taxation issues, banking account fraud and related losses, medical identity theft and possible contaminated records, exhaustion of benefits, etc. Finally, the companies publicly announce what service they are providing (if any), and for how long. The thieves monitor these announcements just as anyone else, and can easily sit on the information until the alarm bells stop ringing and the service expires.
For the consumer, theft of their information can be the unwanted gift that keeps on giving as their information is sold and re-sold, long after any token service offering has ended. Does such a service have a possible place in a consumer's overall risk management plan? Yes, but it should certainly never be relied upon as the sole means of "protection." 2. BUSINESS CONSIDERATIONS: I might concede that offering something is, to at least some degree, better than the other side of the spectrum which is more common: "Dear consumer, we lost your information. Check your credit reports and please do not sue us." However, beyond the costs associated with providing the service, the most fundamental consideration that businesses do not grasp is that, under the myriad of state and federal laws that establish rights of action for consumers impacted by a breach, the business' liability for damages suffered by victimized consumers is not limited to only those types of victimization that show on a credit report. Case in point, the recent Utah medical billing records breach. There is a good possibility that this information could be utilized to perpetrate medical identity theft, which is not only unlikely to show in credit reports, but also produces an additional layer of problems for both the consumers and the healthcare providers and facilities. It is also possible that a business could provide credit monitoring services and, if not accompanied by a waiver and release, still be sued in a class action for victimizations not uncovered by the service. In some cases, actual victimization by the impacted consumers is not even a prerequisite for actions - the mere fact that the breach occurred at all can serve as the justification. In my opinion, the entire topic of data breaches and information security, and resultant blame for the rampant problems, rests with numerous stakeholders - including the very legislators that draft the related laws. 
Unfortunately for the businesses themselves, the same crazy quilt of data security laws that allow for fines, penalties, and actions are often vague and ill-worded at best. Common sense or lack thereof, blatant negligence, ignorance, or dishonest insiders as contributing factors aside, many businesses do attempt to achieve compliance and may go to considerable lengths in an attempt to meet the "reasonable" standards discussed in these laws and regulations. Yet more often than not, they are not provided with clear and concise steps that constitute "reasonable" compliance. Rather, they are forced to follow suggestions and illustrative examples. The Red Flags Rule is the most recent shining example of this. "Reasonable" is most often determined after an incident, in a court of law and the court of public opinion, with the full benefit of 20/20 hindsight. Your company suffered a breach, therefore the measures that you took obviously were not "reasonable" to prevent such an incident. While it may be impossible to draft legislation that keeps pace with the breakneck speed of advancements in technology, and negligent businesses should be held accountable, there is still vast room for improvement in the specific guidance issued and possible safe harbor provisions for companies that do actively attempt to secure the data of their customers and employees. But that is a separate topic altogether.

Respectfully,

Michael Barnett, CITRMS
CEO
The Institute of Fraud Risk Management, Inc.
www.TIFRM.Net
www.TIFRM.coursehost.com

The Institute of Fraud Risk Management, Inc.
955 South Virginia Street; Suite #116 Reno, Nevada 89502 "Knowledge is the Best Defense Against Fraud" -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger Sent: Wednesday, June 11, 2008 1:32 AM To: dataloss at attrition.org Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents http://attrition.org/security/rant/dl-compensation.html Wed Jun 11 03:38:35 EDT 2008 Apacid, Jericho If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn't abused. The recent BNY Mellon incident (which now stands at 4.5 million potential customers affected) resulted in customers receiving such a letter: [.] Notice that in return for having your personal information lost, they are offering free credit monitoring for 12 whole months! This seemingly generous offer has apparently become the standard business practice for acceptable compensation when your personal information is treated with carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" credit monitoring product (despite no mention of that 'product' on the consumerinfo.com web page), which watches for changes to your credit reports from the three national credit reporting agencies in the United States (Experian, Equifax, TransUnion). If you are unlucky and get caught up in multiple data loss incidents, you may receive this "gracious compensation" many times over. First, why is this type of reactive credit monitoring acceptable compensation? This seems to be another case of one business following another and... voila, we have an industry 'standard' that does little to serve the customer but does everything to serve businesses that want to look caring and "customer-centric" in the media. [...] 
From lyger at attrition.org Wed Jun 11 19:06:23 2008
From: lyger at attrition.org (lyger)
Date: Wed, 11 Jun 2008 19:06:23 +0000 (UTC)
Subject: [Dataloss] TN: Schools' Stolen Laptop Contains Personal Info
Message-ID:

http://www.wsmv.com/news/16573465/detail.html

A computer containing sensitive information was stolen from the Dickson County Board of Education, according to a report in The Dickson Herald. The theft happened sometime between late Friday and Monday, Dickson County Schools Director Johnny Chandler told the Herald. Chandler said notification was sent out immediately to anyone that could be harmed by the theft. Personal information and the Social Security numbers of more than 800 people were stored on the computer. The theft could affect everyone except food service workers, a school system representative said.

[...]

From hbrown at knology.net Wed Jun 11 20:32:37 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 11 Jun 2008 15:32:37 -0500
Subject: [Dataloss] AT&T management staff data on stolen laptop
In-Reply-To:
References:
Message-ID: <48503665.9040707@knology.net>

An interesting "press release" from AT&T the day BEFORE they "announced" the loss of the laptop

http://www.att.com/gen/press-room?pid=4800&cdvn=news&newsarticleid=25761

AT&T Launches Encryption Services to Help Businesses Secure E-Mail and Data

[...]

"Data protection and loss prevention is becoming increasingly critical for businesses of all sizes with data breaches costing organizations more and more each year," said S. Dale McHenry, vice president, Enterprise Network Services, AT&T.
"AT&T's managed security services provide businesses with the tools and resources that they need to securely handle their data, helping to enforce data privacy and save money with the electronic transfer of documents." [...] -------- Original Message -------- Subject: [Dataloss] AT&T management staff data on stolen laptop From: rchick To: dataloss at attrition.org Date: 6/4/2008 7:15 PM > June 04, 2008 > http://www.scmagazineus.com/ATT-management-staff-data-on-stolen-laptop/article/110884/ > > An undisclosed number of management-level workers at AT&T have been > notified that their personal information was stored unencrypted on a > stolen laptop. [...] From mhill at idtexperts.com Wed Jun 11 20:57:40 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Wed, 11 Jun 2008 16:57:40 -0400 Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents In-Reply-To: <00e401c8cbf2$26031700$1a02a8c0@ADMIN4CFD40D48> References: <00e401c8cbf2$26031700$1a02a8c0@ADMIN4CFD40D48> Message-ID: I read posts such as Michael Barnett's (which I totally agree with) and continue to conclude that there is absolutely no way any identity theft protection plan can prevent your identity from being stolen and used to commit fraud in your name. Consumers need to be prepared for when they become a victim. So what does that plan look like? Michael Hill Certified Identity Theft Risk Management Specialist www.idtheft101.net 404-216-3751 "If You Think You're Not At Risk, Think Again!" ----- Original Message ----- From: "M Barnett - TIFRM" To: "'lyger'" ; Sent: Wednesday, June 11, 2008 2:37 PM Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents >I don't typically chime in on these discussions, but I was glad to see this > one and could not resist. 
Courtesy of massive advertising campaigns, > credit > monitoring has become the de facto accepted "industry standard response", > up > to and including the federal government as evidenced by a recent Blanket > Purchase Agreement that mandates that a breach response service offering > must include credit monitoring. It is, in essence, an attempt to stave off > class action lawsuits before they are filed. > > There are fundamental considerations for both consumers and businesses > regarding credit monitoring that are consistently overlooked, or blatantly > ignored: > > 1. CONSUMER CONSIDERATIONS: First and foremost, it provides the > obvious false sense of security. Consumers simply do not realize that they > can be victimized in many ways that may never show on their credit > reports. > IF something does show, the service is not an effective early warning > system > (see the excerpt below) because it functions in the manner that the credit > reporting system operates, not in the way that the thieves operate. > > Example excerpt from the CITRMS Reference Manual: > > It is important to note that because of the way that these services are > designed, and the way that the credit reporting system functions, the > credit > monitoring "early warning system" can and does fail. For example, in > December of 2006, the New York Times published an article entitled > "Protectors, Too, Gather Profits from ID Theft". An excerpt from this > story > follows: > > "Melody Millett was shocked when her car loan company asked her if she was > the wife of Abundio Perez, who had applied for 26 credit cards, financed > several cars and taken out a home mortgage using a Social Security number > belonging to her actual husband. Beyond her shock, Mrs. Millett was angry. > Five months earlier, the Milletts had subscribed to a $79.99-a-year > service > from Equifax, a big financial data warehouse, that promised to monitor any > access to her credit records. 
> But it never reported the credit activity that might have signaled that they were victims of identity theft." (Source: New York Times)
>
> Secondly, most services simply notify the consumer that "Congratulations - you are a victim. Good luck!" IF there is any form of assistance provided in conjunction with the service, it is almost always limited to resolving only those matters that involve the credit report. It omits erroneous criminal records, employment and taxation issues, banking account fraud and related losses, medical identity theft and possible contaminated records, exhaustion of benefits, etc. Finally, the companies publicly announce what service they are providing (if any), and for how long. The thieves monitor these announcements just as anyone else, and can easily sit on the information until the alarm bells stop ringing and the service expires. For the consumer, theft of their information can be the unwanted gift that keeps on giving as their information is sold and re-sold, long after any token service offering has ended.
>
> Does such a service have a possible place in a consumer's overall risk management plan? Yes, but it should certainly never be relied upon as the sole means of "protection."
>
> 2. BUSINESS CONSIDERATIONS: I might concede that offering something is, to at least some degree, better than the other side of the spectrum which is more common: "Dear consumer, we lost your information. Check your credit reports and please do not sue us." However, beyond the costs associated with providing the service, the most fundamental consideration that businesses do not grasp is that, under the myriad of state and federal laws that establish rights of action for consumers impacted by a breach, the business' liability for damages suffered by victimized consumers is not limited to only those types of victimization that show on a credit report.
> Case in point, the recent Utah medical billing records breach. There is a > good possibility that this information could be utilized to perpetrate > medical identity theft, which is not only unlikely to show in credit > reports, but also produces an additional layer of problems for both the > consumers and the healthcare providers and facilities. It is also possible > that a business could provide credit monitoring services and, if not > accompanied by a waiver and release, still be sued in a class action for > victimizations not uncovered by the service. > > In some cases, actual victimization by the impacted consumers is not even > a > prerequisite for actions - the mere fact that the breach occurred at all > can > serve as the justification. > > > In my opinion, the entire topic of data breaches and information security, > and resultant blame for the rampant problems, rests with numerous > stakeholders - including the very legislators that draft the related laws. > Unfortunately for the businesses themselves, the same crazy quilt of data > security laws that allow for fines, penalties, and actions are often vague > and ill-worded at best. Common sense or lack thereof, blatant negligence, > ignorance, or dishonest insiders as contributing factors aside, many > businesses do attempt to achieve compliance and may go to considerable > lengths in an attempt to meet the "reasonable" standards discussed in > these > laws and regulations. Yet more often than not, they are not provided with > clear and concise steps that constitute "reasonable" compliance. Rather, > they are forced to follow suggestions and illustrative examples. The Red > Flags Rule is the most recent shining example of this. "Reasonable" is > most > often determined after an incident, in a court of law and the court of > public opinion, with the full benefit of 20/20 hindsight. 
> Your company suffered a breach, therefore the measures that you took obviously were not "reasonable" to prevent such an incident. While it may be impossible to draft legislation that keeps pace with the breakneck speed of advancements in technology, and negligent businesses should be held accountable, there is still vast room for improvement in the specific guidance issued and possible safe harbor provisions for companies that do actively attempt to secure the data of their customers and employees. But that is a separate topic altogether.
>
> Respectfully,
>
> Michael Barnett, CITRMS
> CEO
> The Institute of Fraud Risk Management, Inc.
> www.TIFRM.Net
> www.TIFRM.coursehost.com
>
> The Institute of Fraud Risk Management, Inc.
> 955 South Virginia Street; Suite #116
> Reno, Nevada 89502
> "Knowledge is the Best Defense Against Fraud"
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger
> Sent: Wednesday, June 11, 2008 1:32 AM
> To: dataloss at attrition.org
> Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents
>
> http://attrition.org/security/rant/dl-compensation.html
>
> Wed Jun 11 03:38:35 EDT 2008
> Apacid, Jericho
>
> If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn't abused. The recent BNY Mellon incident (which now stands at 4.5 million potential customers affected) resulted in customers receiving such a letter:
>
> [.]
>
> Notice that in return for having your personal information lost, they are offering free credit monitoring for 12 whole months! This seemingly generous offer has apparently become the standard business practice for acceptable compensation when your personal information is treated with carelessness.
> BNY opted to go with ConsumerInfo.com's "Triple Alert" credit monitoring product (despite no mention of that 'product' on the consumerinfo.com web page), which watches for changes to your credit reports from the three national credit reporting agencies in the United States (Experian, Equifax, TransUnion). If you are unlucky and get caught up in multiple data loss incidents, you may receive this "gracious compensation" many times over.
>
> First, why is this type of reactive credit monitoring acceptable compensation? This seems to be another case of one business following another and... voila, we have an industry 'standard' that does little to serve the customer but does everything to serve businesses that want to look caring and "customer-centric" in the media.
>
> [...]
From dmetcalf at mcraemetcalf.com Wed Jun 11 20:57:36 2008
From: dmetcalf at mcraemetcalf.com (David Metcalf)
Date: Wed, 11 Jun 2008 16:57:36 -0400
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents
In-Reply-To:
References:
Message-ID:

I agree, but it is difficult to specify a concrete alternative that a court could order these companies to provide. The TJX settlement called for credit monitoring, not because it was perfect, but rather because the lawyers and plaintiffs' experts could not think of a better alternative that the court might actually award. Defense lawyers now tell their clients that, based on this precedent, credit monitoring is all they are liable to provide. If a better response could be developed and approved by a court in making a class action award, that would become the new "industry standard." Any ideas? Should credit monitoring be the standard for incidents like Hannaford (involving Track 2 data), but require a higher level of protection for incidents like BNY Mellon or U of U where social security numbers, medical records or highly personal information is disclosed?

_____

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of MKEVHILL at aol.com
Sent: Wednesday, June 11, 2008 9:02 AM
To: lyger at attrition.org; dataloss at attrition.org
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents

Credit monitoring is the cheapest reactive measure, plain and simple. And without a doubt, it's a false sense of security these "careless organizations" are giving the affected individuals.

Mike

Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751

In a message dated 6/11/2008 3:33:05 A.M.
Eastern Daylight Time, lyger at attrition.org writes:

http://attrition.org/security/rant/dl-compensation.html

Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn't abused. The recent BNY Mellon incident (which now stands at 4.5 million potential customers affected) resulted in customers receiving such a letter:

[.]

Notice that in return for having your personal information lost, they are offering free credit monitoring for 12 whole months! This seemingly generous offer has apparently become the standard business practice for acceptable compensation when your personal information is treated with carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" credit monitoring product (despite no mention of that 'product' on the consumerinfo.com web page), which watches for changes to your credit reports from the three national credit reporting agencies in the United States (Experian, Equifax, TransUnion). If you are unlucky and get caught up in multiple data loss incidents, you may receive this "gracious compensation" many times over.

First, why is this type of reactive credit monitoring acceptable compensation? This seems to be another case of one business following another and... voila, we have an industry 'standard' that does little to serve the customer but does everything to serve businesses that want to look caring and "customer-centric" in the media.

[...]

From Derek.Rigsby at idcure.com Thu Jun 12 00:41:27 2008
From: Derek.Rigsby at idcure.com (Derek Rigsby)
Date: Wed, 11 Jun 2008 18:41:27 -0600
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents
In-Reply-To:
Message-ID: <002e01c8cc25$0da96280$0300a8c0@stonecreekfunding.com>

I am certainly biased and for that reason usually keep my comments to myself. In this case I am compelled to speak up. I could not agree more that credit monitoring is not a solution for victims of a breach event. I also believe a victim of a breach event cannot "prevent" the fraudulent use of one's identity. However, victims can have all aspects of their identity (except medical records protected by HIPAA) restored to 100% of their pre-theft status. I am not talking about a do-it-yourself manual. Victims should be assigned a dedicated recovery advocate armed with a limited power of attorney. This POA gives an advocate the authority to do the recovery work on behalf of the victim. At the same time the information gleaned from the recovery process can be shared with authorities in an effort to help prosecute the criminals that committed the identity theft.

At some point a victim will learn that their identity has been used fraudulently regardless of whether or not they have credit monitoring. After the victim suspects fraudulent activity they should be required to file a police report. That report will cut down on victims trying to get their legitimate big screen TV purchase written off as id theft since filing a false report is a crime. Then the company that experienced the breach should pay for a fully managed recovery and warranty the restoration for 3 years.
The cost of doing this would be less than that of blanket credit monitoring programs and the victim is better off in the long run. Again I am not trying to use this rant to sell product. I just believe it is an actual solution to post-mortem breach responses. It best serves the victim, offers a lower price to the company breached (we will all pay higher prices to cover these costs in the end) and it helps our overstretched law enforcement deal with the overwhelming surge in identity theft.

Derek Rigsby
720.278.0756
Derek.Rigsby at idcure.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Michael Hill, CITRMS
Sent: Wednesday, June 11, 2008 2:58 PM
To: MBarnett at TIFRM.com; 'lyger'; dataloss at attrition.org
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents

I read posts such as Michael Barnett's (which I totally agree with) and continue to conclude that there is absolutely no way any identity theft protection plan can prevent your identity from being stolen and used to commit fraud in your name. Consumers need to be prepared for when they become a victim. So what does that plan look like?

Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751
"If You Think You're Not At Risk, Think Again!"
----- Original Message ----- From: "M Barnett - TIFRM" To: "'lyger'" ; Sent: Wednesday, June 11, 2008 2:37 PM Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents >I don't typically chime in on these discussions, but I was glad to see this > one and could not resist. Courtesy of massive advertising campaigns, > credit > monitoring has become the de facto accepted "industry standard response", > up > to and including the federal government as evidenced by a recent Blanket > Purchase Agreement that mandates that a breach response service offering > must include credit monitoring. It is, in essence, an attempt to stave off > class action lawsuits before they are filed. > > There are fundamental considerations for both consumers and businesses > regarding credit monitoring that are consistently overlooked, or blatantly > ignored: > > 1. CONSUMER CONSIDERATIONS: First and foremost, it provides the > obvious false sense of security. Consumers simply do not realize that they > can be victimized in many ways that may never show on their credit > reports. > IF something does show, the service is not an effective early warning > system > (see the excerpt below) because it functions in the manner that the credit > reporting system operates, not in the way that the thieves operate. > > Example excerpt from the CITRMS Reference Manual: > > It is important to note that because of the way that these services are > designed, and the way that the credit reporting system functions, the > credit > monitoring "early warning system" can and does fail. For example, in > December of 2006, the New York Times published an article entitled > "Protectors, Too, Gather Profits from ID Theft". 
> An excerpt from this story follows:
>
> "Melody Millett was shocked when her car loan company asked her if she was the wife of Abundio Perez, who had applied for 26 credit cards, financed several cars and taken out a home mortgage using a Social Security number belonging to her actual husband. Beyond her shock, Mrs. Millett was angry. Five months earlier, the Milletts had subscribed to a $79.99-a-year service from Equifax, a big financial data warehouse, that promised to monitor any access to her credit records. But it never reported the credit activity that might have signaled that they were victims of identity theft." (Source: New York Times)
>
> Secondly, most services simply notify the consumer that "Congratulations - you are a victim. Good luck!" IF there is any form of assistance provided in conjunction with the service, it is almost always limited to resolving only those matters that involve the credit report. It omits erroneous criminal records, employment and taxation issues, banking account fraud and related losses, medical identity theft and possible contaminated records, exhaustion of benefits, etc. Finally, the companies publicly announce what service they are providing (if any), and for how long. The thieves monitor these announcements just as anyone else, and can easily sit on the information until the alarm bells stop ringing and the service expires. For the consumer, theft of their information can be the unwanted gift that keeps on giving as their information is sold and re-sold, long after any token service offering has ended.
>
> Does such a service have a possible place in a consumer's overall risk management plan? Yes, but it should certainly never be relied upon as the sole means of "protection."
>
> 2.
BUSINESS CONSIDERATIONS: I might concede that offering something > is, to at least some degree, better than the other side of the spectrum > which is more common: "Dear consumer, we lost your information. Check > your > credit reports and please do not sue us." However, beyond the costs > associated with providing the service, the most fundamental consideration > that businesses do not grasp is that, under the myriad of state and > federal > laws that establish rights of action for consumers impacted by a breach, > the > business' liability for damages suffered by victimized consumers is not > limited to only those types of victimization that show on a credit report. > Case in point, the recent Utah medical billing records breach. There is a > good possibility that this information could be utilized to perpetrate > medical identity theft, which is not only unlikely to show in credit > reports, but also produces an additional layer of problems for both the > consumers and the healthcare providers and facilities. It is also possible > that a business could provide credit monitoring services and, if not > accompanied by a waiver and release, still be sued in a class action for > victimizations not uncovered by the service. > > In some cases, actual victimization by the impacted consumers is not even > a > prerequisite for actions - the mere fact that the breach occurred at all > can > serve as the justification. > > > In my opinion, the entire topic of data breaches and information security, > and resultant blame for the rampant problems, rests with numerous > stakeholders - including the very legislators that draft the related laws. > Unfortunately for the businesses themselves, the same crazy quilt of data > security laws that allow for fines, penalties, and actions are often vague > and ill-worded at best. 
Common sense or lack thereof, blatant negligence, > ignorance, or dishonest insiders as contributing factors aside, many > businesses do attempt to achieve compliance and may go to considerable > lengths in an attempt to meet the "reasonable" standards discussed in > these > laws and regulations. Yet more often than not, they are not provided with > clear and concise steps that constitute "reasonable" compliance. Rather, > they are forced to follow suggestions and illustrative examples. The Red > Flags Rule is the most recent shining example of this. "Reasonable" is > most > often determined after an incident, in a court of law and the court of > public opinion, with the full benefit of 20/20 hindsight. Your company > suffered a breach, therefore the measures that you took obviously were not > "reasonable" to prevent such an incident. While it may be impossible to > draft legislation that keeps pace with the breakneck speed of advancements > in technology, and negligent businesses should be held accountable, there > is > still vast room for improvement in the specific guidance issued and > possible > safe harbor provisions for companies that do actively attempt to secure > the > data of its customers and employees. But that is a separate topic > altogether. > > Respectfully, > > Michael Barnett, CITRMS > CEO > The Institute of Fraud Risk Management, Inc. > www.TIFRM.Net > www.TIFRM.coursehost.com > > The Institute of Fraud Risk Management, Inc. 
> 955 South Virginia Street; Suite #116 > Reno, Nevada 89502 > "Knowledge is the Best Defense Against Fraud" > > > > -----Original Message----- > From: dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] > On Behalf Of lyger > Sent: Wednesday, June 11, 2008 1:32 AM > To: dataloss at attrition.org > Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents > > > http://attrition.org/security/rant/dl-compensation.html > > Wed Jun 11 03:38:35 EDT 2008 > Apacid, Jericho > > If you have been the victim of a data loss incident, odds are you have > received a letter from the careless organization that lost your > information. These letters always offer apologies and sincere hope that > your identity or personal information isn't abused. The recent BNY Mellon > incident (which now stands at 4.5 million potential customers affected) > resulted in customers receiving such a letter: > > [.] > > Notice that in return for having your personal information lost, they are > offering free credit monitoring for 12 whole months! This seemingly > generous offer has apparently become the standard business practice for > acceptable compensation when your personal information is treated with > carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" > credit monitoring product (despite no mention of that 'product' on the > consumerinfo.com web page), which watches for changes to your credit > reports from the three national credit reporting agencies in the United > States (Experian, Equifax, TransUnion). If you are unlucky and get caught > up in multiple data loss incidents, you may receive this "gracious > compensation" many times over. > > First, why is this type of reactive credit monitoring acceptable > compensation? This seems to be another case of one business following > another and... 
voila, we have an industry 'standard' that does little to > serve the customer but does everything to serve businesses that want to > look caring and "customer-centric" in the media. > > [...] > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > > Tenable Network Security offers data leakage and compliance monitoring > solutions for large and small networks. Scan your network and monitor your > traffic to find the data needing protection before it leaks out! > http://www.tenablesecurity.com/products/compliance.shtml > > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > > Tenable Network Security offers data leakage and compliance monitoring > solutions for large and small networks. Scan your network and monitor your > traffic to find the data needing protection before it leaks out! > http://www.tenablesecurity.com/products/compliance.shtml > _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml From nellwal at yahoo.com Thu Jun 12 01:14:30 2008 From: nellwal at yahoo.com (Nell Walton) Date: Wed, 11 Jun 2008 21:14:30 -0400 Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents In-Reply-To: References: Message-ID: <003901c8cc29$ad0090c0$6400a8c0@NellOffice> Fines and other penalties by the federal and state governments. There is no 100% safe way to protect data, we all know this, but some companies lag on providing even the basics - and they should have to pay the price. 
As it is now the FTC doesn't do much as far as regulation goes - time for
some official body to step up to the plate and start making these companies
accountable outside of long running class action suits that just further
bog down a court system that is already bogged down. The only people that
are making any money out of these class action suits are the LAWYERS on
both sides and they are making out like bandits. It's not in their interest
to try to solve the ROOT of the problem. Herein lies the rub.

_____

From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of David Metcalf
Sent: Wednesday, June 11, 2008 4:58 PM
To: MKEVHILL at aol.com; lyger at attrition.org; dataloss at attrition.org
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents

I agree, but it is difficult to specify a concrete alternative that a court
could order these companies to provide. The TJX settlement called for
credit monitoring, not because it was perfect, but rather because the
lawyers and plaintiffs' experts could not think of a better alternative
that the court might actually award. Defense lawyers now tell their clients
that, based on this precedent, credit monitoring is all they are liable to
provide. If a better response could be developed and approved by a court in
making a class action award, that would become the new "industry standard."

Any ideas? Should credit monitoring be the standard for incidents like
Hannaford (involving Track 2 data), but require a higher level of
protection for incidents like BNY Mellon or U of U where social security
numbers, medical records or highly personal information is disclosed?

_____

From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of MKEVHILL at aol.com
Sent: Wednesday, June 11, 2008 9:02 AM
To: lyger at attrition.org; dataloss at attrition.org
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents

Credit monitoring is the cheapest reactive measure, plain and simple. And
without a doubt, it's a false sense of security these "careless
organizations" are giving the affected individuals.

Mike

Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751

In a message dated 6/11/2008 3:33:05 A.M. Eastern Daylight Time,
lyger at attrition.org writes:

http://attrition.org/security/rant/dl-compensation.html

Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have
received a letter from the careless organization that lost your
information. [...]

From hbrown at knology.net Thu Jun 12 13:32:20 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 12 Jun 2008 08:32:20 -0500
Subject: [Dataloss] Columbia University (NY) has posted SSNs on line for 16 months
Message-ID: <48512564.5000608@knology.net>

From the NY Sun
http://tinyurl.com/5fnfxq

Columbia Students Outraged By Online Privacy Breach
By ANNA PHILLIPS, Special to the Sun
June 12, 2008

Angry Columbia University students are demanding an investigation after it
was discovered yesterday that 5,000 of their Social Security numbers had
been searchable online for the last 16 months.

Students received an e-mail message on Tuesday night from the vice
president of student auxiliary and business services, Scott Wright,
explaining that in February 2007, a student employee had posted a database
of students' housing information, including this reporter's, on a
Google-hosted Web site.

"No financial data was included in the file in question, and we have no
evidence of wrongdoing or identity theft," Mr. Wright said in the e-mail
message. "We are very sorry for this occurrence."
Columbia would not identify the student, saying only that the person had
worked in the university's housing office.

Administrators said they learned about the security breach June 3 when an
alumna contacted the housing office. Google removed the Web site upon
request.

As a result of the security breach, Columbia is offering students a free
two-year subscription to a credit monitoring service.

Yesterday, students informed the school that the information of about 200
students was still searchable.

A Columbia spokesman, Robert Hornsby, said Google had removed the file as
of yesterday evening.

Several students yesterday created an online petition and posted it to the
main campus Web log, demanding that the university investigate the former
employee and issue a report explaining how security will be increased.

A similar leak occurred in April 2007, when the university noticed that
three databases containing students' addresses and Social Security numbers
were online.

From Troy.Casey at McKesson.com Thu Jun 12 15:33:32 2008
From: Troy.Casey at McKesson.com (Casey, Troy # Atlanta)
Date: Thu, 12 Jun 2008 11:33:32 -0400
Subject: [Dataloss] Columbia University (NY) has posted SSNs on line for 16months
In-Reply-To: <48512564.5000608@knology.net>

"we have no evidence of wrongdoing"

Apparently Columbia University does not consider an employee posting its
students' social security numbers on the Internet to constitute
"wrongdoing." Pretty lax practices by the University, considering this same
thing basically happened just 14 months before this incident!

At least the victims are afforded a heaping helping of the useless credit
monitoring service. The University spokespeople seem to acknowledge no
culpability on the University's part.

We need some new legislation in this area. Desperately.

And that's saying a lot coming from a libertarian like myself!

Troy D. Casey

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Henry Brown
Sent: Thursday, June 12, 2008 9:32 AM
To: dataloss at attrition.org
Subject: [Dataloss] Columbia University (NY) has posted SSNs on line for 16months

From the NY Sun
http://tinyurl.com/5fnfxq

Columbia Students Outraged By Online Privacy Breach
By ANNA PHILLIPS, Special to the Sun
June 12, 2008

[...]

From hbrown at knology.net Thu Jun 12 16:04:06 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 12 Jun 2008 11:04:06 -0500
Subject: [Dataloss] Data breach notification survey
Message-ID: <485148F6.8040008@knology.net>

From clearswift.com press release
http://www.clearswift.com/news/item.aspx?ID=1465

[...]

Results highlights:

78% of IT decision-makers don't believe the general public should be
informed if a data breach occurs;
54% of U.S. IT decision-makers are unaware of data breach disclosure laws;
53% are in favor of legislation that would force companies to publicly
declare a data breach if it occurred;
38% are in favour of legislation that would make negligent loss of personal
information a criminal offence;
19% of companies have suffered a data loss in the last 12-18 months; 50%
more than once;
38% of IT managers have seen their annual IT spend increased by as much as
10% since data breach notification legislation was introduced.

[...]

While respondents felt the general public did not need to know (78%), they
did indicate that affected customers and partners should be informed (95%)
while less than half of them felt that industry regulators (42%) or even
the police (35%) should be notified.

[...]

All the above figures, unless otherwise stated, are from Clearswift. Total
sample size was 3 340 US IT decision makers. Fieldwork was undertaken
between March 10 and April 10, 2008.
The survey was completed online.

[...]

From ewhite at avrenter.com Thu Jun 12 16:15:30 2008
From: ewhite at avrenter.com (Edward White)
Date: Thu, 12 Jun 2008 12:15:30 -0400
Subject: [Dataloss] Data breach notification survey
References: <485148F6.8040008@knology.net>
Message-ID: <361C9E2A6FE55842BA9A883952C3DC8C700627@mail1.avrenter.com>

Here is a novel idea:

1) Companies should not be able to buy and sell personal information.

2) Companies, mainly retailers, should not be able to keep information
swiped via a credit card or any other card past the time of payment.

3) If companies are required to keep any personal data for any reason and
for any amount of time, they should be required to protect the data with
encryption.

If the companies violate any of these points the CEO, CFO and CIO should
have to go to jail for 90 days. There should be a time period of 6 months
to complete the protection. After the first set of executives goes to jail
for 90 days most of the companies will be compliant very quickly. If you do
not have the data, you cannot lose it; if you protect the data it can't be
used. This should knock out most of the problems and guess what, the
companies will not have the liability issue :)

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Henry Brown
Sent: Thursday, June 12, 2008 12:04 PM
To: dataloss at attrition.org
Subject: [Dataloss] Data breach notification survey

From clearswift.com press release
http://www.clearswift.com/news/item.aspx?ID=1465

[...]

From macwheel99 at wowway.com Thu Jun 12 15:57:37 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Thu, 12 Jun 2008 10:57:37 -0500
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents
In-Reply-To: <002e01c8cc25$0da96280$0300a8c0@stonecreekfunding.com>
References: <002e01c8cc25$0da96280$0300a8c0@stonecreekfunding.com>
Message-ID: <6.2.1.2.1.20080612104651.027a3760@pop3.mail.wowway.com>

Keep thinking ... hopefully your great ideas will help "bridge" us to
better ones.

A problem here is that for many id theft victims, there is no clear link to
which breach led to them becoming a victim. Many of us have had multiple
alerts that one place or another breached our private information. Prior
threads have shown that there may be many breaches going on that are not
getting reported.

If there is to be serious help for id victims, I believe it could be funded
out of some insurance fund that is populated by outfits with known
breaches, so that all victims get consistent assistance, probably
inadequate.

I personally have id theft insurance from Allstate. The deal is that
Allstate has a private detective firm on retainer, on behalf of their
policy holders, that will perform a service very similar to what you
describe, in the event I join the ranks of an id theft victim. This is a
rider on my personal property insurance policy. I am also taking personal
life style choices to try to reduce the risk of me having to cash in that
policy.

Derek Rigsby wrote:
>I am certainly biased and for that reason usually keep my comments to
>myself. In this case I am compelled to speak up. I could not agree more
>that credit monitoring is not a solution for victims of a breach event. I
>also believe a victim of a breach event cannot "prevent" the fraudulent use
>of one's identity. However, victims can have all aspects of their identity
>(except medical records protected by HIPAA) restored to 100% of their
>pre-theft status. I am not talking about a do it yourself manual. Victims
>should be assigned a dedicated recovery advocate armed with a limited power
>of attorney. This POA gives an advocate the authority to do the recovery
>work on behalf of the victim. At the same time the information gleaned from
>the recovery process can be shared with authorities in an effort to help
>prosecute the criminals that committed the identity theft.
>
>At some point a victim will learn that their identity has been used
>fraudulently regardless of whether or not they have credit monitoring.
>After the victim suspects fraudulent activity they should be required to
>file a police report. That report will cut down on victims trying to get
>their legitimate big screen TV purchase written off as id theft since filing
>a false report is a crime. Then the company that experienced the breach
>should pay for a fully managed recovery and warranty the restoration for 3
>years. The cost of doing this would be less than that of blanket credit
>monitoring programs and the victim is better off in the long run.
>
>Again I am not trying to use this rant to sell product. I just believe it
>is an actual solution to post mortem breach responses. It best serves the
>victim, offers a lower price to the company breached (we will all pay higher
>prices to cover these costs in the end) and it helps our overstretched law
>enforcement deal with the overwhelming surge in identity theft.
>
>Derek Rigsby
>720.278.0756
>Derek.Rigsby at idcure.com

Al Macintyre
Computer Professional

From tglassey at earthlink.net Thu Jun 12 16:59:32 2008
From: tglassey at earthlink.net (TSG)
Date: Thu, 12 Jun 2008 09:59:32 -0700
Subject: [Dataloss] Columbia University (NY) has posted SSNs on line for16months
Message-ID: <009f01c8ccad$b13ecab0$0200a8c0@tsg1>

Not that I am a lawyer (because I am not) but there is an easy answer...
The way to deal with this is to use the Qui Tam statute and sue the
university under the False Claims Act based on their filings with the
Department of Health and Welfare and their filings with the State and
Federal Departments of Education which fund much of the school's internal
actions. The security issue is a derivative error for fraudulently claiming
that they properly met all of the operating requirements for a school. And
clearly they haven't...

They (the school) are required through those filings to obey any and all
laws relevant to their operations, so it (this breach) is a simple CFAA
negligence claim. Then all of the student body become a class and all that
needs to be documented is the failing to ask for a summary judgment.

See, the Federal Laws, especially the Computer Fraud and Abuse Act and the
Stored Communications Act, have amazing latitude here.

Todd Glassey (as a civilian).

----- Original Message -----
From: "Casey, Troy # Atlanta"
Sent: Thursday, June 12, 2008 8:33 AM
Subject: Re: [Dataloss] Columbia University (NY) has posted SSNs on line for16months

> "we have no evidence of wrongdoing"
>
> Apparently Columbia University does not consider an employee posting its
> students' social security numbers on the Internet to constitute
> "wrongdoing." Pretty lax practices by the University, considering this
> same thing basically happened just 14 months before this incident!
>
> At least the victims are afforded a heaping helping of the useless
> credit monitoring service. The University spokespeople seem to
> acknowledge no culpability on the University's part.
>
> We need some new legislation in this area. Desperately.
>
> And that's saying a lot coming from a libertarian like myself!
>
> Troy D. Casey
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org] On Behalf Of Henry Brown
> Sent: Thursday, June 12, 2008 9:32 AM
> To: dataloss at attrition.org
> Subject: [Dataloss] Columbia University (NY) has posted SSNs on line for
> 16months
>
> From the NY Sun http://tinyurl.com/5fnfxq Columbia Students Outraged By
> Online Privacy Breach By ANNA PHILLIPS, Special to the Sun June 12, 2008
>
> [...]

From tglassey at earthlink.net Thu Jun 12 16:52:17 2008
From: tglassey at earthlink.net (TSG)
Date: Thu, 12 Jun 2008 09:52:17 -0700
Subject: [Dataloss] Data breach notification survey
References: <485148F6.8040008@knology.net> <361C9E2A6FE55842BA9A883952C3DC8C700627@mail1.avrenter.com>
Message-ID: <009e01c8ccad$b0f9ab60$0200a8c0@tsg1>

I agree... but the government and congress will never do this. The only
way to make it work is sue over copyright issues to the information itself.
Creating a virtual trademark per se, that is composed of the personal
information, might work for this.
Todd Glassey ----- Original Message ----- From: "Edward White" To: "Henry Brown" Cc: Sent: Thursday, June 12, 2008 9:15 AM Subject: Re: [Dataloss] Data breach notification survey > Here is a novel idea: > 1) Companies should not be able to buy and sell personal information. > > 2) Companies, mainly retailers, should not be able to keep information > swiped via a credit card or any other card past the time of payment > > 3) If Companies are required to keep any personal data for any reason > and for any amount of time; they should be required to protect the data > with encryption > > If the companies violate any of these points the CEO, CFO and CIO should > have to go to jail for 90 days. There should be a time period of 6 > months to complete the protection. After the first set of executives > goes to jail for 90 days most of the companies will be compliant very > quickly. If you do not have the data, you can not lose it; if you > protect the data it can't be used. This should knock out most of the > problems and guess what the companies will not have the liability issue > :) > > -----Original Message----- > From: dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] On Behalf Of Henry Brown > Sent: Thursday, June 12, 2008 12:04 PM > To: dataloss at attrition.org > Subject: [Dataloss] Data breach notification survey > > From clearswift.com press release > http://www.clearswift.com/news/item.aspx?ID=1465 > > [...] > Results highlights: > > 78% of IT decision-makers don't believe the general public should be > informed if a data breach occurs; > 54% of U.S. 
IT decision-makers are unaware of data breach disclosure > laws; > 53% are in favor of legislation that would force companies to publicly > declare a data breach if it occurred; 38% are in favour of legislation > that would make negligent loss of personal information a criminal > offence; > 19% of companies have suffered a data loss in the last 12-18 months; 50% > > more than once; > 38% of IT managers have seen their annual IT spends increased by as much > > as 10% since data breach notification legislation were introduced. > > [...] > > While respondents felt the general public did not need to know (78%), > they did indicate that affected customers and partners should be > informed (95%) while less than half of them felt that industry > regulators (42%) or even the police (35%) should be notified. > > [...] > > All the above figures, unless otherwise stated are from Clearswift. > Total sample size was 3 340 US IT decision makers. Fieldwork was > undertaken between March 10 and April 10, 2008. The survey was completed > > online. > > [...] > > > > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > > Tenable Network Security offers data leakage and compliance monitoring > solutions for large and small networks. Scan your network and monitor > your > traffic to find the data needing protection before it leaks out! > http://www.tenablesecurity.com/products/compliance.shtml > > > __________ Information from ESET NOD32 Antivirus, version of virus > signature database 3181 (20080612) __________ > > The message was checked by ESET NOD32 Antivirus. > > http://www.eset.com > > > > __________ Information from ESET NOD32 Antivirus, version of virus > signature database 3181 (20080612) __________ > > The message was checked by ESET NOD32 Antivirus. 
From arshad.noor at strongauth.com Thu Jun 12 17:50:55 2008 From: arshad.noor at strongauth.com (Arshad Noor) Date: Thu, 12 Jun 2008 10:50:55 -0700 Subject: [Dataloss] [Fwd: Bank Technology News Intelligencer: Verizon Says 9 Out of 10 Breaches Preventable] Message-ID: <485161FF.6030409@strongauth.com> What does this say for the "reasonable practice" argument (attributed to Carroll Towing) that I hear so often on this list? Does this report indicate that breached companies should be held liable for not doing enough? Arshad Noor StrongAuth, Inc. Verizon's PR: http://newscenter.verizon.com/press-releases/verizon/2008/verizon-business-releases.html Full report is at: http://www.verizonbusiness.com/resources/security/databreachreport.pdf --- Quote --- Some of the findings may be contrary to widely held beliefs, such as that insiders are responsible for most breaches. Key findings include: * Most data breaches investigated were caused by external sources. Thirty-nine percent of breaches were attributed to business partners, a number that rose five-fold during the course of the period studied. * Most breaches resulted from a combination of events rather than a single action. Sixty-two percent of breaches were attributed to significant internal errors that either directly or indirectly contributed to a breach. For breaches that were deliberate, 59 percent were the result of hacking and intrusions. * Of those breaches caused by hacking, 39 percent were aimed at the application or software layer.
Attacks to the application, software and services layer were much more commonplace than operating system platform exploits, which made up 23 percent. Fewer than 25 percent of attacks took advantage of a known or unknown vulnerability. Significantly, 90 percent of known vulnerabilities exploited had patches available for at least six months prior to the breach. * Nine of 10 breaches involved some type of "unknown" including unknown systems, data, network connections and/or account user privileges. Additionally, 75 percent of breaches are discovered by a third party rather than the victimized organization and go undetected for a lengthy period. * In the modern organization, data is everywhere and keeping track of it is an extremely complex challenge. The fundamental principle, however, is quite simple - if you don't know where data is, you certainly can't protect it. --- End Quote --- -------- Original Message -------- Bank Technology News Intelligencer Verizon Says 9 Out of 10 Breaches Preventable Here's one the board of directors won't want to hear: nine out of 10 corporate data breaches could have been prevented; this according to a report by Verizon Business that looked into 500 forensic investigations. From hbrown at knology.net Thu Jun 12 21:50:05 2008 From: hbrown at knology.net (Henry Brown) Date: Thu, 12 Jun 2008 16:50:05 -0500 Subject: [Dataloss] Analysis of ID theft from the Victims Perspective Message-ID: <48519A0D.7040302@knology.net> ITRC's 5th Annual Aftermath Study Released: An Analysis of Identity Theft Through the Victim's Eyes From the Identity Theft Resource Center http://tinyurl.com/6k53yy San Diego, CA: The Identity Theft Resource Center (ITRC) released an important report today discussing the impact of identity theft victimization.
Since 2003, the Identity Theft Resource Center has conducted annual victimization surveys to study the impact of identity theft crimes on its victims. Now in its fifth year, the report allows us to analyze the data, draw some conclusions, map trends and identify areas for further research. While ITRC reports the data in terms of percentages, it is critical that we remember those numbers are people. These are people with lives that have been interrupted, altered, torn apart and/or changed. According to several sources, The Aftermath is the only study of its kind. This study reflects only the experiences of confirmed identity theft victims who worked with the ITRC, and is not a census or general population-based study. The questions asked ranged from the emotional impact this crime has had on their lives all the way through to their ability to recover their good name. It includes the financial loss to the business community in goods and services. The 37 Page Study: http://www.idtheftcenter.org/artman2/uploads/1/Aftermath_2007_20080529v2_2.pdf From tglassey at earthlink.net Thu Jun 12 23:30:08 2008 From: tglassey at earthlink.net (TSG) Date: Thu, 12 Jun 2008 16:30:08 -0700 Subject: [Dataloss] Fw: Data breach notification survey Message-ID: <00c201c8cce4$41b6fbe0$0200a8c0@tsg1> ----- Original Message ----- From: "TSG" To: "Edward White" Cc: Sent: Thursday, June 12, 2008 4:19 PM Subject: Re: [Dataloss] Data breach notification survey >I like this idea Edward - but I am going to put on my devil's advocate hat >here and push back. > > Don't get the wrong idea - I want to proceed with your suggestion but I > also want to point out some other things...
> > > Todd > > ----- Original Message ----- > From: "Edward White" > To: "TSG" > Cc: > Sent: Thursday, June 12, 2008 10:14 AM > Subject: RE: [Dataloss] Data breach notification survey > > > Todd and All who would like to make a difference, > Let's break the problem into its component parts > > 1) Personal Data held by companies > > TSG: Which is constrained by the different regulatory frameworks. > > 2) Personal data out in the open > > Let's put all of our ideas together to fix the problem with breaches of > personal data and craft a letter that will put our ideas into action. > > TSG: the key to all of this is that the industry is still reeling from its > SOX spankings. Those were the huge costs that it cost to become SOX > compliant. The problem is it wasn't SOX that was the culprit - it was the > sloppy and uncontrolled methods that people used to use to try and skate > around the sides of the requirements. The issue isn't SOX or any other > Federal Law other than the Rules of Evidence, which are where the rubber > meets the road. What people are pushing back against is the costs of > meeting the new Digital Evidence Competency costs, and my reaction to many > of them is that as an Auditor I will not sign off on their externals > without this in place. > > TSG: As a shareholder my response would be a little different - I may > litigate their gross negligence as well unless they come up with a strong > Evidence Capture and Anti-spoliation Position and Practice. > > I know the right senator's office to start with and then will get their > input for a final letter that I will hand deliver to every Senator's and > Congressman's office in Washington, DC > > It may take 6 months to a year + to get the ideas into Law. This is our > Country and the Senate and the Congress work for us. Let's fix the > issue. > > TSG: The issue is easily fixed through civil litigation under Qui Tam.
> Trust me - most civil attorneys don't see this one, but if you properly > analyze the US Law you will find that Qui Tam under the False Claims Act > is huge. For instance ALL of the ENRON Victims probably still have > recovery rights against the officers of ENRON itself. Likewise would any > of those shareholders of companies who were dinged in the back-dating > scandal as well... > > There are many smart people in this country and we need to rise to the > challenge. > > Thanks > Ed > From rchicker at etiolated.org Sat Jun 14 01:40:05 2008 From: rchicker at etiolated.org (rchick) Date: Fri, 13 Jun 2008 21:40:05 -0400 Subject: [Dataloss] TX: Hundreds of Insurance files found in Richardson dumpster Message-ID: June 13, 2008 http://www.wfaa.com/sharedcontent/dws/news/localnews/tv/stories/wfaa080613_lj_lopez.2c3f840a.html RICHARDSON - You expect when you give your private information to an insurance company, it will stay that way. But on Friday, hundreds of files with people's names, social security numbers and policy numbers were found in a Richardson dumpster - a gold mine for identity thieves. The files contain a lot of private information. The people who filled out the forms probably never expected them to end up where anyone could simply walk away with them. Mike McCarty was driving by a dumpster near his work in Richardson. He saw a man taking pictures of trash inside, so he stopped. "If you look through these far enough, you'll find most of the data that a thief would be looking for," McCarty said. "[The man] said he was looking for empty boxes because he was going to move but he found a bunch of these files." There were files with people's names, addresses, social security numbers and even pictures of their homes and cars. "Not something you would want to find in a dumpster," said McCarty. The files were dumped here by a company called Texas Insurance Claims Services which processes people's claims. [..]
From arshad.noor at strongauth.com Sat Jun 14 01:57:54 2008 From: arshad.noor at strongauth.com (Arshad Noor) Date: Fri, 13 Jun 2008 18:57:54 -0700 Subject: [Dataloss] TX: Hundreds of Insurance files found in Richardson dumpster In-Reply-To: References: Message-ID: <485325A2.70707@strongauth.com> Just another company taking another short cut.... The only thing that might make this worse for the victims is if the policies were for identity-theft protection! Arshad Noor StrongAuth, Inc. rchick wrote: > June 13, 2008 > http://www.wfaa.com/sharedcontent/dws/news/localnews/tv/stories/wfaa080613_lj_lopez.2c3f840a.html > > RICHARDSON - You expect when you give your private information to an > insurance company, it will stay that way. > > But on Friday, hundreds of files with people's names, social security > numbers and policy numbers were found in a Richardson dumpster - a > gold mine for identity thieves. > > The files contain a lot of private information. The people who filled > out the forms probably never expected them to end up where anyone > could simply walk away with them. > > Mike McCarty was driving by a dumpster near his work in Richardson. He > saw a man taking pictures of trash inside, so he stopped. > > "If you look through these far enough, you'll find most of the data > that a thief would be looking for," McCarty said. > > "[The man] said he was looking for empty boxes because he was going to > move but he found a bunch of these files." > > There were files with people's names, addresses, social security > numbers and even pictures of their homes and cars. > > "Not something you would want to find in a dumpster," said McCarty. > > The files were dumped here by a company called Texas Insurance Claims > Services which processes people's claims. > > [..] 
From hbrown at knology.net Sat Jun 14 12:38:43 2008 From: hbrown at knology.net (Henry Brown) Date: Sat, 14 Jun 2008 07:38:43 -0500 Subject: [Dataloss] Commentary on data breach laws Message-ID: <4853BBD3.7050602@knology.net> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9096538 Opinion: Breach laws fail to protect anyone By Bart Lazar The database security laws passed by 39 states cause businesses substantial expense. Although the goal of these laws is to prevent identity theft, there is no credible evidence that demonstrates that the supposed benefit to consumers outweighs the administrative burden and expense caused to companies. Because the alleged benefits are illusory, a company's time and resources would be better spent on proactive efforts to prevent data breaches. With security breaches at major companies frequently in the news, legislators feel pressured to pass laws to protect consumers. No politician wants to be viewed as being soft on identity theft. However, legislatures have not passed proactive laws that would prevent theft, but reactive ones that impose substantial burdens on companies. [...] Ultimately, the privacy and security interests of our citizens may be better served if the money spent on reacting to security breaches as part of a legislated incident response instead was invested on a proactive basis into security infrastructure and training. From lyger at attrition.org Sun Jun 15 04:56:31 2008 From: lyger at attrition.org (lyger) Date: Sun, 15 Jun 2008 04:56:31 +0000 (UTC) Subject: [Dataloss] (update): UT: Lawsuit filed over stolen medical records Message-ID: http://deseretnews.com/article/1,5143,700234576,00.html A proposed class-action lawsuit has been filed over the stolen billing records of 2.2 million University of Utah Hospital and Clinics patients. U. patient Patrick M. Beamish claims a courier for Perpetual Storage Inc. 
acted negligently in transporting the records, resulting in their theft and putting millions of people at "significant risk" of identity theft, according to a lawsuit filed Wednesday. The complaint seeks class-action status, which would need approval by a judge. "Our main interest is making sure everyone is protected," said Karra J. Porter, of the Salt Lake firm Christensen & Jensen. "This isn't a money maker for us. Protection is the key concern." [...] From hbrown at knology.net Sun Jun 15 19:22:33 2008 From: hbrown at knology.net (Henry Brown) Date: Sun, 15 Jun 2008 14:22:33 -0500 Subject: [Dataloss] stolen laptop in Irving Tx in March Message-ID: <48556BF9.8000102@knology.net> from a copy of the "required" letter sent to the New Hampshire Attorney General... http://doj.nh.gov/consumer/pdf/r_e_moulton.pdf Date May 23 [...] R.E. Moulton is a leader in the medical stop-loss insurance industry and the stop-loss insurance products administered by it are available nation-wide. We are writing to inform you of an incident involving the possible disclosure of personal information. Specifically, on or around March 7, 2008, thieves broke into our Irving, Texas regional office and stole a laptop computer containing personally identifiable information of numerous individuals, including names in combination with social security numbers. A police report was filed and the police are actively investigating this crime. Personal information was on the stolen laptop because R.E. Moulton receives requests to provide quotes for stop-loss insurance coverage. Approximately 19,000 individuals were affected, although there may be duplicates on our master list; this means that the list of affected individuals may be smaller.
At this time, we are unable to determine the number of New Hampshire residents, if any, who will be notified of this incident because the information maintained on the laptop did not include addresses, but we will provide a list at a later date if we find that New Hampshire residents were affected. Letters will be sent to these individuals as soon as we receive their addresses from their employers or the third parties who arranged for the insurance quotes. Those employers and third parties were notified of this incident during the week of May 5, 2008 and are currently collecting the needed addresses. Depending on the length of time needed to collect addresses, we hope to start sending letters to the affected individuals in June. Please know that we have taken this incident very seriously. While we do not anticipate that any of the information will be used for unauthorized or malicious purposes, to help those whose information was involved, we have engaged [...] From hbrown at knology.net Sun Jun 15 21:01:52 2008 From: hbrown at knology.net (Henry Brown) Date: Sun, 15 Jun 2008 16:01:52 -0500 Subject: [Dataloss] CT SSN's posted on the internet Message-ID: <48558340.8080707@knology.net> http://www.hartfordbusiness.com/news5756.html SSNs Posted On State Web Sites State auditors found DAS violated state law in not protecting personal information By Diane Weaver Dunne Hartford Business Journal Staff Writer 06/16/08 For more than three years, the state Department of Administrative Services posted the Social Security numbers of individual contractors on a state Web site in violation of state law, exposing the state to lawsuits and monetary loss, according to a recently released state audit. The audit also uncovered that the Social Security numbers of prospective nursing employees were accessible on an agency Web site for 19 months until a complaint was lodged. State Auditor Robert G.
Jaekle said that when personal information, such as Social Security numbers, falls into the wrong hands, it exposes people to the risk of identity theft. "Social Security numbers - personal identifying information - was not appropriately protected," said Jaekle, adding that the individuals affected were notified by the agency and access to the information had been removed from the Web. [...] From hbrown at knology.net Wed Jun 18 10:49:42 2008 From: hbrown at knology.net (Henry Brown) Date: Wed, 18 Jun 2008 05:49:42 -0500 Subject: [Dataloss] Privacy data blowing in the wind in Tucson AZ Message-ID: <4858E846.2080800@knology.net> From KVOA.com Tucson AZ http://tinyurl.com/597zs9 Hundreds of receipts reveal the risk of identity theft The Investigators found credit card numbers blowing in the wind for anyone to see. These piles and papers strewn across the alley contain hundreds of old receipts from Domino's Pizza stores. When we got a call about this, we went down to University Avenue and Euclid and saw these receipts were three, four, and even five years old. We contacted the former owner of 24 Domino's Pizza stores in Tucson. She won't talk with us on-camera, but told us she'd been discarding boxes of old records near her home and somehow all those receipts got loose. [...] The Investigators contacted the Federal Trade Commission in Washington and they say thieves could potentially use discarded credit card numbers even if the card has expired. The numbers on the card in many cases are still the same. [...] In this case, the Investigators contacted Tucson Police and several officers came to collect the records we found and have them destroyed.
From hbrown at knology.net Wed Jun 18 10:55:08 2008 From: hbrown at knology.net (Henry Brown) Date: Wed, 18 Jun 2008 05:55:08 -0500 Subject: [Dataloss] Fringe: Free credit monitoring for the masses Message-ID: <4858E98C.5090307@knology.net> http://www.orlandosentinel.com/business/orl-credit1708jun17,0,7568776.story Company offers to monitor credit record for free Richard Burnett | Sentinel Staff Writer June 17, 2008 In an unprecedented legal deal, one of the nation's major credit reporting companies has agreed to offer free credit monitoring service to potentially hundreds of millions of U.S. consumers. TransUnion LLC launched the offer Monday as part of settling a 10-year-old class-action lawsuit that accused the company of improperly selling targeted consumer-data lists to other companies for unsolicited marketing activity. The company also agreed to pay $75 million into a settlement fund. It is the largest consumer-related class action settlement on record in the U.S., experts say. [...] From lyger at attrition.org Wed Jun 18 13:50:49 2008 From: lyger at attrition.org (lyger) Date: Wed, 18 Jun 2008 13:50:49 +0000 (UTC) Subject: [Dataloss] UK: Patients' records on stolen laptop Message-ID: http://ukpress.google.com/article/ALeqM5g8iNPMcsfjtLDvAlPdRONHQBsB1Q A laptop containing confidential information about 11,000 patients has been stolen from a GP's home. Contrary to Department of Health guidelines, the information was not encrypted, which would have made it unreadable without a special code to unscramble it. The laptop was among items stolen in a recent burglary at the home of the unnamed doctor, who works at the Castlecroft Medical Practice in Wolverhampton. The information on the computer, which belongs to the practice, included patients' names, dates of birth, addresses, contact details and confidential medical records. The practice has written to all of its 11,000 patients to inform them that information about them was on the stolen computer. [...] 
From jericho at attrition.org Wed Jun 18 17:24:24 2008 From: jericho at attrition.org (security curmudgeon) Date: Wed, 18 Jun 2008 17:24:24 +0000 (UTC) Subject: [Dataloss] follow-up: Manitobans in class-action suit over missing laptop Message-ID: ---------- Forwarded message ---------- From: InfoSec News http://www.winnipegfreepress.com/breakingnews/story/4187602p-4777954c.html By Lindsey Wiebe Winnipeg Free Press June 17, 2008 Dozens of Manitobans have joined a class-action lawsuit over a stolen laptop that contained private information from 32,000 Canadian farmers, according to a Saskatchewan law office. The statement of claim was filed Monday morning in the Saskatchewan Court of Queen's Bench. It accuses federal Agriculture and Agri-Food Minister Gerry Ritz and the Carman-based Canadian Canola Growers Association of showing "reckless disregard" in the storage of unencrypted personal data on the laptop, stolen in March. Although only two plaintiffs are named, roughly 100 people are involved, said Tony Merchant of the Merchant Law Group, which filed the statement. He said roughly one-third of those involved are from Manitoba. Farmers named include Manitoban Darryl Oliver, who lives on a farm in the Rural Municipality of Archie. Oliver was "shocked and emotionally dismayed to learn that his confidential information was in the hands of a thief," according to the statement of claim, and especially surprised his data was still being stored, considering he quit farming actively in 2005. The statement goes on to say the plaintiffs suffered "severe and significant emotional distress and trauma, and economic loss or damage." [...] From mhill at idtexperts.com Wed Jun 18 18:47:19 2008 From: mhill at idtexperts.com (Michael Hill, CITRMS) Date: Wed, 18 Jun 2008 14:47:19 -0400 Subject: [Dataloss] Data Breach and Identity Theft Conference Message-ID: <8B6A5AF93B014771B5BFEDA9BA64C022@mkevhillpc> I thought the board might find this interesting. Is anyone attending? 
A huge conference is being held next week in D.C. on Data Breaches and Identity Theft (http://www.americanconference.com/finance/databreaches.htm) where high ranking federal regulators and enforcement officials will be educating businesses about taking the necessary steps to identify, prevent, and mitigate occurrences of identity theft. The senior regulators will discuss the latest regulatory developments and enforcement priorities, i.e., "The Red Flags Rule". I found the Conference Overview to be very interesting in addition to the speakers. In 2007, statistics show that the average total cost of a data breach for a company was $6.3 million. Moreover, the average total cost for lost or exposed data grew to $239 per compromised record, and the costs for public relations and communications following an incident have gone up 3% in the last year. Experts warn that the amount of lost revenue a company experiences in the wake of a data breach will only continue to grow, especially as 60% of surveyed customers indicate that they would consider leaving a company following a data breach. And to add insult to injury, experts predict that the high profile data breaches like that of TJX and other large scale losses reported last year are only the tip of the iceberg compared to what will be seen in the future, as cyber-criminals get more sophisticated and gain more economic incentives for stealing consumer information. Thanks, Mike Michael Hill Certified Identity Theft Risk Management Specialist www.idtheft101.net 404-216-3751 "If You Think You're Not At Risk, Think Again!"
From hbrown at knology.net Thu Jun 19 19:12:04 2008 From: hbrown at knology.net (Henry Brown) Date: Thu, 19 Jun 2008 14:12:04 -0500 Subject: [Dataloss] Citibank debit card server "hacked" Message-ID: <485AAF84.6010003@knology.net> http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors. The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank's systems, experts say. "We've never heard of PINs coming out of the bank environment," says Dan Clements, CEO of the fraud watchdog company CardCops, who monitors crime forums for stolen information. Credit card and ATM PIN numbers show up often enough in underground trading, but they're invariably linked to social engineering tricks like phishing attacks, "shoulder surfing" and fake PIN pads affixed to gas station pay-at-the-pump terminals. But if federal prosecutors are correct, the Citibank intrusion is an indication that even savvy consumers who guard their ATM cards and PIN codes can fall prey to the growing global cyber-crime trade. "That's really the gold, the debit cards and the PINs," says Clements. Citibank denied to Wired.com's Threat Level that its systems were hacked.
But the bank's representatives warned the FBI on February 1 that "a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached," according to a sworn affidavit (.pdf) by FBI cyber-crime agent Albert Murray. [...] From rchicker at etiolated.org Thu Jun 19 20:26:55 2008 From: rchicker at etiolated.org (rchick) Date: Thu, 19 Jun 2008 16:26:55 -0400 Subject: [Dataloss] TX: Convenience store accused of dumping receipts Message-ID: http://www.click2houston.com/news/16655991/detail.html HOUSTON -- A Houston-based convenience store chain has been accused of exposing its customers to identity theft, KPRC Local 2 reported Thursday. Texas Attorney General Greg Abbott said Petroleum Wholesale, which operated Sunmart Travel Centers and Convenience Stores in 10 states, improperly disposed of customer records containing information including Social Security numbers, bank account number and credit and debit card information. Investigators said that the company dumped hundreds of records in a publicly accessible trash container outside its former headquarters. Officials said the records included receipts with customers' names and full credit or debit card numbers, including expiration dates. The records also included returned checks and forms containing customers' names and bank routing, driver's license and Social Security numbers, investigators said. [..] Petroleum Wholesale was also charged with violating Chapter 35 of the Business and Commerce Code, which requires companies to develop retention and disposal procedures for confidential information. It could be fined up to $500 per abandoned record. [..] 
From hbrown at knology.net Thu Jun 19 20:39:38 2008 From: hbrown at knology.net (Henry Brown) Date: Thu, 19 Jun 2008 15:39:38 -0500 Subject: [Dataloss] Laptops missing from London England Hospital Message-ID: <485AC40A.5020104@knology.net> From the London Evening Standard http://tinyurl.com/5zbrfw Laptops holding tens of thousands of patients' records have been stolen from a hospital and a GP's home, it emerged yesterday. In the latest lost personal data scandal, the information was stored on the machines in contravention of NHS guidelines. It was revealed that details of 20,000 patients were on six laptops stolen earlier this month from filing cabinets at St George's Hospital, in Tooting, South West London. It is the fourth data breach the hospital has suffered in the past year. The data includes patients' names, postcodes, hospital numbers and dates of birth and can be accessed if passwords are cracked. Normally such information is stored on the hospital's central network, but because of technical problems it was being stored temporarily on the laptops. It was also admitted last night that the medical histories of 11,000 patients, along with their names, addresses and dates of birth, were on a laptop stolen from a GP's home in Wolverhampton. The information was not encrypted as it was supposed to be, and is only password protected. Following both thefts, the health trusts concerned have written to the patients affected and have informed police. But they insisted there was no reason to believe the computers were targeted for anything but their monetary value. [...] 
From hbrown at knology.net Fri Jun 20 11:14:19 2008 From: hbrown at knology.net (Henry Brown) Date: Fri, 20 Jun 2008 06:14:19 -0500 Subject: [Dataloss] Kansas sells computers with privacy information Message-ID: <485B910B.70600@knology.net> http://www.saljournal.com/rdnews/story/HNS-computer-audit-6-18-08 TOPEKA -- Lawmakers expressed alarm Wednesday over a legislative report showing that confidential information was left on outdated state computers being released for sale to the public. The Legislative Division of Post Audit found that several state agencies had failed to adequately remove sensitive data from some machines, including Social Security numbers and password files. The computers had been turned over to a government office that disposes of excess state property for Topeka-based agencies, but they hadn't been sold. However, the report stated the state's problems with handling surplus computers posed a significant risk for a costly and embarrassing breach of private data to the public or criminals. [...] Researchers found that seven of the 15 computers they looked at still contained information that's considered confidential under state or federal law. That includes thousands of Social Security numbers, names of Medicaid beneficiaries and personnel information about state employees. Password files and other network information that could be valuable to hackers were also on the machines. Another four computers contained sensitive agency files such as employee accident reports and architectural drawings of state office buildings. One even contained copyrighted music files. [...] 
From rchicker at etiolated.org Fri Jun 20 21:31:32 2008 From: rchicker at etiolated.org (rchick) Date: Fri, 20 Jun 2008 17:31:32 -0400 Subject: [Dataloss] UK: Virgin Media loses CD containing 3000 customer bank details Message-ID: http://www.finextra.com/fullstory.asp?id=18619 20 June 2008 Virgin Media - the entertainment and communications arm of Richard Branson's Virgin Group - has lost an unencrypted computer disc containing the bank account details of 3000 UK customers. Virgin Media discovered the CD - which also contained names and addresses of customers - was missing on 29 May. The breach affects customers that signed up to Virgin Media services in Carphone Warehouse stores from January this year. It is not known why the data was burned onto a CD - a move thought to be at odds with the firm's policy of using secure FTP transfers. [..] From lyger at attrition.org Mon Jun 23 21:46:49 2008 From: lyger at attrition.org (lyger) Date: Mon, 23 Jun 2008 21:46:49 +0000 (UTC) Subject: [Dataloss] FL: Data breach at Bay Area bank Message-ID: http://www.myfoxtampabay.com/myfox/pages/News/Detail?contentId=6830565&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1 Customers of one Bay Area bank should check their bank statements and apply for a new debit card after a data breach last week. Bank Atlantic confirms they had a data loss, involving their MasterCard debit cards. A spokesperson says it happened through a local merchant, but at this time, isn't saying which one. [...] 
From lyger at attrition.org Mon Jun 23 23:40:15 2008
From: lyger at attrition.org (lyger)
Date: Mon, 23 Jun 2008 23:40:15 +0000 (UTC)
Subject: [Dataloss] CNET Employees Notified After Data Breach
Message-ID:

http://www.pcworld.com/businesscenter/article/147460/cnet_employees_notified_after_data_breach.html

More than 6,500 CNET Networks employees and relatives are being notified of a possible data breach after burglars stole computer systems from the offices of the company that administers the Internet publisher's benefit plans.

CNET was one of several clients affected when burglars broke into the Walnut Creek, California, offices of Colt Express Outsourcing Services, stealing equipment "which contains the human resources data of several of their clients including CNET networks," CNET Senior Vice President of Human Resources Jose Martin said in a June letter notifying employees of the incident.

The computers contained names, birth dates, Social Security numbers and employment information of the beneficiaries of CNET's health insurance plans.

[...]

From lyger at attrition.org Tue Jun 24 11:45:07 2008
From: lyger at attrition.org (lyger)
Date: Tue, 24 Jun 2008 11:45:07 +0000 (UTC)
Subject: [Dataloss] MO: Former SEMO Employee Found with Data Files of Personal Information of Students
Message-ID:

http://www.kfvs12.com/Global/story.asp?S=8541051&nav=menu51_2_3_2

Hundreds of students received an identity theft warning following a security breach at Southeast Missouri State University. According to the school, a grand jury in Georgia indicted a former worker on three felony counts.

[.]

Dr. Holt thinks the 800 or so students were random targets.

"It isn't as though he picked a numerical portion of social security numbers or an alphabetic range, there's no logic to it," said Holt.

[...]
From lyger at attrition.org Tue Jun 24 17:05:46 2008
From: lyger at attrition.org (lyger)
Date: Tue, 24 Jun 2008 17:05:46 +0000 (UTC)
Subject: [Dataloss] CA: Security breach compromises 5,000 social security numbers at Consumer Affairs
Message-ID:

http://www.capitolweekly.net/article.php?_adctlid=v%7Cjq2q43wvsl855o%7Cx7o1tt8kp1c3g5&issueId=x79xdv8us2oeyp&xid=x7csom3a3og08k

The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich. The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.

"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.

[...]

From fukami at gmail.com Wed Jun 25 09:29:38 2008
From: fukami at gmail.com (fukami)
Date: Wed, 25 Jun 2008 11:29:38 +0200
Subject: [Dataloss] Germany accidentally reveals residential rolls on internet
Message-ID: <19EDDBA0-E8C1-44FD-8DF2-55A6E698A728@gmail.com>

http://www.monstersandcritics.com/tech/news/article_1412897.php

A slip-up in Germany led to residential rolls on half a million people becoming freely accessible on the internet, an investigative programme on German TV said Monday.

The rolls, which list names, dates of birth, marital status and religious affiliation, are normally protected by passwords.

HSH, the company which supplied the software and maintained the databases, admitted Monday that for three months, a non-secret password had applied to rolls kept by 15 local authorities. The password was in software documentation on the web.

After the error was discovered on Friday, new, secret passwords were adopted.
HSH denied a suggestion by the TV programme Report Muenchen that the privacy had been compromised in 200 towns over a period of years. It did not say how many people were listed on the rolls affected.

In Germany it is compulsory for the whole population to register on rolls of residents, which are for official use only.

HSH, which is based near Berlin and specializes in computerizing the rolls, said an error led to the publication on the internet between March 15 and June 20 of the standard password.

It said somebody had used the password to extract data on individuals at four of the local authorities.

From jericho at attrition.org Thu Jun 26 08:55:06 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 26 Jun 2008 08:55:06 +0000 (UTC)
Subject: [Dataloss] follow-up: Stakeouts, Lucky Breaks Snare Six More in Citibank ATM Heist
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://blog.wired.com/27bstroke6/2008/06/fbi-arrests-six.html

By Kevin Poulsen
Threat Level
Wired.com
June 24, 2008

Citibank officials monitoring their network for fraud on Thursday, May 8, noticed suspicious ATM transactions at 8:30 p.m., coming through the five cash machines in the vestibule of a Citibank branch at 65th Street and Madison Avenue in New York City's Upper East Side.

As luck would have it, a bank employee -- probably a corporate security official -- was already staking out the branch from across the street.

Three months had passed since Citibank notified the FBI that a hacker managed to steal customer-account numbers and PIN codes, in an attack on a server that processes transactions from Citi-branded ATMs at 7-Eleven convenience stores. In late February and early March, the FBI and the U.S. Secret Service arrested two Ukrainian immigrants and two alleged co-conspirators for allegedly using the stolen PINs to steal $2 million in cash from unsuspecting Citibank customers.

[..]
From jericho at attrition.org Thu Jun 26 08:54:25 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 26 Jun 2008 08:54:25 +0000 (UTC)
Subject: [Dataloss] Scottish Ambulance Service loses nearly 900,000 records
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.computing.co.uk/computing/news/2219911/scottish-ambulance-service

By Tom Young
Computing
24 Jun 2008

The Scottish Ambulance Service has lost data relating to almost a million emergency calls including the name and addresses of patients, in the latest public sector data loss scandal.

The disc went missing while courier TNT was transporting it to MIS Emergency Services, the company that supplies the IT system used in the ambulance service's three centres.

The disc - which was encrypted - contained a copy of records of 894,629 calls to the service's Paisley centre since February 2006, including the addresses of incidents, some phone numbers and some patient names.

"Given the security measures and the complex structure of the database it would be extremely difficult to gain access to any meaningful information," said a spokesman for the Scottish Ambulance Service.

[..]

From lyger at attrition.org Thu Jun 26 12:03:33 2008
From: lyger at attrition.org (lyger)
Date: Thu, 26 Jun 2008 12:03:33 +0000 (UTC)
Subject: [Dataloss] (update) UT: U. stolen record estimate is lowered
Message-ID:

http://www.sltrib.com/news/ci_9697249

A theft of billing records affected fewer University Hospital patients than originally thought, a spokesman said Wednesday, but a notification letter won't reach some whose personal information was stolen.

The letter will go out to about 1.5 million patients whose billing records, some with Social Security numbers, were stolen from a storage company employee's personal vehicle on June 3. Original estimates had put the number of people affected at 2.2 million.
Hospital officials lowered the estimate by eliminating dead patients and duplicate entries, University Hospital spokesman Christopher Nelson said. But an unknown number of the names were eliminated because there is no valid address for the records, some of which go back 16 years.

[...]

From rchicker at etiolated.org Fri Jun 27 01:15:45 2008
From: rchicker at etiolated.org (rchick)
Date: Thu, 26 Jun 2008 21:15:45 -0400
Subject: [Dataloss] Personal information of 826 state employees stolen
Message-ID:

June 26, 2008

http://www.kxan.com/Global/story.asp?S=8562199

AUSTIN, Texas (KXAN) -- The personal information of 826 state employees was stolen from a Wichita Falls home office.

A lockbox containing the information was taken from the home office of an employee of L-1 Identity Solutions, a private company contracted by the Department of Public Safety to do fingerprinting.

Notices are in the mail to inform the hundreds of victims that their names, home addresses, dates of birth, driver's license and Social Security numbers are in the hands of criminals.

About 100 of those people work for the State Board of Education, and this is happening less than a year after the Texas Legislature mandated that all education employees submit their fingerprints for criminal background checks.

The of 826 people now in the hands of criminals.

[..]

From lyger at attrition.org Fri Jun 27 22:55:53 2008
From: lyger at attrition.org (lyger)
Date: Fri, 27 Jun 2008 22:55:53 +0000 (UTC)
Subject: [Dataloss] Montgomery Ward didn't tell consumers about credit card hack
Message-ID:

http://www.wztv.com/template/inews_wire/wires.national/2c50aedd-www.fox17.com.shtml

The parent company of Montgomery Ward is admitting that it was hit with a credit card hack, but it didn't inform the customers affected.

At least 51,000 records were exposed in the breach at Direct Marketing Services. Company CEO David Milgrom says Citigroup detected the computer invasion in December.
Hackers had plundered the database that holds account information for all of Direct Marketing Services' retail properties by going through another site owned by the company.

[...]

From hbrown at knology.net Mon Jun 30 14:09:39 2008
From: hbrown at knology.net (Henry Brown)
Date: Mon, 30 Jun 2008 09:09:39 -0500
Subject: [Dataloss] US SSA data breach
Message-ID: <4868E923.8060500@knology.net>

http://www.fcw.com/online/news/152975-1.html

SSA lists thousands of live persons as dead

The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive, the agency's inspector general has determined.

The IG's analysis dates to January 2004. Since then, SSA has made the live people's Social Security number, full name, date of birth, and state and ZIP code of last known residence available to users of the database, the IG found.

After learning that those people were not deceased, SSA deleted the information, which limited its spread. However, that had no effect on the information previously made available to DMF subscribers. The IG's investigators found some instances where the personal information was available for free viewing on the Internet, according to a June 4 IG report.

SSA provides the data to the Commerce Department's National Technical Information Service (NTIS), which in turn sells it to customers. Customers include the government, investigative businesses, financial and credit reporting firms, and genealogy researchers. Some, including prominent genealogy Web sites, post some or all of the information online for their users.

[...]
The Social Security Administration IG report
http://www.ssa.gov/oig/ADOBEPDF/A-06-08-18042.pdf

From netsecurity at sound-by-design.com Mon Jun 30 15:24:28 2008
From: netsecurity at sound-by-design.com (Allen)
Date: Mon, 30 Jun 2008 08:24:28 -0700
Subject: [Dataloss] CEOs deserve jail for data breaches
In-Reply-To: <000801c89a3a$b41cb4e0$6542a8c0@Spot>
References: <000801c89a3a$b41cb4e0$6542a8c0@Spot>
Message-ID: <4868FAAC.5040705@sound-by-design.com>

Jeff wrote:
> Putting a CEO in jail for a data breach would be ridiculous unless the
> person were directly responsible for releasing the protected information.
> Jails are already overcrowded and this would not solve the problem.
> Generally, it's hard to find people more clueless about IT than a CEO!

Which is why it would be *very* useful to jail them as an example to the rest to get a clue.

In addition, the laws of agency dictate that the buck stops at the CEO and if he/she hires clueless people who create structures subject to data breach, then *they* are the ultimately responsible party.

In an arson for hire, not only do the arsonists get charged, but also the person who hired them. Should they (as the CEO of the enterprise) go free because they are not directly responsible? I think not.

Best,

Allen

(Sorry for the very delayed response - the original post got mis-filed.)

From mhill at idtexperts.com Mon Jun 30 19:07:01 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Mon, 30 Jun 2008 15:07:01 -0400
Subject: [Dataloss] US SSA data breach
In-Reply-To: <4868E923.8060500@knology.net>
References: <4868E923.8060500@knology.net>
Message-ID: <0EFDEEDDC2884707B02896C53B01AE81@mkevhillpc>

How many DMF subscribers have access to those 20,000?

How many subscribers to those DMF subscribers have access to those 20,000?

How many subscribers to those subscribers to those DMF subscribers have access to those 20,000?

So on and so on and so forth....
Mike

Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751

"If You Think You're Not At Risk, Think Again!"

NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email. This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination or distribution of this communication is prohibited. If you have received this communication in error, please notify the sender via return email and delete it completely from your email system. If you have printed a copy of the email, please destroy it immediately.

From chris at cwalsh.org Mon Jun 30 19:30:21 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Mon, 30 Jun 2008 14:30:21 -0500
Subject: [Dataloss] US SSA data breach
In-Reply-To: <4868E923.8060500@knology.net>
References: <4868E923.8060500@knology.net>
Message-ID:

IIRC, this DMF is used by various genealogy sites. In that sense, everyone has access to it. The DMF itself is made publicly available in its entirety.

See http://ssdi.rootsweb.ancestry.com/ as an example site.

cw

On Mon, Jun 30, 2008 at 9:09 AM, Henry Brown wrote:
> http://www.fcw.com/online/news/152975-1.html
>
> SSA lists thousands of live persons as dead
>
> The Social Security Administration inadvertently compromised the
> personal information of more than 20,000 people by listing them in the
> Death Master File (DMF) while they were still alive, the agency's
> inspector general has determined.
>
From hbrown at knology.net Mon Jun 30 19:37:05 2008
From: hbrown at knology.net (Henry Brown)
Date: Mon, 30 Jun 2008 14:37:05 -0500
Subject: [Dataloss] Montgomery Ward didn't tell consumers about credit card hack
In-Reply-To:
References:
Message-ID: <486935E1.3080701@knology.net>

Follow up with some interesting ADDITIONAL Details...

http://ap.google.com/article/ALeqM5hMgFbRpfc74PW0CvbF3kFbWFkHsAD91IJCHG2

[...]

Milgrom said Direct Marketing Services immediately informed its payment processor and Visa and MasterCard. Then, Milgrom said, Direct Marketing Services closely followed a set of guidelines, issued by Visa, on how to respond to a security breach. That included a report to the U.S. Secret Service. He said he believed by the end of December that Direct Marketing Services had met its obligations.

[...]

After being asked about those laws by The Associated Press, Milgrom said Direct Marketing Services now plans to contact consumers.

[...]

Along with the card numbers, their three-digit "security codes" and expiration dates, the thieves had the cardholders' names, addresses and phone numbers. The data had been organized in the same way, indicating the numbers likely came from the same database.

CardCops' president, Dan Clements, also noticed that the vast majority of the cardholders were women, a clue that the records came from a merchant catering to a certain demographic.

[...]

It is not clear to Clements, though, whether the hackers were inflating their claim when they offered 200,000 records or whether Milgrom's number of 51,000 is accurate.

[...]
Links to the 44 state notification laws:
http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

-------- Original Message --------
Subject: [Dataloss] Montgomery Ward didn't tell consumers about credit card hack
From: lyger
To: dataloss at attrition.org
Date: 6/27/2008 5:55 PM

> http://www.wztv.com/template/inews_wire/wires.national/2c50aedd-www.fox17.com.shtml