From hbrown at knology.net Sat Mar 1 22:23:28 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 01 Mar 2008 16:23:28 -0600
Subject: [Dataloss] HP leaks Japanese data
Message-ID: <47C9D760.9020007@knology.net>

http://search.japantimes.co.jp/mail/nb20080301n3.html

HP leaks personal data on Web site

Hewlett-Packard Co.'s Japanese unit said it may have leaked the personal data of 139,583 people in Japan.

The information included names, addresses and telephone numbers, the unit of the Palo Alto, Calif.-based computer and peripheral equipment maker said on its Japanese-language Web site Friday.

The information, from questionnaires and seminar application forms, was mistakenly posted on a Web page and publicly accessible from Feb. 13 to 20. The company said the information was accessed, but there have been no reports it was misused.

From lyger at attrition.org Tue Mar 4 01:22:14 2008
From: lyger at attrition.org (lyger)
Date: Tue, 4 Mar 2008 01:22:14 +0000 (UTC)
Subject: [Dataloss] Missing laptop, data could affect Q-C Oscar Mayer employees

http://www.qctimes.com/articles/2008/03/03/news/local/doc47cc7e171b8bd249394271.txt?sPos=2

A company-owned laptop computer was stolen from an employee of Kraft Foods traveling on company business. And now 20,000 employees nationwide have received letters telling them that their personal information was stored on the missing laptop and they could be vulnerable to some type of identity theft.

That group of 20,000 includes employees from Davenport's Kraft Oscar Mayer plant. It is unknown how many employees of the Davenport facility were affected. The plant employs about 1,700 people.

Kraft Foods spokeswoman Cathy Pernu said the theft took place in mid-January and involved an employee who was working on a systems project. "It had migrating information that was transferring from one computer to another."

[...]
From lyger at attrition.org Wed Mar 5 00:26:47 2008
From: lyger at attrition.org (lyger)
Date: Wed, 5 Mar 2008 00:26:47 +0000 (UTC)
Subject: [Dataloss] FTC Settles Breach Complaint With Student Lender

http://www.pcworld.com/article/id,143121-c,privacy/article.html

(I don't recall hearing about this one... anyone else?)

The U.S. Federal Trade Commission has settled a complaint against student lender Goal Financial after allegations that the company failed to safeguard personal data.

Goal Financial allowed two employees to access the personal information of about 7,000 customers and take the information to a competing firm between 2005 and 2006, and the company allowed an employee to sell a hard drive containing the unencrypted personal information of 34,000 customers sometime in 2006, the FTC said.

The company failed to protect personal information such as birth dates, Social Security numbers, and income and employment information, the FTC said in its complaint against Goal Financial.

[...]

From lyger at attrition.org Wed Mar 5 12:51:28 2008
From: lyger at attrition.org (lyger)
Date: Wed, 5 Mar 2008 12:51:28 +0000 (UTC)
Subject: [Dataloss] UK: Details on 200 children stolen

http://www.shropshirestar.com/2008/03/05/details-on-200-children-stolen/

A laptop with confidential information about more than 200 children - including their names, addresses, dates of birth and treatment - has been stolen from a Shropshire medical centre.

The thief walked into Madeley Health Centre, Telford, while a speech and language therapist was running a clinic, unplugged her laptop from an adjoining room and walked off with it.

Health chiefs quickly deactivated the laptop to ensure it could not be used to access general NHS data. But a memory stick plugged into the machine carried details on 238 children, giving their names, addresses, dates of birth and speech and language therapy treatment.

[...]
From lyger at attrition.org Wed Mar 5 23:29:57 2008
From: lyger at attrition.org (lyger)
Date: Wed, 5 Mar 2008 23:29:57 +0000 (UTC)
Subject: [Dataloss] Nevada Firm Loses Job Seeker's Data

http://www.chron.com/disp/story.mpl/ap/fn/5595764.html

A private firm working for the Nevada Department of Public Safety has lost personal information provided by 109 individuals seeking jobs with the agency.

Agency spokesman Dan Burns said the applicants are being notified that their personal data, including Social Security numbers, addresses and background check information, has been lost.

[...]

From hbrown at knology.net Thu Mar 6 01:08:34 2008
From: hbrown at knology.net (Henry Brown)
Date: Wed, 05 Mar 2008 19:08:34 -0600
Subject: [Dataloss] British Govt loses more than 1000 computer in 10 years
Message-ID: <47CF4412.7010504@knology.net>

http://www.tgdaily.com/content/view/36324/118/

British govt loses more than a 1000 laptops, March 5, 2008, 4:33PM

London (England) - In a report to the House of Commons, British ministries and departments said they've lost more than a thousand laptops over the last decade. 200 of those were lost in the last year alone.

The biggest offender was the Ministry of Defense which lost almost 50% of the total or 503 laptops. In addition to laptops, the MoD lost 23 PCs since 1998. Other agencies like the Department of Health, Ministry of Justice and HM Revenue and Commons lost sizable numbers of computers. The numbers in the report could have been much higher as the totals didn't include the Home or Foreign Offices.

The report comes on the heels of a high-profile case in January where the MoD lost a laptop containing 600,000 names of people who were interested in joining the armed forces.

The folks at the US Veterans Administration are probably wiping their foreheads now and saying, "Thank god! It's not just us!"
From lyger at attrition.org Thu Mar 6 12:37:14 2008
From: lyger at attrition.org (lyger)
Date: Thu, 6 Mar 2008 12:37:14 +0000 (UTC)
Subject: [Dataloss] OR: Hospital donor files compromised

http://www.bendbulletin.com/apps/pbcs.dll/article?AID=/20080306/NEWS0107/803060442/1006&nav_category=NEWS0107

A computer virus may have exposed to outside eyes the names, credit card numbers, dates of birth and home addresses of more than 11,500 individuals who donated to Cascade Healthcare Community, the parent company of St. Charles in Bend and Redmond.

The virus penetrated the computer system Dec. 11, and the hospital's information technology staff believed they had rebuffed it. But Feb. 5, they detected suspicious activity in the system and called in computer forensic experts to investigate. By Feb. 20, it became clear the information had been made vulnerable by the virus.

[...]

From chris at cwalsh.org Thu Mar 6 20:22:44 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Thu, 6 Mar 2008 14:22:44 -0600
Subject: [Dataloss] fringe: Researchers: Disk Encryption Not Secure
In-Reply-To: <995180C2-B9F8-4509-8571-73DCBB90227E@nosignal.net>
References: <530c940802220614x2ecce8a2ia6dca8c9dc952f5a@mail.gmail.com> <276A6F4116DF36418A24927C83CB897801109244@CHI4EVS03.corp.transunion.com> <995180C2-B9F8-4509-8571-73DCBB90227E@nosignal.net>
Message-ID: <20080306202244.GA29938@fripp.cwalsh.org>

A practical means of doing the key recovery described by Felten, et al., has been made available:

http://mcgrewsecurity.com/projects/msramdmp/

Pretty cool.
From lyger at attrition.org Sat Mar 8 19:34:51 2008
From: lyger at attrition.org (lyger)
Date: Sat, 8 Mar 2008 19:34:51 +0000 (UTC)
Subject: [Dataloss] Breach of MTV Computer Files

http://www.nytimes.com/2008/03/08/technology/08data.html?_r=1&ref=business&oref=slogin

Computer files with confidential data on about 5,000 employees at MTV Networks were breached by someone outside the company, the network told employees on Friday in a memo.

MTV later said in a statement that the security breach occurred after an Internet connection in an employee's computer was compromised.

[...]

The internal memo, from Catherine Houser, executive vice president for human resources at MTV Networks, said the personal information in the files included names, birth dates, Social Security numbers and compensation data.

[...]

From brownhenrya at gmail.com Mon Mar 10 11:44:05 2008
From: brownhenrya at gmail.com (Henry Brown)
Date: Mon, 10 Mar 2008 06:44:05 -0500
Subject: [Dataloss] Medicaid Computers stolen from Texas City Tx
Message-ID: <4f9b7e300803100444vf09cc68q9bce52ea3d311906@mail.gmail.com>

From the Galveston County Daily News
http://tinyurl.com/2owkkl

TEXAS CITY - Sensitive information that could be used to steal Medicaid clients' identity may have been stored on two computers stolen during a burglary, officials said Friday.

Texas City police were called to investigate an overnight burglary Wednesday morning at the Texas Department of Health and Human Services at 714 Loop 197 N.

[...]

Stephanie Goodman, a spokeswoman with Texas Health and Human Services, said the computers could have contained personal information only on e-mails. The e-mails, however, would normally contain only an individual's case number, she said. It is unlikely those e-mails would have listed Social Security numbers, she said.

"I can't say 100 percent that it wouldn't be on e-mails, but that would be the only way to have access to anything," Goodman said.
The state isn't likely to alert Medicaid clients about the incident, Goodman said.

[...]

From msimon2 at eclipsecurityllc.com Mon Mar 10 15:00:42 2008
From: msimon2 at eclipsecurityllc.com (Mark Simon)
Date: Mon, 10 Mar 2008 10:00:42 -0500
Subject: [Dataloss] Medicaid Computers stolen from Texas City Tx
In-Reply-To: <4f9b7e300803100444vf09cc68q9bce52ea3d311906@mail.gmail.com>
References: <4f9b7e300803100444vf09cc68q9bce52ea3d311906@mail.gmail.com>

No one should be too surprised that the Texas Health and Human Services Commission isn't likely to alert Medicaid clients of its uncertainty concerning the possible misappropriation of social security numbers. A recent change in Texas law makes the protection of social security numbers optional for state agencies,* unlike most states where public policy mandates the safeguard of social security numbers from public display or disclosure.

Effective March 28, 2007, Tex. Gov't Code Sec. § 552.147[0] provides in pertinent part, "The social security number of a living person is ... not confidential under this section and this section does not make the social security number of a living person confidential under another provision of this chapter or other law."

Notwithstanding Texas law, HIPAA's Privacy Rule protects the confidentiality of Medicaid client social security numbers.

"The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals' individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law (1) relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information, (2) provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or (3) requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule."

Source: U.S. Department of Health and Human Services, FAQ "Does the HIPAA Privacy Rule preempt State laws?" at http://www.hhs.gov/hipaafaq/state/399.html.

* Texas continues to require businesses to safeguard social security numbers in Tex. Bus. & Com. Code § 35.58 (2007).

--
Mark S. Simon, Director of Regulatory Compliance Consulting
Eclipsecurity, LLC
Mobile: (224) 612-3101
Office: (847) 850-5088
Toll Free: (877) 369-5331
www.eclipsecurityLLC.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Henry Brown
Sent: Monday, March 10, 2008 6:44 AM
To: dataloss at attrition.org
Subject: [Dataloss] Medicaid Computers stolen from Texas City Tx

[...]

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

From skalter at affiniongroup.com Mon Mar 10 15:07:40 2008
From: skalter at affiniongroup.com (Kalter, Sarah)
Date: Mon, 10 Mar 2008 11:07:40 -0400
Subject: [Dataloss] A data security breach legislation question
Message-ID: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com>

Hi All,

Does anyone happen to know how many states have enacted data security breach laws/legislation? And if so, which states?

Thank you so much!
Best,
Sarah

From lyger at attrition.org Mon Mar 10 16:13:52 2008
From: lyger at attrition.org (lyger)
Date: Mon, 10 Mar 2008 16:13:52 +0000 (UTC)
Subject: [Dataloss] A data security breach legislation question
In-Reply-To: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com>
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com>

At last count, it looks like the total is up to 38:

http://www.csoonline.com/read/020108/ammap/ammap.html

If anyone knows of any updates in the last month, please feel free to pass them along.

On Mon, 10 Mar 2008, Kalter, Sarah wrote:

": " Does anyone happen to know how many states have enacted data security
": " breach laws/legislation? And if so, which states?

From bkdelong at pobox.com Mon Mar 10 16:19:46 2008
From: bkdelong at pobox.com (B.K. DeLong)
Date: Mon, 10 Mar 2008 12:19:46 -0400
Subject: [Dataloss] A data security breach legislation question
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com>

What really needs to be put together is a chart or small table with metrics on what each law requires....

On Mon, Mar 10, 2008 at 12:13 PM, lyger wrote:
>
> At last count, it looks like the total is up to 38:
>
> http://www.csoonline.com/read/020108/ammap/ammap.html
>
> If anyone knows of any updates in the last month, please feel free to pass
> them along.

[...]

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From afranks at madacovi.com Mon Mar 10 16:20:51 2008
From: afranks at madacovi.com (Anthony Franks)
Date: Mon, 10 Mar 2008 16:20:51 +0000 (GMT Standard Time)
Subject: [Dataloss] A data security breach legislation question
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com>
Message-ID: <47D55FE2.000089.02432@ZENO>

I see your 38, and raise it one to 39!

http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

Ant

Anthony Franks OBE
Director of Marketing and Business Development
Optic Vision Ltd
The Old Barn
Appleford Rd
Long Wittenham
Oxon OX14 4PS
anthony.franks at opticvision.co.uk
afranks at madacovi.com
Landline (H) ++ 44 1908 630 380
Landline (W) ++44 8452 301 041
Mobile ++ 44 7894 507 316
Skype bigant27
www.opticvision.co.uk

-------Original Message-------
From: lyger
Date: 10/03/2008 16:14:34
To: Kalter, Sarah
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] A data security breach legislation question

At last count, it looks like the total is up to 38:

http://www.csoonline.com/read/020108/ammap/ammap.html

[...]

From mikeasimon at gmail.com Mon Mar 10 16:22:24 2008
From: mikeasimon at gmail.com (Mike Simon)
Date: Mon, 10 Mar 2008 09:22:24 -0700
Subject: [Dataloss] A data security breach legislation question
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com>
Message-ID: <7e1ecdc0803100922vbbbfad9oa71e5e5e72e8567d@mail.gmail.com>

Also, keep in mind that most of the state laws require notification of their residents if you do business in that state. With the number of states with such laws and any kind of interstate presence, it's unlikely that you can escape notification no matter what state you operate in.

> ": " Does anyone happen to know how many states have enacted data security
> ": " breach laws/legislation? And if so, which states?

From adam at homeport.org Mon Mar 10 16:26:15 2008
From: adam at homeport.org (Adam Shostack)
Date: Mon, 10 Mar 2008 12:26:15 -0400
Subject: [Dataloss] A data security breach legislation question
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com>
Message-ID: <20080310162615.GC14045@homeport.org>

Nah, what we need is good pointers to the 4 or 6 charts online.

http://www.emergentchaos.com/archives/2008/02/breach_laws_charts_update.html

On Mon, Mar 10, 2008 at 12:19:46PM -0400, B.K. DeLong wrote:
| What really needs to be put together is a chart or small table with
| metrics on what each law requires....

[...]
From rebeccaherold at rebeccaherold.com Mon Mar 10 16:30:37 2008
From: rebeccaherold at rebeccaherold.com (Rebecca Herold)
Date: Mon, 10 Mar 2008 11:30:37 -0500
Subject: [Dataloss] A data security breach legislation question
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com>
Message-ID: <025801c882cc$12f710e0$0202a8c0@RebeccaHerold>

Counting the District of Columbia, as of the end of October it was 40; see
http://www.privacyguidance.com/files/statebreachnotificationlaws10.19.07.pdf

Best regards,

Rebecca Herold

----- Original Message -----
From: "Kalter, Sarah"
To: "lyger" ;
Sent: Monday, March 10, 2008 10:07 AM
Subject: [Dataloss] A data security breach legislation question

> Does anyone happen to know how many states have enacted data security
> breach laws/legislation? And if so, which states?

[...]

From macwheel99 at wowway.com Mon Mar 10 16:27:52 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Mon, 10 Mar 2008 10:27:52 -0600
Subject: [Dataloss] A data security breach legislation question
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com>
Message-ID: <6.2.1.2.1.20080310102010.03d00a60@pop3.mail.wowway.com>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080310/053ef9ed/attachment.html

From lyger at attrition.org Mon Mar 10 18:12:21 2008
From: lyger at attrition.org (lyger)
Date: Mon, 10 Mar 2008 18:12:21 +0000 (UTC)
Subject: [Dataloss] NY: Blue Cross Addresses Identity Theft Concerns

http://www.wivb.com/Global/story.asp?S=7992428

Blue-Cross Blue-Shield of Western New York says it is notifying tens of thousands of its members about identity theft concerns after one of its company laptops went missing.

Blue-Cross says a laptop hard-drive containing vital information about an estimated 40,000 of its members has been missing since last November.

[...]

From privacylaws at sbcglobal.net Mon Mar 10 19:46:14 2008
From: privacylaws at sbcglobal.net (Privacy Laws)
Date: Mon, 10 Mar 2008 12:46:14 -0700 (PDT)
Subject: [Dataloss] A data security breach legislation question
In-Reply-To: <025801c882cc$12f710e0$0202a8c0@RebeccaHerold>
Message-ID: <930945.63168.qm@web81608.mail.mud.yahoo.com>

Wait what about New York City and Puerto Rico?

Saundra Kae Rubel, CIPP

Rebecca Herold wrote:

Counting the District of Columbia, as of the end of October it was 40; see
http://www.privacyguidance.com/files/statebreachnotificationlaws10.19.07.pdf

[...]

From rebeccaherold at rebeccaherold.com Mon Mar 10 19:56:09 2008
From: rebeccaherold at rebeccaherold.com (Rebecca Herold)
Date: Mon, 10 Mar 2008 14:56:09 -0500
Subject: [Dataloss] A data security breach legislation question
References: <930945.63168.qm@web81608.mail.mud.yahoo.com>
Message-ID: <034701c882e8$c9d3bea0$0202a8c0@RebeccaHerold>

Yes, if you start adding in all the laws within the local and city levels and U.S. territories, that could become a much longer list indeed. If you have a list of all of these it would be great to see!

BTW, hopefully Iowa will soon be passing their proposed privacy breach notice / credit freeze bill into law and then we can add it to the list of state laws.

----- Original Message -----
From: Privacy Laws
To: Rebecca Herold ; dataloss at attrition.org
Sent: Monday, March 10, 2008 2:46 PM
Subject: Re: [Dataloss] A data security breach legislation question

Wait what about New York City and Puerto Rico?

Saundra Kae Rubel, CIPP

[...]

From susan at susanorrconsulting.com Mon Mar 10 20:17:35 2008
From: susan at susanorrconsulting.com (Susan Orr)
Date: Mon, 10 Mar 2008 15:17:35 -0500
Subject: [Dataloss] A data security breach legislation question
In-Reply-To: <025801c882cc$12f710e0$0202a8c0@RebeccaHerold>
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com> <025801c882cc$12f710e0$0202a8c0@RebeccaHerold>
Message-ID: <47D5975F.6060707@susanorrconsulting.com>

I was just looking at the various states the other day, and there are some differences - some exempt encrypted information, some exclude financial institutions and others that are covered under other existing federal and state laws like GLBA. One state I believe exempts "state agencies" Oklahoma I think.

Didn't know it was up to 40, last I saw was 38. I'll have to check it out, thanks.

Rebecca Herold wrote:
> Counting the District of Columbia, as of the end of October it was 40; see
> http://www.privacyguidance.com/files/statebreachnotificationlaws10.19.07.pdf

[...]
>> http://www.tenablesecurity.com/products/compliance.shtml

-------------- next part --------------
A non-text attachment was scrubbed...
Name: susan.vcf
Type: text/x-vcard
Size: 289 bytes
Desc: not available
Url : http://attrition.org/pipermail/dataloss/attachments/20080310/6e3ccb9b/attachment.vcf

From slvrspoon at gmail.com Wed Mar 12 12:30:23 2008
From: slvrspoon at gmail.com (Rob Shavell)
Date: Wed, 12 Mar 2008 04:30:23 -0800
Subject: [Dataloss] A data security breach legislation question
In-Reply-To: <47D5975F.6060707@susanorrconsulting.com>
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com> <025801c882cc$12f710e0$0202a8c0@RebeccaHerold> <47D5975F.6060707@susanorrconsulting.com>
Message-ID: <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com>

hi all,

the question i have around US data breach notification legislation is this:

"why are we counting states?"

if most legislation applies to affected record-holders if they are residents, and 95% of breaches already either happen in a state with a law or include records of persons residing in such states, then... hasn't this basically become a necessity?

in other words, organizations had better just notify to be in compliance.

following from this: what is the importance to an organization of reading through particulars of state-by-state legislation when they can just follow California, notify everyone, and be in compliance?

bonus question: in your opinion, why are so many companies choosing to include credit monitoring services for those affected?
a) altruism
b) just not that costly
c) concern about downstream law-suits
d) ?

rgds,
rob

On 10/03/2008, Susan Orr wrote:
> [...]

From Terry.Miller at finra.org Wed Mar 12 14:15:56 2008
From: Terry.Miller at finra.org (Miller, Terry)
Date: Wed, 12 Mar 2008 10:15:56 -0400
Subject: [Dataloss] A data security breach legislation question
In-Reply-To: <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com>
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com> <025801c882cc$12f710e0$0202a8c0@RebeccaHerold> <47D5975F.6060707@susanorrconsulting.com> <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com>
Message-ID:

Note that on March 4 the SEC proposed expanding privacy Regulation S-P which is based on GLBA. The proposed expansion, which is based in large part on existing banking and FTC regulations, would include a national notification requirement. The requirement may preempt certain state laws which allow for such preemption.

Here is the proposal, which is now out for comment.
http://www.sec.gov/rules/proposed/2008/34-57427.pdf

Terry

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Rob Shavell
Sent: Wednesday, March 12, 2008 8:30 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] A data security breach legislation question

[...]

This email, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed.
If the reader of this email is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this email is prohibited. If you have received this email in error, please notify the sender by replying to this message and delete this email immediately.

From rebeccaherold at rebeccaherold.com Wed Mar 12 14:31:34 2008
From: rebeccaherold at rebeccaherold.com (Rebecca Herold)
Date: Wed, 12 Mar 2008 09:31:34 -0500
Subject: [Dataloss] A data security breach legislation question
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com> <025801c882cc$12f710e0$0202a8c0@RebeccaHerold> <47D5975F.6060707@susanorrconsulting.com> <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com>
Message-ID: <041701c8844d$c8b78e00$0202a8c0@RebeccaHerold>

Hi Rob,

True, privacy breach notification is basically a necessity that all organizations must now be prepared for, since the majority of states already have breach notice laws in place, and more are coming along all the time. In fact, all organizations handling personally identifiable information (PII) should create a privacy breach response plan that is tied in with the information security response plan, and not wait to try and handle a privacy breach ad hoc.

However, choosing just one state privacy breach notice law, such as California, to follow would be a risky proposition; there are some very subtle, but important, differences within each of the separate laws. For example, there are distinct differences in how the different laws:

a. Define encryption (some have technical specifications, others have vague descriptions)
b. Define a breach (some name specific situations, others give a vague description)
c. Define when notification is required (yes, again some provide some details while others are vague)
d. Etc... several more...
In general, I recommend to the businesses I work with that they identify the most stringent requirements across the board, and then build their privacy breach response plans to meet compliance with those.

I just wrote a couple of papers: one about making the "reasonable belief" decision for when a privacy breach has occurred, and one about privacy breach notification decisions. (If interested you can download them from http://nexus.realtimepublishers.com/rtitc.htm).

Regarding credit monitoring... I have seen companies choosing to provide credit monitoring for individuals impacted by breaches, even if not legally required, largely because of precedents set by companies who experienced breaches early on (e.g., Wells Fargo a few years ago) and chose to provide credit monitoring to the impacted individuals to help mitigate customer loss that could have resulted. When companies start providing such services, and it is well publicized that they are doing so, it sets the bar high for all other companies; it establishes a type of de facto expectation in the public.

Best regards,
Rebecca

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI
Rebecca Herold & Associates LLC
rebeccaherold at rebeccaherold.com
http://www.privacyguidance.com
Blog: http://www.realtime-itcompliance.com
Professor at: http://www3.norwich.edu/msia
http://www.informationshield.com/protectinginformation.html
http://www.informationshield.com/privacy_main.html

----- Original Message -----
From: "Rob Shavell"
To:
Sent: Wednesday, March 12, 2008 7:30 AM
Subject: Re: [Dataloss] A data security breach legislation question

> [...]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080312/21ee4dc0/attachment.html

From jpeyton at mcguirewoods.com Wed Mar 12 15:05:55 2008
From: jpeyton at mcguirewoods.com (Peyton, Janet P.)
Date: Wed, 12 Mar 2008 11:05:55 -0400
Subject: [Dataloss] A data security breach legislation question
In-Reply-To: <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com>
Message-ID:

It is important to look at the individual states because some have multiple notice requirements (for notifying not only the consumer but also the Attorney General's office, or in NY also notifying a state agency that deals with data breach, etc.). Also, if you take a look at Massachusetts, for example, it is a little different than California in terms of the specific topics that must be addressed in the notice letter. Until there is federal legislation that preempts the patchwork of state laws, it will continue to be important to analyze compliance state-by-state.

Janet Peyton

Janet P. Peyton
Partner
McGuireWoods LLP
One James Center
901 East Cary Street
Richmond, VA 23219-4030
804.775.1166 (Direct Line)
804.698.2230 (Direct FAX)
jpeyton at mcguirewoods.com

This e-mail may contain confidential or privileged information. If you are not the intended recipient, please advise by return e-mail and delete immediately without reading or forwarding to others.

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Rob Shavell
Sent: Wednesday, March 12, 2008 8:30 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] A data security breach legislation question

[...]

From Craig.Muller at demoxi.com Wed Mar 12 15:25:37 2008
From: Craig.Muller at demoxi.com (Craig Muller)
Date: Wed, 12 Mar 2008 08:25:37 -0700
Subject: [Dataloss] A data security breach legislation question
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com> <025801c882cc$12f710e0$0202a8c0@RebeccaHerold> <47D5975F.6060707@susanorrconsulting.com> <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com> <041701c8844d$c8b78e00$0202a8c0@RebeccaHerold>
Message-ID:

Hi Rob,

I believe companies are offering credit monitoring because they are concerned with lawsuits and public perception.
Little do they know that credit monitoring is a costly and less effective solution than one of the free alternatives, fraud alerts. It's unfortunate that promotion of credit monitoring gives the false impression that consumers are protected from identity theft if they pay for credit monitoring. I would much rather get a phone call when someone is attempting to access my credit report (fraud alerts) than be notified electronically after it has been accessed. Plus the fraud alert is free.

Regards,
Craig

Craig Muller
VP Identity Services
714.417.9984
craig at freeidentityprotect.com
www.freeidentityprotect.com

----- Original Message -----
From: "Rob Shavell"
To:
Sent: Wednesday, March 12, 2008 7:30 AM
Subject: Re: [Dataloss] A data security breach legislation question

> [...]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080312/c5f60f79/attachment.html

From msimon2 at eclipsecurityllc.com Wed Mar 12 16:30:50 2008
From: msimon2 at eclipsecurityllc.com (Mark Simon)
Date: Wed, 12 Mar 2008 11:30:50 -0500
Subject: [Dataloss] SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information
In-Reply-To:
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com> <025801c882cc$12f710e0$0202a8c0@RebeccaHerold> <47D5975F.6060707@susanorrconsulting.com> <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com>
Message-ID:

Terry-

Thanks for calling to our attention proposed amendments to SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information. I have some additional information I'd like to add to your posting.

The SEC is seeking comments on its proposed amendments at
http://www.sec.gov/cgi-bin/ruling-comments?ruling=s70608&rule_path=/comments/s7-06-08&file_num=S7-06-08&action=Show_Form&title=Part%20248%20-%20Regulation%20S-P:%20Privacy%20of%20Consumer%20Financial%20Information%20and%20Safeguarding%20Personal%20Information

The amendments are expected to affect more than 17,000 covered institutions.
The proposal is at http://www.sec.gov/rules/proposed/2008/34-57427.pdf

Prompting the proposal is the following finding by the SEC:

"We have become concerned with the significant increase in the number of information security breaches that have come to light in recent years and the potential created by such breaches for misuse of personal financial information, including identity theft. We are concerned that some firms do not regularly reevaluate and update their safeguarding programs to deal with increasingly sophisticated methods of attack. To help prevent and address security breaches at covered institutions, we propose to require more specific standards for safeguarding personal information, including standards for responding to data security breaches."

The SEC has yet to publish its proposed regulatory amendments in the Federal Register. Once publication occurs, there will be a 60-day comment period. The regulation amendments could take effect shortly thereafter.

--
Mark S. Simon, Director of Regulatory Compliance Consulting
Eclipsecurity, LLC
Mobile: (224) 612-3101
Office: (847) 850-5088
Toll Free: (877) 369-5331
www.eclipsecurityLLC.com
Lock-in success. Because information travels...

The information contained in this message may be CONFIDENTIAL and is for the intended addressee only. Any unauthorized use, dissemination of the information or copying of this message is prohibited. If you are not the intended addressee, please notify the sender immediately and delete this message.

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Miller, Terry
Sent: Wednesday, March 12, 2008 9:16 AM
To: Rob Shavell; dataloss at attrition.org
Subject: Re: [Dataloss] A data security breach legislation question

Note that on March 4 the SEC proposed expanding privacy Regulation S-P which is based on GLBA.
[...]

From Terry.Miller at finra.org Wed Mar 12 17:32:42 2008
From: Terry.Miller at finra.org (Miller, Terry)
Date: Wed, 12 Mar 2008 13:32:42 -0400
Subject: [Dataloss] SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com> <025801c882cc$12f710e0$0202a8c0@RebeccaHerold> <47D5975F.6060707@susanorrconsulting.com> <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com>
Message-ID:

If you're really interested, here is a link to the webcast of the Chairman's comments.
Click on "Regulation S-P: Privacy of Consumer Financial Information" under March 4.
http://www.sec.gov/news/openmeetings.shtml

-----Original Message-----
From: Mark Simon [mailto:msimon2 at eclipsecurityllc.com]
Sent: Wednesday, March 12, 2008 12:31 PM
To: Miller, Terry; Rob Shavell; dataloss at attrition.org
Subject: SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information

Terry-

Thanks for calling to our attention proposed amendments to SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information. I have some additional information I'd like to add to your posting.

The SEC is seeking comments on its proposed amendments at
http://www.sec.gov/cgi-bin/ruling-comments?ruling=s70608&rule_path=/comments/s7-06-08&file_num=S7-06-08&action=Show_Form&title=Part%20248%20-%20Regulation%20S-P:%20Privacy%20of%20Consumer%20Financial%20Information%20and%20Safeguarding%20Personal%20Information

The amendments are expected to affect more than 17,000 covered institutions. The proposal is at
http://www.sec.gov/rules/proposed/2008/34-57427.pdf

Prompting the proposal is the following finding by the SEC:

"We have become concerned with the significant increase in the number of information security breaches that have come to light in recent years and the potential created by such breaches for misuse of personal financial information, including identity theft. We are concerned that some firms do not regularly reevaluate and update their safeguarding programs to deal with increasingly sophisticated methods of attack. To help prevent and address security breaches at covered institutions, we propose to require more specific standards for safeguarding personal information, including standards for responding to data security breaches."

The SEC has yet to publish its proposed regulatory amendments in the Federal Register. Once publication occurs, there will be a 60-day comment period. The regulation amendments could take effect shortly thereafter.

--
Mark S. Simon, Director of Regulatory Compliance Consulting
Eclipsecurity, LLC
Mobile: (224) 612-3101
Office: (847) 850-5088
Toll Free: (877) 369-5331
www.eclipsecurityLLC.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Miller, Terry
Sent: Wednesday, March 12, 2008 9:16 AM
To: Rob Shavell; dataloss at attrition.org
Subject: Re: [Dataloss] A data security breach legislation question

Note that on March 4 the SEC proposed expanding privacy Regulation S-P which is based on GLBA. The proposed expansion, which is based in large part on existing banking and FTC regulations, would include a national notification requirement. The requirement may preempt certain state laws which allow for such preemption. Here is the proposal, which is now out for comment.

http://www.sec.gov/rules/proposed/2008/34-57427.pdf

Terry
From jericho at attrition.org  Wed Mar 12 18:20:25 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 12 Mar 2008 18:20:25 +0000 (UTC)
Subject: [Dataloss] follow-up: MTV Breach Underscores Company's Need For DLP
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.crn.com/security/206902848

By Stefanie Hoffman
ChannelWeb
March 10, 2008

MTV Networks might still be reeling after 5,000 confidential files containing personal and sensitive employee information were illegally accessed by an individual outside the company. But experts say that the incident might prompt companies to reevaluate data loss protection capabilities throughout their networks.

The security breach occurred when data was compromised over an Internet connection on an employee's computer, according to a statement released by the network Friday. An internal memo by Catherine Houser, executive vice president of Human Resources at MTV Networks, said that the compromised personal information included names, birth dates, Social Security numbers and compensation data of network employees.

A Reuters report said that MTV declined to provide any further information about the number of affected employees or the nature of the compromised information. MTV is currently conducting an investigation regarding the breach. While the network notified law enforcement and a credit monitoring company to alert and protect the identities of the affected employees, it was not immediately clear whether the password-protected files were opened or actively exploited.

[..]

From macwheel99 at wowway.com  Wed Mar 12 18:05:43 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Wed, 12 Mar 2008 12:05:43 -0600
Subject: [Dataloss] GAO on Gov Mishandling of Private Data
Message-ID: <6.2.1.2.1.20080312120354.04270d20@pop3.mail.wowway.com>

Privacy: Government Use of Data from Information Resellers Could Include Better Protections, by Linda D. Koontz, director, information management issues, before the Subcommittee on Information Policy, Census, and National Archives, House Committee on Oversight and Government Reform. GAO-08-543T, March 11.

http://www.gao.gov/cgi-bin/getrpt?GAO-08-543T

Highlights - http://www.gao.gov/highlights/d08543thigh.pdf

- Al Mac

From jericho at attrition.org  Wed Mar 12 19:08:01 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 12 Mar 2008 19:08:01 +0000 (UTC)
Subject: [Dataloss] GAO Finds Data Protection Lagging
Message-ID:

[Belated, apologies -jericho]

---------- Forwarded message ----------
From: InfoSec News

http://www.washingtonpost.com/wp-dyn/content/article/2008/02/25/AR2008022503120.html

By Christopher Lee
Washington Post Staff Writer
February 26, 2008

Despite a steady stream of embarrassing computer security breaches, many major federal agencies still are doing too little to safeguard the sensitive personal information in their possession, according to congressional investigators.

Only two of 24 agencies studied by the Government Accountability Office in a report released last week had implemented all five security measures recommended by the Office of Management and Budget to protect personal information. The top performers included the Treasury Department and the Department of Transportation. The worst were the Small Business Administration and the National Science Foundation, neither of which had adopted any of the measures, according to Sen. Norm Coleman (R-Minn.), one of two senators who requested the study.

But officials at both agencies said yesterday that they had completed most or all of the recommended measures since GAO investigators last visited them in October.

[..]
From mhill at idtexperts.com  Wed Mar 12 19:05:42 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Wed, 12 Mar 2008 15:05:42 -0400
Subject: [Dataloss] A data security breach legislation question
In-Reply-To:
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com> <025801c882cc$12f710e0$0202a8c0@RebeccaHerold> <47D5975F.6060707@susanorrconsulting.com> <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com> <041701c8844d$c8b78e00$0202a8c0@RebeccaHerold>
Message-ID:

I couldn't agree with you more that credit monitoring that companies offer after the breach is misleading the individuals that they are now protected in becoming a victim. And offer it for one year as if they'll be OK after the year is up.

With that being said, almost half of the recent 10 breaches are from the medical industry. Medical identity theft has been prominently featured in numerous magazines and television in the last 8-10 months, but most experts don't know what to do with it. Many are recommending or providing credit monitoring as a solution; but what is it about someone using your medical information that would ever make you think that it could be detected by credit monitoring? I'd have to say the same for fraud alerts and credit freezes.

Mike

Michael Hill
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751
"If You Think You're Not At Risk, Think Again!"

NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email. This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination or distribution of this communication is prohibited. If you have received this communication in error, please notify the sender via return email and delete it completely from your email system. If you have printed a copy of the email, please destroy it immediately.

----- Original Message -----
From: Craig Muller
To: dataloss at attrition.org
Sent: Wednesday, March 12, 2008 11:25 AM
Subject: Re: [Dataloss] A data security breach legislation question

Hi Rob,

I believe companies are offering credit monitoring because they are concerned with lawsuits and public perception. Little do they know that credit monitoring is a costly and less effective solution than one of the free alternatives, fraud alerts. It's unfortunate that promotion of credit monitoring gives the false impression that consumers are protected from identity theft if they pay for credit monitoring. I would much rather get a phone call when someone is attempting to access my credit report (fraud alerts) than to be notified electronically after it has been accessed. Plus the fraud alert is free.

Regards,
Craig

Craig Muller
VP Identity Services
714.417.9984
craig at freeidentityprotect.com
www.freeidentityprotect.com

----- Original Message -----
From: "Rob Shavell"
To:
Sent: Wednesday, March 12, 2008 7:30 AM
Subject: Re: [Dataloss] A data security breach legislation question

> hi all,
> the question i have around US data breach notification legislation is this:
>
> "why are we counting states?"
>
> if most legislation applies to affected record-holders if they are
> residents and 95% of breaches already either happen in a state with a
> law or include records of persons residing in such states, then...
> hasn't this basically become a necessity?
>
> in other words, organizations had better just notify to be in compliance.
>
> following from this: what is the importance to an organization of
> reading through particulars of state by state legislation when they
> can just follow California, notify everyone, and be in compliance?
>
> bonus question: in your opinion, why are so many companies choosing to
> include credit monitoring services for those affected? a) altruism b)
> just not that costly c) concern about downstream law-suits d) ?
>
> rgds,
> rob
>
> On 10/03/2008, Susan Orr wrote:
>> I was just looking at the various states the other day, and there are
>> some differences - some exempt encrypted information, some exclude
>> financial institutions and others that are covered under other existing
>> federal and state laws like GLBA. One state I believe exempts "state
>> agencies" Oklahoma I think.
>>
>> Didn't know it was up to 40, last I saw was 38. I'll have to check it
>> out, thanks.
>>
>> Rebecca Herold wrote:
>> > Counting the District of Columbia, as of the end of October it was 40; see
>> > http://www.privacyguidance.com/files/statebreachnotificationlaws10.19.07.pdf
>> >
>> > Best regards,
>> >
>> > Rebecca Herold
>> > ----- Original Message -----

From chris at cwalsh.org  Wed Mar 12 20:00:50 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Wed, 12 Mar 2008 15:00:50 -0500
Subject: [Dataloss] A data security breach legislation question
In-Reply-To: <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com>
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com> <025801c882cc$12f710e0$0202a8c0@RebeccaHerold> <47D5975F.6060707@susanorrconsulting.com> <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com>
Message-ID: <20080312200050.GA68704@fripp.cwalsh.org>

On Wed, Mar 12, 2008 at 04:30:23AM -0800, Rob Shavell wrote:
>
> following from this: what is the importance to an organization of
> reading through particulars of state by state legislation when they
> can just follow California, notify everyone, and be in compliance?

There are substantial differences among the state laws. In NC, the data needn't be computerized. In several (not CA) states, a report must be made to the state as well as to impacted parties. In some states, encryption gets you off the hook, in others, redaction is good enough. In others, even a password(!) is good enough.

I understand the "meet the strictest requirement" philosophy, but California isn't it. Until there is consistency across states, a la the uniform commercial code, it behooves you to be up on what each state requires.

That said, "somebody" should just offer this as a service. IANAL, but it seems like the kind of thing that would be quite easy to do.

cw

From John.Brinkerhoff at urs.org  Wed Mar 12 21:14:04 2008
From: John.Brinkerhoff at urs.org (John.Brinkerhoff at urs.org)
Date: Wed, 12 Mar 2008 15:14:04 -0600
Subject: [Dataloss] Fla. Medical Records Sold as Scrap in Salt Lake City Utah
Message-ID:

Medical records of 28 Central Florida Regional Hospital patients were sold at a Salt Lake City surplus store as "scrap paper".
Link to story: http://www.ksl.com/?nid=157&sid=2821438

From bgivens at privacyrights.org  Wed Mar 12 23:21:08 2008
From: bgivens at privacyrights.org (Beth Givens)
Date: Wed, 12 Mar 2008 16:21:08 -0700
Subject: [Dataloss] A data security breach legislation question
In-Reply-To:
References: <03CB35A095056340A769529ED1536F771B2C8E38@exchnorwalk-3.ads.trilegiant.com> <025801c882cc$12f710e0$0202a8c0@RebeccaHerold> <47D5975F.6060707@susanorrconsulting.com> <9541644d0803120530n5562a53co408c6d39444d41f0@mail.gmail.com> <041701c8844d$c8b78e00$0202a8c0@RebeccaHerold>
Message-ID: <7.0.1.0.2.20080312154704.04632848@privacyrights.org>

Security freezes are even more effective than fraud alerts in preventing identity theft in situations where the breached data ends up in the hands of fraudsters. If your credit reports are "frozen," creditors cannot obtain access to them at all. The fraudster who is attempting to open an instant credit account at, say, the local Circuit City store so he or she can buy goods with a high street value on the black market will be turned away. The sales clerk at Circuit City will not be able to access the victim's credit report to make that all-important credit check.

But there is a fee to sign up for security freezes with each of the 3 credit bureaus. If an individual wants the ultimate protection, AND they do not plan to be in the market for any credit-related products in the near future including renting an apartment, it makes sense to go with the freeze. FYI, freezes are usually free to bona fide ID theft victims.

Freezes are a good idea for senior citizens who own their homes outright and who have all the credit they need. They then have the peace of mind that they don't need to worry about new-account fraud, which is the more pernicious form of identity fraud (versus existing-account fraud) and the most difficult and time-consuming to recover from.

By the way, the freeze laws were implemented because creditors were not always checking for fraud alerts. Many simply ignored them and did not make those phone calls to individuals who had established the fraud alerts. We here at the Privacy Rights Clearinghouse have talked with numerous victims of identity theft over the years who have told us that creditors paid no attention to their fraud alerts and went ahead and issued credit to the identity thief nonetheless.

I would like to see security freeze laws amended to require *free* freezes for individuals affected by data breaches, especially for breaches in which Social Security numbers have been compromised. SSNs are the key to new-account fraud.

Here's a good link for freeze information from Consumers Union:
http://www.consumersunion.org/campaigns/learn_more/003484indiv.html

Beth Givens
Director, Privacy Rights Clearinghouse

The information, advice, and suggestions contained in this email should be used as an information source and not as legal advice.

Beth Givens, Director
Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
San Diego, CA 92103
Voice: 619-298-3396
Fax: 619-298-5681
bgivens at privacyrights.org
http://www.privacyrights.org
+++++++++++++++++++++++++++++++++++++
Join our email newsletter. http://www.privacyrights.org/subscribe.htm

From lyger at attrition.org  Wed Mar 12 23:42:33 2008
From: lyger at attrition.org (lyger)
Date: Wed, 12 Mar 2008 23:42:33 +0000 (UTC)
Subject: [Dataloss] MA: Personal Data Potentially Compromised in Hack
Message-ID:

http://www.thecrimson.com/article.aspx?ref=522487

Last month's hack of a Harvard Graduate School of Arts and Sciences (GSAS) Web server may have compromised 10,000 sets of personal information from applicants and students, including 6,600 Social Security numbers and 500 Harvard ID numbers, the University said today.
Harvard began notifying those who may be affected today, after an investigation determined that the University could no longer stand by its initial conclusion that no personal information had been accessed and disseminated.

[...]

From jericho at attrition.org  Thu Mar 13 10:09:21 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 13 Mar 2008 10:09:21 +0000 (UTC)
Subject: [Dataloss] HealthNow data goes missing as laptop vanishes
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.buffalonews.com/145/story/296415.html

By Jonathan Epstein
The Buffalo News
03/11/08

HealthNow New York has alerted 40,000 members in Western and Northeastern New York that they may be at risk for identity theft, after a former employee's laptop computer went missing with confidential information several months ago.

The Buffalo-based parent of BlueCross BlueShield of Western New York sent letters late last week to the affected customers, even though officials are still not certain what, if anything, was on the computer.

Based on the company's investigation, the potential information includes names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers. However, there was no health or medical claims information involved, spokeswoman Karen Merkel-Liberatore said late Monday.

HealthNow has arranged for any affected member to receive a one-year free membership in Equifax Credit Watch, to monitor for identity theft. But the company has no plans to re-assign new health insurance identification numbers en masse, though it will do so at the request of any individual members, Merkel-Liberatore said.

[..]
From lyger at attrition.org  Thu Mar 13 18:58:49 2008
From: lyger at attrition.org (lyger)
Date: Thu, 13 Mar 2008 18:58:49 +0000 (UTC)
Subject: [Dataloss] Update: Harvard student database hacked, posted on BitTorrent
Message-ID:

http://www.news.com/8301-10789_3-9893174-57.html?part=rss&subj=news&tag=2547-1_3-0-5

Harvard says about 10,000 of last year's applicants may have had their personal information compromised. At least 6,600 Social Security numbers were exposed. Worse, a compressed 125 M-byte file containing the stolen student data is currently available via BitTorrent, a peer-to-peer network.

[.]

A BitTorrent file containing the stolen data includes a note that reads in part "maybe you don't like it but this is to demonstrate that persons like tgatton(admin of the server) in they don't know how to secure a website." The BitTorrent file consists of a server backup of the GSAS site with a full directory structure and three databases: joomla.slq, the main database; contacts.sql which is a database of contacts; and hgs.sql, a miscellaneous file.

[...]

From bkdelong at pobox.com  Thu Mar 13 19:11:39 2008
From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 13 Mar 2008 15:11:39 -0400
Subject: [Dataloss] Update: Harvard student database hacked, posted on BitTorrent
In-Reply-To:
References:
Message-ID:

I'm up at SourceBoston right now with limited access - what are the FERPA repercussions for this breach?

On Thu, Mar 13, 2008 at 2:58 PM, lyger wrote:
>
> http://www.news.com/8301-10789_3-9893174-57.html?part=rss&subj=news&tag=2547-1_3-0-5
>
> Harvard says about 10,000 of last year's applicants may have had their
> personal information compromised. At least 6,600 Social Security numbers
> were exposed. Worse, a compressed 125 M-byte file containing the stolen
> student data is currently available via BitTorrent, a peer-to-peer
> network.
>
> [...]

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                   Son.
http://www.ianetsec.com                   Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org     Service.
http://bkdelong.livejournal.com           Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From sovrevage at gmail.com  Thu Mar 13 20:45:18 2008
From: sovrevage at gmail.com (Stian Øvrevåge)
Date: Thu, 13 Mar 2008 21:45:18 +0100
Subject: [Dataloss] Update: Harvard student database hacked, posted on BitTorrent
In-Reply-To:
References:
Message-ID:

On Thu, Mar 13, 2008 at 7:58 PM, lyger wrote:
>
> http://www.news.com/8301-10789_3-9893174-57.html?part=rss&subj=news&tag=2547-1_3-0-5
>
> Harvard says about 10,000 of last year's applicants may have had their
> personal information compromised. At least 6,600 Social Security numbers
> were exposed. Worse, a compressed 125 M-byte file containing the stolen
> student data is currently available via BitTorrent, a peer-to-peer
> network.
>
> [...]

According to http://thepiratebay.org/tor/4031271/harvard_s_hack the file was published almost a month ago (16 Feb).

--
Stian Øvrevåge

From lyger at attrition.org  Fri Mar 14 11:52:40 2008
From: lyger at attrition.org (lyger)
Date: Fri, 14 Mar 2008 11:52:40 +0000 (UTC)
Subject: [Dataloss] UT: Possibly Thousands Of Patients' Information Compromised With Laptop Theft
Message-ID:

http://www.kutv.com/content/news/topnews/story.aspx?content_id=5843cde8-1fb5-4945-b396-df5b682ddbb4

Possibly 4,800 patients' information could be compromised, when a laptop with names, social security numbers and personal health information was stolen from University Healthcare over two weeks ago.

The theft happened back on February 25th. The hospital says that someone broke into a locked office and took a laptop and a flash drive. The hospital does not believe that whoever stole the laptop was searching for the patients' information.

[...]

From lyger at attrition.org  Sat Mar 15 07:18:04 2008
From: lyger at attrition.org (lyger)
Date: Sat, 15 Mar 2008 07:18:04 +0000 (UTC)
Subject: [Dataloss] Call to Arms: In Search of Bigger DLDOS
Message-ID:

http://attrition.org/news/content/08-03-15.001.html

Call to Arms: In Search of Bigger DLDOS
Sat Mar 15 00:02:11 EST 2008
Lyger

Over the past few months, Attrition.org has received numerous requests about enhancements to the Data Loss Database - Open Source (DLDOS).
As much as we would like to accommodate every request and provide a more complete and more accurate data set, just as the Open Source Vulnerability Database strives for the same goal, sometimes the resources "just aren't there". We generally receive suggestions via email and ponder them while adding new events and updating archived ones, but we had to ask ourselves, "how much can we really do on our own?".

The Data Loss Mail List currently has over 1,200 active subscribers and we feel that it has been a valuable source of information regarding data loss events, legislative matters, and technical discussion. With that in mind, it's sometimes frustrating knowing that we could enhance and improve upon the current data set, but simply don't have the time to manage all of it ourselves.

So, all of a sudden, *light bulb* - why not ask for a little help? Why not make the database more of a "community project"? Why not have anyone offer suggestions, submit changes, and we can incorporate those changes if they meet general (and informal) standards? Actually, that's what we wanted (and suggested) in the first place. However, much like OSVDB, that hasn't happened. So, instead of just mailing us with ideas for new columns, criteria, and specific field updates, we want to invite everyone to download the current database (which generally updates at least five or six times a week), make changes, and send it back to us with a quick note as to what was changed and why it was changed.

[...]

From jericho at attrition.org  Mon Mar 17 08:46:17 2008
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 17 Mar 2008 08:46:17 +0000 (UTC)
Subject: [Dataloss] Our P2P Investigation Turns Up Business Data Galore
Message-ID:

[Great.. loads of billing data, health records and more, but absolutely no details. Fun project and nice resulting article, but no follow through on properly warning the companies or consumers? -- jericho]

---------- Forwarded message ----------
From: InfoSec News

http://www.informationweek.com/story/showArticle.jhtml?articleID=206903417

By Avi Baumstein
InformationWeek
March 17, 2008

Are peer-to-peer networks really filled with sensitive corporate data just waiting to be plucked and abused? It seems unlikely--surely people wouldn't be that sloppy. Like a 19th century prospector, I decided to dip my pan into the stream to see what I could find. The results were shocking and scary--loads of confidential business documents and enough personal information to ruin any number of lives and create PR nightmares for quite a few companies.

Among the business documents were spreadsheets, billing data, health records, RFPs, internal audits, product specs, and meeting notes, all found in a quick expedition, using simple tools. It's doubtful that so many people were sharing such sensitive files on purpose. More likely, the users, or even their children, had installed a P2P program to download music or a TV show, and clicked "OK" to all the questions during the install process. One of those questions is which folder to share files from, and often the default is the Windows My Documents folder.

The result was plain--and in many ways worse than the lost laptops that have made so much news, because the files are available to the entire world and leave no trace when they're taken. If my sampling is any indication, it's clearly time to add P2P file sharing to your list of security threats.

[..]
From mhill at idtexperts.com  Mon Mar 17 04:31:01 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Mon, 17 Mar 2008 00:31:01 -0400
Subject: [Dataloss] FL: Firefighters' Personal Information Published On City's Web Site
Message-ID:

http://www.cfnews13.com/News/Local/2008/3/16/firefighters_personal_information_published_on_citys_web_site.html

MINNEOLA -- Nine Minneola firefighters are trying to keep their names clean after their personal information ended up on the city's Web site. The city clerk accidentally published the information.

Social security numbers, phone numbers, addresses and personal information from union application cards found its way onto the city's Web site for over 36 hours. The city clerk was updating the agenda for this week's city council meeting where the city will vote on recognizing the new union.

"The city clerk in this case, she does hundreds of thousands of pieces of document. This one slipped by. It's nothing intentional. We apologize," said Minneola Mayor David Yeager.

Minneola is giving all nine firefighters a one-year subscription to a credit monitoring service. The union president said he realizes this was an honest mistake. The city manager is investigating the incident. There is no word on whether or not the city clerk will be disciplined.

Michael Hill
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751
"If You Think You're Not At Risk, Think Again!"

From lyger at attrition.org  Mon Mar 17 17:09:19 2008
From: lyger at attrition.org (lyger)
Date: Mon, 17 Mar 2008 17:09:19 +0000 (UTC)
Subject: [Dataloss] Mass. bankers report data breach at retailer
Message-ID:

http://www.boston.com/business/ticker/2008/03/mass_bankers_re.html

The Massachusetts Bankers Association is warning consumers about another data breach involving a major retailer. The association said today that about a third of its 200 member banks have been contacted by Visa and MasterCard. The alerts advised that some of the credit and debit cards the banks issued could be at risk.

Credit card companies haven't named the retailer in the breach, which is believed to affect consumers in Massachusetts and northern New England states.

[...]

From lyger at attrition.org  Mon Mar 17 21:06:01 2008
From: lyger at attrition.org (lyger)
Date: Mon, 17 Mar 2008 21:06:01 +0000 (UTC)
Subject: [Dataloss] ME: Hannaford: Data Breach May Have Exposed Millions To Fraud
Message-ID:

http://www.wmur.com/news/15621249/detail.html

Hannaford Bros. supermarket chain announced Monday a security breach that led to thefts of customer credit and debit card numbers.

Hannaford says the security breach affects all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

The company puts the number of unique credit and debit card numbers that were potentially exposed to fraud at 4.2 million. The company is currently aware of about 1,800 cases of reported fraud related to the security breach.
The Massachusetts Bankers Association said one-third of its 200 member banks have been contacted by Visa and MasterCard about the problem. [...] From jericho at attrition.org Mon Mar 17 21:11:29 2008 From: jericho at attrition.org (security curmudgeon) Date: Mon, 17 Mar 2008 21:11:29 +0000 (UTC) Subject: [Dataloss] Two weeks to contain a security breach?!?!? (fwd) Message-ID: ---------- Forwarded message ---------- From: Richard M. Smith "Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn't contained until March 10, said Carol Eleazer, Hannaford's vice president of marketing in Scarborough." http://ap.google.com/article/ALeqM5ipET-mkUFMHvZNMr5WJkcg82NHIwD8VFDD0O0 Breach Exposes 4.2M Credit, Debit Cards By DAVID SHARP - 24 minutes ago PORTLAND, Maine (AP) - A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday. Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed. The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. The company is aware of about 1,800 cases of fraud reported so far relating to the breach. No personal data such as names, addresses or telephone numbers were divulged - just account numbers. [..] From lyger at attrition.org Mon Mar 17 23:32:18 2008 From: lyger at attrition.org (lyger) Date: Mon, 17 Mar 2008 23:32:18 +0000 (UTC) Subject: [Dataloss] Hannaford Information Request Message-ID: Forwarded to the list by request: ---------- Forwarded message ---------- From: kerber at globe.com To: lyger (lyger at attrition.org) Date: Mon, 17 Mar 2008 19:09:38 -0400 Hello all, Ross Kerber here, I'm a Boston Globe business reporter. 
I'm interested in learning more about exactly what happened in the case of the breach disclosed by Hannaford Bros. on Monday, and what's being done about it. If you know any more details, could you email me directly or call? Also I'm interested if you could provide me any documents, notices etc. that Visa, MCard or another party might have sent out that would shed any more light on what happened. Thanks & rgds -- Ross Ross Kerber Staff Reporter Boston Globe Business News tel 617 929 2959 fax 617 929 3183 kerber at globe.com From fergdawg at netzero.net Tue Mar 18 05:36:54 2008 From: fergdawg at netzero.net (Paul Ferguson) Date: Tue, 18 Mar 2008 05:36:54 GMT Subject: [Dataloss] Utah Division of Finance Reports Security Breach Message-ID: <20080317.223654.23165.0@webmail24.vgs.untd.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I hadn't seen this one come across the list... An all-too-familiar story. Via The Desert Morning News. [snip] Computer files containing the personal information of approximately 500 individuals may have been accessed by unauthorized persons during a security breach at the Utah Division of Finance. However, Department of Administrative Services spokeswoman Vicki Schoenfeld said in a press release an initial investigation indicates it is highly unlikely the person who breached the computer system was able to access the personal information. As a precautionary measure, the Department of Administrative Services will make every effort to contact all individuals whose personal information was potentially exposed, Schoenfeld said. "We are now taking steps to determine the amount of information, if any, that was accessed by unauthorized persons. Utah attorney general special agents assigned to the Identity Theft Task Force are investigating this matter," Schoenfeld said. State computer systems withstand more than 100,000 potential attacks a day, according to the press release. 
The state encourages individuals to be proactive and visit the IRIS ID Theft information and reporting Web site, www.idtheft.utah.gov, for precautionary information about preventing identity theft. [snip] Link: http://deseretnews.com/article/1,5143,695261923,00.html - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFH31Txq1pz9mNUZTMRApefAJ9TV7O25bPLJIDm5fzT53wsZJKC2wCeII7U Z1FIAxoBygYhKwAksVTtyKk= =/677 -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ From lyger at attrition.org Tue Mar 18 11:55:44 2008 From: lyger at attrition.org (lyger) Date: Tue, 18 Mar 2008 11:55:44 +0000 (UTC) Subject: [Dataloss] NY: Some BU students' Social Security info e-mailed to others Message-ID: http://www.pressconnects.com/apps/pbcs.dll/article?AID=/20080317/NEWS01/803170361 The Social Security numbers of more than 300 Binghamton University students were accidentally e-mailed to a list of hundreds of other students on Friday. A university employee mistakenly sent an e-mail attachment containing the names, grade point averages and Social Security numbers of junior and senior accounting students to another group of 288 School of Management students. There has been no indication that any students' information has been misused, BU spokeswoman Gail Glover said Monday night. 
From lyger at attrition.org Tue Mar 18 17:10:56 2008
From: lyger at attrition.org (lyger)
Date: Tue, 18 Mar 2008 17:10:56 +0000 (UTC)
Subject: [Dataloss] follow-up: Tentative settlement in Certegy data breach
Message-ID:

http://www.scmagazineus.com/Tentative-settlement-in-Certegy-data-breach/article/108088/

A proposed legal settlement by Certegy Check Services, which lost the personal financial information of millions of Americans last fall in an insider-related data breach, is a "mixed bag" that falls short of protecting the victims, security analysts told SCMagazine US.com.

The tentative settlement between Certegy and class-action lawyers is now under review by U.S. District Court Judge Steven D. Merryday in Tampa, Fla. If accepted, it would offer only partial help to some of the 8.4 million customers whose personal information was stolen by a Certegy employee over a five-year period.

Under terms of the agreement, Certegy would offer credit and bank account monitoring, identity theft reimbursement capped at $4 million, reimbursement of some credit monitoring fees, and enhanced security.

The settlement calls for Certegy to give consumers a free one-year subscription to Experian's Triple Alert, a $4.95 monthly service that monitors credit reports for evidence of fraudulent activity. The plan limits those eligible to about 1.25 million consumers whose credit card or debit card information was stolen.

[...]

From roy at rant-central.com Tue Mar 18 22:29:09 2008
From: roy at rant-central.com (Roy M. Silvernail)
Date: Tue, 18 Mar 2008 18:29:09 -0400
Subject: [Dataloss] Two weeks to contain a security breach?!?!? (fwd)
In-Reply-To:
References:
Message-ID: <47E04235.80000@rant-central.com>

security curmudgeon wrote:
> ---------- Forwarded message ----------
> From: Richard M. Smith
>
> "Hannaford became aware of the breach Feb. 27. Investigators later
> discovered that the data breach began on Dec. 7; it wasn't contained
> until March 10, said Carol Eleazer, Hannaford's vice president of
> marketing in Scarborough."

Speaking as someone who is at risk from this breach (I shop at Hannaford weekly, if not more often), I have to wonder about one detail that has been mentioned but not extensively discussed. Hannaford's web site has a sort-of press release that includes this quote:

> The intrusion affected Hannaford stores, Sweetbay stores in Florida
> and certain independently-owned retail locations in the Northeast
> that carry Hannaford products.

Why would "independently-owned retail locations... that carry Hannaford products" settle their credit card transactions over Hannaford's network? I would expect that an independent retailer would be settling credit card transactions over their bank's system, or perhaps using a consolidation broker. Am I just naive?

--
Roy M. Silvernail is roy at rant-central.com, and you're not
"It's just this little chromium switch, here." - TFT
http://www.rant-central.com

From lyger at attrition.org Tue Mar 18 22:55:06 2008
From: lyger at attrition.org (lyger)
Date: Tue, 18 Mar 2008 22:55:06 +0000 (UTC)
Subject: [Dataloss] update: Man charged in theft of VA computers
Message-ID:

http://www.indystar.com/apps/pbcs.dll/article?AID=/20080318/LOCAL/80318064/0/BUSINESS

A former patient at the Roudebush VA Medical Center has been charged in the disappearance of hospital computer equipment that contained the records of nearly 12,000 patients.

"According to the probable cause affidavit, computer equipment including a laptop computer, computer screens and printers were taken from the VA facility on November 13 of last year," the Marion County prosecutor's office said in a news release.

Joseph A. Radican, 50, Indianapolis, was arrested Monday on one count of Class D felony theft after investigators identified him from surveillance video. A probable cause affidavit, a sworn police statement filed in support of the charge, identifies him as a former patient at the facility.

[...]

From lyger at attrition.org Wed Mar 19 00:53:44 2008
From: lyger at attrition.org (lyger)
Date: Wed, 19 Mar 2008 00:53:44 +0000 (UTC)
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
Message-ID:

http://attrition.org/security/rant/z/rapid7.html

Tue Mar 18 16:10:57 EST 2008
d2d

You are a security vendor. You sell the mightiest security doohickey the world has ever seen. It does it all, including "...ensuring your network is safe from hackers..." and amazingly it "...scans for Web site and database vulnerabilities that hackers can use to capture credit card information without you being aware". Since your doohickey does what no others have ever successfully managed to do, you can tout your client list proudly, and pimp your customer implementations liberally.

UNTIL...

One of your customers joins the etiolated top 10 with a massive hacker perpetrated data loss incident.

OUCH.

[...]

From jpole at jcpa.com Wed Mar 19 01:56:36 2008
From: jpole at jcpa.com (Jamie C. Pole)
Date: Tue, 18 Mar 2008 21:56:36 -0400
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To:
References:
Message-ID: <7DF4DA8C-AC21-4B00-B413-51B0119518E9@jcpa.com>

Yup. And does anyone doubt that a company using Qualys would be in the same boat?

All of these vendors that sell non-functioning crapware are seriously damaging the efficacy of online commerce moving forward. They sell a false sense of security. Nothing more. PCI compliance in a box? Yeah, right...

Then again, Visa is also very much to blame. Until Visa gets serious about PCI compliance and starts certifying expert security practitioners, rather than clueless companies with big checkbooks, this is just going to keep happening over and over again. Visa should be paying expert security practitioners to do PCI compliance assessments, rather than having the big consulting companies pay THEM for the privilege of saying they are certified to conduct PCI assessments.

All of these automated vulnerability assessment processes achieve the same result - they identify only the lowest of the low-hanging fruit. Automated tools might identify the exposures that script kiddies are looking for, but they most certainly can't identify the exposures that motivated and competent hackers are looking for. Show me an automated tool that can identify vulnerabilities that are contingent on the successful exploit of other vulnerabilities, and I just might change my mind. I'm not going to hold my breath, because companies are too wrapped up in buying automated scans for $19.99 per host. As we can see, they always get exactly what they pay for. What exactly do they think they are buying??

What's even worse is that there are "security consultants" running around telling the world that they base their entire vulnerability assessment offering on some of these useless tools.

Oh, well...

Jamie

On Mar 18, 2008, at 8:53 PM, lyger wrote:

> http://attrition.org/security/rant/z/rapid7.html
>
> Tue Mar 18 16:10:57 EST 2008
> d2d
>
> [...]

From fergdawg at netzero.net Wed Mar 19 06:19:32 2008
From: fergdawg at netzero.net (Paul Ferguson)
Date: Wed, 19 Mar 2008 06:19:32 GMT
Subject: [Dataloss] Web site breach of The Dental Network exposes patients' information
Message-ID: <20080318.231932.11132.0@webmail03.vgs.untd.com>

Via Personal Health Information Privacy.

[snip]

A security breach of The Dental Network web site left access to member personal data, including names, Social Security numbers, address(es) and dates of birth unprotected for approximately two weeks. According to a letter dated March 10th to the New Hampshire Department of Justice, TDN discovered the breach on February 20th.

The Dental Network is an independent licensee of the Blue Cross and Blue Shield Association.

TDN retained Identity Safeguards, who notified those affected and is providing one year of free credit monitoring and free credit restoration services should they be needed. The company also set up a web site at http://ids.thedentalnet.org/

According to the FAQ on the site, TDN secured members' data within minutes of detecting the problem.

[snip]

More: http://www.phiprivacy.net/?p=114

-- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

From msimon at eclipsecurityllc.com Wed Mar 19 15:45:56 2008
From: msimon at eclipsecurityllc.com (Mark Simon)
Date: Wed, 19 Mar 2008 10:45:56 -0500
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <7DF4DA8C-AC21-4B00-B413-51B0119518E9@jcpa.com>
References: <7DF4DA8C-AC21-4B00-B413-51B0119518E9@jcpa.com>
Message-ID:

The false sense of comfort with various security products is due to the lack of transparency concerning breach occurrences. It is the rare case where an exploited vulnerability is identified and described in detail for the public.

As embarrassing as it may be, we need to share more details about breach incidents. Organizations should be encouraged to redact and anonymously publish post-incident reports so the public, including other information security professionals, can learn about security tools that have failed to help TJX and many others prevent or earlier uncover intruder activities.

It would also help if trusted organizations, such as US-CERT, would provide anonymity and publication facilities allowing organizations to report details concerning breach occurrences. Congress passed the Communications Decency Act (CDA) in 1996. The Act contains language under the heading - Protection for Good Samaritan blocking and screening of offensive material - which provides, "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." CDA 230 further provides that "[n]o cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section."

So, find a publisher and get publishing.

Mark.

--
Mark S. Simon, Director of Regulatory Compliance Consulting
Eclipsecurity, LLC
Mobile: (224) 612-3101
Office: (847) 850-5088
Toll Free: (877) 369-5331

www.eclipsecurityLLC.com

Lock-in success. Because information travels...

The information contained in this message may be CONFIDENTIAL and is for the intended addressee only. Any unauthorized use, dissemination of the information or copying of this message is prohibited. If you are not the intended addressee, please notify the sender immediately and delete this message.

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Jamie C. Pole
Sent: Tuesday, March 18, 2008 8:57 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

[...]

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

From Ben.Jackson at state.ma.us Wed Mar 19 16:26:21 2008
From: Ben.Jackson at state.ma.us (Jackson, Ben (ITD))
Date: Wed, 19 Mar 2008 12:26:21 -0400
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <7DF4DA8C-AC21-4B00-B413-51B0119518E9@jcpa.com>
References: <7DF4DA8C-AC21-4B00-B413-51B0119518E9@jcpa.com>
Message-ID: <291B0CA2464D8246A568A726488736080828F294@ES-MSG-007.es.govt.state.ma.us>

A co-worker pointed out that they have updated their press release with a general "not our fault!" text:

http://rapid7.com/docs/rapid7-hannaford.pdf

--
Ben Jackson - Sr. Security Engineer - Commonwealth of Massachusetts
ben.jackson at state.ma.us - +1-617-626-4575 (v) - +1-617-626-4459 (f)
"Security software is no replacement for secure software"

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Jamie C. Pole
Sent: Tuesday, March 18, 2008 9:57 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

[...]

From jpole at jcpa.com Wed Mar 19 16:48:05 2008
From: jpole at jcpa.com (Jamie C. Pole)
Date: Wed, 19 Mar 2008 12:48:05 -0400
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <291B0CA2464D8246A568A726488736080828F294@ES-MSG-007.es.govt.state.ma.us>
References: <7DF4DA8C-AC21-4B00-B413-51B0119518E9@jcpa.com> <291B0CA2464D8246A568A726488736080828F294@ES-MSG-007.es.govt.state.ma.us>
Message-ID: <007f01c889e1$01595de0$040c19a0$@com>

OMG! After reading that update, I'm speechless. Are we supposed to believe that in the midst of their corporate hara-kiri preparations, Hannaford took the time to tell Rapid7 THAT IT WASN'T THEIR FAULT?!? Not too long ago, CD Universe was sued out of existence over less than 100,000 lost card numbers. This loss is in the millions. I'm sure their FIRST concern was to tell Rapid7 that it wasn't their fault. Having worked on numerous high-profile incidents, I find it highly unlikely that Hannaford is in any position to make such a statement.

Also, please explain exactly how it is that credit card processing systems that would obviously be covered by PCI requirements were not covered by the tool upon which Hannaford's PCI compliance is based?? I believe the release contains the following statement - "NeXpose will be used to scan devices in Hannaford's networks and at point-of-sale in its 158 retail supermarkets and food and drug stores, ensuring the protection of customers' credit card data and other information." Doesn't seem like it did that, does it?

I wonder what kind of back room deal led to that paragraph. Free license/support for a year?

I liked it better when Rapid7 took down any mention of the relationship. At least then they had some credibility left. Now, any shred of credibility is gone. As far as the NeXpose tool, it's obvious how well it's working - THE USER GOT HACKED.

Unbelievable...

I'm gearing up to present a seminar on vulnerability management for some Federal banking regulators. You'd better believe this whole situation is going to become a doozy of a case study.

Jamie

-----Original Message-----
From: Jackson, Ben (ITD) [mailto:Ben.Jackson at state.ma.us]
Sent: Wednesday, March 19, 2008 12:26 PM
To: Jamie C. Pole; dataloss at attrition.org
Subject: RE: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

[...]

From lyger at attrition.org Wed Mar 19 17:47:20 2008
From: lyger at attrition.org (lyger)
Date: Wed, 19 Mar 2008 17:47:20 +0000 (UTC)
Subject: [Dataloss] MI: Paperwork came from evicted realty company
Message-ID:

http://abclocal.go.com/wjrt/story?section=news/local&id=6029957

The personal information of hundreds of local residents is now out in public view. Social Security numbers and financial records of customers of a Flint-based realty mortgage company have been found in a dumpster.

Affordable Realty occupied office space inside the Ben Agree building on Dort Highway for years. The company was evicted and all of its sensitive customer information ended up outside in a dumpster or on the ground nearby.
[...]

From adam at homeport.org Wed Mar 19 17:46:48 2008
From: adam at homeport.org (Adam Shostack)
Date: Wed, 19 Mar 2008 13:46:48 -0400
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: 
References: <7DF4DA8C-AC21-4B00-B413-51B0119518E9@jcpa.com>
Message-ID: <20080319174648.GB7272@homeport.org>

I agree with you, but I'll go further.

First and foremost, it's generally not that embarrassing. With 900+
incidents in the DLDOS, and 14000 Federal incidents according to the
latest GAO report, it is now clear we have a problem which is beyond
one organization.

Organizations should talk about what went wrong in some level of
detail. New reporting forms, subject to FOIA requests, are already
asking for this. Anonymization prevents in-depth follow-on research.

What we need to do is (1) overcome the perception of embarrassment and
(2) figure out if there's any real risk in publishing more in-depth
information. My expectation is there is not.

(Andrew and I talk about this in some depth in The New School of
Information Security.)

Adam

On Wed, Mar 19, 2008 at 10:45:56AM -0500, Mark Simon wrote:
| The false sense of comfort with various security products is due to the
| lack of transparency concerning breach occurrences. It is the rare case
| where an exploited vulnerability is identified and described in detail
| for the public.
|
| As embarrassing as it may be, we need to share more details about breach
| incidents. Organizations should be encouraged to redact and anonymously
| publish post-incident reports so the public, including other information
| security professionals, can learn about security tools that have failed
| to help TJX and many others prevent or earlier uncover intruder
| activities.
|
| It would also help if trusted organizations, such as US-CERT, would
| provide anonymity and publication facilities allowing organizations to
| report details concerning breach occurrences. Congress passed the
| Communications Decency Act (CDA) in 1996. The Act contains language
| under the heading - Protection for Good Samaritan blocking and screening
| of offensive material - which provides, "No provider or user of an
| interactive computer service shall be treated as the publisher or
| speaker of any information provided by another information content
| provider." CDA 230 further provides that "[n]o cause of action may be
| brought and no liability may be imposed under any State or local law
| that is inconsistent with this section."
|
| So, find a publisher and get publishing.
|
| Mark.
|
| --
| Mark S. Simon, Director of Regulatory Compliance Consulting
| Eclipsecurity, LLC
| Mobile: (224) 612-3101
| Office: (847) 850-5088
| Toll Free: (877) 369-5331
|
| www.eclipsecurityLLC.com
|
| Lock-in success. Because information travels...
|
| The information contained in this message may be CONFIDENTIAL and is for
| the intended addressee only. Any unauthorized use, dissemination of the
| information or copying of this message is prohibited. If you are not the
| intended addressee, please notify the sender immediately and delete this
| message.
|
| -----Original Message-----
| From: dataloss-bounces at attrition.org
| [mailto:dataloss-bounces at attrition.org] On Behalf Of Jamie C. Pole
| Sent: Tuesday, March 18, 2008 8:57 PM
| To: dataloss at attrition.org
| Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
|
| Yup. And does anyone doubt that a company using Qualys would be in the
| same boat?
|
| All of these vendors that sell non-functioning crapware are seriously
| damaging the efficacy of online commerce moving forward. They sell a
| false sense of security. Nothing more. PCI compliance in a box?
| Yeah, right...
|
| Then again, Visa is also very much to blame. Until Visa gets serious
| about PCI compliance and starts certifying expert security
| practitioners, rather than clueless companies with big checkbooks, this
| is just going to keep happening over and over again. Visa should be
| paying expert security practitioners to do PCI compliance assessments,
| rather than having the big consulting companies pay THEM for the
| privilege of saying they are certified to conduct PCI assessments.
|
| All of these automated vulnerability assessment processes achieve the
| same result - they identify only the lowest of the low-hanging fruit.
| Automated tools might identify the exposures that script kiddies are
| looking for, but they most certainly can't identify the exposures that
| motivated and competent hackers are looking for. Show me an automated
| tool that can identify vulnerabilities that are contingent on the
| successful exploit of other vulnerabilities, and I just might change my
| mind. I'm not going to hold my breath, because companies are too
| wrapped up in buying automated scans for $19.99 per host. As we can
| see, they always get exactly what they pay for. What exactly do they
| think they are buying??
|
| What's even worse is that there are "security consultants" running
| around telling the world that they base their entire vulnerability
| assessment offering on some of these useless tools.
|
| Oh, well...
|
| Jamie
|
| On Mar 18, 2008, at 8:53 PM, lyger wrote:
|
| > http://attrition.org/security/rant/z/rapid7.html
| >
| > Tue Mar 18 16:10:57 EST 2008
| > d2d
| >
| > You are a security vendor. You sell the mightiest security doohickey
| > the world has ever seen. It does it all, including "...ensuring your
| > network is safe from hackers..." and amazingly it "...scans for Web
| > site and database vulnerabilities that hackers can use to capture
| > credit card information without you being aware". Since your doohickey
| > does what no others have ever successfully managed to do, you can tout
| > your client list proudly, and pimp your customer implementations
| > liberally.
| >
| > UNTIL...
| >
| > One of your customers joins the etiolated top 10 with a massive hacker
| > perpetrated data loss incident.
| >
| > OUCH.
| >
| > [...]

From Jonathan.Klein at calence.com Wed Mar 19 18:22:14 2008
From: Jonathan.Klein at calence.com (Klein, Jonathan)
Date: Wed, 19 Mar 2008 11:22:14 -0700
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <20080319174648.GB7272@homeport.org>
Message-ID: 

You're not going to get companies to report for one reason: LIABILITY

If corporations report incidents in detail, they could subject
themselves to additional lawsuits or larger plaintiff awards based on
the disclosures. Lawyers could try to use the information to prove gross
negligence on the part of the corporation.
You'd be lucky to get any kind of information about the details of a
breach through legal disclosure, much less through voluntary reporting.

Corporations don't want to be good "netizens." They are in the business
of making money and providing full details about a breach is not in
their best interests and provides them little to no benefit.

Jonathan Klein
Regional Security Director - North Region
Calence, LLC
www.calence.com

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Adam Shostack
Sent: Wednesday, March 19, 2008 1:47 PM
To: Mark Simon
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

I agree with you, but I'll go further.

First and foremost, it's generally not that embarrassing. With 900+
incidents in the DLDOS, and 14000 Federal incidents according to the
latest GAO report, it is now clear we have a problem which is beyond
one organization.

Organizations should talk about what went wrong in some level of
detail. New reporting forms, subject to FOIA requests, are already
asking for this. Anonymization prevents in-depth follow-on research.

What we need to do is (1) overcome the perception of embarrassment and
(2) figure out if there's any real risk in publishing more in-depth
information. My expectation is there is not.

(Andrew and I talk about this in some depth in The New School of
Information Security.)

Adam

On Wed, Mar 19, 2008 at 10:45:56AM -0500, Mark Simon wrote:
| [...]

From k-zelonis at northwestern.edu Wed Mar 19 18:22:34 2008
From: k-zelonis at northwestern.edu (Kim Zelonis)
Date: Wed, 19 Mar 2008 13:22:34 -0500
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <20080319174648.GB7272@homeport.org>
References: <7DF4DA8C-AC21-4B00-B413-51B0119518E9@jcpa.com>
	<20080319174648.GB7272@homeport.org>
Message-ID: <002b01c889ee$33c61360$d1936981@5WD461>

I agree that there are a lot of snake oil salesmen selling security
products nowadays. Their overstated marketing claims prey on fear and
lead to false senses of security. The Rapid 7 marketing is no exception.

However, despite its stronger claims it seems like NeXpose is simply a
scanning and compliance reporting tool. In order for such a tool to be
effective the user must 1) configure the tool properly to include all
appropriate assets and apply the correct rule sets, and 2) fix
vulnerabilities once identified.

It is plausible that Hannaford did not run scans against all their
systems (as implied by the revised press release). Even if they did scan
those systems they might have not reviewed the reports or acted on any
findings.

NeXpose is just a tool. I can't say whether it's a good tool, but even
if it is there is still the need for skilled and informed people using
it.
-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Adam Shostack
Sent: Wednesday, March 19, 2008 12:47 PM
To: Mark Simon
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

I agree with you, but I'll go further.

First and foremost, it's generally not that embarrassing. With 900+
incidents in the DLDOS, and 14000 Federal incidents according to the
latest GAO report, it is now clear we have a problem which is beyond
one organization.

Organizations should talk about what went wrong in some level of
detail. New reporting forms, subject to FOIA requests, are already
asking for this. Anonymization prevents in-depth follow-on research.

What we need to do is (1) overcome the perception of embarrassment and
(2) figure out if there's any real risk in publishing more in-depth
information. My expectation is there is not.

(Andrew and I talk about this in some depth in The New School of
Information Security.)

Adam

On Wed, Mar 19, 2008 at 10:45:56AM -0500, Mark Simon wrote:
| [...]

From adam at homeport.org Wed Mar 19 19:26:39 2008
From: adam at homeport.org (Adam Shostack)
Date: Wed, 19 Mar 2008 15:26:39 -0400
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: References: <20080319174648.GB7272@homeport.org> Message-ID: <20080319192639.GB14619@homeport.org> My understanding is that companies already report, under a plethora of rules, including 1386 and co, SOX, and others. My understanding is also that the liability incurs at the point of breach of duty. I think that the additional risk is small--it's becoming clear to me that current practices are not correlated with breach prevention, and we need more data about what works and what doesn't. Of course, I'm not the one disclosing, so that's easy for me to say. If there's additional risk, then it becomes a public policy discussion of the possible value of data versus the costs and shapes of liability protection for those who disclose. ADam On Wed, Mar 19, 2008 at 11:22:14AM -0700, Klein, Jonathan wrote: | You're not going to get companies to report for one reason: LIABILITY | | If corporations report incidents in detail, they could subject | themselves to additional lawsuits or larger plaintiff awards based on | the disclosures. Lawyers could try to use the information to prove gross | negligence on the part of the corporation. You'd be lucky to get any | kind of information about the details of a breach through legal | disclosure, much less through voluntary reporting. | | Corporations don't want to be good "netizens." They are in the business | of making money and providing full details about a breach is not in | their best interests and provides them little to no benefit. | | Jonathan Klein | Regional Security Director - North Region | Calence, LLC | www.calence.com | | | -----Original Message----- | From: dataloss-bounces at attrition.org | [mailto:dataloss-bounces at attrition.org] On Behalf Of Adam Shostack | Sent: Wednesday, March 19, 2008 1:47 PM | To: Mark Simon | Cc: dataloss at attrition.org | Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy! | | I agree with you, but I'll go further. 
| | First and foremost, it's generally not that embarrassing. With 900+ | incidents in the DLDOS, and 14000 Federal incidents according to the | latest GAO report, it is now clear we have a problem which is beyond | one organization. | | Organizations should talk about what went wrong in some level of | detail. New reporting forms, subject to FOIA requests, are already | asking for this. Anonymization prevents in-depth follow-on research, | | What we need to do is (1) overcome the perception of embarrassment and | (2) figure out if there's any real risk in publishing more in-depth | information. My expectation is there is not. | | (Andrew and I talk about this in some depth in The New School of | Information | Security.) | | Adam | | On Wed, Mar 19, 2008 at 10:45:56AM -0500, Mark Simon wrote: | | The false sense of comfort with various security products is due to | the | | lack of transparency concerning breach occurrences. It is the rare | case | | where an exploited vulnerability is identified and described in detail | | for the public. | | | | As embarrassing as it may be, we need to share more details about | breach | | incidents. Organizations should be encouraged to redact and | anonymously | | publish post-incident reports so the public, including other | information | | security professionals, can learn about security tools that have | failed | | to help TJX and many others prevent or earlier uncover intruder | | activities. | | | | It would also help if trusted organizations, such as US-CERT, would | | provide anonymity and publication facilities allowing organizations to | | report details concerning breach occurrences. Congress passed the | | Communications Decency Act (CDA) in 1996. 
The Act contains language | | under the heading - Protection for Good Samaritan blocking and | screening | | of offensive material - which provides, "No provider or user of an | | interactive computer service shall be treated as the publisher or | | speaker of any information provided by another information content | | provider." CDA 230 further provides that "[n]o cause of action may be | | brought and no liability may be imposed under any State or local law | | that is inconsistent with this section." | | | | So, find a publisher and get publishing. | | | | Mark. | | | | -- | | Mark S. Simon, Director of Regulatory Compliance Consulting | | Eclipsecurity, LLC | | Mobile: (224) 612-3101 | | Office: (847) 850-5088 | | Toll Free: (877) 369-5331 | | | | www.eclipsecurityLLC.com | | | | | | Lock-in success. Because information travels... | | | | | | The information contained in this message may be CONFIDENTIAL and is | for | | the intended addressee only. Any unauthorized use, dissemination of | the | | information or copying of this message is prohibited. If you are not | the | | intended addressee, please notify the sender immediately and delete | this | | message. | | | | | | | | | | -----Original Message----- | | From: dataloss-bounces at attrition.org | | [mailto:dataloss-bounces at attrition.org] On Behalf Of Jamie C. Pole | | Sent: Tuesday, March 18, 2008 8:57 PM | | To: dataloss at attrition.org | | Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy! | | | | | | Yup. And does anyone doubt that a company using Qualys would be in | the | | same boat? | | | | All of these vendors that sell non-functioning crapware are seriously | | damaging the efficacy of online commerce moving forward. They sell a | | | false sense of security. Nothing more. PCI compliance in a box? | | Yeah, right... | | | | Then again, Visa is also very much to blame. 
| | Until Visa gets serious about PCI compliance and starts certifying expert security practitioners, rather than clueless companies with big checkbooks, this is just going to keep happening over and over again. Visa should be paying expert security practitioners to do PCI compliance assessments, rather than having the big consulting companies pay THEM for the privilege of saying they are certified to conduct PCI assessments.
| |
| | All of these automated vulnerability assessment processes achieve the same result - they identify only the lowest of the low-hanging fruit. Automated tools might identify the exposures that script kiddies are looking for, but they most certainly can't identify the exposures that motivated and competent hackers are looking for. Show me an automated tool that can identify vulnerabilities that are contingent on the successful exploit of other vulnerabilities, and I just might change my mind. I'm not going to hold my breath, because companies are too wrapped up in buying automated scans for $19.99 per host. As we can see, they always get exactly what they pay for. What exactly do they think they are buying??
| |
| | What's even worse is that there are "security consultants" running around telling the world that they base their entire vulnerability assessment offering on some of these useless tools.
| |
| | Oh, well...
| |
| | Jamie
| |
| | On Mar 18, 2008, at 8:53 PM, lyger wrote:
| |
| | > http://attrition.org/security/rant/z/rapid7.html
| | >
| | > Tue Mar 18 16:10:57 EST 2008
| | > d2d
| | >
| | > You are a security vendor. You sell the mightiest security doohickey the world has ever seen. It does it all, including "...ensuring your network is safe from hackers..." and amazingly it "...scans for Web site and database vulnerabilities that hackers can use to capture credit card information without you being aware". Since your doohickey does what no others have ever successfully managed to do, you can tout your client list proudly, and pimp your customer implementations liberally.
| | >
| | > UNTIL...
| | >
| | > One of your customers joins the etiolated top 10 with a massive hacker perpetrated data loss incident.
| | >
| | > OUCH.
| | >
| | > [...]
| | > _______________________________________________
| | > Dataloss Mailing List (dataloss at attrition.org)
| | > http://attrition.org/dataloss
| | >
| | > Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
| | > http://www.tenablesecurity.com/products/compliance.shtml

From Jonathan.Klein at calence.com Wed Mar 19 19:33:35 2008
From: Jonathan.Klein at calence.com (Klein, Jonathan)
Date: Wed, 19 Mar 2008 12:33:35 -0700
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <20080319192639.GB14619@homeport.org>
Message-ID:

Companies have to report the breach, but not the exact circumstances that led to the breach.

On the public policy issue, I agree. If you want companies to disclose the exact circumstances around a breach (exact technical details), there will have to be a shield that prevents plaintiffs' attorneys from using the information in lawsuits. Corporate lawyers will be very reluctant to release any information about a breach beyond the minimum required by law.

Jonathan Klein
Regional Security Director - North Region
Calence, LLC
Main Phone: 646.428.1431
Cell Phone: 732.977.1280
Fax: 646.428.1414
One Penn Plaza, 36th Floor
New York, NY 10119
www.calence.com
Cisco Global Channel Partner of the Year - US/Canada

-----Original Message-----
From: Adam Shostack [mailto:adam at homeport.org]
Sent: Wednesday, March 19, 2008 3:27 PM
To: Klein, Jonathan
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

My understanding is that companies already report, under a plethora of rules, including 1386 and co, SOX, and others. My understanding is also that the liability incurs at the point of breach of duty.
I think that the additional risk is small--it's becoming clear to me that current practices are not correlated with breach prevention, and we need more data about what works and what doesn't. Of course, I'm not the one disclosing, so that's easy for me to say. If there's additional risk, then it becomes a public policy discussion of the possible value of data versus the costs and shapes of liability protection for those who disclose.

Adam

On Wed, Mar 19, 2008 at 11:22:14AM -0700, Klein, Jonathan wrote:
| You're not going to get companies to report for one reason: LIABILITY
|
| If corporations report incidents in detail, they could subject themselves to additional lawsuits or larger plaintiff awards based on the disclosures. Lawyers could try to use the information to prove gross negligence on the part of the corporation. You'd be lucky to get any kind of information about the details of a breach through legal disclosure, much less through voluntary reporting.
|
| Corporations don't want to be good "netizens." They are in the business of making money and providing full details about a breach is not in their best interests and provides them little to no benefit.
|
| Jonathan Klein
| Regional Security Director - North Region
| Calence, LLC
| www.calence.com
|
| -----Original Message-----
| From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Adam Shostack
| Sent: Wednesday, March 19, 2008 1:47 PM
| To: Mark Simon
| Cc: dataloss at attrition.org
| Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
|
| I agree with you, but I'll go further.
|
| First and foremost, it's generally not that embarrassing. With 900+ incidents in the DLDOS, and 14000 Federal incidents according to the latest GAO report, it is now clear we have a problem which is beyond one organization.
|
| Organizations should talk about what went wrong in some level of detail. New reporting forms, subject to FOIA requests, are already asking for this. Anonymization prevents in-depth follow-on research,
|
| What we need to do is (1) overcome the perception of embarrassment and (2) figure out if there's any real risk in publishing more in-depth information. My expectation is there is not.
|
| (Andrew and I talk about this in some depth in The New School of Information Security.)
|
| Adam
|
| On Wed, Mar 19, 2008 at 10:45:56AM -0500, Mark Simon wrote:
| | The false sense of comfort with various security products is due to the lack of transparency concerning breach occurrences. It is the rare case where an exploited vulnerability is identified and described in detail for the public.
| |
| | As embarrassing as it may be, we need to share more details about breach incidents. Organizations should be encouraged to redact and anonymously publish post-incident reports so the public, including other information security professionals, can learn about security tools that have failed to help TJX and many others prevent or earlier uncover intruder activities.
| |
| | It would also help if trusted organizations, such as US-CERT, would provide anonymity and publication facilities allowing organizations to report details concerning breach occurrences. Congress passed the Communications Decency Act (CDA) in 1996. The Act contains language under the heading - Protection for Good Samaritan blocking and screening of offensive material - which provides, "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." CDA 230 further provides that "[n]o cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section."
| |
| | So, find a publisher and get publishing.
| |
| | Mark.
| |
| | --
| | Mark S. Simon, Director of Regulatory Compliance Consulting
| | Eclipsecurity, LLC
| | Mobile: (224) 612-3101
| | Office: (847) 850-5088
| | Toll Free: (877) 369-5331
| |
| | www.eclipsecurityLLC.com
| |
| | Lock-in success. Because information travels...
| |
| | The information contained in this message may be CONFIDENTIAL and is for the intended addressee only. Any unauthorized use, dissemination of the information or copying of this message is prohibited. If you are not the intended addressee, please notify the sender immediately and delete this message.
| |
| | -----Original Message-----
| | From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Jamie C. Pole
| | Sent: Tuesday, March 18, 2008 8:57 PM
| | To: dataloss at attrition.org
| | Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
| |
| | Yup. And does anyone doubt that a company using Qualys would be in the same boat?
| |
| | All of these vendors that sell non-functioning crapware are seriously damaging the efficacy of online commerce moving forward. They sell a false sense of security. Nothing more. PCI compliance in a box? Yeah, right...
| |
| | Then again, Visa is also very much to blame. Until Visa gets serious about PCI compliance and starts certifying expert security practitioners, rather than clueless companies with big checkbooks, this is just going to keep happening over and over again. Visa should be paying expert security practitioners to do PCI compliance assessments, rather than having the big consulting companies pay THEM for the privilege of saying they are certified to conduct PCI assessments.
| |
| | All of these automated vulnerability assessment processes achieve the same result - they identify only the lowest of the low-hanging fruit. Automated tools might identify the exposures that script kiddies are looking for, but they most certainly can't identify the exposures that motivated and competent hackers are looking for. Show me an automated tool that can identify vulnerabilities that are contingent on the successful exploit of other vulnerabilities, and I just might change my mind. I'm not going to hold my breath, because companies are too wrapped up in buying automated scans for $19.99 per host. As we can see, they always get exactly what they pay for. What exactly do they think they are buying??
| |
| | What's even worse is that there are "security consultants" running around telling the world that they base their entire vulnerability assessment offering on some of these useless tools.
| |
| | Oh, well...
| |
| | Jamie
| |
| | On Mar 18, 2008, at 8:53 PM, lyger wrote:
| |
| | > http://attrition.org/security/rant/z/rapid7.html
| | >
| | > Tue Mar 18 16:10:57 EST 2008
| | > d2d
| | >
| | > You are a security vendor. You sell the mightiest security doohickey the world has ever seen. It does it all, including "...ensuring your network is safe from hackers..." and amazingly it "...scans for Web site and database vulnerabilities that hackers can use to capture credit card information without you being aware". Since your doohickey does what no others have ever successfully managed to do, you can tout your client list proudly, and pimp your customer implementations liberally.
| | >
| | > UNTIL...
| | >
| | > One of your customers joins the etiolated top 10 with a massive hacker perpetrated data loss incident.
| | >
| | > OUCH.
| | >
| | > [...]

From lyger at attrition.org Wed Mar 19 22:25:16 2008
From: lyger at attrition.org (lyger)
Date: Wed, 19 Mar 2008 22:25:16 +0000 (UTC)
Subject: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
Message-ID:

http://sev.prnewswire.com/supermarkets/20080319/DC1720519032008-1.html

On March 19, 2008, the law firm of Berger & Montague, PC (http://www.bergermontague.com) filed a class action suit in the U.S. District Court for the District of Maine on behalf of all consumers in the United States whose credit card or debit card data was stolen from the computer network of Hannaford Brothers Co. ("Hannaford") supermarkets.

The complaint alleges that Hannaford was negligent for failing to maintain adequate computer data security of customer credit and debit card data, which was accessed and stolen by a computer hacker.

On March 17, 2008, Hannaford announced on its website that there was a "data intrusion into its computer network that resulted in the theft of consumer credit and debit card numbers." The stolen data included "credit and debit card numbers and expiration dates," which were accessed from Hannaford's computer system "during transmission of card authorization." The intrusion affected all Hannaford stores located throughout the North Eastern U.S., as well as Sweetbay stores in Florida.

Published news reports indicated that 4.2 million unique credit and debit card numbers have been exposed to potential fraud. To date, there have been approximately 1,800 cases of reported credit and debit card fraud stemming from the breach.

[...]

From msimon at creationlogic.com Wed Mar 19 22:47:11 2008
From: msimon at creationlogic.com (Mike Simon)
Date: Wed, 19 Mar 2008 22:47:11 +0000
Subject: [Dataloss] Consumers of Hannaford Brothers Co.
Supermarkets File Class Action Suit
In-Reply-To:
References:
Message-ID: <1708865911-1205966793-cardhu_decombobulator_blackberry.rim.net-1757658085-@bxe130.bisx.prod.on.blackberry>

This could not be a better example of why companies hesitate to disclose details. If this law firm is on the ball, they will get access to the exchange with Rapid7 which, according to the press release changes, indicates potential additional negligence in that they had a tool that may have prevented this problem and failed to use it properly. Not a helpful disclosure for Hannaford with respect to the class action.

Mike

-----Original Message-----
From: lyger
Date: Wed, 19 Mar 2008 22:25:16
To: dataloss at attrition.org
Subject: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit

http://sev.prnewswire.com/supermarkets/20080319/DC1720519032008-1.html

[...]

From jpole at jcpa.com Thu Mar 20 00:40:52 2008
From: jpole at jcpa.com (Jamie C. Pole)
Date: Wed, 19 Mar 2008 20:40:52 -0400
Subject: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
In-Reply-To: <1708865911-1205966793-cardhu_decombobulator_blackberry.rim.net-1757658085-@bxe130.bisx.prod.on.blackberry>
References: <1708865911-1205966793-cardhu_decombobulator_blackberry.rim.net-1757658085-@bxe130.bisx.prod.on.blackberry>
Message-ID: <002101c88a23$0d3b07c0$27b11740$@com>

Let's also consider the possibility that Hannaford WAS using the tool correctly, and that it just didn't work as advertised.

As far as the law firm being on the ball, trust me, they are. I know this firm well, and they will absolutely include Rapid7 in their discovery process. If I was senior management at Rapid7, I would NOT be sleeping well right now.

The kiss of death in this case is going to be the fact that there have been around 1800 reported cases of fraud stemming from the incident. This was not an accident.

Jamie

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Mike Simon
Sent: Wednesday, March 19, 2008 6:47 PM
To: lyger; dataloss-bounces at attrition.org; dataloss at attrition.org
Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co.
Supermarkets File Class Action Suit

[...]

From msimon at creationlogic.com Thu Mar 20 00:58:04 2008
From: msimon at creationlogic.com (Mike Simon)
Date: Wed, 19 Mar 2008 17:58:04 -0700
Subject: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
In-Reply-To: <002101c88a23$0d3b07c0$27b11740$@com>
References: <1708865911-1205966793-cardhu_decombobulator_blackberry.rim.net-1757658085-@bxe130.bisx.prod.on.blackberry> <002101c88a23$0d3b07c0$27b11740$@com>
Message-ID: <25d3931b0803191758w65e3e5advc9e4e4bb7552c484@mail.gmail.com>

I think you're right in also considering that the product was used correctly and just not up to the task, which raises an interesting but possibly off-topic question in my mind.

If Rapid7 falsely attributes the incident to mis-use of their product in a public forum (the press release), essentially increasing the potential liability of Hannaford, it seems like Hannaford might have a cause of action against Rapid7. The cause of action is unrelated to the performance of their product, which I'm sure is well protected by the license agreement, but instead related to (potentially) false and (potentially) damaging statements about Hannaford's security practices.

It seems to me that the statement in the revised press release has no real upside for Rapid7 true _or_ false. As someone stated earlier in this thread, they should have withdrawn the press release from their web site and taken their lumps.

I'm certainly not a lawyer, and have NO knowledge of the incident, truthfulness of the subsequent Rapid7 disclaimers or really anything at all. This is intended as a discussion of hypothetical outcomes.

Mike

On Wed, Mar 19, 2008 at 5:40 PM, Jamie C. Pole wrote:
> [...]

From sromanos at andrew.cmu.edu Thu Mar 20 01:05:21 2008
From: sromanos at andrew.cmu.edu (Sasha Romanosky)
Date: Wed, 19 Mar 2008 21:05:21 -0400
Subject: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
In-Reply-To: <002101c88a23$0d3b07c0$27b11740$@com>
Message-ID: <005501c88a26$78bc5d20$29eaed80@sribm>

Well, careful. If victims need to demonstrate actual financial loss, fraudulent charges covered by the credit card company may not be considered.

That being said, let's look at what we know about ChoicePoint:

- Fined $10M by FTC for violating fair credit reporting act, and $5M trust fund for consumer redress,
- $500k toward public education campaigns about identity theft
- Paid $500k for state legal fees
- $10M shareholder lawsuit

For a total of $26M (from around 160k records)

So the claim of 1800 reported cases of identity theft (which may or may not have resulted in actual loss) may be the least of their worries.

cheers,
sasha

> -----Original Message-----
> From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Jamie C. Pole
> Sent: Wednesday, March 19, 2008 8:41 PM
> To: dataloss-bounces at attrition.org; dataloss at attrition.org
> Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
>
> [...]

From jpole at jcpa.com Thu Mar 20 02:05:05 2008
From: jpole at jcpa.com (Jamie C. Pole)
Date: Wed, 19 Mar 2008 22:05:05 -0400
Subject: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
References:
Message-ID: <6581EA59-FE73-48D9-AB36-0F66A1F20C9E@jcpa.com>

Agreed, but many of the 4.2 million compromised card numbers will be re-issued anyway, even if there was no fraudulent activity associated with the account. There is most definitely a cost associated with those re-issues, and I can promise that Hannaford (and any other party involved in the breach) will be made to bear much, if not all, of that cost.

My original point was that this was not a simple case of some script kiddie (maybe Mitnick is having a relapse?) accidentally breaching a system with a poor security posture. Most of those cases never result in financial fraud because the perpetrator either didn't realize what he/she accessed, or just wasn't looking for credit card numbers. This case is different because there have already been cases of financial fraud with credit card numbers stolen from Hannaford.
And I FIRMLY believe that whatever organization signed off on Hannaford's PCI compliance bears part of the responsibility.

Jamie

On Mar 19, 2008, at 9:05 PM, Sasha Romanosky wrote:

> [...]

From hbrown at knology.net Thu Mar 20 11:46:16 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 20 Mar 2008 06:46:16 -0500
Subject: [Dataloss] voter registration data exposed in PA
Message-ID: <47E24E88.6020403@knology.net>

From Infoworld.com
http://tinyurl.com/27naw5

With voting in Pennsylvania's presidential primary just a month away, the state was forced to pull the plug on a voter registration Web site Tuesday after it was found to be exposing sensitive data about voters in the state.

The problem lay in an online voter registration application form that was designed to simplify the task of registering to vote.
State residents used it to enter their information on the Web site, which then generated a printable form that could be mailed to state election officials.

Pennsylvania's Department of State disabled the registration form late Tuesday after being informed of the vulnerability by IDG News Service.

Because of a Web programming error, the Web site was allowing anyone on the Internet to view the forms, which contained data such as the voter's name, date of birth, driver's license number, and political party affiliation. On some forms, the last four digits of Social Security numbers could also be seen.

[...]

The bug did not expose all registration data, just the information supplied by those who used the Web site's online form. About 30,000 voter registration records appeared to be available on the site.

[...]

From auer.daniel at gmail.com Thu Mar 20 14:04:23 2008
From: auer.daniel at gmail.com (Daniel Auer)
Date: Thu, 20 Mar 2008 15:04:23 +0100
Subject: [Dataloss] German government says 500 computers were lost or stolen in three years
Message-ID: <6b91b73d0803200704p78bafc98m1111bb04d52e97fb@mail.gmail.com>

FRANKFURT (Thomson Financial) - The German government said about 500 of its computers were either misplaced or stolen in various administrative departments over the last three years, prompting calls from the opposition for better data protection for citizens.

"This requires clarification," said Carl-Ludwig Thiele, the deputy parliamentary-group leader of the opposition FDP party, which had lodged the initial request for the number of lost computers with the government.

A spokeswoman for the German interior ministry said that sensitive information on citizens cannot be retrieved from stolen computers because they are protected by a security software.

http://www.cnbc.com/id/23722559/for/cnbc

From allan_friedman at ksgphd.harvard.edu Thu Mar 20 15:13:08 2008
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Thu, 20 Mar 2008 10:13:08 -0500
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To:
References: <20080319192639.GB14619@homeport.org>
Message-ID: <686cc62f0803200813q459f6e44j67e2a71c3919837@mail.gmail.com>

> On the public policy issue, I agree. If you want companies to disclose the exact circumstances around a breach (exact technical details), there will have to be a shield that prevents plaintiffs' attorneys from using the information in lawsuits.

You highlight an interesting trade-off. It may be the case that more disclosure would reduce incentives to prevent future breaches, depending on how we understand the problem. A standard policy tool for enforcing maximum diligence is the threat of lawsuits, massive ones that can wreck a corporation. If we follow this liability argument (as advanced by Schneier and other scholars of the economics of information security) then making concessions to corporate defendants can impede the end goal of less data retention and greater data protection.

If we don't think we're ever going to get there, then more data about breaches for the purposes of research is clearly the greater good.

This is a very interesting dynamic. I'll have to think about how to model it...

Allan Friedman
PhD Candidate, Public Policy
Kennedy School of Government
Fellow, Center for Research in Computation and Society
School of Engineering and Applied Sciences
Harvard University

From adam at homeport.org Thu Mar 20 17:59:02 2008
From: adam at homeport.org (Adam Shostack)
Date: Thu, 20 Mar 2008 13:59:02 -0400
Subject: [Dataloss] Consumers of Hannaford Brothers Co.
Supermarkets FileClass Action Suit In-Reply-To: <1708865911-1205966793-cardhu_decombobulator_blackberry.rim.net-1757658085-@bxe130.bisx.prod.on.blackberry> References: <1708865911-1205966793-cardhu_decombobulator_blackberry.rim.net-1757658085-@bxe130.bisx.prod.on.blackberry> Message-ID: <20080320175901.GA32576@homeport.org> So I understand and sympathize with what you're saying. At the same time, they are legally mandated to disclose, and a large disclosure is likely to trigger a lawsuit and discovery. That's the society in which we live. It seems that shaping the news might well make more sense. I'm influenced here by Barbara Kellerman's "When Should a Leader Apologize and When Not?," (Harvard Business Review, April 2006.) which is well worth reading. Adam On Wed, Mar 19, 2008 at 10:47:11PM +0000, Mike Simon wrote: | This could not be a better example of why companies hesitate to disclose details. If this lawfirm is on the ball. They will get access to the exchange with Rapid7 which, according to the press release changes, indicates potential additional negligence in that the had a tool that may have prevented this problem and failed to use it properly. Not a helpful disclosure for Hannaford with respect to the class action. | | Mike | -----Original Message----- | From: lyger | | Date: Wed, 19 Mar 2008 22:25:16 | To:dataloss at attrition.org | Subject: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File | Class Action Suit | | | | http://sev.prnewswire.com/supermarkets/20080319/DC1720519032008-1.html | | On March 19, 2008, the law firm of Berger & Montague, PC | (http://www.bergermontague.com) filed a class action suit in the U.S. | District Court for the District of Maine on behalf of all consumers in the | United States whose credit card or debit card data was stolen from the | computer network of Hannaford Brothers Co. ("Hannaford") supermarkets. 
| | The complaint alleges that Hannaford was negligent for failing to maintain | adequate computer data security of customer credit and debit card data, | which was accessed and stolen by a computer hacker. | | On March 17, 2008, Hannaford announced on its website that there was a | "data intrusion into its computer network that resulted in the theft of | consumer credit and debit card numbers." The stolen data included "credit | and debit card numbers and expiration dates," which were accessed from | Hannaford's computer system "during transmission of card authorization." | The intrusion affected all Hannaford stores located throughout the North | Eastern U.S., as well as Sweetbay stores in Florida. | | Published news reports indicated that 4.2 million unique credit and debit | card numbers have been exposed to potential fraud. To date, there have | been approximately 1,800 cases of reported credit and debit card fraud | stemming from the breach. | | [...] | _______________________________________________ | Dataloss Mailing List (dataloss at attrition.org) | http://attrition.org/dataloss | | Tenable Network Security offers data leakage and compliance monitoring | solutions for large and small networks. Scan your network and monitor your | traffic to find the data needing protection before it leaks out! | http://www.tenablesecurity.com/products/compliance.shtml | _______________________________________________ | Dataloss Mailing List (dataloss at attrition.org) | http://attrition.org/dataloss | | Tenable Network Security offers data leakage and compliance monitoring | solutions for large and small networks. Scan your network and monitor your | traffic to find the data needing protection before it leaks out! | http://www.tenablesecurity.com/products/compliance.shtml From adam at homeport.org Thu Mar 20 18:08:24 2008 From: adam at homeport.org (Adam Shostack) Date: Thu, 20 Mar 2008 14:08:24 -0400 Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy! 
In-Reply-To: <686cc62f0803200813q459f6e44j67e2a71c3919837@mail.gmail.com>
References: <20080319192639.GB14619@homeport.org> <686cc62f0803200813q459f6e44j67e2a71c3919837@mail.gmail.com>
Message-ID: <20080320180823.GD32576@homeport.org>

On Thu, Mar 20, 2008 at 10:13:08AM -0500, Allan Friedman wrote:
| [...]
|
| If we don't think we're ever going to get there, then more data about
| breaches for the purposes of research is clearly the greater good.
| This is a very interesting dynamic. I'll have to think about how to
| model it...

For this policy to be effective, costs must be aligned with a failure to take effective measures. Today, we lack the data to assess how effective various 'best practices' or standards are. Gene Kim and company have done work showing that a few parts of COBIT are key, and others are not correlated with the outcomes they studied. (There's a CERIAS talk video you can find.) There are claims that Hannaford was PCI compliant. Shouldn't that have made them secure?

So lawsuits today are random. With better data, we may be able to better attribute blame. Perhaps this shapes a temporary liability shield, with a goal of revisiting it later, or allowing case law to shape it for a while?

Adam

From msimon at creationlogic.com Thu Mar 20 18:25:20 2008
From: msimon at creationlogic.com (Mike Simon)
Date: Thu, 20 Mar 2008 11:25:20 -0700
Subject: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
In-Reply-To: <1206019023.5790.18.camel@MYTUX>
References: <1708865911-1205966793-cardhu_decombobulator_blackberry.rim.net-1757658085-@bxe130.bisx.prod.on.blackberry> <002101c88a23$0d3b07c0$27b11740$@com> <25d3931b0803191758w65e3e5advc9e4e4bb7552c484@mail.gmail.com> <1206019023.5790.18.camel@MYTUX>
Message-ID: <25d3931b0803201125y2ef99386m550b2b064a763e93@mail.gmail.com>

I've been quiet on the topic of certification, compliance and fault based on these ideas so far, but I'm hearing some pretty strong statements that I have problems with.

The idea that a certification or endorsement of compliance to a standard of protection should make the certifying body responsible if data is subsequently lost seems a bit harsh considering that the certifying agency had no control of the operation of the compromised systems after they did their testing. Essentially certification/compliance typically shows that at a specific point in time the system met certain conditions - nothing more. If the testing was never done, or it was done and the results falsified, that's one thing. Holding the auditors responsible for all system behavior after that point in time is hard to fathom.

For me, that points to an increased need to audit IT practices in some kind of continuous improvement loop (CMM level 5) rather than trying to hang auditors out to dry every time someone misconfigures their firewall a few weeks after the last audit.
To answer your question, I would hold Visa responsible if they had anything to do with falsely certifying conditions at Hannaford to be safe, but not for putting in place a mechanism designed to improve the overall stance of their partners and not somehow making it perfect.

On Thu, Mar 20, 2008 at 6:17 AM, Rodney wrote:
>
> Wouldn't you include Visa in the discovery if they certified Rapid7? I use
> PayPal as my gateway and if anything ever happened I would sing names like
> a canary.
>
> Rodney Wise
>
> South East Ostrich Supply
> http://www.seostrich.com
> (803) 741-5636
>
> On Wed, 2008-03-19 at 17:58 -0700, Mike Simon wrote:
>
> I think you're right in also considering that the product was used
> correctly and just not up to the task, which raises an interesting but
> possibly off-topic question in my mind. If Rapid7 falsely attributes
> the incident to mis-use of their product in a public forum (the press
> release), essentially increasing the potential liability of Hannaford,
> it seems like Hannaford might have a cause of action against Rapid7.
> The cause of action is unrelated to the performance of their product,
> which I'm sure is well protected by the license agreement, but instead
> related to (potentially) false and (potentially) damaging statements
> about Hannaford's security practices.
>
> It seems to me that the statement in the revised press release has no
> real upside for Rapid7 true _or_ false. As someone stated earlier in
> this thread, they should have withdrawn the press release from their
> web site and taken their lumps.
>
> I'm certainly not a lawyer, and have NO knowledge of the incident,
> truthfulness of the subsequent Rapid7 disclaimers or really anything
> at all. This is intended as a discussion of hypothetical outcomes.
>
> Mike
>
> On Wed, Mar 19, 2008 at 5:40 PM, Jamie C. Pole wrote:
> >
> > Let's also consider the possibility the Hannaford WAS using the tool
> > correctly, and that it just didn't work as advertised.
> >
> > As far as the law firm being on the ball, trust me, they are. I know this
> > firm well, and they will absolutely include Rapid7 in their discovery
> > process. If I was senior management at Rapid7, I would NOT be sleeping well
> > right now.
> >
> > The kiss of death in this case is going to be the fact that there have been
> > around 1800 reported cases of fraud stemming from the incident. This was
> > not an accident.
> >
> > Jamie
> >
> > -----Original Message-----
> > From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
> > On Behalf Of Mike Simon
> > Sent: Wednesday, March 19, 2008 6:47 PM
> > To: lyger; dataloss-bounces at attrition.org; dataloss at attrition.org
> > Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
> >
> > [...]

From ewhite at avrenter.com Thu Mar 20 19:22:29 2008
From: ewhite at avrenter.com (Edward White)
Date: Thu, 20 Mar 2008 15:22:29 -0400
Subject: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
References: <1708865911-1205966793-cardhu_decombobulator_blackberry.rim.net-1757658085-@bxe130.bisx.prod.on.blackberry> <002101c88a23$0d3b07c0$27b11740$@com> <25d3931b0803191758w65e3e5advc9e4e4bb7552c484@mail.gmail.com> <1206019023.5790.18.camel@MYTUX> <25d3931b0803201125y2ef99386m550b2b064a763e93@mail.gmail.com>
Message-ID: <361C9E2A6FE55842BA9A883952C3DC8C6534A1@mail1.avrenter.com>

There ought to be a law that retailers are not allowed to strip the personal data from debit and credit cards when they pass through their systems to the credit card companies. If a customer volunteers their mailing information, that is one thing, but there is a whole market behind the scenes in the retail industry whereby personal information of their clients is bought and sold. This is done supposedly so the retailers can better address their target markets. If the retailers did not have the info, there would be no data to breach. This is the first measure to protect consumers; there are many others, but I do not have the time to go into them right now.

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Mike Simon
Sent: Thursday, March 20, 2008 2:25 PM
To: Rodney
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit

I've been quiet on the topic of certification, compliance and fault based on these ideas so far, but I'm hearing some pretty strong statements that I have problems with.
[...]

From james_ritchie at sbcglobal.net Thu Mar 20 20:44:15 2008
From: james_ritchie at sbcglobal.net (James Ritchie, CISA, QSA)
Date: Thu, 20 Mar 2008 16:44:15 -0400
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <20080320180823.GD32576@homeport.org>
References: <20080319192639.GB14619@homeport.org> <686cc62f0803200813q459f6e44j67e2a71c3919837@mail.gmail.com> <20080320180823.GD32576@homeport.org>
Message-ID: <47E2CC9F.5020903@sbcglobal.net>

Being compliant does not mean being secure and being secure does not mean being compliant. What most people forget with all the compliance is that constant vigilance must be maintained.
Does that mean daily, weekly, monthly, quarterly, or annually you have to verify that the controls are working appropriately? What I think will be the outcome is that if appropriate due diligence and due care can be shown as fact, the liability will be reduced or eliminated. They will compare the actions taken with those of similar-size companies to see if what they had done was appropriate. To make any company 100% secure, the cost of security would be so prohibitive the company would be bankrupt. There has to be a balance and reasonable effort shown.

Adam Shostack wrote:
> [...]

--
James Ritchie
CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
Linkedin http://www.linkedin.com/pub/1/b89/433

From ADAIL at sunocoinc.com Thu Mar 20 20:50:56 2008
From: ADAIL at sunocoinc.com (DAIL, WILLARD A)
Date: Thu, 20 Mar 2008 16:50:56 -0400
Subject: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
In-Reply-To: <361C9E2A6FE55842BA9A883952C3DC8C6534A1@mail1.avrenter.com>
Message-ID:

Wait, are you saying the personal information should be stored with the transaction information? The card brands and issuers basically require the merchant to store the PAN for a period after the sale in order to investigate chargebacks. Most companies strip away any personally identifiable information and store the PAN along with the sale information in order to reduce the amount of data being stored. Certainly we wouldn't want to increase the data merchants are required to store?

In most cases, when you hear of a company storing too much information, it wasn't because they were actually doing anything with it, it's because their payment systems are so old the original currency accepted was "wampum" shells, and the merchant is too cheap or uninformed to make any changes. A few merchants do mine data, but most only store the credit card information because the issuers will make them "eat" a chargeback if they do not have the sales record. Merchants could agree to accept that charge and store nothing, but the prices of goods will simply increase to cover the reduced margins. Alternatively, the issuers could implement chargeback procedures that didn't require the merchants to store data the settlement providers don't want to store.

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Edward White
Sent: Thursday, March 20, 2008 2:22 PM
To: Mike Simon
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit

[...]

From rwise29210 at gmail.com Thu Mar 20 20:51:43 2008
From: rwise29210 at gmail.com (Rodney)
Date: Thu, 20 Mar 2008 16:51:43 -0400
Subject: [Dataloss] Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit
In-Reply-To: <25d3931b0803191758w65e3e5advc9e4e4bb7552c484@mail.gmail.com>
References: <1708865911-1205966793-cardhu_decombobulator_blackberry.rim.net-1757658085-@bxe130.bisx.prod.on.blackberry> <002101c88a23$0d3b07c0$27b11740$@com> <25d3931b0803191758w65e3e5advc9e4e4bb7552c484@mail.gmail.com>
Message-ID: <1206046304.5790.59.camel@MYTUX>

Let's not forget the Hacker Safe Seal from CA.
Again, it is automated and the breach that occurred is real, but how many websites had the test run and said "OMG" and then acted on the report? Wal-Mart is in business for a reason: low prices. If you need a solution that will make you better off from taking it than you were before, shouldn't you do this? I agree it should be a starting point, not an "end all do all" finish, but automated system scans can, if used properly, stop SOME of the attempts to hack into networks.

Visa is not protecting the networks. Lawyers don't protect networks. CSOs can protect networks ONLY if the infrastructure of the corporation will let them... yea right, like that happens every day. Who is really capable of guarding the fort of our identities? Government with the "Real (hackable) RFID"? I don't know. In whom should we trust? I am just a student studying Computer Network Security, but the whole system seems "wacked out" to me. When the computer stops functioning properly, isn't it time to reboot? Can this system be rebooted?

Rodney Wise
South East Ostrich Supply
http://www.seostrich.com

On Wed, 2008-03-19 at 17:58 -0700, Mike Simon wrote:
> I think you're right in also considering that the product was used
> correctly and just not up to the task, which raises an interesting but
> possibly off-topic question in my mind. If Rapid7 falsely attributes
> the incident to mis-use of their product in a public forum (the press
> release), essentially increasing the potential liability of Hannaford,
> it seems like Hannaford might have a cause of action against Rapid7.
> The cause of action is unrelated to the performance of their product,
> which I'm sure is well protected by the license agreement, but instead
> related to (potentially) false and (potentially) damaging statements
> about Hannaford's security practices.
>
> It seems to me that the statement in the revised press release has no
> real upside for Rapid7 true _or_ false.
> As someone stated earlier in
> this thread, they should have withdrawn the press release from their
> web site and taken their lumps.
>
> I'm certainly not a lawyer, and have NO knowledge of the incident,
> truthfulness of the subsequent Rapid7 disclaimers or really anything
> at all. This is intended as a discussion of hypothetical outcomes.
>
> Mike
From adam at homeport.org Thu Mar 20 21:21:25 2008
From: adam at homeport.org (Adam Shostack)
Date: Thu, 20 Mar 2008 17:21:25 -0400
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <47E2CC9F.5020903@sbcglobal.net>
References: <20080319192639.GB14619@homeport.org> <686cc62f0803200813q459f6e44j67e2a71c3919837@mail.gmail.com> <20080320180823.GD32576@homeport.org> <47E2CC9F.5020903@sbcglobal.net>
Message-ID: <20080320212124.GK32576@homeport.org>

On Thu, Mar 20, 2008 at 04:44:15PM -0400, James Ritchie, CISA, QSA wrote:
| Being compliant does not mean being secure and being secure does not
| mean being compliant. What most people forget with all the compliance
| is that constant vigilance must be maintained. Does that mean daily,
| weekly, monthly, quarterly, or annually that you have to verify that the
| controls are working appropriately? What I think will be the outcome is
| if appropriate due diligence and due care can be shown as fact, the
| liability will be reduced or eliminated.
| They will compare the actions
| taken with those of similar-size companies to see if what they had done was
| appropriate. To make any company 100% secure, the cost of security would
| be so prohibitive, the company would be bankrupt. There has to be a
| balance and reasonable effort shown.

How do you "compare the actions of similar size companies?" That's a
secret. What's a reasonable effort? That's a secret too. What
happens? That's no longer a secret, thanks to mandatory breach
disclosure.

Adam

| Adam Shostack wrote:
| > On Thu, Mar 20, 2008 at 10:13:08AM -0500, Allan Friedman wrote:
| > | > On the public policy issue, I agree. If you want companies to disclose
| > | > the exact circumstances around a breach (exact technical details), there
| > | > will have to be a shield that prevents plaintiffs' attorneys from using
| > | > the information in lawsuits.
| > |
| > | You highlight an interesting trade-off. It may be the case that more
| > | disclosure would reduce incentives to prevent future breaches,
| > | depending on how we understand the problem.
| > |
| > | A standard policy tool for enforcing maximum diligence is the threat
| > | of lawsuits, massive ones that can wreck a corporation. If we follow
| > | this liability argument (as advanced by Schneier and other scholars of
| > | the economics of information security) then making concessions to
| > | corporate defendants can impede the end goal of less data retention
| > | and greater data protection.
| > |
| > | If we don't think we're ever going to get there, then more data about
| > | breaches for the purposes of research is clearly the greater good.
| > | This is a very interesting dynamic. I'll have to think about how to
| > | model it...
| >
| > For this policy to be effective, costs must be aligned with a failure
| > to take effective measures. Today, we lack the data to assess how
| > effective various 'best practices' or standards are.
| > Gene Kim and
| > company have done work showing that a few parts of COBIT are key, and
| > others are not correlated with the outcomes they studied. (There's a
| > CERIAS talk video you can find.) There are claims that Hannaford was
| > PCI compliant. Shouldn't that have made them secure?
| >
| > So lawsuits today are random. With better data, we may be able to
| > better attribute blame. Perhaps this shapes a temporary liability
| > shield, with a goal of revisiting it later, or allowing case law to
| > shape it for a while?
| >
| > Adam
|
| --
| James Ritchie
| CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
|
| Linkedin http://www.linkedin.com/pub/1/b89/433
|
| Attachments with this email, not explicitly referenced, should not be opened. Always scan your email and their associated attachments for viruses prior to opening.
|
| This message and any accompanying documents are confidential and may contain information covered under the Privacy Act, 5 USC 552(a), the Health Insurance Portability and Accountability Act (PL 104-191), or the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and its various implementing regulations and must be protected in accordance with those provisions. Unauthorized disclosure or failure to maintain the confidentiality of the information may result in civil or criminal sanctions.
|
| This e-mail is strictly confidential and intended solely for the addressee. Should you not be the intended addressee you have no right to any information contained in this e-mail.
| If you received this message by mistake you are kindly requested to inform us of this and to destroy the message.

From tblackmore at tslad.com Thu Mar 20 21:50:28 2008
From: tblackmore at tslad.com (Tracy Blackmore)
Date: Thu, 20 Mar 2008 14:50:28 -0700
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
References: <20080319192639.GB14619@homeport.org> <686cc62f0803200813q459f6e44j67e2a71c3919837@mail.gmail.com> <20080320180823.GD32576@homeport.org> <47E2CC9F.5020903@sbcglobal.net>
Message-ID:

Something I haven't seen in this thread is...

Many companies give either consultants or manufacturers loads of money to 'secure' them or 'verify' that they are secure. Being a consultant myself, I've seen this all too often. This (obviously) does little to actually secure anything! To properly secure something, companies must create a culture of security - starting with solid policies that are more than pieces of paper that sit in a book until the auditor needs them. Only with these policies that define the who, what, when, where, why, and how can good controls be put into place that support those policies. Any old fool can purchase a firewall and put it on the network - but I could tell you stories of how many I've come across with the old Any/Any rule because of lack of proper policies.

And then companies like Qualys... I think they offer a great service - but too many companies think that just because they use that service they are secure. Qualys does NOTHING but offer information. How a company uses that information, if at all, is up to the company!
Me personally? I'd take security out of the hands of the IT department! Give it to a non-IT CSO who is dedicated to developing that culture of security with the proper policies to back it up. With that, proper guidance can be passed on to the IT department to deploy the controls necessary to support them.

Tracy Blackmore, CISSP
Independent Consultant
T.S. Lad, Inc.
www.tslad.com
From james_ritchie at sbcglobal.net Thu Mar 20 21:30:08 2008
From: james_ritchie at sbcglobal.net (James Ritchie, CISA, QSA)
Date: Thu, 20 Mar 2008 17:30:08 -0400
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <20080320212124.GK32576@homeport.org>
References: <20080319192639.GB14619@homeport.org> <686cc62f0803200813q459f6e44j67e2a71c3919837@mail.gmail.com> <20080320180823.GD32576@homeport.org> <47E2CC9F.5020903@sbcglobal.net> <20080320212124.GK32576@homeport.org>
Message-ID: <47E2D760.1050703@sbcglobal.net>

This is where documentation is key on what was done. Due diligence and due care are legal terms. From the FindLaw legal dictionary:

1: such diligence as a reasonable person under the same circumstances would use : use of reasonable but not necessarily exhaustive efforts (called also reasonable diligence)

Note: Due diligence is used most often in connection with the performance of a professional or fiduciary duty, or with regard to proceeding with a court action. Due care is used more often in connection with general tort actions.
--
James Ritchie
CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+

Linkedin http://www.linkedin.com/pub/1/b89/433

From chris at cwalsh.org Thu Mar 20 21:48:41 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Thu, 20 Mar 2008 16:48:41 -0500
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To:
References: <20080319192639.GB14619@homeport.org> <686cc62f0803200813q459f6e44j67e2a71c3919837@mail.gmail.com> <20080320180823.GD32576@homeport.org> <47E2CC9F.5020903@sbcglobal.net>
Message-ID: <20080320214841.GA15563@fripp.cwalsh.org>

IANAL, but this question of "due diligence" and comparing oneself to one's competitors begs the question -- what harm (in the legal sense) has been done here to anyone whose CC or debit card # was revealed? Does your answer vary depending on whether there was fraud associated with that card #?

From adam at homeport.org Thu Mar 20 21:56:05 2008
From: adam at homeport.org (Adam Shostack)
Date: Thu, 20 Mar 2008 17:56:05 -0400
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <47E2D760.1050703@sbcglobal.net>
References: <20080319192639.GB14619@homeport.org> <686cc62f0803200813q459f6e44j67e2a71c3919837@mail.gmail.com> <20080320180823.GD32576@homeport.org> <47E2CC9F.5020903@sbcglobal.net> <20080320212124.GK32576@homeport.org> <47E2D760.1050703@sbcglobal.net>
Message-ID: <20080320215605.GM32576@homeport.org>

I am familiar with the concept of due diligence. It generally depends on a shared understanding of what levels of work are considered normal, standard or expected in a field. I believe that in computer security (as another poster has pointed out) you can find "experts" who'll support a great variety of arguments, making concepts such as "normal and customary care" impossible and expensive to attempt to pin down.

Adam

On Thu, Mar 20, 2008 at 05:30:08PM -0400, James Ritchie, CISA, QSA wrote:
| This is where documentation is key on what was done. Due diligence and due
| care are legal terms.
Always scan your email and their associated attachments for viruses prior to opening. | | This message and any accompanying documents are confidential and may contain information covered under the Privacy Act, 5 USC 552(a), the Health Insurance Portability and Accountability Act (PL 104-191), or the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and its various implementing regulations and must be protected in accordance with those provisions. Unauthorized disclosure or failure to maintain the confidentiality of the information may result in civil or criminal sanctions. | | This e-mail is strictly confidential and intended solely for the addressee. Should you not be the intended addressee you have no right to any information contained in this e-mail. If you received this message by mistake you are kindly requested to inform us of this and to destroy the message. | From kmcpoyle at kmrdpartners.com Thu Mar 20 22:00:08 2008 From: kmcpoyle at kmrdpartners.com (Kevin McPoyle) Date: Thu, 20 Mar 2008 18:00:08 -0400 Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy! In-Reply-To: <20080320214841.GA15563@fripp.cwalsh.org> Message-ID: What I find interesting is the recognition among the readers and pundits that this is an imperfect world with respect to security. With that in mind, I'm unclear as to why organizations don't transfer a portion of this risk to others through an insurance product? It seems rational and clearly represents some mitigating of a scenario that will happen, not if, when. Policies are readily available, negotiable and clearly a deal compared to other costs. No one like to "waste" money on insurance...until there is a claim. The supermarket had D&O with which to fend off the legal dogs. Why don't they have a "cyber" policy? Whose making these good decisions? 
-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
Sent: Thursday, March 20, 2008 5:49 PM
To: Tracy Blackmore
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

IANAL, but this question of "due diligence" and comparing oneself to one's competitors begs the question -- what harm (in the legal sense) has been done here to anyone whose CC or debit card # was revealed? Does your answer vary depending on whether there was fraud associated with that card #?

From sromanos at andrew.cmu.edu Thu Mar 20 22:29:54 2008
From: sromanos at andrew.cmu.edu (Sasha Romanosky)
Date: Thu, 20 Mar 2008 18:29:54 -0400
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
Message-ID: <00c001c88ad9$ebeaa960$29eaed80@sribm>

Whoops, wrote too soon:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1306207,00.html
(Thanks to a student post for pointing this out.)

> -----Original Message-----
> From: Sasha Romanosky [mailto:sromanos at andrew.cmu.edu]
> Sent: Thursday, March 20, 2008 6:27 PM
> To: 'dataloss at attrition.org'
> Subject: RE: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
>
> To my knowledge, this firm in Canada is the one that offers data breach insurance:
>
> From SANS NewsBites Vol. 10 Num. 22:
> --Canadian Firm to Offer Data Breach Insurance (March 13, 2008)
> As data security breaches appear more and more frequently in the news, at least one Canadian insurance company is starting to offer a product that would cover costs incurred by companies when they have suffered a data privacy breach. The policy would cover the cost of fixing computer damage as well as costs associated with customer notification and reimbursement and compensation paid to credit card companies for losses from fraud. The coverage is structured to address Canadian data privacy laws.
> http://www.theglobeandmail.com/servlet/story/LAC.20080313.RINSURANCE13/TPStory/Business
>
> [Editor's Note (Schultz): Insurance against security incidents in general has not caught on all that well in the information security arena for a number of reasons. However, this new type of insurance is likely to fare much better because of the widespread concern about and high likelihood of data security breaches.]
>
> cheers,
> sasha
> www.romanosky.net

From macadamiamac at gmail.com Fri Mar 21 01:15:23 2008
From: macadamiamac at gmail.com (macadamiamac)
Date: Thu, 20 Mar 2008 15:15:23 -1000
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <00c001c88ad9$ebeaa960$29eaed80@sribm>
References: <00c001c88ad9$ebeaa960$29eaed80@sribm>
Message-ID:

A Qualys (a good system) - or equivalent installation, insurance and whatever other components a business may implement to protect its PII data is not a set-it-and-forget-it procedure. Kryptonite proof it ain't. No system is 100% immune from all risk.

A savvy CTSO, with the cooperation and support of senior management, will implement all of the components: training its personnel, hardware and software firewalls, changing passwords periodically, encrypting data in use, purging data no longer needed, periodic random testing of the system, and whatever else to reduce risk of data loss - internal and external.

An even smarter management team will have all of the foregoing incorporated into its culture and have on deck 1) a breach management plan; 2) notification and PR templates; 3) a recovery plan; and 4) a re$erve or insurance.

There are federal regulations - [see FTC 12 CFR § 315 et seq. of the FACT Act], becoming effective in November 2008 - that mandate that financial institutions, their providers and anyone else who deals with consumer credit (and the PII data necessary to conduct their business) implement a host of must-dos or face penalties.

A not-in-compliance business that suffers a breach will be subject to:

* Civil Liability - Actual damages sustained if identity is stolen as a result of corporate inaction, or statutory damages up to $1,000 per affected individual;
* Class-Action Lawsuits - If large numbers of individuals are affected, they may be able to bring class-action suits and get punitive damages;
* Federal Fines - Up to $2,500 for each violation; and
* State Fines - Up to $1,000 for each violation depending upon jurisdiction.

So maybe a little insurance isn't such a bad idea, n'est-ce pas?

Sanford Lung
Honolulu (yes, there are ID fraudsters in paradise)
http://www.identitysafeguards.com

From Msc at vrtinsurance.com Fri Mar 21 01:42:43 2008
From: Msc at vrtinsurance.com (Manny Cho)
Date: Thu, 20 Mar 2008 18:42:43 -0700
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To:
References: <00c001c88ad9$ebeaa960$29eaed80@sribm>
Message-ID: <3672B0E1061D2E43A8296561C72549883D8E9C@SBS.vrt.local>

I agree with Sanford in that this incident (and all of the other loss notices that post every day to this site) is indicative of the fact that the idea of "one solution" or one perfect product is just not a reality today.

I do believe that companies are trying to do the right thing and are investing the dollars as best as they can to comply with the myriad of privacy and regulatory guidelines (PCI, CISSP, HIPAA, GLB, SOX, etc.) that govern their day-to-day business practices. Unfortunately, what the best security product / service cannot eliminate is the system user (i.e. the human factor) - which would also include the use of independent contractors, where we believe a lot of vulnerabilities exist - and this is why we feel that True Privacy / Security for any company requires IT, Human Resources, Finance, Legal and finally insurance to work together and implement data security best practices to protect the data, train and update their employees and set up contingencies (that include p.r., legal notices and insurance) to respond to an event.

What can/will be implemented by each company is a function of time, money and resources. Having seen a number of companies go through these incidents, I can say that those companies that are more proactive in their data risk management have reduced their potential third-party liabilities and helped to maintain customer / client loyalty.

The final piece of the puzzle is the insurance component - most commonly referred to as Cyber Liability and/or Security and Privacy Liability. In the U.S., there are a number of carriers (10+) providing coverage that can respond to third-party individual and class action suits for breach of privacy. Many policies will also respond to administrative and regulatory actions for defense costs and fines and penalties. Some will also provide coverage for your expenses - p.r., forensics, extra expense, third-party monitoring services - due to the event. Like software, each carrier has subtle nuances to their program; your broker should work with you to develop the right program to fit your individual risk profile.

Manny
manny at vrtinsurance.com
www.vrtinsurance.com - Vantage, Resolve and Trust
From rchicker at etiolated.org Fri Mar 21 02:28:32 2008
From: rchicker at etiolated.org (rchick)
Date: Thu, 20 Mar 2008 22:28:32 -0400
Subject: [Dataloss] Lasell College says hacker accessed personal data
Message-ID:

Lasell College says hacker accessed personal data
WHDH-TV, March 20, 2008

NEWTON, Mass. -- Lasell College says a hacker accessed data containing personal information on about 20,000 current and former students, faculty, staff and alumni. The college told The Boston Globe on Wednesday it has no evidence that the information, which included names and Social Security numbers, has been misused. But it has sent an e-mail notice to the people who may be affected.

more...
http://www.msnbc.msn.com/id/23726420

From chris at cwalsh.org Fri Mar 21 02:54:26 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Thu, 20 Mar 2008 21:54:26 -0500
Subject: [Dataloss] fringe: Contractors breach Barack Obama's passport file
Message-ID: <0B0DC159-5980-42F5-87A4-7B10D1736FF4@cwalsh.org>

The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama's passport file. Obama's presidential campaign immediately called for a "complete investigation."

State Department spokesman Tom Casey said the employees had individually looked into Obama's passport file on Jan. 9, Feb. 21 and March 14. To access such a file, the employees must first acknowledge a pledge to keep the information private. The employees were each caught because of a computer-monitoring system that is triggered when the passport accounts of a "high-profile person" are accessed, he said.

The system was put in place after the State Department was embroiled in a scandal involving the access of the passport records of then-presidential candidate Bill Clinton in 1992.

"The State Department has strict policies and controls on access to passport records by government and contract employees," Casey said. The department uses contract employees to help with data entry, customer service and other administration tasks.

The employee involved in the March 14 incident has only been disciplined so far, because the probe of that incident is continuing, an official said.

Though the workers were caught by a computer system that focuses on high-profile people, Casey said that a computer report is generated on every access to passport records and that spot checks are taken to ensure that employees are not violating the Privacy Act.

http://www.washingtonpost.com/wp-dyn/content/article/2008/03/20/AR2008032003422.html?hpid=topnews

[Obviously, these "strict controls" are detective, not preventative.]

From james_ritchie at sbcglobal.net Fri Mar 21 04:25:51 2008
From: james_ritchie at sbcglobal.net (James Ritchie, CISA, QSA)
Date: Thu, 20 Mar 2008 23:25:51 -0500
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <3672B0E1061D2E43A8296561C72549883D8E9C@SBS.vrt.local>
References: <00c001c88ad9$ebeaa960$29eaed80@sribm> <3672B0E1061D2E43A8296561C72549883D8E9C@SBS.vrt.local>
Message-ID: <47E338CF.2080907@sbcglobal.net>

I agree that no one solution can make a company secure. Everyone knows that a layered approach is stronger and does not put all the eggs in one basket. What most people forget when dealing with compliance (legal, regulatory, internal, and contractual) is that many of them are:

1) Start with senior management - has to be a top-down approach.
2) Based on Risk Management - reduce risk to acceptable levels by risk mitigation, risk avoidance, risk acceptance, or insurance 3) Must be ongoing and continuous improvement 4) Must be have a return on investment 5) Cannot be cost prohibitive - Cannot expect to spend a million for preventative measure when the lost of the asset would only cost 100,000 6) Must be documented to allow an independent third-party to come to the same conclusions. Gartner Group and others constantly state that a holistic approach has to be taken to address the 4 forms of compliance in one process, not a bunch of individual process, and has to be incorporated into the culture of the company. How many companies actually do that? Manny Cho wrote: > > I agree with Sanford in that this incident (and all of the other loss > notices that post every day to this site) is indicative of the fact > that the idea of ?one solution? or one perfect product is just not a > reality today.? > > > > I do believe that companies are trying to do the right thing and are > investing the dollars as best as they can to comply with the myriad of > privacy and regulatory guidelines (PCI, CISSP, HIPAA, GLB, SOX, etc) > that govern their day to day business practices. Unfortunately, what > the best security product / service can not eliminate is the system > user (i.e. the human factor) ? /which would also include the use of > independent contractors where we believe a lot of vulnerabilities > exist/ - and this is why we feel that True Privacy / Security for any > company requires IT, Human Resources, Finance, Legal and finally > insurance to work together and implement data security best practices > to protect the data, train and update their employees and set up > contingencies (that include p.r., legal notices and insurance) to > respond to an event. > > > > What can/will be implemented by each company is a function of time, > money and resources. 
Having seen a number of companies go through > these incidents, I can say that those companies that are more > proactive in their data risk management have reduced their potential > third party liabilities and helped to maintain customer / client > loyalty.? > > > > The final piece of the puzzle is the insurance component - most > commonly referred to as Cyber Liability and/or Security and Privacy > Liability.? In the U.S., there are a number of carriers (10+) > providing coverage that can respond to third party individual and > class action suits for breach of privacy.? Many policies will also > respond to administrative and regulatory actions for defense costs and > fines and penalties.? Some will also provide coverage for your > expenses ? p.r., forensics, extra expense, third party monitoring > services ? due to the event.? Like software, each carrier has subtle > nuances to their program, your broker should work with you to develop > the right program to fit your individual risk profile. > > > > Manny > > manny at vrtinsurance.com > > www.vrtinsurance.com ? Vantage, Resolve > and Trust > > > > > > > > ------------------------------------------------------------------------ > > *From:* dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] *On Behalf Of *macadamiamac > *Sent:* Thursday, March 20, 2008 6:15 PM > *To:* Sasha Romanosky > *Cc:* dataloss at attrition.org > *Subject:* Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy! > > > > A Qualsys (a good system) - or equivalent installation, > insurance and whatever other components a business may implement to > protect its PII data is not a set it and forget it procedure. > Kryptonite proof it ain't. No system is 100% immune from all risk. 
> > A savvy CTSO, with the cooperation and support of senior > management will implement all of the components: training its > personnel, hard and software firewalls, changing passwords > periodically, encrypting data in use, purging data no longer needed, > periodic random testing of the system, and whatever else to reduce > risk of data loss - internal and external. > > An even smarter management team will have all of the foregoing > incorporated into its culture and have on deck 1)a breach management > plan; 2)notification and PR templates; 3) a recovery plan; and, 4) a > re$erve or insurance. > > > > There are federal regulations - [see FTC 12 CFR ? 315 et. seq. > of the FACT Act], becoming effective in November 2008 that mandate > that financial institutions, their providers and anyone else who deals > with consumer credit (and the PII data necessary to conduct their > business), implement a host of must dos or face penalties. > > > > A not in compliance business that suffers a breach will be > subject to: > > * Civil Liability - Actual damages sustained if identity is > stolen as a result of corporate inaction or statutory damages up to > $1,000 per affected individual; > > * Class-Action Lawsuits - If large numbers of individuals are > affected, they may be able to bring class-action suits and get > punitive damages; > > * Federal Fines - Up to $2,500 for each violation; and > > * State Fines - Up to $1,000 for each violation depending upon > jurisdiction. > > > > So maybe a little insurance isn't such a bad idea, n'est pas? > > > > Sanford Lung > > Honolulu (yes, there are ID fraudsters in paradise) > > http://www.identitysafeguards.com > > > > ------------------------------------------------------------------------ > > > > > >> Whoops, wrote too soon: >> >> http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1306207, >> 00.html >> (Thanks to a student post for pointing this out.) 
>>
>> > -----Original Message-----
>> > From: Sasha Romanosky [mailto:sromanos at andrew.cmu.edu]
>> > Sent: Thursday, March 20, 2008 6:27 PM
>> > To: 'dataloss at attrition.org'
>> > Subject: RE: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
>> >
>> > To my knowledge, this firm in Canada is the one that offers
>> > data breach insurance:
>> >
>> > From SANS NewsBites Vol. 10 Num. 22:
>> > --Canadian Firm to Offer Data Breach Insurance (March 13, 2008)
>> > As data security breaches appear more and more frequently in the
>> > news, at least one Canadian insurance company is starting to offer
>> > a product that would cover costs incurred by companies when they
>> > have suffered a data privacy breach. The policy would cover the
>> > cost of fixing computer damage as well as costs associated with
>> > customer notification and reimbursement and compensation paid to
>> > credit card companies for losses from fraud. The coverage is
>> > structured to address Canadian data privacy laws.
>> > http://www.theglobeandmail.com/servlet/story/LAC.20080313.RINSURANCE13/TPStory/Business
>> >
>> > [Editor's Note (Schultz): Insurance against security incidents in
>> > general has not caught on all that well in the information
>> > security arena for a number of reasons. However, this new type of
>> > insurance is likely to fare much better because of the widespread
>> > concern about and high likelihood of data security breaches.]
>> >
>> > cheers,
>> > sasha
>> > www.romanosky.net
>> >
>> > > -----Original Message-----
>> > > From: dataloss-bounces at attrition.org
>> > > [mailto:dataloss-bounces at attrition.org] On Behalf Of Kevin McPoyle
>> > > Sent: Thursday, March 20, 2008 6:00 PM
>> > > To: Chris Walsh; Tracy Blackmore
>> > > Cc: dataloss at attrition.org
>> > > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
>> > >
>> > > What I find interesting is the recognition among the readers and
>> > > pundits that this is an imperfect world with respect to security.
>> > > With that in mind, I'm unclear as to why organizations don't
>> > > transfer a portion of this risk to others through an insurance
>> > > product. It seems rational and clearly represents some mitigating
>> > > of a scenario that will happen, not if, when. Policies are readily
>> > > available, negotiable and clearly a deal compared to other costs.
>> > > No one likes to "waste" money on insurance...until there is a
>> > > claim. The supermarket had D&O with which to fend off the legal
>> > > dogs. Why don't they have a "cyber" policy?
>> > > Who's making these good decisions?
>> > >
>> > > -----Original Message-----
>> > > From: dataloss-bounces at attrition.org
>> > > [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
>> > > Sent: Thursday, March 20, 2008 5:49 PM
>> > > To: Tracy Blackmore
>> > > Cc: dataloss at attrition.org
>> > > Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
>> > >
>> > > IANAL, but this question of "due diligence" and comparing oneself
>> > > to one's competitors begs the question -- what harm (in the legal
>> > > sense) has been done here to anyone whose CC or debit card # was
>> > > revealed? Does your answer vary depending on whether there was
>> > > fraud associated with that card #?
>> > >
>> > > _______________________________________________
>> > > Dataloss Mailing List (dataloss at attrition.org)
>> > > http://attrition.org/dataloss
>> > >
>> > > Tenable Network Security offers data leakage and compliance
>> > > monitoring solutions for large and small networks. Scan your
>> > > network and monitor your traffic to find the data needing
>> > > protection before it leaks out!
>> > > http://www.tenablesecurity.com/products/compliance.shtml
>> > >
>
> ------------------------------------------------------------------------
>

--
James Ritchie
CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
Linkedin http://www.linkedin.com/pub/1/b89/433

Attachments with this email, not explicitly referenced, should not be
opened. Always scan your email and their associated attachments for
viruses prior to opening.
This message and any accompanying documents are confidential and may
contain information covered under the Privacy Act, 5 USC 552(a), the
Health Insurance Portability and Accountability Act (PL 104-191), or the
Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and its
various implementing regulations and must be protected in accordance
with those provisions. Unauthorized disclosure or failure to maintain
the confidentiality of the information may result in civil or criminal
sanctions. This e-mail is strictly confidential and intended solely for
the addressee. Should you not be the intended addressee you have no
right to any information contained in this e-mail. If you received this
message by mistake you are kindly requested to inform us of this and to
destroy the message.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080320/83b4bfda/attachment-0001.html

From enelson at secureprivacysolutions.com Fri Mar 21 03:39:38 2008
From: enelson at secureprivacysolutions.com (Eric Nelson)
Date: Thu, 20 Mar 2008 20:39:38 -0700
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To:
References: <20080319192639.GB14619@homeport.org>
	<686cc62f0803200813q459f6e44j67e2a71c3919837@mail.gmail.com>
	<20080320180823.GD32576@homeport.org>
	<47E2CC9F.5020903@sbcglobal.net>
Message-ID: <000601c88b05$358c1790$a0a446b0$@com>

I absolutely agree - securing information is only a part of privacy laws
and principles. A culture of security and privacy starts with an
understanding of the company's culture, recognition of privacy and
security as a risk, an understanding of applicable laws and regulations
(GLBA, FACTA, FTC Fair Information Practices, etc.), and policy
development that includes both privacy and security policies. Tracy's
comments below, who, what, when, where, and why, should apply to both
processes ("hands-on") and technology controls.
Technology can support those policies, but it's ongoing training and
awareness that will truly develop a culture of privacy. Management and
employee performance reviews should include privacy and security
awareness as a key metric, especially in a business process or role that
has access to customers or customer data.

Great discussion -

Eric Nelson, CIPP
President
Secure Privacy Solutions
www.SecurePrivacySolutions.com

From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Tracy Blackmore
Sent: Thursday, March 20, 2008 2:50 PM
To: James Ritchie, CISA, QSA; dataloss at attrition.org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

Something I haven't seen in this thread is...

Many companies give either consultants or manufacturers loads of money
to 'secure' them or 'verify' that they are secure. Being a consultant
myself I've seen this all too often. This (obviously) does little to
actually secure anything!

To properly secure something companies must create a culture of
security - starting with solid policies that are more than pieces of
paper that sit in a book until the auditor needs them. Only with these
policies that define the who, what, when, where, why, and how can good
controls be put into place that support those policies.

Any old fool can purchase a firewall and put it on the network - but I
could tell you stories of how many I've come across with the old
Any/Any rule because of lack of proper policies.

And then companies like Qualys... I think they offer a great service -
but too many companies think that just because they use that service
that they are secure. Qualys does NOTHING but offer information. How a
company uses that information, if at all, is up to the company!

Me personally? I'd take security out of the hands of the IT department!
Give it to a non-IT CSO who is dedicated to developing that culture of
security with the proper policies to back it up.
With that, proper guidance can be passed on to the IT department to
deploy the controls necessary to support them.

Tracy Blackmore, CISSP
Independent Consultant
T.S. Lad, Inc.
www.tslad.com

_____

From: dataloss-bounces at attrition.org on behalf of James Ritchie, CISA, QSA
Sent: Thu 3/20/2008 1:44 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

Being compliant does not mean being secure and being secure does not
mean being compliant. What most people forget with all the compliance
is that constant vigilance must be maintained. Does that mean daily,
weekly, monthly, quarterly, or annually that you have to verify that
the controls are working appropriately?

What I think will be the outcome is if appropriate due diligence and
due care can be shown as fact, the liability will be reduced or
eliminated. They will compare the actions taken and those of similar
size companies to see if what they had done was appropriate. To make
any company 100% secure, the cost of security would be so prohibitive,
the company would be bankrupt. There has to be a balance and reasonable
effort shown.

Adam Shostack wrote:
> On Thu, Mar 20, 2008 at 10:13:08AM -0500, Allan Friedman wrote:
> | > On the public policy issue, I agree. If you want companies to disclose
> | > the exact circumstances around a breach (exact technical details), there
> | > will have to be a shield that prevents plaintiffs' attorneys from using
> | > the information in lawsuits.
> |
> | You highlight an interesting trade-off. It may be the case that more
> | disclosure would reduce incentives to prevent future breaches,
> | depending on how we understand the problem.
> |
> | A standard policy tool for enforcing maximum diligence is the threat
> | of lawsuits, massive ones that can wreck a corporation.
> | If we follow
> | this liability argument (as advanced by Schneier and other scholars of
> | the economics of information security) then making concessions to
> | corporate defendants can impede the end goal of less data retention
> | and greater data protection.
> |
> | If we don't think we're ever going to get there, then more data about
> | breaches for the purposes of research is clearly the greater good.
> | This is a very interesting dynamic. I'll have to think about how to
> | model it...
>
> For this policy to be effective, costs must be aligned with a failure
> to take effective measures. Today, we lack the data to assess how
> effective various 'best practices' or standards are. Gene Kim and
> company have done work showing that a few parts of COBIT are key, and
> others are not correlated with the outcomes they studied. (There's a
> CERIAS talk video you can find.) There's claims that Hannaford was
> PCI compliant. Shouldn't that have made them secure?
>
> So lawsuits today are random. With better data, we may be able to
> better attribute blame. Perhaps this shapes a temporary liability
> shield, with a goal of revisiting it later, or allowing case law to
> shape it for a while?
>
> Adam

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080320/81d19ee5/attachment.html

From macwheel99 at wowway.com Fri Mar 21 17:20:57 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Fri, 21 Mar 2008 11:20:57 -0600
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <3672B0E1061D2E43A8296561C72549883D8E9C@SBS.vrt.local>
References: <00c001c88ad9$ebeaa960$29eaed80@sribm>
	<3672B0E1061D2E43A8296561C72549883D8E9C@SBS.vrt.local>
Message-ID: <6.2.1.2.1.20080321104207.03d33cb0@pop3.mail.wowway.com>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080321/04878d42/attachment.html

From hbrown at knology.net Fri Mar 21 21:57:34 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 21 Mar 2008 16:57:34 -0500
Subject: [Dataloss] Medical records sold to highest bidder for $5.00 (KY)
Message-ID: <47E42F4E.7010703@knology.net>

http://www.wjla.com/news/stories/0308/505349.html

[...]

The man, who wants to remain anonymous, thought he was getting a bargain
when he bid five dollars, sight unseen, for whatever was in the storage
unit. It's the way storage auctions work when the person who owns the
items inside gets behind on payments.

"Once I got a chance to explore the bin, it was all medical records."

All of the records from Mitchellville's Atlantic Chiropractic Office,
dating from the mid-90's. The records were all unexpectedly personal,
with social security numbers, medical histories and billing information
listed.

[...]

The owner of Atlantic Chiropractic, Dr. Douglas Weaver, said he wouldn't
explain on camera, but he told ABC 7/NewsChannel 8's Emily Schmidt he
forgot the medical records were in the unit. He moved them there years
ago after buying the practice from Dr. Steven Vaughn, whose name was
actually on all the records.

[...]

From james_ritchie at sbcglobal.net Sat Mar 22 01:36:34 2008
From: james_ritchie at sbcglobal.net (James Ritchie, CISA, QSA)
Date: Fri, 21 Mar 2008 20:36:34 -0500
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <6.2.1.2.1.20080321104207.03d33cb0@pop3.mail.wowway.com>
References: <00c001c88ad9$ebeaa960$29eaed80@sribm>
	<3672B0E1061D2E43A8296561C72549883D8E9C@SBS.vrt.local>
	<6.2.1.2.1.20080321104207.03d33cb0@pop3.mail.wowway.com>
Message-ID: <47E462A2.20104@sbcglobal.net>

Here is an article that is very relevant to the concepts that have been
talked about under this thread. This is from an attorney and dealing
with PCI contractual compliance.
Once you finish reading the document, it would not be a far stretch for
a civil suit on a data breach (not just PCI related) but using the
required controls of the DSS as a standard of due care.

All company executives, time to start having your legal staff involved
with each and every piece of compliance that your company faces.

Here is the link.
http://infoseccompliance.blogspot.com/2008/02/legal-implications-risks-and-problems.html

Al Mac Wheel wrote:
> There will never be one perfect solution for all enterprises and
> government agencies.
>
> The risks are different depending on:
> * The nature of the data and software that needs to be protected, from
> what kinds of threats, which vary with the industry.
> * The computer operating system, computer languages supported, access
> methods.
> * Just as a lot of software was designed for a long ago reality, when
> the needs were less sophisticated, many buildings have security holes
> ... false ceilings that a human can travel over, circumventing locked
> doors, being the most obvious.
> * If a company does not own the building where their offices are
> located, the landlord has keys to the place, which may be accessible
> to a dishonest employee. Also there may be other businesses in the
> same building, with weaker security. Crooks break into the weakest
> link, then get through the building into their ultimate target.
> * In our interconnected world, other enterprises can connect to our
> systems ... some of this is mandated by government regulations, some
> of it due to how our business functions. Let's suppose we have given
> access to our systems to tech support, consultants, auditors, etc. &
> let's suppose that outfit gets penetrated ... can the penetration
> extend to all the places they have access to? We know there are
> viruses that target e-banking software, so that if we do electronic
> financial transfers ... everyone we do business with can be a weak link.
>
> However, there can be some standards that cross systems.
>
> Some upgrades require temporary relaxing of some security. There are
> inspections that should be run after all upgrades, to ensure that
> certain security standards are once again in place. They should be
> run whether or not the people doing the upgrades knowingly relaxed
> any standards.
>
> In addition to inspection to see if embezzlement is going on, there
> can also be inspection to see if people are keying sensitive
> information into data areas whose labeling is non-sensitive
> information.
>
> It is not enough to train people, and pass out policy manuals. There
> has to be a process of testing that the people are following the
> rules, such as not to photocopy or fax certain sensitive information,
> to have encryption on portable data storage devices that leave company
> property, to lock facilities properly every night, promptly report
> anything lost or stolen.
>
> Testing software changes is done because we expect that something may
> go wrong, so the test data base should not contain sensitive data on
> real people, but rather data that is a simulation of the data to be
> tested.
>
> I had suggested in my work place ... the IBM OS tracks software and
> data usage ... I can show how heavily we use what ... the auditors can
> be told what is used to run our business on a regular basis ... they
> can designate 2-3 programs, data sets, etc. to be inspected by a
> computer auditor who is an expert on our application systems to
> produce a report on what this is really doing, how accurate it is, to
> be matched with the external auditors' statement of how it has been
> represented to them by the end users. Do the two stories match?
> Depending on the results, they see how frequently it is wise to pick
> other such samples in future audits.
>
> I had suggested this due to the multiplicity of PC tools on people's
> personal work stations & end users divorced from internal logic of the
> tools, or software designed by co-workers, and the evolving business,
> where we are depending on tools designed years ago, for realities that
> no longer exist today.
>
> Manny Cho wrote:
>> I agree with Sanford in that this incident (and all of the other loss
>> notices that post every day to this site) is indicative of the fact
>> that the idea of "one solution" or one perfect product is just not a
>> reality today.
> ------------------------------------------------------------------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080321/c5b00545/attachment.html

From lyger at attrition.org Sat Mar 22 18:11:15 2008
From: lyger at attrition.org (lyger)
Date: Sat, 22 Mar 2008 18:11:15 +0000 (UTC)
Subject: [Dataloss] CA: Stolen PC had Agilent workers' personal data
Message-ID:

http://www.mercurynews.com/peninsula/ci_8660115?nclick_check=1&forced=true

A laptop containing sensitive and unencrypted personal data on 51,000
current and former employees of Agilent Technologies was stolen from the
car of an Agilent vendor March 1 in San Francisco, the company said in a
letter mailed to former employees this week.

The data includes employee names, Social Security numbers, home
addresses and details of stock options and other stock-related awards.

In the letter, Agilent blamed the San Jose vendor, Stock & Option
Solutions, for failing to scramble or otherwise safeguard the data - "in
violation of the contracted agreement."

[...]

From hobbit at avian.org Sat Mar 22 19:19:26 2008
From: hobbit at avian.org (*Hobbit*)
Date: Sat, 22 Mar 2008 19:19:26 +0000 (GMT)
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
Message-ID: <20080322191926.2C231C305@relayer.avian.org>

Can I offer a little sideways perspective on this?

I want to touch on *complacency*, i.e. the little ruts people get into
which are largely driven by stupid defaults in application programs --
such as email clients. Take a thorough look through the enclosed, which
is one of the recent messages in this thread in its full glory as it
rolled in here, without hiding behind any of the formatting stuff that
your mail-clients may be automatically applying to render it in some
more palatable format.
This, folks, is what's really going on underneath, and I'd like to draw
your attention to several aspects that everyone should be thinking
about:

  Blind top-posting -- do you think everyone's short-term memory is
  really that bad? What point[s] do you think you're responding to,
  since you didn't do the courtesy of pulling them out specifically?

  Multiple levels of useless re-quote

  Numerous repeats of the list trailer tag and "Tenable" ad

  Those annoying and completely ineffective "confidentiality" tags --
  think about how even more useless they are in a block REQUOTE of a
  message, at which point you've totally lost control over where any of
  that data is going

  All the bloated microsoft-flavor dreck in the HTML part

Does anyone really think anyone READS all that re-quoted junk? Wouldn't
it be better to just leave it off, make a policy of not including it,
and save everyone a little bandwidth [and in my mind, credibility as to
one's competence in dealing with email]? Is this festival of fluff what
you want out there as your professional image?

What if this exchange were an in-house discussion of some truly
sensitive material, which at some point suffered a leak along the way?
With a single message like the below escaping due to fat-fingering or
malfeasance or whatever, now an intruder has the WHOLE context captured
starting from zero, where if the people involved had instead sent only
the amount of info needed to continue the discussion to those who
already know what's being discussed, that would leave much remaining to
guesswork. As you look through the trashpile below you may begin to see
that it would give away fewer details about your own computing
environment, too. It is easy to restore plenty of context in one or
two sentences if you really think your audience has totally forgotten
what was going on in the meantime. And far and away makes your added
points more effective. Ideas similar to this should be part of solid
working policy, too.
So please give this some thought, and get into those configuration
screens and uncheck those "quote entire message" and "send HTML format"
checkboxes. Break out of the complacency box and think about what
you're really doing. Help make the net a cleaner and quieter place, and
protecting your own interests that much easier. You and your colleagues
will someday thank me for pointing it out.

_H*

=== forwarded mess follows ===

From: "Eric Nelson"
To: "'Tracy Blackmore'" , "'James Ritchie, CISA, QSA'" ,
Date: Thu, 20 Mar 2008 20:39:38 -0700
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

This is a multipart message in MIME format.

--===============1734797476==
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0007_01C88ACA.892D3F90"
Content-Language: en-us

This is a multipart message in MIME format.

------=_NextPart_000_0007_01C88ACA.892D3F90
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

I absolutely agree - securing information is only a part of privacy laws
and principles. A culture of security and privacy starts with an
understanding of the company's culture, recognition of privacy and
security as a risk, an understanding of applicable laws and regulations
(GLBA, FACTA, FTC Fair Information Practices, etc.), and policy
development that includes both privacy and security policies. Tracy's
comments below, who, what, when, where, and why, should apply to both
processes ("hands-on") and technology controls.

Technology can support those policies, but it's ongoing training and
awareness that will truly develop a culture of privacy. Management and
employee performance reviews should include privacy and security
awareness as a key metric, especially in a business process or role that
has access to customers or customer data.
Great discussion -

Eric Nelson, CIPP
President
Secure Privacy Solutions
www.SecurePrivacySolutions.com

From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Tracy Blackmore
Sent: Thursday, March 20, 2008 2:50 PM
To: James Ritchie, CISA, QSA; dataloss at attrition.org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

Something I haven't seen in this thread is...

Many companies give either consultants or manufacturers loads of money
to 'secure' them or 'verify' that they are secure. Being a consultant
myself I've seen this all too often. This (obviously) does little to
actually secure anything!

To properly secure something companies must create a culture of
security - starting with solid policies that are more than pieces of
paper that sit in a book until the auditor needs them. Only with these
policies that define the who, what, when, where, why, and how can good
controls be put into place that support those policies.

Any old fool can purchase a firewall and put it on the network - but I
could tell you stories of how many I've come across with the old
Any/Any rule because of lack of proper policies.

And then companies like Qualys... I think they offer a great service -
but too many companies think that just because they use that service
that they are secure. Qualys does NOTHING but offer information. How a
company uses that information, if at all, is up to the company!

Me personally? I'd take security out of the hands of the IT department!
Give it to a non-IT CSO who is dedicated to developing that culture of
security with the proper policies to back it up. With that, proper
guidance can be passed on to the IT department to deploy the controls
necessary to support them.

Tracy Blackmore, CISSP
Independent Consultant
T.S. Lad, Inc.
www.tslad.com

_____

From: dataloss-bounces at attrition.org on behalf of James Ritchie, CISA, QSA
Sent: Thu 3/20/2008 1:44 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!

Being compliant does not mean being secure and being secure does not
mean being compliant. What most people forget with all the compliance
is that constant vigilance must be maintained. Does that mean daily,
weekly, monthly, quarterly, or annually that you have to verify that
the controls are working appropriately?

What I think will be the outcome is if appropriate due diligence and
due care can be shown as fact, the liability will be reduced or
eliminated. They will compare the actions taken and those of similar
size companies to see if what they had done was appropriate. To make
any company 100% secure, the cost of security would be so prohibitive,
the company would be bankrupt. There has to be a balance and reasonable
effort shown.

Adam Shostack wrote:
> On Thu, Mar 20, 2008 at 10:13:08AM -0500, Allan Friedman wrote:
> | > On the public policy issue, I agree. If you want companies to disclose
> | > the exact circumstances around a breach (exact technical details), there
> | > will have to be a shield that prevents plaintiffs' attorneys from using
> | > the information in lawsuits.
> |
> | You highlight an interesting trade-off. It may be the case that more
> | disclosure would reduce incentives to prevent future breaches,
> | depending on how we understand the problem.
> |
> | A standard policy tool for enforcing maximum diligence is the threat
> | of lawsuits, massive ones that can wreck a corporation. If we follow
> | this liability argument (as advanced by Schneier and other scholars of
> | the economics of information security) then making concessions to
> | corporate defendants can impede the end goal of less data retention
> | and greater data protection.
> |
> | If we don't think we're ever going to get there, then more data about
> | breaches for the purposes of research is clearly the greater good.
> | This is a very interesting dynamic. I'll have to think about how to
> | model it...
>
> For this policy to be effective, costs must be aligned with a failure
> to take effective measures. Today, we lack the data to assess how
> effective various 'best practices' or standards are. Gene Kim and
> company have done work showing that a few parts of COBIT are key, and
> others are not correlated with the outcomes they studied. (There's a
> CERIAS talk video you can find.) There are claims that Hannaford was
> PCI compliant. Shouldn't that have made them secure?
>
> So lawsuits today are random. With better data, we may be able to
> better attribute blame. Perhaps this shapes a temporary liability
> shield, with a goal of revisiting it later, or allowing case law to
> shape it for a while?
>
> Adam
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>

--
James Ritchie
CISA, PCI-QSA, ASV, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+

Linkedin http://www.linkedin.com/pub/1/b89/433

Attachments with this email, not explicitly referenced, should not be opened. Always scan your email and their associated attachments for viruses prior to opening.

This message and any accompanying documents are confidential and may contain information covered under the Privacy Act, 5 USC 552(a), the Health Insurance Portability and Accountability Act (PL 104-191), or the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and its various implementing regulations and must be protected in accordance with those provisions. Unauthorized disclosure or failure to maintain the confidentiality of the information may result in civil or criminal sanctions.

This e-mail is strictly confidential and intended solely for the addressee. Should you not be the intended addressee you have no right to any information contained in this e-mail. If you received this message by mistake you are kindly requested to inform us of this and to destroy the message.

From lyger at attrition.org Sat Mar 22 21:27:40 2008
From: lyger at attrition.org (lyger)
Date: Sat, 22 Mar 2008 21:27:40 +0000 (UTC)
Subject: [Dataloss] rant: Abandon Ship! Data Loss Ahoy!
In-Reply-To: <20080322191926.2C231C305@relayer.avian.org>
References: <20080322191926.2C231C305@relayer.avian.org>
Message-ID:

On this note, we're closing this thread to any off-topic replies, including general non-dataloss related security banter. Please visit the following link for clarification.

http://attrition.org/pipermail/dataloss/2008-January/001916.html

Lyger

On Sat, 22 Mar 2008, *Hobbit* wrote:

": " Can I offer a little sideways perspective on this? I want to touch
": " on *complacency*, i.e. the little ruts people get into which are
": " largely driven by stupid defaults in application programs -- such
": " as email clients. Take a thorough look through the enclosed, which
": " is one of the recent messages in this thread in its full glory
": " as it rolled in here, without hiding behind any of the formatting
": " stuff that your mail-clients may be automatically applying to
": " render it in some more palatable format.
": " This, folks, is what's
": " really going on underneath, and I'd like to draw your attention
": " to several aspects that everyone should be thinking about:

From lyger at attrition.org Sat Mar 22 21:56:21 2008
From: lyger at attrition.org (lyger)
Date: Sat, 22 Mar 2008 21:56:21 +0000 (UTC)
Subject: [Dataloss] Rhode Island says disk with Social Security numbers is missing
Message-ID:

http://www.southcoasttoday.com/apps/pbcs.dll/article?AID=/20080321/NEWS/803210414/-1/NEWS01

A state computer disk containing the Social Security numbers of nearly 1,400 people is missing, the state Department of Administration announced Friday.

The department said there was no evidence that any number had been misused or that the disk had fallen into the hands of an unauthorized person. It was working with the Rhode Island State Police to find the disk.

"We do not believe that it was stolen, we just believe it was misplaced at this point in time," said Melanie Marcaccio, the department's deputy personnel director. "We don't believe that individuals outside of the organization had any access to that data at any point in that time."

[...]

From lyger at attrition.org Sun Mar 23 15:31:15 2008
From: lyger at attrition.org (lyger)
Date: Sun, 23 Mar 2008 15:31:15 +0000 (UTC)
Subject: [Dataloss] NC: WCU ID security breached
Message-ID:

http://www.citizen-times.com/apps/pbcs.dll/article?AID=/20080323/NEWS01/80322062

The news arrived by mail, and it was unsettling. Someone had hacked into a computer and had access to the Social Security numbers of 555 graduates of Western Carolina University who had signed up for a newsletter.

[...]

The compromised information was on a computer server managed by the Department of Business Computer Information Systems and Economics. And it was hacked several times, as long ago as 2006, said Bil Stahl, chief information officer at WCU. "We know the data was taken off the server, but we don't have any evidence that their data was used," he said.
Social Security numbers were included in the stolen information because up until last fall, campuses in the University of North Carolina system could use those digits as student identification numbers. While the practice was stopped then, old data on servers remains vulnerable.

[...]

From lyger at attrition.org Mon Mar 24 02:09:44 2008
From: lyger at attrition.org (lyger)
Date: Mon, 24 Mar 2008 02:09:44 +0000 (UTC)
Subject: [Dataloss] Patients' Data on Stolen Laptop
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2008/03/23/AR2008032301753.html

A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans. The information was not encrypted, in violation of the government's data-security policy.

NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until last Thursday -- almost a month later. They said they hesitated because of concerns that they would provoke undue alarm.

The handling of the incident is reminiscent of a 2006 theft from the home of a Department of Veterans Affairs employee of a laptop with personal information about veterans and active-duty service members. In that case, VA officials waited 19 days before announcing the theft.

[...]

From lyger at attrition.org Tue Mar 25 01:06:11 2008
From: lyger at attrition.org (lyger)
Date: Tue, 25 Mar 2008 01:06:11 +0000 (UTC)
Subject: [Dataloss] AU: COMMENTARY: Get ready for dataloss reporting laws
Message-ID:

http://searchsecurity.techtarget.com.au/topics/article.asp?DocID=6101268

It's naive in the extreme to assume there have been no major dataloss incidents involving Australian companies over the last few years.
Recently the folks at flowingdata.com generated a chart based on the Attrition.org dataloss archive showing the 10 largest dataloss incidents since 2000. The frequency of reported incidents appears to dramatically increase over the timeline, suggesting the problem is getting much, much worse.

On the surface of things the apparent acceleration of serious incidents involving consumer data does appear alarming. However, it's more likely things have always been this bad. The only reason serious dataloss incidents are now being reported in the United States (the flowingdata.com chart includes one UK incident) is almost certainly the result of the introduction of mandatory dataloss disclosure laws there.

Since the state legislature in California passed its pioneering laws forcing companies to inform their customers when their data has leaked, 38 US states have followed suit, with many more in the process of updating their legislation to fall in line. As the reporting laws have been introduced, more companies have been forced to disclose incidents, so the stats are looking grim. Truth is, it's probably always been this bad.

[...]

From jericho at attrition.org Tue Mar 25 09:22:35 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 25 Mar 2008 09:22:35 +0000 (UTC)
Subject: [Dataloss] follow-up: Personal data on stolen NIH laptop was not encrypted
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://federaltimes.com/index.php?S=3442638

By ELISE CASTELLI
FederalTimes.com
March 24, 2008

Personal data on a stolen National Institutes of Health laptop was not secured by encryption measures, as federal regulations require. As a result, medical data on nearly 2,500 patients is at risk following the February theft of a laptop from the locked trunk of a laboratory researcher's car.
"The [National Heart, Lung and Blood Institute] recognizes that such information should not have been stored in an unencrypted form on a laptop computer," said Elizabeth Nabel, director of NHLBI, a division of NIH. However, at the time of the theft, the laptop was off and protected by a password that would take considerable computer sophistication to crack, she said in a March 24 statement.

[...]

From lyger at attrition.org Wed Mar 26 12:51:57 2008
From: lyger at attrition.org (lyger)
Date: Wed, 26 Mar 2008 12:51:57 +0000 (UTC)
Subject: [Dataloss] update: Patient data exposed online
Message-ID:

(originally reported 03/19/08)
http://attrition.org/pipermail/dataloss/2008-March/002075.html

http://www.baltimoresun.com/news/health/bal-te.md.dental26mar26,0,4823354.story

A CareFirst BlueCross BlueShield dental HMO accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public Web site last month and didn't notify them until about three weeks later.

The Dental Network, which is owned by CareFirst, informed the members - mostly Maryland and District of Columbia residents - that their names, addresses, dates of birth and Social Security numbers had been posted on its Web site for two weeks in February because of a technical error.

The company says that to its knowledge, no one has misused the information. But it says "the risk ... should be taken seriously" and has offered members 12 months of free credit monitoring, as well as information about contacting the three credit bureaus to place a fraud alert on their account.

[...]
From lyger at attrition.org Wed Mar 26 14:07:16 2008
From: lyger at attrition.org (lyger)
Date: Wed, 26 Mar 2008 14:07:16 +0000 (UTC)
Subject: [Dataloss] FL: Broward School officials told to watch personal finances
Message-ID:

---------- Forwarded message ----------
From: rchick (etiolated.org)
Date: Wed, 26 Mar 2008 09:23:16 -0400
Subject: Broward School officials told to watch personal finances

Broward School officials told to watch personal finances
March 15, 2008

COCONUT CREEK, Fla. (AP) -- Broward School District officials are asking employees to closely monitor their financial records after a Coconut Creek high school student hacked into a district computer and collected personal data.

The Atlantic Technical High School senior collected Social Security numbers and addresses of district employees. The school district employs more than 35,000 people.

A district spokesman says the student has been suspended for two weeks, pending expulsion.

http://www1.wsvn.com/news/articles/local/MI80080/

From rforno at infowarrior.org Thu Mar 27 03:12:05 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 26 Mar 2008 23:12:05 -0400
Subject: [Dataloss] At Least 20 Big-Name Passports Breached
Message-ID:

At Least 20 Big-Name Passports Breached
Last Edited: Wednesday, 26 Mar 2008, 6:47 PM EDT

http://www.myfoxdc.com/myfox/pages/News/Detail?contentId=6140974&version=2&locale=EN-US&layoutCode=TSTY&pageId=3.3.1

WASHINGTON -- State Department workers viewed passport applications containing personal information about high-profile Americans, including the late Playboy playmate Anna Nicole Smith, at least 20 times since January 2007, The Associated Press has learned.

That total is far more than disclosed last week with the news that presidential candidates Hillary Rodham Clinton, John McCain and Barack Obama had been victims of improper snooping.
An internal department review has found the additional instances of department employees or contractors looking at computerized passport files of politicians and celebrities, according to preliminary results. It has not been determined if the new cases also involved improper peeking, officials familiar with the review said Wednesday. Smith's case, however, seems legitimate, the officials said.

The review is not complete and the exact number of cases was not yet clear. They spoke on condition of anonymity because the review is going on at the same time as the department's internal watchdog investigates passport record security related to the breaches involving the White House candidates.

Smith died in the Bahamas in February 2007. The review of her passport file appears to have come after a legitimate request from the U.S. Embassy in the Bahamas for information needed to complete her death certificate, the officials said.

From lyger at attrition.org Thu Mar 27 03:57:16 2008
From: lyger at attrition.org (lyger)
Date: Thu, 27 Mar 2008 03:57:16 +0000 (UTC)
Subject: [Dataloss] AL: Programmer who stole drive containing one million bank records gets 42 months
Message-ID:

(wow... this one apparently was really under the radar... - lyger)

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072198

A former programmer at Birmingham, Ala.-based Compass Bank who stole a hard drive containing one million customer records and used some of that information to commit debit-card fraud was sentenced last week to 42 months in prison by an Alabama District Court judge.

James Kevin Real was also ordered to pay back the more than $32,000 that he and accomplice Laray Byrd fraudulently withdrew from customer accounts between May and July of last year using those counterfeit debit cards.

The Compass Bank compromise is one of the largest bank-related breaches yet revealed, in terms of the number of customer records that were potentially exposed.
The incident, however, appears to have surfaced for the first time only after the Birmingham News carried a story on the sentencing last week.

[...]

From chris at cwalsh.org Thu Mar 27 15:04:21 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Thu, 27 Mar 2008 10:04:21 -0500
Subject: [Dataloss] At Least 20 Big-Name Passports Breached
In-Reply-To:
References:
Message-ID: <20080327150421.GA52332@fripp.cwalsh.org>

Reports I read said that as part of their training, contractors are told to bring up the file on somebody (whom they pick). Most trainees pick a relative, the article said.

This is of concern on several levels, the most obvious of which is the blatant disregard for privacy that it shows. In 30 seconds, I could rewrite this training regime to preserve privacy -- just have trainees be instructed to bring up a record which exists solely for training! John Q Public of 123 Main St., Anytown USA comes to mind.

The fact that live data is used for training, when the contents are sensitive, is quite disheartening. This is a systemic problem, not one that just impacts Senators or dead celebrities.

cw

On Wed, Mar 26, 2008 at 11:12:05PM -0400, Richard Forno wrote:
> At Least 20 Big-Name Passports Breached
> Last Edited: Wednesday, 26 Mar 2008, 6:47 PM EDT
>
> http://www.myfoxdc.com/myfox/pages/News/Detail?contentId=6140974&version=2&locale=EN-US&layoutCode=TSTY&pageId=3.3.1
>
>
> WASHINGTON -- State Department workers viewed passport applications
> containing personal information about high-profile Americans, including the
> late Playboy playmate Anna Nicole Smith, at least 20 times since January
> 2007, The Associated Press has learned.
From lyger at attrition.org Thu Mar 27 18:11:21 2008
From: lyger at attrition.org (lyger)
Date: Thu, 27 Mar 2008 18:11:21 +0000 (UTC)
Subject: [Dataloss] PA: Lost computer data prompts firm to notify 3,500
Message-ID:

http://www.baltimoresun.com/news/local/bal-data0326,0,5806005.story

A Pittsburgh-based shareholder services firm has notified about 3,500 individuals -- some of them Maryland residents -- that the company lost a box of computer data tapes last month storing personal information including names, Social Security numbers and possibly bank account numbers, a spokesman said Wednesday.

BNY Mellon Shareowner Services, which assists clients such as MetLife, sent letters to affected shareholders of such clients offering them 12 months of free credit monitoring and other assistance, according to a letter received by one affected investor.

[...]

From mhozven at tealeaf.com Thu Mar 27 18:15:18 2008
From: mhozven at tealeaf.com (Max Hozven)
Date: Thu, 27 Mar 2008 11:15:18 -0700
Subject: [Dataloss] At Least 20 Big-Name Passports Breached
In-Reply-To: <20080327150421.GA52332@fripp.cwalsh.org>
References: <20080327150421.GA52332@fripp.cwalsh.org>
Message-ID: <771A26039D33ED489E23D9614DE630DD080E9E93@SFMAIL02.tealeaf.com>

Another seemingly simple solution would be to flag certain high-profile accounts with an option that requires a supervisor's electronic okay to open a record.

It seems like what they have now is that certain accounts are flagged as high-profile (government officials, celebrities, etc) and the management is notified AFTER somebody pulls up the record. Kind of like closing the barn door after the cows have left.
-Max

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
Sent: Thursday, March 27, 2008 8:04 AM
To: Richard Forno
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

Reports I read said that as part of their training, contractors are told to bring up the file on somebody (whom they pick). Most trainees pick a relative, the article said.

This is of concern on several levels, the most obvious of which is the blatant disregard for privacy that it shows. In 30 seconds, I could rewrite this training regime to preserve privacy -- just have trainees be instructed to bring up a record which exists solely for training! John Q Public of 123 Main St., Anytown USA comes to mind.

The fact that live data is used for training, when the contents are sensitive, is quite disheartening. This is a systemic problem, not one that just impacts Senators or dead celebrities.

cw

On Wed, Mar 26, 2008 at 11:12:05PM -0400, Richard Forno wrote:
> At Least 20 Big-Name Passports Breached
> Last Edited: Wednesday, 26 Mar 2008, 6:47 PM EDT
>
> http://www.myfoxdc.com/myfox/pages/News/Detail?contentId=6140974&version=2&locale=EN-US&layoutCode=TSTY&pageId=3.3.1
>
>
> WASHINGTON -- State Department workers viewed passport applications
> containing personal information about high-profile Americans,
> including the late Playboy playmate Anna Nicole Smith, at least 20
> times since January 2007, The Associated Press has learned.

From allan_friedman at ksgphd.harvard.edu Thu Mar 27 18:59:23 2008
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Thu, 27 Mar 2008 14:59:23 -0400
Subject: [Dataloss] At Least 20 Big-Name Passports Breached
In-Reply-To: <771A26039D33ED489E23D9614DE630DD080E9E93@SFMAIL02.tealeaf.com>
References: <20080327150421.GA52332@fripp.cwalsh.org> <771A26039D33ED489E23D9614DE630DD080E9E93@SFMAIL02.tealeaf.com>
Message-ID: <686cc62f0803271159w3987025ape3a9bd8f1f76de4a@mail.gmail.com>

> Another seemingly simple solution would be to flag certain high-profile
> accounts with
> an option that requires a supervisor's electronic okay to open a record.

Flagging or escalating is fine for presidential candidates and probably academy award winners, but where does that leave you and me, who happen to live next door to anyone with access to a major database? Access control and least privilege are huge privacy issues that we haven't even started to get into: they are human scale rather than technical.

> Another seemingly simple solution would be to flag certain high-profile
> accounts with
> an option that requires a supervisor's electronic okay to open a record.
> It seems like what they have now is that certain accounts are flagged as
> high-profile
> (government officials, celebrities, etc) and the management is notified
> AFTER somebody
> pulls up the record. Kind of like closing the barn door after the cows
> have left.
>
> -Max
>
>
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
> Sent: Thursday, March 27, 2008 8:04 AM
> To: Richard Forno
> Cc: dataloss at attrition.org
> Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached
>
> Reports I read said that as part of their training, contractors are told
> to bring up the file on somebody (whom they pick). Most trainees pick a
> relative, the article said.
>
> This is of concern on several levels, the most obvious of which is the
> blatant disregard for privacy that it shows. In 30 seconds, I could
> rewrite this training regime to preserve privacy -- just have trainees
> be instructed to bring up a record which exists solely for training!
> John Q Public of 123 Main St., Anytown USA comes to mind.
>
> The fact that live data is used for training, when the contents are
> sensitive is quite disheartening. This is a systemic problem, not one
> that just impacts Senators or dead celebrities.
>
> cw
> On Wed, Mar 26, 2008 at 11:12:05PM -0400, Richard Forno wrote:
> > At Least 20 Big-Name Passports Breached Last Edited: Wednesday, 26 Mar
> > 2008, 6:47 PM EDT
> >
> > http://www.myfoxdc.com/myfox/pages/News/Detail?contentId=6140974&version=2&locale=EN-US&layoutCode=TSTY&pageId=3.3.1
> >
> >
> > WASHINGTON -- State Department workers viewed passport applications
> > containing personal information about high-profile Americans,
> > including the late Playboy playmate Anna Nicole Smith, at least 20
> > times since January 2007, The Associated Press has learned.

From mhozven at tealeaf.com Thu Mar 27 23:33:28 2008
From: mhozven at tealeaf.com (Max Hozven)
Date: Thu, 27 Mar 2008 16:33:28 -0700
Subject: [Dataloss] At Least 20 Big-Name Passports Breached
In-Reply-To: <686cc62f0803271159w3987025ape3a9bd8f1f76de4a@mail.gmail.com>
References: <20080327150421.GA52332@fripp.cwalsh.org> <771A26039D33ED489E23D9614DE630DD080E9E93@SFMAIL02.tealeaf.com> <686cc62f0803271159w3987025ape3a9bd8f1f76de4a@mail.gmail.com>
Message-ID: <771A26039D33ED489E23D9614DE630DD080EA1A0@SFMAIL02.tealeaf.com>

Well, I don't know if we'll ever find a way to hide our contact info (name, address, phone, etc) from public databases, as this inevitably ends up in county records, etc, and gets sucked into databases.

Regarding identity theft for the purpose of siphoning off bank accounts (which is one of the worst-case end result risks), etc, maybe corporations need to add an option of "anonymous" accounts, like the "Swiss Bank Accounts" where you are only identified by a number. They could also issue you an electronic card, where you would enter your account number and it would generate you an "effective" account number to use for customer service (like a cell phone that communicates back to the company's base for keys/instructions). Similar to a cryptographic card some companies use for VPN access, etc.

So if John Smith opened an account (at a branch, where some identification was provided), they would issue him account number 123456789 and an electronic card. When he calls the bank to do a transaction, he enters 123456789 on his personal electronic card, and gets his effective account number for the day ("358749123"). So, for someone to pose as John Smith to siphon some money out of his account, they'd have to jump a number of hurdles. In the end, everything is hackable, but adding hurdles should lower the probability of an effective hack.
Adding the overhead of electronic cards, etc, isn't cheap, adds
complexity, etc, but would be a nice option for some people. And this
doesn't solve the problem of people opening up new accounts to
perpetrate identity theft.

-Max

Note: Opinions expressed are solely my own.

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Allan Friedman
Sent: Thursday, March 27, 2008 11:59 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

> Another seemingly simple solution would be to flag certain
> high-profile accounts with an option that requires a supervisor's
> electronic okay to open a record.

Flagging or escalating is fine for presidential candidates and probably
academy award winners, but where does that leave you and me, who happen
to live next door to anyone with access to a major database? Access
control and least privilege are huge privacy issues that we haven't even
started to get into: they are human scale rather than technical.

> Another seemingly simple solution would be to flag certain
> high-profile accounts with an option that requires a supervisor's
> electronic okay to open a record. It seems like what they have now is
> that certain accounts are flagged as high-profile (government
> officials, celebrities, etc) and the management is notified AFTER
> somebody pulls up the record. Kind of like closing the barn door after
> the cows have left.
>
> -Max

From jericho at attrition.org Fri Mar 28 09:18:47 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 28 Mar 2008 09:18:47 +0000 (UTC)
Subject: [Dataloss] Identity breach affects hospital
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.whittierdailynews.com/news/ci_8710866

By Airan Scruby
Staff Writer
Whittier Daily News
03/26/2008

WHITTIER - About 5,000 past and current employees at Presbyterian
Intercommunity Hospital had their private information stolen, officials
said Wednesday.

The data included Social Security numbers, birth dates, full names and
other records stored on a desktop computer that was stolen from a
Fullerton data management group on Feb. 11.

In addition to the 5,000 employees, another 35,000 identities from 18
other companies were stored on the computer, officials said.

According to hospital Human Resources Vice President Lon Orey, the
employees will be given a one-year subscription to LifeLock, a group
which tracks the user's information and guards it from illegal use.

"We take the treatment of employee information very seriously," Orey
said, "and we will continue to do everything we can to protect them."

A letter informing employees that their information was in jeopardy was
dated March 13, more than a month after the breach.

[..]

From macwheel99 at wowway.com Fri Mar 28 06:14:49 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Fri, 28 Mar 2008 00:14:49 -0600
Subject: [Dataloss] PlayStation Network
Message-ID: <6.2.1.2.1.20080328000643.02ebed60@pop3.mail.wowway.com>

A vulnerability in the PlayStation Network may have given hackers access
to PSN passwords as well as the personal info of the Network's users,
Sony revealed earlier today.
The company maintains that the loss of vital credit card info is "very
unlikely." Sony says it has since fixed the vulnerability.

http://blog.wired.com/games/2008/03/sony-warns-of-p.html

- Al Mac

From james.kerr at ceelox.com Fri Mar 28 14:38:03 2008
From: james.kerr at ceelox.com (Jim Kerr)
Date: Fri, 28 Mar 2008 10:38:03 -0400
Subject: [Dataloss] At Least 20 Big-Name Passports Breached
In-Reply-To: <771A26039D33ED489E23D9614DE630DD080EA1A0@SFMAIL02.tealeaf.com>
References: <20080327150421.GA52332@fripp.cwalsh.org> <771A26039D33ED489E23D9614DE630DD080E9E93@SFMAIL02.tealeaf.com> <686cc62f0803271159w3987025ape3a9bd8f1f76de4a@mail.gmail.com> <771A26039D33ED489E23D9614DE630DD080EA1A0@SFMAIL02.tealeaf.com>
Message-ID: <000601c890e1$57694fe0$063befa0$@kerr@ceelox.com>

We have had tremendous success in protecting identities within the
banking industry by use of biometric technology. The customer can pass
credentials with more safety than PIN numbers and pictures of ducks.
An electronic card with temporary credentials is much more expensive and
complicated than simply using a virtually hack-proof 25-character
password that is remembered by the uniqueness of a fingerprint.

From allan_friedman at ksgphd.harvard.edu Fri Mar 28 14:50:24 2008
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Fri, 28 Mar 2008 10:50:24 -0400
Subject: [Dataloss] At Least 20 Big-Name Passports Breached
In-Reply-To: <8095289642414518766@unknownmsgid>
References: <20080327150421.GA52332@fripp.cwalsh.org> <771A26039D33ED489E23D9614DE630DD080E9E93@SFMAIL02.tealeaf.com> <686cc62f0803271159w3987025ape3a9bd8f1f76de4a@mail.gmail.com> <771A26039D33ED489E23D9614DE630DD080EA1A0@SFMAIL02.tealeaf.com> <8095289642414518766@unknownmsgid>
Message-ID: <686cc62f0803280750h43a8863fv36a58475f73e3aea@mail.gmail.com>

On Fri, Mar 28, 2008 at 10:38 AM, wrote:
> We have had tremendous success in protecting identities within the
> banking industry by use of biometric technology. The customer can pass
> credentials with more safety than PIN numbers and pictures of ducks.

I'd love to learn more about this, particularly how it scales across
bureaucracies, particularly if the customer isn't present. I'm not
thinking about public databases but large private ones that have many
people with many different functions doing different things (e.g.
medical records).

I'm guessing that to prevent the above-mentioned passport file snooping
from happening to someone not on a pre-specified watch list you would
need to
a) reorganize the data architecture of the entire system
b) overlay a pretty strong identity layer
c) introduce secure credentialing that allows a yes/no query without
leaking more info
d) probably some chunk of all of the above.

As long as access to databases is fairly unsupervised inside the
organization, you're going to see identity theft.

allan

From james.kerr at ceelox.com Fri Mar 28 15:14:06 2008
From: james.kerr at ceelox.com (Jim Kerr)
Date: Fri, 28 Mar 2008 11:14:06 -0400
Subject: [Dataloss] At Least 20 Big-Name Passports Breached
In-Reply-To: <686cc62f0803280750h43a8863fv36a58475f73e3aea@mail.gmail.com>
References: <20080327150421.GA52332@fripp.cwalsh.org> <771A26039D33ED489E23D9614DE630DD080E9E93@SFMAIL02.tealeaf.com> <686cc62f0803271159w3987025ape3a9bd8f1f76de4a@mail.gmail.com> <771A26039D33ED489E23D9614DE630DD080EA1A0@SFMAIL02.tealeaf.com> <8095289642414518766@unknownmsgid> <686cc62f0803280750h43a8863fv36a58475f73e3aea@mail.gmail.com>
Message-ID: <002a01c890e6$5e8e21b0$1baa6510$@kerr@ceelox.com>

The fact of true accountability would address this issue. If a person
needs to swipe a finger to gain access to information then that person
knows there is a proof-positive audit trail of that event (unlike a
password that could be socially engineered or taken from under the
keyboard). This would deter users from this activity, knowing that their
credentials could not be assumed by another.
This is probably how it is happening so frequently. Just assume someone
else's identity and have at it.

a) There would be no reorganizing infrastructure since the technology
available is non-invasive to provide the credentialing.
b) Again, biometric technology gives you the ability to use 25-character
passwords that don't need to be remembered (or typed in), and the print
is converted into a proprietary algorithm that is encrypted in an AES
256 cipher.
c) This could be done, and again the accountability factor will
dramatically reduce attempts.

-----Original Message-----
From: allan.friedman at gmail.com [mailto:allan.friedman at gmail.com] On Behalf Of Allan Friedman
Sent: Friday, March 28, 2008 10:50 AM
To: james.kerr at ceelox.com
Cc: mhozven at tealeaf.com; dataloss at attrition.org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

On Fri, Mar 28, 2008 at 10:38 AM, wrote:
> We have had tremendous success in protecting identities within the
> banking industry by use of biometric technology. The customer can pass
> credentials with more safety than PIN numbers and pictures of ducks.

I'd love to learn more about this, particularly how it scales across
bureaucracies, particularly if the customer isn't present. I'm not
thinking about public databases but large private ones that have many
people with many different functions doing different things (e.g.
medical records).

I'm guessing that to prevent the above-mentioned passport file snooping
from happening to someone not on a pre-specified watch list you would
need to
a) reorganize the data architecture of the entire system
b) overlay a pretty strong identity layer
c) introduce secure credentialing that allows a yes/no query without
leaking more info
d) probably some chunk of all of the above.

As long as access to databases is fairly unsupervised inside the
organization, you're going to see identity theft.
allan

From Troy.Casey at McKesson.com Fri Mar 28 15:58:49 2008
From: Troy.Casey at McKesson.com (Casey, Troy # Atlanta)
Date: Fri, 28 Mar 2008 11:58:49 -0400
Subject: [Dataloss] At Least 20 Big-Name Passports Breached
In-Reply-To: <002a01c890e6$5e8e21b0$1baa6510$@kerr@ceelox.com>
Message-ID:

Someone is over-selling the accuracy of biometrics. Thanks, I've seen
the false-positive and false-negative rates for fingerprint scanners,
and I'm not buying. I'll stick with my 14-character password.

And not only are biometrics far less accurate than the vendors
advertise, they are prohibitively expensive for the types of large
enterprises that house a lot of the subject data.

Further, I will contend that if companies that don't monitor their
audit logs today add biometrics, no meaningful improvement to security
is achieved. If companies that don't bother to lock down data access to
only those with a true "need to know" adopt biometrics, they only
achieve the illusion of security.

Real security requires that companies make the investment of time and
effort to first lock down access to only those with a need to know,
then maintain those access controls ongoing AND invest in personnel and
technologies to review application audit logs - assuming they wrote
their applications to audit access - then PROSECUTE violators of the
access policy whenever they are found. How many of you are working at
companies that are willing to erode their profits by making such
investments?

No technology is a panacea, and in the absence of these measures all
that new technology will achieve is the illusion of security -- which
is far more dangerous than a clear understanding of where security is
lacking. As long as we as a society both accept the proliferation of our
data as somehow not constituting a privacy violation, and kid ourselves
that some silver bullet is going to solve the security problem, identity
theft will never be solved.

Yeesh,
Troy

Troy D. Casey

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Jim Kerr
Sent: Friday, March 28, 2008 11:14 AM
To: 'Allan Friedman'
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

The fact of true accountability would address this issue. If a person
needs to swipe a finger to gain access to information then that person
knows there is a proof-positive audit trail of that event (unlike a
password that could be socially engineered or taken from under the
keyboard). This would deter users from this activity, knowing that their
credentials could not be assumed by another. This is probably how it is
happening so frequently. Just assume someone else's identity and have at
it.

a) There would be no reorganizing infrastructure since the technology
available is non-invasive to provide the credentialing.
b) Again, biometric technology gives you the ability to use 25-character
passwords that don't need to be remembered (or typed in), and the print
is converted into a proprietary algorithm that is encrypted in an AES
256 cipher.
c) This could be done, and again the accountability factor will
dramatically reduce attempts.

-----Original Message-----
From: allan.friedman at gmail.com [mailto:allan.friedman at gmail.com] On Behalf Of Allan Friedman
Sent: Friday, March 28, 2008 10:50 AM
To: james.kerr at ceelox.com
Cc: mhozven at tealeaf.com; dataloss at attrition.org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

On Fri, Mar 28, 2008 at 10:38 AM, wrote:
> We have had tremendous success in protecting identities within the
> banking industry by use of biometric technology. The customer can
> pass credentials with more safety than PIN numbers and pictures of
> ducks.

I'd love to learn more about this, particularly how it scales across
bureaucracies, particularly if the customer isn't present.
I'm not thinking about public databases but large private ones that have
many people with many different functions doing different things (e.g.
medical records).

I'm guessing that to prevent the above-mentioned passport file snooping
from happening to someone not on a pre-specified watch list you would
need to
a) reorganize the data architecture of the entire system
b) overlay a pretty strong identity layer
c) introduce secure credentialing that allows a yes/no query without
leaking more info
d) probably some chunk of all of the above.

As long as access to databases is fairly unsupervised inside the
organization, you're going to see identity theft.

allan

From allan_friedman at ksgphd.harvard.edu Fri Mar 28 13:11:20 2008
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Fri, 28 Mar 2008 09:11:20 -0400
Subject: [Dataloss] what do you think of a dataloss workshop?
Message-ID: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>

[If this is not the right place to discuss this, let's take it elsewhere]

Given the great and increasingly dense and complex discussion on this
list, I wonder whether there would be any interest in assembling for a
workshop / mini-conference? I'd be happy to try to organize one here at
Harvard sometime next fall. Thoughts?

I feel that many of the discussions we are having here overlap or abut
much of the other discussions in privacy and security. Sitting down and
drawing up a clear understanding of the critical areas of dataloss, and
how it impacts business and law, will be helpful. Is this redundant?
Unnecessary?
Here is my general idea, purely as a strawman.
1) Probably just one day, mid fall 2008
2) Some combination of panels and academic paper presentation, with a
keynote and at least one breakout session
3) Content: 50% academic (econ, law, tech, policy), 25% business, 25%
public policy / advocacy
4) We would need to define dataloss as a reasonably coherent clump to
prevent the typical privacy rehashing, or making it too broad to be
useful. Also, it should be more focused than a run-of-the-mill
enterprise/organization security conference.
5) Topics: breach laws, econ models, technical solutions, understanding
liability, metrics and quant
6) Ideally, the workshop could be summarized to produce a research
agenda and/or a policy agenda
7) In my experience, breakout discussion sessions can be very productive
in knowledge distillation.

If this is not a horrible idea, who would be interested in attending?
Speaking or presenting research? Helping organize? Vendor participation
or sponsorship?

allan

Allan Friedman
PhD Candidate, Public Policy
Kennedy School of Government
Fellow, Center for Research in Computation and Society
School of Engineering and Applied Sciences
Harvard University

From jericho at attrition.org Fri Mar 28 16:59:41 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 28 Mar 2008 16:59:41 +0000 (UTC)
Subject: [Dataloss] follow-up: TJX Assents to Audits Of Data-Security System
Message-ID:

---------- Forwarded message ----------
From: Richard M. Smith

In a press release, TJX, of Framingham, Mass., said it disagreed with
the allegations in the FTC complaint, noting that prior to the breach,
the company's data security "was similar to that of many major
retailers."

http://online.wsj.com/article/SB120664225435369131.html?mod=todays_us_marketplace

TJX Assents to Audits Of Data-Security System
By JOSEPH PEREIRA
March 28, 2008

TJX Cos., which last year disclosed a major data-security breach, agreed
to have its systems that safeguard customers' credit-card data audited
every other year for the next two decades under a settlement with the
Federal Trade Commission.

The FTC said the discount retailer failed to take "readily available
security measures" to protect its customers' data, allowing an intruder
to gain access to tens of millions of credit cards and the personal
information of 455,000 consumers.

"Banks have claimed that tens of millions of dollars in fraudulent
charges have been made on the cards and millions of cards have been
cancelled and reissued," the FTC said.

Financial penalties aren't part of the agreement. The FTC has yet to
receive authority from Congress to assess fines, despite multiple
petitions.

The agency chastised the retailer for not encrypting the data,
establishing firewalls, using complex passwords or regularly updating
antivirus software to make it difficult for hackers to steal customers'
financial data.

[..]

From bkdelong at pobox.com Fri Mar 28 16:55:37 2008
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 28 Mar 2008 12:55:37 -0400
Subject: [Dataloss] what do you think of a dataloss workshop?
In-Reply-To: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
References: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
Message-ID:

The model of Metricon/MiniMetricon (http://www.securitymetrics.org)
might be a nice, workable model to follow, and with RSA around the
corner, there might be quite a few list members attending to warrant at
least a "Meetup" somewhere.

Lyger, perhaps an "Are you going to RSA?" thread for people to use for
the basis of connecting?
On Fri, Mar 28, 2008 at 9:11 AM, Allan Friedman <allan_friedman at ksgphd.harvard.edu> wrote:
> [If this is not the right place to discuss this, let's take it elsewhere]
>
> Given the great and increasingly dense and complex discussion on this
> list, I wonder whether there would be any interest in assembling for a
> workshop / mini-conference? I'd be happy to try to organize one here
> at Harvard sometime next fall. Thoughts?
>
> I feel that many of the discussions we are having here overlap or abut
> much of the other discussions in privacy and security. Sitting down
> and drawing up a clear understanding of the critical areas of
> dataloss, and how it impacts business and law will be helpful. Is this
> redundant? Unnecessary?
>
> Here is my general idea, purely as a strawman.
> 1) Probably just one day, mid fall 2008
> 2) Some combination of panels and academic paper presentation, with a
> keynote and at least one breakout session
> 3) Content: 50% academic (econ, law, tech, policy) 25% business, 25%
> public policy/ advocacy
> 4) We would need to define dataloss as a reasonably coherent clump to
> prevent the typical privacy rehashing, or making it too broad to be
> useful. Also, it should be more focused than a run of the mill
> enterprise/organization security conference.
> 5) Topics: breach laws, econ models, technical solutions,
> understanding liability, metrics and quant
> 6) Ideally, the workshop could be summarized to produce a research
> agenda and/or a policy agenda
> 7) In my experience, breakout discussion sessions can be very
> productive in knowledge distillation.
>
> If this is not a horrible idea, who would be interested in attending?
> Speaking or presenting research? Helping organize? Vendor
> participation or sponsorship?
>
> allan
>
> Allan Friedman
> PhD Candidate, Public Policy
> Kennedy School of Government
> Fellow, Center for Research in Computation and Society
> School of Engineering and Applied Sciences
> Harvard University

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                   Son.
http://www.ianetsec.com                   Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org     Service.
http://bkdelong.livejournal.com           Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From jericho at attrition.org Fri Mar 28 17:02:52 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 28 Mar 2008 17:02:52 +0000 (UTC)
Subject: [Dataloss] follow-up: Advanced tactic targeted grocer - 'Malware' stole Hannaford data
Message-ID:

[Software was installed at each of the roughly 300 stores.. i'm sure
we'd all love to know how that happened. I have a feeling the bad guys
didn't compromise all 300 machines. - jericho]

http://www.boston.com/news/local/articles/2008/03/28/advanced_tactic_targeted_grocer/

A massive data breach at Hannaford Brothers Cos. was caused by a "new
and sophisticated" method in which software was secretly installed on
servers at every one of its grocery stores, the company told
Massachusetts regulators this week.
The unauthorized intrusion the company disclosed on March 17 stemmed
from software that intercepted card data from customers as they paid
with plastic at store checkout counters, and sent the data overseas,
Hannaford's top lawyer said in a letter sent to Attorney General Martha
Coakley and Governor Deval Patrick's Office of Consumer Affairs and
Business Regulation.

The software was installed on computer servers at each of the roughly
300 stores operated by Hannaford and its partners. Hannaford did not say
how the software might have been placed on so many servers, and company
spokeswoman Carol Eleazer said the company continues to investigate how
the software was installed and other specifics of the breach. The Secret
Service, which pursues currency crimes, is conducting its own
investigation.

[..]

From lyger at attrition.org Fri Mar 28 17:10:28 2008
From: lyger at attrition.org (lyger)
Date: Fri, 28 Mar 2008 17:10:28 +0000 (UTC)
Subject: [Dataloss] what do you think of a dataloss workshop?
In-Reply-To:
References: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
Message-ID:

Both the workshop and thread sound like good ideas. For the thread,
however, I'd like to ask that everyone PLEASE be careful with quoting
and trimming off excessive footers when replying to the list. All list
mails are archived on attrition.org and disk space is not an infinite
resource.

http://attrition.org/pipermail/dataloss/2008-March/002118.html

Yeah. What he said.

On Fri, 28 Mar 2008, B.K. DeLong wrote:

": " The model of Metricon/MiniMetricon (http://www.securitymetrics.org) might be
": " a nice, workable model to follow and with RSA around the corner, there might
": " be quite a few list members attending to warrant at least a "Meetup"
": " somewhere.
": "
": " Lyger, perhaps an "Are you going to RSA?" thread for people to use for the
": " basis of connecting?
": "
": " On Fri, Mar 28, 2008 at 9:11 AM, Allan Friedman <
": " allan_friedman at ksgphd.harvard.edu> wrote:
": "
": " > [If this is not the right place to discuss this, let's take it elsewhere]
": " >
": " > Given the great and increasingly dense and complex discussion on this
": " > list, I wonder whether there would be any interest in assembling for a
": " > workshop / mini-conference? I'd be happy to try to organize one here
": " > at Harvard sometime next fall. Thoughts?
": " >
": " > I feel that many of the discussions we are having here overlap or abut
": " > much of the other discussions in privacy and security. Sitting down
": " > and drawing up a clear understanding of the critical areas of
": " > dataloss, and how it impacts business and law will be helpful. Is this
": " > redundant? Unnecessary?

From h at hpjt.net Fri Mar 28 17:38:39 2008
From: h at hpjt.net (H)
Date: Fri, 28 Mar 2008 13:38:39 -0400
Subject: [Dataloss] what do you think of a dataloss workshop?
In-Reply-To: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
Message-ID:

Allan,

Good idea. I can't imagine less than strong interest from the private
sector.

Hugh
FNM Investigations/Forensics

-----Original Message-----
From: Allan Friedman [mailto:allan_friedman at ksgphd.harvard.edu]
Sent: Friday, March 28, 2008 9:11 AM
To: dataloss at attrition.org
Subject: [Dataloss] what do you think of a dataloss workshop?

[If this is not the right place to discuss this, let's take it elsewhere]

Given the great and increasingly dense and complex discussion on this
list, I wonder whether there would be any interest in assembling for a
workshop / mini-conference? I'd be happy to try to organize one here
at Harvard sometime next fall. Thoughts?

...

From bkdelong at pobox.com Fri Mar 28 18:08:32 2008
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 28 Mar 2008 14:08:32 -0400
Subject: [Dataloss] Are you going to RSA?
Message-ID:

Alas, I am not.
But I'm starting the thread in hopes of a mini-Meetup or other such
gathering and group participation in relevant discussion.

However, (work hat temporarily on), one of the Managing Partners at IANS
will be speaking on/presenting a relevant topic and our Lead Analyst
Allan Carey will be there.

Jack Phillips, IANS Founder and Managing Partner, has been selected to
lead the Moderation of HBR Case: "Boss, I Think Someone Stole our
Customer Data?" session at the RSA Conference on Tuesday, April 8, 2008.
The session will be formatted similar to the IANS style of peer-to-peer
information sharing. You need to pre-register for the session via this
link - http://www.rsaconference.com/2008/US/Conference_Program/Peer2Peer_Sessions.aspx

Session Details:
Session Code: P2P-105B
Session Title: Moderation of HBR Case: "Boss, I Think Someone Stole our Customer Data"
Scheduled Date/Time: Tuesday, April 08 01:30 PM - YELLOW ROOM 111
Session Abstract: The October 2007 issue of Harvard Business Review
featured a case study entitled, "Boss I think someone stole our customer
data". Discussion topics for this session include: forensics, media
relations, leadership, communications to management, disaster recovery
plans, and state and federal disclosure regulations.

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                   Son.
http://www.ianetsec.com                   Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org     Service.
http://bkdelong.livejournal.com           Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From james.kerr at ceelox.com Fri Mar 28 18:02:13 2008
From: james.kerr at ceelox.com (Jim Kerr)
Date: Fri, 28 Mar 2008 14:02:13 -0400
Subject: [Dataloss] what do you think of a dataloss workshop?
In-Reply-To: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
References: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
Message-ID: <004a01c890fd$da0f98c0$8e2eca40$@kerr@ceelox.com>

I could have the former Attorney General John Ashcroft speak at a
Harvard workshop. You can listen to the keynote speech he gave a couple
of weeks ago at Infosec: www.ceelox.com

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Allan Friedman
Sent: Friday, March 28, 2008 9:11 AM
To: dataloss at attrition.org
Subject: [Dataloss] what do you think of a dataloss workshop?

[If this is not the right place to discuss this, let's take it elsewhere]

Given the great and increasingly dense and complex discussion on this
list, I wonder whether there would be any interest in assembling for a
workshop / mini-conference? I'd be happy to try to organize one here
at Harvard sometime next fall. Thoughts?

I feel that many of the discussions we are having here overlap or abut
much of the other discussions in privacy and security. Sitting down
and drawing up a clear understanding of the critical areas of
dataloss, and how it impacts business and law will be helpful. Is this
redundant? Unnecessary?

Here is my general idea, purely as a strawman.
1) Probably just one day, mid fall 2008
2) Some combination of panels and academic paper presentation, with a
keynote and at least one breakout session
3) Content: 50% academic (econ, law, tech, policy) 25% business, 25%
public policy/ advocacy
4) We would need to define dataloss as a reasonably coherent clump to
prevent the typical privacy rehashing, or making it too broad to be
useful. Also, it should be more focused than a run of the mill
enterprise/organization security conference.
5) Topics: breach laws, econ models, technical solutions, understanding liability, metrics and quant 6) Ideally, the workshop could be summarized to produce a research agenda and/or a policy agenda 7) In my experience, breakout discussion sessions can be very productive in knowledge distillation. If this is not a horrible idea, who would be interested in attending? Speaking or presenting research? Helping organize? Vendor participation or sponsorship? allan Allan Friedman PhD Candidate, Public Policy Kennedy School of Government Fellow, Center for Research in Computation and Society School of Engineering and Applied Sciences Harvard University _______________________________________________ Dataloss Mailing List (dataloss at attrition.org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml From lyger at attrition.org Fri Mar 28 18:29:48 2008 From: lyger at attrition.org (lyger) Date: Fri, 28 Mar 2008 18:29:48 +0000 (UTC) Subject: [Dataloss] UK: Lost Details Of 180 NHS Staff Found Message-ID: http://news.sky.com/skynews/article/0,,91211-1311056,00.html The payroll details of around 180 NHS staff lost in a street in Stevenage have been recovered by police. Capita, the company who run the NHS payroll service, have confirmed documents relating to Leicester NHS Trust have now been found. On Friday 21 March the papers were discovered in a street in Stevenage. The police were informed. The information includes names, addresses, bank details and national insurance numbers. [...] From chris at cwalsh.org Fri Mar 28 19:50:23 2008 From: chris at cwalsh.org (Chris Walsh) Date: Fri, 28 Mar 2008 14:50:23 -0500 Subject: [Dataloss] what do you think of a dataloss workshop? 
In-Reply-To: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
References: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
Message-ID: <20080328195023.GA59365@fripp.cwalsh.org>

I think it is an outstanding idea.

cw

On Fri, Mar 28, 2008 at 09:11:20AM -0400, Allan Friedman wrote:
> [If this is not the right place to discuss this, let's take it elsewhere]
>
> Given the great and increasingly dense and complex discussion on this
> list, I wonder whether there would be any interest in assembling for a
> workshop / mini-conference? I'd be happy to try to organize one here
> at Harvard sometime next fall. Thoughts?
>

From ckraber at ds3datavaulting.com Fri Mar 28 20:02:33 2008
From: ckraber at ds3datavaulting.com (Craig Kraber)
Date: Fri, 28 Mar 2008 16:02:33 -0400
Subject: [Dataloss] what do you think of a dataloss workshop?
In-Reply-To: <20080328195023.GA59365@fripp.cwalsh.org>
References: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com> <20080328195023.GA59365@fripp.cwalsh.org>
Message-ID: <7161205031CD5745B60173B07B80721C21453E27D0@hqexch01.ds3net.com>

I agree, this is a topic that will generate quite a bit of interest and interaction. Please count me in.

Craig

Craig Kraber
DS3 DataVaulting LLC
703-230-3250-Office
703-328-9075-Cell
To Learn More About DS3 DataVaulting Please Visit Our Website
www.ds3datavaulting.com

From Garvin.Louie at alliedinfosecurity.com Fri Mar 28 20:06:22 2008
From: Garvin.Louie at alliedinfosecurity.com (Garvin Louie - Allied InfoSecurity)
Date: Fri, 28 Mar 2008 16:06:22 -0400
Subject: [Dataloss] what do you think of a dataloss workshop?
In-Reply-To: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
References: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
Message-ID:

Great idea Allan! I'm semi-local and would be willing to help as much as I can. I'll send you a message offline.

Cheers,
Garvin Louie
Allied InfoSecurity

From ihackstuff at gmail.com Fri Mar 28 20:38:07 2008
From: ihackstuff at gmail.com (j0hnny)
Date: Fri, 28 Mar 2008 16:38:07 -0400
Subject: [Dataloss] what do you think of a dataloss workshop?
In-Reply-To:
References: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
Message-ID: <5897c29b0803281338q70413e0dja282d7458c47e7c3@mail.gmail.com>

I, too, am interested in attending and would speak as well, if invited to do so. My current talk ("No Tech Hacking", based on my latest book) is doing very well. The DEFCON version (geared towards a hacker crowd) is archived here:

http://video.google.com/videoplay?docid=-2160824376898701015

Johnny

"I'm Johnny. I hack stuff"
http://johnny.ihackstuff.com

--
Hackers For Charity Quickstats:
Microprojects Completed: 3
Active: 4
Registered Volunteers: 175
Funds raised: $US 4,000(+); $L 22,000

From lyger at attrition.org Fri Mar 28 20:58:37 2008
From: lyger at attrition.org (lyger)
Date: Fri, 28 Mar 2008 20:58:37 +0000 (UTC)
Subject: [Dataloss] OH: University Reports Data Breach
Message-ID:

http://www.washingtonpost.com/wp-dyn/content/article/2008/03/28/AR2008032802398.html

Antioch University says one of its computer systems that contained personal information on about 70,000 people was breached by an unauthorized intruder three times last year.

[...]

The breached system contains names, Social Security numbers, academic records and payroll documents for current and former students, applicants and employees going back to 1996.

[...]

From james_ritchie at sbcglobal.net Sat Mar 29 16:55:43 2008
From: james_ritchie at sbcglobal.net (James Ritchie, CISA, QSA)
Date: Sat, 29 Mar 2008 11:55:43 -0500
Subject: [Dataloss] what do you think of a dataloss workshop?
In-Reply-To: <5897c29b0803281338q70413e0dja282d7458c47e7c3@mail.gmail.com>
References: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com> <5897c29b0803281338q70413e0dja282d7458c47e7c3@mail.gmail.com>
Message-ID: <47EE748F.2050409@sbcglobal.net>

Besides adding a section on business governance and their fiduciary responsibility, and how it relates to protecting data assets within their perimeter, maybe we can have a workshop on creating a certification that could address all compliance issues.

When they build boats, they all have to meet US Coast Guard regulations and inspections. The NMMA certification exceeds Coast Guard requirements and is a non-profit org. Is it possible to bring together one certification that can bring in legal, regulatory, contractual, and internal compliance while creating baseline security that should address all issues?

From lyger at attrition.org Sat Mar 29 17:13:40 2008
From: lyger at attrition.org (lyger)
Date: Sat, 29 Mar 2008 17:13:40 +0000 (UTC)
Subject: [Dataloss] CA: San Quentin loses data on 3,500 visitors
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/03/29/BA4KVSJ9O.DTL

A flash memory drive containing names, birth dates and driver's license numbers of more than 3,500 people who either volunteered or visited San Quentin State Prison in a group tour has been lost, a prison official said Friday.

The flash drive was used to move the data each evening from the prison's administrative office near the parking lot to computers at the two entrance gates to the facility to allow guards to identify volunteers or groups, such as college students, that tour the prison, said Samuel Robinson, a San Quentin spokesman.

"What happens is that we have to transport that information out to individual areas where we let people through" onto prison grounds, he said. "It's our security measure to walk the flash drive."

[...]

From hbrown at knology.net Sat Mar 29 20:32:41 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 29 Mar 2008 15:32:41 -0500
Subject: [Dataloss] LexisNexis Settles with FTC
Message-ID: <47EEA769.1050004@knology.net>

From the Palm Beach Florida Post
http://tinyurl.com/2tr6p6

The LexisNexis Group of British publishing giant Reed Elsevier Inc. has agreed to a settlement with the Federal Trade Commission over data breaches that compromised the personal information of thousands of Americans at its Seisint unit in Boca Raton.

Under the deal reached Thursday, LexisNexis agrees to maintain a wide-ranging data security program, to be confirmed by periodic third-party audits. But it avoided a stiff fine such as the one levied against former rival ChoicePoint, which paid $15 million to settle similar charges two years ago.

The FTC was able to fine ChoicePoint because credit reports were taken, and under the Fair Credit Reporting Act, the agency can levy fines in those instances. With LexisNexis, no credit reports were taken.

[...]
From hbrown at knology.net Sat Mar 29 23:55:10 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 29 Mar 2008 18:55:10 -0500
Subject: [Dataloss] Museum of Science in Boston MA posts patrons data
Message-ID: <47EED6DE.8050203@knology.net>

From the Boston Globe
http://tinyurl.com/2mfcdv

March 28, 2008

The Museum of Science has notified 140 patrons that their names, credit card numbers, and other personal information were exposed on the museum's website because of a contractor's error, but officials said there has been no evidence of fraud or identity theft.

Museum officials mailed notices Wednesday to the affected credit card holders, who took classes at the museum. They also notified another 183 people whose personal, but not financial, information was exposed.

Officials learned March 13 that a file of information from the course-registration database, which also included contact information and credit card expiration dates, could be reached through the museum's website. A museum spokesman said the file's visibility was an inadvertent mistake, not a malicious attack. The information was supposed to be stored on the internal server.

"There's no indication the information was accessed for improper or fraudulent purposes," said Sofiya Cabalquinto.

The exposed file was created in early 2007 by an information contractor working on the museum's computer systems. It included information about students' specific classroom requirements or health concerns, such as allergies, but Cabalquinto said associating the information with specific students would be difficult.

The file was immediately removed, she said. She was unable to say how long the information was available. Officials learned of the problem from someone outside the museum who stumbled upon the information during a random search.

"We take the privacy and security of our visitors' information very seriously and have taken steps to ensure such incidents do not recur in the future," the museum said in a statement.

From mhill at idtexperts.com Sun Mar 30 03:10:10 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Sat, 29 Mar 2008 23:10:10 -0400
Subject: [Dataloss] GA: Thief steals records of former, current DHR employees
Message-ID:

http://www.ajc.com/traffic/content/metro/stories/2008/03/27/theft_0328.html

A thief has stolen computer records containing identifying information on current and former employees of the state Department of Human Resources, including names, Social Security numbers, birth dates and home contact information, officials said Thursday.

DHR officials say the theft occurred about March 19. An external hard drive that stored a database was removed "by an unauthorized person," according to a statement issued by the agency.

The statement did not say how many employees are affected, but the agency employs about 19,000 people. DHR officials didn't respond to a request for information on the number of employees involved.

The agency sent letters to all employees affected by the security breach, urging them to review all credit and other financial records.

[...]

Gov. Sonny Perdue said through a spokesman that the theft heightens concerns about computer security in state government.

"The governor is not happy about where the government is on this," said spokesman Bert Brantley.

Last year, the state lost personal information on 2.9 million enrollees in Medicaid and PeachCare for Kids programs.

After the recent theft, Perdue signed an executive order calling for a single set of information security reporting standards for all state agencies.

[...]

Michael Hill
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751
"If You Think You're Not At Risk, Think Again!"
NOTICE: This email and any attachment to it is confidential and protected by law and intended for the use of the individual(s) or entity named on the email. This information and all email information from the sender is not legal advice nor legal representation and should not be construed as legal advice nor legal representation. Check with your attorney in your State for legal advice. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination or distribution of this communication is prohibited. If you have received this communication in error, please notify the sender via return email and delete it completely from your email system. If you have printed a copy of the email, please destroy it immediately.

From g.vickers at qut.edu.au Mon Mar 31 01:40:20 2008
From: g.vickers at qut.edu.au (Greg Vickers)
Date: Mon, 31 Mar 2008 11:40:20 +1000
Subject: [Dataloss] what do you think of a dataloss workshop?
In-Reply-To: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
References: <686cc62f0803280611u7472047ci3b62cbb7a1a17d63@mail.gmail.com>
Message-ID: <47F04104.707@qut.edu.au>

Hi all,

Allan Friedman wrote:
> [If this is not the right place to discuss this, let's take it elsewhere]
>
> Given the great and increasingly dense and complex discussion on this
> list, I wonder whether there would be any interest in assembling for a

Sounds great. I have a thought for your Oceanic list members, myself included: the AusCERT conference is coming up soon for 2008 (http://conference.auscert.org.au/conf2008/). It may be too late to organise a meeting for this year, but for next year, I'd definitely stop by a Birds of a Feather or something :)

--
Greg Vickers
Phone: +61 7 3138 6902
IT Security Engineer & Project Manager
Queensland University of Technology, CRICOS No. 00213J

From CLHEUREU at standard.com Sun Mar 30 20:23:16 2008
From: CLHEUREU at standard.com (Colette L'Heureux)
Date: Sun, 30 Mar 2008 13:23:16 -0700
Subject: [Dataloss] what do you think of a dataloss workshop?
In-Reply-To: <7161205031CD5745B60173B07B80721C21453E27D0@hqexch01.ds3net.com>
Message-ID:

I would love to attend and help out if possible.

Colette L'Heureux
Information Security Analyst III
Standard Insurance Company
clheureu at standard.com