Frost Bank retained the legal firm of Cox Smith to threaten the OSF and DatalossDB over an incident posting.

From: "Cortez, Linda" (lcortez@coxsmith.com)
To: jkouns[at]opensecurityfoundation.org, bmartin[at]opensecurityfoundation.org
Cc: lbarton@frostbank.com, "Gillette, Meagan" (mgillette@coxsmith.com), "Huffman, Bart" (bhuffman@coxsmith.com)
Date: Wed, 7 Apr 2010 10:56:20 -0500
Subject: Frost Bank -- False and Misleading Incident Report
Parts/Attachments: 2 95 KB Application, "20100407104326848.pdf"
----------------------------------------

Please see the attached correspondence.

Linda Cortez
Legal Secretary
lcortez@coxsmith.com (mailto:lcortez@coxsmith.com)
210 554 5404 direct

112 East Pecan Street | Suite 1800
San Antonio, TX 78205
210 554 5500 tel
210 226 8395 fax

Legal Secretary to Bart Huffman and Meagan Gillette

coxsmith.com (http://www.coxsmith.com)
Vcard (http://www.contentpilot.net/COXECARD/ContactCards/lcortez/lcortez.vcf)

The information in this email may be confidential and/or privileged. This email is intended to be reviewed only by the individual or organization named above. If you are not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any review, dissemination or copying of this email and its attachments, if any, and any use or disclosure of the information contained herein, is prohibited. If you have received this email in error, please immediately notify the sender by email or telephone and permanently delete this email from your system.

Pursuant to Department of Treasury Circular 230, this email and any attachment hereto, is not intended or written or to be used, and may not be used by the recipient, for the purpose of avoiding any federal tax penalty which may be asserted.

From: Brian Martin (bmartin[at]attrition.org)
To: "Cortez, Linda" (lcortez@coxsmith.com)
Cc: officers[at]opensecurityfoundation.org, lbarton@frostbank.com, "Gillette, Meagan" (mgillette@coxsmith.com), "Huffman, Bart" (bhuffman@coxsmith.com)
Date: Wed, 7 Apr 2010 17:56:21 +0000 (UTC)
Subject: Re: Frost Bank -- False and Misleading Incident Report

Hi Linda,

: Please see the attached correspondence.

I am sorry, but due to the numerous vulnerabilities in PDF software (e.g., Adobe, Foxit) [1], we generally do not open PDF attachments from untrusted sources. Please re-send your correspondence as a plain text document.

Further, please direct all mails to officers[at]opensecurityfoundation.org (in the CC now).

Thank you,

Brian Martin
Open Security Foundation (OSF)

[1] http://osvdb.org/search?search%5Bvuln_title%5D=adobe&search%5Btext_type%5D=titles
    http://osvdb.org/search?search%5Bvuln_title%5D=foxit&search%5Btext_type%5D=titles

From: "Cortez, Linda" (lcortez@coxsmith.com)
To: jkouns[at]opensecurityfoundation.org, bmartin[at]opensecurityfoundation.org, Brian Martin (bmartin[at]attrition.org)
Cc: officers[at]opensecurityfoundation.org, lbarton@frostbank.com, "Gillette, Meagan" (mgillette@coxsmith.com), "Huffman, Bart" (bhuffman@coxsmith.com)
Date: Wed, 7 Apr 2010 13:19:05 -0500
Subject: Frost Bank -- False and Misleading Incident Report

Jake Kouns, Chairman/CEO-CFO          Via email and U.S. certified mail
Brian Martin, President/COO
Open Security Foundation
5518 Olde Hartley Way
Glen Allen, VA 23060

Re: False and Misleading Incident Report on www.datalossdb.org (the "Website")

Dear Messrs. Kouns and Martin:

This firm and I represent Frost Bank with respect to a false and misleading incident report concerning it on the Website (the "Erroneous Incident Report", located at http://datalossdb.org/organizations/293-frost-bank and http://datalossdb.org/incidents/288-about-100-customers-debit-card-information-stolen-from-the-database-of-an-unnamed-national-retailer).

The Erroneous Incident Report falsely indicates that Frost Bank was the subject of a "HACK" of customer data. In actuality, Frost Bank did not experience the "hack" nor did Frost Bank experience any other form of data theft in connection with the subject incident.

The actual incident involved the theft of records from an unrelated credit card processor's system. Visa notified Frost Bank that a number of its customer cards were affected, and Frost publicly addressed the situation to protect its customers. Contrary to the portrayal on the Website, the data breach had absolutely nothing to do with any of Frost Bank's computer systems or any data in Frost Bank's possession, custody, or control. It is my understanding that this error has previously been brought to your attention, yet you failed to respond or to remove the Erroneous Incident Report from the Website.

The Erroneous Incident Report has damaged and continues to damage Frost Bank's goodwill and business relations. Among other things, Frost Bank has received and been required to address multiple inquiries from customers and potential customers who have expressed concern based on their review of the Erroneous Incident Report on the Website.

The Erroneous Incident Report constitutes libel per se, not subject to any privilege or immunity, and may give rise to other causes of action and legal rights and remedies. We hope that the failure to respond to Frost Bank's prior notification is not a result of willful behavior, but if so, such behavior may give rise to heightened damages and/or penalties under the law.

Please remove the Erroneous Incident Report from the Website immediately, and provide written confirmation of the same to the undersigned.

Any failure to respond appropriately may result in legal action without further notice. If you have any questions, do not hesitate to contact me.

Sincerely,

/s/

Bart W. Huffman

cc: Louis Barton - Frost Bank
    Meagan Gillette - Firm

Cox Smith
112 East Pecan Street | Suite 1800
San Antonio, TX 78205
210 554 5500 tel
210 226 8395 fax

The information in this email may be confidential and/or privileged. This email is intended to be reviewed only by the individual or organization named above. If you are not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any review, dissemination or copying of this email and its attachments, if any, and any use or disclosure of the information contained herein, is prohibited. If you have received this email in error, please immediately notify the sender by email or telephone and permanently delete this email from your system.

Pursuant to Department of Treasury Circular 230, this email and any attachment hereto, is not intended or written or to be used, and may not be used by the recipient, for the purpose of avoiding any federal tax penalty which may be asserted.

From: Brian Martin (bmartin[at]attrition.org)
To: Jake Kouns (jkouns[at]opensecurityfoundation.org)
Cc: Officers (officers[at]opensecurityfoundation.org)
Date: Wed, 7 Apr 2010 19:02:27 +0000 (UTC)
Subject: Re: Fwd: Frost Bank -- False and Misleading Incident Report

Dave and I are chatting, I made a few changes to the incident:

http://datalossdb.org/incidents/288-about-9300-customers-debit-card-information-stolen-from-the-database-of-an-unnamed-national-retailer

* 100 -> 9300, per the article (we had it wrong). 9300 were compromised, only 100 were verified as abused and money taken from account.
* Changed ? to PRIMARY org, which moved Frost Bank to other affected
* SITE WIDE, dave changed "other organizations" to "Other Affected/Involved Organizations". this is more accurate across the board, not just for Frost.
* The primary org of "?" is renamed to "Unknown Organization" so it displays better and is more clear to the user
* I added a comment to the incident mentioning the change in number and moving frost to secondary.

With the change away from primary, rewording how they are involved and primary now saying 'unknown', going to see if the lawyers will accept that (they won't I bet, they invested money in a lawyer, they likely want more).

I am going to reply to the lawyers now, mentioning these changes, and see if that resolves the issue.

.b

From: Brian Martin (bmartin[at]attrition.org)
To: "Cortez, Linda" (lcortez@coxsmith.com)
Cc: officers[at]opensecurityfoundation.org, lbarton@frostbank.com, "Gillette, Meagan" (mgillette@coxsmith.com), "Huffman, Bart" (bhuffman@coxsmith.com)
Date: Wed, 7 Apr 2010 20:21:00 +0000 (UTC)
Subject: Re: Frost Bank -- False and Misleading Incident Report

Hi Linda,

First off, thank you for resending as plain text, it is very helpful. Comments and disposition inline:

: Re: False and Misleading Incident Report on www.datalossdb.org (the "Website")
: This firm and I represent Frost Bank with respect to a false and
: misleading incident report concerning it on the Website (the "Erroneous
: Incident Report", located at
: [links]
: The Erroneous Incident Report falsely indicates that Frost Bank was the
: subject of a "HACK" of customer data. In actuality, Frost Bank did not
: experience the "hack" nor did Frost Bank experience any other form of
: data theft in connection with the subject incident.

Per the 'SA Business' article that is the primary source for this event:

http://www.mysanantonio.com/business/MYSA051906_01E_frosttheft_216bbd06_html.html

"Hackers dipped into the accounts of about 100 Frost Bank customers after they took Visa debit card information from the database of an unnamed national retailer and went on a spending spree, Frost officials said Thursday."

"The cyber intruders gained access to about 9,300 Frost debit card accounts but used less than 1 percent of them, Scott said."

Frost Bank was not 'hacked', but they certainly experienced data theft in connection with the subject incident, as confirmed by Frost Bank Senior Vice President Sharion Scott in the article. This makes Frost Bank an 'affected organization' and not the 'primary organization' by DatalossDB cataloging standards.

: The actual incident involved the theft of records from an unrelated
: credit card processor's system.
: Visa notified Frost Bank that a number
: of its customer cards were affected, and Frost publicly addressed the
: situation to protect its customers. Contrary to the portrayal on the
: Website, the data breach had absolutely nothing to do with any of Frost
: Bank's computer systems or any data in Frost Bank's possession, custody,
: or control. It is my understanding that this error has previously been
: brought to your attention, yet you failed to respond or to remove the
: Erroneous Incident Report from the Website.

Your understanding of how we were contacted was not entirely accurate I would guess. We received two comments submitted to that page from an *anonymous* source(s). No contact information was left for us to follow-up, verify and ask questions as needed to clarify the incident. The comment made no mention that it was done by a Frost employee. As you can guess, we cannot act on anonymous information without some verification or collaboration from an unbiased third-party. While we could not act on it, we did post the comments in full with the hope that someone would come forward with more information that could be verified.

Despite the anonymous comments, we performed due diligence and checked our web server logs to try to ascertain who left them. We found that the comments were made from 209.184.178.1 which is registered to Frost Bank:

forced /home/armchairlawyer# whois 209.184.178.1
AT&T Internet Services SBCIS-SIS80 (NET-209-184-0-0-1)
                                  209.184.0.0 - 209.184.255.255
Frost National Bank SBCIS-082102150726 (NET-209-184-178-0-1)
                                  209.184.178.0 - 209.184.178.255

Since a Frost Bank employee made the comments, and did so in a fashion that was not transparent, we acted in a responsible manner. After the first comment, we made sure the entry stated it was an unknown merchant, as the anonymous comment suggested and posted the comment in full.
Given that the second comment said "This issue had nothing to do with FROST BANK", when Frost was clearly involved in a tangential manner, that comment was obviously false and we simply could not act on it as a valid source of information.

Frost bank did not contact us directly, via e-mail, as you did. Given the method of contact, assuming that is the 'contact' you refer to, that was not something we could act on. OSF considers this e-mail to be the first formal contact by Frost Bank (via your firm) where we are relatively sure of the identity of the parties taking issue with the entry. Before this mail, the IP address only told us a Frost Bank employee commented, but not who it was or if they were in a position to speak on behalf of the bank.

That said..

After reviewing the incident, OSF has made several changes to the page. These changes have been made because we strive for accurate information, and we wish to accurately catalog the incident. We hope that the changes satisfy Frost Bank:

* The primary organization is now listed as "Unknown Organization" instead of "?". This makes it more clear that the company actually responsible for the dataloss is unknown to us at this time.
* The term "other organizations" was not the best way to describe affected companies in cases like this. That wording has been changed to "Other Affected/Involved Organizations".
* Frost Bank has been re-categorized as "Other Affected/Involved Organizations".
* Per the 'SA Business' article, the affected records have been updated from 100 to 9,300. The article quotes Scott as saying 9,300 were affected, but only 100 were abused in some fashion (money withdrawn).
* I have added a comment to the entry explaining these changes briefly, specifically stating "Frost Bank has been updated as an 'affected organization' and 'unknown' is listed as the primary now."

Further, if Frost Bank has a public statement regarding this incident, we will be happy to link to it, or host it on our site.
Even better, if Frost Bank would confirm the affected merchant, we could make the entry more helpful to consumers and more accurately show how Frost Bank was involved.

: The Erroneous Incident Report has damaged and continues to damage Frost
: Bank's goodwill and business relations.

Frost Bank's goodwill is certainly in question after their improper handling of contacting OSF. Had they e-mailed us to begin with, rather than resorting to anonymous comments, this likely would have been easily resolved. Instead, they opted not to follow the generally accepted 'chain of command' in dealing with situations like this. While that is extremely fortunate for you (one can assume your hourly rate is impressive), it is unfortunate for the Open Security Foundation, as we are a 501(c)(3) non-profit volunteer-based organization simply trying to help with consumer awareness regarding data security and data loss.

: The Erroneous Incident Report constitutes libel per se, not subject to
: any privilege or immunity, and may give rise to other causes of action

The activity of OSF is not libel per se, as the information published was not done with malice. OSF performed due diligence, attempted to catalog the incident accurately in a good-faith effort and responded in a reasonable manner to improper methods of contact from Frost Bank. With a Frost Bank senior officer on public record stating that the bank was involved in the incident, the information we published is not a false statement. As such, our actions do not meet the criteria for libel or defamation.

: and legal rights and remedies. We hope that the failure to respond to
: Frost Bank's prior notification is not a result of willful behavior, but
: if so, such behavior may give rise to heightened damages and/or
: penalties under the law.

I have explained the 'prior notification' in greater detail than was explained to you by Frost Bank.
Notification was done anonymously, with no method to contact Frost Bank for validation of the comments. We acted in good faith and have been readily available when contacted through appropriate channels (e.g., e-mail) as you have witnessed first hand.

: Please remove the Erroneous Incident Report from the Website
: immediately, ..

No.

: Any failure to respond appropriately may result in legal action without
: further notice. If you have any questions, do not hesitate to contact
: me.

Since OSF has acted and responded appropriately, you can skip the legal action, thanks.

Brian Martin
President / COO
Open Security Foundation

From: "Huffman, Bart" (bhuffman@coxsmith.com)
To: Brian Martin (bmartin[at]attrition.org), bmartin[at]opensecurityfoundation.org
Cc: officers[at]opensecurityfoundation.org, jkouns[at]opensecurityfoundation.org, lbarton@frostbank.com, "Gillette, Meagan" (mgillette@coxsmith.com)
Date: Thu, 8 Apr 2010 12:13:40 -0500
Subject: RE: Frost Bank -- False and Misleading Incident Report

Mr. Martin:

Thank you for your initial effort to address Frost Bank's concerns. Please note that Linda Cortez is my assistant, who was merely following your special requests for the delivery of my letter to you.

As an initial matter, I do not agree with your assertions regarding the prior efforts of Frost Bank to address (using functionality provided by your Website) the erroneous listing on your Website. In fact, it is my understanding that the Frost Bank representative actually did provide his contact information - again, using the functionality provided on the Website for comments. He obviously had no control over what your team or your software did with that information.

I encourage you to re-read the (sensationalized) press article you reference below. In any event, Frost Bank did not have anything to do with the subject incident, which as we understand it (and as the Website portrays it) involves the "hack" or theft of data. Contrary to your characterization below, Frost did not experience any data theft - rather, the "hackers" (of an unrelated processor, the identity of which was not disclosed by the payment card brand) apparently used data they stole elsewhere to misappropriate funds from Frost Bank accounts. Beyond any doubt, those "hackers" used the misappropriated data to obtain funds, goods, or services from numerous companies, not just Frost Bank.

As an aside, even if those "hackers" stole the data of up to 9300 Frost Bank customers (a figure I have not confirmed, and as to which I certainly would not rely on a news article), that number is particularly immaterial and misleading in connection with the Erroneous Incident Report, and your revision in that regard is inflammatory and not appreciated. Among other things, neither the number 100 nor the number 9300 is related or calculated to relate to the number of records that were stolen from someone else (which, as I understand it, is supposed to be the subject of the report).

Even as modified by you, the Erroneous Incident Report is false and misleading. Frost Bank is still the only organization associated with this report (and the number of records in the title), and the listing of Frost Bank as an "Organization" (on one web page, next to a prominent "HACK" sign) or as an "Other Affected/Involved Organization" (on another web page, where Frost Bank is the only identified entity, without any further explanation) improperly suggests to your website users that Frost Bank was "hacked", which is absolutely not the case.

Again, Frost Bank requires that the Erroneous Incident Report be immediately removed. If you are unwilling to do so but wish to consider a further revision, I would welcome the opportunity to discuss whether we can agree upon a revision that would cure the misleading nature of the current posting.

Given your expressed objectives, I hope and expect that we can resolve this matter amicably in a manner calculated to present accurate information to your website's users. I look forward to hearing from you.

Sincerely,

Bart Huffman

Bart W. Huffman
bhuffman@coxsmith.com (mailto:bhuffman@coxsmith.com)
210 554 5331 direct

112 East Pecan Street | Suite 1800
San Antonio, TX 78205
210 554 5500 tel
210 226 8395 fax
210 867 9912 mobile

Licensed in Tx, NY & Ca
Registered Patent Attorney

coxsmith.com (http://www.coxsmith.com)
Vcard (http://www.contentpilot.net/COXECARD/ContactCards/bhuffman/bhuffman.vcf) | Bio (http://www.coxsmith.com/People/BartWHuffman)

The information in this email may be confidential and/or privileged. This email is intended to be reviewed only by the individual or organization named above. If you are not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any review, dissemination or copying of this email and its attachments, if any, and any use or disclosure of the information contained herein, is prohibited. If you have received this email in error, please immediately notify the sender by email or telephone and permanently delete this email from your system.

Pursuant to Department of Treasury Circular 230, this email and any attachment hereto, is not intended or written or to be used, and may not be used by the recipient, for the purpose of avoiding any federal tax penalty which may be asserted.

From: Brian Martin (brian[at]opensecurityfoundation.org)
Date: Thu, Apr 8, 2010 at 1:45 PM
Subject: Re: Frost Bank -- False and Misleading Incident Report
To: "Huffman, Bart" (bhuffman@coxsmith.com)
Cc: officers[at]opensecurityfoundation.org, "Gillette, Meagan" (mgillette@coxsmith.com), lbarton@frostbank.com

Hi Bart,

: As an initial matter, I do not agree with your assertions regarding the
: prior efforts of Frost Bank to address (using functionality provided by
: your Website) the erroneous listing on your Website. In fact, it is my
: understanding that the Frost Bank representative actually did provide his
: contact information - again, using the functionality provided on the
: Website for comments. He obviously had no control over what your team or
: your software did with that information.

I understand why you do not agree, you are being paid hourly to represent and agree with your client. However, your client is not being honest with you, at least partially. While OSF does not have a log retention policy that allows us to show the first comment, we do have the related log for the second comment made from Frost Bank:

Processing ProposedChangesController#create (for 209.184.178.1 at 2010-03-12 10:07:51) [POST]
  Parameters: {"incident_id"=>"288-about-100-customers-debit-card-information-stolen-from-the-database-of-an-unnamed-national-retailer", "commit"=>"Propose Change", "authenticity_token"=>"5PtNmSyOxH1ULQ5qmqpmoH3YoCcw/3tG1kfZYRfucNI=", "proposed_change"=>{"captcha_key"=>"2b232f9a9459202877a39a587cd5eef973a360a3", "captcha"=>"WESVVO", "reference_url"=>"www.maste rcard.com", "changed_value"=>"This issue had nothing to do with FROST BANK.\r\nPlease remove any reference to FROST BANK as it is creating undue concern and is erroneous and inappropriate.\r\nThe incident described here was strictly related to a Master Card merchant and not FROST."}}

If you look carefully at this log, you will see the IP address (belonging to Frost Bank), the date and time it was
posted, which incident it was posted to, all kinds of techno-gobbledygook followed by the comment. The only way we had any indication this came from Frost Bank is the IP address. As I previously stated, we do not know who at Frost Bank made the comment or if they were authorized to speak on behalf of the bank. Your client did not provide any contact information, as the comment was made anonymously. If your client had created an account (free for anyone to do), he could have associated his name and contact information with it before posting the comment.

: I encourage you to re-read the (sensationalized) press article you
: reference below. In any event, Frost Bank did *not* have anything to do
: with the subject incident, which as we understand it (and as the Website
: portrays it) involves the "hack" or theft of data. Contrary to your
: characterization below, Frost did *not* experience any data theft -
: rather, the "hackers" (of an unrelated processor, the identity of which was
: not disclosed by the payment card brand) apparently used data *they stole
: elsewhere* to misappropriate funds from Frost Bank accounts. Beyond any
: doubt, those "hackers" used the misappropriated data to obtain funds, goods,
: or services from numerous companies, not just Frost Bank.

I encourage you to re-read the glorious DatalossDB site and my mail. We understand and agree that Frost Bank was not "hacked". We disagree on it "not having anything to do with the subject incident". Let me break this down in simple terms:

1. A national retailer was compromised (e.g., "hacked"), and a lot of personal data was taken
2. Among that information, 9,300 account numbers of Frost Bank customers were present
3. The bad guys used 100 of those account numbers to transfer funds.

None of those points are in dispute, other than your untenable claims.
Frost Bank gave a statement to the author of that "sensationalized" article and confirmed that Frost Bank records were part of the data taken from the national merchant. That makes them having "something" to do with the incident, as at least 100 people had additional information compromised when the bad guys logged into those accounts.

You are trying to use lawyerly words and apply them to a technical incident, which does not work. Records can 'belong' to one party but exist in many places and be kept in custody by a second or third party, which is the case here. Let me focus on your own words above here:

"Frost did *not* experience any data theft - rather, the "hackers" (of an unrelated processor ..) apparently used data *they stole elsewhere* to misappropriate funds from Frost Bank accounts."

Read the last six words of that sentence please. Frost Bank was clearly related in a tangential manner, which DatalossDB tracks and disclaims appropriately.

: As an aside, even if those "hackers" stole the data of up to 9300 Frost
: Bank customers (a figure I have not confirmed, and as to which I certainly
: would not rely on a news article), that number is particularly immaterial
: and misleading in connection with the Erroneous Incident Report, and your
: revision in that regard is inflammatory and not appreciated. Among other
: things, neither the number 100 nor the number 9300 is related or calculated
: to relate to the number of records that were stolen from someone else
: (which, as I understand it, is supposed to be the subject of the report).

If you feel that the article on mysanantonio.com is in error, have you contacted them to ask for a retraction or clarification? The article quotes a senior official with Frost Bank who explicitly gave the 9,300 figure to the reporter it seems. If that is not the case, you certainly cannot begrudge us for using it as a public source of information.
If the journalist or publication releases a retraction stating those numbers are inaccurate, we will modify our information accordingly.

I find it interesting that you "certainly would not rely on a news article" when you likely do it every single day of your adult life. Unless you are a rare person that reads no newspapers, watches no news shows, reads no magazines and avoids all web sites with 'news', then at some point you have relied on a news article for information.

The 100 and 9300 numbers are not calculated at all. You are right, our goal is to publish the total number of cards affected in any given incident, but we simply do not have that information. As you have said several times, we do not even have confirmation of the national retailer. If you read back to the comment posted by your client, Frost Bank, their inclusion of the URL " www.mastercard.com" is very interesting. Can we take that as confirmation of the retailer that was compromised? If not, could you or Frost Bank explain why they are providing us with misleading and erroneous information themselves?

Your assertion that "our revision" of these numbers is "inflammatory and not appreciated". We clearly documented the numbers and the source of the information. The article mentions "100" and "9300", and our site mentions "9300". The original report on our site had an error, stating "100" records were compromised, when in fact, around 100 were abused of the 9300 compromised, as confirmed by Frost Bank Senior Vice President Sharion Scott.

Sir, your accusations that we revised the numbers in some inflammatory fashion is libel per se. To accuse a 501(c)(3) non-profit of having some agenda or vendetta against one of thousands of companies that appear on our page is ridiculous and unfounded.
If you look at our site more closely, you will see that this situation is very common and Frost is not the first to appear in the database under these circumstances:

http://datalossdb.org/search?query=unknown+organization

: Even as modified by you, the Erroneous Incident Report is false and
: misleading. Frost Bank is still the only organization associated with this
: report (and the number of records in the title), and the listing of Frost
: Bank as an "Organization" (on one web page, next to a prominent "HACK" sign)
: or as an "Other Affected/Involved Organization" (on another web page, where
: Frost Bank is the only identified entity, without any further explanation)
: improperly suggests to your website users that Frost Bank was "hacked",
: which is absolutely not the case.

Perhaps we are not reading the same page?

http://datalossdb.org/incidents/288-about-9300-customers-debit-card-information-stolen-from-the-database-of-an-unnamed-national-retailer

Your claim "without any further explanation" is erroneous. The first comment by an OSF staff member reads:

"We're told that Frost bank isn't the only bank involved in this. Unfortunately, we have no further details. If anyone has any additional information, please feel free to contact us."

: Again, Frost Bank requires that the Erroneous Incident Report be
: immediately removed. If you are unwilling to do so but wish to consider a
: further revision, I would welcome the opportunity to discuss whether we can
: agree upon a revision that would cure the misleading nature of the current
: posting.

We have made it perfectly clear that we strive for accurate information, and are willing to make revisions to reach that exact goal. We further offered to host a statement from Frost Bank explaining the incident, and we are still trying to find out additional information about the incident, namely the national retailer (please read above re: Mastercard), other affected organizations and a total number of records.
If you or Frost Bank could assist us with that, it would go a long way in letting us further enhance the entry to better represent what happened surrounding the incident. We asked in the last mail for Frost Bank to provide a statement and we again encourage them to do so.

As I said in the previous mail, we absolutely will not remove the entire entry. To do that based on legal threats from an affected organization betrays certain principles and morals we have. These mails seem to be a strong effort to minimize public exposure regarding the incident, rather than an attempt to provide accurate information. We sincerely hope that is not the purpose of retaining a lawyer and sending a cease and desist as you have done.

: Given your expressed objectives, I hope and expect that we can resolve this
: matter amicably in a manner calculated to present accurate information to
: your website's users. I look forward to hearing from you.

Again, I want to emphasize this because it is important to us, Frost Bank and their customers. Our purpose is to provide accurate information that summarizes data loss incidents to make consumers aware of the risks surrounding data retention, data loss and the resulting consequences on both organizations and their customers. If Frost Bank can assist us with that, I am sure we can resolve this amicably in a manner that is beneficial to Frost Bank, DatalossDB and consumers everywhere.

Brian Martin
President / COO
Open Security Foundation
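
The log review described in the replies above (source IP taken from the Rails request log, matched against the whois netblocks, then a check for any contact details in the submission), as an added example that is not part of the original thread or OSF's own tooling. The function names, the second log entry, the address 198.51.100.7 and reader@example.org are constructed for illustration, and the parser assumes string keys and values as in the quoted log.

```python
import ipaddress
import json
import re
from datetime import datetime

# Netblocks as printed by the whois output quoted in the thread (first, last).
WHOIS_RANGES = {
    "AT&T Internet Services": ("209.184.0.0", "209.184.255.255"),
    "Frost National Bank": ("209.184.178.0", "209.184.178.255"),
}

# Constructed sample. Entry 1 is abridged from the log quoted in the thread
# (token, captcha and reference_url fields dropped). Entry 2 is invented.
SAMPLE_LOG = r'''
Processing ProposedChangesController#create (for 209.184.178.1 at 2010-03-12 10:07:51) [POST]
  Parameters: {"incident_id"=>"288-about-100-customers-debit-card-information-stolen-from-the-database-of-an-unnamed-national-retailer", "commit"=>"Propose Change", "proposed_change"=>{"changed_value"=>"This issue had nothing to do with FROST BANK.\r\nPlease remove any reference to FROST BANK as it is creating undue concern and is erroneous and inappropriate."}}
Processing ProposedChangesController#create (for 198.51.100.7 at 2010-03-12 11:30:02) [POST]
  Parameters: {"incident_id"=>"288-about-100-customers-debit-card-information-stolen-from-the-database-of-an-unnamed-national-retailer", "commit"=>"Propose Change", "proposed_change"=>{"changed_value"=>"Please contact me at reader@example.org about this entry."}}
'''

REQUEST_RE = re.compile(
    r"Processing ([\w:]+)#(\w+) \(for (\S+) at (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\) \[(\w+)\]"
    r"\s+Parameters: (\{.*\})"
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def ruby_hash_to_dict(text):
    """Turn Ruby Hash#inspect text into a dict, rewriting only outside strings."""
    out, in_str, escaped, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("=>", i):   # hash rocket becomes a JSON colon
            out.append(":")
            i += 1
        elif text.startswith("nil", i):  # Ruby nil becomes JSON null
            out.append("null")
            i += 2
        else:
            out.append(ch)
        i += 1
    return json.loads("".join(out))


def build_netblocks(ranges):
    """Expand first/last whois ranges into CIDR networks, most specific first."""
    blocks = []
    for owner, (first, last) in ranges.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        blocks += [(net, owner) for net in ipaddress.summarize_address_range(lo, hi)]
    return sorted(blocks, key=lambda b: b[0].prefixlen, reverse=True)


def owner_of(ip, blocks):
    """Return the registrant of the most specific netblock containing ip."""
    addr = ipaddress.ip_address(ip)
    return next((owner for net, owner in blocks if addr in net), None)


def strings_in(value):
    """Yield every string value in a nested parameter hash."""
    if isinstance(value, dict):
        for item in value.values():
            yield from strings_in(item)
    elif isinstance(value, str):
        yield value


def review(log_text, ranges=WHOIS_RANGES):
    """One finding per logged request: when, from where, whose netblock, any contact."""
    blocks = build_netblocks(ranges)
    findings = []
    for m in REQUEST_RE.finditer(log_text):
        _controller, _action, ip, stamp, _method, raw = m.groups()
        params = ruby_hash_to_dict(raw)
        findings.append({
            "when": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "ip": ip,
            "owner": owner_of(ip, blocks),
            "incident": str(params.get("incident_id") or "").split("-", 1)[0],
            "contact_given": any(EMAIL_RE.search(s) for s in strings_in(params)),
        })
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A netblock match identifies the network a request came from, not the person who sent it, which is the limit the thread itself notes about the IP address.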