From lyger at attrition.org Fri Sep 1 09:50:35 2006
From: lyger at attrition.org (lyger)
Date: Fri, 1 Sep 2006 09:50:35 -0400 (EDT)
Subject: [Dataloss] Personal information of 2,100 VCU students exposed online
Message-ID:

Courtesy PogoWasRight.org:

http://www.timesdispatch.com/servlet/Satellite?pagename=RTD%2FMGArticle%2FRTD_BasicArticle&c=MGArticle&cid=1149190342537&path=!news&s=1045855934842

BY GARY ROBERTSON
TIMES-DISPATCH STAFF WRITER
Sep 1, 2006

Human error caused the names, Social Security numbers and e-mail addresses of about 2,100 current and former Virginia Commonwealth University students to be available online for eight months, the school says.

VCU announced yesterday that it is contacting affected students, but there is no indication that their information has been viewed or used.

According to VCU, the personal information of freshmen and graduate engineering students from the fall semester of 1998 through 2005 was unintentionally placed in a folder available on the Internet.

VCU said the problem was discovered Tuesday by a student who Googled her name and found personal information.

The data became exposed in January when files on a School of Engineering server were moved to an insecure folder.

[...]


From lyger at attrition.org Fri Sep 1 17:19:18 2006
From: lyger at attrition.org (lyger)
Date: Fri, 1 Sep 2006 17:19:18 -0400 (EDT)
Subject: [Dataloss] Follow-up to AT&T Breach
Message-ID:

Courtesy Fergie's Tech Blog:
http://fergdawg.blogspot.com/

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/09/01/BUGVBKSUIE1.DTL

When AT&T said in a press release this week that "unauthorized persons illegally hacked into a computer system and accessed personal data" from thousands of DSL customers, it wasn't telling the whole story.

Internal company documents show that the security breach was only the first step in a more elaborate scam that involved bogus e-mail being sent to AT&T customers that attempted to trick them into revealing additional info that could be used for widespread fraud or identity theft.

[...]


From lyger at attrition.org Fri Sep 1 18:15:31 2006
From: lyger at attrition.org (lyger)
Date: Fri, 1 Sep 2006 18:15:31 -0400 (EDT)
Subject: [Dataloss] Personal Data Of Chicago Employees Stolen
Message-ID:

(Please look for the following sentence: "However, the firm believes the risk of identity theft or misuse of the information is low, because the computer was protected by User ID and a complicated password, the release said." Unbelievable. - lyger)

Courtesy PogoWasRight.org
http://www.wbbm780.com/pages/77513.php?contentType=4&contentId=198758

Thousands of city employees could be at risk of identity theft following the theft of a laptop computer from a city contractor, and a delay of more than a year in reporting the theft to the proper personnel within the company, according to a release from the Mayor's office.

Nationwide Retirement Solutions, the provider of deferred compensation services for City of Chicago employees, has notified the city that a laptop computer containing personal information about customers was stolen from the home of one of its employees, according to the release.

NRS, which has provided services for city employees since 2004, is notifying affected individuals by letter and offering free credit-monitoring service for a year, which includes $25,000 of identity theft insurance, according to the release.

[...]
From lyger at attrition.org Fri Sep 1 22:50:43 2006
From: lyger at attrition.org (lyger)
Date: Fri, 1 Sep 2006 22:50:43 -0400 (EDT)
Subject: [Dataloss] Auditor Loss Of Wells Fargo Data Alleged
Message-ID:

Courtesy PogoWasRight.org
http://www.securitypronews.com/news/securitynews/spn-45-20060901AuditorLossOfWellsFargoDataAlleged.html

A two-page letter obtained by SecurityProNews claimed a notebook computer containing personal information about Wells Fargo employees has been stolen from an auditor's vehicle.

The letter, dated August 28th, said the computer and a data disk were stolen from the locked trunk of an unnamed auditor. The auditor contacted Wells Fargo and law enforcement, and both are investigating the theft.

"The auditor had your information because we are required by the Internal Revenue Service to have our health plans audited by independent qualified public accountants," the letter read. "We have no indication that the information has been accessed or misused."

Employee data including names, Social Security numbers, and information about prescription drug claim cost and dates made during 2005 under the Wells Fargo health plan, was on the disk.

[...]


From hbrown at knology.net Sat Sep 2 07:31:14 2006
From: hbrown at knology.net (Henry Brown)
Date: Sat, 02 Sep 2006 06:31:14 -0500
Subject: [Dataloss] Personal Data Of Chicago Employees Stolen
In-Reply-To:
References:
Message-ID: <44F96B82.4030507@knology.net>

From another source
http://www.belleville.com/mld/belleville/news/politics/15419930.htm

...
While the theft was reported to local police and the company, an internal communications problem kept the company's team that investigates stolen computers from finding out about it until this July, according to the city.
...

lyger wrote:
> (Please look for the following sentence: "However, the firm believes the
> risk of identity theft or misuse of the information is low, because the
> computer was protected by User ID and a complicated password, the release
> said." Unbelievable. - lyger)
>
> Courtesy PogoWasRight.org
>
> http://www.wbbm780.com/pages/77513.php?contentType=4&contentId=198758
>
> Thousands of city employees could be at risk of identity theft following
> the theft of a laptop computer from a city contractor, and a delay of more
> than a year in reporting the theft to the proper personnel within the
> company, according to a release from the Mayor's office.
>
> Nationwide Retirement Solutions, the provider of deferred compensation
> services for City of Chicago employees has notified the city that a laptop
> computer containing personal information about customers was stolen from
> the home of one of its employees, according to the release.
>
> NRS, which has provided services for city employees since 2004, is
> notifying affected individuals by letter and offering free
> credit-monitoring service for a year, which includes $25,000 of identity
> theft insurance, according to the release.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 142 million compromised records in 323 incidents over 6 years.


From cwalsh at cwalsh.org Sat Sep 2 14:03:54 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sat, 2 Sep 2006 13:03:54 -0500
Subject: [Dataloss] Additional FMCSA details
Message-ID: <7E955EBB-02C8-46CC-AD99-7083D3416544@cwalsh.org>

Press release with additional details at
http://www.fmcsa.dot.gov/about/news/news-releases/2006/082806.htm


From macwheel99 at sigecom.net Sat Sep 2 16:47:59 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sat, 02 Sep 2006 15:47:59 -0500
Subject: [Dataloss] Police tips for Breach prevention
Message-ID: <6.2.1.2.0.20060902153441.04593100@mail.sigecom.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060902/c0b537fc/attachment.html


From george at myitaz.com Tue Sep 5 10:38:28 2006
From: george at myitaz.com (George Toft)
Date: Tue, 05 Sep 2006 07:38:28 -0700
Subject: [Dataloss] Police tips for Breach prevention
In-Reply-To: <6.2.1.2.0.20060902153441.04593100@mail.sigecom.net>
References: <6.2.1.2.0.20060902153441.04593100@mail.sigecom.net>
Message-ID: <44FD8BE4.6070108@myitaz.com>

New York Times coverage about what's happening in the ID Theft Capital - Phoenix:
http://www.nytimes.com/national/nationalspecial2/index.html

This is their main page with many articles. Some interesting numbers they toss out:

- 1 in 20 working adults are using fake SSN's
- 1 in 6 adults in Phoenix have had their ID stolen. (I'm still not sure they really mean had their personal information stolen - there is a bit of a difference.)
- Much of the information is stolen by meth addicts.

[George's comment: I tried to reproduce the Scottsdale meth addict's ID information farming technique by looking up my own information on the County Recorder's web site. All the images with my signature and account information were unavailable, so it looks like Maricopa County made it more difficult as a result of this story. I wonder if I can still purchase official copies of the documents for a nominal charge? Of course it might be a little suspicious if I purchased 1000 copies - maybe this is the deterrent?]

They draw some interesting conclusions:

- The IRS has the capability to identify the stolen SSN's but chooses not to pursue it.
- The SSA also has this capability, but chooses not to as collecting SS tax revenue from illegals is money that never has to be repaid. It's a free subsidy.

[George's comment: A simple database query on the order of "select all SSN's with birth dates less than 16 years ago and having more than $1 of reported income" would be really easy to do. However, with 5% of the workforce working under fake ID's, paying taxes, and spending their money in *this* country, what incentive is there for the government to do anything about it? Why would they spend money (tracking down and deporting illegals) to reduce tax revenue? I went to a workforce development presentation in Tempe last week, and they claim that by 2010, there will be a shortage of 10 million *skilled* workers in the US. Again, what is the incentive to stop this problem?]

Living in Phoenix, I can vouch for most of what these articles are pointing out, including personally knowing victims of drug-addict ID thieves and children deprived of benefits because their ID was stolen. A high percentage of businesses I've spoken with have employed illegal immigrants with stolen ID's. Contrary to the articles, these businesses usually did not know the ID's were stolen; rather, they found out via IRS/INS inquiries or via background checks.

This problem is huge in Arizona - the more people I talk to, the more rampant I see it is.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.


Al Mac wrote:
>
> Here is a good article by a Police Detective on the many things that
> work places ought to be doing to prevent data breaches, but most are not.
>
> *Businesses And Governmental Agencies Contribute to The Identity Theft
> Problem*
>
> *By: Salem Police Detective Paul Henninger*
>
> I recently talked with a person in prison who had been the mastermind of
> a major identity theft ring operating throughout Oregon. I asked him
> about the relationship between "meth" and the people who commit
> identity theft. He told me, "They are as husband and wife."
>
> The myth that most personal information is stolen directly from the
> victim is not true. A national study showed that 70% of all stolen
> personal information is taken from a business.
>
> [...]
>
> Did you know that if you call the Oregon DMV information call center
> using the published number, there is a good chance you will be talking
> with an Inmate (convicted felon) at the Coffee Creek Correctional
> Facility (prison) in Wilsonville? This is part of the State of Oregon
> prisoner work plan. You won't be told you're talking to a prisoner
> unless you ask.
>
> They have computer access to some of your personal information. DMV
> officials have told me they have set up strictly enforced protocols to
> prevent prisoners from using the system to commit identity theft.
>
> http://www.salem-news.com/articles/august032006/id_theft_tip_8306.php


From lyger at attrition.org Tue Sep 5 14:44:13 2006
From: lyger at attrition.org (lyger)
Date: Tue, 5 Sep 2006 14:44:13 -0400 (EDT)
Subject: [Dataloss] RSS Feeds Now Available for News and Dataloss
Message-ID:

http://attrition.org/news/content/06-09-05.001.html

Tue Sep 5 13:53:31 EDT 2006
Jericho and Lyger

You asked for it, so we are (finally) providing. As of today, attrition.org now hosts not one, but TWO, yes, TWO RSS feeds. Thanks to the evil genius of Cancer Omega, the Current News and Dataloss pages are now fully RSS capable for those of you too lazy to read your email or click on the damn pages every day! Yay us!

Yes, evil genius, because Cancer Omega implemented the entire thing with one annoying caveat imposed upon his creative center... "you can't use PHP". Attrition don't play that.

For those of you who are interested in subscribing to these feeds, the links are right here:

http://attrition.org/rss/attrition_news.rss
http://attrition.org/rss/attrition_dataloss.rss

[...]


From macwheel99 at sigecom.net Tue Sep 5 14:18:34 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Tue, 05 Sep 2006 13:18:34 -0500
Subject: [Dataloss] Lloyds of London vs. Florida ATM
Message-ID: <6.2.1.2.0.20060905130508.0437b880@mail.sigecom.net>

Did the ATM have a camera & can it be programmed to raise suspicions when the same person makes many consecutive transactions on different accounts? Could his fingerprints be retrieved from any discarded cards, or those the ATM held onto?

PORT ST. LUCIE - The thin white man worked the local ATM for hours, using phone cards programmed with credit card numbers from Lloyd's of London customers to steal more than $20,000.

He made more than 300 transactions at First Peoples Bank, on three consecutive days beginning last Saturday.

[...]

http://www1.tcpalm.com/tcp/local_news/article/0,2545,TCP_16736_4961553,00.html


From lyger at attrition.org Tue Sep 5 20:19:40 2006
From: lyger at attrition.org (lyger)
Date: Tue, 5 Sep 2006 20:19:40 -0400 (EDT)
Subject: [Dataloss] An amazing use of DLDOS
Message-ID:

Our friends at mailerblog.com have applied attrition.org's Data Loss Database - Open Source in quite a cool way:

http://www.mailerblog.com/dataloss/dataloss.php

If anyone else has any ideas, the raw data can be found here:

http://attrition.org/dataloss/dataloss.csv


From jericho at attrition.org Wed Sep 6 03:03:37 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 6 Sep 2006 03:03:37 -0400 (EDT)
Subject: [Dataloss] Former TSA workers' data exposed
Message-ID:

Courtesy: "Fergie", a.k.a. Paul Ferguson

---------- Forwarded message ----------

http://www.usatoday.com/news/washington/2006-09-06-tsa-identities_x.htm

Former TSA workers' data exposed
Posted 9/6/2006 1:10 AM ET
By Thomas Frank, USA TODAY

The Transportation Security Administration is warning 1,195 of its former employees that a contractor may have mailed their Social Security numbers and birth dates to the wrong addresses and left them open to identity fraud.

The error, acknowledged in letters the TSA mailed in late August to each of the former employees, is the latest in a series of data breaches that may have exposed workers in both private and government jobs to identity thieves.

"Making a mistake like this is abominable," said Beth Givens, director of the Privacy Rights Clearinghouse, an advocate for consumer privacy. "You've got an agency whose mission is security."

The TSA is part of the Homeland Security Department. Its 55,000 employees primarily run airport security.

[..]
From cwalsh at cwalsh.org Wed Sep 6 10:39:36 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 6 Sep 2006 09:39:36 -0500
Subject: [Dataloss] An amazing use of DLDOS
In-Reply-To:
References:
Message-ID: <20060906143924.GA20713@cwalsh.org>

Nice.

These records need a unique identifier to facilitate linkage of information from other tables.

For example, I have:

  address
  stock symbol
  exchange
  NAIC industry code
  Date of actual breach
  Date of breach discovery
  Links to primary sources (NY state reporting forms, notice letters)

for many of these.

Perhaps you can backfill a unique identifier into the CSV file for now, and when future records are added, they can look like this:

  CWALSH-MMDDYYYY-nnn

This way, you will not have any collisions (unless another C. Walsh comes along), and you will not need to pre-assign blocks of numbers to anyone who wishes to report. Should John Smith and Jim Smith both decide to get into the act, then perhaps the dreaded "jsmith02" solution can be adopted.

If someone objects to a tag like 'cwalsh' going into the db, then they would need to say so. Presumably, a privacy-conscious group like this will be able to work through the issue.

This is all off the top of my head as far as the implementation, but I have thought at some length about the need for an identifier.

Thoughts?

Chris

P.S. I love how these guys write something spiffy in 3 days. I am eager to see what can be done with an "expanded" DB. I "know", for example, that Google Maps could be used to great effect with this information. If I could code my way out of a wet paper bag, I'd be on the case.

On Tue, Sep 05, 2006 at 08:19:40PM -0400, lyger wrote:
>
> Our friends at mailerblog.com have applied attrition.org's Data Loss
> Database - Open Source in quite a cool way:
>
> http://www.mailerblog.com/dataloss/dataloss.php
>
> If anyone else has any ideas, the raw data can be found here:
>
> http://attrition.org/dataloss/dataloss.csv


From macwheel99 at sigecom.net Wed Sep 6 02:11:24 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Wed, 06 Sep 2006 01:11:24 -0500
Subject: [Dataloss] Medicare Medicaid and TriCare breaches
Message-ID: <6.2.1.2.0.20060906010348.04708d40@mail.sigecom.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060906/d7210119/attachment.html


From george at myitaz.com Wed Sep 6 13:24:03 2006
From: george at myitaz.com (George Toft)
Date: Wed, 06 Sep 2006 10:24:03 -0700
Subject: [Dataloss] An amazing use of DLDOS
In-Reply-To: <20060906143924.GA20713@cwalsh.org>
References: <20060906143924.GA20713@cwalsh.org>
Message-ID: <44FF0433.40903@myitaz.com>

What would also make the database really useful for research is if we could categorize the primary (and secondary) causes of the loss. For example:

  pri_cause - laptop theft
  sec_cause - policy violation

What is important to me as I make presentations are the percentages of dataloss relating to stolen laptops or burglaries. Institutions involved come up as well. Nice to have would be the category of businesses affected (Government, University, Medical, Financial) and perhaps the regulations affecting the data loser (HIPAA, GLBA, FACTA, SOX, or State Legislation). Some of this is obvious, some requires research.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.


Chris Walsh wrote:
> Nice.
>
> These records need a unique identifier to facilitate linkage of information
> from other tables.
>
> For example, I have:
>
> address
> stock symbol
> exchange
> NAIC industry code
> Date of actual breach
> Date of breach discovery
> Links to primary sources (NY state reporting forms, notice letters)
>
> for many of these.
>
> Perhaps you can backfill a unique identifier into the CSV file for now,
> and when future records are added, they can look like this:
>
> CWALSH-MMDDYYYY-nnn
>
> This way, you will not have any collisions
> (unless another C. Walsh comes along), and you will not need to pre-assign
> blocks of numbers to anyone who wishes to report. Should John Smith and
> Jim Smith both decide to get into the act, then perhaps the dreaded "jsmith02"
> solution can be adopted.
>
> If someone objects to a tag like 'cwalsh' going into the db, then
> they would need to say so. Presumably, a privacy-conscious group like
> this will be able to work through the issue.
>
> This is all off the top of my head as far as the implementation, but I have
> thought at some length about the need for an identifier.
>
> Thoughts?
>
> Chris
>
> P.S. I love how these guys write something spiffy in 3 days. I am eager
> to see what can be done with an "expanded" DB. I "know", for example, that
> Google Maps could be used to great effect with this information. If I could
> code my way out of a wet paper bag, I'd be on the case.
>
>
> On Tue, Sep 05, 2006 at 08:19:40PM -0400, lyger wrote:
>
>>Our friends at mailerblog.com have applied attrition.org's Data Loss
>>Database - Open Source in quite a cool way:
>>
>>http://www.mailerblog.com/dataloss/dataloss.php
>>
>>If anyone else has any ideas, the raw data can be found here:
>>
>>http://attrition.org/dataloss/dataloss.csv
>>


From cwalsh at cwalsh.org Wed Sep 6 14:50:52 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 6 Sep 2006 13:50:52 -0500
Subject: [Dataloss] An amazing use of DLDOS
In-Reply-To: <44FF0433.40903@myitaz.com>
References: <20060906143924.GA20713@cwalsh.org> <44FF0433.40903@myitaz.com>
Message-ID: <20060906185040.GA20759@cwalsh.org>

On Wed, Sep 06, 2006 at 10:24:03AM -0700, George Toft wrote:
> What would also make the database really useful for research is if we
> could categorize the primary (and secondary) causes of the loss. For
> example:
> pri_cause - laptop theft
> sec_cause - policy violation

Forget about sec_cause :^)

For pri_cause, you often find that it was a compromised web site. So, that could mean an application flaw (SQL injection), a misconfigured web server, poor or no authentication, a braindead firewall, etc. The same logic applies to other compromises. You get the general "cause", but not what really happened. It is frustrating, but sort of interesting.

Sometimes, what happened is perfectly clear: An auditor left a laptop containing customer data, including SSN, name, and salary in a locked car in Hoboken NJ. The car was broken into, and the laptop stolen. The laptop was password-protected, but the data were not encrypted.

For a large proportion of cases, all you know is what was compromised, but not *how* (or even, when).

I forgot to mention in my earlier post that for the cases I have "on file", I also specify whether reporting was mandated by state law, whether such reporting occurred, and what form the notice took (mail, email, phone, etc).

The sector (banking, etc) is easily obtained by looking at the NAICS code, which is the industrial classification often used by academic researchers in the social sciences.

cw

http://www.census.gov/epcd/www/naics.html


From macwheel99 at sigecom.net Thu Sep 7 02:28:17 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Thu, 07 Sep 2006 01:28:17 -0500
Subject: [Dataloss] An amazing use of DLDOS
In-Reply-To: <44FF0433.40903@myitaz.com>
References: <20060906143924.GA20713@cwalsh.org> <44FF0433.40903@myitaz.com>
Message-ID: <6.2.1.2.0.20060907012504.04595560@mail.sigecom.net>

I know there have been 5 incidents with Ernst & Young but only 2 in the data base, perhaps because some get associated with the outfit they were auditing. Many incidents nowadays have two places ... the one responsible for the data, and the one that managed to lose it.

I suggest a source url, although in some cases the original news story may die.

Al Mac


From lyger at attrition.org Thu Sep 7 08:10:06 2006
From: lyger at attrition.org (lyger)
Date: Thu, 7 Sep 2006 08:10:06 -0400 (EDT)
Subject: [Dataloss] An amazing use of DLDOS
In-Reply-To: <6.2.1.2.0.20060907012504.04595560@mail.sigecom.net>
References: <20060906143924.GA20713@cwalsh.org> <44FF0433.40903@myitaz.com> <6.2.1.2.0.20060907012504.04595560@mail.sigecom.net>
Message-ID:

On Thu, 7 Sep 2006, Al Mac wrote:

": " I know there have been 5 incidents with Ernst & Young but only 2 in the
": " data base, perhaps because some get associated with the outfit they were
": " auditing. Many incidents nowadays have two places ... the one responsible
": " for the data, and the one that managed to lose it.
": "
": " I suggest a source url, although in some cases the original news story may die.
": "
": " Al Mac

That was the intent of the ThirdParty and ThirdPartyName columns, in which E&Y is listed once for the Hotels.com breach. If we're missing two other breaches related to E&Y, please let us know and we'll update accordingly.

Per http://attrition.org/dataloss/dldoskey.html :

  All other columns should be self explanatory. The RefPage column refers to the html page on attrition.org that hosts an archived news story (attrition.org/dataloss/[year]/); these have since been moved into subdirectories sorted by year and month.

  Please feel free to add columns and plug in missing data as needed. If you find an error or missing entry, please email us and we'll update our copy of the data accordingly. Any other suggestions, comments, or concerns, please email us.


From lyger at attrition.org Thu Sep 7 11:21:11 2006
From: lyger at attrition.org (lyger)
Date: Thu, 7 Sep 2006 11:21:11 -0400 (EDT)
Subject: [Dataloss] Chase Trashes Tapes With Client Info
Message-ID:

Courtesy PogoWasRight.org
http://news.moneycentral.msn.com/provider/providerarticle.asp?feed=AP&Date=20060907&ID=6002314

September 07, 2006 10:24 AM ET

Chase Card Services, a unit of JPMorgan Chase & Co., on Thursday said it is notifying 2.6 million Circuit City credit card holders that computer tapes containing their personal information were mistakenly thrown in the trash.

After an investigation by federal and local authorities, Chase said it believes the tapes -- which were stored in a locked box and contained some card holders' Social Security numbers -- were compacted, destroyed and buried in a landfill.

The company said it has been monitoring the affected accounts, including current and former card holders, and has not found any misuse of personal information.

[...]
From cwalsh at cwalsh.org Thu Sep 7 12:49:10 2006 From: cwalsh at cwalsh.org (Chris Walsh) Date: Thu, 7 Sep 2006 11:49:10 -0500 Subject: [Dataloss] An amazing use of DLDOS In-Reply-To: <6.2.1.2.0.20060907012504.04595560@mail.sigecom.net> References: <20060906143924.GA20713@cwalsh.org> <44FF0433.40903@myitaz.com> <6.2.1.2.0.20060907012504.04595560@mail.sigecom.net> Message-ID: <20060907164856.GA6263@cwalsh.org> On Thu, Sep 07, 2006 at 01:28:17AM -0500, Al Mac wrote: > I know there have been 5 incidents with Ernst & Young but only 2 in the > data base, perhaps because some get associated with the outfit they were > auditing In one situation, E+Y and Goldman Sachs reported the same breach (stolen E+Y laptop) separately. In principle, this can lead to OVERreporting of breach volume. See these documents which E+Y and Goldman provided to New York state officials, as required by law: http://www.cwalsh.org/BreachInfo/primary_sources/index4.html http://www.cwalsh.org/BreachInfo/primary_sources/pages/page_88.html http://www.cwalsh.org/BreachInfo/primary_sources/pages/page_89.html http://www.cwalsh.org/BreachInfo/primary_sources/pages/page_90.html http://www.cwalsh.org/BreachInfo/primary_sources/pages/page_91.html http://www.cwalsh.org/BreachInfo/primary_sources/pages/page_92.html http://www.cwalsh.org/BreachInfo/primary_sources/pages/page_93.html http://www.cwalsh.org/BreachInfo/primary_sources/pages/page_94.html From lyger at attrition.org Thu Sep 7 18:29:08 2006 From: lyger at attrition.org (lyger) Date: Thu, 7 Sep 2006 18:29:08 -0400 (EDT) Subject: [Dataloss] FTC fines xanga.com $1 million over children's info Message-ID: (fringe related, but if you have kids (or even if you don't...)) For Release: September 7, 2006 Xanga.com to Pay $1 Million for Violating Children's Online Privacy Protection Rule Civil Penalty Against Social Networking Site Is Largest Ever for a COPPA Violation Social networking Web site operators Xanga.com, Inc. 
and its principals, Marc Ginsburg and John Hiler, will pay a $1 million civil penalty for allegedly violating the Children's Online Privacy Protection Act (COPPA) and its implementing Rule, under the terms of a settlement with the Federal Trade Commission announced today. According to the FTC, Xanga.com collected, used, and disclosed personal information from children under the age of 13 without first notifying parents and obtaining their consent. The penalty is the largest ever assessed by the FTC for a COPPA violation, and is more than twice the next largest penalty. The complaint charges that the defendants had actual knowledge they were collecting and disclosing personal information from children. The Xanga site stated that children under 13 could not join, but then allowed visitors to create Xanga accounts even if they provided a birth date indicating they were under 13. Further, they failed to notify the children's parents of their information practices or provide the parents with access to and control over their children's information. The defendants created 1.7 million Xanga accounts over the past five years for users who submitted age information indicating they were under 13. More at http://www.ftc.gov/opa/2006/09/xanga.htm From adam at homeport.org Thu Sep 7 18:40:47 2006 From: adam at homeport.org (Adam Shostack) Date: Thu, 7 Sep 2006 18:40:47 -0400 Subject: [Dataloss] An amazing use of DLDOS In-Reply-To: <20060906185040.GA20759@cwalsh.org> References: <20060906143924.GA20713@cwalsh.org> <44FF0433.40903@myitaz.com> <20060906185040.GA20759@cwalsh.org> Message-ID: <20060907224047.GD26057@homeport.org> On Wed, Sep 06, 2006 at 01:50:52PM -0500, Chris Walsh wrote: | On Wed, Sep 06, 2006 at 10:24:03AM -0700, George Toft wrote: | > What would also make the database really useful for research is if we | > could categorize the primary (and secondary) causes of the loss. 
For | > example: | > pri_cause - laptop theft | > sec_cause - policy violation | | | Forget about sec_cause :^) | | For pri_cause, you often find that it was a compromised web site. So, that | could mean an application flaw (SQL injection), a misconfigured web server, | poor or no authentication, a braindead firewall, etc. The same logic | applies to other compromises. You get the general "cause", but not what | really happened. It is frustrating, but sort of interesting. I've been thinking for a bit that it would be great if reporters had a document that helped guide them to ask interesting, probing questions about these failures. We might provide similar guideance to the agencies who accept these reports on what questions they should offer up on their sites. Adam From lyger at attrition.org Thu Sep 7 19:37:23 2006 From: lyger at attrition.org (lyger) Date: Thu, 7 Sep 2006 19:37:23 -0400 (EDT) Subject: [Dataloss] An amazing use of DLDOS In-Reply-To: <20060907224047.GD26057@homeport.org> References: <20060906143924.GA20713@cwalsh.org> <44FF0433.40903@myitaz.com> <20060906185040.GA20759@cwalsh.org> <20060907224047.GD26057@homeport.org> Message-ID: On Thu, 7 Sep 2006, Adam Shostack wrote: ": " I've been thinking for a bit that it would be great if reporters had a ": " document that helped guide them to ask interesting, probing questions ": " about these failures. We might provide similar guideance to the ": " agencies who accept these reports on what questions they should offer ": " up on their sites. ": " ": " Adam Unfortunately, most interviews seem top go like this: Reporter: What exactly was the nature of this breach? PR-Dude: A [laptop] was stolen on mm/dd/yyyy from [pizza hut] Reporter: Was there personally identifiable information on the [laptop]? PR-Dude: We have yet to ascertain what type of data was on the [laptop]. Reporter: Do you know how many people may have been affected? PR-Dude: We're still in the process of compiling numbers. 
We have 3.75 billion clients, but apparently only 12 may have been affected. Those 12 will possibly be given free credit reporting for a year and be entered into the Federal Witness Protection Program.
Reporter: Errr.... ok...
PR-Dude: In addition, all data on the [laptop] was password protected. People shouldn't worry. Really. We mean that. But we're still going to notify them. Just in case. You know.
Reporter: ...
PR-Dude: Encryption? I didn't understand the question.
Reporter: I didn't ask one...
PR-Dude: Oh. My bad. Move to strike...

(Sorry, Adam... just had to get that out...) :)

From blitz at strikenet.kicks-ass.net Thu Sep 7 21:58:57 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Thu, 07 Sep 2006 21:58:57 -0400
Subject: [Dataloss] An amazing use of DLDOS
In-Reply-To: <6.2.1.2.0.20060907012504.04595560@mail.sigecom.net>
References: <20060906143924.GA20713@cwalsh.org> <44FF0433.40903@myitaz.com> <6.2.1.2.0.20060907012504.04595560@mail.sigecom.net>
Message-ID: <7.0.1.0.2.20060907215444.03af8820@strikenet.kicks-ass.net>

And perhaps, a repository for the story, as they seem to conveniently "disappear".

Looking that database over, I seemed to miss the NY State Disability breach, PLUS the DOD service-members breach. (I seriously might have missed them, but I checked NYS listings, and saw no mention for example). Even IF they were recovered, they deserve filing, as no one can be absolutely SURE they were not compromised, and that might take months to years to become an issue.

At 02:28 9/7/2006, you wrote:
>I know there have been 5 incidents with Ernst & Young but only 2 in the
>data base, perhaps because some get associated with the outfit they were
>auditing. Many incidents nowadays have two places ... the one responsible
>for the data, and the one that managed to lose it.
>
>I suggest a source url, although in some cases the original news
>story may die.
>
>Al Mac
>
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss
>Tracking more than 143 million compromised records in 337 incidents
>over 6 years.

From DH1759 at aol.com Fri Sep 8 04:37:19 2006
From: DH1759 at aol.com (DH1759 at aol.com)
Date: Fri, 8 Sep 2006 04:37:19 EDT
Subject: [Dataloss] Personal Data Of Chicago Employees Stolen
Message-ID:

Here is a link to the letter sent out by Nationwide to the affected members - http://www.chicagofop.org/Updates/links/nrs.pdf

In a message dated 9/1/2006 5:27:45 P.M. Central Standard Time, lyger at attrition.org writes:

(Please look for the following sentence: "However, the firm believes the risk of identity theft or misuse of the information is low, because the computer was protected by User ID and a complicated password, the release said." Unbelievable. - lyger)

Courtesy PogoWasRight.org
http://www.wbbm780.com/pages/77513.php?contentType=4&contentId=198758

[...]

From lyger at attrition.org Fri Sep 8 12:09:05 2006
From: lyger at attrition.org (lyger)
Date: Fri, 8 Sep 2006 12:09:05 -0400 (EDT)
Subject: [Dataloss] Canada - BMO laptop on lam
Message-ID:

Courtesy PogoWasRight.org
http://ottsun.canoe.ca/News/OttawaAndRegion/2006/09/08/1814249-sun.html

HUNDREDS of banking customers have been told to monitor their accounts after a laptop containing personal information was stolen from a downtown Ottawa branch.

Stolen computer contains personal data for 900 of bank's clients

A spokesman for BMO Bank of Montreal confirmed yesterday that a laptop containing clients' personal information went missing last May from its Capital Centre branch on Laurier Ave. W.

Michael Edmonds said the data of less than 900 clients was on the laptop when it went missing from the branch.

"To this date, we're not aware that any information has been used for any fraudulent activity," Edmonds said yesterday, noting that the bank is monitoring the accounts.

[...]
From lyger at attrition.org Fri Sep 8 12:13:40 2006
From: lyger at attrition.org (lyger)
Date: Fri, 8 Sep 2006 12:13:40 -0400 (EDT)
Subject: [Dataloss] Florida National Guard - Laptop theft triggers security review
Message-ID:

Again from the fine folks at PogoWasRight.org:

http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20060907/BREAKINGNEWS/60907027/1086

BRADENTON - The Florida National Guard was conducting a security review Thursday after a laptop computer assigned to one of its soldiers was stolen in a car burglary.

No classified information was on the computer stolen Tuesday from a soldier's personal vehicle, said Florida Department of Military Affairs spokesman Jon Myatt. The laptop contains training and administrative records - including social security numbers - of up to 100 Florida National Guard soldiers.

"We're doing everything we can do to protect the unit," Myatt said. "The soldiers were aware if they were affected. Not a lot of personal information was on this laptop. An identity thief would need a lot more information."

[...]

From privacylaws at sbcglobal.net Fri Sep 8 12:32:01 2006
From: privacylaws at sbcglobal.net (Saundra Kae Rubel)
Date: Fri, 8 Sep 2006 09:32:01 -0700
Subject: [Dataloss] New PCI standards
Message-ID: <000d01c6d364$50379c90$210110ac@saundrad38b17a>

Hello

As a tangent to dataloss: for those of you who have been waiting on pins and needles for the new PCI data security standards (PCI DSS), they are finally here.

https://www.pcisecuritystandards.org/

Saundra Kae Rubel, CIPP

From afrech at gmail.com Sat Sep 9 09:17:59 2006
From: afrech at gmail.com (Andre)
Date: Sat, 9 Sep 2006 09:17:59 -0400
Subject: [Dataloss] Second Life game compromises 600K members
Message-ID: <23f9012e0609090617s5540c295peda09c1b52e26d9b@mail.gmail.com>

As of this morning, Second Life reports 648,420 members.
http://secondlife.com/corporate/bulletin.php

---------- Forwarded message ----------
From: Linden Lab
Date: Sep 9, 2006 12:07 AM
Subject: Important Second Life Security Bulletin and FAQ

Hello Second Lifers,

As announced on our website at http://secondlife.com/corporate/bulletin.php and corporate blog at http://blog.secondlife.com/?tag=security, Second Life discovered an attack on our servers on September 6, 2006. The full security bulletin is reprinted below, followed by a FAQ that includes important security advice for our community.

===================
SECURITY BULLETIN

*SAN FRANCISCO, CA. (September 8, 2006)* - Linden Lab reported today that it is notifying its community of a database breach, which potentially exposed customer data including the unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users. Unencrypted credit card information, which is stored on a separate database, was not compromised.

The breach was discovered on September 6, 2006 and promptly repaired. The company then launched a detailed investigation that revealed an intruder was able to access the Second Life databases utilizing a "Zero-Day Exploit" through third-party software utilized on Second Life servers. Due to the nature of the attack, the company cannot determine which individual data were exposed. The company's technical investigation is ongoing.

"We're taking a very conservative approach and assuming passwords were compromised and therefore we're requiring users to change their Second Life passwords immediately," said Cory Ondrejka, CTO of Linden Lab. "While we realize this is an inconvenience for residents, we believe it's the safest course of action. We place the highest priority on protecting customer data and will continue to take aggressive measures to protect the privacy and security of the community."

Linden Lab advises all users to take appropriate precautions against misuse of personal information. To reduce the risk of fraud, Linden Lab will not contact individuals by phone or any other method asking for private information unless it is in response to an inquiry from the individual user.

===================
FREQUENTLY ASKED QUESTIONS

Q: I can't log in to Second Life. How can I regain login access?

A: As a security precaution, all Second Life account passwords have been invalidated. You need to establish a new password in order to log in. You can receive instructions for changing your password by visiting http://secondlife.com/password. Please note that we are updating the password request process - if you have recently tried that page and could not change your password, please try again.

Q: Was my account information compromised?

A: We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion. The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.

Q: Is my information still at risk from another attacker?

A: The compromised system was rebuilt and made more secure. We will be announcing additional plans for security improvements in a post to come on our blog, at http://blog.secondlife.com/?tag=security.

Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?

A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power. If you believe that you may be the victim of credit card fraud, you should contact your credit card company. If you use your Second Life password on other websites, online services, or any other services, you should change the password on that service as well. You can find additional tips for protection of your identity online at http://www.privacy.ca.gov/sheets/cis1english.htm.

Q: What kind of attack was used to gain access to the Second Life databases? Has the identity of the attacker been established?

A: We have gathered a significant amount of information regarding the attack and the attacker. However, because the investigation is ongoing, we cannot provide very detailed information regarding the type of attack or identity of the attacker. We can disclose that the intrusion path took advantage of a "zero-day exploit" in third-party web software.

Q: What was the timing of the attack and Linden Lab's investigation?

A: Our forensic investigation began on September 6, 2006. Based on this investigation, the intrusion attempts may have started as early as September 3, 2006. However, we have not found evidence of successful database access occurring before September 5, 2006. On September 6, 2006, unusual activity in our database logs revealed the attack to Linden Lab, and we investigated, found and closed the intrusion on the same day. At that point, there was no evidence that databases containing customer identity information had been compromised. For the following two days, the focus of our investigation was to determine the extent of the database access and the nature of the data downloaded from our system. On September 8, 2006, we concluded that there was a substantial likelihood that customer account information could have been accessed. The investigation is ongoing and we will report further results as they become available at http://blog.secondlife.com/?tag=security.

Sincerely,
Linden Lab and the Second Life team

From lyger at attrition.org Sat Sep 9 14:53:32 2006
From: lyger at attrition.org (lyger)
Date: Sat, 9 Sep 2006 14:53:32 -0400 (EDT)
Subject: [Dataloss] Medicare Medicaid and TriCare breaches
Message-ID:

From: Al Mac

The "over 40%" with security breaches in the last 2 years (impacting over 100 million people covered by these public health care programs) =
47 % for Medicare Advantage;
44 % for Medicaid agencies;
42 % for Medicare FFS contractors;
38 % for DoD Tricare contractors.

In studying the GAO report I was particularly struck by:

* Many Federal Contractors and State Medicaid Agencies experience privacy breaches but not all are required to report breaches to federal agencies.
* The GAO, in this survey, did not delve into the frequency or severity of the reported breaches;
* The claim that these rates are comparable to the rate reported by commercial health insurers, where 46% of commercial health insurers reported at least one privacy breach from January thru June 2005, according to a HIPAA Compliance Survey: HIMSS/Phoenix Health Systems, U.S. Healthcare Industry Summer 2005 (August 2005).
My e-friend Bob Speth got me the URL for the more recent Winter 2006 HIPAA survey of 324 organizations:
http://www.hipaadvisory.com/action/surveynew/results/winter2006.htm

According to this:

* data security incidents plague 1/3 of Providers and Payers;
* in the last 6 months, 60% of the Provider organizations have experienced privacy breaches, which is the same as in prior reports, while the rate of incidents for Payer organizations has risen from 45% to 66%;
* the majority of organizations with breaches have had one to five separate incidents, but 20% have had six or more incidents;
* 55% of health care providers claim to be compliant with HIPAA security standards;
* 72% of health care payers are reportedly compliant;
* subtract these #s from 100% to see #s not up to HIPAA standards, which some people feel do not go far enough... for example, mitigation does not include informing the patients whose medical records got breached.

It is evident to me from these numbers that the government knows a heck of a lot more about what organizations are experiencing privacy breaches than what has leaked out to the news media. We are still seeing only the tip of an iceberg.

The GAO, an investigative arm of the US Congress, looked into the outsourcing of personal health services for Medicare, Medicaid, and TRICARE, finding a total of 378 entities doing the work, of which over 40% have recently experienced privacy breaches.

Privacy Hot Topic: Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE. GAO-06-676, September 5.
http://www.gao.gov/cgi-bin/getrpt?GAO-06-676
Highlights - http://www.gao.gov/highlights/d06676high.pdf

From lyger at attrition.org Sat Sep 9 16:29:38 2006
From: lyger at attrition.org (lyger)
Date: Sat, 9 Sep 2006 16:29:38 -0400 (EDT)
Subject: [Dataloss] Minnesota - Thousands of students have IDs at risk after computer theft
Message-ID:

Courtesy PogoWasRight.org
http://www.twincities.com/mld/pioneerpress/news/local/15475291.htm

A pair of computers containing the personal information - in some cases Social Security numbers - of thousands of University of Minnesota students was stolen from a campus office. Now officials are scrambling to let past and present students know their identities may be in danger.

The computers, stolen in August from the desk of a program coordinator at the university's Institute of Technology, contained data on 13,084 students who joined the school as freshmen between the fall of 1992 and 2006.

Files included such information as names, birth dates, addresses, phone numbers, the high school they attended, student identification numbers, grades and test scores, and academic probation. And, in hundreds of cases, Social Security numbers.

University spokesman Daniel Wolter said the university's main effort is focused on contacting 603 past students whose Social Security numbers were stolen.

[...]
From anonadmin at pogowasright.org Sat Sep 9 19:37:38 2006
From: anonadmin at pogowasright.org (anonadmin at pogowasright.org)
Date: Sat, 9 Sep 2006 18:37:38 -0500 (CDT)
Subject: [Dataloss] Cousins face ID theft and fraud charges for stealing medical records in Florida
Message-ID: <4153.66.90.118.12.1157845058.squirrel@www.pogowasright.org>

http://www.sun-sentinel.com/news/local/southflorida/sfl-dfraud09sep09,0,7481801.story?coll=sfla-home-headlines

Combining an "unwholesome criminal trilogy" of identity theft, medical privacy violations and health-care fraud, two cousins stole the personal information of more than 1,100 Cleveland Clinic patients and billed more than $2.8 million in Medicare charges, federal prosecutors said Friday.

more at link...

From dissent at pogowasright.org Mon Sep 11 14:59:21 2006
From: dissent at pogowasright.org (dissent at pogowasright.org)
Date: Mon, 11 Sep 2006 13:59:21 -0500
Subject: [Dataloss] Identity Theft Scare Hits Closing Indy Business
Message-ID: <20060911135921.u3kswl1j85d44c00@www.pogowasright.org>

Sell the company and just dump the employees' files in a dumpster... oh yeah, that works for me...

http://www.theindychannel.com/news/9818472/detail.html

[...]

Several employees of Telesource said they climbed into the Dumpster to retrieve the documents. The employees said their company had just been bought out by another company called Vekstar, and that the office at U.S. 31 and Shelby Street was being cleaned out and shut down.

"I found all the employees' files with all the personal information with them," said Stephanie Stewart. "It had their Social Security numbers and date of birth. There were photocopies of driver's licenses, photocopies of Social Security cards."
From byurcik at ncsa.uiuc.edu Tue Sep 12 10:32:31 2006
From: byurcik at ncsa.uiuc.edu (Bill Yurcik)
Date: Tue, 12 Sep 2006 09:32:31 -0500 (CDT)
Subject: [Dataloss] draft paper performing breach analysis (url within)
Message-ID:

I have been working with a student to perform analysis on privacy breaches using systematic database queries to an event dataset manually combined from both the PrivacyRights and Attrition event lists (Jan 2005 to June 2006). The draft paper is available at this url:

title: "Beyond Media Hype: Empirical Analysis of Disclosed Privacy Breaches 2005-2006 and a DataSet/Database Foundation for Future Work"

I invite feedback from the insightful readers of this list and will try my best to incorporate your feedback directly into the paper. I am also hoping this work will spark other similar efforts...

Please reply to me directly, but if you see potential for an interesting discussion thread please also feel free to post to the dataloss mailing list and I will see your feedback there also...

Cheers!

- Bill Yurcik

A final version of this paper will be published/presented at the following workshop: 1st Workshop on the Economics of Securing the Information Infrastructure (WESII), Washington DC USA, October 23-24, 2006.

From lyger at attrition.org Tue Sep 12 17:22:15 2006
From: lyger at attrition.org (lyger)
Date: Tue, 12 Sep 2006 17:22:15 -0400 (EDT)
Subject: [Dataloss] Europe May Require Data Breach Notification
Message-ID:

Courtesy Fergie's Tech Blog:
http://fergdawg.blogspot.com/

http://www.out-law.com/default.aspx?page=7287

The European Commission has published proposals for a law change that would force telecoms firms to notify regulators and customers of all breaches of their data security. A similar law in California has resulted in a stream of data breaches being made public.
In a consultation on changes to the EU framework on telecoms regulation the EC proposes that all providers of "electronic communications networks or services" be forced to notify customers and regulators of any breaches of security that would result in their personal data being made available to others.

The current EU Directive only instructs network providers to notify customers of security risks. It does not cover security breaches.

[...]

From lyger at attrition.org Tue Sep 12 20:42:57 2006
From: lyger at attrition.org (lyger)
Date: Tue, 12 Sep 2006 20:42:57 -0400 (EDT)
Subject: [Dataloss] B.C. facility loses public's personal data
Message-ID:

Courtesy PogoWasRight.org
http://www.canada.com/victoriatimescolonist/news/story.html?id=e1b03e3e-d043-4e64-9a09-415a24636751&k=71796

Chad Skelton, CanWest News Service
Published: Tuesday, September 12, 2006

VANCOUVER -- Computer tapes containing the private health and welfare records of "hundreds of thousands" of British Columbians were discovered missing from the government's main data centre in Victoria last year and have never been found, according to a confidential government investigation obtained by the Vancouver Sun.

Poor record-keeping at the facility, which is run by Telus, means it's impossible to confirm exactly what happened to the 31 tapes, although the report speculates they were most likely destroyed in error or borrowed by a government staffer who forgot to return them.

However, the report warns that their disappearance is serious and "may have resulted in the inadvertent disclosure of the data contents."

That's a concern, the report warns, because some of the data on the tapes is so sensitive that it could be used "for the purposes of identity theft" or to "create fraudulent Care Cards" to defraud the government.

Yet the report, which was conducted for the province by KPMG, went on to recommend that the public not be told about the incident.

"Government policy does not require individuals to be informed of a possible disclosure of personal information," the report states. "[Notification] is only suggested where an actual disclosure of personal information is known to have occurred."

[...]

From lyger at attrition.org Wed Sep 13 17:02:55 2006
From: lyger at attrition.org (lyger)
Date: Wed, 13 Sep 2006 17:02:55 -0400 (EDT)
Subject: [Dataloss] American Family Insurance Warns Customers Of Identity Theft
Message-ID:

Courtesy PogoWasRight.org:
http://wfrv.com/topstories/local_story_256094729.html

American Family Insurance is warning customers to be wary of identity theft after computer equipment was stolen in a burglary in Madison.

American Family is the state's biggest insurer of homes and vehicles. It mailed letters to more than two-thousand customers alerting them to the theft at the office of an insurance agent.

[...]

From cwalsh at cwalsh.org Wed Sep 13 17:45:00 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 13 Sep 2006 16:45:00 -0500
Subject: [Dataloss] American Family Insurance Warns Customers Of Identity Theft
In-Reply-To:
References:
Message-ID:

Hmm.

Wisconsin's notification law (http://www.legis.state.wi.us/2005/data/acts/05Act138.pdf) says that notice should take place within 45 days. This theft was in July.

These guys may have cut it rather close.

On Sep 13, 2006, at 4:02 PM, lyger wrote:

> Courtesy PogoWasRight.org:
>
> http://wfrv.com/topstories/local_story_256094729.html
>
> American Family Insurance is warning customers to be wary of identity
> theft after computer equipment was stolen in a burglary in Madison.
>
> American Family is the state's biggest insurer of homes and vehicles. It
> mailed letters to more than two-thousand customers alerting them to the
> theft at the office of an insurance agent.
>
> [...]

From kenton_hoover at symantec.com Wed Sep 13 18:08:48 2006
From: kenton_hoover at symantec.com (Kenton Hoover)
Date: Wed, 13 Sep 2006 15:08:48 -0700
Subject: [Dataloss] American Family Insurance Warns Customers Of Identity Theft
In-Reply-To:
Message-ID:

Does it have the "investigation" cut-out that California's does? In California, you can not report if reporting would negatively impact an ongoing criminal investigation. I've seen that used once to bury a loss for quite a while (in fact, it may still be buried).

--
Kenton A. Hoover
Solutions Engineering
Symantec Corporation
+1.415.850.5924
kenton_hoover at symantec.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
Sent: Wednesday, 13 September, 2006 14:45
To: lyger
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] American Family Insurance Warns Customers Of Identity Theft

Hmm.

Wisconsin's notification law (http://www.legis.state.wi.us/2005/data/acts/05Act138.pdf) says that notice should take place within 45 days. This theft was in July.

These guys may have cut it rather close.

[...]

From privacylaws at sbcglobal.net Wed Sep 13 18:26:34 2006
From: privacylaws at sbcglobal.net (Saundra Kae Rubel)
Date: Wed, 13 Sep 2006 15:26:34 -0700
Subject: [Dataloss] American Family Insurance Warns Customers Of Identity Theft
In-Reply-To:
Message-ID: <000001c6d783$acc7a310$210110ac@saundrad38b17a>

See part (5) at page 2 of that specific law:

(5) REQUEST BY LAW ENFORCEMENT NOT TO NOTIFY. A law enforcement agency may, in order to protect an investigation or homeland security, ask an entity not to provide a notice that is otherwise required under sub. (2) for any period of time and the notification process required under sub. (2) shall begin at the end of that time period. Notwithstanding subs. (2) and (3), if an entity receives such a request, the entity may not provide notice of or publicize an unauthorized acquisition of personal information, except as authorized by the law enforcement agency that made the request.

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Kenton Hoover
Sent: Wednesday, September 13, 2006 3:09 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] American Family Insurance Warns Customers Of Identity Theft

Does it have the "investigation" cut-out that California's does? In California, you can not report if reporting would negatively impact an ongoing criminal investigation. I've seen that used once to bury a loss for quite a while (in fact, it may still be buried).

[...]
From lyger at attrition.org Wed Sep 13 19:06:19 2006
From: lyger at attrition.org (lyger)
Date: Wed, 13 Sep 2006 19:06:19 -0400 (EDT)
Subject: [Dataloss] Moderator note: Editing
Message-ID:

Sorry for the quick message, but we would like to ask that if you reply to a list post, please take a few seconds to remove any extraneous quoting from your replies, especially footers. Keeps message sizes down and makes threads easier to follow.

Less filling, tastes great :)

Lyger

From patrick at pmueller.org Wed Sep 13 19:40:08 2006
From: patrick at pmueller.org (Patrick Mueller)
Date: Wed, 13 Sep 2006 18:40:08 -0500
Subject: [Dataloss] American Family Insurance Warns Customers Of Identity Theft
In-Reply-To:
References:
Message-ID: <7.0.1.0.2.20060913183758.0377f2c0@pmueller.org>

Even if a covered entity exceeds the 45 days, there is no public or private enforcement mechanism anyway.

-- Patrick

At 04:45 PM 9/13/2006, you wrote:
>Hmm.
>
>Wisconsin's notification law (http://www.legis.state.wi.us/2005/data/
>acts/05Act138.pdf) says that notice should take place within 45
>days. This theft was in July.
>
>These guys may have cut it rather close.

From lyger at attrition.org Thu Sep 14 17:09:39 2006
From: lyger at attrition.org (lyger)
Date: Thu, 14 Sep 2006 17:09:39 -0400 (EDT)
Subject: [Dataloss] Nikon: Customer information mistakenly released on Web site
Message-ID:

Courtesy PogoWasRight.org
http://www.ledger-enquirer.com/mld/ledgerenquirer/news/local/15519104.htm

Personal information on more than 3,200 subscribers of a magazine published by Nikon Inc. was available on a Web site before the breach was discovered, the imaging company said Thursday.
Details including names, addresses and credit card numbers for 3,235 people could be seen over a nine-hour period on a Web site for Nikon World magazine, but only nine new subscribers gained access to the information, the company said.

Workers at an Alabama camera store told the Montgomery Advertiser they discovered the problem Wednesday morning as one of them tried to subscribe to the magazine, which is published quarterly.

"That just can't happen. With ID theft, with all the theft of personal data, you just can't make a mistake like this," Michael Nimmer, retail manager at Capitol Filmworks, told the newspaper. "Customers will leave you and go to other places."

[...]

From lyger at attrition.org Thu Sep 14 17:14:24 2006
From: lyger at attrition.org (lyger)
Date: Thu, 14 Sep 2006 17:14:24 -0400 (EDT)
Subject: [Dataloss] Illinois - DOC employees receive ID theft alert

One more from the friendly folks at PogoWasRight.org:

http://www.lincolncourier.com/story.asp?SID=2949&SEC=8

The Illinois Department of Corrections has asked its employees to take precautions against identity theft after a department report that contained some workers' personal information recently was found outside the agency's grounds.

The report, which hasn't been publicly identified, contained the names, salaries and Social Security numbers of what the department characterized as "many" of its employees.

Corrections spokesman Derek Schnapp said Wednesday he couldn't release how many employee names were on the document or when or where it was found. Schnapp did say the document is back in the agency's possession.

[...]

From roy at rant-central.com Thu Sep 14 18:25:41 2006
From: roy at rant-central.com (Roy M. Silvernail)
Date: Thu, 14 Sep 2006 18:25:41 -0400
Subject: [Dataloss] VA does a followup on their earlier form letter
Message-ID: <4509D6E5.50101@rant-central.com>

I found another VA form letter in my mailbox today. Over the signature of R.
James Nicholson, it says in part:

"Based on the results of forensic tests, the Federal Bureau of Investigation (FBI) has told us that they are highly confident the sensitive data were not accessed. Given the FBI's high degree of confidence that the information was not compromised, individual credit monitoring will not be necessary."

Why do I not feel any more secure because of this?

--
Roy M. Silvernail is roy at rant-central.com, and you're not
"It's just this little chromium switch, here." - TFT
CRM114->procmail->/dev/null->bliss
http://www.rant-central.com

From lyger at attrition.org Fri Sep 15 11:01:59 2006
From: lyger at attrition.org (lyger)
Date: Fri, 15 Sep 2006 11:01:59 -0400 (EDT)
Subject: [Dataloss] Found computer drive had Mercy patient data on it

http://www.mercedsunstar.com/local/story/12717958p-13413952c.html

By Carol Reiter
Last Updated: September 15, 2006, 01:54:07 AM PDT

A computer memory card with 295 patient names, Social Security numbers, birthdates and medical record numbers was lost by a Mercy Medical Center Merced employee and found months after the card was created.

Because of the possibility that someone could have accessed the unencrypted small memory card, all of the patients were notified Wednesday by certified mail that their privacy may have been invaded. Only one patient's actual medical record was on the card.

Robert McLaughlin, spokesman for Mercy, said the card was created in 2005 when computer files of Mercy's two campuses, Dominican and Community, were being combined into a new computer database.

The employee, who worked in the information technology department of Mercy, created the card to find out what the best way to access patient records was: by name, date of birth or Social Security number.

[...]
From lyger at attrition.org Fri Sep 15 19:57:39 2006
From: lyger at attrition.org (lyger)
Date: Fri, 15 Sep 2006 19:57:39 -0400 (EDT)
Subject: [Dataloss] Florida - Employees' Personal Information Found In Dumpster

(dumpster diving... third time in the last week? the new "laptop theft" for the media pouncers? you decide... - lyger)

Courtesy PogoWasRight.org

http://www.wesh.com/iteam/9857657/detail.html

Things as simple as a name and Social Security number could make someone a victim of identity theft. How would you feel if that information was just tossed in the trash?

Personal information was found on Wednesday night in a Dumpster of a closed restaurant on International Drive, WESH 2 News reported.

WESH 2 I-team reporter Michelle Meredith tried to get answers at the now out-of-business Whistle Junction on International Drive.

[...]

From cwalsh at cwalsh.org Fri Sep 15 20:08:27 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 15 Sep 2006 19:08:27 -0500
Subject: [Dataloss] Breach notice: Cooks Illustrated
Message-ID: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>

This one is from the state of North Carolina's response to my FOIA request.

I am assigning it a UID of "CW-0001".

All information is verbatim from the printout they sent me.

Company Name
Cooks Illustrated

Date Notified
3/02/06

Breach Date
1/31/2006

Event
Unauthorized access to files

NC Residents Impacted
3162

From cwalsh at cwalsh.org Fri Sep 15 20:13:04 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 15 Sep 2006 19:13:04 -0500
Subject: [Dataloss] Breach notice: Mortgage Lenders Network USA

This one is another from the state of North Carolina's response to my FOIA request.

I am assigning it a UID of "CW-0002".

All information is verbatim from the printout they sent me.
Company Name
Mortgage Lenders Network USA

Date Notified
05/24/06

Breach Date
5/5/2006

Event
employee theft of consumer data files

NC Residents Impacted
5424

From cwalsh at cwalsh.org Fri Sep 15 20:16:08 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 15 Sep 2006 19:16:08 -0500
Subject: [Dataloss] Breach notice: Security Savings Bank
Message-ID: <65455BAF-90B5-4CBB-B66B-76D40F8EF269@cwalsh.org>

This one is another from the state of North Carolina's response to my FOIA request.

I am assigning it a UID of "CW-0003".

All information is verbatim from the printout they sent me.

Company Name
Security Savings Bank

Date Notified
06/01/06

Breach Date
5/25/2006

Event
website 'phished' from Spain for 2 hours - website visitors directed to other sites that asked for user id, password, account numbers, and card numbers

NC Residents Impacted
13

From cwalsh at cwalsh.org Fri Sep 15 20:18:37 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 15 Sep 2006 19:18:37 -0500
Subject: [Dataloss] Breach notice: Impac
Message-ID: <70A4DEF6-7B30-4AEF-9CE3-4DF4F5BCF136@cwalsh.org>

This one is another from the state of North Carolina's response to my FOIA request.

I am assigning it a UID of "CW-0004".

All information is verbatim from the printout they sent me.

Company Name
Impac

Date Notified
06/02/06

Breach Date
4/21-23/06

Event
Stolen laptops (stolen from company - locked offices)

NC Residents Impacted
92

From cwalsh at cwalsh.org Fri Sep 15 20:22:40 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 15 Sep 2006 19:22:40 -0500
Subject: [Dataloss] Breach notice: Fish and Richardson

This one is another from the state of North Carolina's response to my FOIA request.

I am assigning it a UID of "CW-0005".

All information is verbatim from the printout they sent me.
Company Name
Fish & Richardson

Date Notified
07/06/06

Breach Date
6/12/2006

Event
stolen laptop - stolen from home of employee; names and SSNs of current and former employees with data being in a file that was deleted even from the recycle bin

NC Residents Impacted
10

From cwalsh at cwalsh.org Fri Sep 15 20:25:24 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 15 Sep 2006 19:25:24 -0500
Subject: [Dataloss] Breach notice: BCTGM Local 192 Union
Message-ID: <69B16834-9D80-4DF4-9A16-7C4B412FF770@cwalsh.org>

This one is another from the state of North Carolina's response to my FOIA request.

I am assigning it a UID of "CW-0006".

All information is verbatim from the printout they sent me.

Company Name
BCTGM Local 192 Union

Date Notified
07/21/06

Breach Date
July 2006

Event
displayed SSN on sign in roster and union election

NC Residents Impacted
140

From bkdelong at pobox.com Fri Sep 15 20:24:47 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 15 Sep 2006 20:24:47 -0400
Subject: [Dataloss] Breach notice: Cooks Illustrated
In-Reply-To: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>
References: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>
Message-ID: <6.2.3.4.2.20060915202409.0799c430@mail.bkdelong.org>

So....wait - was this in the news or did you just FOIA this into public view?
I'm a subscriber and I never heard anything.

At 08:08 PM 9/15/2006, Chris Walsh wrote:
>This one is from the state of North Carolina's response to my FOIA
>request.
>
>I am assigning it a UID of "CW-0001".
>
>All information is verbatim from the printout they sent me.
>
>Company Name
>Cooks Illustrated
>
>Date Notified
>3/02/06
>
>Breach Date
>1/31/2006
>
>Event
>Unauthorized access to files
>
>NC Residents Impacted
>3162
>
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss
>Tracking more than 146 million compromised records in 349 incidents
>over 6 years.

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org                   Son.
http://www.haloworldwide.com              Work.
http://www.bostonredcross.org             Volunteer.
http://www.brain-stream.com               Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From lyger at attrition.org Sat Sep 16 08:10:12 2006
From: lyger at attrition.org (lyger)
Date: Sat, 16 Sep 2006 08:10:12 -0400 (EDT)
Subject: [Dataloss] Unisys Computer Recovered

Courtesy InfoSec News and WK:

http://www.eweek.com/article2/0,1895,2016271,00.asp

By Wayne Rash
September 14, 2006

WASHINGTON - The Office of the Inspector General of the Department of Veterans Affairs is reporting that an office computer reported stolen from a Unisys Corp. office in Virginia has been recovered, and a Washington, D.C., resident has been arrested in the case.

According to a VA spokesperson, the arrest took place yesterday, Sept. 13. Arrested in the case was Khalil Abdullah-Raheem, an employee of a contractor that provides temporary labor to Unisys. Abdullah-Raheem was charged in federal court in Alexandria, Va., yesterday for theft of government property and released on a $50,000 personal recognizance bond.
According to the announcement, investigators don't believe that the alleged thief was after the personal information of the 16,000 veterans treated at the VA Medical Centers in Pittsburgh and Philadelphia. The FBI is currently conducting a forensic analysis of the computer to see if the veterans information was compromised after it was stolen.

[...]

From Dissent at pogowasright.org Sat Sep 16 02:44:17 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 16 Sep 2006 02:44:17 -0400
Subject: [Dataloss] Howard Rice Data on Stolen Laptop
Message-ID: <7.0.0.16.2.20060916024121.0247d0c8@nowhere.org>

As many as 500 current and former employees of San Francisco's Howard, Rice, Nemerovski, Canady, Falk & Rabkin may be at risk of identity theft after a laptop computer containing confidential employee pension plan information was stolen from an auditor.

The firm sent a notice to current and former partners, associates and staff in mid-August alerting them of the security breach.

"Given the circumstances of the theft, we think it is highly unlikely that the laptop was purloined because the thief knew that Howard, Rice employee names and Social Security numbers were resident on the computer," the letter stated. "Nonetheless, we want to treat this potential information breach with utmost caution."

California law requires all businesses to notify customers and employees if there is a danger that their personal data might have been compromised.

The laptop, owned by an employee of accounting firm Morris, Davis & Chan in Oakland, contained thousands of documents, including three spreadsheets with the name and Social Security number of all active and terminated Howard, Rice employees with a remaining balance in the firm's pension plans, as well as 401(k) and profit-sharing account information. The computer was taken from the trunk of the auditor's car, parked in a public lot.
Howard, Rice executive director Michelle Johnson said the firm sent the notice to everyone as soon as the firm found out about the theft and has offered free credit reporting for anyone whose information had been on the stolen computer.

"This wasn't a theft of our property. All we know is that the computer was stolen, and so far we are not aware of anybody having their information compromised," Johnson said.

On Aug. 28, the firm sent an update saying that the information on the computer had not been encrypted but had been password protected.

[...]

http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1158311123646

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.405 / Virus Database: 268.12.4/449 - Release Date: 9/15/2006

From Dissent at pogowasright.org Sat Sep 16 02:59:48 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 16 Sep 2006 02:59:48 -0400
Subject: [Dataloss] Beaumont error raises care and privacy issues
Message-ID: <7.0.0.16.2.20060916025818.0252e870@nowhere.org>

Beaumont Hospital mistakenly mailed medical reports on three patients to a retired dentist in Texas, an error that delayed vital information from reaching the patients' doctor and raised privacy and health care concerns at a hospital with past privacy issues.

Sensitive medical reports containing test results, dates of birth and patient identification numbers were sent in error to retired dentist Eugene Derricotte of San Antonio in July and August, violating privacy standards set forth in the Health Insurance Portability & Accountability Act of 1996.

...

The disclosures come after the hospital came under fire in August for losing a laptop computer that contained information on 28,473 of its home care patients, including Social Security numbers, addresses and dates of birth. The laptop was recovered; no patient data had been breached.

[...]
http://www.detnews.com/apps/pbcs.dll/article?AID=/20060916/LIFESTYLE03/609160350

From Dissent at pogowasright.org Sat Sep 16 03:01:09 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 16 Sep 2006 03:01:09 -0400
Subject: [Dataloss] UTSA hunts computer hacker but says no information stolen
Message-ID: <7.0.0.16.2.20060916025949.0249cff0@nowhere.org>

Officials at the University of Texas at San Antonio are searching for a computer hacker who jeopardized the security of records for tens of thousands of students and faculty members.

...

The university sent out 64,000 letters Friday to those affected, including 53,000 current and former students and 11,000 faculty and staff members.

Gabler said the unauthorized access was discovered Aug. 16 during a routine risk assessment of the university's computer servers, which caught the problem before any information was taken.

"We confirmed that no data was copied, altered or taken out of the server," Gabler said.

[...]

http://www.mysanantonio.com/news/metro/stories/MYSA091606.02B.UTSAHACKER.2e77063.html

From lyger at attrition.org Sat Sep 16 20:12:40 2006
From: lyger at attrition.org (lyger)
Date: Sat, 16 Sep 2006 20:12:40 -0400 (EDT)
Subject: [Dataloss] Breach notice: Cooks Illustrated
In-Reply-To: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>
References: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>

oops... previous mail should have been CW-0002. sorry...

On Fri, 15 Sep 2006, Chris Walsh wrote:

": " This one is from the state of North Carolina's response to my FOIA
": " request.
": "
": " I am assigning it a UID of "CW-0001".
": "
": " All information is verbatim from the printout they sent me.
": "
": " Company Name
": " Cooks Illustrated
": "
": " Date Notified
": " 3/02/06
": "
": " Breach Date
": " 1/31/2006
": "
": " Event
": " Unauthorized access to files
": "
": " NC Residents Impacted
": " 3162

From lyger at attrition.org Sat Sep 16 20:26:03 2006
From: lyger at attrition.org (lyger)
Date: Sat, 16 Sep 2006 20:26:03 -0400 (EDT)
Subject: [Dataloss] Breach notice: Cooks Illustrated
In-Reply-To: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>
References: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>

Heh, since my previous email was probably confusing, I'll actually finish this one before hitting send. :)

First, would like to thank Chris for providing the information he found through FOIA requests to NY and NC. We're adding these to DLDOS as we can find more information, and the Mortgage Lenders Network USA breach has been added as CW-0002.

Second, if anyone finds any links to news stories regarding these breaches, please feel free to pass them on so we can add them to DLDOS and the attrition.org archives. We're still looking, but several sets of eyes are certainly better than one.

Thanks,

Lyger

On Fri, 15 Sep 2006, Chris Walsh wrote:

": " This one is from the state of North Carolina's response to my FOIA
": " request.
": "
": " I am assigning it a UID of "CW-0001".
": "
": " All information is verbatim from the printout they sent me.
": "
": " Company Name
": " Cooks Illustrated
": "
": " Date Notified
": " 3/02/06
": "
": " Breach Date
": " 1/31/2006
": "
": " Event
": " Unauthorized access to files
": "
": " NC Residents Impacted
": " 3162

From adam at homeport.org Sat Sep 16 20:49:32 2006
From: adam at homeport.org (Adam Shostack)
Date: Sat, 16 Sep 2006 20:49:32 -0400
Subject: [Dataloss] Breach notice: BCTGM Local 192 Union
In-Reply-To: <69B16834-9D80-4DF4-9A16-7C4B412FF770@cwalsh.org>
References: <69B16834-9D80-4DF4-9A16-7C4B412FF770@cwalsh.org>
Message-ID: <20060917004932.GC2267@homeport.org>

Can I suggest you use a longer identifier, or are you planning to give up after the first 10,000 breaches?

On Fri, Sep 15, 2006 at 07:25:24PM -0500, Chris Walsh wrote:
| This one is another from the state of North Carolina's response to my
| FOIA request.
|
| I am assigning it a UID of "CW-0006".
|
| All information is verbatim from the printout they sent me.
|
| Company Name
| BCTGM Local 192 Union
|
| Date Notified
| 07/21/06
|
| Breach Date
| July 2006
|
| Event
| displayed SSN on sign in roster and union election
|
| NC Residents Impacted
| 140

From adam at homeport.org Sat Sep 16 20:47:57 2006
From: adam at homeport.org (Adam Shostack)
Date: Sat, 16 Sep 2006 20:47:57 -0400
Subject: [Dataloss] Breach notice: Cooks Illustrated
In-Reply-To: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>
References: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>
Message-ID: <20060917004757.GA2267@homeport.org>

This is known--you should check out this blog.

http://www.emergentchaos.com/archives/2006/02/crispier_breach.html

:)

On Fri, Sep 15, 2006 at 07:08:27PM -0500, Chris Walsh wrote:
| This one is from the state of North Carolina's response to my FOIA
| request.
|
| I am assigning it a UID of "CW-0001".
|
| All information is verbatim from the printout they sent me.
|
| Company Name
| Cooks Illustrated
|
| Date Notified
| 3/02/06
|
| Breach Date
| 1/31/2006
|
| Event
| Unauthorized access to files
|
| NC Residents Impacted
| 3162

From lyger at attrition.org Sat Sep 16 21:09:50 2006
From: lyger at attrition.org (lyger)
Date: Sat, 16 Sep 2006 21:09:50 -0400 (EDT)
Subject: [Dataloss] Breach notice: BCTGM Local 192 Union
In-Reply-To: <20060917004932.GC2267@homeport.org>
References: <69B16834-9D80-4DF4-9A16-7C4B412FF770@cwalsh.org> <20060917004932.GC2267@homeport.org>

On Sat, 16 Sep 2006, Adam Shostack wrote:

": " Can I suggest you use a longer identifier, or are you planning to give
": " up after the first 10,000 breaches?
": "
": "
": " On Fri, Sep 15, 2006 at 07:25:24PM -0500, Chris Walsh wrote:
": " | This one is another from the state of North Carolina's response to my
": " | FOIA request.
": " |
": " | I am assigning it a UID of "CW-0006".

We actually discussed this at length over several emails. As it stands, we still have well under 400 breaches listed in DLDOS. Even at a rate of one per day from this point forward, that would be another 26 years or so until we cross into the 5-digit realm.

At that point, our future generations will probably be able to figure out how to switch out the existing identifier in mere nanoseconds.
:)

From adam at homeport.org Sat Sep 16 21:12:15 2006
From: adam at homeport.org (Adam Shostack)
Date: Sat, 16 Sep 2006 21:12:15 -0400
Subject: [Dataloss] Breach notice: BCTGM Local 192 Union
References: <69B16834-9D80-4DF4-9A16-7C4B412FF770@cwalsh.org> <20060917004932.GC2267@homeport.org>
Message-ID: <20060917011215.GA3978@homeport.org>

On Sat, Sep 16, 2006 at 09:09:50PM -0400, lyger wrote:
|
|
| On Sat, 16 Sep 2006, Adam Shostack wrote:
|
| ": " Can I suggest you use a longer identifier, or are you planning to give
| ": " up after the first 10,000 breaches?
| ": "
| ": "
| ": " On Fri, Sep 15, 2006 at 07:25:24PM -0500, Chris Walsh wrote:
| ": " | This one is another from the state of North Carolina's response to my
| ": " | FOIA request.
| ": " |
| ": " | I am assigning it a UID of "CW-0006".
|
| We actually discussed this at length over several emails. As it stands,
| we still have well under 400 breaches listed in DLDOS. Even at a rate of
| one per day from this point forward, that would be another 26 years or so
| until we cross into the 5-digit realm.
|
| At that point, our future generations will probably be able to figure out
| how to switch out the existing identifier in mere nanoseconds. :)

There's *no way* this system will still be operational by the year 2000. And memory is sooo expensive!

More seriously, 1) I expect the rate to climb substantially as companies realize that breaches happen and 2) the year bits in CVE are really useful.

Adam

From Dissent at pogowasright.org Sun Sep 17 09:40:02 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sun, 17 Sep 2006 09:40:02 -0400
Subject: [Dataloss] Federal loan Web site left unprotected
Message-ID: <7.0.0.16.2.20060917093713.02489150@nowhere.org>

Complications from a computer software upgrade caused a security breach that left loan borrowers' private information, such as their Social Security numbers, unprotected online.

The problem occurred from the evening of Aug. 20 to the morning of Aug.
22 on the Web site of Direct Loans. Direct Loans is part of the William D. Ford Federal Direct Loan Program within the Dept. of Education and Federal Student Aid.

Anyone who used the Web site and performed the same transaction at the same time in the same part of the system as another user could have had his or her data exposed, Bushman said.

...

She estimated that 21,000 accounts of the more than six million on the system could have been affected. All those potentially affected already would have been notified, she said.

[...]

http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060917/NEWS01/609170310/1079/NEWS01

From blitz at strikenet.kicks-ass.net Sun Sep 17 20:58:33 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Sun, 17 Sep 2006 20:58:33 -0400
Subject: [Dataloss] Federal loan Web site left unprotected
In-Reply-To: <7.0.0.16.2.20060917093713.02489150@nowhere.org>
References: <7.0.0.16.2.20060917093713.02489150@nowhere.org>
Message-ID: <7.0.1.0.2.20060917205730.042f3e88@strikenet.kicks-ass.net>

What part of "DON'T USE PRODUCTION DATA" do they not understand? Sheesh!

At 09:40 9/17/2006, you wrote:
>Complications from a computer software upgrade caused a security
>breach that left loan borrowers' private information, such as their
>Social Security numbers, unprotected online.
>
>The problem occurred from the evening of Aug. 20 to the morning of
>Aug. 22 on the Web site of Direct Loans. Direct Loans is part of the
>William D. Ford Federal Direct Loan Program within the Dept. of
>Education and Federal Student Aid.
>
>Anyone who used the Web site and performed the same transaction at
>the same time in the same part of the system as another user could
>have had his or her data exposed, Bushman said.
>
>...
>She estimated that 21,000 accounts of the more than six million
>on the system could have been affected. All those potentially
>affected already would have been notified, she said.
>
>[...]
>
>http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060917/NEWS01/609170310/1079/NEWS01

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ADAIL at sunocoinc.com Mon Sep 18 12:54:08 2006
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Mon, 18 Sep 2006 12:54:08 -0400
Subject: [Dataloss] Federal loan Web site left unprotected
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC7073F@mds3aex0e.USISUNOCOINC.com>

Far too many organizations think it's acceptable to shortcut that requirement by taking information that was "formerly known as production data" and using it for test because it's already in the production format, and, "Well, the data is no longer current enough to be considered 'live' or 'production'."

There is a great deal of pressure on IT groups to save time and money. From a strictly time management and bookkeeping perspective it seems like a logical idea. But, developers don't seem to remember the fact that even though the data is no longer of use to the company, the consumers aren't quite finished using those numbers yet. You know, Social Security Numbers, Drivers License Numbers, dates of birth.
Their managers seem willing to gamble that it won't happen to them, and are willing to take the risk to save the time and cost of developing mock data. The cost of addressing one incident would change their minds if the money to remediate came from their cost centers.

Andy Dail
Sunoco PCI Project Manager

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of blitz
Sent: Sunday, September 17, 2006 7:59 PM
To: Dissent
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Federal loan Web site left unprotected

What part of "DON'T USE PRODUCTION DATA" do they not understand? Sheesh!

At 09:40 9/17/2006, you wrote:

Complications from a computer software upgrade caused a security breach that left loan borrowers' private information, such as their Social Security numbers, unprotected online.

The problem occurred from the evening of Aug. 20 to the morning of Aug. 22 on the Web site of Direct Loans. Direct Loans is part of the William D. Ford Federal Direct Loan Program within the Dept. of Education and Federal Student Aid.

Anyone who used the Web site and performed the same transaction at the same time in the same part of the system as another user could have had his or her data exposed, Bushman said.

...

She estimated that 21,000 accounts of the more than six million on the system could have been affected. All those potentially affected already would have been notified, she said.

[...]

http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060917/NEWS01/609170310/1079/NEWS01
From cwalsh at cwalsh.org Mon Sep 18 13:46:18 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 18 Sep 2006 12:46:18 -0500
Subject: [Dataloss] Federal loan Web site left unprotected
In-Reply-To: <8CA58E707BB1C44385FA71D02B7A1C8EC7073F@mds3aex0e.USISUNOCOINC.com>
References: <8CA58E707BB1C44385FA71D02B7A1C8EC7073F@mds3aex0e.USISUNOCOINC.com>
Message-ID: <20060918174616.GB17275@cwalsh.org>

In this case it looks like, regardless of the data, they had rather fundamental concurrency issues that were not revealed in testing. That suggests that the testing was done by one person.

From lyger at attrition.org Mon Sep 18 17:33:22 2006
From: lyger at attrition.org (lyger)
Date: Mon, 18 Sep 2006 17:33:22 -0400 (EDT)
Subject: [Dataloss] 4,000 people at risk of ID theft, state says

http://www.freep.com/apps/pbcs.dll/article?AID=2006609160352

September 16, 2006

BY KIM NORRIS
FREE PRESS STAFF WRITER

The Michigan Department of Community Health will offer identity theft protection to more than 4,000 current and former Michigan residents who have been participating in a scientific study because an apparent theft may have put personal information at risk.
A flash drive -- a portable storage device containing names, current addresses, telephone, Social Security numbers and birth dates of the people participating in the study -- has been missing from a secured floor in an MDCH building since Aug. 4 and is presumed to have been stolen, MDCH spokesman T.J. Bucholz said.

The missing data did not include any health information, medical records or laboratory information.

[...]

From lyger at attrition.org Mon Sep 18 17:42:36 2006
From: lyger at attrition.org (lyger)
Date: Mon, 18 Sep 2006 17:42:36 -0400 (EDT)
Subject: [Dataloss] Emergent Chaos: Is It Time To End the Breaches Category?

(Adam and Chris, hope you don't mind, but I find this to be relevant and newsworthy considering the time and effort you've both spent on this topic - lyger)

http://www.emergentchaos.com/archives/2006/09/is_it_time_to_end_the_bre.html

Looking back to February of 2005, that companies routinely lose control of data entrusted to them was known mostly to security professionals and enthusiasts. Breaches were swept under the rug, and the scope and breadth of the problem was unknown. Thanks to Choicepoint's dedication to bringing about public debate on the issue, the outstanding reporting of Bob Sullivan and others, and my unholy fascination with it, and Chris's dedication in finding data, things have changed. This blog became an important source of information and analysis, and I'm very pleased to have contributed to the changes.

The stories are now mainstream, and more broad. Things like "Payroll Giant [ADP] Gives Scammer Personal Data of Hundreds of Thousands of Investors" make ABC news. (Names and addresses, not SSNs.)

[...]

From Dissent at pogowasright.org Mon Sep 18 20:05:17 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 18 Sep 2006 20:05:17 -0400
Subject: [Dataloss] Leak of guns list has link to ruling
Message-ID: <7.0.0.16.2.20060918200407.025d1a78@nowhere.org>

Berks County Sheriff Barry J.
Jozwiak was trying to comply with a court order to create a more secure list of gun-permit holders when an outside contractor left at least some of the list exposed on the Internet, officials said Thursday.

[Jozwiak]... previously said a Canon Technology Solutions employee was creating a more secure Web-based gun-permit list and inadvertently failed to turn on security software to protect the information over the Labor Day weekend.

Fred Hershey, a county information-systems manager, said someone in China viewed the Web site, but apparently did not download information.

The site contained the names, addresses, Social Security numbers and other personal information of some of the 25,000 gun-permit holders.

[...]

http://www.tmcnet.com/usubmit/2006/09/15/1898313.htm

From Dissent at pogowasright.org Mon Sep 18 20:07:43 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 18 Sep 2006 20:07:43 -0400
Subject: [Dataloss] Private data still public on Ohio office's Web site
Message-ID: <7.0.0.16.2.20060918200655.0260a438@nowhere.org>

COLUMBUS - Nearly seven months after the issue made headlines, some Social Security numbers remain available on documents accessible through the Ohio Secretary of State's Internet Web site.

James Lee, spokesman for Secretary Ken Blackwell, said yesterday a software program removed 97 percent of private information that some lenders erroneously included on secured-loan documents that are routinely scanned and made available on the Internet.

[...]

http://toledoblade.com/apps/pbcs.dll/article?AID=/20060915/NEWS24/609150359/-1/NEWS

From Dissent at pogowasright.org Mon Sep 18 20:06:53 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 18 Sep 2006 20:06:53 -0400
Subject: [Dataloss] (UK) Post office 'dumped customer details in bin'
Message-ID: <7.0.0.16.2.20060918200522.025d6cb0@nowhere.org>

An investigation has been launched into allegations that a post office dumped customers' personal details in a dustbin.
Campaign group Scamsdirect claim they found post office customers' bank details, National Insurance numbers, passport numbers and other personal information in a bin on a public street.

The Information Commissioner's Office (ICO) is already investigating similar allegations against branches of the NatWest and its parent company, the Royal Bank of Scotland, in the same area and is looking into possible breaches of the Data Protection Act by the Southampton branch.

[...]

http://news.uk.msn.com/Article.aspx?cp-documentid=925558

From Dissent at pogowasright.org Mon Sep 18 20:09:45 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 18 Sep 2006 20:09:45 -0400
Subject: [Dataloss] [Archive] Police laptop sold at car-boot sale
Message-ID: <7.0.0.16.2.20060918200750.025c9f48@nowhere.org>

Scottish police have been embarrassed by the appearance of a confidential laptop at a car-boot sale. The laptop contained road accident crash victim pictures, according to the BBC.

The Lothian and Borders Police had disposed of the unwanted device through a third-party 'specialist' firm, it said. It was bought at a Glasgow car-boot sale by a computer engineer.

The computer's hard drive also held data on 200 police officers, yet the system was not password-protected.

[...]

http://www.pcadvisor.co.uk/blogs/index.cfm?entryid=431&blogid=4

From lyger at attrition.org Mon Sep 18 20:22:48 2006
From: lyger at attrition.org (lyger)
Date: Mon, 18 Sep 2006 20:22:48 -0400 (EDT)
Subject: [Dataloss] Attrition.org and PogoWasRight.org Collaborate on DataLoss
Message-ID:

http://attrition.org/dataloss/06-09-18.001.html

Mon Sep 18 16:10:33 EDT 2006
Attrition Staff

Attrition.org and PogoWasRight.org would like to announce the beginning of a new collaborative effort that we feel will enhance the resources provided by both sites. Beginning on Saturday, September 16, 2006, Dissent and AnonAdmin from PogoWasRight.org are the new co-moderators of the Data Loss Mail List and the Data Loss Web Page.
In return, Lyger from attrition.org has created a user account with PogoWasRight.org to provide news, commentary, and additional support and/or resources as needed. Both sites will continue to remain independent in content and focus. However, resources will be shared willingly, openly, and freely with no commercialization or compensation provided to either group (other than the ph4t sh3ll 4cc0un7z, y0).

[...]

From adam at homeport.org Mon Sep 18 20:23:59 2006
From: adam at homeport.org (Adam Shostack)
Date: Mon, 18 Sep 2006 20:23:59 -0400
Subject: [Dataloss] Emergent Chaos: Is It Time To End the Breaches Category?
In-Reply-To:
References:
Message-ID: <20060919002359.GA25245@homeport.org>

Not at all! I was planning to drop a note here tonight. If I may plug, we're going to be *highly* on topic this week, and I'll feel bad about posting all the blog posts to this list.

Adam

On Mon, Sep 18, 2006 at 05:42:36PM -0400, lyger wrote:
|
| (Adam and Chris, hope you don't mind, but I find this to be relevant and
| newsworthy considering the time and effort you've both spent on this topic
| - lyger)
|
| http://www.emergentchaos.com/archives/2006/09/is_it_time_to_end_the_bre.html
|
| Looking back to February of 2005, that companies routinely lose control of
| data entrusted to them was known mostly to security professionals and
| enthusiasts. Breaches were swept under the rug, and the scope and breadth
| of the problem was unknown. Thanks to Choicepoint's dedication to bringing
| about public debate on the issue, the outstanding reporting of Bob
| Sullivan and others, and my unholy fascination with it, and Chris's
| dedication in finding data, things have changed. This blog became an
| important source of information and analysis, and I'm very pleased to have
| contributed to the changes. The stories are now mainstream, and more
| broad. Things like "Payroll Giant [ADP] Gives Scammer Personal Data of
| Hundreds of Thousands of Investors" make ABC news.
| (Names and addresses,
| not SSNs.)
|
| [...]
| _______________________________________________
| Dataloss Mailing List (dataloss at attrition.org)
| http://attrition.org/dataloss
| Tracking more than 146 million compromised records in 349 incidents over 6 years.
|

From Dissent at pogowasright.org Mon Sep 18 20:48:27 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 18 Sep 2006 20:48:27 -0400
Subject: [Dataloss] Personal Information Stolen From DePaul Hospital
Message-ID: <7.0.0.16.2.20060918204711.0258b7b0@nowhere.org>

[...] someone has stolen two computers from the Radiation Therapy department at DePaul Medical Center in Norfolk. This affects a little more than 100 patients of the Radiation Therapy department.

According to a letter from the office of Executive Vice President Daniel S. Duggan to The Oncology Associates of Virginia, the computer thefts happened on August 28th and most recently on September 11th. They were stolen from the patient care area.

[....]

http://www.wtkr.com/Global/story.asp?S=5423927&nav=ZolHbyvj

From lyger at attrition.org Mon Sep 18 22:56:42 2006
From: lyger at attrition.org (lyger)
Date: Mon, 18 Sep 2006 22:56:42 -0400 (EDT)
Subject: [Dataloss] Fringe: "Top 5 Data Breach Causes"
Message-ID:

http://it.slashdot.org/article.pl?sid=06/09/18/2039221

"In a key step to help businesses better understand and protect themselves against the risks of fraud, Visa USA and the U.S. Chamber of Commerce announced the five leading causes of data breaches and offered specific prevention strategies. The report states that the most common cause of data compromise is a merchant's or a service provider's encoding of sensitive information on the card's magnetic stripe in violation of the PCI Data Security Standard. The other four are related to IT security, which can be improved simply by following common-sense guidelines."

Here is the report on the U.S. Chamber of Commerce site (PDF).
"
http://www.uschamber.com/NR/rdonlyres/eyzkc6zyokejn5n64o7vpmgvqxyd7dodczrpuc5tpqzoinz5gq7mpy3puuct43h6cgtr4kf3hmpx6hugw5kiktflzyh/top_5_alert.pdf

[...]

From lyger at attrition.org Tue Sep 19 11:41:43 2006
From: lyger at attrition.org (lyger)
Date: Tue, 19 Sep 2006 11:41:43 -0400 (EDT)
Subject: [Dataloss] Life is good suffers security breach
Message-ID:

http://www.boston.com/business/ticker/2006/09/life_is_good_su.html

Boston-based retailer Life is good is having a bad day -- and so might some of its customers. The company today disclosed a security breach in which hackers accessed a database containing 9,250 customers' credit card numbers.

[...]

From lyger at attrition.org Wed Sep 20 10:24:21 2006
From: lyger at attrition.org (lyger)
Date: Wed, 20 Sep 2006 10:24:21 -0400 (EDT)
Subject: [Dataloss] Berry College: Security breach on students' personal information
Message-ID:

http://news.mywebpal.com/partners/680/public/news748399.html

Berry College President Dr. Stephen R. Briggs informed the campus community of a potential security breach this morning.

College officials were notified late Monday afternoon that student information included on applications for need-based federal aid filed during the 2005-06 academic year has been misplaced by an external financial aid consultant. This data, including student name, Social Security number and reported family income, involves 2,093 students or potential students who submitted a Free Application for Federal Student Aid (FAFSA) to Berry in 2005-06. Of those, 1,322 are currently enrolled at the college.

At this time, there is no evidence that any of the data has been used for fraudulent purposes, college officials say.

Briggs informed the Berry community of the potential breach via e-mail Wednesday morning. He noted that at no time were the administrative or student databases compromised and that, based on what is known at this time, no first-year students have been affected.

[...]
From Dissent at pogowasright.org Wed Sep 20 18:53:32 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 20 Sep 2006 18:53:32 -0400
Subject: [Dataloss] World Wide Web of Trouble for Some Savannah Drivers
Message-ID: <7.0.0.16.2.20060920185239.024e1150@nowhere.org>

More than 8,800 people have letters in their mailboxes from the City of Savannah saying their personal information may have been compromised.

With dozens of servers carrying millions of names and files, Savannah IT director Jerry Cornish says the city is very conscious of computer security. But it was a small mistake online that left a big security breach behind.

"We had poked a hole in the firewall to allow that access," said Cornish. "Those text files were exposed to the internet."

The pictures and video taken by the red light cameras were available for whoever committed the offense. Unfortunately, those pictures and video, along with personal information, were available to anyone who searched for them for a seven-month-long period.

That means, along with video of red light running, names, addresses, birth dates, and in some cases social security numbers were there for the taking. All available just by searching for someone's name through Google.

[...]

http://www.wtoctv.com/Global/story.asp?S=5436458&nav=0qq6

From Dissent at pogowasright.org Thu Sep 21 09:47:24 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 21 Sep 2006 09:47:24 -0400
Subject: [Dataloss] Left in a vehicle Pima County vaccination records for 2,500 are stolen
Message-ID: <7.0.0.16.2.20060921094611.02576268@nowhere.org>

An estimated 2,500 clients of the Pima County Health Department are getting letters telling them their vaccine records - left in an employee's car - have been stolen along with the vehicle.

The theft took place Sept. 12 from a South Side health department office parking lot, officials said. The records, from summer vaccine clinics, were to have been taken to the department's downtown office.
No Social Security numbers or addresses were in the records but names, dates of birth and ZIP codes were.

[...]

http://www.tucsoncitizen.com/daily/local/26924.php

From cwalsh at cwalsh.org Thu Sep 21 20:54:21 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 21 Sep 2006 19:54:21 -0500
Subject: [Dataloss] Breach notice: Cooks Illustrated
In-Reply-To:
References: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>
Message-ID: <525E9413-5246-4BF1-A0E9-E852DE2A9825@cwalsh.org>

I just got a Freedom of Info response from NY related to my most recent request.

The good folks at Cooks Illustrated report to NY that 11K NYers got potentially exposed.

So, 3K in NC, 11K in NY. I'm no statistician, but we might be talking hundreds of thousands altogether? Who knows, when they *don't have to report this centrally*.

(Thus endeth my rant for tonight)

I remark briefly on this latest bunch o' reports from NY at http://www.emergentchaos.com/archives/2006/09/breach_data.html

I'll be doing data entry on all of these reports probably over the weekend.

On Sep 16, 2006, at 7:26 PM, lyger wrote:
>
> Heh, since my previous email was probably confusing, I'll actually finish
> this one before hitting send. :)
>
> First, would like to thank Chris for providing the information he found
> through FOIA requests to NY and NC. We're adding these to DLDOS as we can
> find more information, and the Mortgage Lenders Network USA breach has
> been added as CW-0002.

From lyger at attrition.org Thu Sep 21 23:48:09 2006
From: lyger at attrition.org (lyger)
Date: Thu, 21 Sep 2006 23:48:09 -0400 (EDT)
Subject: [Dataloss] Census Bureau loses hundreds of laptops
Message-ID:

Courtesy Cancer Omega (attrition.org):

http://www.cnn.com/2006/US/09/21/missing.laptops.ap/index.html

POSTED: 9:56 p.m. EDT, September 21, 2006

WASHINGTON (AP) -- The Commerce Department has lost 1,137 laptop computers since 2001, most of them assigned to the Census Bureau, officials said Thursday night.
The Census Bureau, the main collector of information about Americans, lost 672 computers. Of those, 246 contained some personal data, the department said in a statement.

However, no personal information from any of the missing computers has been known to have been improperly used, the department said. The number of people affected by the equipment losses could not be determined, the department said.

"All of the equipment that was lost or stolen contained protections to prevent a breach of personal information," said Commerce Secretary Carlos M. Gutierrez. "The amount of missing computers is high, but fortunately, the vulnerability for data misuse is low."

[...]

From lyger at attrition.org Fri Sep 22 08:13:49 2006
From: lyger at attrition.org (lyger)
Date: Fri, 22 Sep 2006 08:13:49 -0400 (EDT)
Subject: [Dataloss] FTC hasn't paid victims of breach at ChoicePoint
Message-ID:

Courtesy InfoSec News and WK:

http://www.boston.com/business/globe/articles/2006/09/21/ftc_hasnt_paid_victims_of_breach_at_choicepoint/

By Associated Press
September 21, 2006

ATLANTA -- Nearly eight months after regulators trumpeted a settlement with ChoicePoint Inc. over a data breach, the government has not paid any money to victims from a $5 million fund that was to be set up as part of the agreement.

The Federal Trade Commission also has not yet implemented procedures for how the 800 fraud victims it has identified so far can be compensated from the fund, nor has it hired anyone to administer it, said FTC spokeswoman Claudia Bourne Farrell.

"That's under review," Farrell said Tuesday.

Responding to an open records request by the Associated Press, Farrell said the commission is trying to develop a plan to distribute the money efficiently.

Jessica Rich, assistant director of the FTC's division of privacy and identity theft, said in a statement yesterday that "law enforcement is still identifying victims, and we want to make sure we have the right people."

[...]
From george at myitaz.com Fri Sep 22 11:50:40 2006
From: george at myitaz.com (George Toft)
Date: Fri, 22 Sep 2006 08:50:40 -0700
Subject: [Dataloss] Breach notice: Cooks Illustrated
In-Reply-To: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>
References: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org>
Message-ID: <45140650.4060200@myitaz.com>

I think it would be beneficial to the group as a whole to discuss how one files a FOIA request - what is involved, how long it takes, etc.

Since many companies call the FBI when there is a breach, perhaps a FOIA request filed with them might be beneficial?

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

Chris Walsh wrote:
> This one is from the state of North Carolina's response to my FOIA
> request.
>
> I am assigning it a UID of "CW-0001".
>
> All information is verbatim from the printout they sent me.
>
> Company Name
> Cooks Illustrated
>
> Date Notified
> 3/02/06
>
> Breach Date
> 1/31/2006
>
> Event
> Unauthorized access to files
>
> NC Residents Impacted
> 3162
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 349 incidents over 6 years.
>

From bkdelong at pobox.com Fri Sep 22 12:23:01 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 22 Sep 2006 12:23:01 -0400
Subject: [Dataloss] Breach notice: Cooks Illustrated
In-Reply-To: <45140650.4060200@myitaz.com>
References: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org> <45140650.4060200@myitaz.com>
Message-ID:

Except at that point it would be considered an investigation and thus all information is undisclosable.

On 9/22/06, George Toft wrote:
>
> I think it would be beneficial to the group as a whole to discuss how
> one files a FOIA request - what is involved, how long it takes, etc.
>
> Since many companies call the FBI when there is a breach, perhaps a FOIA
> request filed with them might be beneficial?
>
> George Toft, CISSP, MSIS
> My IT Department
> www.myITaz.com
> 480-544-1067
>
> Confidential data protection experts for the financial industry.
>
>
> Chris Walsh wrote:
> > This one is from the state of North Carolina's response to my FOIA
> > request.
> >
> > I am assigning it a UID of "CW-0001".
> >
> > All information is verbatim from the printout they sent me.
> >
> > Company Name
> > Cooks Illustrated
> >
> > Date Notified
> > 3/02/06
> >
> > Breach Date
> > 1/31/2006
> >
> > Event
> > Unauthorized access to files
> >
> > NC Residents Impacted
> > 3162
> >
> >
> > _______________________________________________
> > Dataloss Mailing List (dataloss at attrition.org)
> > http://attrition.org/dataloss
> > Tracking more than 146 million compromised records in 349 incidents over 6 years.
> >
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 361 incidents over 6 years.
>
From cwalsh at cwalsh.org Fri Sep 22 12:37:52 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 22 Sep 2006 11:37:52 -0500
Subject: [Dataloss] FOIA fundamentals (OT)
In-Reply-To: <45140650.4060200@myitaz.com>
References: <4A5A3D22-BE85-4EDF-BD93-2B5794A21A6D@cwalsh.org> <45140650.4060200@myitaz.com>
Message-ID: <20060922163739.GA27594@cwalsh.org>

A good starting point is http://www.gwu.edu/~nsarchiv/nsa/foia.html

From adam at homeport.org Fri Sep 22 12:51:17 2006
From: adam at homeport.org (Adam Shostack)
Date: Fri, 22 Sep 2006 12:51:17 -0400
Subject: [Dataloss] Breach Analysis
Message-ID: <20060922165117.GA31164@homeport.org>

As Lyger mentioned on Monday, this has been a focused week at Emergent Chaos, with quite a few posts that are likely of interest to readers here:

* Is It Time To End the Breaches Category
  http://www.emergentchaos.com/archives/2006/09/is_it_time_to_end_the_bre.html
* What's Next in Breach Analysis
  http://www.emergentchaos.com/archives/2006/09/whats_next_in_breach_anal.html
* Emergent Breach research
  http://www.emergentchaos.com/archives/2006/09/emergent_breach_research.html
* CSO Breach SOP == FUD?
  http://www.emergentchaos.com/archives/2006/09/cso_breach_sop_fud.html
* Breach Data
  http://www.emergentchaos.com/archives/2006/09/breach_data.html
* The Future's So Bright, Let's Not Wear Blinders
  http://www.emergentchaos.com/archives/2006/09/the_futures_so_bright_let.html

From bkdelong at pobox.com Fri Sep 22 12:53:23 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 22 Sep 2006 12:53:23 -0400
Subject: [Dataloss] ATMs vulnerable to digital break-ins
Message-ID:

This has been floating around all week if not longer:

http://www.schneier.com/blog/archives/2006/09/programming_atm.html

but I think it's very important to get the word out as the media seems slow on the uptake.
I've received multiple second-hand reports of successes with Triton, Tranax and MANY other brands of ATMs with Master Passwords available from manuals found online - in some cases on the vendor Web sites. Regardless of whether the vendors take it down, they've been out in the wild for who knows how many years and I believe they retain information of transactions in the system accessible in this admin mode. I think of how many kiosk ATMs I've used in the last few weeks at hotels and in the train station etc.

Am I overreacting?

From cwalsh at cwalsh.org Fri Sep 22 15:31:04 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 22 Sep 2006 14:31:04 -0500
Subject: [Dataloss] ATMs vulnerable to digital break-ins
In-Reply-To:
References:
Message-ID: <20060922193052.GA9925@cwalsh.org>

On Fri, Sep 22, 2006 at 12:53:23PM -0400, B.K. DeLong wrote:
> Am I overreacting?

I got the Tranax admin pw in 15 seconds of googling. I found the Triton manuals in another 10 seconds, once I learned (from a link in the Tranax results!) that Triton was a popular brand of ATMs for 7-11 or gas station deployment. Those manuals have the passwords, of course.

Among the fun things you can do (aside from the banal theft of cash) is view or print the ATMs' journal. I, obviously, have not tried this, but sources tell me that these journals are based on ISO 8583, so in principle could contain all sorts of the kind of info readers of this list might care about.

How would you like to see the names and card numbers of the last few people that used an ATM before you did? In a setting where many of these users use debit or credit cards -- perhaps an airport lounge -- this could be an interesting way to get card numbers.
An added benefit is that you know the real card owner is in transit but was recently nearby, thus making (I think) fraud detection less likely to fire.

If I had decent info on what these ATMs' journals actually *do* record, rather than what the spec says they *could* record, I could do more than sketch a possible attack.

cw

From anonadmin at pogowasright.org Fri Sep 22 19:10:36 2006
From: anonadmin at pogowasright.org (anonadmin at pogowasright.org)
Date: Fri, 22 Sep 2006 18:10:36 -0500 (CDT)
Subject: [Dataloss] Missing Computers At CU-Boulder Contained I.D. Information, Investigation Is Underway
Message-ID: <2614.66.90.118.12.1158966636.squirrel@www.pogowasright.org>

http://www.colorado.edu/news/releases/2006/308.html

The Leeds School of Business at the University of Colorado at Boulder has issued letters to a number of students whose names and other information were stored on two computers that were found to be missing during the school's move to temporary quarters last May.

Letters of notification are being sent to the 1,372 students and former students today, Sept. 22. To date, no known identity-theft cases have resulted from the possible data breach involving the business school computers. The letters include information about how to protect against potential fraud and identity theft.

The computers were placed in storage last May and were to be taken out of storage the week of August 28, when it was discovered that one was missing. A second computer subsequently was found to be missing. An investigation has been underway since late August. It is not yet known whether the computers were misplaced or have been stolen.

more...
From cwalsh at cwalsh.org Fri Sep 22 19:36:34 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 22 Sep 2006 18:36:34 -0500
Subject: [Dataloss] Purdue warns 2400 that SSNs were revealed
Message-ID:

Purdue Notifies Students of Potential Security Breach

Via http://www.insideindianabusiness.com/newsitem.asp?ID=19775

InsideINdianaBusiness.com Report
9/22/2006 4:32:49 PM

Purdue University is notifying more than 2,400 people that were students in 2000 that a computer containing their personal information may have been accessed remotely by unauthorized people. The possible breach was discovered during a security check of an administrative workstation in the Department of Chemistry. Officials say software may have been installed remotely on the hard drive to permit the files containing names and social security numbers to be downloaded.

Source: Inside INdiana Business

Press Release

WEST LAFAYETTE, Ind. - Purdue University is informing people who were students in 2000 that a single desktop computer containing information about them may have been accessed by unauthorized individuals.

The possibility was discovered this month during a security check of an administrative workstation in the Department of Chemistry. The incident involved a file dated Feb. 4, 2000, that contained personal identifying information, including Social Security numbers, names, school, classification, major and e-mail addresses for 2,482 students. A total of 2,672 records were involved, but some did not contain Social Security numbers.

According to a preliminary analysis of the computer, an unauthorized person may have gained access to the hard drive remotely and installed software that would have permitted files to be downloaded.

"We have no direct evidence that any unauthorized person viewed or downloaded data, but we know that the computer had been compromised," said Jeffrey Vitter, dean of the College of Science, in which the chemistry department is located.
"We are trying to alert every individual whose information was in the file."

Because the information in the document is six years old, the College of Science worked with the Purdue University Development Office to acquire current addresses. Anyone who does not receive a letter but believes he or she may have been in the affected group can contact Purdue at (866) 307-8520 to inquire.

More information about the incident also is available online. At the site, there are links to the Federal Trade Commission, where a complaint about fraud or identity theft can be filed, as well as links to apply for a credit report.

[....]

From lyger at attrition.org Fri Sep 22 22:39:17 2006
From: lyger at attrition.org (lyger)
Date: Fri, 22 Sep 2006 22:39:17 -0400 (EDT)
Subject: [Dataloss] Los Angeles - "Straight Outta Compton"
Message-ID:

(as asked before, is "dumpster diving" the new "laptop theft" for the media? even better (or worse), will we see journos jumping into trash for a story now? seems to be about the third or fourth time in the last week... - lyger)

http://www.nbc4.tv/news/9909867/detail.html

What easier way to steal your identity than if your personal financial information is sitting in the trash for hundreds of people to grab? Documents about you -- the government threw out.

We uncovered another breach of security that might include your personal and financial information -- information tossed in the trash at a courthouse.

SAMUEL STEELE: That's my Social Security number, the correct everything, my birth date, driver's license and address.

[...]
From Dissent at pogowasright.org Sat Sep 23 04:35:44 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 23 Sep 2006 04:35:44 -0400
Subject: [Dataloss] Files stolen from Allstate agent's car
Message-ID: <7.0.0.16.2.20060923043351.02606dd8@nowhere.org>

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1158961811095&call_pageid=968350072197&col=969048863851

A sales agent has told Allstate Canada Inc. that files of 60 to 70 Toronto policyholders were stolen from his automobile.

The home and auto insurer, the slogan for which is "You're in good hands," said yesterday managers did not learn of the theft until 12 days after it occurred.

As an extra precaution, Allstate said, staff contacted or left messages for 107 of the agent's clients yesterday, more than the number of files reported missing.

...

Agents often carry two or three files when visiting clients, she said, but must keep other files locked in an office cabinet. Allstate had just completed an education program about the importance of protecting customer information.

From Dissent at pogowasright.org Sat Sep 23 04:33:14 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 23 Sep 2006 04:33:14 -0400
Subject: [Dataloss] Garland man indicted for illegal dumping
Message-ID: <7.0.0.16.2.20060923043013.02601870@nowhere.org>

http://www.heraldbanner.com/local/local_story_266015851.html

A Garland man has been indicted on a charge of illegal dumping at a site northwest of Quinlan.

Amid the mounds of debris on land owned by Stefan Gradinaru, investigators say they found boxes of private medical records containing the names and personal information of patients of a local physician.

[...]

Environmental Enforcement Officer Mike Pierce said the documents appeared to have come from a physician living in Dallas, who has a Greenville practice and who kept some records at his house, which Gradinaru was hired to remodel.
From Dissent at pogowasright.org Sat Sep 23 13:48:45 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 23 Sep 2006 13:48:45 -0400
Subject: [Dataloss] Erlanger employees' names, identification lost
Message-ID: <7.0.0.16.2.20060923134609.0255ea10@nowhere.org>

http://www.tfponline.com/absolutenm/templates/breaking.aspx?articleid=5100&zoneid=41

Thousands of Erlanger hospital employees' names and personal identifying information stored electronically disappeared from a locked office on Sept. 15, and employees are hearing about the loss in letters sent to their homes this weekend, hospital officials said.

...

According to the letters, sent Friday afternoon to about 4,150 current and former employees thought to be affected and about 2,050 current employees who were not, the names and accompanying personal information were stored on a USB storage device, also known as a "jump drive." The database information was limited to names and Social Security numbers, Erlanger officials said.

...

Erlanger officials said an employee who was authorized to use the information was working with the data in a "secured area," and noticed on Sept. 15 that the device was missing. It remains unclear whether the information was lost, misplaced, or was stolen. Erlanger officials said there was no sign of a break-in to the office where the employee was working.

"This guy was working on it ... it was on his desk, and then it was gone," Erlanger board Chairman Bob Johnson said. He said he thinks the storage device was thrown away accidentally.

"It should take care of itself," he said. "I don't think it was one of those situations where somebody was trying to steal identities."

[...]
From Dissent at pogowasright.org Sat Sep 23 14:01:27 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 23 Sep 2006 14:01:27 -0400
Subject: [Dataloss] (followup) Indiana takes action on prescription privacy
Message-ID: <7.0.0.16.2.20060923135537.02596168@nowhere.org>

http://www.wthr.com/Global/story.asp?S=5446810&nav=9Tai

This summer, 13 Investigates found dozens of local pharmacies trashed their customers' privacy. In fact, we found local drug stores simply tossed out personal health information about hundreds of people. In some cases, we found pharmacies continued to do it even after we showed them the problem.

On Thursday, the Indiana Board of Pharmacy announced it is targeting 30 pharmacies for a state investigation.

"We filed consumer complaints against all of the pharmacies that were part of your report and there is an investigation ongoing right now with the attorney general's office with regard to those complaints," Allain said.

[...]

Don't know if it appeared on this list, but the original story on trashing privacy was at http://www.wthr.com/Global/story.asp?S=5201721&nav=9Tai

From Dissent at pogowasright.org Sun Sep 24 08:19:55 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sun, 24 Sep 2006 08:19:55 -0400
Subject: [Dataloss] Computers with patient data stolen from Nagasaki hospital
Message-ID: <7.0.0.16.2.20060924081730.025a0b40@nowhere.org>

http://www.yomiuri.co.jp/dy/national/20060924TDY02007.htm

Six notebook computers with data on about 9,000 patients have been stolen from Nagasaki University Hospital of Medicine and Dentistry in Nagasaki, a university official said.

The data contained names, gender, dates of birth, and diagnoses of people who visited the hospital's hematology division since the early 1990s, the official said.

[...]

The computers also contained data on another 3,000 patients' symptoms, though their names had been encoded.
The data, based on patients' medical files, had been stored there for educational and academic purposes, and some of them contained detailed descriptions on the patient's medical histories, the official said.

[...]

From Dissent at pogowasright.org Sun Sep 24 08:21:38 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sun, 24 Sep 2006 08:21:38 -0400
Subject: [Dataloss] Kenya Revenue Authority computers stolen
Message-ID: <7.0.0.16.2.20060924081956.0259fc68@nowhere.org>

http://www.eastandard.net/hm_news/news.php?articleid=1143958667

Burglars entered the heavily guarded Kenya Revenue Authority (KRA) offices at Times Tower and stole computers containing crucial information.

[...]

A KRA official said the computers had crucial data on tax returns and it is likely that the data had no backup.

From jlewis at packetnexus.com Sun Sep 24 05:39:45 2006
From: jlewis at packetnexus.com (Jason Lewis)
Date: Sun, 24 Sep 2006 05:39:45 -0400
Subject: [Dataloss] What is my data worth?
Message-ID: <45165261.6040002@packetnexus.com>

I was reading about various lawsuits against companies/entities that have had data breaches and I got to thinking. Has anyone done any research into how valuable my data is? I would think that would go a long way in estimating losses.

For example, an advertiser is interested in target demographics, how much will they pay for info about me and my spending habit, credit card debt, loans, etc.

How much is the average consumer's data worth? Is it even reasonable to try and figure out that cost when trying to punish entities that lose the information?

jas

From macwheel99 at sigecom.net Sun Sep 24 11:52:25 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sun, 24 Sep 2006 10:52:25 -0500
Subject: [Dataloss] EU may mandate data breach notification (OT)
Message-ID: <6.2.1.2.0.20060924104438.027eac30@mail.sigecom.net>

Like the laws of many US states, there are apparent holes in the protection proposed.
It may only cover breaches at equivalent of ISPs and phone companies.

The EC proposes that all providers of "electronic communications networks or services" be forced to notify customers and regulators of any breaches of security that would result in their personal data being made available to others. The current EU Directive only instructs network providers to notify customers of security risks. It does not cover security breaches.

http://www.theregister.co.uk/2006/09/13/europe_data_breach_law/

From macwheel99 at sigecom.net Sun Sep 24 11:31:45 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sun, 24 Sep 2006 10:31:45 -0500
Subject: [Dataloss] Standard Gov breach notification (OT)
Message-ID: <6.2.1.2.0.20060924102119.027ee2e0@mail.sigecom.net>

Federal agencies have been losing laptop computers, including those with personal data, without public notification and sometimes undetected by the government.

Agencies are now disclosing the information, because House Government Reform Committee chairman Tom Davis (R-Va.) requested summaries of data breaches over the last several years. As a result, the situation requires a strong governmentwide policy on public notification, including strengthening legislation he has introduced, Davis said.

The most flagrant violator among agency responses so far is the Commerce Department, which reported that 1,137 laptops had been lost, stolen or misplaced since 2001. It also is missing 46 flash or "thumb" drives and 16 handheld computers. Of these, 672 of the missing laptops were from the Census Bureau, and 246 of those contained personally identifiable information.

[...]

The Federal Information Security Management Act guides agencies in protecting federal information, operations and assets. In Davis' annual FISMA scorecard, the federal government averages D+. Among FISMA provisions, agencies are required to report data breaches to the U.S. Computer Emergency Readiness Team (US-CERT) within the Homeland Security Department.

[...]

In July, Davis and Rep. Henry Waxman (D-Calif.) asked all cabinet-level agencies, the Office of Personnel Management and the Social Security Administration to report any "loss or compromise of sensitive personal information held by the federal government since Jan. 1, 2003." Agencies were to deliver a summary of each incident by July 24.

To date, 13 agencies have responded, including the Social Security Administration and the Energy and Veterans Affairs departments. The Homeland Security Department has partially responded. Three agencies have not yet responded -- the Treasury, Defense and Health and Human Services departments -- a committee spokesman said.

[...]

http://www.gcn.com/online/vol1_no1/42081-1.html

From lawyer at carpereslegalis.com Sun Sep 24 15:27:43 2006
From: lawyer at carpereslegalis.com (Marjorie Simmons)
Date: Sun, 24 Sep 2006 12:27:43 -0700
Subject: [Dataloss] What is my data worth?
In-Reply-To: <45165261.6040002@packetnexus.com>
Message-ID: <000f01c6e00f$94a3c590$0901a8c0@Lakshmi>

Not only reasonable, but an imperative. Tort lawsuits require the plaintiff show:

Duty ---> Breach ---> Causation ---> Damages

Without damages, there is no suit, and this has been the major stumbling block to almost all suits so far.

###

| -----Original Message-----
| From: dataloss-bounces at attrition.org
| [mailto:dataloss-bounces at attrition.org] On Behalf Of Jason Lewis
| Sent: Sunday, September 24, 2006 2:40 am
| To: dataloss at attrition.org
| Subject: [Dataloss] What is my data worth?
|
| I was reading about various lawsuits against companies/entities that
| have had data breaches and I got to thinking. Has anyone done any
| research into how valuable my data is? I would think that would go a
| long way in estimating losses.
|
| For example, an advertiser is interested in target demographics, how
| much will they pay for info about me and my spending habit, credit card
| debt, loans, etc.
|
| How much is the average consumer's data worth? Is it even reasonable to
| try and figure out that cost when trying to punish entities that lose
| the information?
|
| jas
| _______________________________________________
| Dataloss Mailing List (dataloss at attrition.org)
| http://attrition.org/dataloss
| Tracking more than 146 million compromised records in 366
| incidents over 6 years.

From jericho at attrition.org Mon Sep 25 03:19:52 2006
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 25 Sep 2006 03:19:52 -0400 (EDT)
Subject: [Dataloss] 93,754,333 Examples of Data Nonchalance

http://www.nytimes.com/2006/09/25/technology/25link.html

93,754,333 Examples of Data Nonchalance
By TOM ZELLER Jr.
Published: September 25, 2006

Less than two years into the great cultural awakening to the vulnerability of personal data, companies and institutions of every shape and size like the data broker ChoicePoint, the credit card processor CardSystems Solutions, media companies like Time Warner and dozens of colleges and universities across the land have collectively fumbled 93,754,333 private records.

Or at least that's the rough figure the Privacy Rights Clearinghouse, a consumer advocacy organization in San Diego, has tallied thus far.

[...]

From george at myitaz.com Mon Sep 25 02:22:44 2006
From: george at myitaz.com (George Toft)
Date: Sun, 24 Sep 2006 23:22:44 -0700
Subject: [Dataloss] What is my data worth?
In-Reply-To: <45165261.6040002@packetnexus.com>
References: <45165261.6040002@packetnexus.com>
Message-ID: <451775B4.3010308@myitaz.com>

Numbers I've seen . . .

According to Consumer Reports, the average phishing theft victim suffers an $800 loss. Let us assume that the same metric can be used for "general" ID theft.

In 2002, an ID thief employed at the same company where I was working was busted for selling ID's on the Internet for $50/each. He ripped off a competitor's employee database and was selling it off. Sad thing was the FBI was tracking him for 4 years before they busted him.
I've read of numbers higher and lower than that, but that's about the going wholesale rate for an ID. Retail seems to be about $140, based on a NY Times article.

Liability considerations . . .

I'm not sure this metric could be used to establish damages, but it would weigh heavily in proving negligence. Assume a CPA has 500 clients' information stored on a hard drive. Using the numbers above, that hard drive is worth $25K - $70K (wholesale vs retail). If someone regulated by Federal Regulations (GLBA) failed to take the required actions to protect a $25K device that caused 500 people $800 damage each (total of $400K in damages), I think the plaintiffs have a good case for a suit. Many states are writing a stipulation into their data protection laws where the victim can recover actual costs from ID theft from the company that lost it. IMHO, it would be a clear case of negligence to not spend the few thousand dollars to protect yourself from a 6 figure lawsuit.

Disclaimer: I am not a lawyer.

Personal story . . .

I met with a CPA recently. We discussed his obligations under GLBA to protect his clients' information. His only question was whether or not his insurance company required a risk assessment (which GLBA requires). He had absolutely no intention of complying with GLBA unless his insurance company required it. I then explained the scenario to my insurance company and asked them if they would pay out on a liability lawsuit if I failed to comply with Federal Law. Their answer: maybe.

Final tidbit . . .

I have yet to meet a company regulated by GLBA that was in full compliance. I would even go so far as to say 95% of the companies bound by this regulation have never heard of it, therefore don't know their obligations. (Based on telephone interviews we've conducted in Phoenix, that number is closer to 98%.) The problem is only going to get worse.
George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

Jason Lewis wrote:
> I was reading about various lawsuits against companies/entities that
> have had data breaches and I got to thinking. Has anyone done any
> research into how valuable my data is? I would think that would go a
> long way in estimating losses.
>
> For example, an advertiser is interested in target demographics, how
> much will they pay for info about me and my spending habit, credit card
> debt, loans, etc.
>
> How much is the average consumer's data worth? Is it even reasonable to
> try and figure out that cost when trying to punish entities that lose
> the information?
>
> jas

From macwheel99 at sigecom.net Mon Sep 25 11:01:09 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Mon, 25 Sep 2006 10:01:09 -0500
Subject: [Dataloss] What is my data worth?
In-Reply-To: <45165261.6040002@packetnexus.com>
References: <45165261.6040002@packetnexus.com>
Message-ID: <6.2.1.2.0.20060925095719.043421e0@mail.sigecom.net>

Patrick O'Beirne supplied these going prices for the stolen data. I would not be surprised if some are sting sites operated by law enforcement.

> http://www.thepost.ie/ezineSBP/story.asp?storyid=17505
> One web site which sells fake ID for as little as €42 is
> www.espionage-store.com.
>
> Another website, www.camouflagepassports.net, sells camouflage passports -
> passports for countries no longer in existence - for between €540 and €648.
From lyger at attrition.org Mon Sep 25 13:46:05 2006
From: lyger at attrition.org (lyger)
Date: Mon, 25 Sep 2006 13:46:05 -0400 (EDT)
Subject: [Dataloss] Recovery - University of Colorado Boulder follow-up

http://www.thedenverchannel.com/news/9924211/detail.html

POSTED: 4:21 am MDT September 25, 2006

One of two computers containing Social Security numbers and other personal information on nearly 1,400 students or former students from the University of Colorado's business school has been found, but the other is still missing.

No cases of identity theft have been reported, and no financial or credit card data was on the computers, university spokeswoman Jeannine Malmsbury said on Friday.

Malmsbury said university police were investigating. They don't know if the computer was misplaced or stolen.

[...]

From Dissent at pogowasright.org Mon Sep 25 14:51:11 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 25 Sep 2006 14:51:11 -0400
Subject: [Dataloss] Thousands of GE Employees Could be at Risk of ID Theft
Message-ID: <7.0.0.16.2.20060925145010.0257d880@nowhere.org>

http://www.wten.com/Global/story.asp?S=5452721&nav=6uyN

There is news this morning that thousands of current and former GE employees could be at risk for identity theft. A company employee's laptop computer was recently stolen from his locked hotel room while he was traveling on business. The laptop contained names and social security numbers for about 50-thousand GE employees across the country.

A GE spokesman tells NEWS10 that there is no reason to believe that any data is being used criminally, but he says all employees are being offered a one year subscription to a credit monitoring service.

From lyger at attrition.org Tue Sep 26 13:29:45 2006
From: lyger at attrition.org (lyger)
Date: Tue, 26 Sep 2006 13:29:45 -0400 (EDT)
Subject: [Dataloss] Financial Firms Losing Data

(Since I know Chris wouldn't do this himself...) ;)

http://www.darkreading.com/document.asp?doc_id=104574&f_src=darkreading_section_296

SEPTEMBER 26, 2006

Which would be more likely to suffer data theft, a university or financial institution?

If you've been reading the news lately, you probably said "university." But in New York, it's a different story. Nearly half of the 64 data breach incidents reported in the state between March and May of this year were by financial institutions and insurance companies -- not educational institutions, according to a researcher who's gathering the data. Only three of the 64 incidents were reported by schools, he says.

Interestingly, most of the financial institutions' breaches weren't driven by hackers, says Chris Walsh, an information security architect who is independently researching breach trends using data from New York. "About two thirds of them reported a lost computer, and that's not counting lost tapes."

[...]

From bkdelong at pobox.com Tue Sep 26 13:53:52 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Tue, 26 Sep 2006 10:53:52 -0700
Subject: [Dataloss] Financial Firms Losing Data

Nice job, Chris. I thought that I've seen more re: stolen laptops than digital break-ins.

On 9/26/06, lyger wrote:
>
> (Since I know Chris wouldn't do this himself...) ;)
>
> http://www.darkreading.com/document.asp?doc_id=104574&f_src=darkreading_section_296
>
> SEPTEMBER 26, 2006
>
> Which would be more likely to suffer data theft, a university or financial
> institution?
>
> If you've been reading the news lately, you probably said "university."
> But in New York, it's a different story. Nearly half of the 64 data breach
> incidents reported in the state between March and May of this year were by
> financial institutions and insurance companies -- not educational
> institutions, according to a researcher who's gathering the data. Only
> three of the 64 incidents were reported by schools, he says.
>
> Interestingly, most of the financial institutions' breaches weren't driven
> by hackers, says Chris Walsh, an information security architect who is
> independently researching breach trends using data from New York. "About
> two thirds of them reported a lost computer, and that's not counting lost
> tapes."
>
> [...]

From ziplock at pogowasright.org Tue Sep 26 14:36:31 2006
From: ziplock at pogowasright.org (ziplock)
Date: Tue, 26 Sep 2006 14:36:31 -0400 (EDT)
Subject: [Dataloss] GE Laptop With 50,000 Employee Names, Data Stolen From Hotel
Message-ID: <4780.66.90.118.12.1159295791.squirrel@www.pogowasright.org>

http://www.bloomberg.com/apps/news?pid=20601103&sid=abYZEjwImupI&refer=us

Sept. 26 (Bloomberg) -- General Electric Co. said an employee's laptop computer containing the names and Social Security numbers of 50,000 current and former GE workers was stolen from a locked hotel room earlier this month.

``We believe this was a random criminal act,'' GE said in a Sept. 22 letter sent to the affected employees that was obtained by Bloomberg News. There's no indication the data on the laptop and its external hard drive were accessed, company spokesman Russell Wilkerson said today.

GE, which is working with law enforcement officials, isn't disclosing the location or day of the theft because the incident is still under investigation, Wilkerson said.

General Electric immediately began notifying the employees whose names were on the laptop and offered them one free year of the company's identity-theft and credit-protection monitoring service, Wilkerson said.
From blitz at strikenet.kicks-ass.net Tue Sep 26 14:46:27 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Tue, 26 Sep 2006 14:46:27 -0400
Subject: [Dataloss] New Laws Further Protect New York Consumers from Becoming Victims of Identity Theft
Message-ID: <7.0.1.0.2.20060926144448.05c19cc8@macronet.net>

http://www.state.ny.us/governor/press/06/0926061.html

FOR IMMEDIATE RELEASE: September 26, 2006

GOVERNOR SIGNS NEW LAWS TO PROTECT NEW YORKERS AGAINST IDENTITY THEFT

----------

New Laws Further Protect New York Consumers from Becoming Victims of Identity Theft

Governor George E. Pataki announced today that he signed three measures into law that will further protect New York's consumers and their privacy. These bills establish the Consumer Communication Records Privacy Act, place limits on the use and disclosure of Social Security account numbers, and further clarify and define what is considered a computer crime.

"These important new laws are yet another step towards ensuring that New York consumers do not fall victim to identity theft," Governor Pataki said. "As criminals continue to come up with new schemes to steal consumers' personal information, we must enact stronger laws that ensure the safety and privacy of our consumers and protect them from identity theft. These three laws address the needs of our consumers and their families, while continuing to demonstrate that New York remains a leader in the fight against identity theft."

Senate Majority Leader Joseph L. Bruno said, "The Senate has always made it a priority to protect consumers from identity theft and do everything we can to strengthen and update our laws to protect people's personal information from theft and abuse. With these three new laws, sponsored by Senators Charles Fuschillo, Tom Morahan and Jim Wright, we are strengthening and updating our laws to further protect consumers."

Assembly Speaker Sheldon Silver said, "Identity theft is a growing problem with severe consequences. Victims face significant financial losses and complicated credit problems that could take years to correct. These measures continue our on-going efforts to protect consumers and increase penalties for offenders."

Teresa A. Santiago, Chairperson and Executive Director of the New York State Consumer Protection Board, said, "These new laws will give New Yorkers -- and New York law enforcement agencies -- an enormous amount of help in fighting Identity Theft, as well as malicious attacks on home computers. We encourage all New Yorkers to take advantage of these new laws by filing complaints and letting the authorities know when there are violations of these laws."

Consumer Communication Records Privacy Act

The Consumer Communication Records Privacy Act, sponsored by Senator Charles Fuschillo and Assemblyman Jeffrey Dinowitz (S.6723/A.12033), protects consumers by prohibiting the sale, fraudulent transfer, or solicitation of a consumer's telephone records without consent from the consumer. This information is confidential and protected by both telephone companies and telephone consumers, and unauthorized release of telephone records harms consumers by taking away their sense of privacy, safety and security.

Senator Charles J. Fuschillo, Jr., Chairman of the Senate's Consumer Protection Committee, said, "The fact that someone could so easily invade the privacy of another by obtaining their phone records was so offensive that we needed to act. This new law will prevent the distribution of one's calls without their consent."

Assemblyman Jeffrey Dinowitz said, "Until the signing of this bill, one's cell phone logs could be sold by unscrupulous individuals. This bill would close that loophole in the law and provide important protections for cell phone users in New York."
Protecting Social Security Numbers

To guard against the potential misuse of Social Security account numbers (SSN), Senator Thomas Morahan and Assemblywoman Audrey Pheffer sponsored a bill (S.6909C/A.10076D) that will enact a new law placing limits on the use and dissemination of this information. Specifically, the new law:

* prohibits the intentional communication of an individual's SSN to the general public;
* restricts businesses' ability to print an individual's SSN on mailings or on any card or tag required to access products, services, or benefits;
* prohibits businesses from requiring an individual to transmit his or her encrypted SSN over the Internet; and
* requires businesses that possess SSNs to implement appropriate safeguards and limit unnecessary employee access to SSNs.

Senator Thomas Morahan said, "An individual's Social Security number is the key to enormous access to their personal and financial information and this new law will put in place new limits and protections to ensure that number does not fall into the wrong hands."

Assemblywoman Audrey Pheffer said, "The Assembly, and in particular the Consumer Protections Committee, has made enacting meaningful identity theft measures a top consumer priority. As part of our ongoing efforts, the committee last year held hearings on regulating the use of Social Security numbers by private businesses and state agencies. This review was instrumental in crafting this new law in order to protect residents from unauthorized use of personal information and identity theft."

Strengthened Laws for Computer Crimes

As consumers become more heavily reliant on computers to accomplish everyday tasks such as paying bills and online shopping, it is important to ensure that laws are in place to protect these consumers from computer-based fraud.
A new measure, sponsored by Assemblyman Richard Brodsky and Senator James Wright (A.891F/S.5005F), keeps up with continually evolving computer technology by further defining and clarifying New York State's Penal Law as it pertains to the unauthorized use of computers. This measure strengthens existing law to allow for the prosecution of those who intentionally disrupt, steal personal information, and plant malicious programs on consumers' computers without authorization.

Senator James Wright said, "Computer technology is constantly evolving, making everyday tasks more convenient, but the changes in technology also place us at risk for identity theft and fraud. This law makes it easier to prosecute those who intentionally commit these crimes and to protect consumers."

Assemblyman Richard Brodsky said, "This law -- the first anti-spyware law in New York -- is a way to prosecute those who dump thousands of malicious spyware, adware and other viruses onto people's computers. Thieves no longer have to break into one's home to steal vital information; they can do it remotely with the same devastating results. We have an obligation to do everything we can to stop thieves from invading people's computers and prosecuting those who do."

Existing Identity Theft Protection

These new identity theft laws build upon existing laws that are designed to safeguard consumers from identity theft schemes. Earlier this year, the Governor signed into law a comprehensive set of measures allowing consumers to proactively defend themselves against identity thieves, require businesses to properly discard documents and records containing personal information, and prohibit individuals from deceptively soliciting sensitive information from Internet users.
The Security Freeze Law allows consumers, who are either identity theft victims or are concerned that they might be at risk of having their identities stolen, to cut off an identity thief's access to credit, loans, leases, goods and services by placing a "freeze" on their consumer credit report.

The Disposal of Personal Records Law requires any business to properly dispose of records containing personal information through one of the following means: shredding, destruction, modification, or other reasonable action to ensure that no unauthorized person will have access to the personal information. This law will ensure that disposed records containing personal information are not a source that thieves rely upon to commit identity theft.

The Anti-Phishing Act of 2006 prohibits the deceptive solicitation of personal information through electronic communications. Phishing is the act of sending an e-mail to an Internet user, falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer lures the potential victim out of a sea of internet users for passwords and financial data. "Phishing" accounts for nearly 25% of all Internet fraud.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From lyger at attrition.org Tue Sep 26 17:52:31 2006
From: lyger at attrition.org (lyger)
Date: Tue, 26 Sep 2006 17:52:31 -0400 (EDT)
Subject: [Dataloss] DLDOS typo - Medica total (06/05)

Thanks to Dennis Opacki, an error in the total for the Medica breach in the Data Loss Database (Open Source) has been found.
The total for Medica (DL-0089) inadvertently included an extra zero, pushing the reported total from 1.2 million to 12 million. DLDOS has been updated and the revised total affected now stands at just over 136 million instead of the original (erroneous) total of over 146 million.

Apologies for any inconveniences,

Lyger

From Dissent at pogowasright.org Tue Sep 26 19:24:51 2006
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 26 Sep 2006 19:24:51 -0400
Subject: [Dataloss] Oregon: Attorney General settles with Providence over data breach
Message-ID: <7.0.0.16.2.20060926192138.024579f8@nowhere.org>

http://www.kgw.com/business/stories/kg_w092606_health_providence_settlement.1cafd2ec.html

Providence Health System and state Attorney General Hardy Myers filed a settlement agreement Tuesday over a data breach at the health system.

In December 2005, backup tapes and computer disks with personal information on 365,000 patients were stolen from a Providence employee's car. The data was not encrypted. The attorney general's office said it had no confirmed reports of identity theft associated with the case.

As part of the settlement, Providence will continue to provide free credit monitoring services for patients who may have been affected. It will also provide credit restoration to any patients who become a victim of identity theft. The company must increase its security programs and also pay patients for any direct financial losses related to the breach.

The settlement brings the nine-month investigation to an end. Myers' office said the case is the largest data breach ever reported in Oregon.
From Dissent at pogowasright.org Wed Sep 27 09:01:48 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 27 Sep 2006 09:01:48 -0400
Subject: [Dataloss] Watchdog barks over laptop theft
Message-ID: <7.0.0.16.2.20060927085813.0255aae0@nowhere.org>

http://www.edmontonsun.com/News/Alberta/2006/09/27/1905123-sun.html

Alberta's privacy watchdog rapped the knuckles of a financial services company yesterday after a laptop computer was stolen containing the personal information of 8,000 Alberta physicians.

An employee of MD Management Ltd., a subsidiary of the Canadian Medical Association, found the computer stolen from his Jeep on June 19. The Office of the Information and Privacy Commissioner was told of the theft June 30.

[...]

Adhopia said there was no evidence to suggest any of the data was misused. It included physicians' names, ages, specialties, home addresses and their total financial assets with MD Management.

[...]

From Dissent at pogowasright.org Wed Sep 27 11:55:53 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 27 Sep 2006 11:55:53 -0400
Subject: [Dataloss] Surging Losses, but Few Victims in Data Breaches
Message-ID: <7.0.0.16.2.20060927115307.02563e00@nowhere.org>

http://www.nytimes.com/2006/09/27/technology/circuits/27lost.htm (reg. req.)

[...]

Regardless of the data breach, a rise in financial fraud has not surfaced. Visa and MasterCard report that about 2 percent of the card accounts lost or stolen in the last 18 months have been used to make fraudulent purchases. That is within the range of the 1.5 percent and 4 percent of consumers who reported being victims of financial fraud or identity theft, surveys say.

Card companies say that fraud losses in 2005 over all were about 6 cents per $100 for merchandise bought on credit, a low level that has varied little in the last few years. (Numbers were much higher years ago; for example, in 1992, losses accounted for nearly 16 cents per $100 for merchandise bought on credit.)

"The amount of fraud from these data breaches is remarkably small," said Chris Thom, the chief risk officer for MasterCard.

[...]

From blitz at strikenet.kicks-ass.net Wed Sep 27 15:57:50 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Wed, 27 Sep 2006 15:57:50 -0400
Subject: [Dataloss] Surging Losses, but Few Victims in Data Breaches
In-Reply-To: <7.0.0.16.2.20060927115307.02563e00@nowhere.org>
References: <7.0.0.16.2.20060927115307.02563e00@nowhere.org>
Message-ID: <7.0.1.0.2.20060927155551.05d80cc0@strikenet.kicks-ass.net>

IF you believe them... making this number look small is a way to keep faith in their payment systems up. Creative accounting isn't new, and especially when they're the beneficiary of it. With card companies charging rates that border on usury, they can hide a LOT!

At 11:55 9/27/2006, you wrote:
> http://www.nytimes.com/2006/09/27/technology/circuits/27lost.htm (reg. req.)
>
> [...]
>
> Regardless of the data breach, a rise in financial fraud has not
> surfaced. Visa and MasterCard report that about 2 percent of the card
> accounts lost or stolen in the last 18 months have been used to make
> fraudulent purchases. That is within the range of the 1.5 percent and
> 4 percent of consumers who reported being victims of financial fraud
> or identity theft, surveys say.
>
> Card companies say that fraud losses in 2005 over all were about 6
> cents per $100 for merchandise bought on credit, a low level that has
> varied little in the last few years. (Numbers were much higher years
> ago; for example, in 1992, losses accounted for nearly 16 cents per
> $100 for merchandise bought on credit.)
>
> "The amount of fraud from these data breaches is remarkably small,"
> said Chris Thom, the chief risk officer for MasterCard.
>
> [...]
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 136 million compromised records in 375 incidents
> over 6 years.
> > > >-- >This message has been scanned for viruses and >dangerous content by MailScanner, and is >believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20060927/26ea6a3e/attachment.html From lyger at attrition.org Wed Sep 27 18:48:53 2006 From: lyger at attrition.org (lyger) Date: Wed, 27 Sep 2006 18:48:53 -0400 (EDT) Subject: [Dataloss] Article: The Cold, Hard Costs of Data Exposure Message-ID: (since the question of "how much is my data worth" was asked earlier this week, here's more for the discussion) Courtesy Dissent from pogowasright.org http://www.esj.com/News/article.aspx?EditorialsID=2169 Again and again the stories surface; only the names seem to change. Company X reports a data breach after a laptop is stolen or a server is hacked, exposing Y numbers of customers to potential identity theft. The common response to these incidents includes notifying the affected customers (as required by various state laws) and (usually) offering a year.s free credit monitoring service. What's untold is how much the episode is costing Company X, over and above the humiliation outlay. "Our estimate is that the cost ranges from $25 to $150 per impacted record," said Jon Oltsik, analyst at the Enterprise Strategy Group. More visible, national companies tend to spend more, he noted, as they have to notify people nationwide and stand more risk of losing their customers as a result of the incident. Local firms with minimal competition, such as a community hospital, can mount a less elaborate response, he said. [...] 
From george at myitaz.com Wed Sep 27 19:23:23 2006
From: george at myitaz.com (George Toft)
Date: Wed, 27 Sep 2006 16:23:23 -0700
Subject: [Dataloss] Article: The Cold, Hard Costs of Data Exposure
In-Reply-To:
References:
Message-ID: <451B07EB.7020107@myitaz.com>

PGP Study says the direct, indirect, and opportunity cost is $140 for each record lost. They also say 20% of the customers leave, and an additional 40% are looking for a new provider.

Reference: PGP Research Report - Summary
Lost Customer Information: What Does a Data Breach Cost Companies?
http://www.securitymanagement.com/library/Ponemon_DataStudy0106.pdf

Cheers!

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

lyger wrote:
> (since the question of "how much is my data worth" was asked earlier this
> week, here's more for the discussion)
>
> Courtesy Dissent from pogowasright.org
>
> http://www.esj.com/News/article.aspx?EditorialsID=2169
>
> Again and again the stories surface; only the names seem to change.
> Company X reports a data breach after a laptop is stolen or a server is
> hacked, exposing Y numbers of customers to potential identity theft. The
> common response to these incidents includes notifying the affected
> customers (as required by various state laws) and (usually) offering a
> year's free credit monitoring service.
>
> What's untold is how much the episode is costing Company X, over and above
> the humiliation outlay. "Our estimate is that the cost ranges from $25 to
> $150 per impacted record," said Jon Oltsik, analyst at the Enterprise
> Strategy Group. More visible, national companies tend to spend more, he
> noted, as they have to notify people nationwide and stand more risk of
> losing their customers as a result of the incident. Local firms with
> minimal competition, such as a community hospital, can mount a less
> elaborate response, he said.
>
> [...]
From jericho at attrition.org Wed Sep 27 19:37:07 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 27 Sep 2006 19:37:07 -0400 (EDT)
Subject: [Dataloss] Article: The Cold, Hard Costs of Data Exposure
In-Reply-To: <451B07EB.7020107@myitaz.com>
References: <451B07EB.7020107@myitaz.com>
Message-ID:

: PGP Study says the direct, indirect, and opportunity cost is $140 for
: each record lost. They also say 20% of the customers leave, and an
: additional 40% are looking for a new provider.

I have a hard time believing that 20% of customers leave as a result of dataloss. At least in the U.S., people are lazy. They will fall into that 40% that are 'looking' for a new provider, but the amount that actually go through the hassle of switching? I have a feeling it is a lot less.

I haven't read either of these studies but another thing that comes to mind is what about the situations where they can't leave? Veteran's Affairs or other agencies/companies that have the information based on your past, you can't just "drop them".

And finally, after you leave, the company still holds onto old customer records for years.

From cwalsh at cwalsh.org Wed Sep 27 19:41:27 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 27 Sep 2006 18:41:27 -0500
Subject: [Dataloss] Article: The Cold, Hard Costs of Data Exposure
In-Reply-To:
References: <451B07EB.7020107@myitaz.com>
Message-ID: <20060927234116.GA4387@cwalsh.org>

It cannot be true that 20% leave. If they did, revenue would be off by 20%. If that happened, stock prices would reflect it IMMEDIATELY.

Therefore, either by a happy coincidence only the lousy, unprofitable customers leave, or the number is not correct.

Chris

From kenton_hoover at symantec.com Wed Sep 27 19:58:28 2006
From: kenton_hoover at symantec.com (Kenton Hoover)
Date: Wed, 27 Sep 2006 16:58:28 -0700
Subject: [Dataloss] Article: The Cold, Hard Costs of Data Exposure
In-Reply-To: <20060927234116.GA4387@cwalsh.org>
Message-ID:

A survey taken in 2005 says the number is 5.7%, not 20%.

--
Kenton A. Hoover
Solutions Engineering
Symantec Corporation
+1.415.850.5924
kenton_hoover at symantec.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Chris Walsh
Sent: Wednesday, 27 September, 2006 16:41
To: security curmudgeon
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Article: The Cold, Hard Costs of Data Exposure

It cannot be true that 20% leave. If they did, revenue would be off by 20%. If that happened, stock prices would reflect it IMMEDIATELY.

Therefore, either by a happy coincidence only the lousy, unprofitable customers leave, or the number is not correct.

Chris

From tom at trustoncorp.com Wed Sep 27 19:59:38 2006
From: tom at trustoncorp.com (Tom Fragala)
Date: Wed, 27 Sep 2006 19:59:38 -0400
Subject: [Dataloss] Article: The Cold, Hard Costs of Data Exposure
In-Reply-To: <20060927234116.GA4387@cwalsh.org>
Message-ID:

20% of customers leaving doesn't equal 20% revenue decline. Unless you make the delusive assumption that all customers buy the same number of products/services at the same price. And it also assumes that all the customers leave at about the same time. Any high volume industry suffers from churn and many of those that leave might have left anyway. The bottom line is it's too broad an assumption overall.
> -----Original Message-----
> From: dataloss-bounces at attrition.org [mailto:dataloss-
> bounces at attrition.org] On Behalf Of Chris Walsh
> Sent: Wednesday, September 27, 2006 4:41 PM
> To: security curmudgeon
> Cc: dataloss at attrition.org
> Subject: Re: [Dataloss] Article: The Cold, Hard Costs of Data Exposure
>
> It cannot be true that 20% leave. If they did, revenue would be off by
> 20%. If that happened, stock prices would reflect it IMMEDIATELY.
>
> Therefore, either by a happy coincidence only the lousy, unprofitable
> customers leave, or the number is not correct.
>
> Chris

From Dissent at pogowasright.org Thu Sep 28 08:06:36 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 28 Sep 2006 08:06:36 -0400
Subject: [Dataloss] North Carolina: Computer, data stolen from DMV
Message-ID: <7.0.0.16.2.20060928080523.025fba78@nowhere.org>

http://www.newsobserver.com/102/story/491642.html

The state Division of Motor Vehicles is notifying 16,000 motorists that someone broke into the agency's driver's license office in Louisburg and took a computer containing their personal information.

The computer was used to store information for driver's licenses issued over the past 18 months, between March 2005 and Sept. 10, according to the DMV. The information includes names, addresses, dates of birth, driver's license numbers, Social Security numbers and, in some cases, immigration visa information, DMV officials said.

[...]
From Dissent at pogowasright.org Thu Sep 28 09:23:52 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 28 Sep 2006 09:23:52 -0400
Subject: [Dataloss] Workplace files tempt ID thieves
Message-ID: <7.0.0.16.2.20060928092029.024fa828@nowhere.org>

Sent on by lyger:

http://www.heraldnet.com/stories/06/09/28/100loc_a1files001.cfm

A trip to the Stevens Hospital emergency room left dozens of people with unexpected financial headaches.

That's because a manager for a billing company hired on a contract basis by doctors at the Edmonds hospital stole patients' credit card numbers. She gave the information to her brother, who investigators believe then went on a spending spree, buying thousands of dollars worth of clothes and gift cards over the Internet.

Federal officials said this case is one of a growing number of identity thefts involving insiders who steal and sell personal information they get on the job.

[...]

From Dissent at pogowasright.org Thu Sep 28 09:41:16 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 28 Sep 2006 09:41:16 -0400
Subject: [Dataloss] ID Thieves Turn Sights on Smaller E-Businesses
Message-ID: <7.0.0.16.2.20060928093802.02601310@nowhere.org>

http://www.washingtonpost.com/wp-dyn/content/article/2006/09/28/AR2006092800333_pf.html

[...]

While public attention has remained fixed on a series of high-profile data losses or database breaches at federal government agencies, large corporations and universities, experts who study financial fraud say hackers increasingly are targeting small, commercial Web sites. In some cases, criminals are able to gain real-time access to the sites' transaction information, allowing them to steal valid credit card numbers and quickly charge large numbers of fraudulent purchases.

Small e-businesses offer fewer total victims, but they often present a softer target, either due to flaws in the software merchants use to process online orders or an over-reliance on outsourced Web site security.
Cole's and Galloway's information was recorded being traded in an online chat room by Dan Clements, co-founder of CardCops.com, a fraud prevention service that monitors underground chat rooms where criminals trade in stolen credit cards and information used to commit identity theft. Clements said many smaller online merchants use generic shopping cart software that they fail to maintain with the latest software security patches.

[...]

Related blog by Brian Krebs:
http://blog.washingtonpost.com/securityfix/2006/09/shopadmins_and_the_id_theft_cy.html

From ziplock at pogowasright.org Thu Sep 28 10:22:05 2006
From: ziplock at pogowasright.org (ziplock)
Date: Thu, 28 Sep 2006 10:22:05 -0400 (EDT)
Subject: [Dataloss] Six charged in breakup of AOL identity theft ring
Message-ID: <1798.66.90.118.12.1159453325.squirrel@www.pogowasright.org>

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003691&source=rss_news50

Six men have been charged with orchestrating a phishing scheme that targeted AOL users, the Department of Justice said Wednesday.

The men are accused of harvesting thousands of AOL e-mail addresses and then infecting victims' PCs with malicious software that would prevent them from logging on to AOL without entering their credit card numbers, bank account numbers and other personal information.

Under the scam, victims would receive fake e-mail greeting cards that would silently infect their computers with the log-on software, according to a grand jury indictment. Victims were also spammed with phony e-mail messages that claimed to have come from AOL's billing department.

[...]

From Dissent at pogowasright.org Thu Sep 28 12:12:58 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 28 Sep 2006 12:12:58 -0400
Subject: [Dataloss] 13-Year Sentence In Website I.D. Theft Case
Message-ID: <7.0.0.16.2.20060928121125.02604d60@nowhere.org>

http://www.wcpo.com/news/2006/local/09/28/id_theft.html

An identity theft suspect has been sentenced to 13 years behind bars for crimes that led to a change in a Hamilton County agency's website.

Traci Southerland, of Cincinnati, stole 100 identities and nearly $500,000. She and seven other people used personal information they got from the Hamilton County Clerk of Courts' website to access credit cards and make counterfeit checks.

Because of the crimes, the website has now blocked access to court documents containing personal information.

From Dissent at pogowasright.org Thu Sep 28 17:56:11 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 28 Sep 2006 17:56:11 -0400
Subject: [Dataloss] Corrections, IDOT latest to suffer losses of personal information
Message-ID: <7.0.0.16.2.20060928175243.02552240@nowhere.org>

http://www.belleville.com/mld/belleville/news/state/15631910.htm

SPRINGFIELD, Ill. - More than a year after state agencies were caught throwing sensitive documents into the trash, two Illinois agencies admit they recently mishandled personal information about their employees.

The Corrections Department said its information breach involved "virtually all" of its 13,500 employees but would provide no details. The Department of Transportation said its problem involved only about 40 workers and the documents never left the building.

[...]

In a letter dated Sept. 12, Corrections Director Roger Walker told Senate President Emil Jones and House Speaker Michael Madigan that a payroll report supplied by the Department of Human Services containing the names, salaries, and Social Security numbers of most department employees "was found at an outside location, where it should not have been."

[...]
At the Transportation Department, state auditors found documents in hallway recycling bins that included the names of about 40 people and their Social Security numbers, spokesman Matt Vanover said.

"The documents never left the building and were not accessed" by outsiders, Vanover said. No state audit has yet been released that addresses the incident. The agency knows who's responsible for the disposal but feels no disciplinary action is necessary, he added.

Documents obtained by The Associated Press show that after that disposal, IDOT lawyer Ellen Schanzle-Haskins sent a memo alerting the affected employees.

[...]

From lyger at attrition.org Fri Sep 29 14:07:10 2006
From: lyger at attrition.org (lyger)
Date: Fri, 29 Sep 2006 14:07:10 -0400 (EDT)
Subject: [Dataloss] Iowa: UI warns research subjects of possible security breach
Message-ID:

http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060929/NEWS01/60929003/1079

From University News Services:

The University of Iowa is contacting subjects in research studies following attacks on a computer in which personal information about those subjects was stored.

The computer, used by UI psychology professor Michael O'Hara and UI psychiatry professor Scott Stuart, contained the Social Security numbers of some 14,500 subjects who were participants in research studies on maternal and child health from 1995 until the present.

"All persons whose information may have possibly been exposed are being notified and advised on what actions they may take to protect their confidential information," said O'Hara.

[...]

From lyger at attrition.org Fri Sep 29 20:33:54 2006
From: lyger at attrition.org (lyger)
Date: Fri, 29 Sep 2006 20:33:54 -0400 (EDT)
Subject: [Dataloss] Kentucky - State sends out letters with Social Security numbers visible
Message-ID:

Courtesy PogoWasRight.org:

http://www.kentucky.com/mld/kentucky/news/state/15641024.htm

ROGER ALFORD
Associated Press

FRANKFORT, Ky. - Letters sent to 146,000 government employees in Kentucky inadvertently displayed each of their Social Security numbers on the front, prompting Attorney General Greg Stumbo to issue a warning about possible identity theft.

"The Social Security number is the key that unlocks many doors for identity thieves," Stumbo said in a statement. "With that information, an identity thief has access to a host of information about consumers."

The Kentucky Personnel Cabinet sent the letters to employees in state agencies, community and technical colleges, school districts, health departments and other offices covered by the state's insurance program. The letters provided routine information about enrollment in the coverage plan for next year.

The Social Security numbers were included as the first nine digits in 14-digit codes that were clearly visible in the address window of each of the envelopes.

[...]

From lyger at attrition.org Sat Sep 30 11:54:51 2006
From: lyger at attrition.org (lyger)
Date: Sat, 30 Sep 2006 11:54:51 -0400 (EDT)
Subject: [Dataloss] DLDOS: grand massive updates
Message-ID:

With the help of Dissent from PogoWasRight.org, the Data Loss Database (Open Source) (aka DLDOS) has now been updated to 390 events. We're currently in the process of trying to backfill events recorded in the years 2005 and 2006.

For those interested in downloading the updated database, it can be found here:

http://attrition.org/dataloss/dataloss.csv

Note to mention: It may change by the minute, so please check back frequently. :)

Lyger