From lyger at attrition.org Tue Aug 1 11:17:11 2006
From: lyger at attrition.org (lyger)
Date: Tue, 1 Aug 2006 11:17:11 -0400 (EDT)
Subject: [Dataloss] Poly heist risks identity thefts
Message-ID:

http://www.sanluisobispo.com/mld/sanluisobispo/news/15169992.htm

Posted on Tue, Aug. 01, 2006
By Sally Connell

Cal Poly has notified 3,020 current and former students that their names and Social Security numbers were on a laptop computer stolen earlier this month from a physics professor's San Luis Obispo home.

Cal Poly used names and Social Security numbers on class lists before 2004, according to Vicki Stover, campus information security officer.

The informational letter, which Cal Poly is required under state law to distribute to those affected, went to students who took the physics and astronomy lectures taught by physics professor John Mottman from 1994 to 2004.

Cal Poly is trying to change its practice of using Social Security numbers as the main identifier for students, something that was once common in the halls of higher education.

[...]

From lyger at attrition.org Tue Aug 1 17:54:26 2006
From: lyger at attrition.org (lyger)
Date: Tue, 1 Aug 2006 17:54:26 -0400 (EDT)
Subject: [Dataloss] Kentucky - U.S. Bank offers help after data theft
Message-ID:

(I'd like to see the definition of "a very small number"...)

http://news.cincypost.com/apps/pbcs.dll/article?AID=/20060801/NEWS02/608010363

Publication date: 08-01-2006

U.S. Bank has offered free credit monitoring to customers whose personal information was stolen recently from the car of a bank employee.

Bank spokesman Steve Dale said the names, phone numbers and Social Security numbers of a "very small" number of customers were in the briefcase that was stolen in Covington from the employee's car. He would not divulge the number of customers, the exact location of the theft or the date of the theft. No account information was in the briefcase, he said.
Dale said the bank on Friday started the process of notifying the customers involved, apologizing and offering them remedies to help safeguard their identities from theft.

[...]

From lyger at attrition.org Wed Aug 2 16:44:08 2006
From: lyger at attrition.org (lyger)
Date: Wed, 2 Aug 2006 16:44:08 -0400 (EDT)
Subject: [Dataloss] West Virginia - Agency says laptop with client info stolen
Message-ID:

http://www.dailymail.com/news/News/2006080217/

By The Associated Press
Wednesday August 02, 2006

BECKLEY -- The West Virginia Division of Rehabilitation Services is warning clients that one of its laptop computers containing their personal information has been stolen.

The information includes clients' names, addresses, Social Security numbers and telephone numbers.

The computer has been missing since July 24, said Tracy Carr, a spokeswoman for the agency in Kanawha County. The agency sent clients a letter on July 26 informing them of the theft.

[...]

From lyger at attrition.org Wed Aug 2 16:58:57 2006
From: lyger at attrition.org (lyger)
Date: Wed, 2 Aug 2006 16:58:57 -0400 (EDT)
Subject: [Dataloss] Mississippi - Belhaven College data stolen
Message-ID:

http://www.clarionledger.com/apps/pbcs.dll/article?AID=/20060802/NEWS/608020375

By Jimmie E. Gates and Marti Covington
August 2, 2006

A laptop computer stolen last month from a Belhaven College employee contained names and Social Security numbers of college employees, leaving them vulnerable to identity theft.

Belhaven College President Roger Parrott confirmed Tuesday the stolen computer contained some personal information on employees. But Parrott said he didn't know how many of the private school's roughly 300 employees' personal information was compromised by the theft.

Parrott notified faculty and staff of the situation in a memo July 25.

"The computer of the auditor did have several sophisticated levels of security on it, so we are hopeful the thief won't be able to open it and will just toss it out," Parrott said in the memo obtained by The Clarion-Ledger. "However, we all need to be aware of anything that looks suspicious in your credit rating, and to be extra cautious of someone calling and claiming to have your Social Security number and trying to get more information from you."

[...]

From macwheel99 at sigecom.net Wed Aug 2 16:41:57 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Wed, 02 Aug 2006 15:41:57 -0500
Subject: [Dataloss] U of Wisconsin Madison Credit Union customers victimized
Message-ID: <6.2.1.2.0.20060802144744.02f3e040@mail.sigecom.net>

Here is a post from a family member of a victim to another discussion list, with clarification of what might be going on.

Initially the victim wondered if the bank had suffered a data loss, and just not yet reported it. I am not yet seeing anything in the news to substantiate this theory.

Someone appeared to have used an ATM in California to transfer her money July 24, then withdraw it, cleaning out the account, at about the same time that she was in Illinois, making legitimate purchases.

Customer Service http://www.uwcu.org/ has been unable to explain what is going on, or why they closed the account.

I have not yet seen if the bank returned to her the ATM card that got stuck in the machine, or acknowledges that they have it ... that would explain whether it was confiscated by a bank, or was taken by an ATM scammer. I think that if banks were to make an entry in people's accounts when they confiscated cards, that might make it easier for people to figure out the difference.

http://groups.yahoo.com/group/VeeWire/message/5617
http://groups.yahoo.com/group/VeeWire/message/5618

She is not the only victim of crimes involving this same institution. Someone is making suspicious phone calls impersonating a representative of the Credit Union.
http://morningsentinel.mainetoday.com/news/local/2986774.shtml

The US Gov has regulations for banks verifying the identity of on-line users, which some banks have trouble complying with. The Credit Union claims they have good security there.

http://www.computerworld.com.au/index.php/id;1445341393;fp;4;fpid;1398720840
https://secure.uwcu.org/onlinesecurity/SafeGuards.asp

Perhaps she is a victim of an ATM scam. However, it does not sound like the fraudulent activity occurred in the same place as the ATM card got swiped. I have stated before that I only use ATM machines that are associated with banks, not any that may be fakes. This is also a good reason to have a reasonable limit on how much can be taken out of an account in any given day.

http://www.cbsnews.com/stories/2003/02/21/eveningnews/main541555.shtml
http://www.utexas.edu/police/alerts/atm_scam/
http://www.snopes.com/inboxer/scams/atmtheft.htm
http://www.snopes.com/crime/warnings/atmcamera.asp

UW campus is in the process of changing to ATMs from a different bank.

http://www.uwmpost.com/article/c58b6a040cb18c88010cc7b1098b000b

From lyger at attrition.org Fri Aug 4 03:11:18 2006
From: lyger at attrition.org (lyger)
Date: Fri, 4 Aug 2006 03:11:18 -0400 (EDT)
Subject: [Dataloss] California - Many Dollar Tree Customers Suspect Financial Fraud
Message-ID:

SACRAMENTO, Calif. -- Hundreds of customers at Dollar Tree discount stores have reported money stolen from their bank accounts due to unauthorized ATM withdrawals.

The Secret Service is leading a major investigation into the allegations, which arose from stores in Carmichael, Modesto and elsewhere.

The Secret Service offered few details about the case, but one spokesman said "it's big."

A Dollar Tree spokesman also would not comment, but stated, "We are cooperating with local authorities in this situation."
A Dollar Tree store on Manzanita Avenue in Carmichael is believed to be one location in the West where a suspected fraud operation has resulted in customer financial data being stolen and used for theft.

[...]

From lyger at attrition.org Fri Aug 4 18:31:40 2006
From: lyger at attrition.org (lyger)
Date: Fri, 4 Aug 2006 18:31:40 -0400 (EDT)
Subject: [Dataloss] California - Many Dollar Tree Customers Suspect Financial Fraud
Message-ID:

As one subscriber pointed out, I forgot the link to the story below. Sorry..

http://www.kcra.com/news/9606826/detail.html

---------- Forwarded message ----------
From: lyger
To: dataloss at attrition.org
Date: Fri, 4 Aug 2006 03:11:18 -0400 (EDT)
Subject: [Dataloss] California - Many Dollar Tree Customers Suspect Financial Fraud

SACRAMENTO, Calif. -- Hundreds of customers at Dollar Tree discount stores have reported money stolen from their bank accounts due to unauthorized ATM withdrawals.

The Secret Service is leading a major investigation into the allegations, which arose from stores in Carmichael, Modesto and elsewhere.

The Secret Service offered few details about the case, but one spokesman said "it's big."

A Dollar Tree spokesman also would not comment, but stated, "We are cooperating with local authorities in this situation."

A Dollar Tree store on Manzanita Avenue in Carmichael is believed to be one location in the West where a suspected fraud operation has resulted in customer financial data being stolen and used for theft.

[...]

From cwalsh at cwalsh.org Fri Aug 4 19:10:39 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 4 Aug 2006 18:10:39 -0500
Subject: [Dataloss] Hospital laptop walks away during disaster drill, patient data back to 2000 does, too
Message-ID: <16483933-EA6C-4136-A359-1B08DEDD0F06@cwalsh.org>

[Production data during testing? Auditors LOVE that one. HIPAA, you say?]
From http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/20060802/BUSINESS/60802004

Stolen hospital laptop had patient data dating back to 2000
By Irwin M. Goldberg

A computer containing personal identification information of 257,800 Vassar Brothers Medical Center patients was stolen in June, hospital officials said.

The laptop computer was taken from the emergency department sometime between June 23 and June 26. It contained information on hospital patients dating back to 2000, but only had personally identifying information such as Social Security numbers and dates of birth for 257,800, officials said during a conference call with the Journal.

The center notified those patients with a letter dated July 17, though some people didn't receive the letter until Tuesday.

According to the letter, a copy of which was obtained by the Journal, the computer was password protected and there is "no evidence that the hard drive has been inappropriately accessed."

Doug Murphy, a Wappingers resident, said he and his wife received the letter Tuesday. "Why did it take two weeks to get to me" and "Why are Social Security numbers on laptops; shouldn't they be on a hard drive in someone's office, not a laptop where someone can walk out the door with it?" he asked.

The laptop was used as part of a disaster drill May 21 and had the hospital's master patient index on it, said Florie Munroe, chief compliance officer for Vassar Brothers. It was one of several machines throughout the hospital that had this data downloaded as part of the drill, she said.

The thought was that in a disaster, the hospital would need to function without access to its network, spokeswoman Jeanine Agnolet said.

Since the theft was reported June 26, the data on the other machines has been erased, said Dave Ping, vice president of strategic planning and business development.

The laptop computer is used to gather initial patient information at people's bedsides.
It was secured by a cable lock to a mobile cart in the emergency department.

City and state police were notified of the theft June 26, Munroe said. The computer has not been located, though security videotapes have been reviewed.

One reason for the delay in notifying patients was to make sure only those patients whose identities may have been compromised were sent a letter, Munroe said. There were other names in the database, but they had no personally-identifying information associated with them. They may have had a medical data number or other incomplete data, she said.

"The 257,800 people contacted had personally identifying information (in the database) which pointed to individuals and could be misused," she said.

From cwalsh at cwalsh.org Fri Aug 4 23:09:55 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 4 Aug 2006 22:09:55 -0500
Subject: [Dataloss] Stolen laptop reveals PII of 1500 Toyota job applicants
Message-ID:

Via http://www.woai.com/news/local/story.aspx?content_id=DB231CD9-22CB-4335-9256-6CAE88476600

Security Breach at Toyota Plant
LAST UPDATE: 8/4/2006 4:47:20 AM
Posted By: Walker Robinson

A security breach at the Toyota plant was being investigated Thursday after a laptop computer containing personal information for more than a thousand people was stolen, News 4 WOAI learned.

The laptop belonged to an independent contractor who was testing people applying for jobs at the plant, officials said.

The computer was stolen after-hours.

Toyota officials were sending out notices to people whose information may have been compromised.

More than 100,000 people have applied for jobs at the Toyota plant, and the personal information of applicants and employees could be in jeopardy, officials said.

The stolen laptop contained the names and social security numbers of 1,500 people.
The computer was locked in the plant's exercise facility, but company officials said someone found the key to the facility and took the laptop.

Toyota officials told News 4 WOAI they believe the thief wanted the computer, not the files with personal information.

"We take very seriously the safeguarding of personal information and we are reviewing our security procedures to see if we can strengthen them further," a company spokesman told News 4 WOAI.

The case has been turned over to San Antonio Police investigators, Toyota officials said.

From lyger at attrition.org Sat Aug 5 08:51:01 2006
From: lyger at attrition.org (lyger)
Date: Sat, 5 Aug 2006 08:51:01 -0400 (EDT)
Subject: [Dataloss] Matrix Bancorp computers taken in daytime heist
Message-ID:

http://washington.bizjournals.com/denver/stories/2006/07/31/daily97.html

The Denver Business Journal - 6:11 PM MDT August 4, 2006

Matrix Bancorp Inc. disclosed late Friday that it was investigating the theft of two personal computers from the bank's downtown branch on Friday, July 28, one of which contained personal account information on an undisclosed number of customers.

The bank said in a news release that thieves apparently entered offices in the company's headquarters tower at 17th and California streets in Denver between 1:30 and 2:30 p.m., and removed the laptop computers while staffers were away from their desks.

One computer contains what the bank called "certain proprietary information regarding Matrix Capital Bank and some of its customers ... "

The data, the bank said, is fully encrypted and password-protected, and there's no evidence that any confidential information has been compromised or used illicitly.

[...]
From george at myitaz.com Sat Aug 5 11:38:10 2006
From: george at myitaz.com (George Toft)
Date: Sat, 05 Aug 2006 08:38:10 -0700
Subject: [Dataloss] Hospital laptop walks away during disaster drill, patient data back to 2000 does, too
In-Reply-To: <16483933-EA6C-4136-A359-1B08DEDD0F06@cwalsh.org>
References: <16483933-EA6C-4136-A359-1B08DEDD0F06@cwalsh.org>
Message-ID: <44D4BB62.4040904@myitaz.com>

Chris Walsh wrote:
> According to the letter, a copy of which was obtained by the Journal,
> the computer was password protected and there is "no evidence that
> the hard drive has been inappropriately accessed."

It takes about 3 minutes to change the Administrator password (10 if it's your first time) using a common tool found on the Internet if you have physical access to the Windows PC. And without possession of the laptop, how can they state that the hard drive has not been accessed in any fashion, appropriate or inappropriate?

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

From blitz at strikenet.kicks-ass.net Sat Aug 5 18:12:26 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Sat, 05 Aug 2006 18:12:26 -0400
Subject: [Dataloss] Hospital laptop walks away during disaster drill, patient data back to 2000 does, too
In-Reply-To: <44D4BB62.4040904@myitaz.com>
References: <16483933-EA6C-4136-A359-1B08DEDD0F06@cwalsh.org> <44D4BB62.4040904@myitaz.com>
Message-ID: <7.0.1.0.2.20060805181011.03b45a80@strikenet.kicks-ass.net>

It's a simple matter, as you know, to remove the drive, Norton Ghost it to another, and then the laptop could be returned, alleviating fears of the data loss. Even more insidious, they could just report it's been recovered. Then the culprits (assuming the data is their target) can have all the time they want to use the data for whatever purposes.
At 11:38 8/5/2006, you wrote:
>Chris Walsh wrote:
> > According to the letter, a copy of which was obtained by the Journal,
> > the computer was password protected and there is "no evidence that
> > the hard drive has been inappropriately accessed."
>
>It takes about 3 minutes to change the Administrator password (10 if
>it's your first time) using a common tool found on the Internet if you
>have physical access to the Windows PC. And without possession of the
>laptop, how can they state that the hard drive has not been accessed in
>any fashion, appropriate or inappropriate?
>
>George Toft, CISSP, MSIS
>My IT Department
>www.myITaz.com
>480-544-1067
>
>Confidential data protection experts for the financial industry.
>
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/errata/dataloss/

From lyger at attrition.org Sun Aug 6 11:59:54 2006
From: lyger at attrition.org (lyger)
Date: Sun, 6 Aug 2006 11:59:54 -0400 (EDT)
Subject: [Dataloss] Teens arrested in VA laptop theft
Message-ID:

http://www.cnn.com/2006/US/08/05/laptop.arrests.ap/index.html

Saturday, August 5, 2006; Posted: 7:02 p.m. EDT (23:02 GMT)

WASHINGTON (AP) -- Two teenagers were arrested Saturday in the theft of a laptop and hard drive containing sensitive data on up to 26.5 million veterans and military personnel, authorities said.

The government-owned equipment was stolen May 3 during a burglary at the Maryland home of a Veterans Affairs employee. The laptop and hard drive were turned in to the FBI on June 28 by an unidentified person in response to a $50,000 reward offer.
The equipment contained the names, Social Security numbers and birth dates of veterans discharged since 1975, in what was the worst-ever breach of government data.

Jesus Alex Pineda, 19, and Christian Brian Montano, 19, both of Rockville, Maryland, were arrested early Saturday, Montgomery County police said.

Pineda was charged with first-degree burglary and theft over $500. Montano was charged with first-degree burglary, conspiracy to commit first-degree burglary, theft over $500, and conspiracy to commit theft over $500.

Police said charges were pending against a third male suspect who is a juvenile.

[...]

From macwheel99 at sigecom.net Sun Aug 6 12:08:45 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sun, 06 Aug 2006 11:08:45 -0500
Subject: [Dataloss] WSU finds, fixes computer security breaches
Message-ID: <6.2.1.2.0.20060806105932.04ab9eb0@mail.sigecom.net>

Someone gained unauthorized access to three computers in Wichita State University's College of Fine Arts box office and to a university server in the psychology department.

The intrusion apparently was meant to store music and digital files for downloading by third parties, WSU said.

The box-office workstations contained credit card information for about 2,000 patrons. This intrusion was discovered June 29, then University personnel took immediate action to secure the workstations.

The psychology department server held data regarding about 40 applicants to the department's doctoral program. This intrusion was discovered July 18, and was fixed by ending the storing of private information on the psychology department server. The investigation found a flaw in the way online applications were processed, which now has been fixed.

"While there is no evidence that any personal information was accessed, we have sent letters and are taking steps to contact individuals who could have had their information accessed," said Ravi Pendse, chief information officer and associate vice president for academic affairs and research.
[..]

http://www.kansas.com/mld/kansas/15174146.htm
http://www.bizjournals.com/wichita/stories/2006/07/31/daily7.html

From macwheel99 at sigecom.net Sun Aug 6 16:11:41 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sun, 06 Aug 2006 15:11:41 -0500
Subject: [Dataloss] Hattiesburg MS City Hall Computer Disk Drives stolen
Message-ID: <6.2.1.2.0.20060806150423.045dbeb0@mail.sigecom.net>

Hattiesburg police search for leads in a June break-in at City Hall of computers and 18 hard drives containing private data on thousands of employees and contractors, registered voters, and people who had paid water system bills via direct deposit, including names, addresses, social security #s, bank account numbers.

None of the people whose private data was on the stolen equipment have had their data used fraudulently, yet.

A surveillance video saw 2 men doing the break-in, and the FBI is helping to enhance that video. Apparently the city saved money by not monitoring the surveillance video until the discovery that $150,000.00 worth of property had been stolen, not counting the value of the personal data.

City Hall is now having a specialist come in to review security arrangements.

http://www.hattiesburgamerican.com/apps/pbcs.dll/article?AID=/20060707/NEWS01/607070313/1002
http://www.hattiesburgamerican.com/apps/pbcs.dll/article?AID=/20060805/NEWS01/608050305/1002

From blitz at strikenet.kicks-ass.net Mon Aug 7 10:56:56 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Mon, 07 Aug 2006 10:56:56 -0400
Subject: [Dataloss] AOL in massive PII release
Message-ID: <7.0.1.0.2.20060807105456.03a34a20@macronet.net>

http://www.techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data

"The utter stupidity of this is staggering. AOL has released very private data about its users without their permission.
While the AOL username has been changed to a random ID number, the ability to analyze all searches by a single user will often lead people to easily determine who the user is, and what they are up to. The data includes personal names, addresses, social security numbers and everything else someone might type into a search box.

The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with "buy ecstasy" and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless."

From lyger at attrition.org Mon Aug 7 17:26:02 2006
From: lyger at attrition.org (lyger)
Date: Mon, 7 Aug 2006 17:26:02 -0400 (EDT)
Subject: [Dataloss] Details on AOL search log disclosure
Message-ID:

(from Dave Farber's IP list)

Begin forwarded message:

Date: August 7, 2006 1:12:38 PM EDT
Subject: Re: [IP] AOL Releases Search Logs from 500,000 Users

A search for an SSN-shaped regex on the full AOL search data returns 191 results including repeat searches. Many of these have full names, and at least a dozen include either an address, driver's license number, date of birth or some combination of the three in the same query. There's no telling how much more information an aggregation of other queries by those same user IDs would yield.
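The forwarded note above describes two things a data owner should check before a log like this ever leaves the building: whether queries contain SSN-shaped strings, and how much the pseudonymous user ID still links those queries to the same person's other searches. The following Python script is an added example written for this archive; it is not code from the thread, from the IP list, or from AOL. It uses an SSN pattern whose core is the regex Chris Walsh posts later in this thread (with digit-boundary guards added so a match cannot start or end inside a longer number), flags the hits, shows the per-ID linkage, and masks the tokens for release. The tab-separated column layout (AnonID, Query, QueryTime, ItemRank, ClickURL) is an assumption, and every log row is constructed for the example.

```python
import re
from collections import defaultdict

# SSN-shaped token: three-digit area (not 000, at most 772), two-digit group
# (not 00), four-digit serial (not 0000), with the same separator run of spaces
# or hyphens between the parts. The core is the regex Chris Walsh posts later in
# this thread; the (?<!\d) / (?!\d) guards are added here so a match cannot
# begin or end inside a longer run of digits (e.g. a phone number).
SSN_RE = re.compile(
    r"(?<!\d)(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]+?)(?!00)\d\d\3(?!0000)\d{4}(?!\d)"
)

# Constructed sample log. The tab-separated layout (AnonID, Query, QueryTime,
# ItemRank, ClickURL) is assumed; every row below is made up for this example.
SAMPLE_LOG = """\
AnonID\tQuery\tQueryTime\tItemRank\tClickURL
1001\tweather portland\t2006-03-01 08:12:04\t1\thttp://example.com/weather
1001\tjane q public 123-45-6789\t2006-03-01 08:13:40\t\t
1001\tjane public 12 elm st springfield\t2006-03-01 08:14:02\t\t
2002\tcheap flights\t2006-03-02 19:02:11\t2\thttp://example.com/flights
2002\tcredit report 587 65 4321 dob 04/12/1970\t2006-03-02 19:05:53\t\t
3003\tphone 555-123-4567\t2006-03-03 10:00:00\t\t
3003\torder 000-12-3456 status\t2006-03-03 10:01:00\t\t
"""


def parse_log(text):
    """Turn the log into {'anon_id', 'query'} records, skipping the header row."""
    records = []
    for line in text.splitlines()[1:]:
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        records.append({"anon_id": fields[0], "query": fields[1]})
    return records


def find_ssn_hits(records):
    """(anon_id, query) for every query that contains an SSN-shaped token."""
    return [(r["anon_id"], r["query"]) for r in records if SSN_RE.search(r["query"])]


def flagged_users(records):
    """All queries of every pseudonymous ID that has at least one SSN hit.

    The random ID replaces the screen name but still ties one user's queries
    together, so a name or address in one query re-identifies the SSN in another.
    """
    hit_ids = {anon_id for anon_id, _ in find_ssn_hits(records)}
    linked = defaultdict(list)
    for r in records:
        if r["anon_id"] in hit_ids:
            linked[r["anon_id"]].append(r["query"])
    return dict(linked)


def redact_log(text, mask="[SSN REDACTED]"):
    """Mask every SSN-shaped token in the raw log; returns (redacted_text, count)."""
    return SSN_RE.subn(mask, text)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    hits = find_ssn_hits(records)
    print(f"{len(hits)} SSN-shaped hits in {len(records)} queries")
    for anon_id, queries in flagged_users(records).items():
        print(f"AnonID {anon_id} is linked to {len(queries)} queries:")
        for q in queries:
            print("   ", q)
    redacted, n = redact_log(SAMPLE_LOG)
    print(f"\n{n} tokens masked; redacted log:\n{redacted}")
```

On the constructed sample, the phone number and the 000-prefixed order number are correctly not flagged, the two real-shaped tokens are, and the linkage step shows why masking the token alone is not enough: AnonID 1001's other two queries carry a name and a street address, so the whole ID's history is what needs review before release, not just the matching line.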
From DOpacki at Covestic.com Mon Aug 7 17:37:50 2006
From: DOpacki at Covestic.com (Dennis Opacki)
Date: Mon, 7 Aug 2006 14:37:50 -0700
Subject: [Dataloss] Details on AOL search log disclosure
In-Reply-To:
References:
Message-ID: <28D4A3F7-B40A-4F9F-B496-F97D4BD03284@mimectl>

Interesting. At least there seems to be a potential to mine these data for some useful threat metrics.

-Dennis Opacki

From: lyger
Sent: Mon 8/7/2006 2:26 PM
To: dataloss at attrition.org
Subject: [Dataloss] Details on AOL search log disclosure

(from Dave Farber's IP list)

Begin forwarded message:

Date: August 7, 2006 1:12:38 PM EDT
Subject: Re: [IP] AOL Releases Search Logs from 500,000 Users

A search for an SSN-shaped regex on the full AOL search data returns 191 results including repeat searches. Many of these have full names, and at least a dozen include either an address, driver's license number, date of birth or some combination of the three in the same query. There's no telling how much more information an aggregation of other queries by those same user IDs would yield.

From lyger at attrition.org Mon Aug 7 22:09:31 2006
From: lyger at attrition.org (lyger)
Date: Mon, 7 Aug 2006 22:09:31 -0400 (EDT)
Subject: [Dataloss] PSA HealthCare Announces Data Security Update
Message-ID:

Courtesy Beth Givens and Privacy Rights Clearinghouse:

http://www.forbes.com/businesswire/feeds/businesswire/2006/08/04/businesswire20060804005479r1.html

08.04.06, 4:40 PM ET

PSA HealthCare (Nasdaq: PSAI) today announced that a company-owned laptop computer was stolen from an employee's vehicle in a public parking lot.
The laptop computer contained certain personal information of approximately 51,000 current and former patients, including names and social security numbers and, in a limited number of cases, personal health information. The laptop computer was password protected and PSA has no indication that any of the information has been accessed or misused. However, PSA will begin to contact the affected individuals in order to provide them with steps to take to protect themselves from any possible misuse of their personal information.

[...]

From cwalsh at cwalsh.org Mon Aug 7 23:03:41 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 7 Aug 2006 22:03:41 -0500
Subject: [Dataloss] Details on AOL search log disclosure
In-Reply-To:
References:
Message-ID: <3BE49C84-F576-4787-824A-979799F90054@cwalsh.org>

They must have a more selective regex than mine. I got 260 hits. Selecting those results which also contain the word 'social' results in 22 hits, with many that are clearly attempts to look up the records of a specific individual -- often supplying an address and DOB as well as an SSN.

The regex I used is:

/(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]+?)(?!00)\d\d\3(?!0000)\d{4}/

It is a minor variant of one found at http://www.regexlib.com/REDetails.aspx?regexp_id=535

(Checking for CC#s now....)

On Aug 7, 2006, at 4:26 PM, lyger wrote:

>
> (from Dave Farber's IP list)
>
> Begin forwarded message:
>
> Date: August 7, 2006 1:12:38 PM EDT
> Subject: Re: [IP] AOL Releases Search Logs from 500,000 Users
>
>
> A search for an SSN-shaped regex on the full AOL search data returns 191
> results including repeat searches. Many of these have full names, and at least
> a dozen include either an address, driver's license number, date of birth or
> some combination of the three in the same query. There's no telling how much
> more information an aggregation of other queries by those same user IDs would
> yield.
From josh at root.net Mon Aug 7 23:00:27 2006
From: josh at root.net (Joshua Reich)
Date: Mon, 07 Aug 2006 23:00:27 -0400
Subject: [Dataloss] Details on AOL search log disclosure
In-Reply-To: <3BE49C84-F576-4787-824A-979799F90054@cwalsh.org>
References: <3BE49C84-F576-4787-824A-979799F90054@cwalsh.org>
Message-ID: <44D7FE4B.8090806@root.net>

Now that we all have the list -- how ethical are we being by using it, for whatever purposes?

Which ethical guidelines apply in this circumstance.

(would type more but sliced hand opening a hard drive last night)

Josh Reich

From lyger at attrition.org Tue Aug 8 00:21:12 2006
From: lyger at attrition.org (lyger)
Date: Tue, 8 Aug 2006 00:21:12 -0400 (EDT)
Subject: [Dataloss] Details on AOL search log disclosure
In-Reply-To: <44D7FE4B.8090806@root.net>
References: <3BE49C84-F576-4787-824A-979799F90054@cwalsh.org> <44D7FE4B.8090806@root.net>
Message-ID:

On Mon, 7 Aug 2006, Joshua Reich wrote:

": " Now that we all have the list -- how ethical are we being by using it, for
": " whatever purposes?
": "
": " Which ethical guidelines apply in this circumstance.
": "
": " (would type more but sliced hand opening a hard drive last night)
": "
": " Josh Reich

Not an easy question to answer, but a good one.

First, AOL did actually remove the original list from their public web space, which was a wise move. However, they didn't do so until copies were distributed across the internet. At this point, no legal action will be able to remove the data from hard drives across the world.

Second, ethics. There will probably be several differing opinions regarding distribution and use of the list or dataset. Personally, I have seen raw sets of breached data. Was I happy about it? No. Did it make me uncomfortable? Yes. Did I seek the opinions of others in the security industry about viewing said data? Absolutely.
The best piece of advice I received was this: Do no harm. Look, but don't touch. Don't distribute for commercial gain. Try to understand the data itself, but don't use it for anything other than self-education.

Side note: make sure any data breach is reported to the appropriate people, whether company supervisors or law enforcement authorities. If you know something, they should too.

From macwheel99 at sigecom.net Tue Aug 8 00:52:44 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Mon, 07 Aug 2006 23:52:44 -0500
Subject: [Dataloss] Vets records on PC gone from VA contractor Unisys
Message-ID: <6.2.1.2.0.20060807232530.04b8beb0@mail.sigecom.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060808/e2a20c25/attachment.html

From blitz at strikenet.kicks-ass.net Tue Aug 8 02:51:07 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Tue, 08 Aug 2006 02:51:07 -0400
Subject: [Dataloss] AOL Takes Down Site With Users' Search Data
Message-ID: <7.0.1.0.2.20060808025010.03af6500@macronet.net>

http://www.washingtonpost.com/wp-dyn/content/article/2006/08/07/AR2006080701150_pf.html

AOL Takes Down Site With Users' Search Data
Personal Details Posted in 'Screw-Up'

By Ellen Nakashima
Washington Post Staff Writer
Tuesday, August 8, 2006; D01

AOL issued an apology yesterday for posting on a public Web site 20 million keyword searches conducted by hundreds of thousands of its subscribers from March to May. But the company's admission that it made a mistake did little to quell a barrage of criticism from bloggers and privacy advocates who questioned the company's security practices and said the data breach raised the risk of identity theft.

"This was a screw-up and we're angry and upset about it," the company said in a statement. "Although there was no personally-identifiable data linked to these accounts, we're absolutely not defending this. It was a mistake, and we apologize."

The posted data were similar to what the U.S.
Justice Department had been seeking when it subpoenaed Internet companies, including AOL, last year. AOL complied and handed over search terms that were not linked to individuals. Google Inc. fought the subpoena in court and won.

The AOL data was posted at the end of last month on a special AOL Web site designed by the company so researchers could learn more about how people look for information on the Internet. The company removed the data over the weekend when bloggers discovered it.

The Washington Post did not review the full 439-megabyte data set but contacted bloggers who had looked at it.

For the posted data, each person using AOL's search engine was assigned a unique number to maintain anonymity, the company said. But some privacy experts said scrutinizing a user's searches could reveal information to help deduce the person's identity.

Michael Arrington, editor of the blog TechCrunch, said some of the data contained credit card numbers, Social Security numbers, addresses and names. "People put anything they can think of into the search boxes," he said.

Based on his analysis so far, out of 20 million queries, the number that contained sensitive personal financial information such as credit card and Social Security numbers is probably "in the hundreds," he said.

"Most people aren't stupid enough to type their Social Security numbers in a search engine, but it's definitely enough to make AOL look stupid," he said.

Some bloggers said some of the information available included queries on how to kill one's spouse and child pornography.

Experts said people search for all sorts of personal data -- including their own names -- with the assumption that it will remain private.

"I search on myself," said David H. Holtzman, president of GlobalPOV, a blog and consulting firm on privacy and security and author of the forthcoming book "Privacy Lost." "Now you think you have a disease or you have some emotional issue -- I'm a single parent and I'm always looking for things.
All of a sudden there's a correlation between my name and something very private that I don't expect to have dumped all over the Internet."

Kevin Bankston, an attorney with the San Francisco-based Electronic Frontier Foundation, said AOL's apology was appreciated but the damage had already been done. "The horse is out of the barn," he said. "The data's out there and been copied. This incident highlights the dangers of these companies storing so much intimate data about their users."

The mishap was rooted in an effort by AOL to design a Web site aimed at helping researchers do their jobs more effectively by including AOL open-source data tools, company spokesman Andrew Weinstein said.

A technician posted the data to the site without running them past an in-house privacy department, not realizing the implications, Weinstein said. An internal investigation is underway to determine what happened and how to prevent future occurrences, he said.

However, Weinstein also noted that identifying an individual by search terms alone is difficult because someone could have typed in a friend's name or address instead of his own.

The AOL search network had 42.7 million unique visitors in May, so the total data set covered 1.5 percent of search users that month. The 20 million search records represent about one-third of 1 percent of the total searches conducted on the AOL network in that period, the company said.

The data were gleaned from searches conducted by people with AOL user accounts in the United States.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060808/2788612f/attachment.html

From lyger at attrition.org Tue Aug 8 18:13:04 2006
From: lyger at attrition.org (lyger)
Date: Tue, 8 Aug 2006 18:13:04 -0400 (EDT)
Subject: [Dataloss] Virginia Advises Insurance Agents of Security Breach
Message-ID:

http://www.insurancejournal.com/news/east/2006/08/08/71296.htm

August 8, 2006

Virginia's Bureau of Insurance is advising all insurance agents in the state that their social security number may have been accessible on the bureau's website for a six-week period of time.

The social security numbers were not shown on any web page, but officials fear a savvy computer user could have found them using the source code tool of a web browser. Although officials said the likelihood of finding an SSN was remote, access would have been possible from June 13 through July 31, 2006. The bureau said it immediately corrected the programming error the same day it was discovered.

The inadvertent access to an agent's SSN was caused during an upgrade to the bureau's web-site feature that allows the public to look up agency and agent information. This on-line feature is specifically designed to allow consumers to check whether an agency or individual is licensed in Virginia. It also shows the insurance companies to which an agent has been appointed to offer and sell their products.

[...]

From jericho at attrition.org Tue Aug 8 18:54:01 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 8 Aug 2006 18:54:01 -0400 (EDT)
Subject: [Dataloss] Details on AOL search log disclosure
In-Reply-To: <44D7FE4B.8090806@root.net>
References: <3BE49C84-F576-4787-824A-979799F90054@cwalsh.org>
	<44D7FE4B.8090806@root.net>
Message-ID:

: Now that we all have the list -- how ethical are we being by using it,
: for whatever purposes?
:
: Which ethical guidelines apply in this circumstance.
:
: (would type more but sliced hand opened a hard drive last night)

Hopefully more will pipe up on this issue, especially any lawyers lurking around.

There are a couple issues that I see here. First, having the list in general can be debated. If I have such a list, is it unethical? It depends on how I obtained it really. If I hack a server or trick a person into giving it to me, no. If I get it from a popular torrent site and thousands of people are reading through it as I download it, I'd say no. Just possessing it in that circumstance isn't necessarily unethical but again, what am I doing with it?

Another key point to think about when debating the "possession of such a list" angle, is if the victim knows about the disclosure. In the case of the AOL list, they know it was leaked out so I don't see myself (or anyone on this list) having an obligation to report it to them. If I was under the impression that AOL wasn't aware, it would be an ethical duty to report it to them or law enforcement.

Moving on from that issue, once we have the list and resolve any ethical dilemma in possession.. what are we doing with it? Anyone doing analysis on the content of the list attempting to determine the extent of disclosure, I don't see a problem with that. Obviously if you are browsing it looking for sensitive information to use in a crime or questionable activity, sure it crosses the boundary of ethical use.

From cwalsh at cwalsh.org Tue Aug 8 23:23:43 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 8 Aug 2006 22:23:43 -0500
Subject: [Dataloss] Univ of Wyoming investigates possible alumni breach
Message-ID: <81477392-35F7-4FD8-A2EC-06FC2156CD27@cwalsh.org>

News Release

UW Investigates Possible Data Security Breach

Aug. 8, 2006 -- The University of Wyoming is investigating a possible security breach of the university's Advance Alumni Database.
The possible compromise of information in this database was identified and reported to university officials by persons with authorized access.

UW President Tom Buchanan has directed UW Vice President for Information Technology Robert Aylward to retain an independent firm to evaluate whether a compromise of alumni information occurred and, if it did, the cause and extent of the situation.

Questions should be directed to Aylward at (307) 766-4860.

Posted on Tuesday, August 08, 2006

http://www.uwyo.edu/news/showrelease.asp?id=9565

From henryojo at yahoo.com Wed Aug 9 08:41:39 2006
From: henryojo at yahoo.com (henry ojo)
Date: Wed, 9 Aug 2006 13:41:39 +0100 (BST)
Subject: [Dataloss] Teens arrested in VA laptop theft
Message-ID: <20060809124139.62399.qmail@web56112.mail.re3.yahoo.com>

henry ojo wrote:

It's beginning to look like trying to kill a fly on a glass door with a shotgun, with the news of teenagers being responsible for the theft. The downside being the thieves don't even know how 'valuable' the data they have stolen is, till the fire brigade storms in with sirens blaring and lights flashing because a cat got stuck up a tree.

Henry Ojo BSc CISA HISP BS7799 Auditor
www.efortresses.ie
Cell: 00353 874182266
Office: +(0) 7958430094
Fax: +(0) 7092 0950843

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060809/2f6e2b4b/attachment.html

From lyger at attrition.org Wed Aug 9 10:13:48 2006
From: lyger at attrition.org (lyger)
Date: Wed, 9 Aug 2006 10:13:48 -0400 (EDT)
Subject: [Dataloss] Bank of America/VISA breach?
Message-ID:

A question posed by a member of another mailing list, forwarded with permission. All responses will be forwarded to the author:

____________________________________

Date: Tue, 8 Aug 2006 18:08:02 -0400

A friend of mine just had his Bank of America Visa debit card cancelled because BOA said that VISA just informed them that there was a "massive compromise" of Visa debit cards. Anyone know what's up?

Date: Tue, 8 Aug 2006 20:15:56 -0400 (EDT)

My friend got a call from BOA saying that there has been a "massive" compromise of Visa debit cards and his card might be affected. As a precaution, BOA is cancelling his old card and mailing him a new one. But there is an interesting twist. BOA wouldn't be cancelling the card for another hour to give my friend time to make one last withdrawal. He rushed over to his local ATM, but he tried to take out too much money when he went over his daily limit. When he tried a second withdrawal at a lower amount, the ATM said his card was cancelled.

From rforno at infowarrior.org Wed Aug 9 10:16:49 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 Aug 2006 10:16:49 -0400
Subject: [Dataloss] Bank of America/VISA breach?
In-Reply-To:
Message-ID:

That's interesting -- I had someone email me yesterday asking if I knew anything about Chase servers being compromised.....which I said I didn't.

Just passing along the RUMINT in case there's any corroboration here.

-rf

On 8/9/06 10:13 AM, "lyger" wrote:

>
> A question posed by a member of another mailing list, forwarded with
> permission.
> All responses will be forwarded to the author:
>
> ____________________________________
>
>
> Date: Tue, 8 Aug 2006 18:08:02 -0400
>
> A friend of mine just had his Bank of America Visa debit card cancelled
> because BOA said that VISA just informed them that there was a "massive
> compromise" of Visa debit cards. Anyone know what's up?
>
> Date: Tue, 8 Aug 2006 20:15:56 -0400 (EDT)
>
> My friend got a call from BOA saying that there has been a "massive"
> compromise of Visa debit cards and his card might be affected. As a
> precaution, BOA is cancelling his old card and mailing him a new one. But
> there is an interesting twist. BOA wouldn't be cancelling the card for
> another hour to give my friend time to make one last withdrawal. He rushed
> over to his local ATM, but he tried to take out too much money when he
> went over his daily limit. When he tried a second withdrawal at a lower
> amount, the ATM said his card was cancelled.
>
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 142 million compromised records in 296 incidents over 6
> years.
>

From macwheel99 at sigecom.net Wed Aug 9 12:26:02 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Wed, 09 Aug 2006 11:26:02 -0500
Subject: [Dataloss] Linens & Things Stolen Receipts in Sterling Virginia
Message-ID: <6.2.1.2.0.20060809112200.04c82e00@mail.sigecom.net>

Sheriff's spokesman Kraig Troxell says a folder holding about 90 receipts was taken from the store sometime around 8 p.m. The receipts show both the full account number and the name of the credit or debit card holder. Authorities say the information on the receipts could be used to create a fake card or to make fraudulent online purchases. Shoppers are urged to contact their bank or credit card company. This affects shoppers on Saturday, Aug 5.
http://www.wjla.com/news/stories/0806/351119.html

From macwheel99 at sigecom.net Wed Aug 9 12:46:25 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Wed, 09 Aug 2006 11:46:25 -0500
Subject: [Dataloss] Credit Card slips Oasis clothing store in Britain
Message-ID: <6.2.1.2.0.20060809114105.04c81790@mail.sigecom.net>

A bundle of store receipts was found in the street. Each contained full card account #, expiration date, customer signature. Speculation abounds as to how many slips there were before the remainder were found by a concerned citizen, and how they came to be lying in the street in the first place.

http://www.thisisdorset.net/display.var.841695.0.credit_card_fraud_fear_as_slips_found_in_road.php

From rforno at infowarrior.org Wed Aug 9 16:04:01 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 09 Aug 2006 16:04:01 -0400
Subject: [Dataloss] Transportation Department Laptop Stolen
Message-ID:

Transportation Department Laptop Stolen
Missing Computer Could Compromise Data of Florida Residents

http://www.washingtonpost.com/wp-dyn/content/article/2006/08/09/AR2006080901177_pf.html

By Christopher Lee and Del Quentin Wilber
Washington Post Staff Writers
Wednesday, August 9, 2006; 3:42 PM

A laptop computer belonging to the federal Department of Transportation inspector general's office was stolen last month, putting the sensitive personal information of nearly 133,000 Florida residents at risk, Acting Inspector General Todd J. Zinser said today.

The laptop, assigned to a special agent in the Miami office, was stolen from a government vehicle on July 27 in Doral, Fla., Zinser told Florida Gov. Jeb Bush (R) today in a letter obtained by The Washington Post.
The computer contains the names, Social Security numbers, birthdates and addresses of 42,792 Florida residents who hold a pilot's license; 80,667 people in the Miami-Dade County area who hold commercial driver's licenses; and 9,496 people who took personal driver's license tests or obtained their license from an examining facility near Tampa, the letter said.

"While we do not have reason to believe that the perpetrators targeted the laptop based on any knowledge of its data contents, we are nonetheless taking all possible steps to inform Florida residents," Zinser wrote. "We will be working with members of Congress, federal agencies, state and local agencies, the news media, and trucking and aviation organizations to further ensure that the individuals are aware of the situation and of the steps they may take to protect themselves from misuse of their personal information."

Zinser wrote that a team of special agents has been dispatched to the Miami area to work with Miami-Dade police in investigating what happened to the laptop. A reward will be offered for its return, he wrote.

"We regret this matter and take our responsibilities seriously," Zinser wrote. "We have taken action and will continue to take steps necessary to prevent this from happening again."

The theft is just the latest in a string of embarrassing data breaches reported by a wide variety of federal agencies.

The highest profile incident of its kind was a May 3 burglary at the home of a Department of Veterans Affairs data analyst. Thieves made off with a laptop and external hard drive containing the names, birthdates, and Social Security numbers of as many as 26.5 million veterans and active duty service members, raising fears of mass identity theft.

The computer equipment was later recovered and two men were arrested and charged with the burglary last week. Authorities do not believe the sensitive data had been accessed.
The department took a public relations hit for its handling of the incident, including a nearly three week delay in disclosing the theft to Congress and the public.

The bad news has kept coming at the Department of Veterans Affairs. The department announced yesterday that a desktop computer containing sensitive personal information for as many as 38,000 patients at VA hospitals in Pennsylvania had gone missing from a VA contractor's Reston office.

Some of the data breaches are new, and some are merely newly disclosed as the high-profile VA case pressured agency officials to come clean about security lapses. In recent weeks, data breaches involving hundreds to thousands of people have been disclosed at the Department of Agriculture, the Department of Energy, the Department of the Navy, the Social Security Administration and the Internal Revenue Service.

An Office of Management and Budget official testified in early June that federal agencies experience dozens of smaller-scale information security breaches every year, often involving government issued laptops that are lost or stolen while on business travel or when taken home.

Chris Dancy, a spokesman for the Aircraft Owners and Pilots Association, said that the Florida theft concerned his group, which represents more than 400,000 pilots.

"Exactly in the same way that the loss of the VA computer caused concerns for members of the military and veterans, we are very concerned anytime there is the possibility of identity theft involving our members or airmen in general," he said.

Zinser wrote that he learned of the laptop theft on July 31, but was unaware that the computer contained sensitive personal information on Florida residents until Saturday, when the IG's office began investigating exactly what was in the laptop and dispatched its agents to Florida. He did not notify Florida lawmakers or the governor until today, after the Washington Post called the IG's office to inquire about a tip about the theft.
In 2005, the Department of Transportation earned a C-minus on the annual federal computer security report card compiled by the House Government Reform Committee. The government-wide average for 2005 was a D-plus, but there were wide variations -- the Social Security Administration got an A-plus, while the departments of Defense and Homeland Security earned F's.

The report card measures compliance with the 2002 Federal Information Security Management Act, which requires agencies to test their systems, develop cyber-security plans and report on their progress.

© 2006 The Washington Post Company

From macwheel99 at sigecom.net Wed Aug 9 22:28:52 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Wed, 09 Aug 2006 21:28:52 -0500
Subject: [Dataloss] Skimming Insider Crime on Smart Cards
Message-ID: <6.2.1.2.0.20060809211245.04808dd0@mail.sigecom.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060809/9f5e9104/attachment.html

From lyger at attrition.org Thu Aug 10 07:33:26 2006
From: lyger at attrition.org (lyger)
Date: Thu, 10 Aug 2006 07:33:26 -0400 (EDT)
Subject: [Dataloss] Update: Another VA computer missing
Message-ID:

Courtesy InfoSec News and WK - story correction

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9002252

By Linda Rosencrance
August 08, 2006
Computerworld

Editor's note: Due to an editing error, an earlier version of this story incorrectly said the stolen computer was a laptop.

The U.S. Department of Veterans Affairs yesterday announced that a desktop computer containing the personal information on 38,000 veterans is missing from the office of Unisys Corp., the subcontractor hired to assist in insurance collection for the VA's medical centers in Pittsburgh and Philadelphia.

"VA's inspector general, the FBI and local law enforcement are conducting a thorough investigation of this matter," Secretary of Veterans Affairs R.
James Nicholson said in a statement.

Unisys told the VA on Aug. 3 that the computer was missing from its Reston, Va., offices. The VA immediately sent a team to Unisys to help search for the missing computer and to determine exactly what information it contained.

The VA said it believes the data involved is limited to veterans who received treatment at the two Pennsylvania medical centers during the past four years. According to the agency, the desktop computer may have contained patients' names, addresses, Social Security numbers and dates of birth, the names of their insurance companies, billing information, dates of military service and claims data that may include some medical information.

The VA estimates that the computer contained information on approximately 5,000 patients treated at a center in Philadelphia, approximately 11,000 patients treated at a Pittsburgh facility and about 2,000 deceased patients. The VA is also investigating the possibility that the computer contained information on another 20,000 people who received care through the Pittsburgh medical center.

[...]

From jon.passki at hursk.com Thu Aug 10 08:54:17 2006
From: jon.passki at hursk.com (Jon Passki)
Date: Thu, 10 Aug 2006 07:54:17 -0500
Subject: [Dataloss] Details on AOL search log disclosure
In-Reply-To:
References: <3BE49C84-F576-4787-824A-979799F90054@cwalsh.org>
	<44D7FE4B.8090806@root.net>
Message-ID: <2FDF22C4-DAD7-44A7-B9D8-6D350D81FD3E@hursk.com>

On Aug 8, 2006, at 5:54 PM, security curmudgeon wrote:

>
> : Now that we all have the list -- how ethical are we being by using it,
> : for whatever purposes?
> :
> : Which ethical guidelines apply in this circumstance.
> :
> : (would type more but sliced hand opened a hard drive last night)
>
> Hopefully more will pipe up on this issue, especially any lawyers
> lurking around.
>
> There are a couple issues that I see here. First, having the list in
> general can be debated. If I have such a list, is it unethical?
> It depends on how I obtained it really.

Disagree. Principles can relate to possession or usage. Now, what school of ethics are you? (^_^) I feel a massive online debate about to start...

> If I hack a server or trick a person into giving it to me, no. If I get it
> from a popular torrent site and thousands of people are reading through it
> as I download it, I'd say no. Just possessing it in that circumstance isn't
> necessarily unethical but again, what am I doing with it?

It's about principles, which can relate to possession, if appropriate. Since this is not data about you but others (I'm assuming you don't use AOL (^_^), ethics should apply even with possession.

In my school of ethics, I see something as being ethical if it benefits, without harm, society, myself, and those impacted by what's in question, w/o going against my principles. We could debate ad nauseam what principles are at play here, so let's not.

So, for me, I would ask myself if it does benefit, without harm, society, myself, and the people who are within the data set for me to gather, analyze, or report on that information, without violating my principles.

At the minimum, is there a benefit? Sure. A reasonable person can state that privacy is in the good of society and examples can be made from this dataset that show an absence of privacy since it was leaked. One could conclude that no agency should ever get a massive amount of data without all parties being informed, since privacy would be violated. And, with this, one can point to the AT&T vs. EFF case and shake a finger at the gov't.

Has that been done already? Yes, many parties have reported on the ease of figuring out private information and individuals [1]. So, what other benefit are you going to provide to society or the person w/i the dataset?
If you're snickering while you look at the data, it's probably unethical (^_^)

Since most people on this list, I'll assume, are in the information security biz, then we are often at times custodians to other peoples' data (OPD, ya you know me). The same ethics code should apply here, too.

[1] http://news.google.com/?ncl=http://computerworld.com/blogs/node/3191&hl=en

> Another key point to think about when debating the "possession of such a
> list" angle, is if the victim knows about the disclosure. In the case of
> the AOL list, they know it was leaked out so I don't see myself (or anyone
> on this list) having an obligation to report it to them. If I was under the
> impression that AOL wasn't aware, it would be an ethical duty to report it
> to them or law enforcement.

Could it be of benefit? Reasonably speaking, mass media has probably a larger impact than an individual's announcement at this point, so there's probably no real benefit.

> Moving on from that issue, once we have the list and resolve any ethical
> dilemma in possession.. what are we doing with it? Anyone doing analysis
> on the content of the list attempting to determine the extent of
> disclosure, I don't see a problem with that. Obviously if you are browsing
> it looking for sensitive information to use in a crime or questionable
> activity, sure it crosses the boundary of ethical use.

See my short dissertation above (^_^)

Cheers,

Jon

From lyger at attrition.org Fri Aug 11 13:24:04 2006
From: lyger at attrition.org (lyger)
Date: Fri, 11 Aug 2006 13:24:04 -0400 (EDT)
Subject: [Dataloss] Washington - Madrona patients may face ID theft
Message-ID:

Courtesy pogowasright.org

http://news.bellinghamherald.com/apps/pbcs.dll/article?AID=/20060811/NEWS09/608110341

Madrona Medical Group is asking thousands of patients to watch their credit reports after a former employee was charged with illegally downloading patient files onto his personal laptop computer.
Madrona officials don't believe the files were copied or used for identity theft, but they sent letters this week to more than 6,000 patients anyway, asking them to take steps to make sure no one uses the information illegally. The records include patients' names, addresses, Social Security numbers and dates of birth.

"There is no evidence that this individual actually transferred information to any other source," said Dr. Erick Laine, CEO of Madrona Medical Group, a large multispecialty practice in Bellingham. But Madrona officials are required by law to let patients know of the security breach, he said.

[...]

From lyger at attrition.org Sat Aug 12 00:38:11 2006
From: lyger at attrition.org (lyger)
Date: Sat, 12 Aug 2006 00:38:11 -0400 (EDT)
Subject: [Dataloss] Will AOL Goof Trigger New U.S. Law?
Message-ID:

Courtesy Richard Forno and Infowarrior (infowarrior.org)

Will AOL Goof Trigger New U.S. Law?
By Frederick Lane
August 10, 2006 11:04AM

http://www.sci-tech-today.com/story.xhtml?story_id=02300000MCAG

The bill would require Internet companies to destroy obsolete electronic data, and particularly data that could be used to individually identify consumers. The bill would also instruct the Federal Trade Commission to set up standards for the maintenance and destruction of data, and enforce the provisions of the law.

The news that AOL released the search histories of 658,000 of its users is renewing calls for federal legislation to protect consumer privacy online.

In the wake of the disclosure, Representative Edward Markey (D-Mass.) urged his colleagues to take action on privacy legislation he proposed in February of this year.

"Technology is the engine which will drive our economy into the next century, but the success of this technology balances on the public trust," Markey said.
"If 2005 was the year of the data breach, I want to make sure that 2006 is the year of safeguarding the privacy of American citizens by introducing legislation to prevent the stockpiling of private citizens personal data."

[...]

From lyger at attrition.org Mon Aug 14 23:04:55 2006
From: lyger at attrition.org (lyger)
Date: Mon, 14 Aug 2006 23:04:55 -0400 (EDT)
Subject: [Dataloss] Veterans Affairs to protect data on laptops
Message-ID:

Courtesy Richard Forno and infowarrior.org:

By Anne Broache
http://news.com.com/Veterans+Affairs+to+protect+data+on+laptops/2100-1029_3-6105477.html
Story last modified Mon Aug 14 14:54:16 PDT 2006

One week after news that another computer from the U.S. Department of Veterans Affairs had gone missing, the agency announced plans to beef up safeguards on all of its machines.

In the next week, the agency plans to begin installing data encryption software on its laptop and desktop machines, VA Secretary R. James Nicholson said Monday. Data on portable media such as flash drives and CDs will also be protected.

"A system-wide encryption program will be a tremendous step forward in improving the safety and security of sensitive veteran information," Nicholson said in a statement.

The planned upgrade is the agency's latest effort to step up vigilance over its computer systems, after the high-profile theft of a laptop and an external hard drive that housed sensitive information on more than 26 million veterans and active military personnel. The equipment was stolen from the Maryland home of a Veterans Affairs Department employee in early May and was ultimately recovered in June--but not before an uproar ensued among politicians and other watchdogs. Police arrested two teenagers in connection with the incident last week.
Days later, the agency said it was investigating reports of a new theft--this time of a desktop machine from the Reston, Va., offices of Unisys, a subcontractor hired to assist with insurance collections for Department of Veterans Affairs medical centers in Pennsylvania. The agency estimated that the computer contained information on about 38,000 veterans--2,000 of whom were deceased.

The Department of Veterans Affairs' laptop computers will be the first to receive the new encryption software. They will be given products made by GuardianEdge and Trust Digital, which market themselves as mobile security specialists. The agency said it awarded a $3.7 million contract last week to SMS, a Syracuse, N.Y.-based company owned by a "service-disabled" veteran, to carry out the upgrade.

Final testing of the products is currently under way, and installation is set to begin on Aug. 18. The agency hopes to have 100 percent of its laptops covered within four weeks of that date, with desktop machines to follow.

From lyger at attrition.org Tue Aug 15 09:16:39 2006
From: lyger at attrition.org (lyger)
Date: Tue, 15 Aug 2006 09:16:39 -0400 (EDT)
Subject: [Dataloss] Second laptop from DOT in Miami is also missing
Message-ID:

http://www.miami.com/mld/miamiherald/15274879.htm

Posted on Tue, Aug. 15, 2006

The U.S. Department of Transportation inspector general's office is hunting for not one, but two missing laptops from Miami that disappeared in the past three months, The Miami Herald learned Monday.

Last week, authorities confirmed that a Miami-based agent with the inspector general's office lost a laptop filled with the unencrypted personal information of 133,000 Floridians -- the latest in a string of embarrassing data breaches by federal agencies.

In late April, one of the agent's bosses reported her laptop stolen from an Orlando hotel where she was organizing a national transportation fraud conference. Barbara L.
Barnet, special agent-in-charge of the DOT inspector general's Miami office, told an Orange County sheriff's investigator that her missing Dell laptop contained ``several case files which are not encrypted due to computer conversions at work.''

Barnet said she left the laptop inside a locked conference room at the Orlando Wyndham Resort for approximately 45 minutes on April 24. When she returned, the door to the conference room was open, a hotel employee was inside and the computer was gone.

[...]

From macwheel99 at sigecom.net Tue Aug 15 22:09:59 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Tue, 15 Aug 2006 21:09:59 -0500
Subject: [Dataloss] U of KY computer security oops
Message-ID: <6.2.1.2.0.20060815210020.042e1bc0@mail.sigecom.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20060815/e78e9dc9/attachment.html

From cwalsh at cwalsh.org Wed Aug 16 00:14:21 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 15 Aug 2006 23:14:21 -0500
Subject: [Dataloss] Oh *that* UK
Message-ID:

Via http://www.first.org/newsroom/globalsecurity/43840.html

UK accidentally releases Social Security numbers

The Social Security numbers of about 700 University of Kentucky students may have been accidentally released publicly in two incidents recently, school officials said Tuesday.

In a statement from the school, officials said about 630 students' names and Social Security numbers were posted on UK's financial aid Web site between Friday and Monday. The mistake was discovered Monday afternoon, and the information was removed, officials said. They said they have received no reports of anyone affected by the release.
Courier-Journal, August 16, 2006 02:43 GMT+01
http://www.courier-journal.com/apps/pbcs.dll/article?AID=/20060815/NEWS01/60815036/1008

[This isn't a first for UK -- http://www.kentucky.com/mld/heraldleader/14717374.htm]

From cwalsh at cwalsh.org Wed Aug 16 00:18:26 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 15 Aug 2006 23:18:26 -0500
Subject: [Dataloss] GRR. Sorry about the dupe, folks.
Message-ID:

I thought I checked -- Al's message was off the screen.

cw

From george at myitaz.com Wed Aug 16 09:32:13 2006
From: george at myitaz.com (George Toft)
Date: Wed, 16 Aug 2006 06:32:13 -0700
Subject: [Dataloss] hard drive destruction
Message-ID: <44E31E5D.5050704@myitaz.com>

Just wondering what the group feels is an adequate level of destruction for a hard drive that contains personal financial information . . .

A. Using software to wipe the drive to DOD 5200.28 spec.

B. Cutting the platters in half (great big saw that essentially chops the drive into two pieces).

C. Drilling out the center of the platter with a 2" drill bit.

D. Hard drive degausser.

E. Other - please specify.

--
George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

From hobbit at avian.org Wed Aug 16 09:46:19 2006
From: hobbit at avian.org (*Hobbit*)
Date: Wed, 16 Aug 2006 13:46:19 +0000 (GMT)
Subject: [Dataloss] hard drive destruction
Message-ID: <20060816134619.89090C32A@relayer.avian.org>

For the 99% case, "dd if=/dev/zero of=/dev/hda" from a linux distrib booted to a shell will probably suffice. Or maybe from /dev/random, which would take much longer. I wouldn't think scammers in Nigeria or wherever are the ones going after old drives with magnetic-force microscopy or in-depth head-signal analysis...

Clearly, the answer is to fill the drive up with pr0n and then send it off!

_H*

From kravietz at post.pl Wed Aug 16 10:49:03 2006
From: kravietz at post.pl (Pawel Krawczyk)
Date: Wed, 16 Aug 2006 16:49:03 +0200
Subject: [Dataloss] hard drive destruction
In-Reply-To: <44E31E5D.5050704@myitaz.com>
References: <44E31E5D.5050704@myitaz.com>
Message-ID: <44E3305F.9070504@post.pl>

George Toft wrote:
> Just wondering what the group feels is an adequate level of destruction
> for a hard drive that contains personal financial information . . .
[...]
> E. Other - please specify.

My company has just started working with a chemical factory to dissolve hard drives in acid, so at the end of the day you can get a bottle of yellow fluid that WAS your hard drive. Now they're working to make the procedure conform with Polish regulations about processing classified data.

Pawel Krawczyk
Bolanda Networks, Poland

From joe at layeredsecurity.net Wed Aug 16 11:05:49 2006
From: joe at layeredsecurity.net (Joe Francis)
Date: Wed, 16 Aug 2006 10:05:49 -0500 (CDT)
Subject: [Dataloss] hard drive destruction
In-Reply-To: <20060816134619.89090C32A@relayer.avian.org>
References: <20060816134619.89090C32A@relayer.avian.org>
Message-ID:

I agree. To worry about microscopy on the drive, it means that the FBI/CIA/NSA or another TLA is after you ... in which case they'll probably just kick in your door if they know where you live (which they must if they are stealing your trash).

I personally "dd if=/dev/zero of=/dev/hda && dd if=/dev/urandom of=/dev/hda" and then run a drill bit through the drive (not right down the middle of the spindle, but somewhere to the side but still hit the platters). I think I drill moreso because it's fun than any other reason, though :)

Really paranoid places have grinders that can reduce any media (drives, removable devices, CDs, etc) to a powder.

On Wed, 16 Aug 2006, *Hobbit* wrote:
> For the 99% case, "dd if=/dev/zero of=/dev/hda" from a linux distrib
> booted to a shell will probably suffice. Or maybe from /dev/random,
> which would take much longer.

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 303 incidents over 6 years.

From angelo at combatingidtheft.com Wed Aug 16 10:52:47 2006
From: angelo at combatingidtheft.com (Angelo Manoloules)
Date: Wed, 16 Aug 2006 10:52:47 -0400
Subject: [Dataloss] hard drive destruction
In-Reply-To: <44E31E5D.5050704@myitaz.com>
Message-ID: <000501c6c143$a3e39b10$89cefea9@angelolaptop>

Thermite Grenade -- just melt it down -- that's the only guarantee that no one else can do anything with it.

Angelo
"Retired Special Forces"
www.CombatingIDTheft.biz
From ADAIL at sunocoinc.com Wed Aug 16 10:58:15 2006
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Wed, 16 Aug 2006 10:58:15 -0400
Subject: [Dataloss] hard drive destruction
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC706DD@mds3aex0e.USISUNOCOINC.com>

If you plan to dispose of the drive, a 10 lb sledge hammer works just fine, and is much less of a hazard than having employees play with power tools.

If you want to recycle the drive, the DoD Standards (below) of a 3-time over-write will usually suffice.

National Industrial Security Program Operating Manual
Description: Section 5. Software and Data Files, 8-5-1
Subsection 8-5-3:

1. Overwriting Media. Overwriting is a software procedure that replaces the data previously stored on magnetic storage media with a predefined set of meaningless data. Overwriting is an acceptable method for clearing. Only approved overwriting software that is compatible with the specific hardware intended for overwriting will be used. Use of such software will be coordinated in advance with the Customer. The success of the overwrite procedure will be verified through random sampling of the overwritten media. The effectiveness of the overwrite procedure may be reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps. To clear magnetic disks, overwrite all locations three (3) times (first time with a character, second time with its complement, and the third time with a random character). Items which have been cleared must remain at the previous level of classification and remain in a secure, controlled environment.

3. Sanitizing Media. Sanitization removes information from media such that data recovery using any known technique or analysis is prevented. Sanitizing is a two-step process that includes removing data from the media in accordance with Table 3 and removing all classified labels, markings, and activity logs.

National Institute of Standards and Technology
Description: CSL BULLETIN
Advising users on computer systems technology

DISPOSITION OF SENSITIVE AUTOMATED INFORMATION

Sanitization means the removal of data from storage media so that, for all practical purposes, the data cannot be retrieved. Some instances in which sanitization must be considered include whenever media is transferred from one organization to another, when equipment is declared surplus, and when organizations dispose of media.

Sanitization: Why Be Concerned?

In the past, reports have surfaced that federal agencies have disposed of surplus information technology (IT) equipment without taking appropriate measures to erase the information stored on the system's media. This can lead to the disclosure of sensitive information, embarrassment to the agency, costly investigations, and other consequences which could have been avoided.

Employees throw away old diskettes believing that "erasing" the files on the diskette has made the data unretrievable. In reality, however, "erasing" a file simply removes the "pointer" to that file. The pointer tells the computer where the file is physically stored on the disk. Without this pointer, the files will not appear on a directory listing of the diskette's files. This does not mean that the file was removed from the diskette. (Commonly available utility programs can often retrieve information that is presumed "deleted.") Fortunately, with foresight and appropriate planning, these situations can be avoided.

Techniques for Media Sanitization

Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information. (Users of classified systems may also have to be concerned with data remanence. This refers to the residual information left behind once media has been in some way erased.) Security officers should be consulted for appropriate guidance.

Overwriting

Overwriting is an effective method of clearing data from magnetic media. As the name implies, overwriting utilizes a program to write (1s, 0s, or a combination of both) onto the location of the media where the file to be sanitized is located. The number of times that media is overwritten depends on the level of sensitivity of the information. Overwriting should not be confused with merely deleting the pointer to a file, as discussed above.

Degaussing

Degaussing is a method to magnetically erase data from magnetic media. Two types of degaussers exist: strong magnets and electric degaussers. Degaussers are tested by the Department of Defense; those which meet their requirements are placed on the Degausser Products List (DPL) of the National Security Agency's (NSA) Information Systems Security Products and Services Catalogue.

Destruction

The final method of sanitization is destruction of the media. NCSC-TG-025 provides specifics on this method and its applicability. Shredding diskettes, after removing the outer protective casing, is also an option for unclassified media.

Employee Training and Awareness

Most employees who utilize IT systems also use, and in fact are often the custodians of, magnetic media. It is therefore important for agencies to give the issue of media sanitization appropriate attention in the agency computer security training and awareness program. Employees should understand the following essential elements:

1. Media containing sensitive information should not be released without appropriate sanitization.

2. File deletion functions (e.g., the DEL command on MS-DOS) usually can be expected to remove only the pointer to a file (i.e., the file is often still recoverable).

3. When data is removed from storage media, every precaution should be taken to remove duplicate versions that may exist on the same or other storage media, back-up files, temporary files, hidden files, or extended memory.

4. Media in surplus equipment should be sanitized.

Andy Dail
Sunoco PCI Project Manager

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.
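The three-pass overwrite and the "random sampling" verification that the NISPOM excerpt above describes, as an added example that is not part of the thread and is not any standard's approved tool: a POSIX shell routine that clears a target with a byte, its complement and then random data, reading back random offsets after each fixed pass. A regular file stands in for a block device so it can be tried safely; the pattern bytes 0x55/0xAA, the sample count and all function names are choices made here, and the only tools assumed are dd, head, tr, od, wc and mktemp from coreutils.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): clear a file or block device
# with the NISPOM 8-5-3 sequence (character, complement, random) and verify the
# two fixed-pattern passes by sampling random offsets. Helper names are ours.

# Size in bytes of a regular file or a block device.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1"
    fi
}

# Fill $1 (size $2 bytes) with one repeated byte value, given in decimal as $3.
fill_with_byte() {
    head -c "$2" /dev/zero \
        | tr '\000' "\\$(printf '%03o' "$3")" \
        | dd of="$1" bs=4096 conv=notrunc 2>/dev/null
}

# Fill $1 (size $2 bytes) with random data for the third pass.
fill_with_random() {
    head -c "$2" /dev/urandom | dd of="$1" bs=4096 conv=notrunc 2>/dev/null
}

# Print the byte at offset $2 of $1 as a decimal number.
byte_at() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tu1 | tr -d ' '
}

# A random offset in [0, $1), drawn from /dev/urandom.
random_offset() {
    r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( r % $1 ))
}

# The "verified through random sampling" step: $3 random offsets of $1
# (size $2) must all hold byte value $4. Returns 1 on the first mismatch,
# which is what a misaligned head or an unwritten sector would look like.
verify_sample() {
    i=0
    while [ "$i" -lt "$3" ]; do
        off=$(random_offset "$2")
        if [ "$(byte_at "$1" "$off")" != "$4" ]; then
            echo "verification failed at offset $off" >&2
            return 1
        fi
        i=$((i + 1))
    done
}

# Clear $1 in three passes, sampling $2 offsets (default 64) after each of the
# fixed passes. Pass 1 writes 0x55 (85), pass 2 its complement 0xAA (170),
# pass 3 random data. Returns 0 only if both sampled verifications passed.
three_pass_clear() {
    path="$1"; samples="${2:-64}"
    size=$(target_size "$path")
    [ "$size" -gt 0 ] || { echo "empty target: $path" >&2; return 1; }
    fill_with_byte "$path" "$size" 85  && verify_sample "$path" "$size" "$samples" 85  || return 1
    fill_with_byte "$path" "$size" 170 && verify_sample "$path" "$size" "$samples" 170 || return 1
    fill_with_random "$path" "$size" || return 1
    sync
}

# Demonstration on a constructed file: one fake record followed by 64 KiB of
# padding. Succeeds only if the clear verified and the record is no longer found.
demo_clear() {
    tmp=$(mktemp)
    printf 'CONSTRUCTED RECORD: name=Jane Doe ssn=000-00-0000\n' > "$tmp"
    head -c 65536 /dev/zero >> "$tmp"
    three_pass_clear "$tmp" 32 && ! grep -q 'Jane Doe' "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Pointing `three_pass_clear` at a real device path (for example the `/dev/hda` from the thread) runs the same passes against the whole disk; the NISPOM caveat about bad sectors and inter-record gaps still applies, since this only samples what the drive is willing to read back.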
From blitz at strikenet.kicks-ass.net Wed Aug 16 11:57:51 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Wed, 16 Aug 2006 11:57:51 -0400
Subject: [Dataloss] hard drive destruction
In-Reply-To: <44E31E5D.5050704@myitaz.com>
References: <44E31E5D.5050704@myitaz.com>
Message-ID: <7.0.1.0.2.20060816115317.03b95ec0@strikenet.kicks-ass.net>

Generally, I'm for recycling drives as much as possible, for not too many have the resources to access an electron microscope needed to see anything left over after a DOD approved wipe and rewrite scheme. If it were National security, incineration is the only way, as you'd be dealing with entities with the time and money.

PII theft is usually a crime of opportunity. A DOD 5200.28 wipe should suffice.

At 09:32 8/16/2006, you wrote:
>Just wondering what the group feels is an adequate level of destruction
>for a hard drive that contains personal financial information . . .

From cwalsh at cwalsh.org Wed Aug 16 12:05:31 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 16 Aug 2006 11:05:31 -0500
Subject: [Dataloss] hard drive destruction
In-Reply-To: <7.0.1.0.2.20060816115317.03b95ec0@strikenet.kicks-ass.net>
References: <44E31E5D.5050704@myitaz.com> <7.0.1.0.2.20060816115317.03b95ec0@strikenet.kicks-ass.net>
Message-ID: <20060816160529.GB29089@cwalsh.org>

Agreed on the sufficiency of wiping.

For disks that are dead, or that are obsolete, I used to use a combination of the drill and hammer methods.

Where some sort of paper trail is warranted, I would probably go with a service, even though I suspect they are pricey.

cw

From ADAIL at sunocoinc.com Wed Aug 16 12:09:10 2006
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Wed, 16 Aug 2006 12:09:10 -0400
Subject: [Dataloss] hard drive destruction
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC706DE@mds3aex0e.USISUNOCOINC.com>

Don't forget contractual and cost considerations either. For instance, we have computers in over 5,000 gas stations. When a hard drive goes out in one of those PC's, our contract with Dell requires us to send in the old drive in order to receive a new one under warranty. We could pay extra and just get a new drive and destroy the old one, but why make it more expensive? We ensure the drive is clean, then we ship it to Austin. It adds a step, but it is still cheaper than buying new drives all the time (funny how those $100, 500 GB drives at CompUSA never seem to make it onto my commercial account ordering lists).

Too many decision makers are led down the most expensive solution to a problem for the sake of ease, because of paranoia or inexperienced staff. The more simple and inexpensive the solution (assuming it is effective, or adequate compensating controls can be deployed), the more likely it is to be followed by staff, and the more likely I am to still be managing the effort next year. :)

Andy Dail
Sunoco PCI Project Manager

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of blitz
Sent: Wednesday, August 16, 2006 10:58 AM
To: George Toft
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] hard drive destruction

Generally, I'm for recycling drives as much as possible, for not too many have the resources to access an electron microscope needed to see anything left over after a DOD approved wipe and rewrite scheme.
From macwheel99 at sigecom.net Wed Aug 16 13:52:32 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Wed, 16 Aug 2006 12:52:32 -0500
Subject: [Dataloss] hard drive destruction
In-Reply-To: <44E31E5D.5050704@myitaz.com>
References: <44E31E5D.5050704@myitaz.com>
Message-ID: <6.2.1.2.0.20060816124700.029d8520@mail.sigecom.net>

I agree that it is best to have professionals do the obliteration, because most businesses do not have personnel with relevant skills and check lists to take care of all computers they're done with. However, there needs to be certification that the professionals actually do what they contracted to do. There have been breaches where some computer trade-in place was supposed to wipe the disk on the old system, then the used market gets the confidential data not erased. The computer trade-in place had dropped the ball.

This also applies to passing old company computers to employees, or sales direct to other companies who accept hand-me-down equipment. There have been breaches in that area also.

Al Mac

From ADAIL at sunocoinc.com Wed Aug 16 14:45:40 2006
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Wed, 16 Aug 2006 14:45:40 -0400
Subject: [Dataloss] hard drive destruction
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC706E0@mds3aex0e.USISUNOCOINC.com>

Very excellent points. This whole security and accountability issue adds a new level of complexity to outsourcing and offshoring IT capabilities. Data breaches aside, when SoX moves from 404 to 409, I cannot help but wonder how some business entities will demonstrate compliance, when all of their physical data handling occurs outside of their physical control. It is deceptively easy to comply with security requirements on paper.

Of course The Information Security ISO 17799 and ISO 27001 will add additional levels of complexity. The combination of executive accountability (in terms of actually going to jail) for financial data, and the vulnerability of personal data (often stored on the same systems) will make the next 5 years.... Interesting.

Andy Dail
Sunoco PCI Project Manager

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Al Mac
Sent: Wednesday, August 16, 2006 12:53 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] hard drive destruction

I agree that it is best to have professionals do the obliteration, because most businesses do not have personnel with relevant skills and check lists to take care of all computers they're done with. However, there needs to be certification that the professionals actually do what they contracted to do.

From hbrown at knology.net Wed Aug 16 20:27:07 2006
From: hbrown at knology.net (Henry Brown)
Date: Wed, 16 Aug 2006 19:27:07 -0500
Subject: [Dataloss] Chevron Laptop gone missing
Message-ID: <44E3B7DB.2080607@knology.net>

http://tinyurl.com/r3rtd

Chevron may have pocketed record profits of $4.35 billion in the most recent quarter, but that wasn't enough to protect the names and Social Security numbers of potentially tens of thousands of employees.

The San Ramon oil giant sent an e-mail to U.S. workers Monday warning that a laptop computer "was stolen from an employee of an independent public accounting firm who was auditing our employee savings, health and disability plans."

...

From jericho at attrition.org Thu Aug 17 09:23:27 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 17 Aug 2006 09:23:27 -0400 (EDT)
Subject: [Dataloss] Survey: 81% of U.S. firms lost laptops with sensitive data in the past year
Message-ID:

Courtesy of WK / ISN:

---------- Forwarded message ----------

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9002493

By Linda Rosencrance
August 16, 2006
Computerworld

Loss of confidential data -- including intellectual property, business documents, customer data and employee records -- is a pervasive problem among U.S. companies, according to a survey released yesterday by Ponemon Institute LLC and Vontu Inc., a San Francisco-based provider of data loss prevention products.

Eighty-one percent of companies surveyed reported the loss of one or more laptops containing sensitive information during the past 12 months, according to the survey, which queried nearly 500 information security professionals.
One of the main reasons corporate data security breaches occur is because companies don't know where their sensitive or confidential business information resides within the network or enterprise systems, Larry Ponemon, chairman of the Ponemon Institute, said in a statement.

"This lack of knowledge, coupled with insufficient controls over data stores, can pose a serious threat for both business and governmental organizations," Ponemon said. "Moreover, the danger doesn't stop at the network, but includes employees' and contractors' laptop computers and other portable storage devices."

Ponemon, whose research firm is based in Elk Rapids, Mich., is also a columnist for Computerworld.

Other findings of the study include the following:

* Handheld devices and laptops ranked highest among storage devices that posed the greatest risk for sensitive corporate data, followed by Universal Serial Bus memory sticks, desktop systems and shared file servers.

* Sixty-four percent of companies surveyed reported that they have never conducted an inventory of sensitive consumer information.

* Sixty-four percent also reported never having taken an inventory of employee data.

* Eighty-one percent of respondents reported that protecting sensitive "data at rest" is a priority this year, and 89% predicted that it will be a priority next year. The survey defines data at rest as all electronic information found on storage devices within an organization's IT infrastructure.

Asked "How long would it take to determine what actual sensitive data was on a lost or stolen laptop, desktop, file server or mobile device?" the most frequent answer was "never," according to the survey.

More than 53% of respondents believed that their companies would be unable to determine what sensitive or confidential information resided on a USB memory stick if it was lost or stolen. And approximately 49% of respondents said that their companies would be unable to determine what lost data resided on a handheld or comparable mobile device, according to the survey.

"Corporations are clearly struggling with the challenges of identifying and protecting sensitive data, as well as developing successful strategies for securing confidential information stored among the myriad devices that make up today's data networks," said Ponemon. "Our findings point to the shockingly high risk to both business and consumers of undiscovered confidential data, but we believe that the data also serve as a compass to help point organizations toward effective solutions to this vexing problem."

According to Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa., organizations can take the following steps to protect sensitive data.

1. Identify your most significant data elements. That's often personal information, but it could also be intellectual property, financial data or something else.

2. Determine where this data exists on your network, and where it is most likely to leak. Laptops are the typical answer here, but e-mail is another possibility. And some people are concerned about backup tapes or laptop outputs such as USB drives and CDs.

3. Monitor the network and possibly the endpoint for this information, and take appropriate action. In the beginning, this is simply logging. You could also prevent/block it, or even better encrypt it.

4. Encrypt data in the places where it is most likely to rest.

5. Plan your rights management strategy now. Data is ubiquitous.

In the future, organizations will have another option for data encryption, said Stephen Northcutt, president of the SANS Institute, a Bethesda, Md.-based cybersecurity training and certification company.

"The newest laptops and desktops are shipping with something called the Trusted Platform Module, and it's a chip that's designed for secure storage so it was built to play very nicely with [public-key infrastructure]," Northcutt said. "It's really a thing of the future. The laptops are shipping now, the software is available now, but the implementations don't exist right this second.

"We think this will really be the final answer," he said. "In the meantime, [organizations] are going to have to go with a third-party solution to [encrypt their data]."

From lyger at attrition.org Thu Aug 17 09:26:06 2006
From: lyger at attrition.org (lyger)
Date: Thu, 17 Aug 2006 09:26:06 -0400 (EDT)
Subject: [Dataloss] Chain reports stolen laptop to employees
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/08/17/BUG11KJOOV1.DTL

About 1,200 employees at Williams-Sonoma may be at risk of identity theft after a laptop computer containing personal information was stolen from an auditor.

The San Francisco home-furnishing chain sent an e-mail to current and former employees earlier this month alerting them to the theft.

"Although the information contained on the computer was not encrypted, it was password protected," the letter stated. "Despite this level of protection, the potential does exist that your personal information may be accessed and/or disclosed by unauthorized individuals."

Williams-Sonoma said it has arranged free credit monitoring for its employees.

[...]

From macwheel99 at sigecom.net Thu Aug 17 02:41:58 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Thu, 17 Aug 2006 01:41:58 -0500
Subject: [Dataloss] hard drive destruction
In-Reply-To: <8CA58E707BB1C44385FA71D02B7A1C8EC706E0@mds3aex0e.USISUNOCOINC.com>
References: <8CA58E707BB1C44385FA71D02B7A1C8EC706E0@mds3aex0e.USISUNOCOINC.com>
Message-ID: <6.2.1.2.0.20060817003234.04517570@mail.sigecom.net>

Remember that SOX only applies to companies doing business in USA that are traded on the stock market.
Many large companies are privately held. Looking at recent large breaches Ernst & Young ... multiple breaches with records on different companies * BP employees * Cisco employees * Hotels.com * IBM employees * Nokia employees * Sun Microsystems employees I think they are based in Britain, so different laws may be applicable than those in USA Hummingbird in Canada breached 1,300,000 US students these are public companies in USA American Insurance Group ... 930,000 Automated Data Processing .. hundreds of thousands IBM ... 17,781,462 Marsh Insurance ... 540,000 . I do not believe the American Red Cross is several incidents, big one = 1 million people or American Institute of Certified Public Accountants (330,000) or Vassar Brothers Medical Center (257,800) It might be of interest to know what proportion of breaches occurred at institutions not covered by SOX CFR GLBA HIPPA etc. In other words the only rules that applied to them were the breach disclosure laws, and good governance without any mandate for it.. Alphabet soup of some data security standards http://www.unbeatenpathintl.com/ITstandards/source/1.html I think a large proportion of breaches overall have been at Colleges and Universities. I don't think any of them are covered by SOX. However, the number of victims per academia incident generally smaller compared to incidents by Government and Financial Institutions ... I think the banks are heavily regulated, such as by GLBA, bank regulators, and the credit card standards, and most of them public companies. There's also the question of what industries appear to have avoided having any significant breaches, and the numbers of non-victims (because no breaches) involved there. >This whole security and accountability issue adds a new level of >complexity to outsourcing and offshoring IT capabilities. 
>Data breaches aside, when SoX moves from 404 to 409, I cannot help but wonder how some
>business entities will demonstrate compliance, when all of their
>physical data handling occurs outside of their physical control. It is
>deceptively easy to comply with security requirements on paper.
>
>Of course The Information Security ISO 17799 and ISO 27001 will add
>additional levels of complexity. The combination of executive
>accountability (in terms of actually going to jail) for financial data,
>and the vulnerability of personal data (often stored on the same
>systems) will make the next 5 years.... Interesting.
>
>Andy Dail
>Sunoco PCI Project Manager

From george at myitaz.com Thu Aug 17 12:17:15 2006
From: george at myitaz.com (George Toft)
Date: Thu, 17 Aug 2006 09:17:15 -0700
Subject: [Dataloss] hard drive destruction
In-Reply-To: 
References: <20060816134619.89090C32A@relayer.avian.org>
Message-ID: <44E4968B.4050607@myitaz.com>

speaking of grinders . . .

http://www.semshred.com/content535.html

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067
Confidential data protection experts for the financial industry.

Joe Francis wrote:
> I agree. To worry about microscopy on the drive, it means that the
> FBI/CIA/NSA or another TLA is after you ... in which case they'll probably
> just kick in your door if they know where you live (which they must if
> they are stealing your trash).
>
> I personally "dd if=/dev/zero of=/dev/hda && dd if=/dev/urandom
> of=/dev/hda" and then run a drill bit through the drive (not right down
> the middle of the spindle, but somewhere to the side but still hit the
> platters). I think I drill moreso because it's fun than any other reason,
> though :)
>
> Really paranoid places have grinders that can reduce any media (drives,
> removable devices, CDs, etc) to a powder.
>
> On Wed, 16 Aug 2006, *Hobbit* wrote:
>
>>For the 99% case, "dd if=/dev/zero of=/dev/hda" from a linux distrib
>>booted to a shell will probably suffice. Or maybe from /dev/random,
>>which would take much longer. I wouldn't think scammers in Nigeria
>>or wherever are the ones going after old drives with magnetic-force
>>microscopy or in-depth head-signal analysis...
>>
>>Clearly, the answer is to fill the drive up with pr0n and then
>>send it off!
>>
>>_H*
>>_______________________________________________
>>Dataloss Mailing List (dataloss at attrition.org)
>>http://attrition.org/dataloss
>>Tracking more than 142 million compromised records in 303 incidents over 6 years.

From lyger at attrition.org Thu Aug 17 21:30:20 2006
From: lyger at attrition.org (lyger)
Date: Thu, 17 Aug 2006 21:30:20 -0400 (EDT)
Subject: [Dataloss] Tennessee: 10 stolen HCA computers contained people's records
Message-ID: 

Courtesy pogowasright.org

http://www.kansas.com/mld/kansas/news/state/15297743.htm

Posted on Thu, Aug. 17, 2006
Rose French, Associated Press

NASHVILLE, Tenn. - HCA Inc. said 10 computers containing Medicare and Medicaid billing information and records of employees and physicians were stolen from one of the company's regional offices. HCA officials won't say where or when the theft occurred because they believe that might help the thieves, who authorities believe were after computer hardware, not personal identity information.

"We don't want to tip them off they may have information that they might use to perpetuate identity theft," said HCA spokesman Jeff Prescott.

The Nashville-based for-profit hospital operator reports on its Web site that the FBI is investigating the incident.
The computers held thousands of files on Medicare and Medicaid patients treated at HCA hospitals in Colorado, Kansas, Louisiana, Mississippi, Oklahoma, Oregon, Texas or Washington state between 1996 and 2006. The machines contained some patient names and Social Security numbers but no addresses or dates of birth. [...] From dano at well.com Fri Aug 18 09:24:13 2006 From: dano at well.com (dano) Date: Fri, 18 Aug 2006 06:24:13 -0700 Subject: [Dataloss] Florida Dept of Transportation loses laptop, 40K pilots' data Message-ID: From the online publication of Aircraft Owners and Pilots Association (US), ePilot: AOPA ePilot Volume 8, Issue 33 August 18, 2006 AOPA MEMBERS OUTRAGED OVER LOSS OF PERSONAL INFO AOPA President Phil Boyer fired off a blistering letter to the Department of Transportation's inspector general after the loss of a government laptop computer exposed tens of thousands of Florida pilots to the risk of identity theft. The letter was a follow-up to Boyer's phone conversation with the inspector general last week right after AOPA learned about the incident. The laptop, stolen from a government agent's car, included the names, addresses, and Social Security numbers of some 40,000 pilots, all the information a thief needs to obtain fraudulent credit cards or loans. Boyer told Acting DOT Inspector General Todd Zinser that AOPA members were "outraged that such sensitive personal information would be left unsecured." Ironically, the FAA has stopped using Social Security numbers for new pilot certificate numbers, is allowing pilots to change their old certificate numbers, and has removed certificate numbers from its Web site. 
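The dd one-liners in the hard drive destruction thread above (Hobbit's single zero pass, Joe Francis's zero pass followed by a /dev/urandom pass) never check that the overwrite actually reached the end of the drive. What follows is an added example, not code from the list or from any of its posters, that does the same overwrite in Python and then reads the device back to prove it: a random pass first, a zero pass last, then a verification pass that returns the offset of the first byte that is not zero. The device here is a constructed temporary file full of 0xAB bytes whose size is deliberately not a multiple of the block size; on a real drive the path would be the raw block device (for example /dev/sdb), which is why the size is taken with lseek() rather than stat(). BLOCK_SIZE and the demo sizes are assumptions.

```python
"""Overwrite-and-verify wipe of a raw device (added example, not from the thread).

The random pass runs first and the zero pass last so that the final
check is a simple "every byte reads back as zero". Sizes are taken with
lseek() rather than stat() because stat() reports 0 bytes for a block
device on Linux.
"""
import os
import tempfile

BLOCK_SIZE = 4096  # assumption: page-sized write buffer; real wipes use larger ones


def device_size(dev) -> int:
    """Size in bytes of a regular file or a block device opened as dev."""
    fd = dev.fileno()
    end = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return end


def overwrite(path: str, fill, block_size: int = BLOCK_SIZE) -> int:
    """One full pass over the device; fill(n) supplies the n bytes to write.

    Returns the number of bytes written. A caller that gets back less
    than the device size knows the pass did not complete.
    """
    written = 0
    with open(path, "r+b", buffering=0) as dev:  # unbuffered: no hidden caching
        size = device_size(dev)
        while written < size:
            view = memoryview(fill(min(block_size, size - written)))
            while view:  # raw writes may be short; push the whole block through
                n = dev.write(view)
                written += n
                view = view[n:]
        os.fsync(dev.fileno())  # make sure the last blocks left the page cache
    return written


def verify_zeroed(path: str, block_size: int = BLOCK_SIZE) -> int:
    """Read the whole device back.

    Returns -1 if every byte is zero, otherwise the offset of the first
    byte that is not, which is what belongs in the wipe log.
    """
    with open(path, "rb", buffering=0) as dev:
        size = device_size(dev)
        offset = 0
        while offset < size:
            chunk = dev.read(min(block_size, size - offset))
            if not chunk:
                raise OSError(f"device ended early at offset {offset}")
            if chunk.count(0) != len(chunk):
                return offset + next(i for i, b in enumerate(chunk) if b)
            offset += len(chunk)
    return -1


def wipe(path: str):
    """Random pass, zero pass, read-back verification.

    Returns (bytes written by the random pass, bytes written by the zero
    pass, first non-zero offset after the wipe or -1).
    """
    random_written = overwrite(path, os.urandom)
    zero_written = overwrite(path, bytes)  # bytes(n) is n zero bytes
    return random_written, zero_written, verify_zeroed(path)


def make_demo_device(size: int = 3 * BLOCK_SIZE + 100) -> str:
    """Constructed stand-in for a drive: a temp file of 0xAB bytes whose
    size is deliberately not a multiple of the block size."""
    fd, path = tempfile.mkstemp(prefix="demo-drive-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\xab" * size)
    return path


def remove_demo_device(path: str) -> None:
    os.remove(path)


if __name__ == "__main__":
    dev = make_demo_device()
    print("before wipe, first non-zero byte at offset", verify_zeroed(dev))
    print("random bytes, zero bytes, first non-zero after wipe:", wipe(dev))
    remove_demo_device(dev)
```

Against a real drive this runs as root with the block device path in place of the temp file; the two byte counts returned by wipe() should equal the device size, and verify_zeroed() should return -1, and both belong in the disposal record alongside the drive serial number.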
From lyger at attrition.org Fri Aug 18 18:10:02 2006 From: lyger at attrition.org (lyger) Date: Fri, 18 Aug 2006 18:10:02 -0400 (EDT) Subject: [Dataloss] California: State workers warned about missing personal data Message-ID: Courtesy pogowasright.org http://sacramento.bizjournals.com/sacramento/stories/2006/08/14/daily44.html Sacramento Business Journal - 10:18 AM PDT Friday A computer tape containing the names, mailing addresses and Social Security numbers of 9,468 employees at the California Department of Mental Health cannot be located, director Stephen Mayberg said late Thursday. Department officials do not believe employees' personal information has been accessed because specific equipment is needed to read the computer tape, Mayberg said. However, as soon as the department learned that the tape could not be located, officials decided to notify employees and offer ways for them to protect their personal information. An e-mail sent out Thursday night suggests that workers protect themselves from the possibility of identity theft by placing a fraud alert on their credit files with the major credit reporting services, Experian, Equifax, Trans Union. A similar letter will also be mailed to all department employees. [...] 
From macwheel99 at sigecom.net Sun Aug 20 12:57:33 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sun, 20 Aug 2006 11:57:33 -0500
Subject: [Dataloss] Youngstown Ohio Jury Info Breach
Message-ID: <6.2.1.2.0.20060820114412.04279040@mail.sigecom.net>

Prospective jury members fill out questionnaires which include names, addresses and occupations of potential jurors and their families.

Because of a local defense lawyer's release of personal information about jurors, which resulted in postponement of a trial, Mahoning County's five general division common pleas judges will soon be discussing reforms.

Judge Evans decided to postpone a felony assault case, and do the trial with a different jury, after the lawyer for the defendant shared jury questionnaires with the accused's stepfather and minister.

The judges are now discussing a proposed new rule to prohibit release of information from the questionnaires to anyone but court personnel with a need to know, without a judge's permission.

The lawyer acknowledged giving the jury questionnaires to the accused's stepfather and minister, but said there was no rule preventing him from doing so. A deputy sheriff then reported seeing one of the people to whom a juror questionnaire had been given hand the questionnaire to another person in the courtroom.

http://www.vindy.com/content/local_regional/320036781852634.php

From lyger at attrition.org Mon Aug 21 09:15:52 2006
From: lyger at attrition.org (lyger)
Date: Mon, 21 Aug 2006 09:15:52 -0400 (EDT)
Subject: [Dataloss] Wired News: Privacy Debacle Hall of Fame
Message-ID: 

(some pretty interesting choices here, especially number one... - lyger)

http://www.wired.com/news/politics/privacy/0,71622-0.html?tw=rss.index

Earlier this month AOL publicly released a data trove: 500,000 search queries culled from three months of user traffic on its search engine.
The company claimed it was trying to help researchers by providing "anonymized" search information, but experts and the public were shocked at how easy it was to figure out who had been searching on what. Apparently, AOL's anonymizing process didn't include removing names, addresses and Social Security numbers. Although the company has since apologized and taken the data down, there are at least half-a-dozen mirrors still out there for all to browse. This may have been one of the dumbest privacy debacles of all time, but it certainly wasn't the first. Here are ten other privacy snafus that made the world an unsafer place. Despite the obvious flaws of rankings, we have attempted one as follows, in descending order: 10. ChoicePoint data spill: ChoicePoint, one of the largest data brokers in the world, in early 2005 admitted that it had released sensitive data on roughly 163,000 people to fraudsters who signed up as ChoicePoint customers starting in 2001. At least 800 cases of identity theft resulted. Sued by the FTC, the company paid $15 million in a settlement earlier this year -- at least $5 million of which goes to the consumers whose lives they ruined. 9. VA laptop theft: In May, two teenagers stole a laptop from the Veterans Association that contained financial information on more than 25 million veterans, as well as people on active duty. Electronic Frontier Foundation staff attorney Kurt Opsahl said this is one of the worst data breaches in recent memory because of its sheer scale: "The database contained the names, Social Security numbers and dates of birth of as many as 26.5 million veterans and their families, though allegedly recovered without evidence of the thieves obtaining access." The case also raised awareness about how many unprotected, private databases are floating around on easily-stolen, mobile devices. When the laptop was recovered, it appeared that none of the data had been disturbed -- but only time will tell. [...] 
From lyger at attrition.org Tue Aug 22 13:25:58 2006 From: lyger at attrition.org (lyger) Date: Tue, 22 Aug 2006 13:25:58 -0400 (EDT) Subject: [Dataloss] Aflac clients' data stolen Message-ID: Courtesy PogoWasRight.org http://www.charleston.net/assets/webPages/departmental/news/Stories.aspx?section=business&tableId=103737&pubDate=8/22/2006 Insurance giant Aflac said Monday that a laptop computer containing personal information on hundreds of customers was stolen from an agent's car in the Greenville area. The computer contained names, addresses, Social Security numbers and birth dates of 612 policy holders, said spokeswoman Laura Kane. After the theft was reported, the Columbus, Ga.-based company notified all affected customers in a letter dated Aug. 11. Kane said the insurer, also known as American Family Life Assurance Co., believes the computer was taken by an opportunistic thief, not someone who was after the data on it. The information is protected by a password, she said. Also, the computer is equipped with tracking software that will alert officials when the computer is connected to the Internet. [...] From lyger at attrition.org Tue Aug 22 14:12:34 2006 From: lyger at attrition.org (lyger) Date: Tue, 22 Aug 2006 14:12:34 -0400 (EDT) Subject: [Dataloss] Hospital Laptop Computer Containing Patient Information Stolen Message-ID: Courtesy Audit (attrition.org) http://www.clickondetroit.com/news/9716061/detail.html 28,400 Home Care Patients Affected POSTED: 10:32 am EDT August 22, 2006 UPDATED: 1:49 pm EDT August 22, 2006 TROY, Mich. -- Troy Beaumont Hospital officials are asking for your help Tuesday in recovering a stolen laptop computer containing patient information. The laptop computer was stolen on Aug. 5, according to hospital officials. The computer was in the rear of the vehicle of a Beaumont Home Care nurse, which was stolen from outside a senior center on Agnes Street on Detroit, said Chris Hengstebeck, director of security at Troy Beaumont Hospital. 
The vehicle was recovered about a mile from the location, but the laptop remained missing, according to Hengstebeck. The Dell D-400 computer (serial No. 5MZ1F61) was turned off at the time and in a nylon case, Hengstebeck said. He said the computer is used to document patient care and includes personal information such as names, addresses, Social Security numbers and insurance information on 28,400 Home Care patients served over the last three years. [...] From cwalsh at cwalsh.org Tue Aug 22 23:09:32 2006 From: cwalsh at cwalsh.org (Chris Walsh) Date: Tue, 22 Aug 2006 22:09:32 -0500 Subject: [Dataloss] Aflac clients' data stolen In-Reply-To: References: Message-ID: <26575568-3F7F-4DD2-9B4C-61C3158A1679@cwalsh.org> This reads just like the laptop theft from Aflac that occurred on December 12, 2005, exposing the PII of 257 people, except the earlier theft was from a car parked in Hoboken, NJ. On Aug 22, 2006, at 12:25 PM, lyger wrote: > > Courtesy PogoWasRight.org > > http://www.charleston.net/assets/webPages/departmental/news/ > Stories.aspx?section=business&tableId=103737&pubDate=8/22/2006 > > Insurance giant Aflac said Monday that a laptop computer containing > personal information on hundreds of customers was stolen from an > agent's > car in the Greenville area. From rforno at infowarrior.org Tue Aug 22 23:24:35 2006 From: rforno at infowarrior.org (Richard Forno) Date: Tue, 22 Aug 2006 23:24:35 -0400 Subject: [Dataloss] Privacy Working Group RFP Message-ID: Lauren is one of those folks who is a thought leader in the realm of IT, security, policy, and related matters. Dare I say someone I respect and look up to myself. -rf < - > The observant reader will note that despite the rising tide of concerns regarding search query privacy, the industry as a whole is still pretty much in a state of denial, made all the more confusing by various signals from the U.S. Department of Justice. 
This is turning into such a mess that it's becoming difficult to even keep the various participants and their positions completely clear. There is every reason to believe that without heroic action by the players involved, we may be heading toward a privacy, legislative, and judicial nightmare. But maybe there's a way out. < - > Therefore, I propose the formation of a high-level Internet working group/consortium dedicated specifically to the cooperative discussion of these issues and the formulation of possible policy and technology constructs that can be applied toward their amelioration. Such a working group would be as open as possible, though proprietary concerns would likely necessitate some closed aspects if progress is to be accelerated as much as possible. < - > http://lauren.vortex.com/archive/000188.html From lyger at attrition.org Wed Aug 23 13:21:57 2006 From: lyger at attrition.org (lyger) Date: Wed, 23 Aug 2006 13:21:57 -0400 (EDT) Subject: [Dataloss] Education Department working to fix software after student loan data breach Message-ID: http://www.startribune.com/484/story/631186.html Associated Press Last update: August 23, 2006 . 11:54 AM WASHINGTON. The Education Department was working to fix a software glitch in its student loan Web site after users complained that they could see other people's personal data. The department said Wednesday that only a "limited number'' of the program's 6.4 million borrowers were believed to be affected after the problem began Sunday, since not all use the online system. It did not specify how many. The program involves holders of federal direct student loans, not those who have loans managed through private companies. The department blamed the data breach on a routine software upgrade, conducted by Dallas-based contractor Affiliated Computers Services Inc., that appeared to mix up data for different borrowers when they accessed the Web site. Since Sunday, four borrowers have complained, a spokeswoman said. [...] 
From lyger at attrition.org Wed Aug 23 21:05:46 2006
From: lyger at attrition.org (lyger)
Date: Wed, 23 Aug 2006 21:05:46 -0400 (EDT)
Subject: [Dataloss] Stolen laptop returned to Beaumont Hospital
Message-ID: 

(follow-up to previous post)

Courtesy Audit (attrition.org)

http://freep.com/apps/pbcs.dll/article?AID=/20060823/NEWS99/60823026

August 23, 2006
By Kim Norris

A stolen laptop filled with medical and personal information of more than 28,000 patients of Beaumont Hospital Home Care was returned Wednesday, without any of the patients' information accessed, Beaumont Hospital officials said.

Several unnamed employees have since been disciplined, officials said.

The laptop computer was inside a car belonging to a home care nurse when the car was stolen Aug. 5 on Agnes Street in Detroit. It was recovered Wednesday after hospital security officials received more about 50 tips from area residents responding to a hotline number disseminated by local media.

[...]

From info2006 at worldprivacyforum.org Thu Aug 24 15:22:39 2006
From: info2006 at worldprivacyforum.org (World Privacy Forum)
Date: Thu, 24 Aug 2006 12:22:39 -0700
Subject: [Dataloss] Stolen laptop returned to Beaumont Hospital
In-Reply-To: 
References: 
Message-ID: 

From the Detroit Free Press article:

"Hospital officials said an independent computer expert determined that the laptop's patient information was not accessed during the time it was missing. Yet, they added that the agency will continue to offer free credit monitoring to the 28,473 patients whose information was on the laptop."

I've seen several media reports saying similar things such as "the data wasn't accessed" after post-breach recovery of computers. What isn't being said, of course, is that the entire drive could have been copied without specific data being accessed. The "data wasn't accessed" statements need some substantial qualifiers, I think.
This is a real flaw in some of the reporting on this issue -- my hope is that even the most general reporting of this becomes more tuned into the copy issue. While not everyone will know how to copy a drive without leaving footprints, the professionals will.

Pam Dixon

On Aug 23, 2006, at 6:05 PM, lyger wrote:

>
> (follow-up to previous post)
>
> Courtesy Audit (attrition.org)
>
> http://freep.com/apps/pbcs.dll/article?AID=/20060823/NEWS99/60823026
>
> August 23, 2006
> By Kim Norris
>
> A stolen laptop filled with medical and personal information of more
> than
> 28,000 patients of Beaumont Hospital Home Care was returned Wednesday,
> without any of the patients' information accessed, Beaumont Hospital
> officials said.
>
> Several unnamed employees have since been disciplined, officials said.
>
> The laptop computer was inside a car belonging to a home care nurse
> when the car was stolen Aug. 5 on Agnes Street in Detroit. It was
> recovered Wednesday after hospital security officials received more
> about
> 50 tips from area residents responding to a hotline number
> disseminated by
> local media.
>
> [...]
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 142 million compromised records in 307 incidents
> over 6 years.

From george at myitaz.com Thu Aug 24 16:49:36 2006
From: george at myitaz.com (George Toft)
Date: Thu, 24 Aug 2006 13:49:36 -0700
Subject: [Dataloss] Stolen laptop returned to Beaumont Hospital
In-Reply-To: 
References: 
Message-ID: <44EE10E0.1000000@myitaz.com>

In the wake of similar statements in the VA laptop case, I talked to a computer forensics expert and he confirmed that as long as Windows was not used to access the drive, then the markers used to indicate file access will remain intact and indicate no access. It is not unreasonable to assume that a savvy ID thief would make a copy of the drive using Linux.
Now they have a copy of the drive, the original is "untouched" and the marketing spin machine touts "nobody accessed the data." It's all marketing spin to downplay the seriousness of their mistake because nobody likes to admit to their customers that they screwed up.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067
Confidential data protection experts for the financial industry.

World Privacy Forum wrote:
> From the Detroit Free Press article:
>
> "Hospital officials said an independent computer expert determined that
> the laptop's patient information was not accessed during the time it
> was missing. Yet, they added that the agency will continue to offer
> free credit monitoring to the 28,473 patients whose information was on
> the laptop."
>
> I've seen several media reports saying similar things such as "the data
> wasn't accessed" after post-breach recovery of computers. What isn't
> being said, of course, is that the entire drive could have been copied
> without specific data being accessed. The "data wasn't accessed"
> statements need some substantial qualifiers, I think. This is a real
> flaw in some of the reporting on this issue -- my hope is that even the
> most general reporting of this becomes more tuned into the copy issue.
> While not everyone will know how to copy a drive without leaving
> footprints, the professionals will.
>
> Pam Dixon
>
> On Aug 23, 2006, at 6:05 PM, lyger wrote:
>
>>(follow-up to previous post)
>>
>>Courtesy Audit (attrition.org)
>>
>>http://freep.com/apps/pbcs.dll/article?AID=/20060823/NEWS99/60823026
>>
>>August 23, 2006
>>By Kim Norris
>>
>>A stolen laptop filled with medical and personal information of more
>>than
>>28,000 patients of Beaumont Hospital Home Care was returned Wednesday,
>>without any of the patients' information accessed, Beaumont Hospital
>>officials said.
>>
>>Several unnamed employees have since been disciplined, officials said.
>>
>>The laptop computer was inside a car belonging to a home care nurse
>>when the car was stolen Aug. 5 on Agnes Street in Detroit. It was
>>recovered Wednesday after hospital security officials received more
>>about
>>50 tips from area residents responding to a hotline number
>>disseminated by
>>local media.
>>
>>[...]

From lyger at attrition.org Fri Aug 25 09:48:09 2006
From: lyger at attrition.org (lyger)
Date: Fri, 25 Aug 2006 09:48:09 -0400 (EDT)
Subject: [Dataloss] Oregon: Beaverton school staff personal data stolen
Message-ID: 

http://www.oregonlive.com/metrowest/oregonian/index.ssf?/base/metro_west_news/1156217123179890.xml&coll=7

Tuesday, August 22, 2006

Beaverton school officials have notified about 1,600 employees that time slips revealing personal information were missing following a July 24 break-in. School officials sent letters home late last week, notifying staff members of the theft. The school district will provide a year of credit reporting to the full-time teachers, substitutes and other staff whose Social Security numbers were printed on the slips.

"We're encouraging people to follow up on the letter and enroll in the program," said Sue Robertson, associate superintendent for human resources and support.

[...]
From macwheel99 at sigecom.net Fri Aug 25 21:22:17 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Fri, 25 Aug 2006 20:22:17 -0500
Subject: [Dataloss] FMCSA laptop stolen from a government vehicle in Baltimore
Message-ID: <6.2.1.2.0.20060825201449.04320040@mail.sigecom.net>

This is a separate story from the SLASHDOT discussion of Baltimore Police not able to recover a stolen laptop programmed to call home to identify where it ended up, in the hands of a Verizon customer, after being stolen.

The people affected in this latest Baltimore laptop story are some with commercial driver's licenses from Alabama, California, Florida, Georgia, Illinois, Kentucky, Maryland, North Carolina, New Jersey, New York, Pennsylvania, Texas and Virginia and Washington, D.C.

The Federal Motor Carrier Safety Administration, part of the Department of Transportation, said the laptop was stolen Tuesday from a government-owned vehicle, and was reported to Baltimore police. FMCSA said the computer might contain names, dates of birth and commercial driver's license numbers of 193 people from 40 motor carrier companies. It does not contain financial or medical information, the agency said.

[...]

http://www.thewbalchannel.com/news/9741267/detail.html

From hbrown at knology.net Sat Aug 26 05:56:45 2006
From: hbrown at knology.net (Henry Brown)
Date: Sat, 26 Aug 2006 04:56:45 -0500
Subject: [Dataloss] Dominion Resources laptop lost
Message-ID: <44F01ADD.3040603@knology.net>

APPARENTLY "we" can tell whether data has been accessed even when the computer is still missing.

http://tinyurl.com/osa85

" A spokesman for Dominion Resources has confirmed that two laptop computers containing employee information have been stolen. Company security and local law enforcement are investigating the theft, which apparently occurred earlier this month. Law officers have indicated that sensitive information contained on the computers has not been accessed.
Dominion has notified the workers affected and advised them to take steps to prevent identity theft. No customer information was on the computers, the company said. "

From lyger at attrition.org Sat Aug 26 10:58:54 2006
From: lyger at attrition.org (lyger)
Date: Sat, 26 Aug 2006 10:58:54 -0400 (EDT)
Subject: [Dataloss] Hacker swipes PortTix data
Message-ID: 

Courtesy PogoWasRight.org

http://pressherald.mainetoday.com/news/local/060826tickethack.shtml

Credit card information for about 2,000 people who ordered tickets online through PortTix, Merrill Auditorium's ticketing agency, was stolen this week when someone hacked into the PortTix Web site.

The breach was discovered Wednesday after someone called to report the possibility that the information was compromised, said Janice Bailey, PortTix executive director. She declined to reveal the caller's identity.

Bailey said the Web site was secured immediately and an outside audit was performed to make sure the site could not be breached again. Portland police are investigating the breach, she said.

[...]

From macwheel99 at sigecom.net Sat Aug 26 19:26:54 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sat, 26 Aug 2006 18:26:54 -0500
Subject: [Dataloss] U of South Carolina 6,000 students
Message-ID: <6.2.1.2.0.20060826182031.0432b840@mail.sigecom.net>

USC is working on a computer upgrade to a system that does not store Social Security #s etc., and not a moment too soon.

The University of South Carolina is warning 6,000 current and former students that some of their personal information may have been accessed by an intruder into the school's computer system.

A security audit this summer determined a university computer server was accessed from outside the system in September 2005. The intruder could have acquired a database used by the university post office that had the names, Social Security numbers and birthdays of about 6,000 students. The university sent letters to the students.
It is the second time in four months the university has had to inform students that someone other than authorized university personnel had access to their personal information. In April, about 1,400 students' names, Social Security numbers and birth dates were e-mailed accidentally to as many as 1,000 students in the Hospitality, Retail and Sports Management Program. [...] http://www.thestate.com/mld/thestate/news/local/15369806.htm From lyger at attrition.org Sat Aug 26 22:03:03 2006 From: lyger at attrition.org (lyger) Date: Sat, 26 Aug 2006 22:03:03 -0400 (EDT) Subject: [Dataloss] Sovereign Bank Warns Customers Personal Data May Have Been Breached Message-ID: Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/ http://www.boston.com/news/local/massachusetts/articles/2006/08/25/bank_warns_customers_personal_data_may_have_been_breached/ Sovereign Bank is warning thousands of customers that their personal data may have been stolen along with three managers' laptops taken earlier this month in Massachusetts. Bank officials said fewer than 1 percent of customers in the New England and Mid-Atlantic area may have been affected, the Standard-Times of New Bedford reported. "There's no information any of the accounts have been compromised," bank spokesman Carl Brown told the newspaper. He would not say how many letters were sent to customers Aug. 21, but said it was in the thousands. "We do consider this as a serious matter; we want to do everything we can," Brown said. "Police are investigating, and we're conducting our own internal investigation." [...] 
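George Toft's point in the "Stolen laptop returned to Beaumont Hospital" thread above, that a drive can be copied without touching the access markers on its files, comes down to how the copy is made: whoever copies it reads the raw device and never mounts the filesystem, so nothing inside it is updated. The following is an added example, not code from the list or from any of its posters, that images a device that way in Python: the device is opened read-only, every block is copied, a block that cannot be read is recorded and zero-filled so the image keeps the original offsets (what dd's conv=noerror,sync does), and the image is hashed so the copy can later be shown to be faithful. The device is a constructed in-memory stand-in (FlakyDevice) that raises an I/O error for a chosen range of offsets; on real hardware it would be open("/dev/sdb", "rb") behind a write blocker, and BLOCK_SIZE would be far larger than the 512 bytes assumed here.

```python
"""Read-only imaging of a drive with hash verification (added example).

Reading the raw device and never mounting it leaves every file's access
time exactly as it was, which is why "the data was not accessed" proves
nothing about whether the drive was copied.
"""
import hashlib
import io
from typing import BinaryIO, List, Optional, Tuple

BLOCK_SIZE = 512  # assumption: sector-sized blocks for the demo

# Constructed sample "drive" contents: 2048 bytes, i.e. four 512-byte blocks.
SAMPLE_DATA = bytes(range(256)) * 8


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a block device whose reads fail inside a
    bad range, the way a drive with a damaged sector would."""

    def __init__(self, data: bytes, bad_range: Optional[Tuple[int, int]] = None):
        super().__init__(data)
        self.bad_start, self.bad_end = bad_range if bad_range else (None, None)

    def read(self, size: int = -1) -> bytes:
        pos = self.tell()
        if self.bad_start is not None and self.bad_start <= pos < self.bad_end:
            raise OSError(5, "Input/output error")
        return super().read(size)


def image_device(device: BinaryIO, image: BinaryIO,
                 block_size: int = BLOCK_SIZE) -> Tuple[str, List[int]]:
    """Copy device into image block by block; the device is only ever read.

    Returns (sha256 of the image as written, offsets of blocks that could
    not be read and were replaced by zeros).
    """
    device.seek(0, io.SEEK_END)  # stat() is useless on a block device; seek to the end
    size = device.tell()
    digest = hashlib.sha256()
    bad_blocks: List[int] = []
    offset = 0
    while offset < size:
        want = min(block_size, size - offset)
        try:
            device.seek(offset)
            chunk = device.read(want)
        except OSError:
            # Unreadable block: keep the offsets intact by writing zeros and
            # log where it happened (dd's conv=noerror,sync behaviour).
            bad_blocks.append(offset)
            chunk = bytes(want)
        if not chunk:
            break  # device ended earlier than its reported size
        image.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    image.flush()
    return digest.hexdigest(), bad_blocks


def sha256_of(stream: BinaryIO, block_size: int = BLOCK_SIZE) -> str:
    """Hash a whole stream from the start; used to verify the written image."""
    stream.seek(0)
    digest = hashlib.sha256()
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            return digest.hexdigest()
        digest.update(chunk)


def run_demo() -> dict:
    """Image a clean drive and one with a bad block; return what an examiner
    would record: hashes, verification status and the bad-block list."""
    clean_image = io.BytesIO()
    clean_hash, clean_bad = image_device(FlakyDevice(SAMPLE_DATA), clean_image)

    damaged_image = io.BytesIO()
    damaged_hash, damaged_bad = image_device(
        FlakyDevice(SAMPLE_DATA, bad_range=(1024, 1536)), damaged_image)

    return {
        "source_hash": sha256_of(FlakyDevice(SAMPLE_DATA)),
        "clean_hash": clean_hash,
        "clean_verified": clean_hash == sha256_of(clean_image),
        "clean_bad_blocks": clean_bad,
        "damaged_hash": damaged_hash,
        "damaged_verified": damaged_hash == sha256_of(damaged_image),
        "damaged_bad_blocks": damaged_bad,
        "damaged_image": damaged_image.getvalue(),
    }


if __name__ == "__main__":
    result = run_demo()
    for key in ("source_hash", "clean_hash", "clean_verified", "clean_bad_blocks",
                "damaged_hash", "damaged_verified", "damaged_bad_blocks"):
        print(f"{key}: {result[key]}")
```

The two hashes are the evidence: the hash computed while writing proves what was copied, and re-hashing the finished image proves the file on disk matches it. When the bad-block list is empty the image hash also equals the source hash; when it is not, the list says exactly which offsets are zeros rather than drive contents. None of this touches the source, which is the whole of George's point.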
From cwalsh at cwalsh.org Sun Aug 27 19:51:24 2006 From: cwalsh at cwalsh.org (Chris Walsh) Date: Sun, 27 Aug 2006 18:51:24 -0500 Subject: [Dataloss] Stolen laptop returned to Beaumont Hospital In-Reply-To: <44EE10E0.1000000@myitaz.com> References: <44EE10E0.1000000@myitaz.com> Message-ID: <20060827235122.GB8509@cwalsh.org> Indeed, the ability to copy a disk w/out altering it is necessary in order for evidence to hold up in court. If the police change the disk by examining it, then how could the defense independently examine the same body of evidence? http://www.cftt.nist.gov/disk_imaging.htm is a useful link, IMO. Chris On Thu, Aug 24, 2006 at 01:49:36PM -0700, George Toft wrote: > In the wake of similar statements in the VA laptop case, I talked to a > computer forensics expert and he confirmed that as long as Windows was > not used to access the drive, then the markers used to indicate file > access will remain intact and indicate no access. From anonadmin at pogowasright.org Mon Aug 28 12:23:50 2006 From: anonadmin at pogowasright.org (anonadmin at pogowasright.org) Date: Mon, 28 Aug 2006 11:23:50 -0500 (CDT) Subject: [Dataloss] N.M. Judicial Branch data exposure Message-ID: <32913.162.40.239.121.1156782230.squirrel@www.pogowasright.org> For eight days last spring, an unsecured document containing names, birth dates, Social Security numbers, home addresses and other personal information on some 1,500 New Mexican employees of the state judicial branch was posted on a state computer server. 
http://www.freenewmexican.com/news/48386.html From lyger at attrition.org Tue Aug 29 17:54:15 2006 From: lyger at attrition.org (lyger) Date: Tue, 29 Aug 2006 17:54:15 -0400 (EDT) Subject: [Dataloss] Verizon gaffe lets customer details slip Message-ID: Courtesy InfoSec News and WK: http://news.com.com/Verizon+gaffe+lets+customer+details+slip/2100-1029_3-6109883.html By Joris Evers Staff Writer, CNET News.com Published: August 25, 2006, 5:11 PM PDT Verizon Wireless this week accidentally distributed a file with limited details on more than 5,000 customers outside the company, potentially giving identity thieves a toehold. The Microsoft Excel spreadsheet file was e-mailed on Monday and includes names, e-mail addresses, cell phone numbers and cell phone models of 5,210 Verizon Wireless customers, going by a copy of the file obtained by CNET News.com. All of the customers have Motorola Razr phones, according to the spreadsheet. The spreadsheet was inadvertently sent to about 1,800 people, all Verizon Wireless subscribers, according to a follow-up e-mail apologizing for the gaffe that the mobile carrier sent on Thursday. The Excel file was attached to an ad for a Bluetooth wireless headset, instead of the electronic order form that was supposed to be sent. "Verizon Wireless takes the security, confidentiality and integrity of your personal information very seriously, and we deeply regret this error," the company said in the Thursday e-mail. It said that it has already implemented additional quality control procedures and process improvements to prevent a re-occurrence. [...] 
From jericho at attrition.org Tue Aug 29 18:00:11 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 29 Aug 2006 18:00:11 -0400 (EDT)
Subject: [Dataloss] Verizon gaffe lets customer details slip
In-Reply-To:
References:
Message-ID:

: Courtesy InfoSec News and WK:
:
: http://news.com.com/Verizon+gaffe+lets+customer+details+slip/2100-1029_3-6109883.html

From the article:

The information in the document is limited and does not immediately expose those listed to fraud, the company said in its apology. Yet it recommends that people affected review their bills more carefully and add a password to their account by calling 1-866-861-5096.

Great.. they give you a number to a sales office and it isn't monitored 24/7 either. Most credit card companies have a 24/7 response for fraud related issues, but Verizon doesn't? Glad to see they really treat this seriously.

From lyger at attrition.org Tue Aug 29 22:33:59 2006
From: lyger at attrition.org (lyger)
Date: Tue, 29 Aug 2006 22:33:59 -0400 (EDT)
Subject: [Dataloss] (no subject)
Message-ID:

Courtesy Fergie's Tech Blog:
http://fergdawg.blogspot.com/

http://www.msnbc.msn.com/id/14575839/

AT&T Inc. said Tuesday that computer hackers illegally accessed credit card data and other personal information from several thousand customers who bought DSL equipment from AT&T's online store.

The phone company said it is notifying "fewer than 19,000" customers whose data was accessed over the past weekend. The company said it noticed the hacking "within hours," immediately shut down the online store, notified credit card companies and is working with law enforcement agencies to investigate the incident and find the hackers.

[...]
From lyger at attrition.org Tue Aug 29 22:40:08 2006
From: lyger at attrition.org (lyger)
Date: Tue, 29 Aug 2006 22:40:08 -0400 (EDT)
Subject: [Dataloss] Washington State Healthcare Provider Issues Security Advisory on Stolen Laptop
Message-ID:

Courtesy Fergie's Tech Blog:
http://fergdawg.blogspot.com/

http://seattlepi.nwsource.com/local/283006_compass29ww.html

Everett-based Compass Health has issued a security advisory to clients that one of its laptop computers was stolen in late June - but there is no indication that the personal data and social security numbers contained in the computer were used for identity theft.

The advisory affects a limited number of people, including those served by Catholic Community Services and SeaMar. Both groups have Seattle offices.

People affected by this theft should have received letters from Compass Health, an agency that helps people who suffer from mental illness.

[...]

From hbrown at knology.net Wed Aug 30 06:49:34 2006
From: hbrown at knology.net (Henry Brown)
Date: Wed, 30 Aug 2006 05:49:34 -0500
Subject: [Dataloss] Dept of Education contractor laptop stolen
In-Reply-To:
References:
Message-ID: <44F56D3E.9070903@knology.net>

Laptops with sensitive data stolen from Education contractor

http://govexec.com/dailyfed/0806/082906p1.htm

Two laptop computers believed to contain unencrypted personal information about 43 grant reviewers were stolen from an Education Department contractor in Washington, D.C., earlier this month.

...

From lyger at attrition.org Wed Aug 30 09:03:33 2006
From: lyger at attrition.org (lyger)
Date: Wed, 30 Aug 2006 09:03:33 -0400 (EDT)
Subject: [Dataloss] Valley Baptist Medical Center: Web Leak
Message-ID:

Courtesy PogoWasRight.org:

http://www.newschannel5.tv/2006/8/29/28085/-Personal-Information-Posted-on-Hospital-Web-Site-

Tuesday, August 29, 2006
Posted: 06:39 PM

HARLINGEN - A computer glitch on a hospital web site left some people at risk for identity theft.
Names, birth dates, and social security numbers of various healthcare workers were posted on Valley Baptist Medical Center's web site late last week.

The personal information came from an online application filled out by workers who provide services and bill the hospital.

The mistake was first discovered by a Houston resident visiting the web site.

"I was shocked," says Maria Hinojosa.

A victim of identity theft herself, Hinojosa says she realized something was very wrong.

Hinojosa provided NEWSCHANNEL 5 with four names of the potential 73 victims.

[...]

From lyger at attrition.org Wed Aug 30 18:41:29 2006
From: lyger at attrition.org (lyger)
Date: Wed, 30 Aug 2006 18:41:29 -0400 (EDT)
Subject: [Dataloss] Introducing the Data Loss Database - Open Source
Message-ID:

http://attrition.org/dataloss/dldos.html

Wed Aug 30 18:27:24 EDT 2006

Since July of 2005, attrition.org has been tracking data loss and data theft incidents not just from the United States, but across the world. Our archives go back to the year 2000, and with over 142 MILLION records compromised in over 300 incidents across six years, we would finally like to introduce a very basic and rudimentary database that will assist others in tracking these incidents.

DLDOS (Data Loss Database - Open Source) is a simple flat comma separated value file that can be imported into your database of choice, whether it be MySQL, Microsoft Access, or Oracle (good luck). We provide the date, the company that reported the breach, the type of data impacted, the number of records impacted, third party companies involved, and a few other sortable items that may be of interest.

At this point, attrition.org is not hosting an actual database itself, but the raw data is free and available for use as long as attrition.org is credited for the use of said data.
Really, we're not trying to be jerks, but if you're going to use our data in your research, be it a web site or paper written for a commercial entity, just give us a shout out please.

Attrition.org's main data loss page can be found here:
http://attrition.org/dataloss/

Attrition.org's Data Loss Mail List information:
http://attrition.org/security/dataloss.html

Please feel free to use this information, build on it, grow on it, and share it. Updates to the raw data will be provided by attrition.org weekly, if not daily.

Share and share alike; distribute and learn.

From lyger at attrition.org Thu Aug 31 08:05:44 2006
From: lyger at attrition.org (lyger)
Date: Thu, 31 Aug 2006 08:05:44 -0400 (EDT)
Subject: [Dataloss] Teen MySpace ignored "private"
Message-ID:

(fringe dataloss topic, not to be included in DLDOS, but possibly of interest - lyger)

From Al Mac (macwheel99_at_sigecom.net):

A security hole in the popular MySpace social networking site allowed users to view entries marked "private," for months before it was fixed.

{...}

http://www.net-security.org/news.php?id=12151

From bkdelong at pobox.com Thu Aug 31 08:14:20 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 31 Aug 2006 08:14:20 -0400
Subject: [Dataloss] Teen MySpace ignored "private"
In-Reply-To:
References:
Message-ID: <6.2.3.4.2.20060831081117.05a6b4a0@mail.brain-stream.net>

It looks like the method used to "hide" the data was pretty pathetic. I wouldn't even call it a security hole - using the CSS property display:none; is Web design and simply does not display anything in that block, leaving the content in the original source code.

At 08:05 AM 8/31/2006, lyger wrote:
> (fringe dataloss topic, not to be included in DLDOS, but possibly of
> interest - lyger)
>
> From Al Mac (macwheel99_at_sigecom.net):
>
> A security hole in the popular MySpace social networking site allowed
> users to view entries marked "private," for months before it was fixed.
>
> {...}
>
> http://www.net-security.org/news.php?id=12151
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 142 million compromised records in 321 incidents
> over 6 years.

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org       Son.
http://www.haloworldwide.com  Work.
http://www.bostonredcross.org Volunteer.
http://www.brain-stream.com   Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From lyger at attrition.org Thu Aug 31 09:33:43 2006
From: lyger at attrition.org (lyger)
Date: Thu, 31 Aug 2006 09:33:43 -0400 (EDT)
Subject: [Dataloss] LabCorp - Patient info on stolen computer
Message-ID:

Courtesy PogoWasRight.org

http://www.thnt.com/apps/pbcs.dll/article?AID=/20060831/NEWS/608310428/1001

Home News Tribune Online 08/31/06
By KEN TARBOUS

A medical lab is notifying patients that a computer with sensitive personal information was stolen from its Prospect Plains Road sample-collection center.

LabCorp is identifying patients who may have had their names and Social Security numbers on a computer stolen from its Monroe Patient Service Center and notifying those people by mail, said Pamela Sherry, LabCorp's senior vice president of corporate communications.

"We have no reason to believe the information is being used improperly," Sherry said.

The information, which was scrambled and password protected, did not include birth dates or test results, Sherry said. Sherry did not say how many patients had their personal information placed on the computer or how many people were receiving letters about the theft.

[...]
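On the display:none point in B.K. DeLong's reply above (the MySpace thread): the block below is an added example, not code from the thread or from MySpace, showing the weak pattern beside the fix and a scraper that reads the page the way "View Source" does. The profile entries, the page markup and the viewer/owner distinction are constructed for illustration; the fix is the generic one, deciding on the server what a given viewer may see and leaving everything else out of the response.

```python
import html
from html.parser import HTMLParser

# Constructed sample profile: the owner marked the second entry private.
ENTRIES = [
    {"text": "Going to the show Friday!", "private": False},
    {"text": "New phone number: 555-0100", "private": True},
]


def render_css_hidden(entries):
    """The weak pattern: every entry is written into the page and 'private'
    ones are merely wrapped in display:none. The browser does not draw them,
    but they are still in the HTML anyone can fetch."""
    out = []
    for e in entries:
        style = ' style="display:none"' if e["private"] else ""
        out.append(f'<div class="entry"{style}>{html.escape(e["text"])}</div>')
    return "\n".join(out)


def render_authorized(entries, viewer_is_owner):
    """The fix: apply the 'private' flag on the server so a non-owner's
    response never contains the private text at all."""
    visible = [e for e in entries if viewer_is_owner or not e["private"]]
    return "\n".join(
        f'<div class="entry">{html.escape(e["text"])}</div>' for e in visible
    )


class EntryScraper(HTMLParser):
    """Collects the text of every div.entry, ignoring any style attribute,
    which is all a one-line script (or a curious user) has to do."""

    def __init__(self):
        super().__init__()
        self.entries, self._depth, self._buf = [], 0, []

    def handle_starttag(self, tag, attrs):
        if self._depth:
            self._depth += 1  # nested tag inside an entry
        elif tag == "div" and "entry" in (dict(attrs).get("class") or "").split():
            self._depth, self._buf = 1, []

    def handle_endtag(self, tag):
        if self._depth:
            self._depth -= 1
            if not self._depth:
                self.entries.append("".join(self._buf))

    def handle_data(self, data):
        if self._depth:
            self._buf.append(data)


def scrape(page):
    """Return the entry texts present in the served HTML, visible or not."""
    p = EntryScraper()
    p.feed(page)
    p.close()
    return p.entries


def demo():
    """Returns what a stranger gets from the weak page, what a stranger gets
    from the fixed page, and what the owner gets from the fixed page."""
    stranger_weak = scrape(render_css_hidden(ENTRIES))
    stranger_fixed = scrape(render_authorized(ENTRIES, viewer_is_owner=False))
    owner_fixed = scrape(render_authorized(ENTRIES, viewer_is_owner=True))
    return stranger_weak, stranger_fixed, owner_fixed


if __name__ == "__main__":
    for label, got in zip(("stranger/weak", "stranger/fixed", "owner/fixed"), demo()):
        print(f"{label}: {got}")
```

The same reasoning applies to any client-side concealment (hidden form fields, collapsed sections, JavaScript that removes elements after load): if the bytes reach the client, the client has them, and the only control that counts is the one applied before the response is built.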
From lyger at attrition.org Thu Aug 31 11:33:53 2006
From: lyger at attrition.org (lyger)
Date: Thu, 31 Aug 2006 11:33:53 -0400 (EDT)
Subject: [Dataloss] Domino's: Pizza receipts land in trash
Message-ID:

Courtesy hypronix

http://vancouver.24hrs.ca/TopStory/home.html

By John Pigeon, 24 HOURS

When Mark Schroeder slapped a pizza dinner on his Visa card in Whistler three years ago, he never thought that his Visa receipt would end up in a dumpster behind a Domino's franchise office in Port Coquitlam.

But on Tuesday afternoon when 24 hours followed an anonymous tip to the dumpster off Kingsway Avenue, Schroeder's credit-card slip, complete with account number, expiry date and name, was among thousands in a trash container.

"I can't even think of a word to describe how upset I am right now. What can you say?" Schroeder said from his home in Pemberton. "I'm kind of awestruck, actually, that they would do something like this and treat their customers with such a lack of respect."

The anonymous tipster felt the same way when he came across the dumpster, overflowing with credit-card slips and card imprints, on his morning walk to work.

[...]