From lyger at attrition.org Tue May 2 18:28:08 2006
From: lyger at attrition.org (lyger)
Date: Tue, 2 May 2006 18:28:08 -0400 (EDT)
Subject: [Dataloss] Ohio University - electronic data stolen
Message-ID:

http://www.ohio.com/mld/beaconjournal/14481057.htm

The FBI is investigating two thefts of electronic data at Ohio University, school officials said Monday.

The university said it discovered April 24 that someone gained unauthorized access to records in a computer system that supports the school's alumni relations department. The records included biographical information for more than 300,000 people and organizations, including 137,000 Social Security numbers, the university said.

The breach did not involve credit card or bank account information. University spokesman Bill Sams said investigators haven't found evidence that the information has been used illegally.

[...]

From jericho at attrition.org Wed May 3 03:36:41 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 3 May 2006 03:36:41 -0400 (EDT)
Subject: [Dataloss] Iron Mountain loses more backup tapes
Message-ID:

Courtesy of WK and ISN:

---------- Forwarded message ----------

http://www.techworld.com/security/news/index.cfm?newsID=5915

By Chris Mellor
Techworld
02 May 2006

Accident-prone Iron Mountain has mislaid more backup tapes containing personal information. On April 6th, a driver reported that backup tapes belonging to the Long Island Rail Road (LIRR) and another customer had gone missing. The LIRR tapes contained personal information about 17,000 past and current employees - virtually everyone who has ever worked for the concern. The second customer's tapes did not contain personal information.

So far no evidence of theft has been found; the tapes have apparently just been mislaid. The LIRR is providing a paid-for one year account with a credit check and identity theft monitoring service - a costly exercise for 17,000 people.
Iron Mountain has previously lost backup tapes belonging to Time Warner in March, 2005. These covered 600,000 current and past employees.

From jericho at attrition.org Wed May 3 03:37:58 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 3 May 2006 03:37:58 -0400 (EDT)
Subject: [Dataloss] Aetna Loses Laptop Containing Customer Data
Message-ID:

Following up on Chris Walsh's post from April 27, more information courtesy of WK and ISN:

---------- Forwarded message ----------

http://www.consumeraffairs.com/news04/2006/05/aetna_laptop.html

By Martin H. Bosworth
ConsumerAffairs.Com
May 1, 2006

An employee of health insurance giant Aetna lost a laptop containing data on 38,000 customers, the company said. The information included names, addresses, and Social Security numbers, but no financial information.

The individuals were employees of companies who bought group health coverage from Aetna. The companies asked not to be identified. Aetna spokesperson Cynthia Michener declined to verify where the theft took place, or if any of the information had been used.

In a subsequent statement, Aetna CEO Ronald Michener claimed the laptop had been secured with "strong password protection," and that the employee responsible "did not follow corporate policies."

"We have offered to pay for credit monitoring services for our affected members to help prevent any potential misuse of the information, and we are contacting each affected individual directly with information on how to access this service," Michener said.

The Aetna CEO also claimed that the company would be augmenting its data security structure to ensure all their employees followed proper procedure in the future. Michener also said that Aetna was contacting all affected individuals, and would be offering them free credit monitoring for an unspecified period of time, to ensure they were protected from possible fraud or identity theft.
The theft or loss of laptops has been the latest trend in data breaches, with over 500,000 individuals potentially affected as a result of laptops being stolen or misplaced in the last six months. Companies affected have included Hewlett-Packard, Verizon, Ameriprise, and Ford.

[..]

From dano at well.com Wed May 3 10:21:07 2006
From: dano at well.com (dano)
Date: Wed, 3 May 2006 07:21:07 -0700
Subject: [Dataloss] [media] US radio show about data loss
Message-ID:

In the US on Tuesday the American Public Media radio show "Marketplace" did a story on data loss, especially highlighting laptop loss and theft. It did not present anything new to readers of this list, but pulled together a representative list that the show's listeners may not have been aware of.

(also available in RSS and mp3 feeds)

TEXT OF STORY

KAI RYSSDAL: You think you're doing pretty well with Internet security, don't you. Protecting your passwords and not giving out information. Well, smart as you are, the bad guys are even smarter. There were two surveys out this week from Web security companies. They say hackers aren't wasting time with viruses, anymore. They're jumping through corporate security flaws the day they're discovered. Which is how Social Security numbers can be taken from office networks. Credit-card numbers, too. Never mind what happens when laptops are stolen outright. Here's Sean Cole.

SEAN COLE: I've been trying to figure out a way to really bring home the magnitude of this corporate laptop theft problem. And I figured the best way was to use Marketplace's tried-and-true method of imparting a whole lot of information in a very short period of time. And so, ladies and gentlemen, let's do the numbers.

About 18,000 Bank of America customers got a memo back in May saying their Social Security numbers were on a laptop stolen out of an employee's car.
That same month a laptop was stolen from a branch of Omega World Travel, containing the credit card info of 80,000 Department of Justice workers. Not to be outdone, Bank of America had another laptop stolen in August. In November, 161,000 Boeing employees were told that a laptop containing their Social Security numbers was lifted. Geddit? Boeing? Lifted?

In February, Ernst and Young was hit. In March it was Fidelity. As I was writing this paragraph, Boeing called again to say that, since we talked, another laptop was grabbed away from an HR rep at an airport. We're talking, at least, 14 different companies, three state governmental agencies, five hospitals and nine colleges and universities.

You're listening to Marketplace!

Of course, the thieves probably don't know there's a bunch of sensitive information on these laptops. In any case, they never seem to find it. All the companies I talked to said the data was password-protected and that there's been no fraud as a result of the thefts . . . yet. But password shmassword, the data's still vulnerable. So the companies have had to send out these really awkward apology letters.

JONATHAN ZITTRAIN: And you can imagine, they're starting to get better at drafting these things. You know, here's your spring newsletter. And you have some good news with it and then at the bottom . . . And by the way, we lost a bunch of your personal data and please call this number.

This is Jonathan Zittrain, a co-founder of the Berkman Center for Internet and Society at Harvard Law School. He says he's not surprised that all of this information is walking around on portable computers. People want to be productive on the run, he says. But he says there are pretty sure-fire ways to protect sensitive information. Like, encrypting it, or leaving the data on the main server and remotely tunneling through the Internet to work with it.
ZITTRAIN: And it's strange that it's taken as long as it has to really have these practices not only shape up but to be implemented and I think there are still a number of companies out there, many of whom have employees who haven't implemented even the basics of encryption and data security.

For example, there's this financial services company called Ameriprise. It's an off-shoot of American Express. Encryption of sensitive data is company policy at Ameriprise. But when a laptop was stolen from an employee's car in December, it turned out the data on it was not encrypted - including the Social Security numbers of about 68,000 financial advisors. So the company fired the employee and basically told the rest of its staff not to be like him.

STEVEN CONNOLLY: We shared with them where the policies are located, that they should read up on them, that they should know the policies.

Steven Connolly is director of communications at Ameriprise.

CONNOLLY: Some of the policies are about encryption. They also include things like securing physical assets of the company like computer laptops.

COLE: Like, not putting it in your car, basically.

CONNOLLY: Yeah.

But education . . . even re-education can only go so far.

GREG VAN PELT: Even with all the technological solutions, there's the human element where you have to trust your colleagues.

Greg Van Pelt is a senior vice president at Providence Health and Services, a health care system that operates in the northwest. Providence Health has had four laptops stolen from employee cars since September. Smash and grab jobs. Though one was more of a "Lift the door handle and grab" job. Car was unlocked.

VAN PELT: You have to educate. You have to reeducate. And then you have to trust.

Worse yet . . . In December a bunch of computer back-up discs and tapes were stolen out of an employees car. They contained information on 365,000 Providence Health patients. And no, the company hadn't fully encrypted everything. Though it has now.
The problem is Providence Health kind of has to carry this stuff around on laptops. It does home visits, updating patient information on the spot. Nonetheless, Van Pelt says the thefts have changed the company's attitude toward laptops a little bit.

VAN PELT: All I can tell you, everybody in the organization is very aware and they rarely leave the office.

COLE: The laptops do.

VAN PELT: Yes.

COLE: Do they stay in locked cars?

VAN PELT: Yes.

But only in the trunk, Van Pelt says, not the back seat. Plus, he says, field reps have wireless now so they're carrying around less information than they used to. Still, understandably, patients haven't reacted too well.

NEVA CAVATAIO: It's a bummer. It's a drag. I try so hard to protect my information.

This is Neva Cavataio, a soon-to-be graduate student in Portland. She gets some of her medication through Providence. She got a letter back in March saying her information was on one of the stolen laptops.

CAVATAIO: And you see these news reports everybody's ramming down everyone's throat: You gotta be careful with your stuff. . . . And then you give it to a hospital, which you think that they're advocates of patient privacy and stuff, and then they're leaving it thrown in the back seat of a car and it gets broken into.

Cavataio says Providence is paying a credit monitoring service to keep an eye on her particulars for a year, a common "I'm sorry" that companies offer in this situation. And not a cheap one. Boeing, for instance, has had 80,000 people sign up for that service. Boeing is also actually doing something about this kind of five-finger information theft. New rule: No downloading sensitive employee data onto laptops.

In Boston, I'm Sean Cole for Marketplace.
From lyger at attrition.org Thu May 4 16:59:17 2006
From: lyger at attrition.org (lyger)
Date: Thu, 4 May 2006 16:59:17 -0400 (EDT)
Subject: [Dataloss] Idaho utility hard drives and data turn up on eBay
Message-ID:

(makes me wonder what type of customer and employee data may have been found.. - lyger)

http://computerworld.com/securitytopics/security/story/0,10801,111148,00.html

News Story by Sharon Fisher
MAY 04, 2006 (COMPUTERWORLD)

Anybody with five bucks and a little patience may be able to score sensitive corporate or customer data on eBay.

If your organization has engaged in the common practice of disk drive recycling -- selling unneeded disk drives directly or through a service -- company data might wind up for sale on eBay Inc.'s auction site, even if the drives have been wiped first.

Idaho Power Co. discovered that possibility last week as it scrambled to track down company disk drives that had been sold on eBay without having been scrubbed first. The Boise, Idaho-based utility serves approximately 460,000 customers in the southern part of Idaho and in eastern Oregon.

Data on the drives, which had been used in servers, contained proprietary company information such as memos, correspondence with some customers and confidential employee information, the company said.

[...]

From lyger at attrition.org Thu May 4 17:13:17 2006
From: lyger at attrition.org (lyger)
Date: Thu, 4 May 2006 17:13:17 -0400 (EDT)
Subject: [Dataloss] Idaho Power Co. - answering my own question
Message-ID:

http://www.nwcn.com/statenews/idaho/stories/NW_042906idahopowerEL.82d38eea.html

[...]

It happened after the company's hard drives were sold on eBay - with confidential still intact company memos and the names and personal information of hundreds of Idaho Power employees.

KTVB conducted the investigation in conjunction with its NBC affiliate in Cincinnati, where the hard drives were actually bought. KTVB then told Idaho Power about the issue.
They then issued a press release to the media late Friday afternoon. As a result of the investigation, Idaho Power will no longer recycle or sell computer hard drives.

In all, four hard drives were bought by a computer security expert in Cincinnati, Ohio. He was able to retrieve hundreds of thousands of confidential company documents from Idaho Power. The drives contain everything from employee names and social security numbers - even confidential memos to the company's CEO.

[...]

From ellenm at net.tamu.edu Thu May 4 20:47:32 2006
From: ellenm at net.tamu.edu (Ellen L Mitchell)
Date: Thu, 04 May 2006 19:47:32 -0500
Subject: [Dataloss] Personal info found on sold government computers
Message-ID: <20060505004732.9FBE31589B@net.tamu.edu>

http://www.gwinnettdailypost.com/index.php?s=&url_channel_id=32&url_article_id=14588&url_subchannel_id=&change_well_id=2

Personal info found on sold government computers
05/02/2006

ATLANTA--The state is halting the sale of government surplus computers, after private citizens' personal information turned up on computers bought by a bargain hunter.

Joe Kim, director of legal service for the state Department of Administrative Services, said the sale of government surplus computers has been put on hold.

Credit card numbers, birth dates and Social Security numbers of citizens were still on the hard drives of computers which state workers failed to erase before they were sold, WSB-TV reported. More than 150 surplus computers were in one man's work shed.

The dates of birth and social numbers of a Douglas County family were found on a surplus Department Human Resources computer hard drive. Computers from a psychiatric hospital in Rome contained thousands of patient records on a single hard drive, the station reported.

Kim said surplus computers won't be sold until government agencies become more consistent with the Department of Administrative Services' policy of erasing all information from computers before selling them.
"We need more insurance from agencies," Kim said. "We'll either remove the data or destroy the computers ourselves."

From lyger at attrition.org Fri May 5 12:24:50 2006
From: lyger at attrition.org (lyger)
Date: Fri, 5 May 2006 12:24:50 -0400 (EDT)
Subject: [Dataloss] Analysis: Data breach notification law unlikely this year
Message-ID:

http://computerworld.com/securitytopics/security/story/0,10801,111197,00.html

News Story by Grant Gross
MAY 05, 2006 (IDG NEWS SERVICE)

In the wake of a series of data breaches in early 2005, the U.S. Congress seemed ready to move quickly on legislation that would require companies to notify customers when their personal information had been compromised.

Now, more than a year after data breaches at ChoicePoint Inc. and LexisNexis set off a national debate about identification theft and data security, time is running out for Congress to pass a law before it finishes business this year. Some proponents of a national breach notification law say it's unlikely that Congress will be able to pass a law by then.

Lawmakers have introduced more than 10 bills dealing with data breach notification since early 2005. The bills differ in several ways, including varying requirements about when a breached company should notify customers and whether consumers should be able to freeze their credit reports following a breach. Beyond the confusion about the differences in the bills, five congressional committees have claimed jurisdiction over some of the data breach bills.

"It's certainly a popular and pro-consumer issue to tackle," said David Sohn, a staff counsel at the Center for Democracy and Technology, a privacy and civil rights advocacy group. "It's difficult to see how Congress will reconcile all the bills."

[...]
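The Idaho Power and Georgia surplus-computer items above both come down to the same missing step: nobody verified that the drives were actually empty before they left custody, so memos, SSNs and patient records went out with the hardware. The following is an added example, not code from the list, Idaho Power, the state of Georgia, or any vendor: a Python check that walks a raw disk image sector by sector, counts non-zero sectors, flags high-entropy sectors (leftovers that are encrypted or compressed and would not show up in a string search), and carves SSN-shaped strings and printable runs the way strings(1) would. The 512-byte sector size, the SSN pattern, the entropy threshold and the sample image are assumptions made for the demonstration; the scan itself applies to any image you can read as bytes, not just the drives in these stories.

```python
"""Residual-data check for a disk image before a drive is sold or recycled.

Added example for the Dataloss thread; it is not Idaho Power's, the state of
Georgia's, or any vendor's tool. The sector size, the SSN pattern and the
sample image below are assumptions made for the demonstration.
"""
import math
import re
from collections import Counter
from typing import Dict, List

SECTOR = 512  # assumed sector size for the walk

# US SSN shape; excludes the 000/666/9xx areas, 00 groups and 0000 serials.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Runs of printable ASCII, the same idea as strings(1).
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{12,}")


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: ~0 for zero-fill or sparse text, ~8 for ciphertext or random data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def scan_image(image: bytes) -> Dict[str, object]:
    """Walk the image sector by sector and report evidence of residual data.

    Any non-zero sector means the wipe did not cover the whole device. High-entropy
    sectors are reported separately because encrypted or compressed leftovers will
    not be caught by the string or SSN searches below.
    """
    nonzero = high_entropy = 0
    for off in range(0, len(image), SECTOR):
        sector = image[off:off + SECTOR]
        if any(sector):
            nonzero += 1
            if shannon_entropy(sector) > 7.0:
                high_entropy += 1
    ssns: List[str] = sorted({m.decode() for m in SSN_RE.findall(image)})
    strings: List[str] = [s.decode() for s in PRINTABLE_RE.findall(image)]
    return {
        "sectors": (len(image) + SECTOR - 1) // SECTOR,
        "nonzero_sectors": nonzero,
        "high_entropy_sectors": high_entropy,
        "ssn_like": ssns,
        "strings": strings,
        "clean": nonzero == 0,
    }


def overwrite_with_zeros(image: bytes) -> bytes:
    """Single-pass zero fill of the whole image.

    On real hardware prefer the drive's own Secure Erase or physical destruction;
    the point here is that the scan above, not the wipe procedure, decides whether
    the drive may leave.
    """
    return bytes(len(image))


def build_sample_image() -> bytes:
    """Constructed sample: eight sectors, two of which still hold 'deleted' text of
    the kind a file-level delete or quick format leaves behind."""
    memo = b"MEMO TO CEO - CONFIDENTIAL: payroll export attached.\n"
    table = b"Employee,SSN\nJ. Doe,123-45-6789\nR. Roe,234-56-7890\n"
    img = bytearray(SECTOR * 8)
    img[SECTOR * 1:SECTOR * 1 + len(memo)] = memo
    img[SECTOR * 5:SECTOR * 5 + len(table)] = table
    return bytes(img)


if __name__ == "__main__":
    before = scan_image(build_sample_image())
    after = scan_image(overwrite_with_zeros(build_sample_image()))
    print("before wipe:", before)
    print("after wipe: ", after)
```

Run against a real device you would pass the bytes of a dd image instead of build_sample_image(); the useful signal is the combination, since a drive that is all zeros is clean, a drive with low-entropy non-zero sectors still has readable files, and a drive with high-entropy sectors but no strings may hold encrypted data that the string search cannot vouch for either way.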
From lyger at attrition.org Fri May 5 18:06:32 2006
From: lyger at attrition.org (lyger)
Date: Fri, 5 May 2006 18:06:32 -0400 (EDT)
Subject: [Dataloss] Wells Fargo Warns of Possible Data Theft
Message-ID:

http://www.msnbc.msn.com/id/12647549/

Wells Fargo & Co., the second-largest U.S. mortgage lender, Friday said a computer containing confidential data about mortgage customers and prospective customers is missing and may have been stolen.

San Francisco-based Wells Fargo, which is also the No. 5 U.S. bank and serves more than 23 million customers, said a "global express shipping company" had been delivering the computer from one of the bank's facilities to another.

The missing data include names, addresses, Social Security numbers and mortgage loan deposit numbers. Wells Fargo said there is no indication that anyone has misused the data, or accessed the data without authorization.

[...]

From lyger at attrition.org Tue May 9 20:09:21 2006
From: lyger at attrition.org (lyger)
Date: Tue, 9 May 2006 20:09:21 -0400 (EDT)
Subject: [Dataloss] Webroot uncovers thousands of stolen identities
Message-ID:

http://www.infoworld.com/article/06/05/09/78139_HNTrojanrebery_1.html

By Paul Roberts
May 09, 2006

Spyware researchers at Webroot Software have uncovered a stash of tens of thousands of stolen identities from 125 countries that they believe were collected by a new variant of a Trojan horse program the company is calling Trojan-Phisher-Rebery.

The FBI is investigating the stolen information, which was discovered on a password-protected FTP (File Transfer Protocol) server in the U.S. and is believed to be connected to a Trojan horse that is installed from the Web site teens7(dot)com. The information, organized by country, includes names, phone numbers, social security numbers, and user log-ins and passwords for tens of thousands of Web sites, according to information provided to InfoWorld by Webroot.
The discovery is just the latest evidence of rampant identity theft by online criminals who use malicious Web sites, common software vulnerabilities and keylogging software to harvest information from unsuspecting Web surfers.

[...]

From lyger at attrition.org Tue May 9 21:41:51 2006
From: lyger at attrition.org (lyger)
Date: Tue, 9 May 2006 21:41:51 -0400 (EDT)
Subject: [Dataloss] Are Clinic Visits On Credit Reports?
Message-ID:

(from a data loss standpoint, maybe this falls more under "possibility of unknown or unwilling exposure" and not loss or theft. comments encouraged. - lyger)

http://redtape.msnbc.com/2006/05/are_clinic_visi.html

Posted: Tuesday, May 9 at 03:00 am CT by Bob Sullivan

Mike Herwig looked at his credit report recently and saw something even more disturbing than past due accounts. He saw the words "Starlite Recovery Center."

As the name hints, Starlite is a drug and alcohol treatment clinic in Texas. Herwig, a 36-year-old Boston resident, received treatment for alcoholism there two years ago and wanted that to remain secret. But now he fears he's been outed as a recovering addict in front of future employers, landlords, insurance companies and any other organization that pulls his credit report.

Experian, which issued the credit report, says Herwig's fears are unfounded. Starlite's name is omitted from copies of the report given to others and appears only on Herwig's personal report, according to Experian's Don Girard. In fact, federal law prohibits credit bureaus from listing the name of any medical treatment facility on a credit report furnished to lenders or employers, he said.

Still, Herwig's story is instructive about the alarming things that can appear on credit reports, and the kind of rights consumers have.

[...]
From lyger at attrition.org Wed May 10 00:23:50 2006
From: lyger at attrition.org (lyger)
Date: Wed, 10 May 2006 00:23:50 -0400 (EDT)
Subject: [Dataloss] Discussion regarding breach notification
Message-ID:

Some topical thoughts and possible material for discussion from Emergent Chaos:

http://www.emergentchaos.com/archives/2006/05/breach_notification_the_n.html
http://www.emergentchaos.com/archives/2006/05/half_empty.html

(from Chris Walsh's post):

"I think Adam is too kind to Arizona's new breach law. My issues have to do with how various elements of the law might be interpreted:

"materially compromises": Maybe I am reading too much Sarbanes-Oxley stuff and my sense of what constitutes materiality has been warped, but I would need to be reassured that this term means something "smaller" than it does in the SOX context. I realize this language is present in practically all breach laws, as well as HIPAA, etc.

"acquisition and access" -- so if I simply hack in (gain "access"), but the audit trail doesn't show that I did "acquire" PII, you get to keep quiet? How would acquisition be established?

"substantial economic loss" -- So credit card numbers are no biggie, since liability is limited to an insubstantial amount?

"reasonably likely" -- So, losing the PII of a bunch of people with no credit history, or those who have been demonstrated (by ID Analytics, or even the FTC) to be unlikely victims (like children on public assistance, say) gets you out of notifying?"

[...]
From lyger at attrition.org Wed May 10 12:40:14 2006
From: lyger at attrition.org (lyger)
Date: Wed, 10 May 2006 12:40:14 -0400 (EDT)
Subject: [Dataloss] Utility may face investigation for sale of unscrubbed drives
Message-ID:

Courtesy: InfoSec News

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000333

Sharon Fisher
May 09, 2006

State and federal regulatory agencies have not yet determined whether Idaho Power faces any penalties after a salvage operator offered unscrubbed hard disk drives for sale on eBay Inc.'s auction Web site.

The utility had sold 230 disks to a salvage operator, who sold 84 on eBay. Most of the drives have been returned to Idaho Power. The incident was disclosed earlier this month.

The Federal Trade Commission would not confirm or deny whether the incident is under investigation. "In theory, there are different statutes that might come into play, but whether it was a basis for action would depend on the underlying circumstances," said Alain Sheer, an attorney in the division of privacy and identity protection in the bureau of consumer protection for the FTC, in Washington.

[...]

From lyger at attrition.org Wed May 10 14:38:40 2006
From: lyger at attrition.org (lyger)
Date: Wed, 10 May 2006 14:38:40 -0400 (EDT)
Subject: [Dataloss] U.S. military cracks down on stolen computer drives
Message-ID:

(Follow-up to an April list post via the L.A. Times: http://www.latimes.com/news/nationworld/world/la-fg-disks10apr10,0,5854905,full.story)

Updated: 9:46 p.m. ET May 8, 2006
http://www.msnbc.msn.com/id/12694212/

BAGRAM, Afghanistan - Computer storage devices containing sensitive military information stolen from the U.S. base here and widely available in shops last month are now hard to find.

The U.S. military has increased security measures to prevent Afghan workers from slipping the small portable flash drives into their pockets in order to sell them to shops near the main American base in Afghanistan, a U.S.
spokesman and shopkeepers said Monday.

One shopkeeper said Afghan workers on the Bagram base are now scrutinized carefully on their way out. "They even look in their shoes," said the 40-year-old shopkeeper, who would only give his first name, Amruddin.

In April, dozens of used flash drives were available in markets here. Drives viewed by The Associated Press had the Social Security numbers of hundreds of soldiers, including four generals, and lists of troops who completed nuclear, chemical and biological warfare training.

[...]

From lyger at attrition.org Wed May 10 18:22:35 2006
From: lyger at attrition.org (lyger)
Date: Wed, 10 May 2006 18:22:35 -0400 (EDT)
Subject: [Dataloss] Bush creates task force to fight 'horror' of identity theft
Message-ID:

http://www.physorg.com/news66496317.html

US President George W. Bush on Wednesday announced the creation of a top-level task force to combat what he called "horror stories" associated with the rapidly growing crime of identity theft.

"Identity theft is a serious problem in America," the president told reporters after meeting with victims who described to him the personal and financial impact of such crimes.

"I have just listened to the horror stories from fellow citizens who have had their identities stolen. I listened to their ideas about how the federal government can help in the response, in not only dealing with those who commit the crime but helping those who have been victimized," Bush said.

Identity theft, in which a person's personal and financial information is stolen and his or her identity is assumed by another, affected some 3.6 million US households -- or about three percent of the total in the United States -- over a six-month period in 2004, according to a US Justice Department report issued last month.

[...]
From lyger at attrition.org Wed May 10 22:01:58 2006
From: lyger at attrition.org (lyger)
Date: Wed, 10 May 2006 22:01:58 -0400 (EDT)
Subject: [Dataloss] Privacy Breach Impact Calculator
Message-ID:

(Use at your own risk. Personally, I don't see this "calculator" as being particularly helpful for several reasons, but those who have an interest in quantifying costs of privacy breaches may have fun with it.)

http://www.informationshield.com/privacybreachcalc.html

From cwalsh at cwalsh.org Thu May 11 10:12:11 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 11 May 2006 09:12:11 -0500
Subject: [Dataloss] Lloyds TSB admits chip and Pin flawed
Message-ID: <20060511141210.GC31977@cwalsh.org>

[ got this from a closed mailing list -- may have some relevance ]

Title: Lloyds TSB admits chip and Pin flawed
Author: Sean Poulter
Source: Daily Mail

Excerpt:

A major bank has finally conceded that serious flaws in the new chip and PIN system have opened it up to fraud.

Lloyds TSB admitted a surge in thefts by gangs who clone debit and credit cards then plunder accounts at ATMs overseas. The crooks not only steal the card details, but also the four digit Pin codes which have replaced signatures to authorise purchases.

The cloned cards are then used to make repeated raids on accounts using foreign cash machines because these transactions take longer to show up as a rogue spending pattern in banks' security procedures.

The Daily Mail has learned that the monitoring systems of some banks do not include cash withdrawals from foreign ATMs as they have assumed ATMs are secure. The industry has focused fraud detection on card purchases.

Yesterday Lloyds, which has 15m personal account customers in the UK, admitted the problem and said it had moved to close gaps in its security system. A spokesman said: 'In recent weeks, we have identified an increase in fraud via overseas cash machines.
For complete article see:
http://www.thisismoney.co.uk/saving-and-banking/article.html?in_article_id=408976&in_page_id=2&ito=1565

From lyger at attrition.org Thu May 11 12:35:12 2006
From: lyger at attrition.org (lyger)
Date: Thu, 11 May 2006 12:35:12 -0400 (EDT)
Subject: [Dataloss] Real estate services firm settles privacy, security charges with FTC
Message-ID:

Computers used by Nations Holding were hacked, exposing customer data

http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000362

May 10, 2006 (Computerworld)

Real estate services company Nations Holding Co. (NHC) and its president have settled a charge by the Federal Trade Commission that they violated federal privacy and security laws. The settlement involves NHC and a subsidiary, Nations Title Agency Inc. (NTA), according to a statement from the FTC.

The FTC said that even though NHC had promised consumers that it had "physical, electronic and procedural safeguards" in place to protect their confidential financial information, the Prairie Village, Kan.-based company's computers were hacked and data was exposed. In addition, customers' confidential financial information was dumped in the trash, the FTC said.

The settlement between NHC and its president, Christopher Likens, bars deceptive claims about privacy and security policies and requires that the company implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.

Officials at NHC, which serves customers in 44 states, could not be reached for comment.

[...]

From cwalsh at cwalsh.org Thu May 11 12:53:32 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 11 May 2006 11:53:32 -0500
Subject: [Dataloss] Ohio University -- 3rd breach
Message-ID: <20060511165325.GA22309@cwalsh.org>

Student info accessed in 3rd data breach at Ohio University
Akron Beacon Journal - Akron,OH,USA
... health information.
The breach was discovered a week ago. The university reported two data thefts in late April. Someone gained ...

[Via a Google Alert]

From rforno at infowarrior.org Thu May 11 12:56:00 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 11 May 2006 12:56:00 -0400
Subject: [Dataloss] New data security proposal surfaces in Congress
Message-ID:

New data security proposal surfaces in Congress
By Anne Broache
http://news.com.com/New+data+security+proposal+surfaces+in+Congress/2100-7348_3-6071216.html

Story last modified Thu May 11 09:45:04 PDT 2006

WASHINGTON--A new proposal in Congress would force anyone who possesses electronic personal data to report "major" security breaches to federal authorities before alerting consumers--or face hefty fines and even imprisonment.

The 11-page House of Representatives bill aims to deter identity thieves and dismantle cybercrime operations, such as phishing scams, that swipe personal information. It was introduced this week by House Judiciary Committee Chairman James Sensenbrenner and backed by three Republicans and one Democrat.

Because of inadequate enforcement tools, "the scope and frequency of cybercrime is growing rapidly and now includes many intentional criminal syndicates and is threatening our economy, safety and prosperity," said Rep. Howard Coble, the North Carolina Republican who presided over Thursday's hearing.

This measure, called the Cybersecurity Enhancement and Consumer Data Protection Act, is part of a constellation of proposals in Congress that seek to respond to a slew of high-profile data breaches that became public during the last year or two. Proposed solutions range from notification of data breaches to restricting some uses of Social Security numbers.

The Republican-backed bill would require "whoever owns or possesses data in electronic form" that contains personally identifiable information--such as a person's name, Social Security number, or date of birth--to inform the U.S.
Secret Service or the Federal Bureau of Investigation within two weeks of discovering a "major breach." Those law enforcement officials could then decide to delay notification to consumers by as much as 30 days if they determine that disclosure would harm criminal investigations or national security.

The bill defines "major breach" as any incident that involves personal information of 10,000 or more individuals, databases owned by the federal government, or personal data about federal employees or contractors involved in "national security matters or law enforcement."

Refusing to comply with the rules could result in up to five years in prison or fines of $50,000 for each day that the intrusion is not reported--an idea endorsed by the Justice Department.

Balking at penalties

Critics have raised the question of whether criminal penalties are appropriate. In a letter to Coble, Ken Wasch, president of the Software and Information Industry Association, questioned whether the establishment of a new crime for failure to notify when a breach has occurred is "an appropriate response to combating the pernicious effects of identity theft." Such a tactic inappropriately places the burden on companies and individuals hoping to safeguard data, not the criminals looking to exploit it, Wasch said.

The bill differs from data security bills pending in other House committees in that it does not specifically require consumers to be notified directly of breaches.

Susanna Montezemolo, a policy analyst for Consumers Union, urged politicians to "tread carefully" on the latest proposal. "The legislation does not address some of the broader consumer protection issues," such as requiring direct notification to consumers whose data has been compromised and letting them review and update their personal information periodically for accuracy, she said.

Those omissions also prompted a lukewarm response to the bill from Rep.
Robert "Bobby" Scott, the senior Virginia Democrat on the Judiciary panel. "Some tweaking of bill is desirable to clarify intent and application of some of its provisions," he said. Other data security bills already approved by House committees do contain more consumer-oriented requirements, and the Judiciary Committee's version appears likely to be combined with one or more of those proposals. But some of those other bills, particularly one voted out of the House Financial Services Committee in March, have also encountered criticism from consumer groups. They've said they're concerned that bill's approval would water down identity-theft protection by trumping arguably stronger laws already passed at the state level, particularly California. The Judiciary proposal focuses more on the law enforcement angle of cybercrime. In addition to the notification requirements, it would also expand the legal definition of current computer fraud laws to penalize those who unlawfully obtain personally identifiable information. It also attempts to outlaw illicit use of "botnets," defined in the bill as "the capability to gain access to or remotely control without authorization" computers belonging to financial institutions or involved in commerce. For offenders of those crimes, the bill proposes beefing up penalties to as many as 30 years in prison--rather than the existing maximum of 10- to 20-year sentences. That move received the Justice Department's endorsement but drew skepticism from Rep. Dan Lungren, the California Republican who heads a cybersecurity panel in the House Homeland Security committee. Lungren said he's concerned the bill focuses too heavily on prosecuting crimes that have already been committed and not enough on the consumer side of combating the problem. "What I'm concerned about is the lack of knowledge among consumers of what they can do to protect themselves...and I am one of those consumers," he said.
The House hearing comes one day after President Bush met with identity theft victims at the White House and announced the creation of an identity theft "task force" chaired by the Attorney General and the chairman of the Federal Trade Commission. The FTC also launched its own identity theft education campaign in which it planned to dispatch videos and literature to "victim advocate" organizations for distribution to the public. From lyger at attrition.org Fri May 12 14:04:06 2006 From: lyger at attrition.org (lyger) Date: Fri, 12 May 2006 14:04:06 -0400 (EDT) Subject: [Dataloss] To fight nondigital data breaches, Iron Mountain touts shredding Message-ID: http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000412 By Jaikumar Vijayan May 12, 2006 (Computerworld) -- Not all data compromises arise from malicious hacking incidents or from the loss of computers and storage media containing sensitive information. Data thefts often occur when companies fail to properly destroy paper documents and other media containing important information. With that in mind, Boston-based records management firm Iron Mountain Inc. this week announced a facility -- which it claimed is the largest of its kind in the world -- designed to help enterprises destroy media containing confidential information. The 55,000-square-foot facility, located in Jersey City, N.J., can shred 200 tons of paper a day and up to 48,000 tons of paper a year, said Susan Bergin, a spokeswoman for Iron Mountain's secure shredding services group. The facility uses a variety of high-end equipment to shred, grind and destroy not just paper documents but also other media, including X-rays, microfiche, computer disks, cartridges, videotapes, CDs and DVDs, she said. Sealed containers with media that needs to be destroyed will be shipped from the client's location to Iron Mountain facilities for disposal and recycling. [...] 
From lyger at attrition.org Fri May 12 18:53:27 2006
From: lyger at attrition.org (lyger)
Date: Fri, 12 May 2006 18:53:27 -0400 (EDT)
Subject: [Dataloss] Wells Fargo fesses up to data loss
Message-ID:

[ Wells Fargo has already been reported, but this exact scenario crossed my mind a few months ago. What if you were a client of both Ameriprise (1/25/06) and Providence Home Services (1/26/06) when they made their public announcements in the same week? Would the "total amount of people affected for the year" count for duplications? Most likely not. - lyger ]

http://www.theregister.co.uk/2006/05/12/wellsfargo_computer_loss/
By Ashlee Vance in Mountain View
Published Friday 12th May 2006 19:05 GMT

At least one poor Hewlett Packard employee compromised by Fidelity's March laptop loss has now been told Wells Fargo lost his personal data, too. The staffer received a note this week from Wells Fargo, saying the financial institution had lost a computer packed full of sensitive data such as customers' names, addresses, Social Security numbers and Wells Fargo mortgage loan account numbers, according to a document sent to The Register. Wells Fargo has admitted the loss, telling us that it affected a "relatively small percentage of Wells Fargo customers." The company, however, has millions of customers, so it's pretty tough to tell what a "small percentage" means. [...]

From rforno at infowarrior.org Mon May 15 22:51:51 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 15 May 2006 22:51:51 -0400
Subject: [Dataloss] Credit card security rules to get update
Message-ID:

Credit card security rules to get update
By Joris Evers
http://news.com.com/Credit+card+security+rules+to+get+update/2100-1029_3-6072594.html
Story last modified Mon May 15 18:45:15 PDT 2006

SAN FRANCISCO--Proposed new security rules for credit card-accepting businesses will put more scrutiny on software, but let them off the hook on encryption.
The update to the Payment Card Industry (PCI) Data Security Standard, due this summer, responds to evolving attacks as well as to challenges some businesses have with the encryption of consumer data, Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, said here Monday. The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities, Maxwell said in a presentation at a security conference hosted by vulnerability management specialist Qualys. Currently, merchants are required to validate only that there are no security holes in their network. "There is an increase in application level attacks," Maxwell said. While security stands to benefit from a broader vulnerability scan, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data. "Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said. In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more acceptable compensating and mitigating controls," he said. While PCI is good in principle, relaxing encryption requirements is not, said Paul Simmonds, a representative of the Jericho Forum, a group of companies that promote open security technologies. "It basically means that if you hack the system, you get the data," he said. "I can't think of a good alternative for encryption." The challenge with encryption is that older payment systems were not built to support the scrambling technology, said Qualys CEO Philippe Courtot.
"Encryption is the ultimate measure of security, but the current applications have not been designed with encryption in mind," Courtot said. The PCI security standard was developed by MasterCard and Visa and went into effect last year. It aims to reduce the risk of an attack by mandating the proper use of firewalls, message encryption, computer access controls and antivirus software. It also requires frequent security audits and network monitoring, and forbids the use of default passwords. Retailers that don't comply may face penalties, including fines.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

From lyger at attrition.org Tue May 16 12:04:40 2006
From: lyger at attrition.org (lyger)
Date: Tue, 16 May 2006 12:04:40 -0400 (EDT)
Subject: [Dataloss] Medical ID theft on the rise
Message-ID:

http://www.baltimoresun.com/business/bal-ambrose0515,0,5443957.column
Watch out for medical identity theft
By Eileen Ambrose

We shred our papers and delete anything "phishy" to prevent thieves from posing as us and stealing our money. Now there's a new twist to watch out for -- medical identity theft. This is when thieves use your name or insurance information to get medical treatment. Or, they might use it to buy prescription drugs or get reimbursed by insurance companies for services you never received. That's not the worst of it. False entries on health care records mean you could end up being treated based on someone else's medical history, says Pam Dixon, executive director of the World Privacy Forum. Dixon's group last week issued a report on this crime, roughly estimating that it has ensnared 250,000 to 500,000 consumers so far. [...]
From lyger at attrition.org Tue May 16 13:28:56 2006
From: lyger at attrition.org (lyger)
Date: Tue, 16 May 2006 13:28:56 -0400 (EDT)
Subject: [Dataloss] Congress eyes restrictions on use of Social Security numbers
Message-ID:

http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000482
By Jaikumar Vijayan
May 15, 2006 (Computerworld)

The possibility that U.S. lawmakers might restrict the widespread use of Social Security numbers in commerce because of consumer privacy issues is prompting concern in the financial services industry. Such a move would rob businesses of a reliable and widely used identity-verification method while doing little to bolster consumer privacy, said Randy Lively Jr., CEO of the American Financial Services Association in Washington. Lively was one of several industry representatives who testified at a hearing last week on the use of Social Security numbers in commerce. Lively spoke before a subcommittee of the House Committee on Energy and Commerce. "The Social Security number is the only unique identifier in our country that enables a credit grantor, or a credit bureau, or a bank, or an insurance company, or an investment firm to be sure that the consumer they are doing business with" is legitimate, he said. Any attempt to change that use could disrupt the nation's economy, Lively argued. While concerns about the misuse of Social Security numbers and their link to identity theft are valid, Lively said lawmakers need to understand the consequences of barring their use for commercial purposes. "What would be put in place if that number were to go away and a new identifier was put in place? And wouldn't that identifier be susceptible to the same kind of fraud?" Lively asked. [...]
From lyger at attrition.org Tue May 16 16:58:39 2006 From: lyger at attrition.org (lyger) Date: Tue, 16 May 2006 16:58:39 -0400 (EDT) Subject: [Dataloss] GE security exec shares tips for reducing security risks Message-ID: Courtesy InfoSec News and WK: http://www.networkworld.com/news/2006/051506-ge-security.html By Bob Brown NetworkWorld.com 05/15/06 When it comes to putting data and identity thieves in their place, Peter Costa says there's no room for being Mr. Nice Guy. "Have a public hanging - they have to know you'll go after them," says Costa, who heads up enterprise security at GE Consumer Finance - Americas. Companies need to be "fanatical about prosecution," he says. Costa outlined his views (which he stressed are not all necessarily those of GE as well) for dealing with data and identity theft during a presentation at last week's CIO Forum (more from the conference [1]). The unique annual conference brings together IT suppliers and potential buyers on a cruise ship sailing out of New York City. GE will actually call the parole board when a thief's hearing is coming up to discourage the person's release, Costa says. Before prosecution, GE will wrap up a case as tightly as it can to ensure that law enforcement takes identity and data theft seriously. "You've [...] From lyger at attrition.org Wed May 17 12:52:23 2006 From: lyger at attrition.org (lyger) Date: Wed, 17 May 2006 12:52:23 -0400 (EDT) Subject: [Dataloss] Mercantile says laptop theft could put customers at risk Message-ID: http://baltimore.bizjournals.com/baltimore/stories/2006/05/08/daily37.html Baltimore Business Journal - May 12, 2006 by Rachel Sams Mercantile Bankshares Corp. said late Friday that a laptop computer containing personal information for more than 48,000 customers was stolen from an employee of subsidiary Mercantile Potomac Bank. Mercantile Potomac Bank, which serves Fairfax and Loudoun counties in Northern Virginia, said it is notifying customers about the incident. 
The bank said the theft appears to have been random. The stolen computer contained confidential information about some customers, including Social Security numbers and account numbers. Mercantile said there is no indication to date that any of the customer information has been misused. The bank says it contacted regulators and law enforcement after learning of the situation. The Mercantile Potomac Bank employee removed the computer from bank premises, which was a violation of Mercantile's policies, the bank said. [...] From cwalsh at cwalsh.org Wed May 17 22:35:13 2006 From: cwalsh at cwalsh.org (Chris Walsh) Date: Wed, 17 May 2006 21:35:13 -0500 Subject: [Dataloss] Interesting situation in a California school district Message-ID: <29E6C0DC-BEBA-440D-BEAF-C1F839EB552F@cwalsh.org> Twenty employees (and counting) have had credit cards opened in their name over the last few days, by persons unknown. Officials are trying to find the common thread that links these people -- perhaps a breached HR system, etc. Article at http://www.modbee.com/local/story/12194138p-12937352c.html [If I was in the marketing department of a SW firm that had a product to detect this kind of "information leakage", I'd offer to deploy it at this school district for free. The ad copy would practically write itself if a compromised system (or corrupt insider) were detected by it.] From rkholmes at gmail.com Sat May 20 12:52:45 2006 From: rkholmes at gmail.com (Rob Holmes) Date: Sat, 20 May 2006 09:52:45 -0700 Subject: [Dataloss] New document on http://www.providenceidentitytheft.com Message-ID: <55bfbe200605200952l4b0adb53r40c8b25812b6e78d@mail.gmail.com> Greetings, First off I want to thank lyger and all the folks at attrition.org for providing such an amazing resource that this data loss mailing list has turned out to be. Secondly, I have added a rather interesting document to my website. 
It's the defendant's first response to the plaintiff's first request for admissions in the class action suit that a local Portland law firm is driving. I have hotlink protection enabled on my site so posting the link in this email will be of no use to anyone. Please head to http://www.providenceidentitytheft.com and click on the downloads link at the top of the page. There you will see the entry in the table for the document. It was definitely an interesting read.

Regards,
Rob

From cwalsh at cwalsh.org Sun May 21 10:08:51 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sun, 21 May 2006 09:08:51 -0500
Subject: [Dataloss] Today's realities, y'know?
Message-ID:

Interesting article on how delay in breach notification due to ongoing law enforcement activity can play out. Uses Wells-Fargo as an example.

http://www.dfw.com/mld/dfw/news/consumer_news/14634439.htm

I didn't realize W-F had been hit at least seven times since 2003:

From the article:

In November 2003, a laptop stolen from a consultant contained confidential information about 201,000 Wells Fargo customers.
In February 2004, a computer theft from a rental car driven by two bank employees involved data of nearly 38,000 customers.
In March 2004, a computer theft from a bank office involved data for 35,000 Wells Fargo customers.
In October 2004, four computers stolen from the office of a bank affiliate involved personal data for 460,000 Wells Fargo customers.
In November 2004, Wells Fargo told customers that three computers with personal loan and mortgage information had been stolen from an Atlanta office.
In April 2005, Wells Fargo notified customers that personal account information might have been sent to other customers by mistake.

The latest one is another stolen computer.
From lyger at attrition.org Mon May 22 13:32:38 2006
From: lyger at attrition.org (lyger)
Date: Mon, 22 May 2006 13:32:38 -0400 (EDT)
Subject: [Dataloss] Data on 26.5 million veterans stolen from home
Message-ID:

http://www.cnn.com/2006/US/05/22/vets.data.reut/index.html
Monday, May 22, 2006; Posted: 1:18 p.m. EDT (17:18 GMT)

WASHINGTON (Reuters) -- Personal data on about 26.5 million U.S. military veterans was stolen from the residence of a Department of Veterans Affairs data analyst who improperly took the material home, Veterans Affairs Secretary Jim Nicholson said Monday. The data included names, Social Security numbers and dates of birth for the veterans, Nicholson said, but "there is no indication at this time" that the data had been used for identity theft. Nicholson said the theft of the data took place this month, but declined to identify the employee or the location of the burglary. "The employee has been placed on administrative leave pending the outcome of the investigation. We have a full-scale investigation going on in this," Nicholson told reporters by telephone. [...]

From cwalsh at cwalsh.org Mon May 22 15:32:17 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 22 May 2006 14:32:17 -0500
Subject: [Dataloss] Oops. 26 million US veterans, stolen PC
Message-ID: <20060522193211.GA13364@cwalsh.org>

http://www.gcn.com/online/vol1_no1/40840-1.html

From lyger at attrition.org Mon May 22 17:26:05 2006
From: lyger at attrition.org (lyger)
Date: Mon, 22 May 2006 17:26:05 -0400 (EDT)
Subject: [Dataloss] Op-Ed: Vets Deserve Better Treatment After Data Theft
Message-ID:

http://redtape.msnbc.com/2006/05/vets_deserve_be.html
Posted: Monday, May 22 at 03:14 pm CT by Bob Sullivan

It is perhaps the largest theft of Social Security numbers to date. And the victims, who once put their lives on the line for their country, appear to be getting even less compensation than most victims of data theft.
On Monday, the Veterans Administration announced that an employee had taken home data on 26.5 million veterans, and that data was stolen. It's a staggering amount, dwarfing other recent high-profile incidents at major U.S. firms like Citibank, ChoicePoint, and Bank of America. And yet, the support offered to victims by the VA is dwarfed by the support corporate America has offered in similar situations. It's become standard practice for data leakers to offer free credit monitoring to victims, so they are able to watch their credit reports daily for signs of misuse. The services are available from the credit bureaus, and cost about $10 a month. Corporations that leak data and foot the bill usually get big discounts. So far, the vets haven't been offered credit monitoring. Instead, the VA is reminding victims that they are entitled to a free copy of their credit report every year, and then basically wishing them good luck. [...]
From lyger at attrition.org Tue May 23 08:40:14 2006 From: lyger at attrition.org (lyger) Date: Tue, 23 May 2006 08:40:14 -0400 (EDT) Subject: [Dataloss] OMB to agencies: Review personal data protections Message-ID: Courtesy InfoSec News and WK: http://www.gcn.com/online/vol1_no1/40842-1.html By Mary Mosquera GCN Staff 05/22/06 The Office of Management and Budget has directed agencies' senior privacy officials to review and correct any policies and processes to ensure that they protect against misuse of or unauthorized access to personally identifiable information. The memo, dated today from OMB acting director Clay Johnson, comes on the same day the Veterans Affairs Department announced that electronic data containing the personal information of up to 26.5 million veterans was stolen from the home of a VA employee. "Because federal agencies maintain significant amounts of information concerning individuals, we have a special duty to protect that information from loss and misuse," he said in the memo. The memo re-emphasizes agencies' responsibility to safeguard sensitive personally identifiable information and to train employees on their responsibilities, especially related to provisions of the Privacy Act. [...] From cwalsh at cwalsh.org Tue May 23 12:31:42 2006 From: cwalsh at cwalsh.org (Chris Walsh) Date: Tue, 23 May 2006 11:31:42 -0500 Subject: [Dataloss] Vets' data theft kept secret for 19 days Message-ID: <20060523163141.GA19592@cwalsh.org> So says CNN: http://www.cnn.com/2006/US/05/23/vets.data/ "The government did not immediately announce the theft because officials had hoped to catch the culprits and did not want to tip them off about what they had stolen for fear they would sell it, the government source said. On Monday, officials abandoned that plan and alerted the public." 
From lyger at attrition.org Tue May 23 16:14:00 2006 From: lyger at attrition.org (lyger) Date: Tue, 23 May 2006 16:14:00 -0400 (EDT) Subject: [Dataloss] Americans want better data security laws Message-ID: http://www.fcw.com/article94613-05-23-06-Web By Michael Arnone Published on May 23, 2006 The U.S. public wants stronger federal data security legislation as its confidence wanes in current laws intended to protect them on the Internet, according to a new survey the Cybersecurity Industry Alliance released today. The April survey of 1,150 adults found that only 18 percent - less than one in five - believe that existing laws are sufficient to protect them on the Internet. The survey's results come a day after the Department of Veterans Affairs revealed that personal information of about 26.5 million veterans - including their names, Social Security numbers, disability ratings and birth dates - was stolen sometime in the past month from the home of a VA employee who took the information home without authorization. With so many Americans vulnerable to exploitation, "the survey reiterates that Americans are concerned with this issue and want to see an adequate legal framework" to protect them, said Shannon Kellogg, director of government and industry affairs at RSA Security and a member of the National Cyber Security Alliance's Board of Officers. [...] From cwalsh at cwalsh.org Tue May 23 20:26:08 2006 From: cwalsh at cwalsh.org (Chris Walsh) Date: Tue, 23 May 2006 19:26:08 -0500 Subject: [Dataloss] University of Delaware (again) Message-ID: <0EECB8A4-58AF-4819-B0BB-607844E9BA9C@cwalsh.org> Public Safety server gets hit by intruder. 1076 people have name, SSN, and license number revealed. "It appears that the intruders were interested in copying at least some of the information in the database, Flatley said, and therefore it is possible that information that could lead to identity theft is in the hands of an unauthorized person." 
More at http://www.udel.edu/PR/UDaily/2006/may/breach052306.html

From rforno at infowarrior.org Wed May 24 06:33:16 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 24 May 2006 06:33:16 -0400
Subject: [Dataloss] Agency Delayed Reporting Theft of Veterans' Data
Message-ID:

Agency Delayed Reporting Theft of Veterans' Data
By DAVID STOUT and TOM ZELLER Jr.
http://www.nytimes.com/2006/05/24/washington/24identity.html?_r=1&oref=slogin&pagewanted=print

WASHINGTON, May 23 — The Veterans Affairs Department learned about the theft of electronic data on 26.5 million veterans shortly after it occurred, on May 3, but waited two weeks before telling law enforcement agencies, officials said Tuesday. The officials said investigators in the Justice Department and the Federal Bureau of Investigation were furious with the leaders of the veterans agency for initially trying to handle the loss of the data as an internal problem through the agency's inspector general before coming forward. Officials said the investigators in the Justice Department and F.B.I. had complained that the delay might have cost them clues to the whereabouts of the data, stored on computer disks that were stolen in a burglary on May 3 at the home of an agency employee in Maryland. A spokesman for the agency, Matt Burns, declined to comment on the timing of the announcement. The disks carried names and accompanying Social Security numbers and dates of birth, practically keys to identity in the computer age. It was not clear, in the absence of an explanation from the agency, why its officials waited for days to disclose the theft to law enforcement people and still more days to announce it to the public or what internal discussions might have prompted them to change their minds. As the department sought to reassure veterans not privy to the bureaucratic machinations here and to deal with a security lapse that was becoming a public relations disaster, some veterans were uneasy and suspicious.
"Why did the V.A. wait 19 days to notify veterans?" John Rowan, president of the Vietnam Veterans of America, asked. Perhaps, Mr. Rowan suggested, the department learned that the news was about to be leaked. The wife of a disabled veteran of the gulf war, Penny Larrisey of Doylestown, Pa., expressed what countless crime victims have said. "Just right about now, the only way you can feel is you've been violated," Mrs. Larrisey said in a telephone interview. The department has emphasized that there was as yet no indication that the data, taken home without authorization by the employee, had been put to ill use. But Mrs. Larrisey, whose husband, Bob, was an Air Force sergeant, was not soothed. "This puts us in a position of one paycheck away from disaster," she said, worrying that a computer-savvy thief with access to specifics about her husband's disability payments could tap into their bank account. The authorities continued to investigate the activities of the employee, who is on administrative leave. Officials familiar with the case said that while investigators had no reason to dispute the employee's account, they were nonetheless puzzled why little else of value besides the data-laden disks were stolen. In an added twist, the officials said investigators were having trouble finding the employee but did not think that he was necessarily trying to be evasive. Several aspects remained murky, including how much communication, if any, there was between the Montgomery County police in Maryland and federal investigators about the disks. Mr. Rowan of the Vietnam veterans' group said the Veterans Affairs Department should do more than just post information on its Web site advising veterans to scrutinize their financial records and telling them what to do if they find something wrong. "The V.A. has put veterans at risk for identity theft," he said. "If this were the private sector, they would be required to provide each veteran with free credit-reporting services." 
A spokesman for Senator Larry E. Craig, the Idaho Republican who is chairman of the Veterans Affairs Committee, said the panel would consider just such measures when it holds a hearing on the case on Thursday morning. The spokesman, Jeff Schrade, said government agencies should treat personal data as "top secret information." Christopher Walsh, a lawyer here who specializes in security cases, said the theft conveyed a disturbing message, that "the government has paid far less attention to the issue of data security than the people think — and far less than business." Recent federal laws entitle every consumer the right to one free credit report from each major consumer credit-reporting agency — Experian, Equifax and TransUnion — every year. But for closer monitoring of credit status, the kind that some consumers turn to when they fear that their records have been compromised, the companies charge a fee. Ten dollars a month after a free 30-day trial is typical. If veterans feel threatened enough to enter such arrangements, "the government ought to pay for it, in my view," Mr. Walsh said. At least two companies offering identity-theft protection, LifeLock and MyPublicInfo, said they had discount packages for veterans affected by the theft. Senator Craig's spokesman, Mr. Schrade, declined to predict what would happen at the hearing on Thursday or how the security breach would be repaired. "But," he said, "I don't think we're going to get out of this on the cheap."

Maureen Balleza contributed reporting from Houston for this article.

From cwalsh at cwalsh.org Wed May 24 10:49:04 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 24 May 2006 09:49:04 -0500
Subject: [Dataloss] Agency Delayed Reporting Theft of Veterans' Data
In-Reply-To:
References:
Message-ID: <20060524144855.GA17416@cwalsh.org>

Speaking of identity theft. :^)
Sheesh.
Chris

On Wed, May 24, 2006 at 06:33:16AM -0400, Richard Forno wrote:
>
> Christopher Walsh, a lawyer here who specializes in security cases, said the
> theft conveyed a disturbing message, that "the government has paid far less
> attention to the issue of data security than the people think — and far less
> than business."

From cat at reptiles.org Wed May 24 10:54:42 2006
From: cat at reptiles.org (Cat Okita)
Date: Wed, 24 May 2006 10:54:42 -0400 (EDT)
Subject: [Dataloss] Agency Delayed Reporting Theft of Veterans' Data
In-Reply-To: <20060524144855.GA17416@cwalsh.org>
References: <20060524144855.GA17416@cwalsh.org>
Message-ID: <20060524105323.T37980@skink.reptiles.org>

On Wed, 24 May 2006, Chris Walsh wrote:
> On Wed, May 24, 2006 at 06:33:16AM -0400, Richard Forno wrote:
> > Christopher Walsh, a lawyer here who specializes in security cases, said the
> > theft conveyed a disturbing message, that "the government has paid far less
> > attention to the issue of data security than the people think — and far less
> > than business."
>
> Speaking of identity theft. :^)
> Sheesh.

Bah. That's not identity theft - that's identity collision ;>

(and if you work together, identity collusion...)

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."

From cwalsh at cwalsh.org Wed May 24 21:24:27 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 24 May 2006 20:24:27 -0500
Subject: [Dataloss] American Red Cross: somewhere between 8, 000 and a million blood donors.
Notice provided via a press release and a web page
Message-ID: <4C740301-051C-4088-BC27-3E6883529E90@cwalsh.org>

I wrote about it at http://www.emergentchaos.com/archives/2006/05/american_red_cross_unknow.html

The summary is that a corrupt employee stole 8K lines of donor info -- name, addr, ssn

The SSN was unnecessarily provided to the employee. This practice will be changed.

Notice was sent to the 8K.

Problem is, the Red Cross has since realized/been told that the number of people whose info may have been obtained is actually one million. They don't know for sure who was exposed, so they are sending letters to nobody, and using a web page and press release instead, as permitted by the "substitute notice" provision in the relevant law(s).

From lyger at attrition.org Thu May 25 07:41:41 2006
From: lyger at attrition.org (lyger)
Date: Thu, 25 May 2006 07:41:41 -0400 (EDT)
Subject: [Dataloss] Many warned about Sacred Heart University computer security breach
Message-ID:

Courtesy InfoSec News and WK

http://www.wtnh.com/Global/story.asp?S=4947217
By News Channel 8's Annie Rourke
WTNH
May 24, 2006

A possible security breach at Sacred Heart University but is personal information at risk? That's what some people are asking tonight after receiving a letter from Sacred Heart University stating some of their information may be at risk. The problem is some of the people warned aren't even students at the university. The letter turned up in some mailboxes Wednesday advising recipients that the security system of one of the university's computers may have been breached and that things like their social security numbers may have been stolen. [...]
From adam at homeport.org Thu May 25 07:53:11 2006
From: adam at homeport.org (Adam Shostack)
Date: Thu, 25 May 2006 07:53:11 -0400
Subject: [Dataloss] Many warned about Sacred Heart University computer security breach
In-Reply-To:
References:
Message-ID: <20060525115311.GA18479@homeport.org>

I'm wondering..do SAT scores come as (name, ssn, score) tuples?
Schools buy SAT and PSAT scores for marketing purposes, but what do
they get when they buy?

It turns out that they no longer do, but did 4 years ago. See 2nd
link, below.

Adam

PS: http://www.collegeboard.com/highered/ra/rp/rp.html
http://www.collegeboard.com/sss/help/policiesandguidelines/ssnumbers/index.html

On Thu, May 25, 2006 at 07:41:41AM -0400, lyger wrote:
|
| Courtesy InfoSec News and WK
|
| http://www.wtnh.com/Global/story.asp?S=4947217
|
| By News Channel 8's Annie Rourke
| WTNH
| May 24, 2006
|
| A possible security breach at Sacred Heart University but is personal
| information at risk?
|
| That's what some people are asking tonight after receiving a letter
| from Sacred Heart University stating some of their information may be
| at risk.
|
| The problem is some of the people warned aren't even students at the
| university.
|
| The letter turned up in some mailboxes Wednesday advising recipients
| that the security system of one of the university's computers may have
| been breached and that things like their social security numbers may
| have been stolen.
|
| [...]
|
| _______________________________________________
| Dataloss Mailing List (dataloss at attrition.org)
| http://attrition.org/errata/dataloss/

From cwalsh at cwalsh.org Thu May 25 20:30:01 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 25 May 2006 19:30:01 -0500
Subject: [Dataloss] Vets' info kept at home for 3 years.
	VA Inspector General first learned of it via "office gossip"
Message-ID:

http://www.first.org/newsroom/globalsecurity/26359.html

Audio of the House Veterans' Affairs Committee hearing into the theft, conducted today, is available at
http://veterans.house.gov/hearings/schedule109/may06/5-25-06/5-25-06.wma

From lyger at attrition.org Fri May 26 14:43:05 2006
From: lyger at attrition.org (lyger)
Date: Fri, 26 May 2006 14:43:05 -0400 (EDT)
Subject: [Dataloss] More info on Department of Veterans Affairs breach
Message-ID:

(Not to over-do the VA story, but here are a couple of links I hadn't
known of before today)

General information about the breach (including the phrase "extra
vigilant" used four or five times):

http://firstgov.gov/veteransinfo.shtml

$50,000 reward offered for information leading to recovery of the stolen
hardware:

http://www.firstgov.gov/veterans_reward_offered.pdf

From bgivens at privacyrights.org Fri May 26 14:57:18 2006
From: bgivens at privacyrights.org (Beth Givens)
Date: Fri, 26 May 2006 11:57:18 -0700
Subject: [Dataloss] More info on Department of Veterans Affairs breach
In-Reply-To:
References:
Message-ID: <6.2.5.6.2.20060526115534.05017658@privacyrights.org>

The VA's information page is woefully inadequate. The VA's web page is woefully and shamefully lacking fyi.

You might be interested in our tip sheet for veterans:
http://www.privacyrights.org/ar/VABreach.htm

We are going to add a section to our tip sheet over the weekend that suggests advocacy actions vets can take re: legislation, HIPAA complaints, and Privacy Act violations.
Beth

At 11:43 AM 5/26/2006, lyger wrote:
>(Not to over-do the VA story, but here are a couple of links I hadn't
>known of before today)
>
>General information about the breach (including the phrase "extra
>vigilant" used four or five times):
>
>http://firstgov.gov/veteransinfo.shtml
>
>$50,000 reward offered for information leading to recovery of the stolen
>hardware:
>
>http://www.firstgov.gov/veterans_reward_offered.pdf

The information, advice, and suggestions contained in this email should be used as an information source and not as legal advice.

Beth Givens, Director
Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
San Diego, CA 92103
Voice: 619-298-3396
Fax: 619-298-5681
bgivens at privacyrights.org
http://www.privacyrights.org
+++++++++++++++++++++++++++++++++++++
Join our email newsletter.
http://www.privacyrights.org/subscribe.html

From bgivens at privacyrights.org Fri May 26 16:23:29 2006
From: bgivens at privacyrights.org (Beth Givens)
Date: Fri, 26 May 2006 13:23:29 -0700
Subject: [Dataloss] Many warned about Sacred Heart University computer security breach
In-Reply-To: <20060525115311.GA18479@homeport.org>
References: <20060525115311.GA18479@homeport.org>
Message-ID: <6.2.5.6.2.20060526132243.04f213a0@privacyrights.org>

I called the phone number given below and the individual who answered said that SSNs for some individuals were included in the breached data.

Beth

At 04:53 AM 5/25/2006, Adam Shostack wrote:
>I'm wondering..do SAT scores come as (name, ssn, score) tuples?
>Schools buy SAT and PSAT scores for marketing purposes, but what do
>they get when they buy?
>
>It turns out that they no longer do, but did 4 years ago. See 2nd
>link, below.
>
>Adam
>
>PS: http://www.collegeboard.com/highered/ra/rp/rp.html
>http://www.collegeboard.com/sss/help/policiesandguidelines/ssnumbers/index.html
>
>
>
>On Thu, May 25, 2006 at 07:41:41AM -0400, lyger wrote:
>|
>| Courtesy InfoSec News and WK
>|
>| http://www.wtnh.com/Global/story.asp?S=4947217
>|
>| By News Channel 8's Annie Rourke
>| WTNH
>| May 24, 2006
>|
>| A possible security breach at Sacred Heart University but is personal
>| information at risk?
>|
>| That's what some people are asking tonight after receiving a letter
>| from Sacred Heart University stating some of their information may be
>| at risk.
>|
>| The problem is some of the people warned aren't even students at the
>| university.
>|
>| The letter turned up in some mailboxes Wednesday advising recipients
>| that the security system of one of the university's computers may have
>| been breached and that things like their social security numbers may
>| have been stolen.
>|
>| [...]

The information, advice, and suggestions contained in this email should be used as an information source and not as legal advice.

Beth Givens, Director
Privacy Rights Clearinghouse
3100 - 5th Ave., Suite B
San Diego, CA 92103
Voice: 619-298-3396
Fax: 619-298-5681
bgivens at privacyrights.org
http://www.privacyrights.org
+++++++++++++++++++++++++++++++++++++
Join our email newsletter.
http://www.privacyrights.org/subscribe.html

From dano at well.com Tue May 30 00:10:11 2006
From: dano at well.com (dano)
Date: Mon, 29 May 2006 21:10:11 -0700
Subject: [Dataloss] LA Times on data loss from universities
Message-ID:

fair use for this list

Colleges an Open Book for Hackers
Cyber criminals find universities are rich in personal data and easier prey than banks.

By Lynn Doan
Times Staff Writer
7:49 PM PDT, May 29, 2006

Computer systems at universities across the nation are becoming favorite targets of hackers, and rising numbers of security breaches have exposed the personal information of thousands of students, alumni, employees and even college applicants.

Since January, at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide. In these incidents, compiled by identity theft experts who monitor media reports, hackers have gained access to Social Security numbers and, in some cases, medical records.

"There are so many examples within the last year demonstrating that these universities are just real, true, vulnerable targets," said Michael C. Zweiback, an assistant U.S. attorney in Los Angeles who prosecutes hackers. "All of a sudden, it seemed like we were adding on another university every week to look into."

Although comprehensive statistics on breaches of college computer systems aren't collected by a single entity, industry experts agree that the situation is growing worse.

Computer security is an increasing concern for all types of private groups and government agencies. Last week, the Department of Veterans Affairs confirmed that electronic records of up to 26.5 million veterans and some spouses were stolen from the home of a federal employee.

Cyber security officials say hackers are realizing that colleges hold many of the same records as banks. But why hack a bank, one official asked, "when colleges are easier to get into?"
Colleges accounted for the largest percentage, roughly 30%, of computer security breaches reported in the media last year, according to ChoicePoint, a consumer data-collecting firm in Georgia.

FBI Special Agent Kenneth McGuire said that five years ago, his cyber crime unit in Los Angeles worked on one to three college hacking cases at a time. On a recent afternoon, his team was working with six colleges whose systems had been hacked.

Arif Alikhan, who oversees computer hacking cases for the U.S. attorney in Washington, said that when he was chief of cyber crime in Los Angeles between 2001 and 2005, his caseload doubled.

And for the first time in seven years, colleges identified security as the most critical issue facing their computer systems, according to a survey of about 600 colleges released this month by Educause, a nonprofit group that promotes information technology use. In a 2000 survey, security wasn't even among the top five concerns.

Hackers are drawn to colleges for various reasons. In March, 41 Stanford University applicants hacked into the admissions system to see if they had been accepted. A man accused of hacking into USC's admissions system last year said he was only trying to prove that it was vulnerable. In December, hackers appear to have broken into a system at the University of Washington to find a place to store their music files.

The openness that's rooted in the nature of academic institutions is partly to blame.

"Students want to be downloading MP3's. Professors want a system for general research," McGuire said. "Whenever you have such large portals to information open, you're going to have vulnerability to attacks."

Erich Kreidler, who teaches an engineering class at USC, said he posts everything online, including grades and final exams. "It's about convenience," he said.

But convenience can have a price. Last month, the University of Texas discovered illegal access to 197,000 Social Security numbers of students, alumni and employees.
Days later, a San Diego man was charged with hacking into the USC admissions system in June 2005. Ohio University confirmed its third security breach since April, together compromising 360,000 personal records and a number of patented data and intellectual property files.

And Sacred Heart University in Connecticut reported last week that a security breach has compromised the Social Security numbers and some credit card numbers of 135,000 people - some of whom never applied to, worked at or attended the university. Like many universities, a spokeswoman said, Sacred Heart collects personal information from college entrance exams, college fairs and recruiting firms.

Robert M. Wood, chief information security officer at USC, said the college's computer system is scanned by hackers an estimated 500,000 times a day. "It's pretty much a lot of doorknob rattling," he said. "But occasionally, they find an open door."

USC has reported two security breaches in the last year.

The University of California doesn't track security breaches, but ChoicePoint has logged five hacking incidents at UC campuses since January 2005. The California State University system reported at least 24 breaches since July 2003.

In March, an 18-year-old New Jersey man was convicted of breaking into a dozen systems at San Diego State. He was sentenced to three years' probation and must pay the school $20,000 in restitution.

John Denune, technology security officer for San Diego State, said the 2003 hack exposed the Social Security numbers of more than 200,000 people. The hacker wiggled his way through an outdated system in the drama department to reach the financial aid system.

Targets of hacking have been obscure, such as 1,700-student Anderson College in South Carolina, and well-known, such as Notre Dame.

Finding the money to pay for security upgrades has been a major challenge for several schools.

"A university is fighting for every dollar to maintain a good education standard," said Rick Jones, an information security consultant in Los Angeles. "It doesn't necessarily allocate a security budget - at least not until it gets hit a couple times."

One identity theft protection firm in Arizona is catering to the college crowd. LifeLock, which charges consumers $10 a month to protect personal data, ran a full-page newspaper advertisement after the recent University of Texas hack, targeting those affected.

"We told everyone, 'You have been victimized once by the university. Take steps today,' " said Todd Davis, chief executive of LifeLock.

LifeLock has also forged partnerships with the University of Oklahoma and Arizona State University and is in talks with two other institutions.

As hacks ensue, college officials have had no choice but to increase security.

San Diego State doubled its computer security staff after the disastrous hack of 2003, said Denune, the campus security chief.

"Increasing security is expensive, it's time-consuming, and unless someone really sees the threat, it's easily put aside," he said. "This was a wake-up call."

Other colleges now require students to download anti-virus and firewall software before connecting to campus systems.

At Purdue University in Indiana, which reported two security breaches last year and two this year, students must change their passwords monthly to access class schedules, grades and e-mail. The efforts are part of SecurePurdue, a program the college launched a year ago to counter the rising attacks, said Steve Tally, IT spokesman for the university.

"Universities are very attractive to hackers," he said. "Purdue has a very good name internationally and, unfortunately, it's brought us the kind of attention we don't want."

In 2004, the college began phasing out the use of Social Security numbers to identify students and employees.
In response to last year's hack, USC has reprogrammed its admissions system and requires users to change their passwords more often. A technical security department created three years ago routinely scans computers connected to USC's network looking for machines that aren't equipped with updated anti-virus software.

At some colleges, new security measures have sparked complaints from students inconvenienced by lengthy virus scans and password prompts. But others say too much security is better than too little.

Tyler Dolezal was one of the 197,000 individuals whose Social Security numbers had been exposed in April's breach at the University of Texas. Dolezal has spent the last month trying to place fraud alerts with credit reporting agencies - a process that turned out to be unexpectedly complex because Dolezal, 18, hasn't established credit.

"These college systems hold really sensitive information on a whole lot of people," Dolezal said. "That needs to be protected as much as possible."

--
If the government wants us to obey the law it should set a better example.

From lyger at attrition.org Wed May 31 08:15:26 2006
From: lyger at attrition.org (lyger)
Date: Wed, 31 May 2006 08:15:26 -0400 (EDT)
Subject: [Dataloss] FIU Student Records Compromised By Hacker
Message-ID:

Courtesy InfoSec News and WK:

http://cbs4.com/topstories/local_story_150225136.html

By Jawan Strader
May 30, 2006

(CBS4 News) WEST MIAMI-DADE Thousands of students at Florida International University have received notices in the mail warning that their personal records might have been compromised because of a computer hacker.

The postcard sized letters were sent out last week warning of the breach that occurred two months ago. Some students were concerned because the size of the letter might make some think it's just junk mail. Students are also concerned because of the time that passed before the warning was put out.
Part of the letter read as follows:

"FIU recently discovered a computer infected with malicious software...[that] could allow an unauthorized person to gain access to a database that contained personal information, such as student and applicant names and social security numbers."

Not all students received the letter because not all student records were put at risk. However, if you did receive a warning, university officials recommend you check your credit report with the three main credit reporting agencies to make sure you have not become the victim of identity theft.

From cwalsh at cwalsh.org Wed May 31 10:55:47 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 31 May 2006 09:55:47 -0500
Subject: [Dataloss] FIU Student Records Compromised By Hacker
In-Reply-To:
References:
Message-ID: <20060531145546.GC9040@cwalsh.org>

These guys were also hit about a year ago:

Further info:

http://www.fiu.edu/pres/newsletter/may_05/may02/index.htm
http://www.fiu.edu/pres/newsletter/may_05/may02/headliner.htm
http://www.fiu.edu/pres/newsletter/june_05/june13/tech.htm

Interesting how quiet things are this time, not that school is out.

From cwalsh at cwalsh.org Wed May 31 13:13:16 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 31 May 2006 12:13:16 -0500
Subject: [Dataloss] FIU Student Records Compromised By Hacker
In-Reply-To: <20060531145546.GC9040@cwalsh.org>
References: <20060531145546.GC9040@cwalsh.org>
Message-ID: <20060531171314.GA24307@cwalsh.org>

On Wed, May 31, 2006 at 09:55:47AM -0500, Chris Walsh wrote:
>
> Interesting how quiet things are this time, not that school is out.

Oops! That should be 'NOW' that school is out.

From lyger at attrition.org Wed May 31 14:53:12 2006
From: lyger at attrition.org (lyger)
Date: Wed, 31 May 2006 14:53:12 -0400 (EDT)
Subject: [Dataloss] Texas Guaranteed Student Loan Corp. Reports Data Loss for 1.3M Borrowers
Message-ID:

http://www.bizjournals.com/austin/stories/2006/05/29/daily11.html

Texas Guaranteed Student Loan Corp.
says it lost a piece of equipment May 24 containing the names and Social Security numbers of about 1.3 million borrowers.

The loss occurred when a company TG contracted to prepare a document management system lost the piece of equipment. The company, Hummingbird Ltd., notified TG of the loss May 26.

The amount of data lost represents about 10 percent of TG's borrowers.

[...]

From lyger at attrition.org Wed May 31 15:08:02 2006
From: lyger at attrition.org (lyger)
Date: Wed, 31 May 2006 15:08:02 -0400 (EDT)
Subject: [Dataloss] Hackers gain access to server hosting bank Web sites
Message-ID:

(I realize this may be fringe-related, but in the event it comes out that CCNs and PINs were compromised...)

Courtesy InfoSec News and WK:

http://www.thestate.com/mld/thestate/business/14703801.htm

Associated Press
May. 31, 2006

MAPLEWOOD, Minn. - Premier Banks says there is no evidence so far that hackers stole and used consumer data when they diverted customers from Premier's Web site to a phony site that asked for customers' personal data.

President Mark Novitski said the Web site was immediately shut down after a customer reported the problem.

Maplewood-based Premier Banks, which operates 22 branches, was among more than 100 banks across the nation that were affected when hackers gained access to a server operated by Goldleaf Technologies Inc. of Brentwood, Tenn., on Thursday. Goldleaf is host to Web sites mostly for smaller community banks.

Customers who tried to gain access to the sites were redirected to a phony Web site that asked for a user name and password. If a customer entered them, the site then asked for credit card and ATM personal-identification numbers.

[...]

From cwalsh at cwalsh.org Wed May 31 15:35:17 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 31 May 2006 14:35:17 -0500
Subject: [Dataloss] Texas Guaranteed Student Loan Corp.
	Reports Data Loss for 1.3M Borrowers
In-Reply-To:
References:
Message-ID: <20060531193512.GA9517@cwalsh.org>

It gets better:

"How did this happen?

Extensive investigation of this incident over the course of the Memorial Day weekend revealed that in January 2006 TG had prepared a series of files containing name and Social Security number information for use by Hummingbird, a company TG engaged to prepare a document management system. TG prepared the files for transmission by encrypting the files, protecting them with a password, and sending them to a secure site via File Transfer Protocol (FTP) for retrieval by Hummingbird. Hummingbird indicated that one of its employees then downloaded the files, decrypted them, and stored them on the piece of equipment that was subsequently lost. Hummingbird also reported that the piece of equipment was password protected."

From http://www.tgslc.org/resources/customerdata.cfm#prevent

From lyger at attrition.org Wed May 31 21:43:54 2006
From: lyger at attrition.org (lyger)
Date: Wed, 31 May 2006 21:43:54 -0400 (EDT)
Subject: [Dataloss] New info on VA breach: phone numbers and medical information?
Message-ID:

http://www.cnn.com/2006/US/05/31/veterans.data.ap/index.html

Personal information on 26.5 million veterans stolen from a Veterans Affairs employee this month not only included Social Security numbers and birthdates but also in many cases phone numbers and addresses, internal documents show.

Meanwhile, VA Secretary Jim Nicholson said Wednesday that he had named a former Arizona prosecutor as a special adviser for information security. The new three-month post will pinpoint security problems at the VA and develop recommendations for improvements, Nicholson said.

The three pages of memos by the VA offer new details on the scope of one of the nation's largest security breaches.
The memos, written by privacy officer Mark Whitney and distributed to high-level officials shortly after the May 3 burglary, were obtained Wednesday by The Associated Press. They show that a file was breached that contained 6,744 records pertaining to "mustard gas veterans" -- or those who participated in chemical testing programs during World War II.

[...]