From cwalsh at cwalsh.org Sun Oct 1 12:07:52 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sun, 1 Oct 2006 11:07:52 -0500
Subject: [Dataloss] Credit data stolen at Indian call centres
Message-ID: <23A22C97-CB8E-412E-A346-C3F31BFCA822@cwalsh.org>

Credit card data, along with passport and driving licence numbers, are being stolen from call centres in India and sold to the highest bidder, an investigation has found.

Middlemen are offering bulk packages of tens of thousands of credit card numbers for sale. They even have access to taped telephone conversations in which British customers disclose sensitive security information to call centre staff.

Times Online, October 01, 2006 09:52 GMT+01
http://www.timesonline.co.uk/article/0,,2087-2383227,00.html

[Found via http://www.first.org/newsroom/globalsecurity/ ]

From lyger at attrition.org Mon Oct 2 18:20:50 2006
From: lyger at attrition.org (lyger)
Date: Mon, 2 Oct 2006 18:20:50 -0400 (EDT)
Subject: [Dataloss] Washington Airport Reports Worker Information Missing
Message-ID:

http://www.govtech.net/magazine/channel_story.php/101387

October 2, 2006

The Port of Seattle announced today that six computer disks, containing personal information for 6,939 people who work for employers at Seattle-Tacoma International Airport, are missing.

"We have no reason to believe that the information has been misused by anyone," said Mark Reis, managing director at Sea-Tac. "However, we do not know at this time whether the disks were misplaced, or were removed from Port property."

[...]

From Dissent at pogowasright.org Mon Oct 2 20:26:42 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 02 Oct 2006 20:26:42 -0400
Subject: [Dataloss] (Update) Sea-Tac airport worker information missing
Message-ID: <7.0.0.16.2.20061002202512.02572518@nowhere.org>

http://seattlepi.nwsource.com/local/287257_port02ww.html

Airport director Mark Reis said he had no reason to believe the information had been misused, but he also did not know if the disks were simply misplaced or stolen outright.

Reis said the information -- including name, date of birth, address, social security and driver's license numbers -- could not be used to actually make an airport worker badge.

[...]

From dano at well.com Mon Oct 2 22:22:47 2006
From: dano at well.com (dano)
Date: Mon, 2 Oct 2006 19:22:47 -0700
Subject: [Dataloss] new dataleak, not yet in the press?
Message-ID:

From an email on a private list, posted about 1900 GMT. I've not seen this yet in the news, but here is part of the post:

>[...] CitiBank Visa. A bit afterwards I get a call from Visa saying
>my card's been stolen but no charges have been detected, "Press 1 to
>cancel your card and have a new one sent out to you." Fuck off you
>automated harbinger of doom.
>
>I call Citi to get the scoop on why they're prank calling me.
>
>They're canceling MILLIONS of cards today because of some security
>snafu. I tell them to go ahead and kill the card and send a new one.

--
He who fights monsters should see to it that in the process he does not become a monster. - Friedrich Nietzsche

From Dissent at pogowasright.org Tue Oct 3 05:44:47 2006
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 03 Oct 2006 05:44:47 -0400
Subject: [Dataloss] Willamette Educational Service District Computer Theft Sparks Student ID Theft Scare
Message-ID: <7.0.0.16.2.20061003054253.02614a68@nowhere.org>

[...] All but one of the desktop PCs inside it were stolen.
Phone equipment and other electrical items were also taken initially, but dropped by the thieves as they left.

However, the thieves kept those computers; and they could have personal information about 4,500 high school students across Oregon.

An initial look at backup tapes from those seven stolen computers late Monday night did not show any personal identification information about those students; however, more tape must be reviewed before investigators know for sure.

http://www.koin.com/Global/story.asp?S=5487854

From Dissent at pogowasright.org Tue Oct 3 07:22:02 2006
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 03 Oct 2006 07:22:02 -0400
Subject: [Dataloss] Cumberland County Employee numbers removed from Web
Message-ID: <7.0.0.16.2.20061003071925.02649b68@nowhere.org>

CARLISLE - Cumberland County officials did a quick computer two-step yesterday after learning the Social Security numbers of some of their 1,200 employees were on the county Web site.

The information likely had been on the site for years, Chief Operating Officer John Byrne said. Fortunately, it wasn't easy to find, and there are no indications the snafu resulted in identity theft, Byrne said.

[...]

http://www.pennlive.com/news/patriotnews/index.ssf?/base/news/115984050588060.xml&coll=1

From ADAIL at sunocoinc.com Tue Oct 3 11:36:15 2006
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Tue, 3 Oct 2006 11:36:15 -0400
Subject: [Dataloss] Chase Loses Data Tapes
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC7078B@mds3aex0e.USISUNOCOINC.com>

I've not seen it in the news, but I just received a letter dated Sept 18, 2006 from Chase stating they'd lost a back-up tape with a Circuit City account number first issued by First North American National Bank.

Law enforcement has not been able to locate the tape, but they believe it was mistakenly marked as trash, compacted, and buried in a landfill.
[insert skeptic emoticon here]

Andy Dail
Sunoco PCI Project Manager

From lyger at attrition.org Tue Oct 3 12:26:52 2006
From: lyger at attrition.org (lyger)
Date: Tue, 3 Oct 2006 12:26:52 -0400 (EDT)
Subject: [Dataloss] Chase Loses Data Tapes
In-Reply-To: <8CA58E707BB1C44385FA71D02B7A1C8EC7078B@mds3aex0e.USISUNOCOINC.com>
References: <8CA58E707BB1C44385FA71D02B7A1C8EC7078B@mds3aex0e.USISUNOCOINC.com>
Message-ID:

this one?

http://attrition.org/dataloss/2006/09/chase01.html

On Tue, 3 Oct 2006, DAIL, ANDY wrote:

": " I've not seen it in the news, but I just received a letter dated Sept
": " 18, 2006 from Chase stating they'd lost a back-up tape with a Circuit
": " City account number first issued by First North American National Bank.
": "
": " Law enforcement has not been able to locate the tape, but they believe
": " it was mistakenly marked as trash, compacted, and buried in a landfill.
": " [insert skeptic emoticon here]
": "
": " Andy Dail
": " Sunoco PCI Project Manager

From Dissent at pogowasright.org Wed Oct 4 11:23:24 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 04 Oct 2006 11:23:24 -0400
Subject: [Dataloss] Rep. Mike Turner (R-OH) FOILs Census Bureau
Message-ID: <7.0.0.16.2.20061004112124.0250dc28@nowhere.org>

[...]

Therefore, on behalf of the Subcommittee on Federalism and the Census, I have sent a letter to the director of the U.S. Census Bureau, Charles Kincannon, requesting the following information:

- The exact number of missing laptop computers, thumb drives, handheld devices and computer data discs from January 2001 to present.
- Of each missing device, the date they became missing, their last known geographic location, and which ones were encrypted.
- An itemization of what information may have been on each device.
- The Census Bureau's policy for protecting laptops, thumb drives, handheld computers and data discs from January 2001 through the present.
- A comprehensive list identifying what steps the Census Bureau is taking to recover all missing laptops, thumb drives, handheld devices, and data discs.

I have requested these materials from the Census Bureau no later than Oct. 12.

[...]

http://www.timesgazette.com/main.asp?SectionID=1&SubSectionID=1&ArticleID=140650

From bkdelong at pobox.com Wed Oct 4 12:05:17 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Wed, 4 Oct 2006 12:05:17 -0400
Subject: [Dataloss] Rep. Mike Turner (R-OH) FOILs Census Bureau
In-Reply-To: <7.0.0.16.2.20061004112124.0250dc28@nowhere.org>
References: <7.0.0.16.2.20061004112124.0250dc28@nowhere.org>
Message-ID:

On 10/4/06, Dissent wrote:
>
> - Of each missing device, the date they became missing, their last
> known geographic location, and which ones were encrypted.

See, here's a slippery slope - full disk encryption or data? And what data was encrypted and what was not? I also would have asked for the OS type and version as well as the authentication - password (single factor) or plus token (multiple factor). But this is a good first start.

The spokespersons for these agencies always seem to say vague things like "analysis shows the data was not accessed", "the data was encrypted", "the computer had a password" etc. This should give us more accountability at least on the government side.

From rforno at infowarrior.org Wed Oct 4 13:15:38 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 04 Oct 2006 13:15:38 -0400
Subject: [Dataloss] Medicare Patient Data Insecure, GAO Says
Message-ID:

Medicare Patient Data Insecure, GAO Says

By Kevin Freking
Associated Press
Wednesday, October 4, 2006; D02
http://www.washingtonpost.com/wp-dyn/content/article/2006/10/03/AR2006100301430_pf.html

Security weaknesses have left millions of elderly, disabled and poor Americans vulnerable to unauthorized disclosure of their medical and other personal records, federal investigators said yesterday.

The Government Accountability Office said it found 47 weaknesses in the computer system used by the Centers for Medicare and Medicaid Services to send and receive bills and to communicate with health-care providers.

The agency oversees health-care programs that benefit one in four Americans. Its data are transmitted through a computer network that is privately owned and operated. The CMS did not always ensure that its contractor followed the agency's security policies and standards, according to the GAO.

"As a result, sensitive, personally identifiable medical data traversing this network are vulnerable to unauthorized disclosure," the federal investigators said.

CMS administrator Mark McClellan said that the agency was working to address problems cited in the report but noted that the GAO "found no evidence that confidential or sensitive information had actually been compromised."

The network handling Medicare claims transmits information, such as a patient's diagnosis, drugs and treatment facility, as well as Social Security numbers, addresses and dates of birth, the investigators said.

The investigators and CMS emphasized that the report focuses solely on the transmission of data. The auditors did not evaluate security controls for the servers used to store patient data.
Sen. Charles E. Grassley (R-Iowa) said Medicare and Medicaid officials need to respond quickly to the GAO findings.

"Beneficiaries and providers expect that sensitive health information is protected, and it's up to the agency officials to ensure the system is secure," said Grassley, chairman of the Senate Finance Committee.

CMS officials said they have corrected 22 of the 47 weaknesses cited by GAO auditors. Nineteen more are scheduled to be resolved soon, and the remaining six are under review.

© 2006 The Washington Post Company

From ziplock at pogowasright.org Wed Oct 4 14:28:02 2006
From: ziplock at pogowasright.org (ziplock)
Date: Wed, 4 Oct 2006 14:28:02 -0400 (EDT)
Subject: [Dataloss] IG: IRS not doing enough to safeguard taxpayers' privacy
Message-ID: <1030.66.90.118.12.1159986482.squirrel@www.pogowasright.org>

http://www.fcw.com/article96322-10-04-06-Web

BY Matthew Weigelt
Published on Oct. 4, 2006

The Internal Revenue Service has not done enough to protect the privacy of more than 130 million taxpayers, according to a Treasury Department Inspector General's report released Oct. 3.

The agency has conducted privacy impact assessments (PIAs) on less than half of its computer systems and does not adequately monitor its own application of privacy laws, according to the report from the Treasury IG for Tax Administration.

The E-Government Act of 2002 and IRS guidelines require every computer system or project that collects personal information to have a current PIA on file with the agency's privacy office. As of August 2005, the IG could not find PIAs for 130 of the 241 IRS computer systems that collect the sensitive information, according to the report.

"We attribute the missing PIAs to the lack of emphasis on privacy issues, and the decision to not require that all systems be certified and accredited," the report states. Thus, taxpayers' identities are at a higher risk of being stolen and used unlawfully, the report found.

The IG recommended that IRS officials build a searchable database of PIAs with quarterly verifications on their accuracy and reinforce the importance of PIA case documentation. The IG report recommended that officials review employee privacy training and assess whether IRS business units meet regulations.

Despite failures, the IRS' Office of Privacy and Information Protection enhanced its privacy program in the past two years, according to the IG. Officials chaired a working group to review the issues and created an online privacy-training segment on its Web site.

The privacy office director is responsible for administering the privacy program. Its mission is to ensure that policies and programs incorporate taxpayer and employee privacy requirements and that sensitive information remains protected, secure and private.

From macwheel99 at sigecom.net Wed Oct 4 13:56:24 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Wed, 04 Oct 2006 12:56:24 -0500
Subject: [Dataloss] Medicare Patient Data Insecure, GAO Says
In-Reply-To:
References:
Message-ID: <6.2.1.2.0.20061004125157.048ebeb0@mail.sigecom.net>

Here are links to the actual GAO report. The highlights summary is one page.

GAO reports typically go to Congress and the affected agency a few weeks before the general public, to give the affected agency a final opportunity to plug security holes before everyone is told about them.

Information Security: The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network. GAO-06-750, August 30.
http://www.gao.gov/cgi-bin/getrpt?GAO-06-750
Highlights - http://www.gao.gov/highlights/d06750high.pdf

>Medicare Patient Data Insecure, GAO Says
>
>By Kevin Freking
>Associated Press
>Wednesday, October 4, 2006; D02
>http://www.washingtonpost.com/wp-dyn/content/article/2006/10/03/AR2006100301430_pf.html

Al Macintyre

From Dissent at pogowasright.org Wed Oct 4 17:35:03 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 04 Oct 2006 17:35:03 -0400
Subject: [Dataloss] (update) Willamette Education Service District
Message-ID: <7.0.0.16.2.20061004173401.02609120@nowhere.org>

SALEM, Ore. - No personal information was compromised in a computer theft at the Willamette Education Service District, officials said.

Thieves recently made off with seven computers from the district offices. Classroom information on 4,500 students who are in school clubs was stored on the machines.

A check of backup disks showed that the computers did not contain sensitive information.

http://www.koin.com/Global/story.asp?S=5497214

From Dissent at pogowasright.org Thu Oct 5 07:55:59 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 05 Oct 2006 07:55:59 -0400
Subject: [Dataloss] Cabinet filled with census files sold at auction
Message-ID: <7.0.0.16.2.20061005075445.0254de68@nowhere.org>

EDMONTON - Personal files of some of this year's census workers turned up in a filing cabinet at an Edmonton auction, Global TV reported Wednesday night.

The files on about 75 workers from across the Prairies included their names, social insurance numbers and earnings, according to the report.

[...]

http://www.canada.com/edmontonjournal/news/cityplus/story.html?id=4197a8e2-8dfa-4ea5-b22a-23bdf1859d42&k=40186

From bkdelong at pobox.com Thu Oct 5 10:00:58 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 5 Oct 2006 10:00:58 -0400
Subject: [Dataloss] Committee contests IT firings due to Data Breach
Message-ID:

Committee contests IT firings

Sean Gaffney / Staff Writer / sg245204 at ohiou.edu
Brittany Kress / Editor in Chief / bk256403 at ohio.edu

Two technology administrators were wrongly fired in the wake of Ohio University's network security breach, a grievance committee decided earlier this week.

Tom Reid, former director of the now-dissolved Computer Network Services, and Todd Acheson, former manager of Internet and Systems, did not contribute to network security lapses that led to a series of data breaches, which was the basis for their firings, according to a letter from Administrative Senate's Grievance Committee.

The letter, dated Oct. 1, also finds fault with Bill Sams, associate provost for information technology and chief information officer, for failing to address security and institutional problems before the network breaches.

The Administrative Senate Grievance Committee is composed of Douglas Franklin, assistant dean of Recreation and Wellness and chair of the committee; Anne Lombard, director of Campus Life; and Cris Milligan, Mathematics Department administrator. The three interviewed Acheson and Reid, as well as Sams, to evaluate the grievance, according to the letter.

http://thepost.baker.ohiou.edu/articles/2006/10/05/news/15373.html

From Dissent at pogowasright.org Fri Oct 6 07:46:22 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 06 Oct 2006 07:46:22 -0400
Subject: [Dataloss] FAA data in Oberlin computer lost
Message-ID: <7.0.0.16.2.20061006074523.0262a6a8@nowhere.org>

The names and Social Security numbers of at least 400 air traffic controllers are missing from a computer at the Cleveland Air Route Traffic Control Center in Oberlin, a union official says.

Bill Liberty, president of the facility's National Air Traffic Controllers Association unit, said he was told on Monday by Eric Fox, Oberlin's air traffic control manager, that a computer hard drive with the personal information was stolen.

[...]

http://www.cleveland.com/news/plaindealer/index.ssf?/base/lorain/1160124449197870.xml&coll=2

From Dissent at pogowasright.org Fri Oct 6 07:48:15 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 06 Oct 2006 07:48:15 -0400
Subject: [Dataloss] Lost DOT Laptops: Compromised Personal Data?
Message-ID: <7.0.0.16.2.20061006074711.02627390@nowhere.org>

A series of data breaches at agencies under the United States Department of Transportation has put the Personal Identification Information of at least 133,000 people at risk.

According to information WTOP obtained through the Freedom of Information Act, since 2001, the DOT has lost nearly 400 laptop computers and had nine instances when Personal Identification Information was lost or stolen.

[...]

http://www.wtopnews.com/index.php?nid=25&sid=934932

From Dissent at pogowasright.org Fri Oct 6 07:50:39 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 06 Oct 2006 07:50:39 -0400
Subject: [Dataloss] (update) Firearm permits leak list tops 25,000
Message-ID: <7.0.0.16.2.20061006074920.02553ce8@nowhere.org>

The Berks County solicitor's office has revised the account of last month's leak of county gun permit records on the Internet: it says the entire list of more than 25,000 permit holders was released.

The information inadvertently exposed over the Labor Day weekend included not only permit holders' names, but also birth dates, Social Security numbers, psychiatric histories and other confidential information.

[...]

http://www.readingeagle.com/re/news/1578158.asp

From Dissent at pogowasright.org Fri Oct 6 08:07:10 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 06 Oct 2006 08:07:10 -0400
Subject: [Dataloss] 5 Computers Stolen From Capistrano School District
Message-ID: <7.0.0.16.2.20061006080540.026464f0@nowhere.org>

Thieves who broke into the Capistrano Unified School District headquarters and removed five computers that could contain personal employee information remained at large Thursday, officials said.

[...]

The computers included information about employees enrolled in an insurance program, and likely listed names, Social Security numbers and dates of birth. The district is trying to determine the extent of information held in the computer, de Nicola said.

[...]

http://cbs2.com/local/local_story_278205412.html

From lyger at attrition.org Fri Oct 6 13:06:00 2006
From: lyger at attrition.org (lyger)
Date: Fri, 6 Oct 2006 13:06:00 -0400 (EDT)
Subject: [Dataloss] Update - Vassar Brothers Medical Center laptop
Message-ID:

Stolen laptop contained no identifying patient information

http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/20061005/BUSINESS/61005013

A private investigation has determined that a laptop taken from Vassar Brothers Medical Center did not contain any personally identifying patient information, center officials said.

Vassar Brothers hired Kroll, an international risk consulting company based in New York City, to investigate the contents of the laptop. Kroll's Web site says it has a division that specializes in computer forensics.

After the theft was discovered in June, the center did its own internal investigation and, based on that, mailed notices to 257,800 patients whose personal data - including Social Security number, address, date of birth and name - officials believed was compromised.

[...]

From lyger at attrition.org Sat Oct 7 10:43:11 2006
From: lyger at attrition.org (lyger)
Date: Sat, 7 Oct 2006 10:43:11 -0400 (EDT)
Subject: [Dataloss] U.S. Marine Base Probes Missing Laptop
Message-ID:

Via Fergie's Tech Blog:
http://fergdawg.blogspot.com/

http://news.yahoo.com/s/ap/20061007/ap_on_hi_te/missing_laptop

A laptop computer loaded with personal information on 2,400 residents of the Camp Pendleton Marine Corps base has been lost, authorities said Friday.

The computer was reported missing Tuesday by Lincoln B.P. Management Inc., which helps manage base housing. The company and Camp Pendleton are investigating.

As of Friday, investigators had not found evidence that the data had been accessed, the base said in a statement. Authorities would disclose what kind of information was on the computer.

[...]
From ziplock at pogowasright.org Sat Oct 7 15:17:41 2006
From: ziplock at pogowasright.org (ziplock)
Date: Sat, 7 Oct 2006 15:17:41 -0400 (EDT)
Subject: [Dataloss] Computer lost at Camp Pendleton, contains personal information on 2,400 residents
Message-ID: <4891.66.90.118.12.1160248661.squirrel@www.pogowasright.org>

LOS ANGELES (AP) - A laptop computer loaded with personal information on 2,400 residents of the Camp Pendleton Marine Corps base has been lost, authorities said Friday.

The computer was reported missing Tuesday by Lincoln B.P. Management Inc., which helps manage base housing. The company and Camp Pendleton are investigating.

As of Friday, investigators had not found evidence that the data had been accessed, the base said in a statement.

http://www.lasvegassun.com/sunbin/stories/nat-gen/2006/oct/06/100604186.html

From Dissent at pogowasright.org Mon Oct 9 11:26:11 2006
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 09 Oct 2006 11:26:11 -0400
Subject: [Dataloss] Data leaks hit share prices hard
Message-ID: <7.0.0.16.2.20061009112541.026505b0@nowhere.org>

Australian-based analyst Hydrasight has teamed up with Colorado-based researcher Enterprise Management Associates Inc. (EMA) to release a study on the current state of global enterprise information security.

The report draws a comparison between the theft or breach of confidential information and computer-facilitated financial fraud and the impact it has on organizations in terms of share price. While the organizations studied were based in the U.S., the findings reflect a similar security environment in Australia.

Scott Crawford, senior analyst with EMA, said within four weeks of public disclosure of details of an information breach, negative responses show up in the form of falling share prices. The impact can be disturbing, he added.

"EMA recently followed the closing stock prices of six US companies which had disclosed an information security breach between February 2005 and June 2006.

"Within a month of disclosure, the average price of these stocks fell by 5 percent, and remained in a range of 2.4 to 8.5 percent below that of the date of disclosure for another eight months," he said.

"The stocks did not recover to pre-incident levels for nearly a year."

[...]

http://www.webwereld.nl/articles/43234/data-leaks-hit-share-prices-hard.html

From adam at homeport.org Mon Oct 9 11:36:26 2006
From: adam at homeport.org (Adam Shostack)
Date: Mon, 9 Oct 2006 11:36:26 -0400
Subject: [Dataloss] Data leaks hit share prices hard
In-Reply-To: <7.0.0.16.2.20061009112541.026505b0@nowhere.org>
References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org>
Message-ID: <20061009153626.GA7983@homeport.org>

Fascinating. It contradicts "Is There a Cost to Privacy Breaches? An Event Study," which Allan Friedman presented at the Workshop on Economics of Infosec.

http://weis2006.econinfosec.org/docs/40.pdf

That study has a much larger dataset, and so I'm curious why EMA chose such small datasets.

My thoughts on the paper are at
http://www.emergentchaos.com/archives/2006/07/does_lost_data_matter.html

Adam

On Mon, Oct 09, 2006 at 11:26:11AM -0400, Dissent wrote:
| Australian-based analyst Hydrasight has teamed up with Colorado-based
| researcher Enterprise Management Associates Inc. (EMA) to release a
| study on the current state of global enterprise information security.
|
| The report draws a comparison between the theft or breach of
| confidential information and computer-facilitated financial fraud and
| the impact it has on organizations in terms of share price. While the
| organizations studied were based in the U.S., the findings reflect a
| similar security environment in Australia.
|
| Scott Crawford, senior analyst with EMA, said within four weeks of
| public disclosure of details of an information breach, negative
| responses show up in the form of falling share prices. The impact can
| be disturbing, he added.
| | "EMA recently followed the closing stock prices of six US companies | which had disclosed an information security breach between February | 2005 and June 2006. | | "Within a month of disclosure, the average price of these stocks fell | by 5 percent, and remained in a range of 2.4 to 8.5 percent below | that of the date of disclosure for another eight months," he said. | | "The stocks did not recover to pre-incident levels for nearly a year." | | [...] | | http://www.webwereld.nl/articles/43234/data-leaks-hit-share-prices-hard.html | | _______________________________________________ | Dataloss Mailing List (dataloss at attrition.org) | http://attrition.org/dataloss | Tracking more than 136 million compromised records in 403 incidents over 6 years. | From bkdelong at pobox.com Mon Oct 9 11:49:38 2006 From: bkdelong at pobox.com (B.K. DeLong) Date: Mon, 9 Oct 2006 11:49:38 -0400 Subject: [Dataloss] Data leaks hit share prices hard In-Reply-To: <20061009153626.GA7983@homeport.org> References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org> <20061009153626.GA7983@homeport.org> Message-ID: We could probably come up with our own study just by finding every publicly traded company in the database and look at stock price history for X days following announcement of the breech. In fact, this could almost be automated if we added the ticker symbol to the database and then created a script that took advantage of a site containing access to stock trading data via an API... On 10/9/06, Adam Shostack wrote: > > Fascinating. It contradicts "Is There a Cost to Privacy Breaches? An > Event Study," which Alan Friedman presented at the Workshop on > Economics of Infosec. > > http://weis2006.econinfosec.org/docs/40.pdf > > That study has a much larger dataset, and so I'm curious why EMA chose > > such small datasets. 
> > My thoughts on the paper are at > http://www.emergentchaos.com/archives/2006/07/does_lost_data_matter.html > > > > Adam > > > On Mon, Oct 09, 2006 at 11:26:11AM -0400, Dissent wrote: > | Australian-based analyst Hydrasight has teamed up with Colorado-based > | researcher Enterprise Management Associates Inc. (EMA) to release a > | study on the current state of global enterprise information security. > | > | The report draws a comparison between the theft or breach of > | confidential information and computer-facilitated financial fraud and > | the impact it has on organizations in terms of share price. While the > | organizations studied were based in the U.S., the findings reflect a > | similar security environment in Australia. > | > | Scott Crawford, senior analyst with EMA, said within four weeks of > | public disclosure of details of an information breach, negative > | responses show up in the form of falling share prices. The impact can > | be disturbing, he added. > | > | "EMA recently followed the closing stock prices of six US companies > | which had disclosed an information security breach between February > | 2005 and June 2006. > | > | "Within a month of disclosure, the average price of these stocks fell > | by 5 percent, and remained in a range of 2.4 to 8.5 percent below > | that of the date of disclosure for another eight months," he said. > | > | "The stocks did not recover to pre-incident levels for nearly a year." > | > | [...] > | > | > http://www.webwereld.nl/articles/43234/data-leaks-hit-share-prices-hard.html > | > | _______________________________________________ > | Dataloss Mailing List (dataloss at attrition.org) > | http://attrition.org/dataloss > | Tracking more than 136 million compromised records in 403 incidents over > 6 years. 
> | > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 136 million compromised records in 403 incidents over 6 > years. > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20061009/928e9e11/attachment.html From allan_friedman at ksgphd.harvard.edu Mon Oct 9 12:20:49 2006 From: allan_friedman at ksgphd.harvard.edu (Allan Friedman) Date: Mon, 9 Oct 2006 12:20:49 -0400 Subject: [Dataloss] Data leaks hit share prices hard In-Reply-To: References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org> <20061009153626.GA7983@homeport.org> Message-ID: <686cc62f0610090920x39cf8c8aje4049942ca3143b2@mail.gmail.com> For anyone interested, the most recent copy is online here: http://www.heinz.cmu.edu/~acquisti/papers/acquisti-friedman-telang-privacy-b reaches.pdf We're working on a revised dataset that incorporates much of the recent events that members of this list have found, as well as pre-1386 events. We look forward to sharing this data when it is fully cleaned. We'll post a copy of the revised results to this list as soon as we have it. We've asked the authors for details on this study, but I'm curious about the long term implications. If you are trying to show a significant effect with a conventional event study, it's very hard to do for such a long time period and such a small sample size. If anyone is interested in doing similar studies, feel free to contact me offline. Verifying that you have the first published report and that there are no conflicting news stories that might bias the results is fairly time-intensive. 
allan

Allan Friedman
PhD Candidate, Public Policy
Kennedy School of Government
Harvard University

On 10/9/06, dataloss-bounces at attrition.org wrote:
> We could probably come up with our own study just by finding every publicly
> traded company in the database and look at stock price history for X days
> following announcement of the breach. In fact, this could almost be
> automated if we added the ticker symbol to the database and then created a
> script that took advantage of a site containing access to stock trading data
> via an API...
>
> On 10/9/06, Adam Shostack wrote:
> > Fascinating. It contradicts "Is There a Cost to Privacy Breaches? An
> > Event Study," which Alan Friedman presented at the Workshop on
> > Economics of Infosec.
> >
> > http://weis2006.econinfosec.org/docs/40.pdf
> >
> > That study has a much larger dataset, and so I'm curious why EMA chose
> > such small datasets.
> >
> > My thoughts on the paper are at
> > http://www.emergentchaos.com/archives/2006/07/does_lost_data_matter.html
> >
> > Adam
> >
> > On Mon, Oct 09, 2006 at 11:26:11AM -0400, Dissent wrote:
> > | [...]

From cwalsh at cwalsh.org Mon Oct 9 13:16:30 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 9 Oct 2006 12:16:30 -0500
Subject: [Dataloss] Data leaks hit share prices hard
In-Reply-To: <686cc62f0610090920x39cf8c8aje4049942ca3143b2@mail.gmail.com>
References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org> <20061009153626.GA7983@homeport.org> <686cc62f0610090920x39cf8c8aje4049942ca3143b2@mail.gmail.com>
Message-ID: <20061009171618.GA7590@cwalsh.org>

On Mon, Oct 09, 2006 at 12:20:49PM -0400, Allan Friedman wrote:
> We've asked the authors for details on this study, but I'm curious
> about the long term implications. If you are trying to show a
> significant effect with a conventional event study, it's very hard to
> do for such a long time period and such a small sample size.

Depends on how you pick that sample ;^)

cw

From DOpacki at Covestic.com Mon Oct 9 13:33:21 2006
From: DOpacki at Covestic.com (Dennis Opacki)
Date: Mon, 9 Oct 2006 10:33:21 -0700
Subject: [Dataloss] Data leaks hit share prices hard
In-Reply-To: <686cc62f0610090920x39cf8c8aje4049942ca3143b2@mail.gmail.com>
References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org> <20061009153626.GA7983@homeport.org>, <686cc62f0610090920x39cf8c8aje4049942ca3143b2@mail.gmail.com>
Message-ID: <51468ED2-0F7A-455D-80F2-11E45249B87A@mimectl>

While I am not an economist, I feel somewhat uneasy about using stock price to directly measure the effect of PR events on organizations. While employees and executives of publicly-traded companies often hold company stock and options, the largest shareholders may actually be third parties like pension and mutual funds. As I understand it, once a company makes an initial or secondary public offering, they have little financial interest in the stock. Shareholders unhappy about a breach can simply sell their shares to value-minded investors, who happily buy them at a discount. In certain circumstances, a low share price may actually benefit a company; stock buy-backs become easier and employees are less likely to exercise costly stock options.

Where share price can hurt companies is in the run-up to stock-based M&A activity and secondary offerings. In these situations, it seems like share price could be an indicator of long-term performance, assuming that the mergers, acquisitions and secondary offerings were good ideas to start with. I wonder if it would be interesting to isolate the impact of disclosures on these sorts of strategic activities.
-Dennis

From: Allan Friedman
Sent: Mon 10/9/2006 9:20 AM
To: dataloss-bounces at attrition.org
Cc: Dissent at pogowasright.org; acquisti at andrew.cmu.edu; dataloss at attrition.org
Subject: Re: [Dataloss] Data leaks hit share prices hard

[...]

From cwalsh at cwalsh.org Mon Oct 9 14:50:20 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Mon, 9 Oct 2006 13:50:20 -0500
Subject: [Dataloss] Data leaks hit share prices hard
In-Reply-To: <51468ED2-0F7A-455D-80F2-11E45249B87A@mimectl>
References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org> <20061009153626.GA7983@homeport.org> <686cc62f0610090920x39cf8c8aje4049942ca3143b2@mail.gmail.com> <51468ED2-0F7A-455D-80F2-11E45249B87A@mimectl>
Message-ID: <20061009185007.GA5726@cwalsh.org>

The underlying theory is generated via the so-called efficient markets hypothesis, which holds that stock prices reflect all information available to the market about firms' expected future returns.
http://en.wikipedia.org/wiki/Efficient_market_hypothesis

This is a contentious issue :^)

From privacylaws at sbcglobal.net Mon Oct 9 15:52:34 2006
From: privacylaws at sbcglobal.net (Saundra Kae Rubel)
Date: Mon, 9 Oct 2006 12:52:34 -0700
Subject: [Dataloss] EMA/Hydrasight study
In-Reply-To: <7.0.0.16.2.20061009112541.026505b0@nowhere.org>
Message-ID: <000f01c6ebdc$77982530$210110ac@saundrad38b17a>

Hello,

Has anyone actually located a copy of the study by EMA and, if so, can you post it to the list or to me?

Thanks,
Saundra Kae Rubel, CIPP

From DOpacki at Covestic.com Mon Oct 9 17:33:19 2006
From: DOpacki at Covestic.com (Dennis Opacki)
Date: Mon, 9 Oct 2006 14:33:19 -0700
Subject: [Dataloss] Data leaks hit share prices hard
In-Reply-To: <20061009185007.GA5726@cwalsh.org>
References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org> <20061009153626.GA7983@homeport.org> <686cc62f0610090920x39cf8c8aje4049942ca3143b2@mail.gmail.com> <51468ED2-0F7A-455D-80F2-11E45249B87A@mimectl>, <20061009185007.GA5726@cwalsh.org>
Message-ID:

From allan_friedman at ksgphd.harvard.edu Mon Oct 9 17:54:58 2006
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Mon, 9 Oct 2006 17:54:58 -0400
Subject: [Dataloss] Data leaks hit share prices hard
In-Reply-To:
References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org> <20061009153626.GA7983@homeport.org> <686cc62f0610090920x39cf8c8aje4049942ca3143b2@mail.gmail.com> <51468ED2-0F7A-455D-80F2-11E45249B87A@mimectl> <20061009185007.GA5726@cwalsh.org>
Message-ID: <686cc62f0610091454p38289b8cq6684409f4a74753a@mail.gmail.com>

The idea behind an event study is the critical "all other things equal" assumption. A security has some fixed value, a piece of news becomes known to the market, and the price adjusts based on how the news is perceived. At least in theory :)

One upshot is that the "event window" or the period of time examined for an impact of the new information shouldn't span too much time, since many other things also affect a security's value.

Happy to take a methodological discussion offline. In my experience, they are a fairly commonly used metric, but do not pass muster among the more serious of econometricians.

allan

On 10/9/06, DOpacki at covestic.com wrote:
> Indeed, but aren't we talking about means of assessing the performance of
> securities, not necessarily companies? Is it fair to conflate the two? After
> all, the link you sent indicates that "the way that markets react to news
> surprises is perhaps the most visible flaw in the efficient market
> hypothesis". What are data breach disclosures, if not news surprises?
>
> -Dennis
>
> ________________________________
> From: Chris Walsh
> Sent: Mon 10/9/2006 11:50 AM
> To: Dennis Opacki
> Cc: Allan Friedman; dataloss at attrition.org
> Subject: Re: [Dataloss] Data leaks hit share prices hard
>
> The underlying theory is generated via the so-called efficient markets
> hypothesis, which holds that stock prices reflect all information available
> to the market about firms' expected future returns.
>
> http://en.wikipedia.org/wiki/Efficient_market_hypothesis
>
> This is a contentious issue :^)

From jericho at attrition.org Mon Oct 9 18:11:26 2006
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 9 Oct 2006 18:11:26 -0400 (EDT)
Subject: [Dataloss] Dataloss discussion, debate and chatter
In-Reply-To: <686cc62f0610091454p38289b8cq6684409f4a74753a@mail.gmail.com>
References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org> <20061009153626.GA7983@homeport.org> <686cc62f0610090920x39cf8c8aje4049942ca3143b2@mail.gmail.com> <51468ED2-0F7A-455D-80F2-11E45249B87A@mimectl> <20061009185007.GA5726@cwalsh.org> <686cc62f0610091454p38289b8cq6684409f4a74753a@mail.gmail.com>
Message-ID:

Hello DL subscribers!
So far, we have been hopeful that the mail list would spark interesting discussion about the entire realm of dataloss. All discussion to date has been great, adding a lot of value and ideas to the list, perception of incidents, value and more.

Moving forward, we still want to see this type of discussion; however, if you feel that the chatter is getting to be higher volume than expected, or not helpful to why you subscribed to the list, please e-mail lyger at attrition.org and cc jericho at attrition.org to let us know. We will use that feedback for the consideration of a separate discussion list to cater to both types of people.

Thanks!

- jericho

On Mon, 9 Oct 2006, Allan Friedman wrote:
: [...]

From adam at homeport.org Mon Oct 9 18:08:29 2006
From: adam at homeport.org (Adam Shostack)
Date: Mon, 9 Oct 2006 18:08:29 -0400
Subject: [Dataloss] Data leaks hit share prices hard
In-Reply-To: <686cc62f0610091454p38289b8cq6684409f4a74753a@mail.gmail.com>
References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org> <20061009153626.GA7983@homeport.org> <686cc62f0610090920x39cf8c8aje4049942ca3143b2@mail.gmail.com> <51468ED2-0F7A-455D-80F2-11E45249B87A@mimectl> <20061009185007.GA5726@cwalsh.org> <686cc62f0610091454p38289b8cq6684409f4a74753a@mail.gmail.com>
Message-ID: <20061009220828.GA24135@homeport.org>

Absent pressure from other posters, I'd encourage discussion to remain online. I think that dataloss reporting was more interesting way back when, and now the interesting questions relate to how much value we can get from observation and analysis. I think we should use the tools we have, and try to improve them by vigorous debate.

Apologies to Jericho and Lyger if I'm hijacking their list.

Adam

On Mon, Oct 09, 2006 at 05:54:58PM -0400, Allan Friedman wrote:
| The idea behind an event study is the critical "all other things
| equal" assumption. A security has some fixed value, a piece of news
| becomes known to the market, and the price adjusts based on how the
| news is perceived. At least in theory :)
|
| One upshot is that the "event window" or the period of time examined
| for an impact of the new information shouldn't span too much time,
| since many other things also affect a security's value.
|
| Happy to take a methodological discussion offline. In my experience,
| they are a fairly commonly used metric, but do not pass muster among
| the more serious of econometricians.
|
| allan
|
| On 10/9/06, DOpacki at covestic.com wrote:
| > [...]
From lyger at attrition.org Mon Oct 9 18:57:43 2006
From: lyger at attrition.org (lyger)
Date: Mon, 9 Oct 2006 18:57:43 -0400 (EDT)
Subject: [Dataloss] Troy Athens Alumni Identities May Be At Risk
Message-ID:

http://www.clickondetroit.com/news/10036493/detail.html

Alumni of Troy Athens High School learned on Friday that their identity may be at risk.

The Troy School District and Superintendent mailed out a letter to former students of the high school who graduated from 1994 to present indicating that a hard drive that was inside a guidance room was stolen. The hard drive was stolen from a computer that was having technical work done.

Officials made the discovery of the stolen hard drive in mid-August but failed to inform those affected because, as stated in the letter, they weren't sure what specific information was stored on the drive. Through an investigation, the school learned that students' transcripts, test scores, addresses and Social Security numbers were saved on the stolen drive.

[...]

From allan_friedman at ksgphd.harvard.edu Mon Oct 9 19:19:03 2006
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Mon, 9 Oct 2006 19:19:03 -0400
Subject: [Dataloss] Methods: security price analysis (was 'Data leaks hit share prices hard')
Message-ID: <686cc62f0610091619g61a33962saaa7db0ebb74d009@mail.gmail.com>

First, I must admit that I lack the industry experience of Dennis and many others. I'm approaching this as a researcher.

I think that share price is not a perfect indicator of company performance; heck, I'm not sure it's a terribly valid measure for how investors view a company's future. But in the short run, investors should and do react to news. It's not instantaneous; there are transaction costs, strategic investors, etc. And remember, we're only interested in the marginal effect. A change in oil price doesn't fundamentally alter the underlying soundness of an oil company, but it does shift their bottom line, so a few investors might change their behavior.

I believe that we should be able to learn something from examining the impact of a breach announcement on share price:

1) Does the market even notice? Here, we want to measure the effect, and test for statistical significance. Econometrics is sometimes as much art as science, but there are many ways to test whether an observed phenomenon is different from random noise. We learn something if the market does have a reaction; we also learn something if it doesn't. (I should add that demonstrating the *absence* of an effect is durn hard to validate.)

2) Does the effect change over time? If market prices used to change, but now they don't, that's an interesting piece of information.

3) Other factors: In our project we are testing a long list of potential influencing factors that might affect the severity of the breach. Some of them are probably relevant to investors in particular (sector, whether it was customer or employee data) while some may not be directly applicable (type of data breached). Interpreting these findings beyond an "oh, that's interesting" involves going back to a model of incentives. We also look at announcement details and a host of other variables.

Our sample size is small, but growing (I confess that I am one of the few people happy to see breach announcements in the news).

allan

OT - for anyone interested in the broader question of methods in security economics and policy, I will be chairing a panel at the Workshop on the Economics of Securing Information Infrastructure (http://wesii.econinfosec.org/workshop/) in DC on October 23. Registration is free and open to anyone interested.
Allan Friedman
PhD Candidate, Public Policy
Kennedy School of Government
Harvard University

From acquisti at andrew.cmu.edu Tue Oct 10 09:41:47 2006
From: acquisti at andrew.cmu.edu (Alessandro Acquisti)
Date: Tue, 10 Oct 2006 09:41:47 -0400
Subject: [Dataloss] Data leaks hit share prices hard
In-Reply-To: <20061009153626.GA7983@homeport.org>
Message-ID: <000601c6ec71$d53bbf40$6501a8c0@heinz.win.cmu.edu>

Hello Adam -

> Fascinating. It contradicts "Is There a Cost to Privacy Breaches? An
> Event Study," which Alan Friedman presented at the Workshop on
> Economics of Infosec.
>
> http://weis2006.econinfosec.org/docs/40.pdf

My 2 cents (following up on what Allan already wrote): the results of the two studies are difficult to compare.

- our (i.e., Allan, Rahul, and me) dataset contained hundreds of events - I would hazard that focusing on six events means aiming at a qualitative type of study, rather than a statistically significant one.

- the problem with simply checking whether stock prices have fallen or not is that external market conditions may determine those outcomes - hence, as a measurement of performance after the event, vanilla stock prices can be misleading (the event studies methodologies we used in our paper attempt to address this problem)

- for similar reasons, one should be extra cautious about suggesting linkages between an event and the stock price one year after that event - the consensus in the financial literature that pioneered event studies is that a few days after the event you can no longer exclude that what you are getting from the stock prices is simply noise.

Note, however, that our regressions showed that the size of a firm was a significant predictor of its abnormal rate of return (in other words: larger firms were more affected by the breaches).

One last note on the problems with using stock prices to measure a (subset of a) company's breach-related costs: even if we may not adhere to the efficient markets hypothesis, we wanted to address a simpler (and, to me, telling) question: how does the market react to privacy breaches, compared to the way it reacts to security breaches, product vulnerabilities, or other negative events?

Thanks,
-alessandro

From bkdelong at pobox.com Tue Oct 10 10:40:49 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Tue, 10 Oct 2006 10:40:49 -0400
Subject: [Dataloss] Data leaks hit share prices hard
In-Reply-To: <7.0.0.16.2.20061009112541.026505b0@nowhere.org>
References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org>
Message-ID:

Has anyone gotten ahold of the report yet?

On 10/9/06, Dissent wrote:
> Australian-based analyst Hydrasight has teamed up with Colorado-based
> researcher Enterprise Management Associates Inc. (EMA) to release a
> study on the current state of global enterprise information security.
>
> The report draws a comparison between the theft or breach of
> confidential information and computer-facilitated financial fraud and
> the impact it has on organizations in terms of share price. While the
> organizations studied were based in the U.S., the findings reflect a
> similar security environment in Australia.
>
> Scott Crawford, senior analyst with EMA, said within four weeks of
> public disclosure of details of an information breach, negative
> responses show up in the form of falling share prices. The impact can
> be disturbing, he added.
>
> "EMA recently followed the closing stock prices of six US companies
> which had disclosed an information security breach between February
> 2005 and June 2006.
>
> "Within a month of disclosure, the average price of these stocks fell
> by 5 percent, and remained in a range of 2.4 to 8.5 percent below
> that of the date of disclosure for another eight months," he said.
>
> "The stocks did not recover to pre-incident levels for nearly a year."
>
> [...]
>
> http://www.webwereld.nl/articles/43234/data-leaks-hit-share-prices-hard.html

From ziplock at pogowasright.org Tue Oct 10 12:48:18 2006
From: ziplock at pogowasright.org (ziplock)
Date: Tue, 10 Oct 2006 12:48:18 -0400 (EDT)
Subject: [Dataloss] Data leaks hit share prices hard
In-Reply-To:
References: <7.0.0.16.2.20061009112541.026505b0@nowhere.org>
Message-ID: <2526.66.90.118.12.1160498898.squirrel@www.pogowasright.org>

A quick review of http://www.hydrasight.com/index.cfm doesn't reveal the report, but does show various levels of paid membership. Perhaps this report is part of their subscription service?

> Has anyone gotten ahold of the report yet?

From acquisti at pguardian.com Tue Oct 10 13:43:18 2006
From: acquisti at pguardian.com (Alessandro Acquisti)
Date: Tue, 10 Oct 2006 13:43:18 -0400
Subject: [Dataloss] Data leaks hit share prices hard
In-Reply-To: <000601c6ec71$d53bbf40$6501a8c0@heinz.win.cmu.edu>
Message-ID: <011401c6ec93$9336af20$6501a8c0@heinz.win.cmu.edu>

Adam:

> Note, however, that our regressions showed that the size of a firm was a
> significant predictor of its abnormal rate of return (in other words:
> larger firms were more affected by the breaches).

that should have been "smaller" firms, as discussed in the paper. (thanks to Allan for catching this slip)

Thank you,
-aa

> -----Original Message-----
> From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Alessandro Acquisti
> Sent: Tuesday, October 10, 2006 9:42 AM
> To: 'Adam Shostack'; 'Dissent'
> Cc: 'Alessandro Acquisti'; 'dataloss-attrition.org'
> Subject: Re: [Dataloss] Data leaks hit share prices hard
>
> [...]

From bkdelong at pobox.com Tue Oct 10 14:03:58 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Tue, 10 Oct 2006 14:03:58 -0400
Subject: [Dataloss] CDW-G Survey on Higher Ed. Security
Message-ID:

More of a generalized survey but does contain some data on breaches.

http://newsroom.cdwg.com/features/HEITSecurityReportCard10-10-06.pdf

From adam at homeport.org Tue Oct 10 14:26:14 2006
From: adam at homeport.org (Adam Shostack)
Date: Tue, 10 Oct 2006 14:26:14 -0400
Subject: [Dataloss] CDW-G Survey on Higher Ed. Security
In-Reply-To:
References:
Message-ID: <20061010182614.GA32091@homeport.org>

Thanks for passing that on.

I find it disappointing that CDW chooses to release a presentation, rather than a report, but that's their choice. It's also too bad that they don't reproduce their survey instrument/list of questions, or discuss the wide variance in the number of respondents: Many slides don't mention it, slide 12 mentions 60, slide 20 mentions their survey as having 182 completed questions.

Adam

On Tue, Oct 10, 2006 at 02:03:58PM -0400, B.K. DeLong wrote:
| More of a generalized survey but does contain some data on breaches.
|
| http://newsroom.cdwg.com/features/HEITSecurityReportCard10-10-06.pdf


From cwalsh at cwalsh.org Tue Oct 10 16:16:49 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 10 Oct 2006 15:16:49 -0500
Subject: [Dataloss] CDW-G Survey on Higher Ed. Security
In-Reply-To: <20061010182614.GA32091@homeport.org>
References: <20061010182614.GA32091@homeport.org>
Message-ID: <20061010201632.GA12880@cwalsh.org>

On Tue, Oct 10, 2006 at 02:26:14PM -0400, Adam Shostack wrote:
> Thanks for passing that on.
>
> I find it disappointing that CDW chooses to release a presentation,
> rather than a report, but that's their choice. It's also too bad that
> they don't reproduce their survey instrument/list of questions, or
> discuss the wide variance in the number of respondents: Many slides
> don't mention it, slide 12 mentions 60, slide 20 mentions their survey
> as having 182 completed questions.
>

I think you'd be pleased by the CIFAC studies, Adam. This is "legit" academic stuff by Virginia Rezmierski, et al., looking at academic institutions in one sample for phase I, and then at corporate entities in phase II. I believe that in both cases, the survey instrument is provided. They're totally up front about methods, etc.

http://0-www.educause.edu.csulib.ctstateu.edu/LibraryDetailPage/666?ID=SEC0409
http://0-www.educause.edu.csulib.ctstateu.edu/LibraryDetailPage/666?ID=CSD4455

Along similar lines, I am eagerly awaiting the results of the National Computer Security Survey, being performed by RAND (http://www.ncss.rand.org/).

cw


From allan_friedman at ksgphd.harvard.edu Tue Oct 10 16:42:33 2006
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Tue, 10 Oct 2006 16:42:33 -0400
Subject: [Dataloss] CDW-G Survey on Higher Ed.
Security
In-Reply-To: <20061010201632.GA12880@cwalsh.org>
References: <20061010182614.GA32091@homeport.org> <20061010201632.GA12880@cwalsh.org>
Message-ID: <686cc62f0610101342o14e1dc22u7c678596318b5667@mail.gmail.com>

> Along similar lines, I am eagerly awaiting the results of the National Computer
> Security Survey, being performed by RAND (http://www.ncss.rand.org/).

The DoJ lead on that study will be on my panel at WESII. Y'all should come! Unfortunately, it will still be a few months before they release prelim results.

/\llan


From cwalsh at cwalsh.org Tue Oct 10 23:06:29 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 10 Oct 2006 22:06:29 -0500
Subject: [Dataloss] 2300 British PCs compromised - PII found on seized US computer
Message-ID:

[This one is interesting -- where the losses are due to malice, not just stupidity. It's sad/amusing that when the London police emailed victims, few responded, assuming that the emails were a hoax]

Thousands fall victim to data theft
Graeme Wearden and Tom Espiner
ZDNet UK
October 10, 2006, 17:30 BST

Police are trying to contact thousands of UK computer users who have fallen victim to a massive personal data heist.

The Metropolitan Police said on Tuesday that a computer seized in the US had been found to contain personal information from around 2,300 PCs based in Britain. This included email addresses, passwords, credit card numbers and details of online transactions.

According to the Metropolitan Police Computer Crime Unit, the data was stolen via a piece of malware that was secretly installed on the victims' machines.

[...]
More at http://news.zdnet.co.uk/0,39020330,39284001,00.htm


From Dissent at pogowasright.org Wed Oct 11 08:08:08 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 11 Oct 2006 08:08:08 -0400
Subject: [Dataloss] GOP Donors' Personal Data Disclosed in RNC Privacy Slip
Message-ID: <7.0.0.16.2.20061011080649.02251b60@nowhere.org>

In a breach of privacy, the Republican National Committee erroneously e-mailed a list that contained the names, races, and Social Security numbers of dozens of top Republican donors -- and that identified two of the contributors as Muslim -- to this reporter.

[...]

http://www.nysun.com/article/41341


From Dissent at pogowasright.org Wed Oct 11 08:02:41 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 11 Oct 2006 08:02:41 -0400
Subject: [Dataloss] More than 4,600 Floridians' personal data accidentally posted
Message-ID: <7.0.0.16.2.20061011080158.02276c20@nowhere.org>

Florida's Labor Department unwittingly posted the names and Social Security numbers of more than 4,600 of its clients on the Internet last month, only to discover the error when a Fort Walton Beach man Googled his own name, an agency spokesman said Tuesday.

Since the information was not linked to any Web site, the Agency for Workforce Innovation, as the department is known, reported that it has no reason to believe anyone else accessed it. But as a precaution it sent out letters last week to the 4,624 individuals, all of whom had enrolled for services with one of the 24 regional workforce boards across the state, spokesman Warren May said.

[...]
http://www.palmbeachpost.com/business/content/business/epaper/2006/10/11/a1d_breach_1011.html


From grexpectations at comcast.net Wed Oct 11 07:30:52 2006
From: grexpectations at comcast.net (grexpectations at comcast.net)
Date: Wed, 11 Oct 2006 11:30:52 +0000
Subject: [Dataloss] security breaches as a result of email
Message-ID: <101120061130.1561.452CD5EC000888140000061922070009539C0201079B0E9B0C0A9F980A9D09@comcast.net>

I'm looking for examples or statistics where email (either intentional or not intentional) was the root cause of a security breach. Can anyone direct me to a web site where I may be able to locate this data?


From bkdelong at pobox.com Wed Oct 11 12:54:40 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Wed, 11 Oct 2006 12:54:40 -0400
Subject: [Dataloss] Tracking consequences of data loss
Message-ID:

This discussion of quantifying the repercussions of a data breach has me wondering if there is a way to make a notation in DLDOS if a company is fined or sued as the result of such an incident. I'm not sure it's possible to show loss of reputation in any meaningful manner - has anyone seen cases where the perpetrator was successfully charged for causing either financial losses and loss of reputation?
From macwheel99 at sigecom.net Wed Oct 11 13:45:59 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Wed, 11 Oct 2006 12:45:59 -0500
Subject: [Dataloss] security breaches as a result of email
In-Reply-To: <101120061130.1561.452CD5EC000888140000061922070009539C0201079B0E9B0C0A9F980A9D09@comcast.net>
References: <101120061130.1561.452CD5EC000888140000061922070009539C0201079B0E9B0C0A9F980A9D09@comcast.net>
Message-ID: <6.2.1.2.0.20061011121904.04ff61d0@mail.sigecom.net>

If you dig into the archives of this list and the new DLDOS database at http://attrition.org/dataloss/dldos.html, there are several instances where we have people who are klutzes with respect to how to use e-mail, and instead of sending some communication to ONE contact, they send something out listing all info on all contacts, or they have some kind of database of info on people and there is a mismatch on who the data is supposed to go to.

For example, CSI has a database on everyone who requested the FBI file on annual computer crime statistics, then they used some software package to e-mail those people with some invitation, except it mismatched ... info on person-A was sent with the invite to person-B, multiplied by however many people were involved.

The database has coding (http://attrition.org/dataloss/dldoskey.html) as to the nature of the breach that could narrow you down to this kind of relevance, but this is something that continues to evolve, and be improved upon by feedback here.

I do not see in the chart a coding for the nature of the breach:
* laptop gone missing
* dumpster diving
* hacker broke in
* data managers must have been computer illiterates
* data managers must have been privacy illiterates
* e-mail stupidity
* etc.
so if you do a search of the raw data, looking for "e-mail", you're going to get a lot of hits where what was breached was a person's e-mail address.

You might go to the Privacy Rights Chronology http://www.privacyrights.org/ar/ChronDataBreaches.htm and study the whole thing, looking for breaches for that reason.

Several different outfits are trying to track this data. As mentioned in an earlier thread, Bill Yurick and a student worked to combine the breach data at: "Beyond Media Hype: Empirical Analysis of Disclosed Privacy Breaches 2005-2006 and a DataSet/Database Foundation for Future Work". You might find their graphics informative.

There are some other outfits that have done similar work, and I gave Bill links to those I was aware of, in case that would help with their efforts. If you are interested, I could dig into the e-mails I sent Bill & forward them to you, off line from this list. Basically I addressed suggestions for improving the report, and the state of privacy protection around the world.

Al Macintyre

>I'm looking for examples or statistics where email (either intentional or
>not intentional) was the root cause of a security breach. Can anyone
>direct me to a web site where I may be able to locate this data?


From macwheel99 at sigecom.net Wed Oct 11 13:53:19 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Wed, 11 Oct 2006 12:53:19 -0500
Subject: [Dataloss] Tracking consequences of data loss
In-Reply-To:
References:
Message-ID: <6.2.1.2.0.20061011124702.04ff0050@mail.sigecom.net>

Many organizations have sustained healthy fines from the FTC in the aftermath of breach investigations that found the places that got breached were negligent in some way. I have seen fines in the $ millions.
At least one place has had to declare bankruptcy and go out of business, as a result of the loss of confidence in them that came about due to the circumstances of the breach, where their business was entirely dependent upon the major credit card brands trusting them or approving their security arrangements.

There is also a web of lawsuits associated with trying to recover the costs of re-issuing credit and debit card accounts.

Another follow-up I would like to see is which of these places were
(a) governed by some security mandate that they violated (which ones) ... various gov regulations by industry, such as on this list http://www.unbeatenpathintl.com/ITstandards/source/1.html
(b) seeking to achieve some security standard, such as encryption, ISO 17799 (which I think is going to be renumbered as 27002), 27001 and BS7799-3 which will become ISO 27005, credit card industry standard, DoD standard, but failed, or that they did achieve some standard, but the standard was not good enough to prevent the breach
If you are unfamiliar with the ISO standards for security ... www.27000.org for info on this security standard, which is not just computer security, but also physical security
(c) illiterate about security standards

>This discussion of quantifying the repercussions of a data breach has me
>wondering if there is a way to make a notation in DLDOS if a company is
>fined or sued as the result of such an incident. I'm not sure it's
>possible to show loss of reputation in any meaningful manner - has anyone
>seen cases where the perpetrator was successfully charged for causing
>either financial losses and loss of reputation?


From bkdelong at pobox.com Wed Oct 11 14:30:51 2006
From: bkdelong at pobox.com (B.K.
DeLong)
Date: Wed, 11 Oct 2006 14:30:51 -0400
Subject: [Dataloss] Tracking consequences of data loss
In-Reply-To: <6.2.1.2.0.20061011124702.04ff0050@mail.sigecom.net>
References: <6.2.1.2.0.20061011124702.04ff0050@mail.sigecom.net>
Message-ID:

On 10/11/06, Al Mac wrote:
>
> There is also a web of lawsuits associated with trying to recover the
> costs of re-issuing credit and debit card accounts.

Besides ChoicePoint, what others?

> Another follow-up I would like to see is which of these places were
> (a) governed by some security mandate that they violated (which ones) ...
> various gov regulations by industry, such as on this
> list http://www.unbeatenpathintl.com/ITstandards/source/1.html

Right......and PCI, FISA, FFIEC. With any luck there's probably a list out there that lists some of the companies in DLDOS that are subject to all of these that could simply be imported in. I think a lot of it is up to interpretation.

> (c) illiterate about security standards

I'm not sure how scientifically measurable this is. ;)


From bkdelong at pobox.com Wed Oct 11 14:02:29 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Wed, 11 Oct 2006 14:02:29 -0400
Subject: [Dataloss] security breaches as a result of email
In-Reply-To: <6.2.1.2.0.20061011121904.04ff61d0@mail.sigecom.net>
References: <101120061130.1561.452CD5EC000888140000061922070009539C0201079B0E9B0C0A9F980A9D09@comcast.net> <6.2.1.2.0.20061011121904.04ff61d0@mail.sigecom.net>
Message-ID:

On 10/11/06, Al Mac wrote:
>
> The data base has coding http://attrition.org/dataloss/dldoskey.html as to
> nature of breach that could narrow you down to this kind of relevance, but
> this is something that continues to evolve, and be improved upon by
> feedback here.
> I do not see in the chart a coding for the nature of the
> breach:
> * laptop gone missing
> * dumpster diving
> * hacker broke in
> * data managers must have been computer illiterates
> * data managers must have been privacy illiterates
> * e-mail stupidity
> * etc.
> so if you do a search of the raw data, looking for "e-mail" you're going to
> get a lot of hits where what was breached was a person's e-mail address

You make a good point - this is definitely something else we should be tracking in the DLDOS.


From adam at homeport.org Wed Oct 11 14:47:05 2006
From: adam at homeport.org (Adam Shostack)
Date: Wed, 11 Oct 2006 14:47:05 -0400
Subject: [Dataloss] Tracking consequences of data loss
In-Reply-To: <6.2.1.2.0.20061011124702.04ff0050@mail.sigecom.net>
References: <6.2.1.2.0.20061011124702.04ff0050@mail.sigecom.net>
Message-ID: <20061011184705.GB14892@homeport.org>

On Wed, Oct 11, 2006 at 12:53:19PM -0500, Al Mac wrote:
| Many organizations have sustained healthy fines from the FTC in the
| aftermath of breach investigations that found the places that got breached
| were negligent in some way. I have seen fines in the $ millions.

Where many is 15 out of 400? Or is my mental list short of fines?

| At least one place has had to declare bankruptcy and go out of business, as
| a result of the loss of confidence in them that came about due to the
| circumstances of the breach, where their business was entirely dependent
| upon the major credit card brands trusting them or approving their security
| arrangements.

Cardsystems managed to sell their assets to Paybytouch.
Adam


From DOpacki at Covestic.com Wed Oct 11 14:51:18 2006
From: DOpacki at Covestic.com (Dennis Opacki)
Date: Wed, 11 Oct 2006 11:51:18 -0700
Subject: [Dataloss] security breaches as a result of email
In-Reply-To:
References: <101120061130.1561.452CD5EC000888140000061922070009539C0201079B0E9B0C0A9F980A9D09@comcast.net> <6.2.1.2.0.20061011121904.04ff61d0@mail.sigecom.net>
Message-ID: <890B751C-B281-4E80-80D8-AA56D4D34E81@mimectl>

I believe that what we are talking about here is "root cause analysis". Unfortunately, getting to the root cause of the event often requires a degree of sophistication and communication uncommon in companies experiencing data breaches.

I usually send people interested in this sort of analysis to Rooney and Vanden Heuvel's write-up[1]. While focused on quality control, it gives some good direction on causal factor charting and root cause identification. I have had luck in the past adapting it to computer security applications.

-Dennis

[1] http://www.asq.org/pub/qualityprogress/past/0704/qp0704rooney.pdf

From: B.K. DeLong
Sent: Wed 10/11/2006 11:02 AM
To: Al Mac
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] security breaches as a result of email

On 10/11/06, Al Mac wrote:
> The data base has coding http://attrition.org/dataloss/dldoskey.html as to
> nature of breach that could narrow you down to this kind of relevance, but
> this is something that continues to evolve, and be improved upon by
> feedback here.
> I do not see in the chart a coding for the nature of the breach:
> * laptop gone missing
> * dumpster diving
> * hacker broke in
> * data managers must have been computer illiterates
> * data managers must have been privacy illiterates
> * e-mail stupidity
> * etc.
> so if you do a search of the raw data, looking for "e-mail" you're going to
> get a lot of hits where what was breached was a person's e-mail address

You make a good point - this is definitely something else we should be tracking in the DLDOS.
From lyger at attrition.org Wed Oct 11 15:02:33 2006
From: lyger at attrition.org (lyger)
Date: Wed, 11 Oct 2006 15:02:33 -0400 (EDT)
Subject: [Dataloss] Adams State College: Stolen laptop contains personal information
Message-ID:

http://www.alamosanews.com/main.php?story_id=13586&page=39

ALAMOSA - Adams State College Public Safety office has reported that a laptop computer stolen from the college in August contained personal information of participants in the college's Upward Bound program.

On Aug. 14, the laptop computer and an LCD projector were reported stolen from a locked closet in Richardson Hall. College staff did not realize until late Sept.

The computer held a report listing 184 high school students who took part in the Upward Bound program during the past four years. The data was contained in the program's annual performance report, which is updated each year. The report is no longer kept on personal computers, said Mike Garcia, executive director of the TRIO program at the college.

[...]


From blitz at strikenet.kicks-ass.net Wed Oct 11 18:05:10 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Wed, 11 Oct 2006 18:05:10 -0400
Subject: [Dataloss] Tracking consequences of data loss
In-Reply-To: <20061011184705.GB14892@homeport.org>
References: <6.2.1.2.0.20061011124702.04ff0050@mail.sigecom.net> <20061011184705.GB14892@homeport.org>
Message-ID: <7.0.1.0.2.20061011180320.050afe10@strikenet.kicks-ass.net>

And as an adjunct, the first fine ever was recently issued in a HIPAA case. Though thousands of complaints are filed annually, the agency governing them seems to be protecting the doctors and hospitals instead of the patients.
At 14:47 10/11/2006, you wrote:
>On Wed, Oct 11, 2006 at 12:53:19PM -0500, Al Mac wrote:
>| Many organizations have sustained healthy fines from the FTC in the
>| aftermath of breach investigations that found the places that got breached
>| were negligent in some way. I have seen fines in the $ millions.
>
>Where many is 15 out of 400? Or is my mental list short of fines?
>
>| At least one place has had to declare bankruptcy and go out of business, as
>| a result of the loss of confidence in them that came about due to the
>| circumstances of the breach, where their business was entirely dependent
>| upon the major credit card brands trusting them or approving their security
>| arrangements.
>
>Cardsystems managed to sell their assets to Paybytouch.
>
>Adam


From lyger at attrition.org Wed Oct 11 19:28:53 2006
From: lyger at attrition.org (lyger)
Date: Wed, 11 Oct 2006 19:28:53 -0400 (EDT)
Subject: [Dataloss] Admin: List Reminders
Message-ID:

With the number of list subscribers growing in the last few weeks, I'd like to point out the following and make a few requests.

1. Please trim old footers and irrelevant quoted material out of replies. It takes only a few seconds of time and makes things easier to read and parse through for your fellow subscribers. If it's forgotten once, it's not a criminal offense. :) More than one quoted footer in a post may risk a post being discarded.

2. When responding to a list post, please don't reply-to-all.
This will usually cause the original poster to receive more than one copy of your reply. If your message is intended for the list, please reply to dataloss at attrition.org. If you wish to contact the original poster directly, please mail them directly without a CC to the list or list admins.

3. This list is non-commercial in nature. Whether responding to the list or individuals directly, please do not send emails based on list content to promote commercial products or services. All such emails to the list will be immediately discarded and the sender will be subject to unsubscription. All spam-like off-list emails should be handled by the recipient(s) as they wish.

Any questions, please feel free to reply to me directly and not to the list.

Lyger


From Dissent at pogowasright.org Thu Oct 12 08:58:29 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 12 Oct 2006 08:58:29 -0400
Subject: [Dataloss] (followup, Acxiom) Class action suit over ID theft tossed out
Message-ID: <7.0.0.16.2.20061012085437.02273a90@nowhere.org>

A federal judge in Arkansas has thrown out a class action lawsuit against Acxiom, which exposed massive amounts of Americans' personal information in a high-profile Internet security snafu three years ago.

Even though a spammer had downloaded more than one billion records from the company, U.S. District Judge William Wilson ruled that there was no evidence that Acxiom's purloined database had been used to send junk e-mail or postal mail. Because the class action attorneys could not prove that anyone's information had actually been misused, Wilson dismissed the case and the request for damages on the grounds that any harm would be entirely speculative.

"Because plaintiff has not alleged that she has suffered any concrete damages, she does not have standing under the case-or-controversy requirement," he wrote.

The decision (PDF), published on Oct.
3, could prove influential in other identity fraud cases where breaches have exposed personal information such as home addresses and Social Security numbers, but there's no proof that the information has been misused.

[...]

http://news.com.com/Class+action+suit+over+ID+theft+tossed+out/2100-7348_3-6125028.html?tag=nefd.lede

Court Opinion: http://www.politechbot.com/docs/acxiom.order.class.action.101106.pdf


From Dissent at pogowasright.org Thu Oct 12 08:28:21 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 12 Oct 2006 08:28:21 -0400
Subject: [Dataloss] (followup) University of Texas at Arlington
Message-ID: <7.0.0.16.2.20061012081921.022c6c20@nowhere.org>

(n.b. original report quoted uni spokesperson as saying that the electronic faculty grade books did not include SSN. Uh huh....)

The personal information of about 2,500 University of Texas at Arlington students was on two computers stolen from a faculty member's home last month, school officials said.

The computers stolen from Ray Springston's Fort Worth home included class rosters with students' Social Security numbers, grades, e-mail addresses and other information, the school said. Students in computer science and engineering classes between fall 2000 and fall 2006 could be affected.

[...]

http://www.chron.com/disp/story.mpl/metropolitan/4253257.html

Related: http://oit.uta.edu/oit/ss/datatheft/


From Dissent at pogowasright.org Thu Oct 12 09:35:33 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 12 Oct 2006 09:35:33 -0400 (EDT)
Subject: [Dataloss] Hackers steal personal information from Brock University computers
Message-ID:

The personal information -- including some credit card and bank account numbers -- of about 70,000 people who gave money to Brock University has been stolen from the school's computers by a hacker.
Terry Boak, Brock's vice-president academic, said the digital intruder had the secret passwords needed to access the file listing of possibly every individual to ever donate to the university.

"It wasn't just someone who hacked in by playing around with it," Boak said. "So, you start thinking about how these passwords were obtained."

Boak said the hacker tapped into the system on Sept. 22 at 5:27 p.m. ET, taking only four minutes to make off with the file containing thousands of names, birthdates and e-mail addresses. About 90 credit card numbers and some 270 bank account details were also in the file.

[...]

http://www.cbc.ca/technology/story/2006/10/12/tech-brock.html


From bkdelong at pobox.com Thu Oct 12 14:47:23 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 12 Oct 2006 14:47:23 -0400
Subject: [Dataloss] Google Gapminder for visualizing data loss trends
Message-ID:

Nifty new Google tool for visualizing trends. We could probably feed it DLDOS data and produce some interesting results.

---------- Forwarded message ----------
From: Jose Cordeiro
Date: Oct 12, 2006 2:30 PM
Subject: [wta-talk] New tool by Google
To: owifor-admin at lists.eviangroup.org, WFSFlistserver

Dear friends,

There is a new cool tool for graphic visualization of trends. My understanding is that Google will eventually release a version also for extrapolations. Check out the current Beta version, and click the "Help?" button for a real nice explanation:

http://tools.google.com/gapminde

Additionally, there is a similar effort called Gapminder and even the WHO is starting to use it:

http://www.gapminder.org/

Futuristically yours,
La vie est belle!

Yosé (www.cordeiro.org)
Caracas, Venezuela, Americas, TerraNostra, Solar System, Milky Way, Multiverse

_______________________________________________
wta-talk mailing list
wta-talk at transhumanism.org
http://www.transhumanism.org/mailman/listinfo/wta-talk
From lyger at attrition.org Fri Oct 13 10:44:35 2006
From: lyger at attrition.org (lyger)
Date: Fri, 13 Oct 2006 10:44:35 -0400 (EDT)
Subject: [Dataloss] Ohio Ethics Commission: Documents Seen Flying Around Neighborhood
Message-ID:

http://www.nbc4i.com/news/10069233/detail.html

COLUMBUS, Ohio -- Hundreds of documents containing employee financial disclosures that originated with a state agency were found flying around a south side neighborhood on Thursday.

The personal information was seen blowing around an alley near Hinkle Avenue, NBC 4's Beth Dal Ponte reported.

Bill Ward, who lives in the area, spotted the documents and collected them.

"I started to pick them up and then I realized they belonged to the Ohio Ethics Commission," Ward said. "They had Social Security numbers and financial statements, so I was worried."

[...]


From macwheel99 at sigecom.net Fri Oct 13 11:42:49 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Fri, 13 Oct 2006 10:42:49 -0500
Subject: [Dataloss] Another Indian insider data theft exposed by UK TV
Message-ID: <6.2.1.2.0.20061013103901.0475cd70@mail.sigecom.net>

A man in India offered to sell the front man of a Channel 4 sting operation the credit card details of 200,000 people, the programme Dispatches will reveal tonight. (Oct 5)

[..]

The Channel 4 programme also claims to have found a man willing to sell the mobile phone details of 8,000 British people, and another willing to sell bank account details.
[..]

http://www.theregister.co.uk/2006/10/05/india_exposed/


From macwheel99 at sigecom.net Sat Oct 14 19:34:43 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sat, 14 Oct 2006 18:34:43 -0500
Subject: [Dataloss] Dollar Tree Customers Financial Fraud (follow-up)
Message-ID: <6.2.1.2.0.20061014183042.046a56b0@mail.sigecom.net>

A Southern California man has been indicted by a federal grand jury for alleged bank fraud involving hundreds of customers of Dollar Tree stores (in Oregon & Northern California). Authorities said Parkev Krmoian is accused of using counterfeit ATM cards to make unauthorized withdrawals. Police said the cards Krmoian was using were actually gift cards that had been encoded with ATM card information.

http://www.kcra.com/news/10012058/detail.html


From Dissent at pogowasright.org Sun Oct 15 15:16:17 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sun, 15 Oct 2006 15:16:17 -0400 (EDT)
Subject: [Dataloss] Poulsbo DOL Loses Personal Information of 2,200 Residents
Message-ID:

The Poulsbo office of the Department of Licensing lost a device that contained the personal information of about 2,200 North Kitsap residents.

The department has sent letters informing people who made transactions at the branch during late September that a "data storage device" used to back up transaction data went missing. The device -- which DOL officials aren't describing for security reasons -- contained names, addresses, pictures and driver's license numbers.

[...]

http://www.kitsapsun.com/bsun/local/article/0,2403,BSUN_19088_5068268,00.html


From bkdelong at pobox.com Mon Oct 16 10:32:23 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Mon, 16 Oct 2006 10:32:23 -0400
Subject: [Dataloss] Employee vs client data?
Message-ID:

It would be cool if we could begin distinguishing whether it was employee data that was lost or client data (or both).
From allan_friedman at ksgphd.harvard.edu Mon Oct 16 11:40:58 2006
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Mon, 16 Oct 2006 11:40:58 -0400
Subject: [Dataloss] Employee vs client data?
In-Reply-To:
References:
Message-ID: <686cc62f0610160840p4418ab2ax7a56a7a3748ac193@mail.gmail.com>

> It would be cool if we could begin distinguishing whether it was employee
> data that was lost or client data, (or both).

There's a field for data subject in my data. I also note the presence of a principal-agent relationship for data protection, for when a third party is safeguarding the data on behalf of the {employer/merchant}. Finally, the data subject could have no direct or transitive relationship with the data subject (i.e. Choicepoint). I only have it for publicly traded companies, though.

I hate to keep this stuff as a shadow dataset, but since exact date and sequence of info is critical to our project, it's taken longer than expected to make sure it's good. We really look forward to sharing it soon.

allan


From bkdelong at pobox.com Mon Oct 16 12:04:53 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Mon, 16 Oct 2006 12:04:53 -0400
Subject: [Dataloss] Employee vs client data?
In-Reply-To: <686cc62f0610160840p4418ab2ax7a56a7a3748ac193@mail.gmail.com>
References: <686cc62f0610160840p4418ab2ax7a56a7a3748ac193@mail.gmail.com>
Message-ID:

Right - I would guess (with credit and your permission) that Attrition & PogoWasRight.org would switch to your data set or at least import the data you've collected into their database.

On 10/16/06, Allan Friedman wrote:
>
> > It would be cool if we could begin distinguishing whether it was
> > employee data that was lost or client data, (or both).
>
> There's a field for data subject in my data.
I also note the presence of > a principle-agent relationship for data protection, for when a third > party is safeguarding the data on behalf of the {employer/merchant}. > Finally, the data subject could have no direct or transitive > relationship with the data subject (i.e. Choicepoint). I only have it > for publicly traded companies, though. > > I hate to keep this stuff as a shadow dataset, but since exact date > and sequence of info is critical to our project, it's taken longer > than expected to make sure it's good. We really look forward to > sharing it soon. > > allan > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 137 million compromised records in 430 incidents over 6 > years. > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://attrition.org/pipermail/dataloss/attachments/20061016/4870ae24/attachment.html From Dissent at pogowasright.org Mon Oct 16 12:17:47 2006 From: Dissent at pogowasright.org (Dissent) Date: Mon, 16 Oct 2006 12:17:47 -0400 (EDT) Subject: [Dataloss] Employee vs client data? In-Reply-To: References: <686cc62f0610160840p4418ab2ax7a56a7a3748ac193@mail.gmail.com> Message-ID: "B.K. DeLong" wrote: > Right - I would guess, (with credit and your permission), that > Attrition & > PogoWasRight.org would switch to your data set or at least import the > data > you've collected into their database. Just to be clear: PogoWasRight.org does not have a database. DLDOS is strictly Attrition.org's, even though we've been providing a bit of assistance with finding items for backfill, etc. Dissent From Dissent at pogowasright.org Mon Oct 16 12:45:28 2006 From: Dissent at pogowasright.org (Dissent) Date: Mon, 16 Oct 2006 12:45:28 -0400 (EDT) Subject: [Dataloss] Employee vs client data? In-Reply-To: References: Message-ID: "B.K. 
DeLong" wrote: > It would be cool if we could begin distinguishing whether it was employee > data that was lost or client data, (or both). It would be even cooler if our govt. actually had a clue what kinds of data were even on the thousands of govt. or govt contractor laptops etc. that have been lost or stolen by now. I think we should have a separate "clueless index" as a running total of the number of as-yet-unrecovered lost or stolen laptops, computers, flash drives or media that are gone and where we have no idea in h*ll what was even on them. Dissent From adam at homeport.org Mon Oct 16 13:27:27 2006 From: adam at homeport.org (Adam Shostack) Date: Mon, 16 Oct 2006 13:27:27 -0400 Subject: [Dataloss] Employee vs client data? In-Reply-To: References: Message-ID: <20061016172726.GA25079@homeport.org> On Mon, Oct 16, 2006 at 12:45:28PM -0400, Dissent wrote: | "B.K. DeLong" wrote: | | > It would be cool if we could begin distinguishing whether it was | employee | > data that was lost or client data, (or both). | | | It would be even cooler if our govt. actually had a clue what kinds of | data were even on the thousands of govt. or govt contractor laptops | etc. that have been lost or stolen by now. | | I think we should have a separate "clueless index" as a running total | of the number of as-yet-unrecovered lost or stolen laptops, computers, | flash drives or media that are gone and where we have no idea in h*ll | what was even on them. While I agree with you and share your frustration, I think its very important to realize that the data we're getting us under threat of being taken away by federal legislation. That legislation is being driven by the apparently reasonable demand to "harmonize" and add a ceiling to exisiting laws. I'm working very hard to generate awareness of the long term value we get from the temporary pain, and in doing so, would like to hold down the level of pain to no more than it needs to be. 
Calling people clueless, while fun, and perhaps even sometimes accurate, isn't going to get us where I think we want to go, which is greater and more consistent disclosure of problems.

Adam

From allan_friedman at ksgphd.harvard.edu Mon Oct 16 15:35:07 2006
From: allan_friedman at ksgphd.harvard.edu (Allan Friedman)
Date: Mon, 16 Oct 2006 15:35:07 -0400
Subject: [Dataloss] Employee vs client data?
References: <686cc62f0610160840p4418ab2ax7a56a7a3748ac193@mail.gmail.com>
Message-ID: <686cc62f0610161235v13d8d992tf87248e631fabee6@mail.gmail.com>

> Right - I would guess, (with credit and your permission), that Attrition &
> PogoWasRight.org would switch to your data set or at least import the data
> you've collected into their database.

Of course we plan to publish the data set. It's just that the details required and the peculiarities of the project meant that it made more sense for us to continue to use my dataset, rather than try to synchronize immediately. There aren't too many details about the breaches themselves that I have apart from what's already in the DLDOS. Keep in mind that our unit of analysis is a company-breach-news outlet tuple, so I have a dozen entries for the BoA/Wachovia from 2005. Each news story reveals more details about the breach. You (we!) can talk about the best way to integrate that into DLDOS. I also note some of the details of the breach announcement (i.e. press release vs. got caught sending letters) and when the breach actually occurred.

Of course this data is still very messy. Sorry, Chris, we need one more cleaning before I'll feel confident enough about the coding to give you anything meaningful. Again, I hate to not be more open right now, but I hate sloppy work and incorrect assumptions even more.

One last shameless plug for the Workshop on the Economics of Securing the Information Infrastructure. Free! In DC!
Today's the last day to register: http://wesii.econinfosec.org/workshop/

allan

From lyger at attrition.org Tue Oct 17 19:47:05 2006
From: lyger at attrition.org (lyger)
Date: Tue, 17 Oct 2006 19:47:05 -0400 (EDT)
Subject: [Dataloss] California: ID theft feared in Visalia document dump

From PogoWasRight.org:

http://www.fresnobee.com/270/story/7934.html

City officials are alerting about 200 current and former Recreation Division employees that some of their private information - including Social Security numbers - may have been compromised when someone tossed copies of city records onto a Visalia street over the weekend.

Police are continuing to investigate how the copies of the city payroll records and other documents - part of a court file in an embezzlement case last year - got out into the public.

The records were part of the case against Jesse Moreno, 36, who was arrested in April 2005 on suspicion of grand theft, embezzlement and hundreds of incidents of forgery. Moreno, who was a recreation supervisor with the city, allegedly faked time sheets for hourly employees and cashed the resulting paychecks to embezzle as much as $58,000.

[...]

From cwalsh at cwalsh.org Tue Oct 17 19:30:06 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 17 Oct 2006 18:30:06 -0500
Subject: [Dataloss] House Committee on Govt Reform releases breach staff report

This is the one that mentions thousands of lost census bureau laptops, among other examples. Gives a sense of the size of the iceberg, and some examples.

http://reform.house.gov/GovReform/News/DocumentSingle.aspx?DocumentID=51539

From lyger at attrition.org Tue Oct 17 20:33:36 2006
From: lyger at attrition.org (lyger)
Date: Tue, 17 Oct 2006 20:33:36 -0400 (EDT)
Subject: [Dataloss] DLDOS Update: Data Expansion (new columns)

Thanks to input from members of the mail list and others, four new columns have been added to DLDOS:

http://attrition.org/dataloss/dataloss.csv

StockSymbol (if the company is listed on an exchange, does it have a symbol?)
DataRecovered (was the data recovered if lost or stolen? the answer can be yes, no, or partial)
ConsumerLawsuit (was a lawsuit filed against the company or companies responsible for the loss?)
ArrestProsecution (was there an arrest or prosecution related to the incident?)

Here's the catch: to this point, we have only backfilled the first five and last five events in the database to get the ball rolling. Adding new events and backfilling older events is still taking quite a bit of time, so if anyone wants to assist with adding data to the four new columns, it would be GREATLY appreciated. Please contact me directly if you have data to contribute (preferably listed by DL-#### UID).

Extra thanks (in no particular order) to Chris Walsh, Jericho, Dissent and AnonAdmin (PogoWasRight.org), Adam Shostack, and B.K. DeLong for their input on the expansion.

Lyger

From lyger at attrition.org Tue Oct 17 21:16:38 2006
From: lyger at attrition.org (lyger)
Date: Tue, 17 Oct 2006 21:16:38 -0400 (EDT)
Subject: [Dataloss] DLDOS Update: New "Type" Classification

http://attrition.org/dataloss/dataloss.csv

In order to distinguish between certain types of data loss events, the "Type" column now has a new subset: "Disposal". Previously, data lost through improper disposal was classified as either "Lost Media" or "Fraud - SE" depending on circumstances. Recently, several events have been found (either recently or in years past) as having been the result of improper disposal of personal information.
Since the media seems to have jumped on the "dumpster dive" fad in the last few months, we'll try to distinguish between "disposal" and truly "lost media".

Once again, thanks to all for the input.

From Dissent at pogowasright.org Wed Oct 18 07:43:54 2006
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 18 Oct 2006 07:43:54 -0400 (EDT)
Subject: [Dataloss] NC: Computer is stolen from Stokes school

A Dell computer stolen from the Germanton Elementary School cafeteria last week contains students' Social Security numbers, Stokes County schools officials said at a board of education meeting Monday.

However, any of the students' personal information on the computer is encrypted and cannot be accessed without several passwords, said Capt. Junior Palmer of the Stokes County Sheriff's Office.

[...]

http://www.journalnow.com/servlet/Satellite?pagename=WSJ%2FMGArticle%2FWSJ_BasicArticle&c=MGArticle&cid=1149191218069&path=!localnews&s=1037645509099

From rforno at infowarrior.org Wed Oct 18 19:36:46 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Wed, 18 Oct 2006 19:36:46 -0400
Subject: [Dataloss] Microsoft releases guidelines for customer privacy

Microsoft releases guidelines for customer privacy

October 18, 2006 (IDG News Service) -- Criticized in the past for an initiative that would require the company to collect and catalog personal information about its customers, Microsoft Corp. on Tuesday released an internal document about how it protects customers' privacy in the hopes that other companies will adopt similar practices.

The company publicly published a 49-page document, called Microsoft's Privacy Guidelines for Developing Software Products and Services, at the International Association of Privacy Professionals Privacy Academy 2006 in Toronto.
< - >

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004220

The MS document directly:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c48cf80f-6e87-48f5-83ec-a18d1ad2fc1f&displaylang=en

From jericho at attrition.org Thu Oct 19 03:04:06 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 19 Oct 2006 03:04:06 -0400 (EDT)
Subject: [Dataloss] VISA / 1ST BANK

Letter sent out to an unknown amount of 1st Bank customers on Oct 16. Any typos are my own.

--

1ST BANK Data Corporation
12345 W. Colfax Ave
Lakewood, Colorado 80215
(303) 232-3000

October 16, 2006

[Customer Name]
[Customer Address]

Dear FirstBank Customer:

We have been notified by Visa U.S.A. that a listing of valid Visa card numbers has been obtained by an unauthorized person or persons who gained access to a merchant card processor's transaction database. For privacy reasons, Visa cannot disclose the name of the processor.

Your FirstTeller Visa Check Card number was among those that were compromised. Although we believe the possibility of your card being used for fraudulent transactions is minimal, we are going to issue you a new card which you should receive by 10/27/2006. Effective 11/01/2006, your existing FirstTeller Card, ending in ####, will no longer work. If you have not received a new card by 10/27/2006, please notify us.

Any recurring payments that you have scheduled with your existing FirstTeller Card will need to be transferred to your new card.

We apologize for any inconvenience this situation may cause you. We would also like to reassure you that the compromise of information occurred at a merchant card processor's location, not FirstBank and therefore your account information at FirstBank has not been obtained by these unauthorized indivuduals.

If you have any questions concerning this letter, please call us at (303)237-5000 or 1-800-964-3444 if you are outside metro Denver.
Sincerely,

Lovonne Maness
Data Processing Officer

From lucid at unixgeeks.org Thu Oct 19 07:18:36 2006
From: lucid at unixgeeks.org (Joshua Fritsch)
Date: Thu, 19 Oct 2006 04:18:36 -0700 (PDT)
Subject: [Dataloss] VISA / 1ST BANK

> We have been notified by Visa U.S.A. that a listing of valid Visa card
> numbers has been obtained by an unauthorized person or persons who gained
> access to a merchant card processor's transaction database. For privacy
> reasons, Visa cannot disclose the name of the processor.

For PRIVACY reasons?! So the privacy of a business that failed to secure the data of its customers cannot be disclosed, thus preventing said customers from avoiding that business in the future. There's gotta be a lawsuit in there somewhere...

-J

From ziplock at pogowasright.org Thu Oct 19 10:31:17 2006
From: ziplock at pogowasright.org (ziplock)
Date: Thu, 19 Oct 2006 10:31:17 -0400 (EDT)
Subject: [Dataloss] VISA / 1ST BANK

A replacement card is a better reaction than most, to either do nothing or to offer credit monitoring, but the letter would have been less disturbing if they hadn't offered the "for privacy reasons" for not disclosing the processor. It's a bit like pouring salt on an open wound.

From rforno at infowarrior.org Thu Oct 19 10:31:15 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 19 Oct 2006 10:31:15 -0400
Subject: [Dataloss] Secret Federal Data Allegedly Used in Attack Ad

(not exactly a breach, more likely an abuse -- if relevant, send along, otherwise divert to /null........rf)

Secret Federal Data Allegedly Used in Attack Ad
From the Associated Press
October 19, 2006

DENVER -- Information in an attack ad run by Rep. Bob Beauprez against his Democratic opponent for governor was obtained from a federal database available only for law enforcement, Colorado authorities said Wednesday.
The Colorado Bureau of Investigation launched a criminal investigation into the ad after candidate Bill Ritter's campaign raised the possibility that the database was illegally accessed because the information could not be verified through public records.

Bureau Director Robert Cantwell said the information came from the National Crime Information Center, a federal database available only to law enforcement officials.

< - >

http://www.latimes.com/news/nationworld/nation/la-na-adflap19oct19,1,6736697.story?coll=la-headlines-nation

From bkdelong at pobox.com Thu Oct 19 10:41:37 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 19 Oct 2006 10:41:37 -0400
Subject: [Dataloss] VISA / 1ST BANK

Well, whoever it was will probably get whacked with a HUGE fine for violating PCI Security standards. I'm guessing it won't take long to determine who falls under approved card processors for Visa.

On 10/19/06, ziplock wrote:
> A replacement card is a better reaction than most, to either do nothing
> or to offer credit monitoring, but the letter would have been less
> disturbing if they hadn't offered the "for privacy reasons" for not
> disclosing the processor. It's a bit like pouring salt on an open wound.

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org
From lyger at attrition.org Thu Oct 19 14:33:21 2006
From: lyger at attrition.org (lyger)
Date: Thu, 19 Oct 2006 14:33:21 -0400 (EDT)
Subject: [Dataloss] Visa issues new alert, identifies leading causes of data breaches

http://www.greensheet.com/PriorIssues-/061001-/8.htm

Hackers target vulnerable POS systems they suspect store card data, Visa U.S.A. recently warned, and, in conjunction with the U.S. Chamber of Commerce, stated the five leading causes of data breaches and specific prevention strategies for each.

Visa is aware of credit and debit card account information compromises occurring from improperly stored magnetic stripe, or track, data after transaction authorizations are completed. Track data refers to the information encoded in Tracks 1 and 2 of the mag stripe. The card Association has also observed compromises involving improperly stored card verification value 2 (CVV2) data, PINs and PIN blocks.

[...]

From cwalsh at cwalsh.org Thu Oct 19 16:06:32 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 19 Oct 2006 15:06:32 -0500
Subject: [Dataloss] VISA / 1ST BANK
Message-ID: <20061019200627.GB19579@cwalsh.org>

On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K. DeLong wrote:
> Well, whoever it was will probably get whacked with a HUGE fine for
> violating PCI Security standards. I'm guessing it won't take long to
> determine who falls under approved card processors for Visa.

They might get fined, but not by Visa. Too much butter on that bread to throw it in the bin.

The FTC, OTOH, may do some enforcement:
http://www.emergentchaos.com/archives/2006/06/prediction.html

Visa has been zealously guarding the "privacy" of these processors since at least December of 2005, when the Sam's Club stuff started to hit the fan.
Even Gartner called MC and Visa out on it:
http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html

Chris

From bkdelong at pobox.com Thu Oct 19 16:21:06 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 19 Oct 2006 16:21:06 -0400
Subject: [Dataloss] VISA / 1ST BANK
In-Reply-To: <20061019200627.GB19579@cwalsh.org>
References: <20061019200627.GB19579@cwalsh.org>

Is it that hard to find out who did the card processing for 1st Bank?

On 10/19/06, Chris Walsh wrote:
> On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K. DeLong wrote:
> > Well, whoever it was will probably get whacked with a HUGE fine for
> > violating PCI Security standards. I'm guessing it won't take long to
> > determine who falls under approved card processors for Visa.
>
> They might get fined, but not by Visa. Too much butter on that bread
> to throw it in the bin.
>
> The FTC, OTOH, may do some enforcement:
> http://www.emergentchaos.com/archives/2006/06/prediction.html
>
> Visa has been zealously guarding the "privacy" of these processors since
> at least December of 2005, when the Sam's Club stuff started to hit the
> fan. Even Gartner called MC and Visa out on it:
> http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html
>
> Chris

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org
From DOpacki at Covestic.com Thu Oct 19 16:43:12 2006
From: DOpacki at Covestic.com (Dennis Opacki)
Date: Thu, 19 Oct 2006 13:43:12 -0700
Subject: [Dataloss] VISA / 1ST BANK
References: <20061019200627.GB19579@cwalsh.org>
Message-ID: <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl>

The way I read the notification, it didn't sound like the processor was affiliated with 1st Bank:

"We would also like to reassure you that the compromise of information occurred at a merchant card processor's location, not FirstBank and therefore your account information at FirstBank has not been obtained by these unauthorized indivuduals(SIC)."

Perhaps they are just notifying customers affected by another company's gaffe? Must be a bad day if they didn't even spell-check the notification before it went out..

-Dennis

From: B.K. DeLong
Sent: Thu 10/19/2006 1:21 PM
To: Chris Walsh
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] VISA / 1ST BANK

Is it that hard to find out who did the card processing for 1st Bank?
From ADAIL at sunocoinc.com Thu Oct 19 17:05:23 2006
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Thu, 19 Oct 2006 17:05:23 -0400
Subject: [Dataloss] VISA / 1ST BANK
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC707E2@mds3aex0e.USISUNOCOINC.com>

Depending on the industry and depending on the circumstances of the breach, it could be impossible for the merchant to notify the people affected. A lot of retail systems store credit card numbers for chargeback research, but the name of the card holder is not kept. When one of these businesses is breached they know xxxxx number of card numbers were possibly compromised, but not who the cards belong to (Magnetic stripe data being an exception). In that event the company has no choice but to notify their settlement provider, who will in turn notify the issuer, who can cross reference card numbers with card holders.

Andy Dail
Sunoco PCI Project Manager
(918) 586-6160

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Dennis Opacki
Sent: Thursday, October 19, 2006 3:43 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] VISA / 1ST BANK

The way I read the notification, it didn't sound like the processor was affiliated with 1st Bank:

"We would also like to reassure you that the compromise of information occurred at a merchant card processor's location, not FirstBank and therefore your account information at FirstBank has not been obtained by these unauthorized indivuduals(SIC)."

Perhaps they are just notifying customers affected by another company's gaffe?
Must be a bad day if they didn't even spell-check the notification before it went out..

-Dennis
From lyger at attrition.org Thu Oct 19 19:27:59 2006
From: lyger at attrition.org (lyger)
Date: Thu, 19 Oct 2006 19:27:59 -0400 (EDT)
Subject: [Dataloss] Hacker gets 5 years for accessing Army computers

(We should probably backfill this into DLDOS for 2003, still searching for info. Courtesy Dissent from pogowasright.org)

http://www.wvec.com/sharedcontent/APStories/stories/D8KRUG782.html

A Wichita man who hacked into 13 U.S. Army computers to steal credit card numbers and account information was sentenced to five years in federal prison, the U.S. Attorney's Office announced Thursday.

Matthew R. Decker, 21, was sentenced Monday by U.S. District Judge J. Thomas Marten after pleading guilty in July to reduced charges under a plea deal. Decker pleaded guilty to one count of accessing a protected computer and one count of possession of unauthorized credit card account access devices.

[...]

From jericho at attrition.org Thu Oct 19 21:01:52 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 19 Oct 2006 21:01:52 -0400 (EDT)
Subject: [Dataloss] Feds Often Clueless After Data Losses

Courtesy of InfoSec News

http://www.informationweek.com/news/showArticle.jhtml?articleID=193400392

By Gregg Keizer
TechWeb News
Oct 18, 2006

Federal agencies not only regularly lose personal identity data, but don't even always know what they've lost or how many Americans are affected, a recently-released House report claimed.

According to the report issued by the House Government Reform Committee, which is chaired by Tom Davis (R-Va.), all 19 federal departments and agencies from which data was requested had lost or compromised personal information in the three-and-a-half years since January 2003. Some of the breaches were losses, others were the result of theft.
In August 2006, for example, a Department of Defense laptop that contained personal information on 30,000 Navy applicants and prospects fell off a motorcycle driven by a recruiter. "The recruiter returned to the scene and was told by a road side worker that a car had stopped and picked up the bag," the report said.

Davis's report was prompted by the May theft of a Veterans Affairs laptop and external hard drive that had the personal information of some 26.5 million veterans and active duty military personnel. The hardware was recovered about two months later; an FBI analysis concluded that none of the confidential information had been accessed on the notebook and drive.

"I commend Davis for asking agencies to come forward with this information," said Paul Kurtz, executive director of the Cyber Security Industry Alliance (CSIA), an industry advocacy group that counts Citrix, McAfee, RSA, and Symantec as members. "It was a necessary step and a positive move."

The Davis report concluded that data loss is a government-wide problem. "This is not restricted to the Department of Veteran Affairs or any other single agency," the report stated. More troublesome, however, was the fact that in many cases, agencies "do not know what information has been lost or how many individuals could be impacted."

"That's not surprising," said Kurtz. "But it does underscore the gravity of the situation. Government is simply not giving this the attention it needs."

Although Congress pondered several data breach bills in the just-concluded session, none were passed. Kurtz, who in the past has been critical of the low priority the issue was given, continued to hammer at legislators. "People's sensitive information must be secured across federal agencies. Users are confused. They hear from the private sector, such as brokerage houses, that their information is secure, but then find out it's not secure in other places, like the government. There needs to be a set of common standards."
Still, Kurtz hasn't given up on the idea of national data breach and notification bill passing. "If I was a betting man, I'll take the bet [that Congress will pass something next session]. But that's because it's two years we're talking about." In fact, Congress came close to putting something on the President's desk in the 190th Congress. "This was in the top 10, but not in the top 5," Kurtz said. "There is a recognition and concern that this is a real problem. But it will take a lot of work."

That shouldn't bowl over anyone who has followed the federal government's abysmal record in IT security. In the most recent security report card issued by Congress, the government as a whole pulled a dismal "D+". Eight of the 24 departments and agencies graded were given an "F".

"There's definitely a connection between the grades and data losses," said Kurtz.

The House report can be downloaded from here as a 15-page PDF file.

http://reform.house.gov/UploadedFiles/Agency%20Breach%20Summary%20Final%20(3).pdf

From Dissent at pogowasright.org Fri Oct 20 02:48:02 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 20 Oct 2006 02:48:02 -0400 (EDT)
Subject: [Dataloss] Stolen laptop held personal data of thousands of Allina patients

A laptop computer containing the names and Social Security numbers of thousands of Allina Hospitals and Clinics obstetrics patients was stolen from a nurse's car Oct. 8, prompting alerts this week from the health-care provider to the patients.

Company spokesman David Kanihan said Thursday night that there has been no indication any data have been accessed. Two passwords are needed to access the information on the laptop, he said.

[...]
http://www.startribune.com/462/story/754898.html

From Dissent at pogowasright.org Fri Oct 20 04:49:47 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 20 Oct 2006 04:49:47 -0400 (EDT)
Subject: [Dataloss] T-Mobile reports ID-theft risk
Message-ID:

A laptop containing the Social Security numbers and other personal information of T-Mobile USA Inc. employees recently disappeared, putting as many as 43,000 current and former workers at risk of identity theft. However, the company based in Bellevue, Wash., says there is no indication the laptop contained customer information.

In a letter to employees dated Oct. 14 and obtained Thursday by The Oregonian, T-Mobile Vice President Manny Sousa said the laptop in question disappeared from an employee's checked luggage. The laptop was protected by a password, according to the company, and Sousa's letter says T-Mobile has "no reason to believe that any employee information has been improperly accessed."

[...]

http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1161323496316290.xml&coll=7

From Dissent at pogowasright.org Fri Oct 20 07:07:16 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 20 Oct 2006 07:07:16 -0400 (EDT)
Subject: [Dataloss] Second laptop with student data was stolen
Message-ID:

University of Minnesota officials confirmed Thursday a second theft of a laptop computer this summer that contained private student data.

The incident involved a U art department laptop holding about 200 student names, university IDs and grades but no Social Security numbers. It was stolen from a faculty member in June during a trip to Spain. There's no indication the data have been misused, though the loss was considered a security breach under Minnesota law.

Last month, the U acknowledged two Institute of Technology laptops were stolen in August with data on more than 13,000 students who enrolled in the school as freshmen between fall 1991 and 2006.
Some of those records contained Social Security numbers.

[...]

http://www.twincities.com/mld/twincities/news/local/15801934.htm (Reg. Req.)

From blitz at strikenet.kicks-ass.net Fri Oct 20 00:22:01 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Fri, 20 Oct 2006 00:22:01 -0400
Subject: [Dataloss] VISA / 1ST BANK
In-Reply-To: <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl>
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl>
Message-ID: <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net>

I think what we're seeing is the affected companies being told by their law-vultures to release as little as possible to minimize exposure. This, in its essence, limits as well the ability of independent verification and investigation to assist others in prevention and bring guilty parties to justice.

This is a trend that should be stopped ASAP. I believe they as well as we understand the time to "walk the walk" is upon us, and some serious lawsuits are in the offing in lieu of actually securing our data. The only model they will accept is one like HIPAA where the Fox guards the hen house.

One more notable side effect I'm seeing is the taking on blind faith that a missing data set has been recovered and has not been tampered with. Says WHO? The FBI? They're ankle deep in these cases, and in case you don't remember recent history, they have been less than honest in evidentiary cases in the past. A company like MC or Visa certainly has the political and monetary clout to buy the results they're seeking. Don't make me laugh. Hasn't been accessed? Copied to another hard drive for eventual compromise, maybe yes, but not tampered with? The professional thieves have access to the same tools we do. Compromising even an encrypted set of data is not an IF proposition, but merely a WHEN one.
Anyone who understands distributed computing knows the power of a supercomputer is well within the budget of almost anyone who puts their mind to it.

Does the old cops-and-robbers line "let's lay low till the heat goes down" ring a bell?

When data's gone, it's GOT to be presumed compromised, period. Extend the meager protections, mail the letters, and by all means, DO NOT allow a weak data protection statute at the Federal level to preempt stronger State statutes.

The bottom line is all about minimizing exposure, and the clients who were compromised be damned.

We need some serious introspection of what we believe, and who we trust after the fact IMHO.

Marc

At 16:43 10/19/2006, you wrote:
> The way I read the notification, it didn't sound like the processor
> was affiliated with 1st Bank:
>
> "We would also like to reassure you that the compromise of
> information occurred at a merchant card processor's location, not
> FirstBank and therefore your account information at FirstBank has
> not been obtained by these unauthorized indivuduals(SIC)."
>
> Perhaps they are just notifying customers affected by another
> company's gaffe? Must be a bad day if they didn't even spell-check
> the notification before it went out..
>
> -Dennis
>
> ----------
> From: B.K. DeLong
> Sent: Thu 10/19/2006 1:21 PM
> To: Chris Walsh
> Cc: dataloss at attrition.org
> Subject: Re: [Dataloss] VISA / 1ST BANK
>
> Is it that hard to find out who did the card processing for 1st Bank?
>
> On 10/19/06, Chris Walsh <cwalsh at cwalsh.org> wrote:
> On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K. DeLong wrote:
> > Well, whomever it was will probably get whacked with a HUGE fine for
> > violating PCI Security standards. I'm guessing it won't take long to
> > determine who falls under approved card processors for Visa.
>
> They might get fined, but not by Visa. Too much butter on that bread
> to throw it in the bin.
> The FTC, OTOH, may do some enforcement:
> http://www.emergentchaos.com/archives/2006/06/prediction.html
>
> Visa has been zealously guarding the "privacy" of these processors since
> at least December of 2005, when the Sam's Club stuff started to hit the
> fan. Even Gartner called MC and Visa out on it:
> http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html
>
> Chris
>
> --
> B.K. DeLong (K3GRN)
> bkdelong at pobox.com
> +1.617.797.8471
>
> http://www.wkdelong.org/ Son.
> http://www.ianetsec.com/ Work.
> http://www.bostonredcross.org/ Volunteer.
> http://www.carolingia.eastkingdom.org/ Service.
> http://bkdelong.livejournal.com/ Play.
>
> PGP Fingerprint:
> 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
>
> FOAF:
> http://foaf.brain-stream.org/
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 137 million compromised records in 430 incidents
> over 6 years.

From cwalsh at cwalsh.org Fri Oct 20 11:09:21 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 20 Oct 2006 10:09:21 -0500
Subject: [Dataloss] Second laptop with student data was stolen
In-Reply-To:
References:
Message-ID: <20061020150904.GA27565@cwalsh.org>

On Fri, Oct 20, 2006 at 07:07:16AM -0400, Dissent wrote:
> University of Minnesota officials confirmed Thursday a second theft of
> a laptop computer this summer that contained private student data.
>
> The incident involved a U art department laptop holding about 200
> student names, university IDs and grades but no Social Security
> numbers. It was stolen from a faculty member in June during a trip to
> Spain.
>
> There's no indication the data have been misused, though the loss was
> considered a security breach under Minnesota law.

The law in MN seems typical:

For the purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements is not encrypted:

(1) Social Security number;
(2) driver's license number or Minnesota identification card number; or
(3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

I don't see how disclosure of this breach falls under this law. Of course, it's fine if they want to go above and beyond. I'm just reacting to the "loss was considered a breach" sentence.

From george at myitaz.com Fri Oct 20 16:35:42 2006
From: george at myitaz.com (George Toft)
Date: Fri, 20 Oct 2006 13:35:42 -0700
Subject: [Dataloss] VISA / 1ST BANK
In-Reply-To: <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net>
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net>
Message-ID: <4539331E.20909@myitaz.com>

The new truth of the Digital Millennium: "Your personal information expires when you do." ~Brian Honan / SANS

Until the lawmakers of Washington suffer ID Theft, nothing will change. If I were an ID thief, I would definitely dump any high profile name from my database - no need to spoil the party. And the party will continue until some high profile politico gets burned.

I was in Home Depot this week at the customer service counter. A customer was telling the clerk about someone running around with his SSN. It is becoming commonplace (at least in Arizona).
George Toft, CISSP, MSIS

blitz wrote:
>
> I think what we're seeing is the affected companies being told by their
> law-vultures to release as little as possible to minimize exposure. This,
> in its essence, limits as well the ability of independent verification
> and investigation to assist others in prevention and bring guilty
> parties to justice.
> This is a trend that should be stopped ASAP. I believe they as well as
> we understand the time to "walk the walk" is upon us, and some serious
> lawsuits are in the offing in lieu of actually securing our data. The
> only model they will accept is one like HIPAA where the Fox guards the
> hen house.
>
> One more notable side effect I'm seeing is the taking on blind faith
> that a missing data set has been recovered and has not been tampered with.
> Says WHO? The FBI? They're ankle deep in these cases, and in case you
> don't remember recent history, they have been less than honest in
> evidentiary cases in the past. A company like MC or Visa certainly has
> the political and monetary clout to buy the results they're seeking.
> Don't make me laugh. Hasn't been accessed? Copied to another hard drive
> for eventual compromise, maybe yes, but not tampered with? The
> professional thieves have access to the same tools we do. Compromising
> even an encrypted set of data is not an IF proposition, but merely a
> WHEN one. Anyone who understands distributed computing knows the power
> of a supercomputer is well within the budget of almost anyone who puts
> their mind to it.
> Does the old cops-and-robbers line "let's lay low till the heat goes
> down" ring a bell?
> When data's gone, it's GOT to be presumed compromised, period. Extend the
> meager protections, mail the letters, and by all means, DO NOT allow a
> weak data protection statute at the Federal level to preempt stronger State
> statutes.
> The bottom line is all about minimizing exposure, and the clients who
> were compromised be damned.
> We need some serious introspection of what we believe, and who we trust
> after the fact IMHO.
> Marc

From lyger at attrition.org Fri Oct 20 16:59:50 2006
From: lyger at attrition.org (lyger)
Date: Fri, 20 Oct 2006 16:59:50 -0400 (EDT)
Subject: [Dataloss] VISA / 1ST BANK
In-Reply-To: <4539331E.20909@myitaz.com>
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com>
Message-ID:

On Fri, 20 Oct 2006, George Toft wrote:

": " The new truth of the Digital Millennium: "Your personal information
": " expires when you do." ~Brian Honan / SANS

Tell that to all of the dead people who are registered to vote:
http://seattletimes.nwsource.com/html/localnews/2002777697_voters02m.html
:)

": " Until the lawmakers of Washington suffer ID Theft, nothing will change.
": " If I were an ID thief, I would definitely dump any high profile name
": " from my database - no need to spoil the party. And the party will
": " continue until some high profile politico gets burned.

But data loss <> ID theft.
If data is lost or stolen regardless of an actual theft of an identity or identities, said data has been compromised even if no access can be proven. Things *can* change, but it has to start with the actual protection of personal data and not wait until the media starts screaming "IDENTITY THEFT" in the headlines.

": " I was in Home Depot this week at the customer service counter. A
": " customer was telling the clerk about someone running around with his
": " SSN. It is becoming commonplace (at least in Arizona).
": "
": " George Toft, CISSP, MSIS

Out of curiosity, did he mention how it was compromised? Data breach of a third party or did someone steal his wallet? Not much could probably have been done about the latter, but the former needs to be addressed from a data protection standpoint, not an "identity theft" one.

Lyger
(look at all the quotes and footers i snipped, ma!)

From george at myitaz.com Fri Oct 20 19:35:14 2006
From: george at myitaz.com (George Toft)
Date: Fri, 20 Oct 2006 16:35:14 -0700
Subject: [Dataloss] VISA / 1ST BANK
In-Reply-To:
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com>
Message-ID: <45395D32.9000002@myitaz.com>

lyger wrote:
>
> On Fri, 20 Oct 2006, George Toft wrote:
> ": " Until the lawmakers of Washington suffer ID Theft, nothing will change.
> ": " If I were an ID thief, I would definitely dump any high profile name
> ": " from my database - no need to spoil the party. And the party will
> ": " continue until some high profile politico gets burned.
>
> But data loss <> ID theft. If data is lost or stolen regardless of an
> actual theft of an identity or identities, said data has been
> compromised even if no access can be proven. Things *can* change, but it
> has to start with the actual protection of personal data and not wait
> until the media starts screaming "IDENTITY THEFT" in the headlines.
I realize the difference - my information has been stolen 4 times, but my ID has not (yet).

Information protection received a major blow this month now that CPA's are exempt from Gramm-Leach-Bliley (or so says my recent ASCPA newsletter). Not that many of them actually knew they were under this legislation or even cared.

> ": " I was in Home Depot this week at the customer service counter. A
> ": " customer was telling the clerk about someone running around with his
> ": " SSN. It is becoming commonplace (at least in Arizona).
> ": "
> ": " George Toft, CISSP, MSIS
>
> Out of curiosity, did he mention how it was compromised? Data breach of
> a third party or did someone steal his wallet? Not much could probably
> have been done about the latter, but the former needs to be addressed from
> a data protection standpoint, not an "identity theft" one.

It was a conversation I overheard. What I got out of it was that his SSN was being used, not his whole ID. The issue surrounded paying for a purchase and they offered him cash, check or charge. He couldn't do check because his SSN was being abused.

George

From lyger at attrition.org Fri Oct 20 20:22:13 2006
From: lyger at attrition.org (lyger)
Date: Fri, 20 Oct 2006 20:22:13 -0400 (EDT)
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
In-Reply-To: <45395D32.9000002@myitaz.com>
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com> <45395D32.9000002@myitaz.com>
Message-ID:

On Fri, 20 Oct 2006, George Toft wrote:

": " I realize the difference - my information has been stolen 4 times, but
": " my ID has not (yet).

Now *this* might pose an interesting question for list members willing to respond:

By a show of hands (or reply email), how many here have ever received a breach notification or otherwise been informed that their personal information was compromised?
In a related question, how many here have been actual victims of identity theft?

Lyger = never. And yes, by admitting that fact, I'm probably tempting fate in a big way.

": " > Out of curiosity, did he mention how it was compromised? Data breach of
": " > a third party or did someone steal his wallet? Not much could probably
": " > have been done about the latter, but the former needs to be addressed from
": " > a data protection standpoint, not an "identity theft" one.
": "
": " It was a conversation I overheard. What I got out of it was that his
": " SSN was being used, not his whole ID. The issue surrounded paying for a
": " purchase and they offered him cash, check or charge. He couldn't do
": " check because his SSN was being abused.

Interesting that his SSN was somehow tied to his checking account. I honestly don't remember if I had to give my bank that information to open my account. Good food for thought..

From lucid at unixgeeks.org Fri Oct 20 22:00:00 2006
From: lucid at unixgeeks.org (Joshua Fritsch)
Date: Fri, 20 Oct 2006 19:00:00 -0700 (PDT)
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
In-Reply-To:
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com> <45395D32.9000002@myitaz.com>
Message-ID:

> By a show of hands (or reply email), how many here have ever received a
> breach notification or otherwise been informed that their personal
> information was compromised? In a related question, how many here have
> been actual victims of identity theft?

Compromise, yes. Theft, no.

-J

From macwheel99 at sigecom.net Sat Oct 21 01:48:51 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Sat, 21 Oct 2006 00:48:51 -0500
Subject: [Dataloss] Personal experiences?
Was Re: VISA / 1ST BANK
In-Reply-To:
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com> <45395D32.9000002@myitaz.com>
Message-ID: <6.2.1.2.0.20061021003910.044beeb0@mail.sigecom.net>

I have had one trivial notification that some personal information was compromised.

I had one incident in which I initially thought I was an ID theft victim, because I was in trouble for not paying an account I did not have, but it turned out to be bank error, that still hurt my credit rating.

I have ID theft insurance as a rider on my personal property insurance.

I now think two waste baskets is best insurance against dumpster divers (tear up the bills, and put pieces into different garbage containers that do not get dumped at same time).

> > By a show of hands (or reply email), how many here have ever received a
> > breach notification or otherwise been informed that their personal
> > information was compromised? In a related question, how many here have
> > been actual victims of identity theft?

From lawyer at carpereslegalis.com Fri Oct 20 23:25:34 2006
From: lawyer at carpereslegalis.com (Marjorie Simmons)
Date: Fri, 20 Oct 2006 20:25:34 -0700
Subject: [Dataloss] VISA / 1ST BANK
In-Reply-To: <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net>
Message-ID: <002401c6f4c0$a5583f40$0901a8c0@Lakshmi>

re show of hands: both.

Actually, I had my identity stolen the first time about 30 years ago when a former 'friend' decided to impersonate me (don't know how) and social engineer a bank into giving her a loan, which she then promptly defaulted on. I was in the military at the time and this person was hundreds of miles away. I got a call from my family telling me a bank was looking for me ....
---------------------------------------------------------------------------

A solution that the courts will find comfortable requires (1) following the money; and (2) showing how victims are damaged. All interested researchers should do this, i.e., match up the data losses with the derivative losses to the victims in order to show a pattern of risk that legislators will find helpful, and to show where damages lie and in what amount so victims can find recompense.

Keeping the relationships straight between the parties to the compromised transactions as discussed in this instance is important to a good understanding of the limitations of available remedies. For example, data compromise scenarios can include, among others:

M = Merchants
CP = Card Processors
PB = Presenting Banks of Card Companies
RB = Receiving Banks of Victims
VI = Victim Individuals

M - often don't keep more than transaction numbers
CP - keep account & transaction numbers, sometimes more
PB - present to RB a transaction on an account
RB - get notified by PB of upstream data losses

So, to put these players into a scenario, we have a VI who, upon shopping with M, enters into a transaction. The M then uses the CP to process the transaction, the CP then submits the transaction to the PB, the PB then presents the transaction to the RB for payment. At some point along the way, data is compromised.

Determining where in the stream of this transaction the compromise takes place is crucial to an ultimate assignment of fault, thus it is axiomatic that parties in the stream who are not at fault in the loss would decline to spread information about the loss since they will be investigated as part of the discovery of what took place. Divulging information about the loss before investigations are completed likely both impairs the investigation and results in further losses, exposing them to criminal liability.
Most don't need their lawyers to explain this since it is self-evident to them, if not to the general public.

Generally, if a merchant or CP compromises your data, your bank will instruct you to contact the card issuer to find out who compromised your data. If it is known to them, the card issuer may or may not reveal the source of the breach, but should. Card agreements often try to preempt this type of disclosure, and this is where legislation should be targeted.

====
Here is some legal background on what is needed:

In order to bring a viable lawsuit, a plaintiff must be able to show they've suffered damages. One must show:

Duty ---> Breach ---> Causation ---> Damages

The judiciary concerns itself with things that have a current or past impact, and if one tries to bring a suit for something that might happen in the future, the courts will generally not entertain the suit because it is not *ripe* for judicial consideration. Ripeness is an essential factor in a lawsuit. Ultimately this can mean your credit has to be hosed before you can sue.

The courts generally:
(1) do NOT recognize data losses per se as damages (as to the individual victims of data loss) unless the loss results in actual injury, e.g., the thief uses the data in a way that causes financial loss or physical injury to the victim;
(2) DO recognize data losses as a type of damages in a suit brought by shareholders, investors, or some other classes of persons having a pecuniary interest in the 'good will' of a business that has had its 'good will' damaged by losing data.

In both such cases, the loss of the data CAN result in a derivative loss to the victim that is measurable, and that result is litigable.
Non-specific (outrage factor) damages are not measurable in any way except through speculation of what might be done with the compromised data in the future, and are thus called 'speculative damages': they don't qualify for consideration as damages primarily because they cannot be measured and might not happen. Having one's card(s) cancelled and reissued isn't enough as that's considered, at this point, an annoyance rather than a loss.

In the short term, most data losses do not have a measurable derivative loss to the individual victim whose data has been compromised, but in the fullness of time, the loss to victims will be more measurable as thieves begin to use the data they've compiled. Connecting the dots here is the tricky part and following up on this is complex but is nonetheless absolutely necessary -- one must correlate the losses to get to damages.

One cannot emphasize strongly enough that the indicators that compromised data have been used to the detriment of victims needs to be a primary area of concern for researchers in order to be able to show damages. FOIA letters to state's attorneys general requesting statistical data might yield some helpful results for a roadmap.

Helpful legislation would designate generic data losses as a per se wrong carrying strict liability, and would require the data loser to, at minimum, pay for credit monitoring for each person affected, without regard to whether the feds or other investigative body think such data is 'safe'.

In the US, write your congress member about this, and vote.

Marjorie Simmons
###

| -----Original Message-----
| From: dataloss-bounces at attrition.org
| [mailto:dataloss-bounces at attrition.org] On Behalf Of blitz
| Sent: Thursday, October 19, 2006 9:22 pm
| To: dataloss at attrition.org
| Cc: kjv
| Subject: Re: [Dataloss] VISA / 1ST BANK
|
|
| I think what we're seeing is the affected companies being
| told by their law-vultures to release as little as possible
| to minimize exposure.
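The four-hop chain and the short retention list in the post above are enough to sketch a data-flow model of where card data sits at rest and where it merely passes through, which is the question that has to be answered before anyone can say which party in the stream to look at. The block below is an editor-added example, not code from the post or from anyone on the list. The hop order and the retention facts for M and CP are taken from the post; the retention entries for VI, PB and RB, the element names and the "enters the chain at" table are assumptions introduced for illustration, and the scenarios at the bottom are constructed, not drawn from any real notice.

```python
"""Data-flow sketch of the card-transaction chain VI -> M -> CP -> PB -> RB.

Editor-added example, not code from the post or from anyone on the list.
The hop order and the at-rest retention of M and CP come from the post;
every other retention entry, the element names and the entry points are
assumptions made for illustration.
"""

# Hop order as laid out in the post.
CHAIN = ["VI", "M", "CP", "PB", "RB"]

NAMES = {
    "VI": "victim individual",
    "M": "merchant",
    "CP": "card processor",
    "PB": "presenting bank",
    "RB": "receiving bank",
}

# What each party keeps at rest.  M and CP follow the post ("often don't keep
# more than transaction numbers" / "keep account & transaction numbers").
# VI, PB and RB are assumptions: the cardholder holds their own card, both
# banks need the account number to present and settle, and the victim's own
# bank knows the victim's name.
RETAINS = {
    "VI": {"name", "account_number"},
    "M": {"transaction_id"},
    "CP": {"transaction_id", "account_number"},
    "PB": {"transaction_id", "account_number"},
    "RB": {"transaction_id", "account_number", "name"},
}

# Where each element first appears in the chain (assumption).  From there on
# it is visible in transit to every later hop, whether or not that hop keeps it.
ENTERS_AT = {
    "name": "VI",
    "account_number": "VI",
    "transaction_id": "M",
}


def in_transit_at(element):
    """Parties that handle `element` in flight: its entry hop and all later hops."""
    start = CHAIN.index(ENTERS_AT[element])
    return set(CHAIN[start:])


def candidate_sources(compromised):
    """Split the chain into (at_rest, transit_only) candidates, in chain order.

    at_rest      - parties that retain every compromised element, so a breach of
                   stored data there explains the whole set on its own.
    transit_only - parties that saw every element pass through but do not keep
                   at least one of them, so only interception in flight (or a
                   retention policy looser than modelled) would explain the set.
    """
    wanted = set(compromised)
    unknown = wanted - set(ENTERS_AT)
    if unknown:
        raise ValueError(f"unmodelled elements: {sorted(unknown)}")
    at_rest = [p for p in CHAIN if wanted <= RETAINS[p]]
    transit = set(CHAIN)
    for element in wanted:
        transit &= in_transit_at(element)
    transit_only = [p for p in CHAIN if p in transit and p not in at_rest]
    return at_rest, transit_only


def describe(compromised):
    """One-line summary of where a given leaked set could have come from."""
    at_rest, transit_only = candidate_sources(compromised)

    def names(parties):
        return ", ".join(NAMES[p] for p in parties) or "nobody"

    return (f"thieves hold {sorted(compromised)}: "
            f"stored-data breach possible at {names(at_rest)}; "
            f"in-flight interception only at {names(transit_only)}")


if __name__ == "__main__":
    # Constructed scenarios for illustration, not drawn from any real notice.
    print(describe({"account_number", "transaction_id"}))
    print(describe({"name", "account_number"}))
    print(describe({"transaction_id"}))
```

The second scenario is the instructive one: under the post's retention model, a leaked set that includes the cardholder's name cannot have come from stored data at the merchant, the processor or the presenting bank, only from the cardholder's own side or the receiving bank, which is exactly the narrowing by elimination the post calls for before fault is assigned. The model is only as good as the RETAINS table; the post's "sometimes more" for processors is the entry to correct as soon as a specific processor's retention is known, and a notice like the FirstBank one quoted in this thread, which places the compromise at a processor, is checked against the same table.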
| This, in its essence, limits as well
| the ability of independent verification and investigation to
| assist others in prevention and bring guilty parties to justice.
| This is a trend that should be stopped ASAP. . . . .
|
| One more notable side effect I'm seeing is the taking on
| blind faith that a missing data set has been recovered and
| has not been tampered with. . . . .
| Marc
|
| At 16:43 10/19/2006, you wrote:
|
| | The way I read the notification, it didn't sound like
| the processor was affiliated with 1st Bank:
| . . . .
| | On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K.
| DeLong wrote:
| | > Well, whomever it was will probably get whacked with a HUGE fine for
| > violating PCI Security standards. I'm guessing it won't take long to
| > determine who falls under approved card processors for Visa.
|

From ziplock at pogowasright.org Sat Oct 21 05:46:51 2006
From: ziplock at pogowasright.org (ziplock)
Date: Sat, 21 Oct 2006 05:46:51 -0400 (EDT)
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
In-Reply-To:
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com> <45395D32.9000002@myitaz.com>
Message-ID:

> By a show of hands (or reply email), how many here have ever received a
> breach notification or otherwise been informed that their personal
> information was compromised? In a related question, how many here have
> been actual victims of identity theft?

I received notification from the VA recently, but have so far not been a victim of identity theft. But that's hardly comforting; although I do see the distinction between data loss and ID theft, I don't see the importance of the distinction. Would we be completely comfortable if someone stole the key to your front door, and we were unable, forever, to change the lock?
Would we be comfortable if the police told us "there's no reason to believe they'll use the key to steal your stuff, no reason to believe they'll ever sell the key"?

> Interesting that his SSN was somehow tied to his checking account. I
> honestly don't remember if I had to give my bank that information to open
> my account. Good food for thought..

I worked in the banking industry for a while, and as I recall, fed regs require you to give the (U.S.) bank your SSN to open any type account.

From Kim_Nash at ziffdavis.com Sat Oct 21 08:23:05 2006
From: Kim_Nash at ziffdavis.com (Nash, Kim)
Date: Sat, 21 Oct 2006 08:23:05 -0400
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
Message-ID:

> By a show of hands (or reply email), how many here have ever received a
> breach notification or otherwise been informed that their personal
> information was compromised? In a related question, how many here have
> been actual victims of identity theft?

==============
Kim: neither. (Fate, leave me alone!)

I'm wondering if anyone's data has been compromised by the data breach at Providence Health Care, in Oregon/Washington, early this year?

From dano at well.com Sat Oct 21 12:19:52 2006
From: dano at well.com (dano)
Date: Sat, 21 Oct 2006 09:19:52 -0700
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
In-Reply-To:
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com> <45395D32.9000002@myitaz.com>
Message-ID:

At 8:22 PM -0400 10/20/06, lyger wrote:
> Interesting that his SSN was somehow tied to his checking account. I
> honestly don't remember if I had to give my bank that information to open
> my account.
In the US I believe that the PATRIOT Act (post 9-11) now requires it. IANAL.

From cwalsh at cwalsh.org Sat Oct 21 21:47:22 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Sat, 21 Oct 2006 20:47:22 -0500
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
In-Reply-To:
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com> <45395D32.9000002@myitaz.com>
Message-ID: <7DF4B21B-A89D-4A6E-9790-A5B131278CC0@cwalsh.org>

I don't think that strictly speaking this is part of the "know your customer" stuff, although it may be as implemented in the typical case, but in order for interest to be reported on a 1099, you have to supply a taxpayer ID number (which handily is the SSN for individuals in most cases).

On Oct 21, 2006, at 4:46 AM, ziplock wrote:
>
> I worked in the banking industry for a while, and as I recall, fed
> regs
> require you to give the (U.S.) bank your SSN to open any type account.
>

From ziplock at pogowasright.org Sun Oct 22 09:25:38 2006
From: ziplock at pogowasright.org (ziplock)
Date: Sun, 22 Oct 2006 09:25:38 -0400 (EDT)
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
In-Reply-To: <7DF4B21B-A89D-4A6E-9790-A5B131278CC0@cwalsh.org>
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com> <45395D32.9000002@myitaz.com> <7DF4B21B-A89D-4A6E-9790-A5B131278CC0@cwalsh.org>
Message-ID:

Ah, did a quick google search and came up with this:

http://www.fdic.gov/news/news/financial/2005/fil9105a.html

Q: I am opening new bank accounts for people displaced by Hurricane Katrina. What information or identification do the Bank Secrecy Act or related regulations require me to obtain to open an account?
A: Bank Secrecy Act regulations require banks to obtain certain information about a person before opening a new account and to verify the identity of individuals within a reasonable time thereafter. Under the interagency Customer Identification Program rules, before opening an account, a bank must obtain, at a minimum, an individual's
1. name,
2. address,
3. date of birth, and
4. taxpayer identification number, which for most individuals is a social security number.

[Individuals who are not U.S. persons may provide a taxpayer identification number or a number from any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.]

From dr.spook at gmail.com Sun Oct 22 09:37:40 2006
From: dr.spook at gmail.com (Doctor Spook)
Date: Sun, 22 Oct 2006 06:37:40 -0700
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
In-Reply-To: <7DF4B21B-A89D-4A6E-9790-A5B131278CC0@cwalsh.org>
References: <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com> <45395D32.9000002@myitaz.com> <7DF4B21B-A89D-4A6E-9790-A5B131278CC0@cwalsh.org>
Message-ID: <2113ea1f0610220637x1e830460j2961ea2f11cbb048@mail.gmail.com>

On 10/21/06, Chris Walsh wrote:
> I don't think that strictly speaking this is part of the "know your
> customer" stuff, although it may be as implemented in the typical
> case, but in order for interest to be reported on a 1099, you have to
> supply a taxpayer ID number (which handily is the SSN for individuals
> in most cases).
>
>
> On Oct 21, 2006, at 4:46 AM, ziplock wrote:
> >
> > I worked in the banking industry for a while, and as I recall, fed regs
> > require you to give the (U.S.) bank your SSN to open any type account.

You may use a "taxpayer identification" number instead, but those are becoming rarer for individuals as time passes. Many small business owners do not even realize that there is that option, in these days.
I do not believe that the Patriot Act had anything to do with this requirement, since a social security number (or taxpayer ID) has been required for an account since circa 1970 or so.

Here's a current link for the rules:
http://www.fdic.gov/news/news/financial/2005/fil9105a.html

Here's another for the enactment of the rules:
http://www.irs.gov/irm/part4/ch26s05.html

There are multiple documents that may be used to acquire a taxpayer ID, including the much maligned Mexican voting ID (a very easy document to forge). I usually recommend to small businesses that they apply for an ID, rather than using the SSN of the owner, when setting up business accounts, so that death or retirement (or ID theft) cannot disrupt the normal day-to-day business.

--
We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state. -- Jeff Schiller

From ijunge at identityrehab.com Mon Oct 23 12:41:59 2006
From: ijunge at identityrehab.com (Ivan Junge)
Date: Mon, 23 Oct 2006 10:41:59 -0600
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
In-Reply-To:
Message-ID: <20061023164107.BEEC6798F0@forced.attrition.org>

The US post office has compromised the security of my mail twice in the past year and sent me a breach notification. They basically said, somebody broke into your locked mailbox and took your mail... sorry. My identity has not yet been stolen.

-Ivan

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger
Sent: Friday, October 20, 2006 6:22 PM
To: dataloss at attrition.org
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK

On Fri, 20 Oct 2006, George Toft wrote:

": " I realize the difference - my information has been stolen 4 times, but
": " my ID has not (yet).
Now *this* might pose an interesting question for list members willing to respond:

By a show of hands (or reply email), how many here have ever received a breach notification or otherwise been informed that their personal information was compromised? In a related question, how many here have been actual victims of identity theft?

Lyger = never. And yes, by admitting that fact, I'm probably tempting fate in a big way.

": " > Out of curiosity, did he mention how it was compromised? Data breach of
": " > a third party or did someone steal his wallet? Not much could probably
": " > have been done about the latter, but the former needs to be addressed from
": " > a data protection standpoint, not an "identity theft" one.
": "
": " It was a conversation I overheard. What I got out of it was that his
": " SSN was being used, not his whole ID. The issue surrounded paying for a
": " purchase and they offered him cash, check or charge. He couldn't do
": " check because his SSN was being abused.

Interesting that his SSN was somehow tied to his checking account. I honestly don't remember if I had to give my bank that information to open my account. Good food for thought.

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 137 million compromised records in 430 incidents over 6 years.

From lyger at attrition.org Mon Oct 23 17:48:55 2006
From: lyger at attrition.org (lyger)
Date: Mon, 23 Oct 2006 17:48:55 -0400 (EDT)
Subject: [Dataloss] Indiana - St. Francis contractor 'misplaces' sensitive patient info
Message-ID:

http://www.wthr.com/Global/story.asp?S=5578184&nav=9Tai

Oct 23, 2006 04:27 PM
Steve Jefferson/Eyewitness News

Indianapolis - Personal information belonging to more than a quarter million hospital patients temporarily ended up in the wrong hands. A contractor for St. Francis Hospital misplaced names and Social Security numbers of 260,000 people. Now St.
Francis Hospital officials hope to convince more than a quarter million patients their personal information is safe and sound.

A medical records contractor called Advanced Receivable Strategy sent out 260,000 letters informing patients about a possible disclosure of their personal information. It stems from an ARS employee who lost a company compact disc containing patients' names and/or Social Security numbers.

[...]

From hbrown at knology.net Mon Oct 23 20:59:50 2006
From: hbrown at knology.net (Henry Brown)
Date: Mon, 23 Oct 2006 19:59:50 -0500
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
In-Reply-To:
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com> <45395D32.9000002@myitaz.com>
Message-ID: <453D6586.7050701@knology.net>

Breach notification twice and unrelated victim of ID theft

Joshua Fritsch wrote:
>> By a show of hands (or reply email), how many here have ever received a
>> breach notification or otherwise been informed that their personal
>> information was compromised? In a related question, how many here have
>> been actual victims of identity theft?
>>

From SPROUT2 at aol.com Mon Oct 23 21:16:35 2006
From: SPROUT2 at aol.com (SPROUT2 at aol.com)
Date: Mon, 23 Oct 2006 21:16:35 EDT
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
Message-ID: <536.29257516.326ec373@aol.com>

Have never received notification and have never been a victim. Please don't let this jinx me. ;-)

cindy fortney

In a message dated 10/23/2006 8:04:51 P.M. Central Standard Time, hbrown at knology.net writes:

Breach notification twice and unrelated victim of ID theft

Joshua Fritsch wrote:
>> By a show of hands (or reply email), how many here have ever received a
>> breach notification or otherwise been informed that their personal
>> information was compromised?
>> In a related question, how many here have
>> been actual victims of identity theft?
>>

From lewisnic at acm.org Mon Oct 23 21:43:22 2006
From: lewisnic at acm.org (Nick Lewis)
Date: Mon, 23 Oct 2006 21:43:22 -0400
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
References: <20061019200627.GB19579@cwalsh.org> <2D317A2A-894B-498F-A23A-D83F39343DE8@mimectl> <7.0.1.0.2.20061019235530.0427b570@strikenet.kicks-ass.net> <4539331E.20909@myitaz.com> <45395D32.9000002@myitaz.com>
Message-ID: <021a01c6f70d$cbc13430$2a7fc14b@frankenstein>

----- Original Message -----
From: "lyger"
To:
Sent: Friday, October 20, 2006 8:22 PM
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK

>
>
> On Fri, 20 Oct 2006, George Toft wrote:
>
> ": " I realize the difference - my information has been stolen 4 times,
> but
> ": " my ID has not (yet).
>
>
> Now *this* might pose an interesting question for list members willing to
> respond:
>
> By a show of hands (or reply email), how many here have ever received a
> breach notification or otherwise been informed that their personal
> information was compromised? In a related question, how many here have
> been actual victims of identity theft?

Yes. 1 as a result of the Egghead credit card breach 5-7 years ago and another 3-5 years ago where my ISP had a security incident on the servers where the credit cards were stored for billing.
Nick

From jericho at attrition.org Tue Oct 24 05:26:25 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 24 Oct 2006 05:26:25 -0400 (EDT)
Subject: [Dataloss] Chicago Voter Database Hacked
Message-ID:

http://abcnews.go.com/Politics/story?id=2601085&page=1

Chicago Voter Database Hacked
Civic Group Claims It Could Have Tampered With Voter Rolls
By JAKE TAPPER and REBECCA ABRAHAMS

Oct. 23, 2006 -- As if there weren't enough concerns about the integrity of the vote, a non-partisan civic organization today claimed it had hacked into the voter database for the 1.35 million voters in the city of Chicago.

Bob Wilson, an official with the Illinois Ballot Integrity Project, which bills itself as a not-for-profit civic organization dedicated to the correction of election system deficiencies, tells ABC News that last week his organization hacked the database, which contains detailed information about hundreds of thousands of Chicago voters, including their Social Security numbers and dates of birth.

"It was a serious identity theft problem, but also a problem that could potentially create problems with the election," Wilson said.

[..]

From rforno at infowarrior.org Tue Oct 24 08:44:57 2006
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 24 Oct 2006 08:44:57 -0400
Subject: [Dataloss] Hackers Zero In on Online Stock Accounts
Message-ID:

Hackers Zero In on Online Stock Accounts
http://www.washingtonpost.com/wp-dyn/content/article/2006/10/23/AR2006102301257_pf.html

By Ellen Nakashima
Washington Post Staff Writer
Tuesday, October 24, 2006; A01

Hackers have been breaking into customer accounts at large online brokerages in the United States and making unauthorized trades worth millions of dollars as part of a fast-growing new form of online fraud under investigation by federal authorities.
E-Trade Financial Corp., the nation's fourth-largest online broker, said last week that "concerted rings" in Eastern Europe and Thailand caused their customers $18 million in losses in the third quarter alone. Another company, TD Ameritrade, the third-largest online broker, also has suffered losses from customer account fraud, but a spokeswoman declined to quantify the amount yesterday. "It is an industry problem," spokeswoman Katrina Becker said. "It does continue to grow." Federal regulators cited recent cases in which hackers gained access to customer accounts at several large online brokers and used the customers' funds to buy certain stocks. The hackers appeared to be trying to drive up share prices so they could sell those stocks at a profit, regulators said. The Securities and Exchange Commission and the FBI are looking into E-Trade's cases, chief executive Mitchell H. Caplan said in an earnings conference call with reporters last week. Spokesmen for the SEC and FBI declined to discuss details of those cases. Both E-Trade and TD Ameritrade have guaranteed that they will cover their clients' losses, even though they are not required to do so by law. But the problem is growing faster than public awareness of it, federal regulators said, noting that the fraud is fed by the rising use of the Internet for personal finance and the easy availability of snooping software that allows hackers to steal personal account information. "Although these schemes cleverly combine aspects of securities fraud, identity theft and hacking, what they really boil down to is outright thievery," said John Reed Stark, chief of the Office of Internet Enforcement at the SEC. "In the last couple of months we have seen a marked increase in online brokerage account intrusions." More than 10 million people have bought or sold investments online in the United States in the last few months, according to Avivah Litan, a securities analyst for the Stamford, Conn.-based Gartner Inc. 
The scams typically begin with a hacker obtaining customer passwords and user names, experts said. One way is by placing keystroke-monitoring software on any public computer in a library, hotel business center or airport. With the software, all keystrokes entered on the computer can be recorded and e-mailed anywhere in the world. Experts said all hackers have to do is wait until anyone types in the Web address of E-Trade, Ameritrade or another online broker, and then watch the next several dozen keystrokes, which are likely to include someone's password and login name. These emerging Internet stock schemes appear to be new versions of the widely used "pump-and-dump" e-mail scams, in which spammers send out mass e-mails containing bogus news alerts intended to manipulate stock prices. Stark said perpetrators are breaking into customer accounts and buying shares of thinly traded, microcap securities, also known as penny stocks. The hacker gains access using the customer's user name and password, then liquidates that person's existing stock holdings and uses the proceeds to buy shares in the microcap. The goal, regulators said, is to boost the price of a stock the hacker has already bought at a lower price in another account. The hacker then liquidates the stock and wires the money either to an offshore account or through a series of straw men, or dummy corporations, Stark said. The straw man may not know he is participating in fraud; he may have been told he is helping, say, an offshore business. The entire operation can take a matter of minutes, or at most, hours. "The unwitting victim opens the account in the morning and finds he or she owns thousands of shares in a microcap company that they have never heard of," Stark said. Caplan said E-Trade recently made operational changes and added technology to thwart the criminals. "We've seen that level of fraud in the last three weeks or so reduced to almost zero . . . ," he said in the conference call. 
Glen Mathison, a spokesman for Charles Schwab Corp., the largest online broker, said losses due to online identity theft and fraud have not reached "a material level" that would require disclosure to investors. But he added that Schwab also guarantees to reimburse clients for online losses caused by fraud. Unlike banks, brokerage accounts are not protected by Federal Deposit Insurance Corp. and other federal banking rules that ensure consumers get their money back, so the consumer must rely on the company to cover any losses. Ameritrade's Becker said the company advises clients to make sure they have good spyware detection software on their computers. Ameritrade's Web site also offers clients free software that helps detect or eliminate snooping programs. In Canada, the Investment Dealers Association, the self-regulatory arm of Canada's securities industry, is looking into similar scams. Online financial fraud has grown so serious that the Federal Financial Institutions Examination Council, a government entity that establishes standards for banks, has given U.S. financial institutions until Dec. 31 to tighten security measures for accessing online accounts. "This thing is so widespread and it has such a significant impact on the industry at large . . . that I think you're going to end up seeing structural changes in the industry," Caplan said. Staff researchers Richard Drezen and Karl Evanzz contributed to this report. 
From Dissent at pogowasright.org Tue Oct 24 09:16:11 2006
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 24 Oct 2006 09:16:11 -0400 (EDT)
Subject: [Dataloss] Chicago Voter Database Hacked
In-Reply-To:
References:
Message-ID:

Some additional details here:
http://www.chicagotribune.com/technology/chi-0610240029oct24,1,3303012.story?coll=chi-techtopheds-hed&ctrack=1&cset=true

Chicago election officials said Monday they were forced to patch a security flaw on their Web site after a candidate found a programming error that had made private voter information vulnerable to theft for at least five years.

Officials said the glitch never threatened the integrity of election records. But they now have to determine whether anyone exploited the opportunity to steal the Social Security and birth date information from more than 780,000 registered voters in the city.

"We don't have any evidence that there was any theft," said Tom Leach, a spokesman for the Chicago Board of Election Commissioners. "But we don't want to be in a position where someone had their Social Security and date of birth stolen."

Officials acknowledged that for the last five or six years it would have only taken a few keystrokes for a knowledgeable computer user to obtain the personal information for more than half of the 1.3 million identities in the system.

Leach said that the error was fixed late Friday and that the Cook County state's attorney has been informed of the situation and the potential for identity theft. He said the board plans to hire a computer forensics expert to determine if personal information was stolen.

Leach said the private information was on the Web site because when it was first created in the mid-1990s, users were allowed to search for their registration by Social Security number. That option was dropped in 2000 or 2001, he said, adding that since 2003 officials have stopped collecting full Social Security numbers from new voters.
Until the bug was fixed, the private information could be viewed by using a feature in a Web browser that allows the user to see the raw data that underlie the page.

[...]

From bkdelong at pobox.com Tue Oct 24 10:37:25 2006
From: bkdelong at pobox.com (B.K. DeLong)
Date: Tue, 24 Oct 2006 10:37:25 -0400
Subject: [Dataloss] Medical Identity Fraud
Message-ID:

Interesting article and possible new dataset?

http://www.pittsburghlive.com/x/pittsburghtrib/news/cityregion/s_476326.html

Carol Anne Hutchins, 30, of Bulger, Washington County, used Davis' insurance to obtain pain medication and medical treatment almost 40 times before police caught her in May. Hutchins received about $16,000 worth of medical treatment at facilities from Altoona to East Liverpool, Ohio.

Medical identity theft, a new wrinkle in identity theft, might affect as many as 250,000 people nationwide, according to the nonprofit World Privacy Forum, the only group to issue a report on the crime. The crime is more than an inconvenience -- it can lead to potentially life-threatening mix-ups.

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From macwheel99 at sigecom.net Tue Oct 24 13:36:24 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Tue, 24 Oct 2006 12:36:24 -0500
Subject: [Dataloss] Colorado Doctor Patient Records Evicted
Message-ID: <6.2.1.2.0.20061024123109.02968960@mail.sigecom.net>

Sheriff's deputies evicting a bankrupt doctor from an office building simply dumped the office archives into an adjoining parking lot, and scavengers were seen carting office filing cabinets presumably filled with patient information.

[...]
http://www.itcinstitute.com/info.aspx?id=32278

From lyger at attrition.org Tue Oct 24 17:25:11 2006
From: lyger at attrition.org (lyger)
Date: Tue, 24 Oct 2006 17:25:11 -0400 (EDT)
Subject: [Dataloss] Article - Why Companies Lose Private Data
Message-ID:

http://www.line56.com/articles/default.asp?ArticleID=7980

Lou Washington, Cincom
Tuesday, October 24, 2006

Hardly a day goes by without the news reporting some gross breach of security resulting from some idiot mishandling sensitive data. As I see it, there are two culprits at work here, both of which are creating more than a little havoc in the world of data security.

First, there is the malicious threat. This involves the intentional and deliberate destruction of or illicit distribution of sensitive data.

Second on my list is the threat that comes from our need for convenience. We not only want our data at the office, we also want it at home, on the plane, in the car, at the beach on vacation and virtually everywhere we go. We want nice, transparent security processes that don't cause us any grief and at the same time, we expect these transparent processes to protect our data from any and all threats.

To find support for my theories, I recently analyzed 205 cases of security breaches publicly reported over the past 18 months.

[...]

From macwheel99 at sigecom.net Tue Oct 24 15:13:18 2006
From: macwheel99 at sigecom.net (Al Mac)
Date: Tue, 24 Oct 2006 14:13:18 -0500
Subject: [Dataloss] FTC closes Qchex
Message-ID: <6.2.1.2.0.20061024141149.027ead50@mail.sigecom.net>

A federal judge granted the Federal Trade Commission's (FTC) request for a temporary restraining order against Qchex. The San Diego-based company allows customers to create and send electronic checks drawn on any bank account without verifying the drafter's authority to access that account. Fraudsters took advantage of the flawed electronic process by creating online, e-mailing, printing, and cashing false checks.
Victims include both unwary account holders whose accounts were debited, and businesses who accepted fraudulent Qchex checks as payment for goods and services.

[..]
http://www.itcinstitute.com/display.aspx?ID=2487

From walt.williams at gmail.com Tue Oct 24 17:26:44 2006
From: walt.williams at gmail.com (Walt Williams)
Date: Tue, 24 Oct 2006 17:26:44 -0400
Subject: [Dataloss] Colorado Doctor Patient Records Evicted
In-Reply-To: <6.2.1.2.0.20061024123109.02968960@mail.sigecom.net>
References: <6.2.1.2.0.20061024123109.02968960@mail.sigecom.net>
Message-ID: <1dfe5f1d0610241426q41c6b09foee89a13063a0490e@mail.gmail.com>

http://www.worldprivacyforum.org/medicalidentitytheft.html

Would certainly back up your concerns.

On 10/24/06, Al Mac wrote:
> Sheriff's deputies evicting a bankrupt doctor from an office building
> simply dumped the office archives into an adjoining parking lot and
> scavengers were seen carting office filing cabinets presumably filled with
> patient information.
>
> [...]
> http://www.itcinstitute.com/info.aspx?id=32278
>

--
Walt Williams, CISSP, SSCP
http://www.linkedin.com/pub/1/64a/453

From fsleator at earthlink.net Wed Oct 25 11:24:12 2006
From: fsleator at earthlink.net (Fred Sleator)
Date: Wed, 25 Oct 2006 11:24:12 -0400 (GMT-04:00)
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
Message-ID: <23905492.1161789852523.JavaMail.root@elwamui-little.atl.sa.earthlink.net>

Have been an identity theft victim. Notified by some really sharp security people at Wal-Mart, of all places. Also victimized were my mother and a trainer at my gym - common factor is that we all had accounts at the same credit union.
The pattern was the same - the perp used stolen information to open new accounts, used them minimally (with new addresses) for a couple of months, upped the credit limit, maxed the account, and skipped. The worst issuer appears to be Discover - they will happily let you exceed any credit limit with the expectation of hitting you with a substantial fee, an ideal situation for a scammer.

-----Original Message-----
>From: SPROUT2 at aol.com
>Sent: Oct 23, 2006 9:16 PM
>To: hbrown at knology.net, dataloss at attrition.org
>Subject: Re: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
>
>
>Have never received notification and have never been a victim. Please don't
>let this jinx me.
>;-)
>
>cindy fortney
>
>
>In a message dated 10/23/2006 8:04:51 P.M. Central Standard Time,
>hbrown at knology.net writes:
>
>Breach notification twice and unrelated victim of ID theft
>
>Joshua Fritsch wrote:
>>> By a show of hands (or reply email), how many here have ever received a
>>> breach notification or otherwise been informed that their personal
>>> information was compromised? In a related question, how many here have
>>> been actual victims of identity theft?
>>>
>

From privacylaws at sbcglobal.net Wed Oct 25 08:40:29 2006
From: privacylaws at sbcglobal.net (Saundra Kae Rubel)
Date: Wed, 25 Oct 2006 05:40:29 -0700
Subject: [Dataloss] Cost of data breaches study released
In-Reply-To: <6.2.1.2.0.20061024141149.027ead50@mail.sigecom.net>
Message-ID: <001201c6f832$c1a001e0$210110ac@saundrad38b17a>

Hi,

Some of you might be interested in the results of a cost of data breach survey sponsored by Vontu and PGP, conducted by the Ponemon Institute. You can obtain the study at www.vontu.com by registering first.
Saundra Kae Rubel, CIPP
International Privacy, Data Protection and Security Breach Consulting.

From Dissent at pogowasright.org Thu Oct 26 09:43:48 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 26 Oct 2006 09:43:48 -0400 (EDT)
Subject: [Dataloss] Computer With Info On Colo. Human Services Dept. Clients Stolen
Message-ID:

A computer containing personal information of some clients of the Colorado Department of Human Services was stolen from a Dallas-based firm that operates the Family Registry.

The desktop computer, which was stolen during the weekend of Oct. 13, had data on clients who were involved with child support payments. It was stored in a secure area monitored by surveillance cameras accessible only by password, said Dallas-based Affiliated Computer Services Inc.

Company spokesman Kevin Lightfoot said letters were sent to the clients about the theft and advised on how to protect their information. There was no evidence of identity theft or an intent to do so, he said.

Department spokeswoman Liz McDonough did not say how many clients could be affected and where the theft occurred, citing that the cases involve child support.

[...]

http://www.thedenverchannel.com/news/10162004/detail.html

From ziplock at pogowasright.org Thu Oct 26 11:49:14 2006
From: ziplock at pogowasright.org (ziplock)
Date: Thu, 26 Oct 2006 11:49:14 -0400 (EDT)
Subject: [Dataloss] Federal Security Drive Lost At PDX
Message-ID:

PORTLAND - Federal Homeland Security officials say a computer storage device that may have held personal information on current and former employees has been lost.

A federal security director says they're relatively confident that it "got scraped into the trash, and it's gone."

The agency has spent several days trying to determine what information was on the drive and where it had gone.

The device, called a ThumbDrive, turned up missing Oct. 16 at the Transportation Security Administration's command center at Portland International Airport.
The agency has about 500 employees statewide who oversee airport security checkpoints.

When the device was last backed up a month ago, it contained the names, Social Security numbers, addresses and telephone numbers of the current workers and roughly 400 former ones in Oregon.

http://www.koin.com/Global/story.asp?S=5590811

From Dissent at pogowasright.org Thu Oct 26 12:38:18 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 26 Oct 2006 12:38:18 -0400 (EDT)
Subject: [Dataloss] Science Centre members list stolen
Message-ID:

The Ontario Science Centre is apologizing to its members after a laptop containing their personal information was stolen from its Toronto offices.

The Crown agency has sent a letter to members warning them to "take appropriate steps" to secure personal and credit-card information.

The province's privacy commissioner is investigating the theft on Sept. 18. Commission spokesman Bob Spence said there were two groups of stolen data -- one with just names and addresses, and another that included credit-card numbers. Spence couldn't say how many people were affected.

[...]

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&pubid=968163964505&cid=1161856749703&col=968705899037&call_page=TS_Canada&call_pageid=968332188774&call_pagepath=News/Canada

From Dissent at pogowasright.org Thu Oct 26 19:08:27 2006
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 26 Oct 2006 19:08:27 -0400 (EDT)
Subject: [Dataloss] Computer breach at Children's Hospital
Message-ID:

Overseas hackers have apparently accessed two computers at Children's Hospital, one containing private patient data, the other billing and bank information. The hospital is preparing to send out more than 200,000 letters informing patients of the breach. It's also given the F.B.I. information for the investigation.
The hackers apparently were from Germany and used computer loops through France, Turkey, and Canada, eventually landing data from Akron.

"It's absolutely terrifying in this day and age where information is power," says patient Jennifer Ferrick. "Privacy is of the utmost importance in the medical field."

"Social Security numbers on there, information, lot of information on there and their children and it could be scary," adds Emily Williams, also a Children's patient.

There's no evidence hackers downloaded the information but they could have viewed it.

[...]

http://www.wkyc.com/news/news_links/links_article.aspx?storyid=58464

From lyger at attrition.org Fri Oct 27 00:05:58 2006
From: lyger at attrition.org (lyger)
Date: Fri, 27 Oct 2006 00:05:58 -0400 (EDT)
Subject: [Dataloss] Data Loss versus Identity Theft
Message-ID:

Since the topic was recently discussed, just want to toss out a few ideas and/or questions about what may or may not be topical for the mail list, attrition.org Data Loss web page, and database (DLDOS).

Is it agreed that not every recorded event of "identity theft" should be considered a "data loss" event? Generally, I've considered "data loss" to mean a third party was entrusted with personally identifiable confidential information and said data was lost or stolen either maliciously or accidentally. Events like these wouldn't count:

1. A purse, wallet, or personal computer was stolen (whether secured or not), resulting in the information of a very small number of people being compromised

2. Phishing attacks, where the *end user* is ultimately responsible for having their own information compromised through their own actions.

It's getting to the point where almost every media story is equating the theft or loss of personal data with "identity theft". Some studies suggest there is little correlation between a "data loss" event and actual identity theft. So, the questions:

1. At what point, for the mail list, the various breach lists, and DLDOS, should it be said, "no, this doesn't count"

2. Can anyone come up with a reasonable definition of "data loss" and how it would differ from a reasonable definition of "identity theft"? It seems that we're crossing into grey areas in some events, so any feedback would be appreciated.

Lyger

From DH1759 at aol.com Fri Oct 27 01:43:29 2006
From: DH1759 at aol.com (DH1759 at aol.com)
Date: Fri, 27 Oct 2006 01:43:29 EDT
Subject: [Dataloss] Personal experiences? Was Re: VISA / 1ST BANK
Message-ID:

I have had fraudulent charges on one of my credit cards but the circumstances surrounding the charges lead me to believe that there was a breach of information at a hospital my father was admitted to.

Several years ago my father became seriously ill. I have his power of attorney and am a signer on his financial accounts. Additionally, we have the same last name which is rather distinctive. Over the next several months there were numerous small ($50-$150) charges on my credit card billed under miscellaneous medical sounding businesses which I had never heard of nor authorized. Nor had I used that card for any expenses relating to my father.

My spider senses tell me that somebody at the hospital somehow obtained information regarding his/my credit listing and placed these charges believing they would not be noticed under the circumstances, perhaps believing I was his wife. It was just too coincidental. I disputed them all and they were taken off my bill with no further incidents.

From Troy.Casey at per-se.com Fri Oct 27 09:04:10 2006
From: Troy.Casey at per-se.com (Casey, Troy # Atlanta)
Date: Fri, 27 Oct 2006 09:04:10 -0400
Subject: [Dataloss] Data Loss versus Identity Theft
Message-ID:

The distinction seems rather clear and simple to me.
Data Loss is precisely as Lyger has defined it: A third party entrusted with personally identifiable confidential information fails to maintain the confidentiality of the information, resulting in the data being lost or stolen.

I would agree with the examples of things that don't count, with one caveat: if the "personal computer" in example 1 is an asset of a third party entrusted with data as described above, it's still data loss. If we're talking about an individual's PC with that individual's or his/her family's information only, it's not. If in the latter case the individual has (rightly or wrongly) placed his/her employer's data on the PC and it includes personally identifiable confidential information on third party personages with which the employer (and by proxy, the individual PC owner) is entrusted, it's again data loss.

Despite the modern usage, "Identity Theft" is actually two crimes: first, other people's confidential information must be obtained. Then, the perpetrator(s) impersonate the people whose information they have - usually to commit some fraudulent transaction. In the absence of the impersonation (and/or other fraud), it's just data theft (or data loss), not "Identity Theft". So we're really talking about two very different things, and data loss may or may not lead to identity theft (although the media loves to sensationalize and will raise the spectre of identity theft wherever data loss happens).

Given that, maybe the second example sheds some light on an appropriate distinction: if an individual, whether through carelessness or ignorance, loses his/her own information and that of persons well-known to them (or under their guardianship), that may be termed data loss, but I don't think it's what the subscribers to this list are interested in. Speaking for myself, I'm monitoring for data lost by Corporations and other Businesses, Non-Profits, Educational Organizations, and Government Agencies.
I really could care less how many individual internet users have gotten "Phished" or if someone's home is broken into and their personal records compromised.

Finally, I might suggest an additional distinction as to preventability of the loss or cases where the data holder was in some way negligent or failed to practice good security. If a third-party entity as described above makes the ill-advised decision to place confidential information on a machine connected to the internet, for example, they should be seen as responsible for the loss even if they had other safeguards in place; if on the other hand, they're evicted by the Sheriff and the Deputies place confidential information on the curb for anyone to pick up, the Sheriff is responsible for the data loss, IMHO. Caveat: IANAL.

Hope this helps,
Troy

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger
Sent: Friday, October 27, 2006 12:06 AM
To: dataloss at attrition.org
Subject: [Dataloss] Data Loss versus Identity Theft

Since the topic was recently discussed, just want to toss out a few ideas and/or questions about what may or may not be topical for the mail list, attrition.org Data Loss web page, and database (DLDOS).

Is it agreed that not every recorded event of "identity theft" should be considered a "data loss" event? Generally, I've considered "data loss" to mean a third party was entrusted with personally identifiable confidential information and said data was lost or stolen either maliciously or accidentally. Events like these wouldn't count:

1. A purse, wallet, or personal computer was stolen (whether secured or not), resulting in the information of a very small number of people being compromised

2. Phishing attacks, where the *end user* is ultimately responsible for having their own information compromised through their own actions.
It's getting to the point where almost every media story is equating the theft or loss of personal data with "identity theft". Some studies suggest there is little correlation between a "data loss" event and actual identity theft. So, the questions:

1. At what point, for the mail list, the various breach lists, and DLDOS, should it be said, "no, this doesn't count"

2. Can anyone come up with a reasonable definition of "data loss" and how it would differ from a reasonable definition of "identity theft"? It seems that we're crossing into grey areas in some events, so any feedback would be appreciated.

Lyger
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 139 million compromised records in 447 incidents over 6 years.

From Dissent at pogowasright.org Fri Oct 27 10:48:25 2006
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 27 Oct 2006 10:48:25 -0400 (EDT)
Subject: [Dataloss] San Francisco Gymboree
Message-ID:

San Francisco's Gymboree, the kids' clothing retailer, took a more proactive stance after a thief recently hit the company twice in the same week, making off with three laptops and potentially endangering as many as 20,000 employees.

...

In letters this month to as many as 20,000 employees affected by the incident, Gymboree says only that "three laptop computers were stolen from the corporate headquarters."

...

The insider said the three laptops contained unencrypted human resources data that potentially included the names and Social Security numbers of thousands of company workers.

[...]
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/10/27/BUGQPM0HOO1.DTL

From ADAIL at sunocoinc.com Fri Oct 27 10:37:45 2006
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Fri, 27 Oct 2006 10:37:45 -0400
Subject: [Dataloss] Data Loss versus Identity Theft
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC707FD@mds3aex0e.USISUNOCOINC.com>

How about a gray area, such as a back-up tape turning up missing, but the data is highly encrypted, so very unlikely to be compromised?

If the same tape is unaccounted for in some type of catastrophe, such as a data center fire, technically it is still a reportable data loss.

A scale measuring, or attempting to predict the risk of misuse of missing data might be helpful, but the statistical probability predictions would take a mathematician or statistician to achieve any reasonable level of accuracy.

This message and any files transmitted with it is intended solely for the designated recipient and may contain privileged, proprietary or otherwise private information. Unauthorized use, copying or distribution of this e-mail, in whole or in part, is strictly prohibited. If you have received it in error, please notify the sender immediately and delete the original and any attachments.

From hbrown at knology.net Fri Oct 27 09:04:41 2006
From: hbrown at knology.net (Henry Brown)
Date: Fri, 27 Oct 2006 08:04:41 -0500
Subject: [Dataloss] Data Loss versus Identity Theft
Message-ID: <454203E9.20705@knology.net>

Data Loss: When Data goes missing. Would offer that this could include stealing or losing of a wallet or stealing or losing a CD with 20 Million veterans' Records.

Identity Theft: When someone uses someone else's Personal Identifiable Information for their own gain.

And by my "definition" Data Loss does not necessarily have to result in ID theft nor does ID theft have to be because of Data Loss.

In My Opinion, the key question is: At what level of granularity does this data need to be collected/centralized?
NOT certain that there is a "server farm" big enough to record every case of either data loss or ID theft, not to mention the resources required to "feed" the monster(s).

From george at myitaz.com Fri Oct 27 11:10:11 2006
From: george at myitaz.com (George Toft)
Date: Fri, 27 Oct 2006 08:10:11 -0700
Subject: [Dataloss] Data Loss versus Identity Theft
In-Reply-To:
References:
Message-ID: <45422153.50302@myitaz.com>

I guess I am a fan of Arizona's Notification of Compromised Personal Information law that defines a reportable event where unredacted/unencrypted personal information is exposed through a compromise of a security system. (This is my high-level interpretation - it gets more specific about having to perform an evaluation to ensure a security control was compromised, but that could take a long time before notification is made.)

This definition makes no mention of 3rd parties, or number of people. It's just an event. It also covers laptops stolen out of cars.

Strangely enough, I think the giant loophole in the law is if there are no security controls in place, no reporting is required as security was not compromised. Common sense states otherwise.

Read the text of the new AZ law here:
http://www.azleg.gov/FormatDocument.asp?inDoc=/legtext/47leg/2r/bills/sb1338h.htm

George Toft, CISSP, MSIS

lyger wrote:
> Since the topic was recently discussed, just want to toss out a few ideas
> and/or questions about what may or may not be topical for the mail list,
> attrition.org Data Loss web page, and database (DLDOS).
>
> Is it agreed that not every recorded event of "identity theft" should be
> considered a "data loss" event? Generally, I've considered "data loss" to
> mean a third party was entrusted with personally identifiable confidential
> information and said data was lost or stolen either maliciously or
> accidentally. Events like these wouldn't count:
>
> 1. A purse, wallet, or personal computer was stolen (whether secured or
> not), resulting in the information of a very small number of people being
> compromised
>
> 2. Phishing attacks, where the *end user* is ultimately responsible for
> having their own information compromised through their own actions.
>
> It's getting to the point where almost every media story is equating the
> theft or loss of personal data with "identity theft". Some studies
> suggest there is little correlation between a "data loss" event and actual
> identity theft. So, the questions:
>
> 1. At what point, for the mail list, the various breach lists, and DLDOS,
> should it be said, "no, this doesn't count"
>
> 2. Can anyone come up with a reasonable definition of "data loss" and how
> it would differ from a reasonable definition of "identity theft"? It
> seems that we're crossing into grey areas in some events, so any feedback
> would be appreciated.
>
> Lyger
>

From cwalsh at cwalsh.org Fri Oct 27 14:03:01 2006
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 27 Oct 2006 13:03:01 -0500
Subject: [Dataloss] Data Loss versus Identity Theft
In-Reply-To: <8CA58E707BB1C44385FA71D02B7A1C8EC707FD@mds3aex0e.USISUNOCOINC.com>
References: <8CA58E707BB1C44385FA71D02B7A1C8EC707FD@mds3aex0e.USISUNOCOINC.com>
Message-ID: <20061027180249.GA11270@cwalsh.org>

IMO:

Data loss - The exposure of personal information to unauthorized parties occurring via a mechanism other than deliberate or negligent release by the person to whom the information pertains.

So, I put my SSN on a billboard != data loss

ID theft - the use of personal information about an individual other than the actor to obtain goods/services, typically via impersonation.

The distinction between the two is clear.
To me, a thornier issue is whether "data loss" is itself a misnomer. In many cases, PII has been exposed to possible loss, but we have no way of knowing whether it has been obtained by any unauthorized people.

I would handle the encryption question the way many state laws do -- if you expose the key and the data, then encryption doesn't provide safe harbor. To this I would add that the encryption must be using algorithms and key lengths which conform with FIPS 140-2. There's some handwaving in that last sentence, but the idea is we need to not allow ROT13 or XOR to become escape clauses.

The "data center fire" example is an excellent one. Thought-provoking.

To Andy's statistician or mathematician point, I would add that unless one has the raw data, one cannot begin. I wish I knew more about fraud detection networks -- the approach ID Analytics took makes sense, if only they could/would use a valid sample. Unsure if this is possible, however.

cw

On Fri, Oct 27, 2006 at 10:37:45AM -0400, DAIL, ANDY wrote:
>
> How about a gray area, such as a back-up tape turning up missing, but
> the data is highly encrypted, so very unlikely to be compromised?
>
> If the same tape is unaccounted for in some type of catastrophe, such as
> a data center fire, technically it is still a reportable data loss.
>
> A scale measuring, or attempting to predict the risk of misuse of
> missing data might be helpful, but the statistical probability
> predictions would take a mathematician or statistician to achieve any
> reasonable level of accuracy.
>

From wpadworski at fhcs.org Fri Oct 27 14:23:21 2006
From: wpadworski at fhcs.org (Walter Padworski)
Date: Fri, 27 Oct 2006 14:23:21 -0400
Subject: [Dataloss] Data Loss versus Identity Theft
Message-ID:

Just a thought, but the distinction between the two won't really matter if the "loss" or "theft" is being reported by NBC or CNN to 150,000 readers in the Cleveland or Tuscaloosa newspapers.
Most companies are beginning to take a pro-active stance by "notifying those whose information may have been or has been compromised." Regardless of how a company spins it, they should realize that their reputation is on the line - not to mention their pocket book.

Have a fun day fellas and ladies ...

P.S. anyone up to a discussion on eDiscovery - The "law" goes into effect Dec 1, 2006.

>>> Chris Walsh 10/27/2006 >>>
IMO:

Data loss - The exposure of personal information to unauthorized parties occurring via a mechanism other than deliberate or negligent release by the person to whom the information pertains.

So, I put my SSN on a billboard != data loss

ID theft - the use of personal information about an individual other than the actor to obtain goods/services, typically via impersonation.

The distinction between the two is clear. To me, a thornier issue is whether "data loss" is itself a misnomer. In many cases, PII has been exposed to possible loss, but we have no way of knowing whether it has been obtained by any unauthorized people.

I would handle the encryption question the way many state laws do -- if you expose the key and the data, then encryption doesn't provide safe harbor. To this I would add that the encryption must be using algorithms and key lengths which conform with FIPS 140-2. There's some handwaving in that last sentence, but the idea is we need to not allow ROT13 or XOR to become escape clauses.

The "data center fire" example is an excellent one. Thought-provoking.

To Andy's statistician or mathematician point, I would add that unless one has the raw data, one cannot begin. I wish I knew more about fraud detection networks -- the approach ID Analytics took makes sense, if only they could/would use a valid sample. Unsure if this is possible, however.

cw

On Fri, Oct 27, 2006 at 10:37:45AM -0400, DAIL, ANDY wrote:
>
> How about a gray area, such as a back-up tape turning up missing, but
> the data is highly encrypted, so very unlikely to be compromised?
>
> If the same tape is unaccounted for in some type of catastrophe, such as
> a data center fire, technically it is still a reportable data loss.
>
> A scale measuring, or attempting to predict the risk of misuse of
> missing data might be helpful, but the statistical probability
> predictions would take a mathematician or statistician to achieve any
> reasonable level of accuracy.
>

This message and any attachments contain information that may be confidential and privileged. If you have received this in error and are not the intended recipient, you may not use, copy or disclose this message or its contents to anyone. If you have received this message in error, please advise the sender by reply e-mail, and delete or destroy this message and its attachments.

From adam at homeport.org Fri Oct 27 15:10:35 2006
From: adam at homeport.org (Adam Shostack)
Date: Fri, 27 Oct 2006 15:10:35 -0400
Subject: [Dataloss] Data Loss versus Identity Theft
In-Reply-To: <20061027180249.GA11270@cwalsh.org>
References: <8CA58E707BB1C44385FA71D02B7A1C8EC707FD@mds3aex0e.USISUNOCOINC.com> <20061027180249.GA11270@cwalsh.org>
Message-ID: <20061027191034.GA13432@homeport.org>

On Fri, Oct 27, 2006 at 01:03:01PM -0500, Chris Walsh wrote:
| The distinction between the two is clear. To me, a thornier issue is
| whether "data loss" is itself a misnomer. In many cases, PII has been
| exposed to possible loss, but we have no way of knowing whether it has
| been obtained by any unauthorized people.
|

I think 'data loss' or 'breach' refers to the loss of the ability of the organization to control the data. What happens after that is a result of that loss of control.

Let's say you have a truck full of dollar bills, and it falls apart.
Let's also say that good samaritans help you pick up all the money. Do you not wonder why the truck fell apart? Do you not count it as a serious event? Recovery of the money doesn't make your loss of control any less serious, it simply means you've lucked out of some of the more serious potential impacts.

Substitute "good police work" for "good samaritan" and "laptop" for "dollars" and you have the VA laptop situation.

Adam

From chris.j.brannigan at usps.gov Fri Oct 27 16:03:16 2006
From: chris.j.brannigan at usps.gov (Brannigan, Chris J - Washington, DC)
Date: Fri, 27 Oct 2006 16:03:16 -0400
Subject: [Dataloss] Data Loss versus Identity Theft
In-Reply-To: <20061027191034.GA13432@homeport.org>
Message-ID:

"data exposure" vs. "data loss"

fwiw, I usually use the generic term "data exposure" to describe all types of data breaches, because it can include data records of any type or quantity being lost, stolen, presented on a public website inadvertently, sent by its owner to someone else by mistake, etc.

In some very specific circumstances, by itself, "data exposure" can be a crime all by itself. For example, the Privacy Act of 1974 can be technically violated by a fed employee knowingly posting covered personal information on a public website. And that violation has no dependence on anyone accessing or downloading that data, or making any criminal use of it. HIPAA can be violated without anyone making any use of the exposed data.

"identity theft" describes a particular criminal activity defined in numerous state statutes which is performed with unauthorized personal information that may have been obtained through any number of different types of "data exposures", including loss, theft, public posting, via pre-texting, etc.
Chris
fwiw, CIPP/G

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Adam Shostack
Sent: Friday, October 27, 2006 3:11 PM
To: Chris Walsh
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Data Loss versus Identity Theft

On Fri, Oct 27, 2006 at 01:03:01PM -0500, Chris Walsh wrote:
| The distinction between the two is clear. To me, a thornier issue is
| whether "data loss" is itself a misnomer. In many cases, PII has been
| exposed to possible loss, but we have no way of knowing whether it has
| been obtained by any unauthorized people.
|

I think 'data loss' or 'breach' refers to the loss of the ability of the organization to control the data. What happens after that is a result of that loss of control.

Let's say you have a truck full of dollar bills, and it falls apart. Let's also say that good samaritans help you pick up all the money. Do you not wonder why the truck fell apart? Do you not count it as a serious event? Recovery of the money doesn't make your loss of control any less serious, it simply means you've lucked out of some of the more serious potential impacts.

Substitute "good police work" for "good samaritan" and "laptop" for "dollars" and you have the VA laptop situation.

Adam

From Dissent at pogowasright.org Sat Oct 28 01:57:55 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 28 Oct 2006 01:57:55 -0400 (EDT)
Subject: [Dataloss] Savannah company's laptop theft highlights data security concerns
Message-ID:

A laptop owned by a Savannah accounting firm containing 401(k) information for employees of at least one company was stolen during a recent trip to New York City.

The laptop, belonging to Hancock Askew & Co. LLP partner Michael McCarthy, was stolen Oct. 5.
The accounting firm notified at least one of the companies - Atlanta-based Atlantis Plastics Inc. - on Oct. 9.

McCarthy confirmed the theft, but said no information had been extracted from the laptop.

"No information has been accessed. No information was stolen," he said. "A laptop was stolen. It happened to contain information. We have absolutely no indication that any information has been leaked to anybody."

The laptop had password protection and other safeguards in place to prevent unauthorized users from accessing information, McCarthy said. He declined to specify what the other safeguards were because the information was proprietary.

[...]

http://savannahnow.com/node/166947

From Dissent at pogowasright.org Sat Oct 28 11:51:20 2006
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 28 Oct 2006 11:51:20 -0400 (EDT)
Subject: [Dataloss] (Follow-up) Akron Children's Hospital
Message-ID:

http://www.bradenton.com/mld/bradenton/news/nation/15871658.htm

Hackers broke into Akron Children's Hospital computer files over Labor Day weekend, potentially accessing names, addresses, birth dates, and Social Security numbers of about 230,000 patients and their families, as well as a database containing the bank-account information of about 12,000 donors.

The hospital began notifying the families on Wednesday -- seven weeks after the breach was discovered -- by sending out 10,000 letters, followed by 120,000 more on Friday. The remaining 100,000 notifications will be sent Monday.

[...]

https://www.akronchildrens.org/cms/site/16e6640c0d4a89d8/index.html

Akron Children's Hospital recently identified that during an expansion of its computer systems, there were unauthorized entries (breaches) into two separate computer databases. The first database contained personal information of our patients, and of the parents or guardians who provide their health insurance. This personal information included names, addresses, social security numbers and patient birth dates.
We have found no evidence that any medical or financial patient information was exposed.

The second breach involved a server containing information about individuals who have made donations to the hospital. This breach may have exposed personal financial information, specifically some unencrypted bank account and routing numbers. Social security numbers were not included in this database, and credit card information was protected through the highest level of encryption.

[...]

From ziplock at pogowasright.org Sun Oct 29 18:53:47 2006
From: ziplock at pogowasright.org (ziplock)
Date: Sun, 29 Oct 2006 18:53:47 -0500 (EST)
Subject: [Dataloss] Perot Systems Walks Off With Indiana Hospital's Patient Data
Message-ID:

It's been a while since there was a high-profile breach of Americans' personal data, but the Sisters of St. Francis, a hospital chain servicing Indiana and Illinois, wins the dubious honor of putting data theft back on the front page.

St. Francis reported that an employee of Perot Systems, a contractor that was aiding the hospital with its medical billing records, walked off with three compact discs (CDs) containing the personal and medical billing information on 260,000 patients.

The unidentified employee then exchanged the bag for another one, but left the CDs inside. According to hospital officials, the original bag containing the CDs was returned to the hospital, and they were "confident the data was not accessed."

[...]

http://www.consumeraffairs.com/news04/2006/10/st_francis_data.html

From lyger at attrition.org Mon Oct 30 18:29:45 2006
From: lyger at attrition.org (lyger)
Date: Mon, 30 Oct 2006 18:29:45 -0500 (EST)
Subject: [Dataloss] Georgia: Social Security Numbers Posted Online
Message-ID:

(Posting with this question for discussion: if this is a state-wide issue but has only been reported for one county, how should (or can) the overall impact be measured for data breach lists or databases?)
http://www.wsbtv.com/news/10193623/detail.html

A simple online search of a Cherokee County government web site revealed social security numbers posted for all to see ... and it turns out, this is happening across the state.

Channel 2's Tom Regan logged on to the Cherokee County web site, entered a few common names and within a few clicks was able to obtain social security numbers for complete strangers, courtesy of the IRS and the county court web site.

"I'm required by law not to alter the document and by law I cannot alter the document," said Cherokee County Clerk of Courts, Patty Baker.

It applies to all county courts in Georgia - not just Cherokee. The result? People who have federal tax liens against them - sometimes for years as they dispute unpaid taxes - have their entire social security number sitting out on the world wide web for anyone to see.

[...]

From dbloys at door.net Mon Oct 30 20:27:39 2006
From: dbloys at door.net (David Bloys)
Date: Mon, 30 Oct 2006 19:27:39 -0600
Subject: [Dataloss] Georgia: Social Security Numbers Posted Online
In-Reply-To:
Message-ID: <003301c6fc8b$c6ac1d60$0202a8c0@Office>

This is much more than just a statewide issue for Georgia. Any county, anywhere in the country that puts a federal tax lien online is exposing the Social Security number.

The clerk in this case gives the same canned answer that he cannot alter the document, which is true in most states, however the breach occurs when the clerk makes the decision to publish the record online. Ms. Baker's claim that she cannot alter the document is a diversionary tactic often used by Clerks when reporters question them as to why they have published the records online.

Most states do not mandate that the clerk publish the records online or prohibit them from doing so. The decision is one of convenience.

These records have always been public but could only be seen at the local repository (courthouse).
Publishing them online makes them PUBLIC to everyone in the world with an internet connection.

Finally, paying off the lien will not remove it from the record. Actually, it creates another breach as the tax lien release can also contain the Social Security number. This is the case for Tom Delay. The Fort Bend County, Texas website is displaying his SSN on the original lien and again, on the release that was filed two months later.

The IRS has agreed to stop putting the whole numbers on the forms. Instead they will only be showing the last four digits. In effect, they are removing only that portion of the Social that an identity thief does not need. Try calling your credit card company. They will only ask for the last four digits to identify you AS you.

David Bloys
News For Public Officials
Important news for elected officials and the citizens they serve.
Get the newsletter - It's Free!

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger
Sent: Monday, October 30, 2006 5:30 PM
To: dataloss at attrition.org
Subject: [Dataloss] Georgia: Social Security Numbers Posted Online

(Posting with this question for discussion: if this is a state-wide issue but has only been reported for one county, how should (or can) the overall impact be measured for data breach lists or databases?)

http://www.wsbtv.com/news/10193623/detail.html

A simple online search of a Cherokee County government web site revealed social security numbers posted for all to see ... and it turns out, this is happening across the state.

Channel 2's Tom Regan logged on to the Cherokee County web site, entered a few common names and within a few clicks was able to obtain social security numbers for complete strangers, courtesy of the IRS and the county court web site.

"I'm required by law not to alter the document and by law I cannot alter the document," said Cherokee County Clerk of Courts, Patty Baker.
It applies to all county courts in Georgia - not just Cherokee. The result? People who have federal tax liens against them - sometimes for years as they dispute unpaid taxes - have their entire social security sitting out on the world wide web for anyone to see.

[...]

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 139 million compromised records in 447 incidents over 6 years.

From lyger at attrition.org Tue Oct 31 12:25:09 2006
From: lyger at attrition.org (lyger)
Date: Tue, 31 Oct 2006 12:25:09 -0500 (EST)
Subject: [Dataloss] Update: Hospital group sued over data mishap
Message-ID:

http://www.indystar.com/apps/pbcs.dll/article?AID=/20061031/BUSINESS/610310448/1003

The Sisters of St. Francis Health Services Inc. and its contractor are facing a lawsuit over a security lapse that potentially exposed the private information of more than 260,000 patients and others associated with the hospital system in Indiana and Illinois.

The suit, filed on behalf of Greenwood resident Michael Chaney, claims the defendants violated HIPAA privacy laws and failed "to take reasonable corrective action" such as promptly notifying patients of the breach. Lawyers for Chaney say the suit is also filed on behalf of the thousands of other people whose information was potentially exposed by the incident.

[...]
From blitz at strikenet.kicks-ass.net Tue Oct 31 20:13:41 2006
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Tue, 31 Oct 2006 20:13:41 -0500
Subject: [Dataloss] Data breach report stirs security pot
Message-ID: <7.0.1.0.2.20061031201132.05133ea8@strikenet.kicks-ass.net>

> http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn&story.id=42370
>
> Data breach report stirs security pot
>
> 10/23/06
> By Mary Mosquera,
>
> Davis pushes security bill, calls for OMB to step up efforts
>
> Now that an unflattering report detailing data loss in 19 major agencies is public, House Government Reform chairman Tom Davis (R-Va.) is calling for action from the administration and Congress.
>
> The recent committee staff report revealed that some agencies were clueless as to what happens to personal data in their care. The vast majority of data breaches arose from physical theft of notebook PCs, drives and disks, or from unauthorized use of data by employees, the report said.
>
> Davis said that next he will take a closer look at agencies with the most widespread breaches.
>
> "I'm also intent on reaching out again to those agencies that reported few or no incidents. I'm wondering if they simply lack the means to know if sensitive information's been compromised," Davis said.
>
> The Office of Management and Budget needs to act more decisively to help agencies secure data, he added.
>
> "OMB should begin by clarifying and strengthening their guidance," Davis said. OMB, meanwhile, is contemplating its next move.
>
> "We appreciate the recent input of the House Government Reform Committee and the inspectors general. We're reviewing these two reports and will use them to inform our thinking on potential next steps," said an OMB spokeswoman.
>
> OMB has provided some guidance to agencies to safeguard personal information since the May theft of a notebook PC, containing data belonging to millions of veterans, from the home of a Veterans Affairs Department employee.
>
> Davis plans to work with OMB to strengthen agency guidance while also pushing through Congress legislation that makes that guidance a requirement in addition to other steps.
>
> The House recently passed the Veterans Identity and Credit Security Act of 2006, which includes legislation that Davis authored. The bill would strengthen federal security requirements and provide for notification. Davis will offer his legislation as a standalone bill if the Senate does not pass the VA security bill when Congress returns next month, he said.
>
> "Whether the legislation is part of the VA bill or separate, I think there's consensus that these are steps we need to take, and take now," Davis said. Davis worked with Veterans Affairs chairman Steve Buyer (R-Ind.) to craft the security bill. Buyer is negotiating with the Senate on the bill, a committee spokeswoman said.
>
> As the committee staff report proved and VA found in its own experience, it is important that agencies inventory all their IT systems to assess what data is at risk and what safeguards must be imposed, Buyer said.
>
> "Agencies need to empower the CIO with authority and responsibility to ensure data security compliance," he said.
>
> Following the flood of security breaches this year, Davis and ranking Democrat Henry Waxman (D-Calif.) sought summaries from major agencies of data breaches in the past three years to provide a governmentwide snapshot of data risk.
>
> Federal contractors were responsible for many of the data breaches that agencies reported, the report said. Davis wants to reaffirm that the Federal Information Security Management Act applies to contractors.
>
> "If necessary, we can amend FISMA to make this even more apparent and effective," he said.
From lyger at attrition.org Tue Oct 31 21:06:22 2006
From: lyger at attrition.org (lyger)
Date: Tue, 31 Oct 2006 21:06:22 -0500 (EST)
Subject: [Dataloss] North Dakota Humana information theft case settled
Message-ID:

http://www.dfw.com/mld/dfw/business/15895937.htm

Humana Inc. has agreed to pay for up to two years of credit report monitoring for North Dakota customers who may have had their private financial information stolen, Insurance Commissioner Jim Poolman said.

...

The settlement was in response to two unrelated incidents in which personal information about Humana customers, including Social Security numbers and birth dates, was taken.

In one incident, Medicare drug benefit applications were stolen last May from an insurance agent's unlocked car in Brooklyn Park, Minn., a suburb of Minneapolis.

In June, an employee of the federal Department of Health and Human Services discovered a spreadsheet on a Baltimore hotel computer that included the names of about 17,000 Humana customers. A Humana employee had called up the information and then failed to delete it.

[...]