From Dissent at pogowasright.org Thu Feb 1 13:16:57 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 1 Feb 2007 13:16:57 -0500 (EST)
Subject: [Dataloss] Workers comp data stolen
Message-ID:

http://www.boston.com/business/ticker/2007/02/workers_comp_da.html

A former state contractor allegedly accessed a workers' compensation database to steal personal information and fraudulently obtain credit, the Department of Industrial Accidents announced today.

The agency said up to 1,200 people who had submitted workers' compensation claims to the state -- and their Social Security numbers -- may have been compromised, although officials have evidence that only three people had their personal information used improperly.

[..]

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss


From Dissent at pogowasright.org Fri Feb 2 10:58:05 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 2 Feb 2007 10:58:05 -0500 (EST)
Subject: [Dataloss] San Francisco Indian Consulate
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/02/02/LAZ.TMP

Thousands of visa applications and other sensitive documents, including paperwork submitted by top executives and political figures, sat for more than a month in the open yard of a San Francisco recycling center after they were dumped there by the city's Indian Consulate.

[...]

Information on the documents includes applicants' names, addresses, phone numbers, birth dates, professions, employers, passport numbers and photos. Accompanying letters detail people's travel plans and reasons for visiting India.

"As we see it, the documents are not confidential," said B.S. Prakash, the consul general. "We would see something as confidential if it has a Social Security number or a credit card number, not a passport number."

[...]

... a sampling of documents obtained by The Chronicle indicate that the boxes contained confidential paperwork for virtually everyone in California and other Western states who applied for visas to travel to India between 2002 and 2005.

[...]

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss


From lyger at attrition.org Fri Feb 2 11:21:32 2007
From: lyger at attrition.org (lyger)
Date: Fri, 2 Feb 2007 11:21:32 -0500 (EST)
Subject: [Dataloss] Thief takes Wis. lawmakers' Social Security numbers
Message-ID:

http://www.journaltimes.com/articles/2007/02/02/ap-state-wi/d8n1ljfo0.txt

Social Security numbers and other personal information on state Assemblymen and their employees were stolen from another state worker this week after she took them home to do work.

An employee of the Legislative Human Resources Office took a report home to work on Wednesday night and stopped at a health club on her way, Senate Clerk Rob Marchant said in an e-mail. Her locker and others in the health club were broken into and the keys to her vehicle were stolen, Marchant said.

The thief then broke into her car and took a variety of items, including a report that contained information about Assembly personnel, Marchant said. The report included employee names and Social Security numbers, he said.

[...]


From Dissent at pogowasright.org Fri Feb 2 11:27:52 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 2 Feb 2007 11:27:52 -0500 (EST)
Subject: [Dataloss] Thief takes Wis. lawmakers' Social Security numbers
Message-ID:

http://www.chippewa.com/articles/2007/02/02/ap-state-wi/d8n1ljfo0.txt

Social Security numbers and other personal information on state Assemblymen and their employees were stolen from another state worker this week after she took them home to do work.

An employee of the Legislative Human Resources Office took a report home to work on Wednesday night and stopped at a health club on her way, Senate Clerk Rob Marchant said in an e-mail. Her locker and others in the health club were broken into and the keys to her vehicle were stolen, Marchant said.

The thief then broke into her car and took a variety of items, including a report that contained information about Assembly personnel, Marchant said. The report included employee names and Social Security numbers, he said.

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss


From lyger at attrition.org Fri Feb 2 16:10:13 2007
From: lyger at attrition.org (lyger)
Date: Fri, 2 Feb 2007 16:10:13 -0500 (EST)
Subject: [Dataloss] Hacker hits MU database
Message-ID:

http://www.columbiatribune.com/2007/Feb/20070202News009.asp

A hacker broke into a University of Missouri system computer server last month and might have gained access to personal information, including Social Security numbers, of 1,220 researchers on four campuses.

The passwords used for the system by more than 2,500 people might have been compromised as well. The university has sent e-mails and registered letters to everyone affected.

[...]


From lyger at attrition.org Fri Feb 2 23:15:07 2007
From: lyger at attrition.org (lyger)
Date: Fri, 2 Feb 2007 23:15:07 -0500 (EST)
Subject: [Dataloss] NY: Quick Thinking Prevents Massive ID Theft Heist
Message-ID:

(Not sure if this will be included in the Data Loss Database or web page. The story title itself seems to be so much hype... any opinions?)

http://wcbstv.com/topstories/local_story_033212750.html

The New York Department of State on Friday froze portions of a Web site listing commercial records that identity thieves could have used to access the Social Security Numbers of some New Yorkers -- including billionaire mogul Donald Trump.

It took the department more than three hours to block the information from being viewed after The Associated Press alerted officials to the problem.

[...]


From lyger at attrition.org Fri Feb 2 23:21:24 2007
From: lyger at attrition.org (lyger)
Date: Fri, 2 Feb 2007 23:21:24 -0500 (EST)
Subject: [Dataloss] AL: Missing Veterans Affairs hard drive sparks identity theft fears
Message-ID:

http://www.wsls.com/servlet/Satellite?pagename=WSLS%2FMGArticle%2FSLS_BasicArticle&c=MGArticle&cid=1149192998926&path=!news!localnews

The Department of Veterans Affairs (VA) today announced that an employee reported a government-owned, portable hard drive used by the employee at a Department facility in Birmingham, Ala. - and potentially containing personal information about some veterans - is missing and may have been stolen.

"I am concerned about this report," said Jim Nicholson, Secretary of Veterans Affairs. "VA's Office of Inspector General and the FBI are conducting a thorough investigation into this incident. VA's Office of Information and Technology is conducting a separate review. We intend to get to the bottom of this, and we will take aggressive steps to protect and assist anyone whose information may have been involved."

[...]


From Dissent at pogowasright.org Sat Feb 3 02:10:50 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 3 Feb 2007 02:10:50 -0500 (EST)
Subject: [Dataloss] AL: Missing Veterans Affairs hard drive sparks identity theft fears
In-Reply-To:
References:
Message-ID:

Preliminary figures of possible number compromised in this AP report:

http://www.mercurynews.com/mld/mercurynews/business/technology/16612710.htm

A portable hard drive that may contain the personal information of up to 48,000 veterans may have been stolen, the Department of Veterans Affairs and a lawmaker said Friday.

[...]

Rep. Spencer Bachus, R-Ala., said that the personal information of up to 48,000 veterans was on the hard drive and the records of up to 20,000 of them were not encrypted.

[...]

--
Privacy-related news and resources: http://www.pogowasright.org
Privacy news headlines feed: http://www.pogowasright.org/backend/pogowasright.rss


From Dissent at pogowasright.org Sat Feb 3 04:57:10 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 03 Feb 2007 04:57:10 -0500
Subject: [Dataloss] CTS: Thief Steals Tax Records
Message-ID: <7.0.0.16.2.20070203045247.024d7588@nowhere.org>

http://www.wndu.com/news/headlines/5530966.html

Eight hundred people are in jeopardy of having their credit ruined, because thieves in the night stole their personal information from a Cassopolis tax preparer.

[...]

Kirstein owns CTS tax service on Highway M-62. Since 1985 she has been preparing returns for clients in Cassopolis, Edwardsburg, Elkhart, Ohio, Virginia, Illinois and Washington.

She believes someone knew her computer possessed valuable information. "I had money in here. I had checks and nothing was taken, just the computer," says Kirstein. "If it would only concern me, if it would only affect my life it would be fine, but this is 800 people's lives. That's kind of sad. All their information is on there, bank accounts routing numbers, birthdays, social security numbers, addresses, everything is on there."

[...]

--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss


From george at myitaz.com Sat Feb 3 23:39:44 2007
From: george at myitaz.com (George Toft)
Date: Sat, 03 Feb 2007 21:39:44 -0700
Subject: [Dataloss] CTS: Thief Steals Tax Records
In-Reply-To: <7.0.0.16.2.20070203045247.024d7588@nowhere.org>
References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org>
Message-ID: <45C56390.4000205@myitaz.com>

I would expect to see more of these.
I met an accountant in Phoenix that had just her hard drives stolen - guess what the thief was after?

This is a sore point for me - we hired a telemarketer to call every CPA in Phoenix. There was virtually no interest on the part of the CPA's to protect their customer's information from this type of event.

BTW - 800 people for one firm means it's a small firm.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760

Confidential data protection experts for the financial industry.


Dissent wrote:
> http://www.wndu.com/news/headlines/5530966.html
>
> Eight hundred people are in jeopardy of having their credit ruined,
> because thieves in the night stole their personal information from a
> Cassopolis tax preparer.
>
> [...]
>
>
> Kirstein owns CTS tax service on Highway M-62. Since 1985 she has
> been preparing returns for clients in Cassopolis, Edwardsburg,
> Elkhart, Ohio, Virginia, Illinois and Washington.
>
> She believes someone knew her computer possessed valuable
> information. "I had money in here. I had checks and nothing was
> taken, just the computer," says Kirstein. "If it would only concern
> me, if it would only affect my life it would be fine, but this is 800
> people's lives. That's kind of sad. All their information is on
> there, bank accounts routing numbers, birthdays, social security
> numbers, addresses, everything is on there."
>
> [...]
>
> --
> Main site: http://www.pogowasright.org
> Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
> Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 555 incidents over 7 years.
>
>
>


From mhozven at tealeaf.com Sun Feb 4 00:08:32 2007
From: mhozven at tealeaf.com (Max Hozven)
Date: Sat, 3 Feb 2007 21:08:32 -0800
Subject: [Dataloss] CTS: Thief Steals Tax Records
Message-ID: <771A26039D33ED489E23D9614DE630DD04BC8F6B@SFMAIL02.tealeaf.com>

>This is a sore point for me - we hired a telemarketer to call every CPA in
>Phoenix. There was virtually no interest on the part of the CPA's to
>protect their customer's information from this type of event.

That's pretty sad. I'd give it really good odds that an Accountant's own personal data would be on a hard disk they owned (and had customer data on) also. Probably for a fraction of what they make on just one tax-return, they could buy disk encryption software.

-Max

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of George Toft
Sent: Saturday, February 03, 2007 8:40 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] CTS: Thief Steals Tax Records

I would expect to see more of these. I met an accountant in Phoenix that had just her hard drives stolen - guess what the thief was after?

This is a sore point for me - we hired a telemarketer to call every CPA in Phoenix. There was virtually no interest on the part of the CPA's to protect their customer's information from this type of event.

BTW - 800 people for one firm means it's a small firm.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760

Confidential data protection experts for the financial industry.


Dissent wrote:
> http://www.wndu.com/news/headlines/5530966.html
>
> Eight hundred people are in jeopardy of having their credit ruined,
> because thieves in the night stole their personal information from a
> Cassopolis tax preparer.
>
> [...]
>
>
> Kirstein owns CTS tax service on Highway M-62. Since 1985 she has
> been preparing returns for clients in Cassopolis, Edwardsburg,
> Elkhart, Ohio, Virginia, Illinois and Washington.
>
> She believes someone knew her computer possessed valuable
> information. "I had money in here. I had checks and nothing was
> taken, just the computer," says Kirstein. "If it would only concern
> me, if it would only affect my life it would be fine, but this is 800
> people's lives. That's kind of sad. All their information is on
> there, bank accounts routing numbers, birthdays, social security
> numbers, addresses, everything is on there."
>
> [...]
>
> --
> Main site: http://www.pogowasright.org
> Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
> Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss
>
>
>


From blitz at strikenet.kicks-ass.net Sun Feb 4 06:15:58 2007
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Sun, 04 Feb 2007 06:15:58 -0500
Subject: [Dataloss] CTS: Thief Steals Tax Records
In-Reply-To: <45C56390.4000205@myitaz.com>
References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org> <45C56390.4000205@myitaz.com>
Message-ID: <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net>

So one would/might postulate at this point the thieves are selecting smaller targets, with less names and info. Especially ones with less security, and obviously more to lose should they be compromised.

There should be an alert to them all.

At 23:39 2/3/2007, you wrote:
>I would expect to see more of these. I met an accountant in Phoenix
>that had just her hard drives stolen - guess what the thief was after?
>
>This is a sore point for me - we hired a telemarketer to call every CPA
>in Phoenix. There was virtually no interest on the part of the CPA's to
>protect their customer's information from this type of event.
>
>BTW - 800 people for one firm means it's a small firm.
>
>George Toft, CISSP, MSIS
>My IT Department
>www.myITaz.com
>623-203-1760
>
>Confidential data protection experts for the financial industry.
>
>
>Dissent wrote:
> > http://www.wndu.com/news/headlines/5530966.html
> >
> > Eight hundred people are in jeopardy of having their credit ruined,
> > because thieves in the night stole their personal information from a
> > Cassopolis tax preparer.


From james at iqbio.net Sun Feb 4 12:57:57 2007
From: james at iqbio.net (James Childers)
Date: Sun, 4 Feb 2007 09:57:57 -0800
Subject: [Dataloss] VA Breach - Stupidity Redux
In-Reply-To: <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net>
References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org> <45C56390.4000205@myitaz.com> <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net>
Message-ID: <88677D8E4FBE2A4C9CEF9FBF8F38E70519F974@prometheus.HQ.IQBIO.NET>

Has anyone noticed how the facts are trickling out from the VA on their two data losses this month? Also, why did they issue a press release at 9PM on the Friday before the SuperBowl? Distractions? Evade and try to mitigate the damage?

Last year they slowly trickled out information as well and the news was frightening once it was all added together. The testimony before Congressional committees was incredibly enlightening. This latest breach proves that they are not following their own protocols.

Does anyone have any further information on the VA Breaches? We are tracking on our blog and any help would be appreciated. Any comments on the posts would be appreciated as well.
James Childers
iQBio
http://databreaches.blogspot.com
http://iqbio.blogspot.com

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.


From george at myitaz.com Sun Feb 4 13:37:36 2007
From: george at myitaz.com (George Toft)
Date: Sun, 04 Feb 2007 11:37:36 -0700
Subject: [Dataloss] CTS: Thief Steals Tax Records
In-Reply-To: <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net>
References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org> <45C56390.4000205@myitaz.com> <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net>
Message-ID: <45C627F0.20003@myitaz.com>

We tried to alert them all. We published articles and ads in the Arizona Society of CPA magazine.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760

Confidential data protection experts for the financial industry.


blitz wrote:
> So one would/might postulate at this point the thieves are selecting
> smaller targets, with less names and info. Especially ones with less
> security, and obviously more to lose should they be compromised.
>
> There should be an alert to them all.
>
>
> At 23:39 2/3/2007, you wrote:
>
>> I would expect to see more of these. I met an accountant in Phoenix
>> that had just her hard drives stolen - guess what the thief was after?
>>
>> This is a sore point for me - we hired a telemarketer to call every CPA
>> in Phoenix. There was virtually no interest on the part of the CPA's to
>> protect their customer's information from this type of event.
>>
>> BTW - 800 people for one firm means it's a small firm.
>>
>> George Toft, CISSP, MSIS
>> My IT Department
>> www.myITaz.com
>> 623-203-1760
>>
>> Confidential data protection experts for the financial industry.
>>
>>
>> Dissent wrote:
>> > http://www.wndu.com/news/headlines/5530966.html
>> >
>> > Eight hundred people are in jeopardy of having their credit ruined,
>> > because thieves in the night stole their personal information from a
>> > Cassopolis tax preparer.


From james at iqbio.net Sun Feb 4 14:05:46 2007
From: james at iqbio.net (James Childers)
Date: Sun, 4 Feb 2007 11:05:46 -0800
Subject: [Dataloss] CTS: Thief Steals Tax Records
In-Reply-To: <45C627F0.20003@myitaz.com>
References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org> <45C56390.4000205@myitaz.com> <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net> <45C627F0.20003@myitaz.com>
Message-ID: <88677D8E4FBE2A4C9CEF9FBF8F38E70519F975@prometheus.HQ.IQBIO.NET>

But let me guess what the response was to your ad ... They didn't care because it hasn't happened to them yet.

Apathy coupled with stupidity is a dangerous marriage.

Do small firms have to comply with GLBA or are they exempt? If so, how can they justify non-compliance?

Jim Childers
iQBio
www.iqbio.com
http://databreaches.blogspot.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of George Toft
Sent: Sunday, February 04, 2007 10:38 AM
To: blitz
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] CTS: Thief Steals Tax Records

We tried to alert them all. We published articles and ads in the Arizona Society of CPA magazine.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760

Confidential data protection experts for the financial industry.


blitz wrote:
> So one would/might postulate at this point the thieves are selecting
> smaller targets, with less names and info. Especially ones with less
> security, and obviously more to lose should they be compromised.
>
> There should be an alert to them all.
>
>
> At 23:39 2/3/2007, you wrote:
>
>> I would expect to see more of these. I met an accountant in Phoenix
>> that had just her hard drives stolen - guess what the thief was after?
>>
>> This is a sore point for me - we hired a telemarketer to call every CPA
>> in Phoenix. There was virtually no interest on the part of the CPA's to
>> protect their customer's information from this type of event.
>>
>> BTW - 800 people for one firm means it's a small firm.
>>
>> George Toft, CISSP, MSIS
>> My IT Department
>> www.myITaz.com
>> 623-203-1760
>>
>> Confidential data protection experts for the financial industry.
>>
>>
>> Dissent wrote:
>> > http://www.wndu.com/news/headlines/5530966.html
>> >
>> > Eight hundred people are in jeopardy of having their credit ruined,
>> > because thieves in the night stole their personal information from a
>> > Cassopolis tax preparer.


From adam at homeport.org Sun Feb 4 14:09:56 2007
From: adam at homeport.org (Adam Shostack)
Date: Sun, 4 Feb 2007 14:09:56 -0500
Subject: [Dataloss] CTS: Thief Steals Tax Records
In-Reply-To: <45C627F0.20003@myitaz.com>
References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org> <45C56390.4000205@myitaz.com> <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net> <45C627F0.20003@myitaz.com>
Message-ID: <20070204190956.GA28408@homeport.org>

So without meaning any disrespect George, I think that there are multiple fair interpretations of what's happened.

1) Arizona CPAs don't care.
2) Arizona CPAs saw your ads and decided that the risk wasn't that high. (No comment on the quality of the risk assessment.)
3) Arizona CPAs said "he's trying to drum up business" and let that color their risk assessment

Similarly, your claim earlier "There was virtually no interest on the part of the CPA's to protect their customer's information"

1) could be true
2) could be that the CPAs don't know how to differentiate themselves on this basis.
3) could be that your telemarketer stinks.

I'm glad to have you on the list and discussing your experience. Please don't take this as anything more than an attempt to offer alternate hypotheses.

Adam

On Sun, Feb 04, 2007 at 11:37:36AM -0700, George Toft wrote:
| We tried to alert them all. We published articles and ads in the
| Arizona Society of CPA magazine.
|
| George Toft, CISSP, MSIS
| My IT Department
| www.myITaz.com
| 623-203-1760
|
| Confidential data protection experts for the financial industry.
|
|
| blitz wrote:
| > So one would/might postulate at this point the thieves are selecting
| > smaller targets, with less names and info. Especially ones with less
| > security, and obviously more to lose should they be compromised.
| >
| > There should be an alert to them all.
| >
| >
| > At 23:39 2/3/2007, you wrote:
| >
| >> I would expect to see more of these. I met an accountant in Phoenix
| >> that had just her hard drives stolen - guess what the thief was after?
| >>
| >> This is a sore point for me - we hired a telemarketer to call every CPA
| >> in Phoenix. There was virtually no interest on the part of the CPA's to
| >> protect their customer's information from this type of event.
| >>
| >> BTW - 800 people for one firm means it's a small firm.
| >>
| >> George Toft, CISSP, MSIS
| >> My IT Department
| >> www.myITaz.com
| >> 623-203-1760
| >>
| >> Confidential data protection experts for the financial industry.
| >>
| >>
| >> Dissent wrote:
| >> > http://www.wndu.com/news/headlines/5530966.html
| >> >
| >> > Eight hundred people are in jeopardy of having their credit ruined,
| >> > because thieves in the night stole their personal information from a
| >> > Cassopolis tax preparer.
|


From bkdelong at pobox.com Sun Feb 4 14:27:54 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Sun, 4 Feb 2007 14:27:54 -0500
Subject: [Dataloss] CTS: Thief Steals Tax Records
In-Reply-To: <20070204190956.GA28408@homeport.org>
References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org> <45C56390.4000205@myitaz.com> <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net> <45C627F0.20003@myitaz.com> <20070204190956.GA28408@homeport.org>
Message-ID:

Data Loss and Compliance is all a game of Risk......Management. The CPAs and other folk all get together to calculate at what point an incident would be an unacceptable cost. That becomes the threshold to determine just how much they're willing to comply - both from a "CNN moment" the result of a breach and a fine due to lack of compliance.

The "loss of reputation" might encourage more awareness but the key is to get inside their head. Though keep in mind, with each younger generation the better the BS meter. ;)

On 2/4/07, Adam Shostack wrote:
> So without meaning any disrespect George, I think that there are
> multiple fair interpretations of what's happened.
>
> 1) Arizona CPAs don't care.
> 2) Arizona CPAs saw your ads and decided that the risk wasn't that
> high. (No comment on the quality of the risk assessment.)
> 3) Arizona CPAs said "he's trying to drum up business" and let that > color their risk assessment > > Similarly, your claim earlier "There was virtually no interest on the > part of the CPA's to protect their customer's information" > > 1) could be true > 2) could be that the CPAs don't know how to differentiate themselves > on this basis. > 3) could be that your telemarketer stinks. > > I'm glad to have you on the list and discussing your experience. > Please don't take this as anything more than an attempt to offer > alternate hypotheses. > > Adam > > On Sun, Feb 04, 2007 at 11:37:36AM -0700, George Toft wrote: > | We tried to alert them all. We published articles and ads in the > | Arizona Society of CPA magazine. > | > | George Toft, CISSP, MSIS > | My IT Department > | www.myITaz.com > | 623-203-1760 > | > | Confidential data protection experts for the financial industry. > | > | > | blitz wrote: > | > So one would/might postulate at this point the thieves are selecting > | > smaller targets, with less names and info. Especially ones with less > | > security, and obviously more to loose should they be compromised. > | > > | > */There should be an alert to them all. > | > > | > > | > /*At 23:39 2/3/2007, you wrote: > | > > | >> I would expect to see more of these. I met an accountant in Phoenix > | >> that had just her hard drives stolen - guess what the thief was after? > | >> > | >> This is a sore point for me - we hired a telemarketer to call every CPA > | >> in Phoenix. There was virtually no interest on the part of the CPA's to > | >> protect their customer's information from this type of event. > | >> > | >> BTW - 800 people for one firm means it's a small firm. > | >> > | >> George Toft, CISSP, MSIS > | >> My IT Department > | >> www.myITaz.com > | >> 623-203-1760 > | >> > | >> Confidential data protection experts for the financial industry. 
> | >> > | >> > | >> Dissent wrote: > | >> > http://www.wndu.com/news/headlines/5530966.html > | >> > > | >> > Eight hundred people are in jeopardy of having their credit ruined, > | >> > because thieves in the night stole their personal information from a > | >> > Cassopolis tax preparer. > | _______________________________________________ > | Dataloss Mailing List (dataloss at attrition.org) > | http://attrition.org/dataloss > | Tracking more than 146 million compromised records in 562 incidents over 7 years. > | > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 146 million compromised records in 562 incidents over 7 years. > > > -- B.K. DeLong (K3GRN) bkdelong at pobox.com +1.617.797.8471 http://www.wkdelong.org Son. http://www.ianetsec.com Work. http://www.bostonredcross.org Volunteer. http://www.carolingia.eastkingdom.org Service. http://bkdelong.livejournal.com Play. PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE FOAF: http://foaf.brain-stream.org From george at myitaz.com Sun Feb 4 16:27:53 2007 From: george at myitaz.com (George Toft) Date: Sun, 04 Feb 2007 14:27:53 -0700 Subject: [Dataloss] CTS: Thief Steals Tax Records In-Reply-To: <20070204190956.GA28408@homeport.org> References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org> <45C56390.4000205@myitaz.com> <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net> <45C627F0.20003@myitaz.com> <20070204190956.GA28408@homeport.org> Message-ID: <45C64FD9.5020801@myitaz.com> No disrespect taken. Alternate hypothesis: 4) The IT guy has it all taken care of - he said so. George Toft, CISSP, MSIS My IT Department www.myITaz.com 623-203-1760 Confidential data protection experts for the financial industry. Adam Shostack wrote: > So without meaning any disrespect George, I think that there are > multiple fair interpretations of what's happened. > > 1) Arizona CPAs don't care. 
> 2) Arizona CPAs saw your ads and decided that the risk wasn't that > high. (No comment on the quality of the risk assessment.) > 3) Arizona CPAs said "he's trying to drum up business" and let that > color their risk assessment > > Similarly, your claim earlier "There was virtually no interest on the > part of the CPA's to protect their customer's information" > > 1) could be true > 2) could be that the CPAs don't know how to differentiate themselves > on this basis. > 3) could be that your telemarketer stinks. > > I'm glad to have you on the list and discussing your experience. > Please don't take this as anything more than an attempt to offer > alternate hypotheses. > > Adam > > On Sun, Feb 04, 2007 at 11:37:36AM -0700, George Toft wrote: > | We tried to alert them all. We published articles and ads in the > | Arizona Society of CPA magazine. > | > | George Toft, CISSP, MSIS > | My IT Department > | www.myITaz.com > | 623-203-1760 > | > | Confidential data protection experts for the financial industry. > | > | > | blitz wrote: > | > So one would/might postulate at this point the thieves are selecting > | > smaller targets, with less names and info. Especially ones with less > | > security, and obviously more to loose should they be compromised. > | > > | > */There should be an alert to them all. > | > > | > > | > /*At 23:39 2/3/2007, you wrote: > | > > | >> I would expect to see more of these. I met an accountant in Phoenix > | >> that had just her hard drives stolen - guess what the thief was after? > | >> > | >> This is a sore point for me - we hired a telemarketer to call every CPA > | >> in Phoenix. There was virtually no interest on the part of the CPA's to > | >> protect their customer's information from this type of event. > | >> > | >> BTW - 800 people for one firm means it's a small firm. 
> | >>
> | >> George Toft, CISSP, MSIS
> | >> My IT Department
> | >> www.myITaz.com
> | >> 623-203-1760
> | >>
> | >> Confidential data protection experts for the financial industry.
> | >>
> | >>
> | >> Dissent wrote:
> | >> > http://www.wndu.com/news/headlines/5530966.html
> | >> >
> | >> > Eight hundred people are in jeopardy of having their credit ruined,
> | >> > because thieves in the night stole their personal information from a
> | >> > Cassopolis tax preparer.
> | _______________________________________________
> | Dataloss Mailing List (dataloss at attrition.org)
> | http://attrition.org/dataloss
> | Tracking more than 146 million compromised records in 562 incidents over 7 years.
> |
>
>

From george at myitaz.com Sun Feb 4 16:45:12 2007
From: george at myitaz.com (George Toft)
Date: Sun, 04 Feb 2007 14:45:12 -0700
Subject: [Dataloss] CTS: Thief Steals Tax Records
In-Reply-To: <88677D8E4FBE2A4C9CEF9FBF8F38E70519F975@prometheus.HQ.IQBIO.NET>
References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org> <45C56390.4000205@myitaz.com> <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net> <45C627F0.20003@myitaz.com> <88677D8E4FBE2A4C9CEF9FBF8F38E70519F975@prometheus.HQ.IQBIO.NET>
Message-ID: <45C653E8.6030200@myitaz.com>

The FTC clearly calls out tax preparers as being required to comply with GLBA (http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm 3rd paragraph). However, in September, 2006, CPA's were able to become exempt from the privacy rule of GLBA (http://www.icpas.org/icpas/ei/gbarticle.asp). They are still required to comply with the Security Rule, which nobody seems to know about.

CPA's by nature are very tight-fisted with their money, and they see this as yet another expense that has no benefit. "If it's not broke, why should I fix it?"

This list's members are very proactive and forward-thinking.
Securing information is obvious to us, but eludes others, so they delegate the task to "the IT guy" and it's his problem because "he understands that stuff." Problem is, a large percentage of IT Guys I've spoken with are clueless about regulatory compliance and the finer art of information security.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760

Confidential data protection experts for the financial industry.

James Childers wrote:
> But let me guess what the response was to your ad ... They didn't care
> because it hasn't happened to them yet.
>
> Apathy coupled with stupidity is a dangerous marriage.
>
> Do small firms have to comply with GLBA or are they exempt? If so, how
> can they justify non-compliance?
>
> Jim Childers
> iQBio
> www.iqbio.com
> http://databreaches.blogspot.com
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org] On Behalf Of George Toft
> Sent: Sunday, February 04, 2007 10:38 AM
> To: blitz
> Cc: dataloss at attrition.org
> Subject: Re: [Dataloss] CTS: Thief Steals Tax Records
>
> We tried to alert them all. We published articles and ads in the
> Arizona Society of CPA magazine.
>
> George Toft, CISSP, MSIS
> My IT Department
> www.myITaz.com
> 623-203-1760
>
> Confidential data protection experts for the financial industry.
>
>
> blitz wrote:
>
>>So one would/might postulate at this point the thieves are selecting
>>smaller targets, with less names and info. Especially ones with less
>>security, and obviously more to lose should they be compromised.
>>
>>*/There should be an alert to them all.
>>
>>
>>/*At 23:39 2/3/2007, you wrote:
>>
>>
>>>I would expect to see more of these. I met an accountant in Phoenix
>>>that had just her hard drives stolen - guess what the thief was
>
> after?
>
>>>This is a sore point for me - we hired a telemarketer to call every
>
> CPA
>
>>>in Phoenix.
There was virtually no interest on the part of the CPA's
>
> to
>
>>>protect their customer's information from this type of event.
>>>
>>>BTW - 800 people for one firm means it's a small firm.
>>>
>>>George Toft, CISSP, MSIS
>>>My IT Department
>>>www.myITaz.com
>>>623-203-1760
>>>
>>>Confidential data protection experts for the financial industry.
>>>
>>>
>>>Dissent wrote:
>>>
>>>>http://www.wndu.com/news/headlines/5530966.html
>>>>
>>>>Eight hundred people are in jeopardy of having their credit ruined,
>>>>because thieves in the night stole their personal information from
>
> a
>
>>>>Cassopolis tax preparer.
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 562 incidents over
> 7 years.
>
>

From james at iqbio.net Sun Feb 4 16:47:48 2007
From: james at iqbio.net (James Childers)
Date: Sun, 4 Feb 2007 13:47:48 -0800
Subject: [Dataloss] CTS: Thief Steals Tax Records
In-Reply-To: <45C653E8.6030200@myitaz.com>
References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org> <45C56390.4000205@myitaz.com> <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net> <45C627F0.20003@myitaz.com> <88677D8E4FBE2A4C9CEF9FBF8F38E70519F975@prometheus.HQ.IQBIO.NET> <45C653E8.6030200@myitaz.com>
Message-ID: <88677D8E4FBE2A4C9CEF9FBF8F38E70519F976@prometheus.HQ.IQBIO.NET>

An absolute recipe for disaster is when you let the I.T. "guys" make business decisions.

Thanks for the info.

James Childers
http://www.iqbio.com
http://www.clipbio.com

-----Original Message-----
From: George Toft [mailto:george at myitaz.com]
Sent: Sunday, February 04, 2007 1:45 PM
To: James Childers
Cc: blitz; dataloss at attrition.org
Subject: Re: [Dataloss] CTS: Thief Steals Tax Records

The FTC clearly calls out tax preparers as being required to comply with GLBA (http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm 3rd paragraph).
However, in September, 2006, CPA's were able to become exempt from the privacy rule of GLBA (http://www.icpas.org/icpas/ei/gbarticle.asp). They are still required to comply with the Security Rule, which nobody seems to know about.

CPA's by nature are very tight-fisted with their money, and they see this as yet another expense that has no benefit. "If it's not broke, why should I fix it?"

This list's members are very proactive and forward-thinking. Securing information is obvious to us, but eludes others, so they delegate the task to "the IT guy" and it's his problem because "he understands that stuff." Problem is, a large percentage of IT Guys I've spoken with are clueless about regulatory compliance and the finer art of information security.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
623-203-1760

Confidential data protection experts for the financial industry.

James Childers wrote:
> But let me guess what the response was to your ad ... They didn't care
> because it hasn't happened to them yet.
>
> Apathy coupled with stupidity is a dangerous marriage.
>
> Do small firms have to comply with GLBA or are they exempt? If so, how
> can they justify non-compliance?
>
> Jim Childers
> iQBio
> www.iqbio.com
> http://databreaches.blogspot.com
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org] On Behalf Of George Toft
> Sent: Sunday, February 04, 2007 10:38 AM
> To: blitz
> Cc: dataloss at attrition.org
> Subject: Re: [Dataloss] CTS: Thief Steals Tax Records
>
> We tried to alert them all. We published articles and ads in the
> Arizona Society of CPA magazine.
>
> George Toft, CISSP, MSIS
> My IT Department
> www.myITaz.com
> 623-203-1760
>
> Confidential data protection experts for the financial industry.
>
>
> blitz wrote:
>
>>So one would/might postulate at this point the thieves are selecting
>>smaller targets, with less names and info.
Especially ones with less
>>security, and obviously more to lose should they be compromised.
>>
>>*/There should be an alert to them all.
>>
>>
>>/*At 23:39 2/3/2007, you wrote:
>>
>>
>>>I would expect to see more of these. I met an accountant in Phoenix
>>>that had just her hard drives stolen - guess what the thief was
>
> after?
>
>>>This is a sore point for me - we hired a telemarketer to call every
>
> CPA
>
>>>in Phoenix. There was virtually no interest on the part of the CPA's
>
> to
>
>>>protect their customer's information from this type of event.
>>>
>>>BTW - 800 people for one firm means it's a small firm.
>>>
>>>George Toft, CISSP, MSIS
>>>My IT Department
>>>www.myITaz.com
>>>623-203-1760
>>>
>>>Confidential data protection experts for the financial industry.
>>>
>>>
>>>Dissent wrote:
>>>
>>>>http://www.wndu.com/news/headlines/5530966.html
>>>>
>>>>Eight hundred people are in jeopardy of having their credit ruined,
>>>>because thieves in the night stole their personal information from
>
> a
>
>>>>Cassopolis tax preparer.
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 562 incidents over
> 7 years.
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From lyger at attrition.org Sun Feb 4 17:08:55 2007
From: lyger at attrition.org (lyger)
Date: Sun, 4 Feb 2007 17:08:55 -0500 (EST)
Subject: [Dataloss] CTS: Thief Steals Tax Records
In-Reply-To: <88677D8E4FBE2A4C9CEF9FBF8F38E70519F976@prometheus.HQ.IQBIO.NET>
References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org> <45C56390.4000205@myitaz.com> <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net> <45C627F0.20003@myitaz.com> <88677D8E4FBE2A4C9CEF9FBF8F38E70519F975@prometheus.HQ.IQBIO.NET> <45C653E8.6030200@myitaz.com> <88677D8E4FBE2A4C9CEF9FBF8F38E70519F976@prometheus.HQ.IQBIO.NET>
Message-ID:

Since I almost never get to jump into these discussions, please allow me to retort.

I find a couple of the comments below to be somewhat stereotypical. "IT guys" are generally considered to be "geeks" and nothing more, even if they have years of experience in fields that have to deal with regulatory compliance issues on a daily basis. Some "IT guys" are absolutely capable of making business decisions, especially when the decision in question concerns protecting their company from bad choices made by the "business leaders" who fail to understand the basics of risk assessment and risk management, specifically those that deal with the loss of client, customer, or employee information.

While it may be true that "a large percentage of IT guys" aren't as versed in regulatory compliance as their "business leader" counterparts, the same can be said for the "business leaders" who aren't concerned with the impact a data breach can have on their company and fail to enable their "IT guys" to provide valuable input into the decision-making process.

Just my opinion.

Lyger

On Sun, 4 Feb 2007, James Childers wrote:

": " An absolute recipe for disaster is when you let the I.T. "guys" make
": " business decisions.
": "
": " Thanks for the info.
": "
": " James Childers
": " http://www.iqbio.com
": " http://www.clipbio.com
": "
": " -----Original Message-----
": " From: George Toft [mailto:george at myitaz.com]
": " Sent: Sunday, February 04, 2007 1:45 PM
": " To: James Childers
": " Cc: blitz; dataloss at attrition.org
": " Subject: Re: [Dataloss] CTS: Thief Steals Tax Records
": "
": " The FTC clearly calls out tax preparers as being required to comply with
": "
": " GLBA (http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm 3rd
": " paragraph). However, in September, 2006, CPA's were able to become
": " exempt from the privacy rule of GLBA
": " (http://www.icpas.org/icpas/ei/gbarticle.asp). They are still required
": " to comply with the Security Rule, which nobody seems to know about.
": "
": " CPA's by nature are very tight-fisted with their money, and they see
": " this as yet another expense that has no benefit. "If it's not broke,
": " why should I fix it?"
": "
": " This list's members are very proactive and forward-thinking. Securing
": " information is obvious to us, but eludes others, so they delegate the
": " task to "the IT guy" and it's his problem because "he understands that
": " stuff." Problem is, a large percentage of IT Guys I've spoken with are
": " clueless about regulatory compliance and the finer art of information
": " security.
": "
": " George Toft, CISSP, MSIS
": " My IT Department
": " www.myITaz.com

From james at iqbio.net Sun Feb 4 17:14:04 2007
From: james at iqbio.net (James Childers)
Date: Sun, 4 Feb 2007 14:14:04 -0800
Subject: [Dataloss] CTS: Thief Steals Tax Records
In-Reply-To:
References: <7.0.0.16.2.20070203045247.024d7588@nowhere.org> <45C56390.4000205@myitaz.com> <7.0.1.0.2.20070204061309.0428ced8@strikenet.kicks-ass.net> <45C627F0.20003@myitaz.com> <88677D8E4FBE2A4C9CEF9FBF8F38E70519F975@prometheus.HQ.IQBIO.NET> <45C653E8.6030200@myitaz.com> <88677D8E4FBE2A4C9CEF9FBF8F38E70519F976@prometheus.HQ.IQBIO.NET>
Message-ID: <88677D8E4FBE2A4C9CEF9FBF8F38E70519F977@prometheus.HQ.IQBIO.NET>

Point taken... of course we are just talking about the "norms". There are exceptions to every rule.

James Childers

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of lyger
Sent: Sunday, February 04, 2007 2:09 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] CTS: Thief Steals Tax Records

Since I almost never get to jump into these discussions, please allow me to retort.

I find a couple of the comments below to be somewhat stereotypical. "IT guys" are generally considered to be "geeks" and nothing more, even if they have years of experience in fields that have to deal with regulatory compliance issues on a daily basis. Some "IT guys" are absolutely capable of making business decisions, especially when the decision in question concerns protecting their company from bad choices made by the "business leaders" who fail to understand the basics of risk assessment and risk management, specifically those that deal with the loss of client, customer, or employee information.
While it may be true that "a large percentage of IT guys" aren't as versed in regulatory compliance as their "business leader" counterparts, the same can be said for the "business leaders" who aren't concerned with the impact a data breach can have on their company and fail to enable their "IT guys" to provide valuable input into the decision-making process.

Just my opinion.

Lyger

On Sun, 4 Feb 2007, James Childers wrote:

": " An absolute recipe for disaster is when you let the I.T. "guys" make
": " business decisions.
": "
": " Thanks for the info.
": "
": " James Childers
": " http://www.iqbio.com
": " http://www.clipbio.com
": "
": " -----Original Message-----
": " From: George Toft [mailto:george at myitaz.com]
": " Sent: Sunday, February 04, 2007 1:45 PM
": " To: James Childers
": " Cc: blitz; dataloss at attrition.org
": " Subject: Re: [Dataloss] CTS: Thief Steals Tax Records
": "
": " The FTC clearly calls out tax preparers as being required to comply with
": "
": " GLBA (http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm 3rd
": " paragraph). However, in September, 2006, CPA's were able to become
": " exempt from the privacy rule of GLBA
": " (http://www.icpas.org/icpas/ei/gbarticle.asp). They are still required
": " to comply with the Security Rule, which nobody seems to know about.
": "
": " CPA's by nature are very tight-fisted with their money, and they see
": " this as yet another expense that has no benefit. "If it's not broke,
": " why should I fix it?"
": "
": " This list's members are very proactive and forward-thinking. Securing
": " information is obvious to us, but eludes others, so they delegate the
": " task to "the IT guy" and it's his problem because "he understands that
": " stuff." Problem is, a large percentage of IT Guys I've spoken with are
": " clueless about regulatory compliance and the finer art of information
": " security.
": "
": " George Toft, CISSP, MSIS
": " My IT Department
": " www.myITaz.com

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 562 incidents over 7 years.

From mhozven at tealeaf.com Mon Feb 5 00:42:59 2007
From: mhozven at tealeaf.com (Max Hozven)
Date: Sun, 4 Feb 2007 21:42:59 -0800
Subject: [Dataloss] Police Computer Winds Up at Pa. Store
Message-ID: <771A26039D33ED489E23D9614DE630DD04BC8FB7@SFMAIL02.tealeaf.com>

Police Computer Winds Up at Pa. Store
Friday, February 2, 2007

(02-02) 14:30 PST Columbia, Pa. (AP) --

Lancaster County detectives are trying to find out how a Columbia Police Department computer containing crime-scene photographs, autopsy photos and confidential data wound up at a computer store, prosecutors said.

"The computer was turned over to this office yesterday by the owner of a computer-repair business who received it as a trade-in for a used computer system," District Attorney Donald R. Totaro said Thursday.

A customer who traded the computer in at The Computer Outlet said he had obtained it from a police officer who rented him an apartment, store owner Jesse Sweigart said.

___
Information from: Intelligencer Journal, www.lancasteronline.com/pages/paper/sundaynews/
From lyger at attrition.org Tue Feb 6 12:07:49 2007
From: lyger at attrition.org (lyger)
Date: Tue, 6 Feb 2007 12:07:49 -0500 (EST)
Subject: [Dataloss] NY: Burglary leads to ID theft concerns
Message-ID:

http://poststar.com/articles/2007/02/06/news/doc45c8abf57b7ae609243186.txt

More than 500 people whose personal information was stolen from a Bay Street apartment where a state tax auditor lives have been notified they may be susceptible to identity theft.

A Dell laptop computer, computer modem and laptop case that contained documents were stolen from the auditor's home during the Jan. 20-21 burglary.

Robert Lillpop, a spokesman for the state Department of Labor, said the laptop had little personal information on it and security features that should lessen the chance of it being accessed.

[...]

From Dissent at pogowasright.org Tue Feb 6 12:57:50 2007
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 06 Feb 2007 12:57:50 -0500
Subject: [Dataloss] Metro Credit Services
Message-ID: <7.0.0.16.2.20070206125412.024616a8@nowhere.org>

http://www.nbc5i.com/news/10943763/detail.html

Hurst police have recovered and destroyed a trash bin full of discarded personal information.

Officials said the multiple boxes of documents contained medical records, phone bills and Social Security numbers belonging to thousands of people across Texas.

They said the files once belonged to the defunct bill collection company Metro Credit Services, and that the owner of the building at which the company once operated threw out the documents during the weekend.

[...]
--
http://www.pogowasright.org
http://www.pogowasright.org/backend/pogowasright.rss
http://www.pogowasright.org/backend/breaches.rss

From lyger at attrition.org Wed Feb 7 11:27:28 2007
From: lyger at attrition.org (lyger)
Date: Wed, 7 Feb 2007 11:27:28 -0500 (EST)
Subject: [Dataloss] Tapes with data about Hopkins' workers, patients, missing
Message-ID:

http://www.wmdt.com/wires/displaystory.asp?id=58386284

The Johns Hopkins University and the Johns Hopkins Hospital are reporting the disappearance of nine computer tapes containing personal information about university employees and hospital patients.

Officials learned January 18th that eight tapes had not been returned as expected by a contractor that makes backups of the data.

The tapes contained payroll information on 52-thousand past and present university employees from all units except the Applied Physics Lab. The data included Social Security numbers and, in some cases, bank account numbers.

[...]

From lists at merchant911.org Wed Feb 7 12:57:39 2007
From: lists at merchant911.org (Tom Mahoney)
Date: Wed, 7 Feb 2007 12:57:39 -0500
Subject: [Dataloss] Data from 35,000 found during arrest
In-Reply-To:
References:
Message-ID:

Have you seen this??

http://www.mississauga.com/mi/peelpolice/story/3871125p-4478348c.html

--
Tom Mahoney, Director
Over 3300 Merchants united to protect themselves
http://www.merchant911.org
http://www.preventchargebacks.com
http://preventchargebacks.blogspot.com

From Dissent at pogowasright.org Wed Feb 7 13:32:33 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 07 Feb 2007 13:32:33 -0500
Subject: [Dataloss] America's Community Bankers Survey Results
Message-ID: <7.0.0.16.2.20070207133020.02528ea0@nowhere.org>

Thanks to list member baforestal at earthlink.net who also submitted a link to this press release.
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/02-07-2007/0004522563&EDATE=

A just-completed survey by America's Community Bankers reveals that data security continues to be a significant issue for community banks and their customers, and that card network and congressional action is necessary to address this far-reaching problem.

[...]

The following are some of the highlights from the ACB member survey conducted between January 26 and February 5.

-- Of the 181 respondents, more than 96 percent said they issued debit cards, while 19 percent said they issued credit cards.

-- In the past 24 months, 70 percent of respondents said their bank had to reissue cards due to data breaches three times or more and 39% said their bank had to reissue cards more than five times.

-- Eighty-nine percent of the debit card issuers and 53 percent of the credit card issuers indicated that their customers had been affected by a data breach.

-- Of those affected by a data breach, 92 percent had reissued cards to customers.

While not specifically asked in the survey, cumulative data reflect that the average cost for reissuing each debit card is approximately $10-20 per card. Therefore, a bank reissuing 10,000 cards three times at an average cost of $15 per card would incur a cost of $450,000.

[...]
--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From Dissent at pogowasright.org Wed Feb 7 13:40:49 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 07 Feb 2007 13:40:49 -0500
Subject: [Dataloss] Social Security numbers found on UNL Web site
Message-ID: <7.0.0.16.2.20070207134035.02568230@nowhere.org>

http://www.omaha.com/index.php?u_page=1000&u_sid=2326625

A University of Nebraska-Lincoln employee accidentally posted the Social Security numbers of 72 students, professors and staff members on the university's public Web site, where they remained for more than two years before UNL officials caught the gaffe Tuesday.

It's the second such security breach in the past year at UNL, twin mishaps that have a school vice chancellor vowing to tighten computer security.

[...]

--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From lyger at attrition.org Thu Feb 8 00:03:02 2007
From: lyger at attrition.org (lyger)
Date: Thu, 8 Feb 2007 00:03:02 -0500 (EST)
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
Message-ID:

http://attrition.org/dataloss/forensics.html

Wed Feb 07 21:55:51 EDT 2007
Jericho and Lyger

In May of 2006, the United States Department of Veterans Affairs publicly disclosed the fact that "Personal data on about 26.5 million U.S. military veterans was stolen from the residence of a Department of Veterans Affairs data analyst who improperly took the material home", prompting a mass concern that the information, if in the wrong hands, could have led to multiple cases of identity theft. At the very least, the fear that even a government entity could have let such sensitive data fall into the wrong hands led many to wonder about the data security of less protected sources.
The additional fact that the breach wasn't disclosed for almost three weeks after the theft did little to initially ease those fears.

Weeks later, the stolen laptop and hard drive were recovered from the back of a truck at a black market sale and sent to the United States Federal Bureau of Investigation for analysis. At the end of June 2006, the FBI issued a declaration that "the personal data on the hardware was not accessed by thieves" to which VA Secretary R. James Nicholson stated "This is a reason to be optimistic. It's a very positive note in this entire tragic event."

The question that needs to be asked, however, is how could they be absolutely sure that the data wasn't accessed? Simply because the FBI said so?

[...]

From jericho at attrition.org Thu Feb 8 02:50:29 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 8 Feb 2007 02:50:29 -0500 (EST)
Subject: [Dataloss] [update] Massachusetts Leads National TJX Data Probe
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.eweek.com/article2/0,1895,2091585,00.asp

By Evan Schuman
Ziff Davis Internet
February 7, 2007

Updated: The Massachusetts Attorney General is heading up a group of more than 30 states trying to force answers to how the massive TJX data breach happened.

The Massachusetts Attorney General is heading up a group of more than 30 states trying to force answers to how the massive TJX Companies data breach happened.

"The scope of this is very broad," Massachusetts Attorney General Martha Coakley said in an interview Feb. 7, a few hours after her office announced the multi-state probe of the apparel and home fashions retailer. "We're going to be looking at appropriate business practices and whether they put consumers at risk." She added that "businesses need to run their businesses, and they need certain amounts of information."

Coakley would not identify which states are involved, only saying that "there are at least 30 who are interested in doing this."
Recently, Rhode Island announced that it was pursuing its own investigation of TJX. The Rhode Island probe will continue, and Rhode Island is not, at this time, participating in the multi-state effort led by Massachusetts, said Michael Healy, the public information officer for Rhode Island Attorney General Patrick C. Lynch. Healy added that the first meeting that Rhode Island prosecutors are having with TJX has been delayed two days, from Feb. 12 to Feb. 14, because TJX officials said they needed more time.

The TJX incident was announced in mid-January, and according to TJX statements, discovered in mid-December. That monthlong delay before public disclosure is a key issue in the Massachusetts probe. TJX has also said that the data problem began in mid-May and hadn't been discovered until mid-December, which is also something the Massachusetts group will likely examine.

The $16 billion global retail chain owns T.J. Maxx and Marshall's, among other brands.

Coakley stressed that her multi-state probe will not be limited to credit- and debit-card transactions, but will look at a wide range of "paperless transactions of financial information," including TJX's retention of driver's license information required to handle in-store receipt-less product returns.

An issue that these multi-state data breach probes often focus on is how to compensate consumers' efforts to protect themselves. TJX, for example, has opted to not pay for credit bureau checks for consumers, arguing that such efforts wouldn't be productive in protecting consumers.

One area that Rhode Island is exploring is whether retailers should pay for professionals to clean up the accounts of consumers, so consumers do not have to spend hours listening to hold music to clean up a mistake that was someone else's fault. Coakley said that Massachusetts and the other states are also actively considering such options. "It's the whole issue of who pays for the burden" in terms of both cost and time and the "inconvenience."
She added: "The states recognize that the time has now come to take a look at this."

Retail Center Editor Evan Schuman can be reached at Evan_Schuman (at) ziffdavis.com.

Editor's Note: This story was updated to clarify Rhode Island's position with information from Rhode Island Attorney General Patrick C. Lynch.

From lists at merchant911.org Wed Feb 7 20:31:30 2007
From: lists at merchant911.org (Tom Mahoney)
Date: Wed, 7 Feb 2007 20:31:30 -0500
Subject: [Dataloss] Another 15000 at risk
Message-ID:

15,000 potentially exposed card numbers at a Denver, Colorado ski shop

http://www.summitdaily.com/article/20070207/COLUMNS/102070059/-1/rss01

--
Tom Mahoney, Director
Over 3300 Merchants united to protect themselves
http://www.merchant911.org
http://www.preventchargebacks.com
http://preventchargebacks.blogspot.com

From Dissent at pogowasright.org Thu Feb 8 14:13:16 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 08 Feb 2007 14:13:16 -0500
Subject: [Dataloss] [Follow-up] Vassar Brothers Medical Center
Message-ID: <7.0.0.16.2.20070208135545.02537360@nowhere.org>

In August 2006, DL reported that Vassar Brothers Medical Center had reported a stolen laptop containing PII on almost 260k patients.
Original story: http://attrition.org/dataloss/2006/08/vbmc01.html

Vassar Brothers issued two letters to patients following that breach:
http://www.poughkeepsiejournal.com/assets/pdf/BK3538482.PDF
http://www.poughkeepsiejournal.com/assets/pdf/BK6060427.PDF

Subsequently, Vassar Brothers retained Kroll to investigate the theft and missing data. They then issued a press release saying that based on Kroll's investigation of network server logs, the stolen laptop did not contain any identifying patient information.
The Poughkeepsie Journal has been all over this breach and just published two more articles today, which dispute some of VBMC's reported statements:

Official: Data installed as part of drills
http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/20070208/BUSINESS/70207069/1003

and:

Documents show patient data on stolen laptop
http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/20070208/BUSINESS/70207079

--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From Dissent at pogowasright.org Thu Feb 8 13:55:43 2007
From: Dissent at pogowasright.org (Dissent)
Date: Thu, 08 Feb 2007 13:55:43 -0500
Subject: [Dataloss] Laptop Stolen From Hospital Contains Sensitive Information
Message-ID: <7.0.0.16.2.20070208135356.02586d08@nowhere.org>

http://www.nbc4.com/news/10962978/detail.html

Hospital administrators at St. Mary's Hospital in Leonardtown, Md., are concerned about the recent theft of a laptop that contained identifying information.

Administrators said the laptop contained names, Social Security numbers and birthdates for many of the hospital's patients.

[...]
--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From cwalsh at cwalsh.org Thu Feb 8 14:32:18 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 8 Feb 2007 13:32:18 -0600
Subject: [Dataloss] [Follow-up] Vassar Brothers Medical Center
In-Reply-To: <7.0.0.16.2.20070208135545.02537360@nowhere.org>
References: <7.0.0.16.2.20070208135545.02537360@nowhere.org>
Message-ID: <20070208193208.GA1548@cwalsh.org>

Additionally -

Materials filed by VBMC with the NY State Consumer Protection Board and obtained via a freedom of information request are available at

http://www.cwalsh.org/BreachInfo/primary_sources/pdfs/VassarBros-20060625.PDF

On Thu, Feb 08, 2007 at 02:13:16PM -0500, Dissent wrote:
> In August 2006, DL reported that Vassar Brothers Medical Center had
> reported a stolen laptop containing PII on almost 260k patients.
> Original story: http://attrition.org/dataloss/2006/08/vbmc01.html
>
> Vassar Brothers issued two letters to patients following that breach:
> http://www.poughkeepsiejournal.com/assets/pdf/BK3538482.PDF
> http://www.poughkeepsiejournal.com/assets/pdf/BK6060427.PDF
>
> Subsequently, Vassar Brothers retained Kroll to investigate the theft
> and missing data. They then issued a press release saying that based
> on Kroll's investigation of network server logs, the stolen laptop
> did not contain any identifying patient information.
>
> The Poughkeepsie Journal has been all over this breach and just
> published two more articles today, which dispute some of VBMC's
> reported statements:
>
> Official: Data installed as part of drills
> http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/20070208/BUSINESS/70207069/1003
>
> and:
>
> Documents show patient data on stolen laptop
> http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/20070208/BUSINESS/70207079
>
> --
> Main site: http://www.pogowasright.org
> Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
> Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 566 incidents over 7 years.
>

From blitz at strikenet.kicks-ass.net Thu Feb 8 22:53:13 2007
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Thu, 08 Feb 2007 22:53:13 -0500
Subject: [Dataloss] [Follow-up] Vassar Brothers Medical Center
In-Reply-To: <7.0.0.16.2.20070208135545.02537360@nowhere.org>
References: <7.0.0.16.2.20070208135545.02537360@nowhere.org>
Message-ID: <7.0.1.0.2.20070208224606.04309db8@strikenet.kicks-ass.net>

I'm afraid we may be seeing the tip of a new trend. When a company realizes it's been breached, they merely hire an independent investigator to say they weren't, and buy a lot of insurance to cover it. If the incident "hasn't happened" then they should be able to still get enough insurance to CYA. In any case, I expect to see admissions mitigated a lot more frequently by similar dealings. Lie, CYA, and hope nothing comes of it. The majority apparently don't, so it's a gamble for them with odds on their side. Perhaps... Nothing less should be expected from corporations who, if they gave a damn, would have secured it properly in the first place. It's just more corporate sleight-of-hand. Grrr....
At 14:13 2/8/2007, Dissent wrote:
>In August 2006, DL reported that Vassar Brothers Medical Center had
>reported a stolen laptop containing PII on almost 260k patients.
>Original story: http://attrition.org/dataloss/2006/08/vbmc01.html
>
>Vassar Brothers issued two letters to patients following that breach:
>http://www.poughkeepsiejournal.com/assets/pdf/BK3538482.PDF
>http://www.poughkeepsiejournal.com/assets/pdf/BK6060427.PDF
>
>Subsequently, Vassar Brothers retained Kroll to investigate the theft
>and missing data. They then issued a press release saying that based
>on Kroll's investigation of network server logs, the stolen laptop
>did not contain any identifying patient information.
>
>The Poughkeepsie Journal has been all over this breach and just
>published two more articles today, which dispute some of VBMC's
>reported statements:
>
>Official: Data installed as part of drills
>http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/20070208/BUSINESS/70207069/1003
>
>and:
>
>Documents show patient data on stolen laptop
>http://www.poughkeepsiejournal.com/apps/pbcs.dll/article?AID=/20070208/BUSINESS/70207079
>
>--
>Main site: http://www.pogowasright.org
>Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
>Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss
>
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss
>Tracking more than 146 million compromised records in 566 incidents
>over 7 years.
From ADAIL at sunocoinc.com Fri Feb 9 10:47:15 2007
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Fri, 9 Feb 2007 10:47:15 -0500
Subject: [Dataloss] A Different Sort of Data Breach
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC7094D@mds3aex0e.USISUNOCOINC.com>

A prime example of social engineering.

February 09, 2007 (Computerworld) -- A Pennsylvania coroner has been charged with giving illegal access to a county 911 computer system to local newspaper reporters who then allegedly used his username and password to access a confidential law enforcement Web site for information for their news stories.

Lancaster County, Pa., coroner G. Gary Kirchner, 73, was charged Monday by the Pennsylvania attorney general's office in connection with the incidents, which allegedly occurred between 2004 and 2005.

"Publicizing confidential law enforcement information can compromise official investigations and jeopardize the safety of witnesses or citizens who file complaints," Attorney General Tom Corbett said in a statement. "Dr. Kirchner breached the security of the 911 Web site and violated the public trust in order to help a small group of reporters gain an edge over competing media outlets."

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010920&intsrc=hm_list
From cwalsh at cwalsh.org Fri Feb 9 11:55:44 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Fri, 9 Feb 2007 10:55:44 -0600
Subject: [Dataloss] A Different Sort of Data Breach
In-Reply-To: <8CA58E707BB1C44385FA71D02B7A1C8EC7094D@mds3aex0e.USISUNOCOINC.com>
References: <8CA58E707BB1C44385FA71D02B7A1C8EC7094D@mds3aex0e.USISUNOCOINC.com>
Message-ID: <20070209165540.GB9648@cwalsh.org>

Interesting that the coroner had access to the 911 site. It's not like he's a first responder (I hope!!).

From lyger at attrition.org Fri Feb 9 19:35:59 2007
From: lyger at attrition.org (lyger)
Date: Fri, 9 Feb 2007 19:35:59 -0500 (EST)
Subject: [Dataloss] ECU Mistakenly Posts Personal Info Online
Message-ID:

http://www.wral.com/news/local/story/1198897/

East Carolina University plans to notify about 65,000 students, alumni and staff members about a security breach that could put them at risk for identity theft.

A programming error on the school's OnePass Web site created files that made it possible for anyone to view personal information of thousands of students, former students and faculty members. The information included names, addresses, Social Security numbers and, in some cases, credit card numbers.

[...]

From sawaba at forced.attrition.org Sat Feb 10 00:15:09 2007
From: sawaba at forced.attrition.org (sawaba)
Date: Sat, 10 Feb 2007 00:15:09 -0500 (EST)
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
In-Reply-To:
References:
Message-ID:

Wow, I've done my share of forensic investigations, and for the FBI to make this kind of claim is more than a little embarrassing. I remember reading the story when it originally came out, rolling my eyes, and moving on.
Now that I take a closer look, it seems even more ridiculous, in part thanks to their official press release:
http://www.fbi.gov/pressrel/pressrel06/laptop071306.htm

Maybe I just haven't thought "deeply" enough about it, or the FBI has some special "tamper detection" device that they've kept secret. Otherwise, there is no middle ground. Either there was evidence that the drive was accessed after being stolen, or you just DON'T KNOW. There is no "highly confident" it was not compromised when it was gone for days, weeks or months. It is simply too easy to copy a drive or investigate it while mounted read-only.

Now, if they said that they believed it wasn't accessed based solely on investigative facts, it might have been plausible. But they didn't. They asked IBM for some magic pixie dust, sprinkled it on the laptop, and decided to say that the forensic examination helped give confidence that nothing was accessed.

I could go on and on, but this lays it out pretty well:
http://blog.zonelabs.com/blog/2006/06/forensics_looki.html

--Sawaba

P.S. - His "Worst Case Scenario" is quite likely if the criminals had any clue and knew how to use Google. The materials needed would have cost them nothing (or next to nothing if they bought latex gloves).

On Thu, 8 Feb 2007, lyger wrote:
>
> http://attrition.org/dataloss/forensics.html
>
> Wed Feb 07 21:55:51 EDT 2007
> Jericho and Lyger
>
> In May of 2006, the United States Department of Veterans Affairs publicly
> disclosed the fact that "Personal data on about 26.5 million U.S. military
> veterans was stolen from the residence of a Department of Veterans Affairs
> data analyst who improperly took the material home", prompting a mass
> concern that the information, if in the wrong hands, could have led to
> multiple cases of identity theft.
> At the very least, the fear that even a
> government entity could have let such sensitive data fall into the wrong
> hands led many to wonder about the data security of less protected
> sources. The additional fact that the breach wasn't disclosed for almost
> three weeks after the theft did little to initially ease those fears.
>
> Weeks later, the stolen laptop and hard drive were recovered from the back
> of a truck at a black market sale and sent to the United States Federal
> Bureau of Investigation for analysis. At the end of June 2006, the FBI
> issued a declaration that "the personal data on the hardware was not
> accessed by thieves" to which VA Secretary R. James Nicholson stated "This
> is a reason to be optimistic. It's a very positive note in this entire
> tragic event." The question that needs to be asked, however, is how could
> they be absolutely sure that the data wasn't accessed? Simply because the
> FBI said so?
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 562 incidents over 7 years.
>
>

From lyger at attrition.org Sat Feb 10 07:06:35 2007
From: lyger at attrition.org (lyger)
Date: Sat, 10 Feb 2007 07:06:35 -0500 (EST)
Subject: [Dataloss] IN: Hacker gets state credit card info
Message-ID:

http://www.fortwayne.com/mld/journalgazette/16667910.htm

State technology officials sent letters Friday to 5,600 people and businesses informing them that a hacker obtained thousands of credit card numbers from the state Web site.

Although numbers are usually encrypted or shortened to the last four digits, the Office of Technology conceded a technical error allowed the full credit card numbers to remain on the system and be viewed by the intruder.

"Like thousands of web sites, the state's web site is constantly under attack from hackers," the letter said. "To repel these attacks, the state has implemented the highest levels of security and submitted itself to regular independent audits to ensure that data is safeguarded".

[...]

From bkdelong at pobox.com Sat Feb 10 07:21:56 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Sat, 10 Feb 2007 07:21:56 -0500
Subject: [Dataloss] IN: Hacker gets state credit card info
In-Reply-To:
References:
Message-ID:

Another PCI DSS violation. It will be interesting to see if any action is taken. I believe most states qualify as Tier 1 merchants....

On 2/10/07, lyger wrote:
>
> http://www.fortwayne.com/mld/journalgazette/16667910.htm
>
> State technology officials sent letters Friday to 5,600 people and
> businesses informing them that a hacker obtained thousands of credit card
> numbers from the state Web site.
>
> Although numbers are usually encrypted or shortened to the last four
> digits, the Office of Technology conceded a technical error allowed the
> full credit card numbers to remain on the system and be viewed by the
> intruder.
>
> "Like thousands of web sites, the state's web site is constantly under
> attack from hackers," the letter said. "To repel these attacks, the state
> has implemented the highest levels of security and submitted itself to
> regular independent audits to ensure that data is safeguarded".
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 566 incidents over 7 years.
>
>

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From sbesser at gmail.com Sat Feb 10 07:32:01 2007
From: sbesser at gmail.com (Sharon Besser)
Date: Sat, 10 Feb 2007 04:32:01 -0800
Subject: [Dataloss] Social Security Numbers Exposed in CCSU Letters
Message-ID:

Over the past week approximately 750 CCSU students have received mail from the Bursar's office that revealed their social security numbers in the name and address window of the envelopes. The letters were folded incorrectly by a malfunctioning machine in the office.

http://clubs.ccsu.edu/recorder/news/news_item.asp?NewsID=175

The machine did it :-)
--
Sharon

From bkdelong at pobox.com Sat Feb 10 07:42:46 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Sat, 10 Feb 2007 07:42:46 -0500
Subject: [Dataloss] IN: Hacker gets state credit card info
In-Reply-To:
References:
Message-ID:

Which reminds me - I'm going to be my annoying self and suggest we start tracking confirmed compliance violations. We know TJX violated PCI and the Indiana case certainly does. It would be interesting to also note if action is taken since there is an increasing realization that compliance laws and standards aren't really being enforced - much to the frustration of companies spending thousands to millions of dollars on meeting these laws/standards.

On 2/10/07, B.K. DeLong wrote:
> Another PCI DSS violation. It will be interesting to see if any action
> is taken. I believe most states qualify as Tier 1 merchants....
>
> On 2/10/07, lyger wrote:
> >
> > http://www.fortwayne.com/mld/journalgazette/16667910.htm
> >
> > State technology officials sent letters Friday to 5,600 people and
> > businesses informing them that a hacker obtained thousands of credit card
> > numbers from the state Web site.
> >
> > Although numbers are usually encrypted or shortened to the last four
> > digits, the Office of Technology conceded a technical error allowed the
> > full credit card numbers to remain on the system and be viewed by the
> > intruder.
> >
> > "Like thousands of web sites, the state's web site is constantly under
> > attack from hackers," the letter said. "To repel these attacks, the state
> > has implemented the highest levels of security and submitted itself to
> > regular independent audits to ensure that data is safeguarded".
> >
> > [...]
> > _______________________________________________
> > Dataloss Mailing List (dataloss at attrition.org)
> > http://attrition.org/dataloss
> > Tracking more than 146 million compromised records in 566 incidents over 7 years.
> >
> >
>
>
> --
> B.K. DeLong (K3GRN)
> bkdelong at pobox.com
> +1.617.797.8471
>
> http://www.wkdelong.org Son.
> http://www.ianetsec.com Work.
> http://www.bostonredcross.org Volunteer.
> http://www.carolingia.eastkingdom.org Service.
> http://bkdelong.livejournal.com Play.
>
>
> PGP Fingerprint:
> 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
>
> FOAF:
> http://foaf.brain-stream.org
>

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From bkdelong at pobox.com Sat Feb 10 07:56:09 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Sat, 10 Feb 2007 07:56:09 -0500
Subject: [Dataloss] Social Security Numbers Exposed in CCSU Letters
In-Reply-To:
References:
Message-ID:

Yes but it's amazing how a little due diligence could have prevented this "breach". I mean, with 750 physical letters going out...someone should have noticed.
Of course, FERPA violations have no teeth as we don't hear about colleges and universities losing Federal funding. So, per usual, it's left to Civil Action to force penalization. Educational institutions don't seem to be as affected by "loss of reputation" when these things happen.

On 2/10/07, Sharon Besser wrote:
>
> Over the past week approximately 750 CCSU students have received mail from
> the Bursar's office that revealed their social security numbers in the name
> and address window of the envelopes. The letters were folded incorrectly by
> a malfunctioning machine in the office.
>
> http://clubs.ccsu.edu/recorder/news/news_item.asp?NewsID=175
>
> The machine did it :-)
> --
> Sharon
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 566 incidents over 7
> years.
>
>
>

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From Dissent at pogowasright.org Sat Feb 10 08:51:20 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 10 Feb 2007 08:51:20 -0500
Subject: [Dataloss] Social Security Numbers Exposed in CCSU Letters
In-Reply-To:
References:
Message-ID: <7.0.0.16.2.20070210083414.02502b38@cotse.net>

FERPA "lacks teeth," in part, because SCOTUS held that there is no individual right to enforcement under its provisions (Gonzaga University v. Doe). Furthermore, the US DOE shifted years ago from monitoring and enforcement to an "assistance" mode. They did that because they failed utterly at monitoring and enforcement (cf, monitoring and compliance reports between OSEP and NYSED in the '90's).
Although the DOE/OCR does occasionally threaten to cut off federal funding to state education departments, they are not likely to do that, and certainly not for anything like failure to protect privacy. To the contrary, there was a threatened cutoff if schools didn't allow military recruiters access to student information, pursuant to the provisions of NCLB (20 U.S.C. § 7908). Nice, huh -- they won't cut off funds if the school violates or breaches student privacy, but would cut off funds if the schools refuse to make student information available to the military recruiters (as well as businesses and post-secondary institutions).

I haven't yet gone through the new Leahy-Specter bill proposed in Congress, but I had a conversation with one of Senator Feinstein's staffers this week about how her proposal (S. 239) relates to students and educational institutions. One of their lawyers got back to me to clarify the bill's application to unis. Basically, any uni that orders anything from out of state would be considered to be engaged in "interstate commerce" and would therefore be covered by the notification requirements and provisions of S.239, subject to the same exemptions as businesses and agencies -- i.e., the risk assessment exemption, etc. His (counsel's) position was that although FERPA would continue to permit unis to voluntarily publish and share "directory information" on students under the provisions and restrictions of FERPA (e.g., name, address, phone number, date of birth, other details), if those very same data were involved in a security breach, the uni would be responsible for notification, etc., subject to the same exemption provisions as businesses and other covered entities. Under S.239's provisions, there is no need for the compromised records to include SSN or financial details -- even "just" name, address, and full date of birth would trigger the notification requirements.

And no, I'm not saying I support S. 239.
But you're right in that the reputation of a uni is not tied to or really affected by its data security record. And I can't imagine Peterson's adding that type of info to their guide.

/Dissent

At 07:56 AM 2/10/2007, B.K. DeLong wrote:
>
>Of course, FERPA violations have no teeth as we don't hear about
>colleges and universities losing Federal funding. So, per usual, it's
>left to Civil Action to force penalization. Educational institutions
>don't seem to be as affected by "loss of reputation" when these things
>happen.
>

From Dissent at pogowasright.org Sat Feb 10 12:49:36 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 10 Feb 2007 12:49:36 -0500
Subject: [Dataloss] Radford U. Waldron School of Health and Human Services
Message-ID: <7.0.0.16.2.20070210124512.02555608@nowhere.org>

http://www.wsls.com/servlet/Satellite?pagename=WSLS%2FMGArticle%2FSLS_BasicArticle&c=MGArticle&cid=1149193124169&path=!news!localnews

Some local parents are wondering why Radford University is sending them letters. Jennifer Jarels got two letters, one for each of her sons, ages 2 and 4. They are obviously not students at Radford University. But Jarels received two of 2400 letters warning of a security breach of a computer containing Social Security numbers and birthdates at RU's Waldron School of Health and Human Services.

[...]

Radford spokesman Rob Tucker said a virus put the information at risk. He said most of the 2400 identities were not RU students but declined to tell who they were or why their information was on an RU computer. Despite that, NewsChannel 10 found a link between RU and the kids. All the parents we talked to gave their child's personal information when enrolling them in "FAMIS": Family Access to Medical Insurance Security.
According to Craig Markva, Director of Communication for Virginia's Department of Medical Assistance Services, Radford University previously had a privately funded outreach grant to promote the program and assist families to enroll in FAMIS and the children's Medicaid program. Markva said DMAS was unaware of any security breach.

[...]

--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From Dissent at pogowasright.org Sat Feb 10 17:08:56 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 10 Feb 2007 17:08:56 -0500
Subject: [Dataloss] UK Department for Work and Pensions
Message-ID: <7.0.0.16.2.20070210170531.024fb388@nowhere.org>

http://news.bbc.co.uk/2/hi/uk_news/6349041.stm

Ministers have apologised for a mix-up which led to bank and personal details of thousands of pensioners being sent to the wrong addresses. The Department for Work and Pensions (DWP) said it would try to trace all of those affected - as many as 26,000.

[...]

A DWP spokeswoman said the letters, which were first received on Wednesday, were to inform customers what their weekly pension payments next year would be. "Some of those customers received letters intended for someone else in that mailing," she said.

[...]

--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From Dissent at pogowasright.org Sun Feb 11 14:50:35 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sun, 11 Feb 2007 14:50:35 -0500
Subject: [Dataloss] D.C. Metropolitan Police Department
Message-ID: <7.0.0.16.2.20070211144910.024dc180@nowhere.org>

http://www.nbc4.com/news/10983140/detail.html

Personal information has been accidentally released about some D.C. police officers, including their Social Security numbers. A letter has gone out from the D.C.
Chief Financial Officer to notify nearly 2,000 members of the Metropolitan Police Department who may be affected. It said the information was inadvertently released to two Advisory Neighborhood Commission officials who had requested information about police overtime.

The letter said officials are taking the issue seriously but believe the risk of identity theft or other problems is minimal. It said the Social Security numbers have been erased from the computers of those who were given the information.

Still, police union officials said the release of personal data is troubling. They want the city to make sure it doesn't happen again. The city is offering a year of free credit monitoring for those who were affected.

From lyger at attrition.org Sun Feb 11 15:54:56 2007
From: lyger at attrition.org (lyger)
Date: Sun, 11 Feb 2007 15:54:56 -0500 (EST)
Subject: [Dataloss] (Commentary) Has "data loss" jumped the shark?
Message-ID:

For those of you not familiar with the term in the subject, it harkens back to an old episode of "Happy Days" where Fonzie revs up his motorcycle and literally "jumps a shark". Some would argue that from that point on, "Happy Days" was never the same again; it reached its peak and from there, it went all downhill.

http://www.jumptheshark.com/

Looking at Attrition's Data Loss web page and Data Loss Database (DLDOS), I can't help but think of all of the time and research spent on chronicling these events. 26 million here, 72 there, a couple thousand here and there. This month (February 2007) alone, the web page and database have already been updated 17 times... and it's only the 11th of the month. Other than for hardcore privacy advocates and those who make their living in the security, identity theft prevention, or risk management arenas, is it even news anymore? Is data loss really still worthy of front-page news headlines, or has it become so commonplace that it should be expected as much as we expect the sun to rise in the morning?
Regarding data loss issues, TJX has probably been the biggest story of the year thus far. Even so, the company itself flat out refuses to give any totals of the number of people impacted. Why should they? It would just mean "YANS" (yet another news story) for them to provide information, field phone calls, and do even more damage control for an already complicated situation. If they keep quiet and don't disclose, their "story" will eventually "jump the shark", become old news, and fade away.

At what point will most people see "YANS" in their newspaper or on the internet and just turn the page or click another link? At what point does this become an issue where most people will simply say "so what?".

From Dissent at pogowasright.org Sun Feb 11 20:01:49 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sun, 11 Feb 2007 20:01:49 -0500
Subject: [Dataloss] [update] VA Missing Hard Drive in Birmingham, Ala.
Message-ID: <7.0.0.16.2.20070211195828.02648e58@nowhere.org>

http://www.myfoxal.com/myfox/pages/News/Detail?contentId=2348926&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1

The Department of Veterans Affairs (VA) on Sunday issued an update on the information potentially contained on a missing government-owned, portable hard drive used by a VA employee at a Department facility in Birmingham, Ala.

[...]

VA and VA's Office of Inspector General have learned that data files the employee was working with may have included sensitive VA-related information on approximately 535,000 individuals. The investigation has also determined that information on approximately 1.3 million non-VA physicians -- both living and deceased -- could have been stored on the missing hard drive. It is believed though, that most of the physician information is readily available to the public. Some of the files, however, may contain sensitive information.

VA continues to examine data on the employee's work computer.
The employee has been placed on administrative leave pending the outcome of the investigation. VA has no information the data has been misused. Birmingham Update 2/2/2/2

[...]

Next week, VA will begin making notifications to individuals whose sensitive information may have been on the hard drive. VA is also making arrangements to provide one year of free credit monitoring to those whose information proves compromised.

[...]

On January 22, the employee, who works at the Birmingham (Ala.) VA Medical Center, reported the external hard drive was missing. On January 23, VA's IG was notified. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.

[...]

--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From lyger at attrition.org Sun Feb 11 20:20:51 2007
From: lyger at attrition.org (lyger)
Date: Sun, 11 Feb 2007 20:20:51 -0500 (EST)
Subject: [Dataloss] [update] VA Missing Hard Drive in Birmingham, Ala.
In-Reply-To: <7.0.0.16.2.20070211195828.02648e58@nowhere.org>
References: <7.0.0.16.2.20070211195828.02648e58@nowhere.org>
Message-ID:

which means all of you "research specialists" need to figure out if this was 48000, 535,000, 1.3 million, 583,000, 1.835 million, or 2.315 million affected!

anyone want to buy the Data Loss Database on Ebay? Starting bid = $1 U.S. ;)

On Sun, 11 Feb 2007, Dissent wrote:
": " http://www.myfoxal.com/myfox/pages/News/Detail?contentId=2348926&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1
": "
": " The Department of Veterans Affairs (VA) on Sunday issued an update on
": " the information potentially contained on a missing government-owned,
": " portable hard drive used by a VA employee at a Department facility in
": " Birmingham, Ala.
": "
": " [...]
": "
": " VA and VA's Office of Inspector General have learned that data files
": " the employee was working with may have included sensitive VA-related
": " information on approximately 535,000 individuals. The investigation
": " has also determined that information on approximately 1.3 million
": " non-VA physicians -- both living and deceased -- could have been stored
": " on the missing hard drive. It is believed though, that most of the
": " physician information is readily available to the public. Some of the
": " files, however, may contain sensitive information.
": "
": " VA continues to examine data on the employee's work computer. The
": " employee has been placed on administrative leave pending the outcome
": " of the investigation. VA has no information the data has been
": " misused. Birmingham Update
": " 2/2/2/2

From sawaba at forced.attrition.org Mon Feb 12 00:08:49 2007
From: sawaba at forced.attrition.org (sawaba)
Date: Mon, 12 Feb 2007 00:08:49 -0500 (EST)
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
In-Reply-To: <7.0.1.0.2.20070210220434.04333010@strikenet.kicks-ass.net>
References: <7.0.1.0.2.20070210220434.04333010@strikenet.kicks-ass.net>
Message-ID:

You don't even have to mess with mirroring it. You can create a Linux boot disk, specifically set up with scripts that search for juicy data, and then upload them to your server over Wi-Fi. On a fairly new laptop, you should have data (if there's any data to be had) within 30 minutes. You'll be done in an hour or two unless there is a huge amount of data you want to grab. And because you are mounting the Fat32 or NTFS volume read-only, no dates (or any other data for that matter) are changed. Ta-da, look ma, no one touched it.

--Sawaba

On Sat, 10 Feb 2007, blitz wrote:
> How much trouble to set the date and time before the copy as well? and then
> back?
> Love USB 2.0....
> As you and I know, mirroring the drive makes no changes to it.
> I think they're blowing smoke out their posterior porthole, HOPING it wasn't accessed. Sure the screws weren't tampered with....right...ever seen a nylon screwdriver? I've got a toolbox with perhaps a dozen, regular, Phillips and Roberts.
>
> At 00:15 2/10/2007, you wrote:
>> Wow, I've done my share of forensic investigations, and for the FBI to make this kind of claim is more than a little embarrassing. I remember reading the story when it originally came out, rolling my eyes, and moving on.
>>
>> Now that I take a closer look, it seems even more ridiculous, in part thanks to their official press release:
>> http://www.fbi.gov/pressrel/pressrel06/laptop071306.htm
> --snip

From mhozven at tealeaf.com Mon Feb 12 01:27:33 2007
From: mhozven at tealeaf.com (Max Hozven)
Date: Sun, 11 Feb 2007 22:27:33 -0800
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
Message-ID: <771A26039D33ED489E23D9614DE630DD04C4C6BA@SFMAIL02.tealeaf.com>

Or boot up on a Symantec Ghost boot disk, then blast the data over to a network drive or a connected USB drive.

-Max

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of sawaba
Sent: Sunday, February 11, 2007 9:09 PM
To: blitz
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] (article) "We recovered the laptop!" ... so what?

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 146 million compromised records in 570 incidents over 7 years.

From bkdelong at pobox.com Mon Feb 12 08:57:54 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Mon, 12 Feb 2007 08:57:54 -0500
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
In-Reply-To: <771A26039D33ED489E23D9614DE630DD04C4C6BA@SFMAIL02.tealeaf.com>
References: <771A26039D33ED489E23D9614DE630DD04C4C6BA@SFMAIL02.tealeaf.com>
Message-ID:

We should come up with a canned response to send spokespeople anytime they're quoted in an article as saying the laptop was recovered and "it appeared none of the data was affected".

On 2/12/07, Max Hozven wrote:
> Or boot up on a Symantec Ghost boot disk, then blast the data over to a
> network drive or a connected USB drive.
> --snip

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

From hroggero at pynlogic.com Mon Feb 12 08:54:07 2007
From: hroggero at pynlogic.com (Herve Roggero)
Date: Mon, 12 Feb 2007 08:54:07 -0500
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
Message-ID:

Hi everyone

This thread is very interesting. All techniques so far deal with reading data at a low level. Will Windows Vista prevent techniques such as Symantec Ghost? I understand that Vista performs bit-level encryption with its BitLocker technology.

Thanks.

Herve Roggero
Managing Partner
Pyn Logic LLC
Visit www.pynlogic.com

-----Original Message-----
From: "Max Hozven"
To: "sawaba" ; "blitz"
Cc: dataloss at attrition.org
Sent: 2/12/07 1:27 AM
Subject: Re: [Dataloss] (article) "We recovered the laptop!" ... so what?

Or boot up on a Symantec Ghost boot disk, then blast the data over to a network drive or a connected USB drive.
-Max

From ADAIL at sunocoinc.com Mon Feb 12 10:23:07 2007
From: ADAIL at sunocoinc.com (DAIL, ANDY)
Date: Mon, 12 Feb 2007 10:23:07 -0500
Subject: [Dataloss] IN: Hacker gets state credit card info
Message-ID: <8CA58E707BB1C44385FA71D02B7A1C8EC70955@mds3aex0e.USISUNOCOINC.com>

I seriously doubt that Visa, MasterCard, or any other issuer would be insane enough to issue a fine to a state government. The state can easily legislate around any attempt by an issuer to fine them, and can even reverse the situation if they choose, and back up their threats with the State's monopoly on violence. I suspect, in the case of State entities, they'll just quietly try to correct the problem and everyone (except the data loss victims) will be happy.

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of B.K. DeLong
Sent: Saturday, February 10, 2007 6:43 AM
To: lyger
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] IN: Hacker gets state credit card info

Which reminds me - I'm going to be my annoying self and suggest we start tracking confirmed compliance violations. We know TJX violated PCI and the Indiana case certainly does.
It would be interesting to also note if action is taken since there is an increasing realization that compliance laws and standards aren't really being enforced - much to the frustration of companies spending thousands to millions of dollars on meeting these laws/standards.

On 2/10/07, B.K. DeLong wrote:
> Another PCI DSS violation. It will be interesting to see if any action
> is taken. I believe most states qualify as Tier 1 merchants....
>
> On 2/10/07, lyger wrote:
> >
> > http://www.fortwayne.com/mld/journalgazette/16667910.htm
> >
> > State technology officials sent letters Friday to 5,600 people and
> > businesses informing them that a hacker obtained thousands of credit
> > card numbers from the state Web site.
> >
> > Although numbers are usually encrypted or shortened to the last four
> > digits, the Office of Technology conceded a technical error allowed
> > the full credit card numbers to remain on the system and be viewed
> > by the intruder.
> >
> > "Like thousands of web sites, the state's web site is constantly
> > under attack from hackers," the letter said. "To repel these
> > attacks, the state has implemented the highest levels of security
> > and submitted itself to regular independent audits to ensure that
> > data is safeguarded".
> >
> > [...]

From macwheel99 at sigecom.net Mon Feb 12 10:31:24 2007
From: macwheel99 at sigecom.net (Al Mac)
Date: Mon, 12 Feb 2007 09:31:24 -0600
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
In-Reply-To:
References:
Message-ID: <6.2.1.2.0.20070212092605.02a18440@mail.sigecom.net>

Other operating systems have parallel concerns.

I work with midrange systems that track the last date time stamp that stuff got backed up, but the system date can be changed. So we look at the data ... see that the last backup was Feb-9, onto a tape whose volume-id was IBM123, change the system date to Feb-9, make a tape with volume-id of IBM123 and do another backup. The data says the last backup was Feb-9 on volume-id IBM123, which is the same thing it said before, but now we have an extra copy of all the data. However, someone who knows where to look can find the log of the time stamp being altered.

>Hi everyone
>
>This thread is very interesting. All techniques so far deal with reading
>data at a low level.
>Will Windows Vista prevent techniques such as
>Symantec Ghost? I understand that Vista performs bit-level encryption with
>its BitLocker technology.
>
>Thanks.
>
>Herve Roggero

From mhozven at tealeaf.com Mon Feb 12 15:06:18 2007
From: mhozven at tealeaf.com (Max Hozven)
Date: Mon, 12 Feb 2007 12:06:18 -0800
Subject: [Dataloss] Lost F.B.I. Laptops Still a Problem, Inspector Says
Message-ID: <771A26039D33ED489E23D9614DE630DD04CBFBF6@SFMAIL02.tealeaf.com>

http://www.nytimes.com/aponline/us/AP-FBI-Laptops.html?hp&ex=1171342800&en=a17b6916b0b00b81&ei=5094&partner=homepage

Lost F.B.I. Laptops Still a Problem, Inspector Says

By THE ASSOCIATED PRESS
Published: February 12, 2007
Filed at 11:57 a.m. ET

WASHINGTON (AP) -- Between three and four FBI laptop computers are lost or stolen each month on average and the agency is unable to say in many instances whether information on the machines is sensitive or classified, the Justice Department's inspector general said Monday.

The inspector general said the FBI is doing a better job of reducing the number of thefts and disappearances of weapons and laptop computers, but that not all problems were corrected as urged in a report five years ago.

"Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information," said the report. "Such information may include case information, personal identifying information, or classified information on FBI operations."

In a report five years ago, the inspector general said 354 weapons and 317 laptop computers were lost or stolen during a 28-month review. The new report found that 160 weapons and 160 laptop computers were lost or stolen over a 44-month period.

The FBI said it was preparing a response to the report.
From rforno at infowarrior.org Mon Feb 12 15:50:37 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Mon, 12 Feb 2007 15:50:37 -0500
Subject: [Dataloss] House Delivers Package of Privacy Bills
Message-ID:

House Delivers Package of Privacy Bills
From Internet News, February 9, 2007
By Roy Mark
http://www.freepress.net/news/21007

Members of the U.S. House Energy and Commerce Committee introduced a package of bills Thursday evening aimed at identity theft, pretexting, data security and breach notifications.

Included in the four pieces of legislation is Rep. Mary Bono's (D-Calif.) Securely Protect Yourself Against Cyber Trespass Act (SPY Act), which has twice passed the House and twice failed to interest the U.S. Senate. The bill calls for consumer notification of any software downloaded to a computer.

Commerce Committee Chairman John Dingell (D-Mich.) and Rep. Joe Barton (R-Texas), the former chairman of the committee, also introduced the Prevention of Fraudulent Access to Phone Records Act, which would impose restrictions on telephone carriers' use of confidential consumer information and increase penalties for pretexting.

The two other bills in the package include legislation by Rep. Ed Markey (D-Mass.) to limit the sale and purchase of Social Security numbers and a bill sponsored by Reps. Bobby Rush (D-Ill.) and Cliff Stearns (R-Fla.) to require notification to consumers of data breaches.

"Data breaches continue at a rapid pace and constitute a major threat to consumers," said Rush. "We must pass comprehensive data security legislation this year."

Data breach notification bills in both the House and Senate failed in the 109th Congress largely because of jurisdictional disputes between various committees. Lawmakers also struggled with the trigger mechanisms for breach notification. Some favored notification when a "significant"
risk of potential identity theft exists while others supported a "reasonable" risk standard. Still other disputes over notification emerged over whether companies encrypting data would be exempt from disclosure laws.

"We will work cooperatively with other committees to resolve jurisdictional issues and with stakeholders to resolve policy issues," Dingell said. "The American public is owed no less than the full measure of our combined best efforts. These bills address serious problems that are not going away and only worsen while the Congress dithers."

According to Dingell, the four bills will be considered individually and "expeditiously" moved to the House floor for full votes. Dingell said the legislation was timed to promote National Consumer Protection Week, which began Feb. 4 and concludes Feb. 10.

"National Consumer Protection Week is a fitting time to make a serious down payment on resolving the scourge of identity theft and related abuse," Dingell said in a statement.

The bills represent the first tech-related bills to be introduced by members of the House committee. Democrats in the Senate have already introduced many similar measures. Nevertheless, the bills, in both chambers, are likely to run into opposition from data brokers, telephone carriers and even other lawmakers.

Congress, for instance, has already passed legislation and President Bush signed into law last year the Telephone Records and Privacy Protection Act targeting pretexters and the Internet sites that sell the telephone records. Dingell and Barton's new bill aims at carriers' protection procedures against pretexting, a measure opposed by the carriers. Federal Communications Commission Chairman Kevin Martin said he plans to attack the problem through the agency's existing regulatory authority over telephone carriers.

This article is from Internet News.
From Dissent at pogowasright.org Mon Feb 12 19:58:41 2007
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 12 Feb 2007 19:58:41 -0500
Subject: [Dataloss] [update] Birmingham VA laptop
Message-ID: <7.0.0.16.2.20070212195432.02592670@nowhere.org>

http://www.kansas.com/mld/kansas/news/16683496.htm

The Department of Veterans Affairs began notifying 1.8 million veterans and doctors Monday that their personal and business information could be on a portable hard drive that has been missing from an Alabama hospital for nearly three weeks.

[...]

[U.S. Rep. Artur Davis] said the department told him that the missing storage unit included the Social Security numbers and names of about 10,000 people, plus another 525,000 Social Security numbers. The information on doctors includes names and Medicare billing codes, he said.

[...]

Also: http://www.govexec.com/dailyfed/0207/021207p1.htm

[...]

The data for the 1.3 million physicians who have billed Medicaid and Medicare, both living and deceased, could result in widespread fraud, such as the creation of fake Medicare and Medicaid invoices. There are 902,053 physicians in the United States, according to the American Medical Association. According to congressional sources, personal information on patients and medical data were kept in separate files, but there is enough information that files could be linked.

[...]

From blitz at strikenet.kicks-ass.net Mon Feb 12 20:13:53 2007
From: blitz at strikenet.kicks-ass.net (blitz)
Date: Mon, 12 Feb 2007 20:13:53 -0500
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
In-Reply-To:
References:
Message-ID: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net>

Ok, so you've got a copy of an encrypted disk to crack at your leisure.
The data is still compromised and in someone else's hands, and they have no idea if it's secure or not. That still counts as a loss in my book.

At 08:54 2/12/2007, you wrote:
>Hi everyone
>
>This thread is very interesting. All techniques so far deal with
>reading data at a low level. Will Windows Vista prevent techniques
>such as Symantec Ghost? I understand that Vista performs bit-level
>encryption with its BitLocker technology.
>
>Thanks.
>
>Herve Roggero
>Managing Partner
>Pyn Logic LLC
>Visit www.pynlogic.com

From hroggero at pynlogic.com Tue Feb 13 07:34:43 2007
From: hroggero at pynlogic.com (Herve Roggero)
Date: Tue, 13 Feb 2007 07:34:43 -0500
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
In-Reply-To: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net>
Message-ID: <000301c74f6b$56f043b0$2c0aa8c0@HPLAPTOP>

Yes, I don't disagree. But isn't this legally different? Would this change my disclosure requirement? Let me give an example: If I do business in California, and my unencrypted laptop gets stolen with 100,000 SSNs in it, stored in clear text, I need to disclose this loss and reach out to 100,000 people to comply with SB 1386. Now, if I upgrade my laptops to MS Vista, can I get away with it? I'm only asking as I am seeing an interesting response from CXO individuals looking at MS Vista as a solution to their laptop/legal issues. If there is no official technical workaround to this encryption and it takes thousands or millions of years to crack, then it may fall under the "reasonable" steps to protect information and become a powerful tool for businesses looking to comply.
Thank you

Herve Roggero
Managing Partner, Pyn Logic LLC
Cell: 561 236 2025
Visit www.pynlogic.com

_____
From: blitz [mailto:blitz at strikenet.kicks-ass.net]
Sent: Monday, February 12, 2007 8:14 PM
To: Herve Roggero
Cc: dataloss at attrition.org
Subject: RE: [Dataloss] (article) "We recovered the laptop!" ... so what?

From Dissent at pogowasright.org Tue Feb 13 08:19:27 2007
From: Dissent at pogowasright.org (Dissent)
Date: Tue, 13 Feb 2007 08:19:27 -0500
Subject: [Dataloss] [update] St. Mary's Hospital
Message-ID: <7.0.0.16.2.20070213081359.0248ab88@nowhere.org>

Updates the number of individuals affected and type of info compromised....

http://www.baltimoresun.com/news/local/bal-te.md.identity13feb13,0,5907611.story?coll=bal-local-headlines

A second Maryland hospital has reported losing sensitive computerized data on tens of thousands of patients, raising another alarm about how consumer information is protected.

Up to 130,000 former and current patients at St. Mary's Hospital in Leonardtown have recently been notified that a laptop with personal information was stolen from the hospital in December. Just last week, Johns Hopkins officials reported the loss of thousands of employee and patient records.

Last seen Dec. 5 in St.
Mary's emergency care center, the computer included the names, Social Security numbers and birth dates of patients who had been treated as long ago as 1989, said Christine Wray, the hospital's president and chief executive officer. The data did not include anyone's medical or financial information, but it also was not encrypted, so anyone can read it, she said.

The laptop, used to register patients as they came in for treatment, was taken from a treatment area that the public could generally access without a security check.

The hospital has contracted with National ID Recovery of Norcross, Ga., a firm that specializes in identity theft cases, to help patients keep track of their personal information such as credit card usage patterns, she said. The service will be free to patients, and the hospital is paying the firm up to $425,000, she said.

[...]

St. Mary's Hospital was under no legal obligation to disclose the laptop theft, because no medical records were stolen, Wray said. But she and others on the hospital's staff felt it was necessary to give those potentially affected the chance to begin tracking their credit records and other personal information.

[...]

From jericho at attrition.org Tue Feb 13 08:50:08 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 13 Feb 2007 08:50:08 -0500 (EST)
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
In-Reply-To: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net>
References: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net>
Message-ID:

For the sake of argument, I'll disagree here.

: Ok, so you've got a copy of an encrypted disk to crack at your leisure.
: The data is still compromised and in someone else's hands, and they have
: no idea if it's secure or not.
: That still counts as a loss in my book.

My work laptop has PGP desktop installed. A multi-gig partition is set up using PGP for protection, and upon every bootup it requires I enter my passphrase (more than thirty characters, using mixed case and special characters). If the machine is powered off or rebooted, you must enter this password to get access to my e-mail, client information or anything else work related.

As far as I can tell, unless you grab my laptop while it is powered on, the data on it is relatively secure. There may be some residual information in the browser history/cache, but it will be specific to my company, not my company's clients.

That said, can you describe a scenario other than what I described above as a viable way to get to the client data on my laptop? Other than snatching it while the power is on and copying the data off, which would be a huge warning flag to me to report said data as compromised, how could an attacker realistically get to the data?

Jericho

From rforno at infowarrior.org Tue Feb 13 09:00:43 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 13 Feb 2007 09:00:43 -0500
Subject: [Dataloss] Congress Seeks 'Bite' For Privacy Watchdog
Message-ID:

Congress Seeks 'Bite' For Privacy Watchdog
By Ellen Nakashima
Washington Post Staff Writer
Tuesday, February 13, 2007; D01
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/12/AR2007021201430_pf.html

Key lawmakers want to replace a White House privacy and civil liberties board created by Congress in 2004 with one that is more independent of the president.

The idea is to make the board more like the one envisioned by the bipartisan 9/11 Commission. As the commission's vice chairman, Lee H. Hamilton, said yesterday: "We felt that you had to have a voice within the executive branch that reached across all of the departments of government with strong powers to protect our civil liberties."
But the five-member Privacy and Civil Liberties Oversight Board is resisting proposals that would dramatically change its composition and powers. The battle is another sign of the changed political landscape, with the Democratic-controlled Congress pushing for stronger oversight of the Bush administration's counterterrorism programs. "In 2004, the Senate endorsed the idea of a strong privacy and civil liberties watchdog to keep vigil as the government launched a full-bore effort to make the nation safe from terrorists," said Sen. Joseph I. Lieberman (I-Conn.), the chairman of the Homeland Security and Governmental Affairs Committee who caucuses with the Democrats. "Congress passed a weak proposal. Now we are back to make sure the watchdog has both a bark and a bite." House Democrats see the board, which took office only last March after a series of delays, as too beholden to President Bush, who selects the members. Despite its position, the board has had to wait months before receiving briefings on sensitive administration programs, and then only with permission from the White House counsel's office. "Since its inception, the administration has failed to properly fund the board, and quite frankly, there have been no visible results of its existence," said Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee. Separate House and Senate measures would require that the entire board be confirmed by the Senate -- now it is only the chairman and vice chairman -- and that no more than three members be from one party. The House provision would remove the board from the Executive Office of the President but keep it within the executive branch and give it subpoena power, as recommended by the 9/11 Commission. The Senate version would keep the board within the executive office and allow it to ask the attorney general to issue subpoenas. Congress would have to be notified if a subpoena request were denied or modified. 
Two board members, however, including the lone Democrat, said the board would lose its effectiveness if it were outside the executive office and had "adversarial powers" such as subpoenas. Vice Chairman Alan Charles Raul said he wanted an environment in which agencies initiated contacts with the board to review programs with civil liberties implications -- before there is a controversy. "It's almost unreasonable to think that an agency is going to reach out at a very early stage to a body that by design, by mind-set and by reporting channels, is outside the president's supervision, even if they're technically within the executive branch," Raul said yesterday. Lanny J. Davis, who served as special counsel to President Bill Clinton, agreed. At the same time, he said, "The board needs a clearer mandate to be able to speak independently and to have full and complete access to all programs affecting privacy and civil liberties, both evolving as well as those in place." The board has asked Bush to issue a directive to all executive agencies that will spell out its mandate to ensure that it is involved in the development of programs that affect privacy and civil liberties. White House spokeswoman Dana Perino yesterday declined to comment specifically on that request, saying that there have been "internal discussions about any possible refinements that could be made" to make the board more effective. The board has held only one public forum, in December at Georgetown University, where the public was given an opportunity to express its concerns. The board's first report to Congress is to be presented in March. In November, board members said they had been briefed by the National Security Agency on its warrantless wiretapping program and that they were impressed by the protections, but failed to provide specifics. 
The board paid a return visit to the NSA two weeks ago and observed the surveillance program, which monitors people, including some in the United States, who have links to al-Qaeda. This is done under the supervision of a secret court that administers the Foreign Intelligence Surveillance Act (FISA). Raul and Davis said they were "more reassured" after the second briefing that the program had taken into account civil liberties and privacy protections. They said the agency had "multiple layers" of review, including audit trails to track whoever has access to the data. If information appears that is not related to counterterrorism, it is not shared with other agencies, Raul said. On that visit, Raul also reviewed the secret court orders governing the spying program that were issued Jan. 10 and supporting material submitted by the Justice Department. "The surveillance under the program is very highly regimented and justified both internally within the agency and now externally to the FISA court," he said. He declined to provide more detail on the orders. That hurts the board's credibility, said Marc Rotenberg, executive director of the Electronic Privacy Information Center, an advocacy group. "They have to do something more than say 'trust us,' " he said. "This goes to the objection that many people have had about an oversight board based in the executive branch." Thomas H. Kean, chairman of the 9/11 Commission, said he supported the legislation to make the board more independent, which includes reporting twice a year to Congress. "The civil liberties board has got to alert us on the questions involving our civil liberties," he said. "What hasn't been done yet is to make sure that it's in the executive branch as a totally independent agency." From cwalsh at cwalsh.org Tue Feb 13 10:49:17 2007 From: cwalsh at cwalsh.org (Chris Walsh) Date: Tue, 13 Feb 2007 09:49:17 -0600 Subject: [Dataloss] (article) "We recovered the laptop!" ... so what? 
In-Reply-To: References: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net> Message-ID: <5A7FE679-34FE-4333-AEC8-D61C69F02358@cwalsh.org> The laptop and the passphrase are in the same laptop bag, which is stolen. Game Over. That is why a good law will require that the key not be lost, and (more generally) will set a key management floor, as well as specifying which encryption methods are approved, and saying that encryption is safe harbor only for instances of physical theft of the device. No current state laws do these things, IIRC. Only one of them even *defines* encryption, and they (Nevada) do it horribly wrong. On Feb 13, 2007, at 7:50 AM, security curmudgeon wrote: > > For the sake of argument, I'll disagree here. > > > That said, can you describe a scenario other than what I described > above > as a viable way to get to the client data on my laptop? From hbrown at knology.net Tue Feb 13 08:59:48 2007 From: hbrown at knology.net (Henry Brown) Date: Tue, 13 Feb 2007 07:59:48 -0600 Subject: [Dataloss] Lost F.B.I. Laptops Still a Problem, Inspector Says In-Reply-To: <771A26039D33ED489E23D9614DE630DD04CBFBF6@SFMAIL02.tealeaf.com> References: <771A26039D33ED489E23D9614DE630DD04CBFBF6@SFMAIL02.tealeaf.com> Message-ID: <45D1C454.5050501@knology.net> Different "SPIN" on the process: http://govexec.com/dailyfed/0207/021207tdpm2.htm The FBI has made significant progress in decreasing the rate of loss of laptop computers and weapons, the agency's inspector general said Monday. The analysis determined that when compared with figures from 2002, there has been a 349 percent reduction in the average number of weapons lost or stolen in a given month and a 312 percent reduction in the loss or theft of laptops. The agency reported 160 weapons and laptops lost or stolen during the audit period. Max Hozven wrote: > > http://www.nytimes.com/aponline/us/AP-FBI-Laptops.html?hp&ex=1171342800&en=a17b6916b0b00b81&ei=5094&partner=homepage > > > Lost F.B.I. 
Laptops Still a Problem, Inspector Says > > By THE ASSOCIATED PRESS > Published: February 12, 2007 > > Filed at 11:57 a.m. ET > > WASHINGTON (AP) -- Between three and four FBI laptop computers are > lost or stolen each month on average and the agency is unable to say > in many instances whether information on the machines is sensitive or > classified, the Justice Department's inspector general said Monday. > > The inspector general said the FBI is doing a better job of reducing > the number of thefts and disappearances of weapons and laptop > computers, but that not all problems were corrected as urged in a > report five years ago. > > ''Perhaps most troubling, the FBI could not determine in many cases > whether the lost or stolen laptop computers contained sensitive or > classified information,'' said the report. ''Such information may > include case information, personal identifying information, or > classified information on FBI operations.'' > > In a report five years ago, the inspector general said 354 weapons and > 317 laptop computers were lost or stolen during a 28-month review. > > The new report found that 160 weapons and 160 laptop computers were > lost or stolen over a 44-month period. > > The FBI said it was preparing a response to the report. > > ------------------------------------------------------------------------ > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 148 million compromised records in 573 incidents over 7 years. > From adam at homeport.org Tue Feb 13 10:57:31 2007 From: adam at homeport.org (Adam Shostack) Date: Tue, 13 Feb 2007 10:57:31 -0500 Subject: [Dataloss] (article) "We recovered the laptop!" ... so what? 
In-Reply-To: <000301c74f6b$56f043b0$2c0aa8c0@HPLAPTOP> References: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net> <000301c74f6b$56f043b0$2c0aa8c0@HPLAPTOP> Message-ID: <20070213155731.GA11445@homeport.org> Speaking for myself here. As I understand things: Certain versions of Vista (I think Ultimate and Enterprise) include Bitlocker whole drive encryption. It's not on by default because of issues about key management. So just upgrading to Vista, in and of itself, doesn't change anything. Bitlocker itself has a bunch of modes, ranging from keys stored in a TPM and unlocked with a PIN, to keys stored on the hard drive and unlocked with a password. How you actually protect the encryption keys might be seen as important. I don't know if anyone has done a comparison against state laws. Adam On Tue, Feb 13, 2007 at 07:34:43AM -0500, Herve Roggero wrote: | Let me give an example: If I do business in California, and my unencrypted | laptop gets stolen with 100,000 SSNs in it, stored in clear text. I need to | disclose this loss and reach out to 100,000 people to comply with SB 1386. | | Now, if I upgrade my laptops to MS Vista, can I get away with it? | | | | I'm only asking as I am seeing an interesting response from CXO individuals | looking at MS Vista as a solution to their laptop/legal issues. If there is no | official technical workaround to this encryption and it takes thousands or | millions of years to crack, then it may fall under the "reasonable" steps to | protect information and become a powerful tool for businesses looking to | comply. 
| | | | Thank you | | Herve Roggero | | Managing Partner, Pyn Logic LLC | | Cell: 561 236 2025 | | Visit www.pynlogic.com | | ------------------------------------------------------------------------------- | | From: blitz [mailto:blitz at strikenet.kicks-ass.net] | Sent: Monday, February 12, 2007 8:14 PM | To: Herve Roggero | Cc: dataloss at attrition.org | Subject: RE: [Dataloss] (article) "We recovered the laptop!" ... so what? | | | | Ok, so you've got a copy of an encrypted disk to crack at your leisure. The data | is still compromised and in someone else's hands, and they have no idea if it's | secure or not. | That still counts as a loss in my book. | | At 08:54 2/12/2007, you wrote: | | | Hi everyone | | This thread is very interesting. All techniques so far deal with reading data at | a low level. Will Windows Vista prevent techniques such as Symantec Ghost? I | understand that Vista performs bit-level encryption with its BitLocker | technology. | | Thanks. | | Herve Roggero | Managing Partner | Pyn Logic LLC | Visit www.pynlogic.com | | _______________________________________________ | Dataloss Mailing List (dataloss at attrition.org) | http://attrition.org/dataloss | Tracking more than 148 million compromised records in 573 incidents over 7 years. From cwalsh at cwalsh.org Tue Feb 13 11:10:12 2007 From: cwalsh at cwalsh.org (Chris Walsh) Date: Tue, 13 Feb 2007 10:10:12 -0600 Subject: [Dataloss] Lost F.B.I. Laptops Still a Problem, Inspector Says In-Reply-To: <45D1C454.5050501@knology.net> References: <771A26039D33ED489E23D9614DE630DD04CBFBF6@SFMAIL02.tealeaf.com> <45D1C454.5050501@knology.net> Message-ID: <2931561A-4333-460A-B739-AD34554D5711@cwalsh.org> A 312 percent reduction? So, does that mean they wind up with more laptops at the end than they started with? That's some fuzzy math. 
On Feb 13, 2007, at 7:59 AM, Henry Brown wrote: > Different "SPIN" on the process: > > http://govexec.com/dailyfed/0207/021207tdpm2.htm > > The FBI has made significant progress in decreasing the rate of > loss of > laptop computers and weapons, the agency's inspector general said > Monday. > > The analysis determined that when compared with figures from 2002, > there > has been a 349 percent reduction in the average number of weapons lost > or stolen in a given month and a 312 percent reduction in the loss or > theft of laptops. The agency reported 160 weapons and laptops lost or > stolen during the audit period. > From cwalsh at cwalsh.org Tue Feb 13 16:38:04 2007 From: cwalsh at cwalsh.org (Chris Walsh) Date: Tue, 13 Feb 2007 15:38:04 -0600 Subject: [Dataloss] (article) "We recovered the laptop!" ... so what? In-Reply-To: <000301c74f6b$56f043b0$2c0aa8c0@HPLAPTOP> References: <000301c74f6b$56f043b0$2c0aa8c0@HPLAPTOP> Message-ID: <371942FB-207A-4F7F-8F1B-BC770AAEFB20@cwalsh.org> Not sure if Bitlocker supports encryption of data volumes on removable media. Depending on how your CXOs use machines, this may be an important consideration. OTOH, you can transfer at least some of the risk by purchasing insurance which would cover the cost of complying with notice requirements. I would imagine the insurance companies are wise to the adverse selection issues here, so you can't blithely ignore security, but you may be able to get away with (pardon the word choice) less than military-grade encryption on every laptop. Chubb Group is one underwriter of breach insurance. There are more but that is the only name that comes to mind. On Feb 13, 2007, at 6:34 AM, Herve Roggero wrote: > I'm only asking as I am seeing an interesting response from CXO > individuals looking at MS Vista as a solution to their laptop/legal > issues. 
If there is no official technical workaround to this > encryption and it takes thousands or millions of years to crack, > then it may fall under the "reasonable" steps to protect > information and become a powerful tool for businesses looking to > comply. From Dissent at pogowasright.org Wed Feb 14 09:24:35 2007 From: Dissent at pogowasright.org (Dissent) Date: Wed, 14 Feb 2007 09:24:35 -0500 Subject: [Dataloss] [follow-up] UK: Nationwide fined almost £1m over theft Message-ID: <7.0.0.16.2.20070214092253.024fade0@nowhere.org> http://www.channel4.com/news/content/news-storypage.jsp?id=27099299 Nationwide has been fined almost £1 million after the theft of an employee's laptop computer exposed security flaws. The Financial Services Authority (FSA) fined Nationwide - the world's largest building society - £980,000 for not having adequate information security procedures and controls in place. The theft from the employee's home in August last year potentially exposed the society's 11 million customers to an increased risk of financial crime, the FSA said. The FSA said the Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the robbery as the employee then went on holiday. Nationwide declined to say how many account details were on the laptop but said there had been no loss of money from any account and the laptop did not contain PINs, passwords, account balance information or memorable data relating to any customers. The fine imposed on Nationwide could have been as high as £1.4 million, but the building society qualified for a 30 per cent discount by agreeing to settle early. [...] 
-- Main site: http://www.pogowasright.org Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss From lyger at attrition.org Wed Feb 14 13:37:08 2007 From: lyger at attrition.org (lyger) Date: Wed, 14 Feb 2007 13:37:08 -0500 (EST) Subject: [Dataloss] Insurer reports personal information stolen Message-ID: http://www.courier-journal.com/apps/pbcs.dll/article?AID=/20070214/NEWS01/70214030 Computer tapes containing personal information on about 196,000 members of health insurer WellPoint - including many Anthem Blue Cross and Blue Shield customers in Kentucky and Indiana - have been stolen from the office of a WellPoint vendor. Social Security numbers, often the key to committing identity theft, were among the information on the tapes. [...] From sawaba at forced.attrition.org Wed Feb 14 21:09:14 2007 From: sawaba at forced.attrition.org (sawaba) Date: Wed, 14 Feb 2007 21:09:14 -0500 (EST) Subject: [Dataloss] [update] Birmingham VA laptop In-Reply-To: <7.0.0.16.2.20070212195432.02592670@nowhere.org> References: <7.0.0.16.2.20070212195432.02592670@nowhere.org> Message-ID: These guys are easily going to make and hold the #1 spot on the "Repeat Offenders" list if they keep losing data like this. --Sawaba On Mon, 12 Feb 2007, Dissent wrote: > http://www.kansas.com/mld/kansas/news/16683496.htm > > > The Department of Veterans Affairs began notifying 1.8 million > veterans and doctors Monday that their personal and business > information could be on a portable hard drive that has been missing > from an Alabama hospital for nearly three weeks. > > [...] > > [U.S. Rep. Artur Davis] said the department told him that the missing > storage unit included the Social Security numbers and names of about > 10,000 people, plus another 525,000 Social Security numbers. The > information on doctors includes names and Medicare billing codes, he said. > > [...] 
> > Also: > > http://www.govexec.com/dailyfed/0207/021207p1.htm > > [...] > > > The data for the 1.3 million physicians who have billed Medicaid and > Medicare, both living and deceased, could result in widespread fraud, > such as the creation of fake Medicare and Medicaid invoices. > > There are 902,053 physicians in the United States, according to the > American Medical Association. > > According to congressional sources, personal information on patients > and medical data were kept in separate files, but there is enough > information that files could be linked. > > [...] > > -- > Main site: http://www.pogowasright.org > Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss > Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss > > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 148 million compromised records in 573 incidents over 7 years. > From sawaba at forced.attrition.org Wed Feb 14 21:22:25 2007 From: sawaba at forced.attrition.org (sawaba) Date: Wed, 14 Feb 2007 21:22:25 -0500 (EST) Subject: [Dataloss] (article) "We recovered the laptop!" ... so what? In-Reply-To: References: Message-ID: No, Vista will have no significant impact, for several reasons: 1. As mentioned somewhere down this thread, Vista's disk encryption option only comes with the more expensive versions of Vista. 2. Owners of this version are a much smaller percentage of total Vista owners. A small percentage of people that buy these versions will a) know it is there b) care that it is there, or c) know how to use it properly even if they do know about it and are interested in using it. 3. The people using disk encryption in Vista are likely to be doing it with their personal PCs. We're mostly interested in large entities and corporations using disk encryption to protect our sensitive, valuable data while in their care. 
These companies, if they are using disk encryption at all, are most likely to be using a commercial disk encryption product with enterprise deployment/management features. Bottom Line: Vista's new encryption features will most likely see the most use in the hands of the individual consumer, not the enterprise. Caveat: This is not to say that Vista's disk encryption features do not work! When and where they are PROPERLY used, they will be effective in protecting data from compromise. --Sawaba On Mon, 12 Feb 2007, Herve Roggero wrote: > Hi everyone > > This thread is very interesting. All techniques so far deal with reading data at a low level. Will Windows Vista prevent techniques such as Symantec Ghost? I understand that Vista performs bit-level encryption with its BitLocker technology. > > Thanks. > > Herve Roggero > Managing Partner > Pyn Logic LLC > Visit www.pynlogic.com > > -----Original Message----- > From: "Max Hozven" > To: "sawaba" ; "blitz" > Cc: dataloss at attrition.org > Sent: 2/12/07 1:27 AM > Subject: Re: [Dataloss] (article) "We recovered the laptop!" ... so what? > > Or boot up on a Symantec Ghost boot disk, then blast the data over to a > network drive or a connected USB drive. > > -Max > > -----Original Message----- > From: dataloss-bounces at attrition.org > [mailto:dataloss-bounces at attrition.org] On Behalf Of sawaba > Sent: Sunday, February 11, 2007 9:09 PM > To: blitz > Cc: dataloss at attrition.org > Subject: Re: [Dataloss] (article) "We recovered the laptop!" ... so > what? > > You don't even have to mess with mirroring it. You can create a Linux > boot > disk, specifically set up with scripts that search for juicy data, and > then upload them to your server over Wi-Fi. On a fairly new laptop, you > should have data (if there's any data to be had) within 30 minutes. > You'll > be done in an hour or two unless there is a huge amount of data you want > > to grab. 
> > And because you are mounting the Fat32 or NTFS volume read-only, no > dates > From sawaba at forced.attrition.org Wed Feb 14 21:40:16 2007 From: sawaba at forced.attrition.org (sawaba) Date: Wed, 14 Feb 2007 21:40:16 -0500 (EST) Subject: [Dataloss] (article) "We recovered the laptop!" ... so what? In-Reply-To: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net> References: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net> Message-ID: I disagree. If they encrypted the data correctly, they know very well if it is secure or not. There are specific encryption algorithms and associated key lengths considered suitable for disk encryption. The most commonly accepted is AES with a 256-bit key. It is chosen as such, because as of yet, no flaw has been found in AES, and a 256-bit key could not be brute-forced in any feasible time frame with current technology. In other words, when you finally brute force it 10 or 15 years from now, the credit card numbers and SSNs will be useless anyway. --Sawaba On Mon, 12 Feb 2007, blitz wrote: > Ok, so you've got a copy of an encrypted disk to crack at your leisure. The > data is still compromised and in someone else's hands, and they have no idea > if it's secure or not. > That still counts as a loss in my book. > > At 08:54 2/12/2007, you wrote: >> Hi everyone >> >> This thread is very interesting. All techniques so far deal with reading >> data at a low level. Will Windows Vista prevent techniques such as Symantec >> Ghost? I understand that Vista performs bit-level encryption with its >> BitLocker technology. >> >> Thanks. >> >> Herve Roggero >> Managing Partner >> Pyn Logic LLC >> Visit www.pynlogic.com > From sawaba at forced.attrition.org Wed Feb 14 21:53:02 2007 From: sawaba at forced.attrition.org (sawaba) Date: Wed, 14 Feb 2007 21:53:02 -0500 (EST) Subject: [Dataloss] (article) "We recovered the laptop!" ... so what? 
In-Reply-To: References: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net> Message-ID: I did some analysis on this for the company I work for, when we adopted a "full disk encryption" product. The two most significant things that came out of my research are: 1. This may not be the case with all disk encryption products, but you have to make sure you select "full encryption", as there may be a feature that, when selected, will only encrypt "active" data. How they word the option could be tricky as well. The "fast" encryption option may only encrypt active data. What they mean by "active" data is that it will only encrypt data that is not marked for overwrite (non-deleted data). This is a huge problem, because the last 1GB of data you deleted could potentially still be accessible if your drive/laptop is stolen! 2. If configured to encrypt EVERYTHING on the drive, it is as Jericho says. The only way to steal the data is to grab the system while it is turned on and booted up with the OS running. For those interested, hibernating = turned off. I checked, and even hiberfil.sys is encrypted. --Sawaba On Tue, 13 Feb 2007, security curmudgeon wrote: > > For the sake of argument, I'll disagree here. > > : Ok, so you've got a copy of an encrypted disk to crack at your leisure. > : The data is still compromised and in someone else's hands, and they have > : no idea if it's secure or not. That still counts as a loss in my book. > > My work laptop has PGP desktop installed. A multi-gig partition is set up > using PGP for protection, and upon every bootup it requires I enter my > passphrase (more than thirty characters, using mixed case and special > characters). If the machine is powered off or rebooted, you must enter > this password to get access to my e-mail, client information or anything > else work related. As far as I can tell, unless you grab my laptop while > it is powered on, the data on it is relatively secure. 
There may be some > residual information in the browser history/cache, but it will be specific > to my company, not my company's clients. > > That said, can you describe a scenario other than what I described above > as a viable way to get to the client data on my laptop? Other than > snatching it while the power is on and copying the data off, which would > be a huge warning flag to me to report said data as compromised, how could an > attacker realistically get to the data? > > Jericho > _______________________________________________ > Dataloss Mailing List (dataloss at attrition.org) > http://attrition.org/dataloss > Tracking more than 148 million compromised records in 573 incidents over 7 years. > From Dissent at pogowasright.org Thu Feb 15 08:34:37 2007 From: Dissent at pogowasright.org (Dissent) Date: Thu, 15 Feb 2007 08:34:37 -0500 Subject: [Dataloss] Piper Jaffray apologizes to employees for W-2 goof Message-ID: <7.0.0.16.2.20070215083258.02501620@nowhere.org> http://www.twincities.com/mld/twincities/business/16647381.htm Oops. The W-2s Piper Jaffray sent to current and former employees in January included employees' Social Security numbers on the outside of the envelope. The numbers were not identified as Social Security numbers, but followed the standard XXX-XX-XXXX format. The incident affected more than the 1,000 employees the company employs today, since about 2,600 people worked for Piper before the sale of its brokerage unit last year. "At this time we have no indication that the printing error has resulted in any misuse of employee personal information," Todd Firebaugh, chief administrative officer of the Minneapolis-based company, wrote in a letter to Piper employees last week apologizing for the incident. Executives indicated the mishap was an error by a third-party vendor, the name of which was not disclosed. The mailing didn't involve any customer data. 
"We take the security of our employees' personal information very seriously," said Rob Litt, a spokesman for the company. "We are implementing corrective processing changes with our vendors." The company will offer free 12-month credit monitoring to all employees affected. -- Main site: http://www.pogowasright.org Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss From Dissent at pogowasright.org Thu Feb 15 08:37:26 2007 From: Dissent at pogowasright.org (Dissent) Date: Thu, 15 Feb 2007 08:37:26 -0500 Subject: [Dataloss] Laptop Stolen With 22,000 Kaiser Patients' Data Message-ID: <7.0.0.16.2.20070215083439.02501240@nowhere.org> http://cbs5.com/consumer/local_story_045212622.html In yet another instance of laptop theft potentially endangering personal data, Kaiser Permanente is in the process of notifying as many as 22,000 patients of a possible breach of their private medical information. The personal information was located on a doctor's laptop computer stolen from the Medical Center in Oakland at the end of last November. There were no details provided about where or how the laptop was taken, but a Kaiser spokesman said it was likely a random and isolated crime of opportunity. Kaiser said the majority of patients had only limited information listed on the laptop, but 500 of them included social security numbers. Kaiser officials said they are implementing a new systemwide policy that prohibits storage of member data on the hard drive of any desktop, laptop or mobile device. A spokesman also said information on all electronic devices will now be encrypted. Anyone with questions about the stolen laptop containing patient information can call Kaiser at 1-866-529-0779. 
-- Main site: http://www.pogowasright.org Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss From lyger at attrition.org Thu Feb 15 11:39:51 2007 From: lyger at attrition.org (lyger) Date: Thu, 15 Feb 2007 11:39:51 -0500 (EST) Subject: [Dataloss] Iowa: Department of Education records hacked Message-ID: http://www.radioiowa.com/gestalt/go.cfm?objectid=C62EC2FD-D6CA-6148-ECA10EFC215AB72D The Department of Education is warning Iowans that someone gained access to personal information in records that were in what was supposed to be a protected area on the department's website. Department spokesperson, Elaine Watkins-Miller, says the records contained names, addresses, dates of birth and social security numbers of individuals who obtained a G.E.D. from Iowa between 1965 and 2002. [...] Watkins-Miller says you should keep an eye on the credit report, and call local law officers if you see any unusual activity. Watkins says they believe someone hacked into the records on Sunday. Watkins-Miller says they can't say how the records were accessed and that's being investigated by the DCI and the FBI. There were some 160-thousand records in the file, but she says it's believed only about 600 may have been viewed. [...] From Dissent at pogowasright.org Thu Feb 15 12:20:51 2007 From: Dissent at pogowasright.org (Dissent) Date: Thu, 15 Feb 2007 12:20:51 -0500 Subject: [Dataloss] Citibank Korea e-payment hack Message-ID: <7.0.0.16.2.20070215121827.02515988@nowhere.org> http://news.mk.co.kr/newsReadEnglish.php?sc=30800005&cm=General&year=2007&no=83542&selFlag=sc&relatedcode=&wonNo=&sID=308 Personal data on the Citibank e-payment system, used for e-commerce, has been hacked, allowing illegal transactions on bank users' credit cards. According to the banking industry, 20 credit cards issued by Citibank of Korea have been illegally settled from Feb. 1 to 6, worth 50 million won. 
Citibank Korea has requested an investigation from the National Police Agency's Cyber Terror Center after finding the company's e-payment system was hacked to garner data on the customers' credit card information and passwords in order to make charges. Hackers targeted under-300,000 won financial transactions of companies with weak e-payment security. That method was used, as below-300,000 won financial transactions can be made by inserting basic personal information, such as credit card numbers and passwords without official certificates. "Unlike other banks, Citibank has omitted the process of inserting the Card Validation Code (CVC) when executing e-payments, allowing the culprits to take illegal actions," said an official from the Financial Supervisory Service (FSS). [...] -- Main site: http://www.pogowasright.org Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss From Dissent at pogowasright.org Thu Feb 15 18:33:42 2007 From: Dissent at pogowasright.org (Dissent) Date: Thu, 15 Feb 2007 18:33:42 -0500 Subject: [Dataloss] City College of San Francisco Message-ID: <7.0.0.16.2.20070215175956.02545970@nowhere.org> http://abclocal.go.com/kgo/story?section=local&id=5038107 Feb. 15 - KGO - City College of San Francisco Chancellor Dr. Philip R. Day sent a letter to current and former students warning them that a file with their personal information was potentially viewable via the Internet. According to the letter, the file contained "names, addresses and social security numbers," but did not include "any driver's license numbers, credit card or banking information." The file in question was used in 2000 for providing students that attended in summer 1999 their grades. Since June 2002, the college stopped using social security numbers as unique identifiers for students and switched to student identification numbers. [...] 
-- Main site: http://www.pogowasright.org Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss From bob.dehnhardt at trinet.com Thu Feb 15 19:32:16 2007 From: bob.dehnhardt at trinet.com (Bob Dehnhardt) Date: Thu, 15 Feb 2007 16:32:16 -0800 Subject: [Dataloss] (article) "We recovered the laptop!" ... so what? References: Message-ID: From what I understand, BitLocker requires special hardware - either a Trusted Platform Module on the motherboard, or a special USB device plugged in to the system. It also requires a compliant BIOS. None of these are particularly widespread at the moment, so I don't think BitLocker will be in common use any time soon. I think encryption is the second best method of protecting sensitive info on laptops (the best is to not put it there in the first place, but that battle was lost before it began). But if I've got your system, odds are I also have the key (EFS stores it on the system drive, BitLocker uses the on-board TPM or USB dongle, which would most likely be kept with the laptop). In that case, any encryption will fail given sufficient time. And encryption does not prevent the taking of a bit-level backup or image of the drive. That's a key tool for the attacker. Once that's been done, they can freely attack the system with whatever tools they like, knowing that they can always restore it to a pristine condition if things get too heavily munged. And running "strings" on a drive image is a great way of generating a system-specific word list for dictionary password attacks.... - Bob -----Original Message----- From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Herve Roggero Sent: Monday, February 12, 2007 5:54 AM To: Max Hozven; sawaba; blitz Cc: dataloss at attrition.org Subject: Re: [Dataloss] (article) "We recovered the laptop!" ... so what? Hi everyone This thread is very interesting. 
All techniques so far deal with reading data at a low level. Will Windows Vista prevent techniques such as Symantec Ghost? I understand that Vista performs bit-level encryption with its BitLocker technology. Thanks. Herve Roggero Managing Partner Pyn Logic LLC Visit www.pynlogic.com From Dissent at pogowasright.org Thu Feb 15 19:45:52 2007 From: Dissent at pogowasright.org (Dissent) Date: Thu, 15 Feb 2007 19:45:52 -0500 Subject: [Dataloss] [Humor] I read the news today, oh boy Message-ID: <7.0.0.16.2.20070215194023.0257f638@nowhere.org> http://www.pogowasright.org/blogs/dissent/?p=210 (Dateline Washington, D.C., January 6, 2031) The first session of the 122nd Congress opened today, with Senate leaders vowing that this would be the year that they would pass the Leahy-Specter Memorial Data Protection and Mandatory Breach Notification Act. Some Beltway insiders had suggested that previous failures to enact the legislation were due to the unpronounceability of "LSMDPMBNA," but others had suggested that until now, Congress's priority had been to debate how we landed up in wars with Iran, Korea, and Canada without Congress ever authorizing any of those wars. Over the holidays, members of Congress were shocked to read that unencrypted data on a laptop computer lost by a Kaiser Impermanente employee had been found and leaked to the media. The data revealed how Representative Kale Jackson's daughter had had 4 elective abortions before the age of 15, how Senator Reid Smither's son had undergone inpatient treatment for early-onset Huntington's Chorea and narcotic abuse, and how Representative JoAnne B. Lane was currently under psychiatric treatment for depression following her recent divorce. [....] 
-- 
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From adam at homeport.org Fri Feb 16 02:10:25 2007
From: adam at homeport.org (Adam Shostack)
Date: Fri, 16 Feb 2007 02:10:25 -0500
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
References: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net> <000301c74f6b$56f043b0$2c0aa8c0@HPLAPTOP> <20070213155731.GA11445@homeport.org>
Message-ID: <20070216071025.GA6959@homeport.org>

When we wanted to perform m of n key backup for the master keys at
Zero Knowledge systems, there was nothing commercially available. Is
there anything now? I'm unaware of anyone who uses m of n sharing in
the real enterprise systems. Please enlighten me.

On Wed, Feb 14, 2007 at 10:03:41PM -0500, sawaba wrote:
| When serious encryption is needed, key management is as important as the
| algorithm and key strength used. Most people have seen in the movies when
| it takes multiple keys turned at the same time to activate the firing
| mechanism for a nuclear weapon. It is similar in many enterprise data
| encryption situations (minus the threat of worldwide destruction). M of N
| key management requires a certain minimum number (say 3 of 6) of
| custodians to input their piece of the key to decrypt the data.
| 
| Obviously, this doesn't work when you need to log into your laptop ("yeah
| Bob, this is Mike, could you come down to Starbucks and log me in again? I
| went to the bathroom and it powered off while I was gone"). So, we come
| back to the fact that certain kinds of data shouldn't be on laptops in the
| first place.
| 
| --Sawaba
| 
| On Tue, 13 Feb 2007, Adam Shostack wrote:
| 
| >Speaking for myself here. As I understand things:
| >
| >Certain versions of Vista (I think Ultimate and Enterprise) include
| >Bitlocker whole drive encryption. It's not on by default because of issues
| >about key management. So just upgrading to Vista, in and of itself,
| >doesn't change anything.
| >
| >Bitlocker itself has a bunch of modes, ranging from keys stored in a
| >TPM and unlocked with a PIN, to keys stored on the hard drive and
| >unlocked with a password. How you actually protect the encryption
| >keys might be seen as important. I don't know if anyone has done a
| >comparison against state laws.
| >
| >Adam
| >
| >On Tue, Feb 13, 2007 at 07:34:43AM -0500, Herve Roggero wrote:
| >| Let me give an example: If I do business in California, and my unencrypted
| >| laptop gets stolen with 100,000 SSNs in it, stored in clear text. I need to
| >| disclose this loss and reach out to 100,000 people to comply with SB 1386.
| >| 
| >| Now, if I upgrade my laptops to MS Vista, can I get away with it?
| >| 
| >| I'm only asking as I am seeing an interesting response from CXO individuals
| >| looking at MS Vista as a solution to their laptop/legal issues. If there is no
| >| official technical workaround to this encryption and it takes thousands or
| >| millions of years to crack, then it may fall under the "reasonable" steps to
| >| protect information and become a powerful tool for businesses looking to
| >| comply.
| >| 
| >| Thank you
| >| 
| >| Herve Roggero
| >| Managing Partner, Pyn Logic LLC
| >| Cell: 561 236 2025
| >| Visit www.pynlogic.com
| >| 
| >| -------------------------------------------------------------------------------
| >| From: blitz [mailto:blitz at strikenet.kicks-ass.net]
| >| Sent: Monday, February 12, 2007 8:14 PM
| >| To: Herve Roggero
| >| Cc: dataloss at attrition.org
| >| Subject: RE: [Dataloss] (article) "We recovered the laptop!" ... so what?
| >| 
| >| Ok, so you've got a copy of an encrypted disk to crack at your leisure. The data
| >| is still compromised and in someone else's hands, and they have no idea if it's
| >| secure or not.
| >| That still counts as a loss in my book.
| >| 
| >| At 08:54 2/12/2007, you wrote:
| >| 
| >| Hi everyone
| >| 
| >| This thread is very interesting. All techniques so far deal with reading data at
| >| a low level. Will Windows Vista prevent techniques such as Symantec Ghost? I
| >| understand that Vista performs bit-level encryption with its BitLocker
| >| technology.
| >| 
| >| Thanks.
| >| 
| >| Herve Roggero
| >| Managing Partner
| >| Pyn Logic LLC
| >| Visit www.pynlogic.com
| >
| >| _______________________________________________
| >| Dataloss Mailing List (dataloss at attrition.org)
| >| http://attrition.org/dataloss
| >| Tracking more than 148 million compromised records in 573 incidents over 7 years.
| >
| >_______________________________________________
| >Dataloss Mailing List (dataloss at attrition.org)
| >http://attrition.org/dataloss
| >Tracking more than 148 million compromised records in 573 incidents over 7 years.
| >

From bkdelong at pobox.com Fri Feb 16 08:32:21 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Fri, 16 Feb 2007 08:32:21 -0500
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
In-Reply-To: <20070216071025.GA6959@homeport.org>
References: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net> <000301c74f6b$56f043b0$2c0aa8c0@HPLAPTOP> <20070213155731.GA11445@homeport.org> <20070216071025.GA6959@homeport.org>

It's funny - PKI and Key Management has been (mostly) mastered by the
military and intelligence services, (or at least taken VERY seriously
the past few years)....you'd think the business world would have looked
to them by now for guidance.

On 2/16/07, Adam Shostack wrote:
> When we wanted to perform m of n key backup for the master keys at
> Zero Knowledge systems, there was nothing commercially available. Is
> there anything now? I'm unaware of anyone who uses m of n sharing in
> the real enterprise systems. Please enlighten me.
>
> [...]
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 148 million compromised records in 576 incidents over 7 years.
>

-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From sawaba at forced.attrition.org Fri Feb 16 23:21:50 2007
From: sawaba at forced.attrition.org (sawaba)
Date: Fri, 16 Feb 2007 23:21:50 -0500 (EST)
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
In-Reply-To: <20070216071025.GA6959@homeport.org>
References: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net> <000301c74f6b$56f043b0$2c0aa8c0@HPLAPTOP> <20070213155731.GA11445@homeport.org> <20070216071025.GA6959@homeport.org>

Many enterprise disk encryption appliances use M of N key sharing, such
as those from Decru and Neoscale. Password-protected smart cards are
used to store the key shares.

--Sawaba

On Fri, 16 Feb 2007, Adam Shostack wrote:
> When we wanted to perform m of n key backup for the master keys at
> Zero Knowledge systems, there was nothing commercially available. Is
> there anything now? I'm unaware of anyone who uses m of n sharing in
> the real enterprise systems. Please enlighten me.
>
> [...]
>

From Dissent at pogowasright.org Sat Feb 17 08:43:54 2007
From: Dissent at pogowasright.org (Dissent)
Date: Sat, 17 Feb 2007 08:43:54 -0500
Subject: [Dataloss] CT: Worker Data Was On Web
Message-ID: <7.0.0.16.2.20070217084214.0711f8b8@nowhere.org>

http://www.courant.com/news/politics/hc-stateinfo0217.artfeb17,0,7667978.story?coll=hc-headlines-politics-state

Personal information for hundreds of state employees - including their
names and Social Security numbers - was inadvertently posted on the
Internet, the state comptroller's office said Friday.

Officials said they believe the risk of identity theft is low, though
the information had been on a state website for more than three years.

The problem was discovered in January, and the 1,753 employees affected
were informed of the mistake in letters mailed Feb. 8, officials said.

The personal information was included in a spreadsheet of vendors used
by the state that was accessible to the public on the state Department
of Administrative Services website, according to Steven Jensen, a
spokesman for state Comptroller Nancy S. Wyman's office.

[...]
According to the letter sent to employees from the comptroller's
office, the spreadsheet was accessible to the public only when a
specific name on it was searched. There was no menu or published link
available where individuals could simply click on a title and open it.

The Social Security numbers were displayed without hyphens and each had
a numerical suffix attached, making them not easily recognizable, the
letter said.

The file was removed from the site and then "scrubbed" clean by
information technology specialists to be certain it could no longer be
accessed, Jensen said.

[...]

-- 
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From adam at homeport.org Sat Feb 17 16:28:14 2007
From: adam at homeport.org (Adam Shostack)
Date: Sat, 17 Feb 2007 16:28:14 -0500
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
References: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net> <000301c74f6b$56f043b0$2c0aa8c0@HPLAPTOP> <20070213155731.GA11445@homeport.org> <20070216071025.GA6959@homeport.org>
Message-ID: <20070217212814.GA8178@homeport.org>

I don't believe that's effectively multi-person control of the data in
the fashion that your nuclear launch analogy evokes. It may be
multi-person or multi-factor initialization, but once the system is up
and running, there are in-memory processes which have access to all
the data on the disk.

On Fri, Feb 16, 2007 at 11:21:50PM -0500, sawaba wrote:
| Many enterprise disk encryption appliances use M of N key sharing, such as
| those from Decru and Neoscale. Password-protected smart cards are used to
| store the key shares.
| 
| --Sawaba
| 
| On Fri, 16 Feb 2007, Adam Shostack wrote:
| 
| >When we wanted to perform m of n key backup for the master keys at
| >Zero Knowledge systems, there was nothing commercially available. Is
| >there anything now? I'm unaware of anyone who uses m of n sharing in
| >the real enterprise systems. Please enlighten me.
| >
| >[...]
| >

From bkdelong at pobox.com Mon Feb 19 12:15:37 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Mon, 19 Feb 2007 12:15:37 -0500
Subject: [Dataloss] Stop & Shop has credit card data stolen

Great. I wonder where else these bugs are in place...

http://www.boston.com/business/articles/2007/02/19/stop__shop_reports_credit_data_was_stolen/

By Peter J. Howe, Globe Staff | February 19, 2007

SEEKONK -- With help from US Secret Service agents, Stop & Shop
Supermarket Cos. executives scrambled yesterday to determine how many
consumers may have had their credit and debit card data stolen by
high-tech thieves who apparently broke into checkout-line card readers
and planted the equivalent of bugs to steal information.

Stop & Shop said customer information, including personal
identification codes for cards, was confirmed stolen from supermarkets
in Coventry and Cranston, R.I. The company said it had found evidence
that card readers were tampered with in a similar way at four other
stores in Seekonk and in Bristol, Providence, and Warwick, R.I.
But the supermarket company said it had no reports of illegal
transactions on cards that had been used at those stores.

After being notified by a bank last week that its Coventry and Cranston
stores appeared to be the common link to a number of stolen card
numbers, Quincy-based Stop & Shop has bolted down card readers at all
385 of its supermarkets in New England, New York, and New Jersey,
company spokesman Robert Keane said yesterday.

"They would not now be able to tamper with the units the way they did
before," Keane said. He declined to reveal details of how the scam
worked, other than to say it involved card readers being removed,
tampered with, and reinstalled.

"Our investigation has not uncovered any involvement or suspected
involvement of any Stop & Shop personnel in the tampering," Keane said.

. . . . . . .

Inside the Seekonk Stop & Shop, store employees pointed out newly
installed bolts on the mounts for the pin pads, intended to thwart
anyone from sliding the card readers off the mount to get at the
underside of the device or the wires that connect it to the cash
register.

But at least one shopper was blasé. Al Mendes of Seekonk, who had just
finished shopping yesterday afternoon and charged his purchases on his
credit card, said he would not worry if his number got stolen.

"The credit card company eats it," Mendes said. "Not me."

-- 
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From Dissent at pogowasright.org Mon Feb 19 18:47:00 2007
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 19 Feb 2007 18:47:00 -0500
Subject: [Dataloss] Clarksville-Montgomery County schools (TN)
Message-ID: <7.0.0.16.2.20070219184413.04e5f590@nowhere.org>

http://www.theleafchronicle.com/apps/pbcs.dll/article?AID=/20070219/NEWS01/70219006

School system officials removed Thursday 633 Social Security numbers
that had been inadvertently placed in a search engine on the school
system's Web site, officials said today.

The identification numbers belonged to staff and faculty at
Clarksville-Montgomery County middle and high schools.

The employees' identification numbers since June 2006 had been embedded
in file photos given by the company that took yearbook pictures,
according to a news release sent by Communications Director Elise
Shelton.

No student information was accessible.

-- 
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss

From Dissent at pogowasright.org Mon Feb 19 19:07:55 2007
From: Dissent at pogowasright.org (Dissent)
Date: Mon, 19 Feb 2007 19:07:55 -0500
Subject: [Dataloss] NC Firms Paying $65K For Trashing Consumer Info
Message-ID: <7.0.0.16.2.20070219190612.04e80748@nowhere.org>

http://www.raleighchronicle.com/2007021916.html

RALEIGH - Three North Carolina firms are finding out the hard way about
a new state law that fines companies that put their customers'
information at risk for identity theft.

According to the NC Attorney General Roy Cooper's office, three
Charlotte businesses are going to have to pay a total of $65,500 in
fines for throwing in dumpsters paper copies of information that
contained customers' Social Security numbers or bank account
information or both.

Details of each of the violations appear below.

[...]

According to the Attorney General's office, listed below are the three
firms that were fined, the circumstances surrounding the dumping of
customer records, and the settlement details reached with each
company:

Movie Gallery operated a video rental store at 3001 Union Road in
Gastonia. Around September 25, 2006, the owner of a neighboring
business reported seeing a large number of Movie Gallery's files and
videos in the dumpster. According to the settlement, the files
contained personal information of people employed by Movie Gallery and
people applying for jobs at the video store as well as people applying
for movie rental membership. Movie Gallery has agreed to pay $50,000 to
the state.

Empire Equity Group operated a mortgage lending office at 2400
Crownpoint Executive Drive in Charlotte beginning in September 2002.
Jonathan Lee Bailey served as manager and had previously operated
offices for other mortgage companies in the area. According to the
settlement with Cooper's office, around October 28, 2006 Bailey threw
mortgage files that included personal financial details about people
who applied for mortgage loans in the dumpster. Empire Equity and
Bailey will pay the state $12,500.

Stephen and Terri Newsome operated Home Finance Mortgage, Inc. at 20723
Torrence Chapel Road, Suite 204 in Cornelius until sometime in 2005 or
2006. According to the settlement, in November 2006 the company dumped
files containing names, addresses, Social Security numbers, credit
card numbers, and bank account numbers of people who had applied for
mortgage loans. An investigator from the NC Office of the Commissioner
of Banks helped Cooper's office with the investigation. Home Finance
and its owners have agreed to pay the state $3,000 for their
violations.
-- Main site: http://www.pogowasright.org Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss From Dissent at pogowasright.org Mon Feb 19 19:11:17 2007 From: Dissent at pogowasright.org (Dissent) Date: Mon, 19 Feb 2007 19:11:17 -0500 Subject: [Dataloss] Seton laptop stolen (TX) Message-ID: <7.0.0.16.2.20070219191016.04e644e0@nowhere.org> http://www.statesman.com/news/content/news/stories/local/02/20/20laptop.html Monday, February 19, 2007 A laptop with 7,800 patient names, birth dates and Social Security numbers was stolen last week from the Seton hospital system. Seton officials said the Dell computer was taken Friday from the information services department at 7600 Chevy Chase Drive, off Anderson Lane in North Austin. The laptop includes personal information on 7,800 uninsured patients who have gone to Seton emergency rooms and city health clinics since July 1, 2005. The computer does not contain patient health information, said Greg Hartman, senior vice president of marketing and planning for the Seton Family of Hospitals. He said that Seton is working with the Austin Police Department and that affected patients will be notified by letter. "It's a very difficult situation," Hartman said. "We're very hopeful we can catch this thief." -- Main site: http://www.pogowasright.org Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss From lyger at attrition.org Mon Feb 19 21:20:20 2007 From: lyger at attrition.org (lyger) Date: Mon, 19 Feb 2007 21:20:20 -0500 (EST) Subject: [Dataloss] Additional info, Mortgage Lenders Network (May 2006) Message-ID: Courtesy Chris Walsh: http://attrition.org/dataloss/mln-foia.pdf For those keeping score at home, new data added to DL-0386 in DLDOS: 231,000 affected, SSN and NAA, and there was an arrest in the case. 
http://attrition.org/dataloss/dataloss.csv

From sawaba at forced.attrition.org Mon Feb 19 23:18:05 2007
From: sawaba at forced.attrition.org (sawaba)
Date: Mon, 19 Feb 2007 23:18:05 -0500 (EST)
Subject: [Dataloss] (article) "We recovered the laptop!" ... so what?
In-Reply-To: <20070217212814.GA8178@homeport.org>
References: <7.0.1.0.2.20070212201216.0437fdc8@strikenet.kicks-ass.net> <000301c74f6b$56f043b0$2c0aa8c0@HPLAPTOP> <20070213155731.GA11445@homeport.org> <20070216071025.GA6959@homeport.org> <20070217212814.GA8178@homeport.org>
Message-ID:

Indeed, the M of N feature is for key recovery only. All disk encryption solutions I'm familiar with are most vulnerable when they are up and running. At that point, you're heavily dependent on your other security controls.

--Sawaba

On Sat, 17 Feb 2007, Adam Shostack wrote:

> I don't believe that's effectively multi-person control of the data in
> the fashion that your nuclear launch analogy evokes. It may be
> multi-person or multi-factor initialization, but once the system is up
> and running, there are in-memory processes which have access to all
> the data on the disk.
>

From lyger at attrition.org Tue Feb 20 19:49:36 2007
From: lyger at attrition.org (lyger)
Date: Tue, 20 Feb 2007 19:49:36 -0500 (EST)
Subject: [Dataloss] TX: Medical records found dumped
Message-ID:

http://www.mysanantonio.com/news/metro/stories/MYSA021907.medicalrecordsdumped.KENS.184ada9d.html

Hundreds of medical records from a chiropractor's office, protected under federal law, were found in the trash Monday behind a building.

The paperwork, covered under the HIPAA law, included Social Security numbers, photocopies of driver's license numbers, addresses, phone numbers and private medical history.

At least 20 boxes with medical files were recovered. Some of the files were found loose on the ground. They all belonged to Dr. James D. Strader of the now-defunct Back and Joint Institute of Texas.

[...]
From lyger at attrition.org Tue Feb 20 21:05:48 2007
From: lyger at attrition.org (lyger)
Date: Tue, 20 Feb 2007 21:05:48 -0500 (EST)
Subject: [Dataloss] Why we do this
Message-ID:

http://attrition.org/dataloss/why.html

Tue Feb 20 21:01:22 EDT 2007

"Will you remove an entry from the Data Loss web page or DLDOS?"

On a few occasions, Attrition has been asked if we will remove a data loss entry. In many cases, a company's representative feels that since the incident wasn't conclusively proven to have had personal data compromised, it's imperative that the listing of the company come down as well. While this is certainly understandable, Attrition will not remove entries of companies with potential data loss incidents.

There are several reasons for this -- primarily, Attrition's web page and database are services to the security community, just as a news outlet is. We report on data loss incidents, either confirmed or in question. As part of our reporting, we gather statistics and serve as a record. Attrition's statistics, for instance, are a very valuable part of the service we provide. Our staff are often questioned on the subject of data loss incidents and current trends in the subject matter, and we have even been asked by the United States government to assist with research regarding said incidents.

[...]

From Dissent at pogowasright.org Wed Feb 21 10:34:36 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 21 Feb 2007 10:34:36 -0500
Subject: [Dataloss] [update] TJX says computer security breach wider than previously reported
Message-ID: <7.0.0.16.2.20070221103316.05220d78@nowhere.org>

http://www.madison.com/tct/business/index.php?ntid=119919&ntpid=0

TJX Cos., operators of Marshall's and T.J. Maxx discount retail stores, said Wednesday a security breach into its computer systems was more extensive than previously reported.
TJX had thought the intrusion into its customer data files took place between May 2006 and January 2007, but has since learned its computer system also was hacked into in July 2005 and other periods during that year.

Credit and debit card data from transactions at its U.S. and Puerto Rican stores and credit card-only transactions at Canadian stores from January 2003 through June 2004 were stolen.

Also believed stolen are some drivers' license numbers together with related names and addresses associated with unreceipted merchandise returns at TJX's T.J. Maxx, Marshalls and Home Goods stores in the U.S. and Puerto Rico for the last four months of May 2003, as well as for May and June 2004. TJX said it will notify those customers it can identify whose drivers' license numbers, names and addresses were taken.

Additionally, T.J. Maxx customers in Britain and Ireland may also have been compromised, the company said.

Names and addresses were not included with the stolen credit and debit card data. Also, debit card PIN numbers, information from transactions at the company's Bob's Stores and transactions made with Canadian bank debit cards are not believed to have been stolen.

TJX did not disclose the number of accounts affected, and said its investigation is ongoing.

From Dissent at pogowasright.org Wed Feb 21 14:27:53 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 21 Feb 2007 14:27:53 -0500
Subject: [Dataloss] [follow-up] 8th Circuit upholds conviction in Acxiom data-theft case
Message-ID: <7.0.0.16.2.20070221142704.0265b180@nowhere.org>

http://www.pbcommercial.com/articles/2007/02/21/ap-state-ar/d8ne931o1.txt

LITTLE ROCK - A federal appeals court Wednesday upheld the conviction and 8-year prison sentence given to a Florida man in the theft of 1 billion records that the database manager Acxiom Corp. collected in its work for large corporations.

Scott Levine, 47, owned Snipermail Inc., a Florida company that distributed Internet ads to e-mail addresses.
Prosecutors said Levine and others stole records from Acxiom, a Little Rock company that provides data management services to large corporations for marketing purposes.

Levine, of Boca Raton, Fla., was also ordered to pay $153,395 in restitution to Acxiom, one of the world's largest repositories of personal, financial and corporate data.

The 8th U.S. Circuit Court of Appeals at St. Louis rejected Levine's claims that an Arkansas federal judge should have disallowed references in his trial to his "lavish personal expenditures" and that the judge miscalculated his sentence, among other things.

[...]

From Dissent at pogowasright.org Wed Feb 21 17:27:50 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 21 Feb 2007 17:27:50 -0500
Subject: [Dataloss] Hackers hit Georgia Tech and steal personal info
Message-ID: <7.0.0.16.2.20070221172600.025fc058@nowhere.org>

http://atlanta.bizjournals.com/atlanta/stories/2007/02/19/daily20.html

The personal information of about 3,000 current and former Georgia Tech employees may have been compromised by unauthorized access to a Georgia Tech computer account by unknown sources outside the university, Georgia Tech reported Feb. 21.

The stolen information includes names, addresses, Social Security numbers and other sensitive information, including about 400 state purchasing card numbers. The individuals affected are mostly in the School of Electrical and Computer Engineering, the university said.

[...]
From jericho at attrition.org Wed Feb 21 21:34:07 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 21 Feb 2007 21:34:07 -0500 (EST)
Subject: [Dataloss] Johns Hopkins Breach Notification Letter
Message-ID:

This is the letter sent out to Johns Hopkins employees about the recent breach. For more information: http://attrition.org/dataloss/2007/02/jhh01.html. Typos are my own and _ indicates underlined text.

I personally think this letter is well written, providing details on the nature of the incident, the information potentially lost and what to do in response.

--

Office of the President
242 Garland Hall
3400 N. Charles Street
Baltimore, MD 21218-2691

February 6, 2007

[Name]
[Address]

Dear [Name]:

We learned recently that nine backup computer tapes sent out late in December for conversion to microfiche were not returned to Johns Hopkins. Eight of the nine were payroll tapes containing sensitive, personal information about present and past university employees, _including you_. The ninth tape contained personal, though less sensitive, demographic information on some Johns Hopkins Hospital patients.

The university tapes included names, Social Security numbers and, for employees paid by direct deposit, bank account information. There was also information on birth dates, salary, deductions and retirement plan contributions.

First, I apologize to you on behalf of the university's entire senior leadership. _We do not believe the tapes were stolen or that the information on them has been misused. In fact, the best evidence is that they were inadvertently destroyed_. We have no evidence whatsoever of identity theft arising from this incident. Nevertheless, the loss of tapes containing your personal information is, obviously, a situation of significant concern.
An intensive investigation by both Johns Hopkins and the contractor to whom they were sent has determined that the tapes never reached the contractor. We believe that they were mistakenly left at an intermediate stop by a courier hired by the contractor. We believe it is highly likely that they were thought to be trash, collected and incinerated.

WHAT YOU SHOULD DO

Although the best evidence is that the tapes have been destroyed, you may feel it prudent to take precautions. Detailed suggestions are available at http://www.jhu.edu/identityalert. To summarize information available on that Web site:

You may request free copies of your credit reports. You also may place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts.

To obtain a free annual credit report, go to http://www.annualcreditreport.com or call 877-322-8228. You may wish to stagger your requests so that you receive a free report from one of the three credit bureaus every four months.

To place a fraud alert on your account, call any one of these three major credit bureaus or visit the Experian Web site:

Experian: 888-397-3742 or http://www.experian.com
Equifax: 800-525-6285
TransUnionCorp: 800-680-7289

The process is easy and takes just minutes to complete. If you decide to place a fraud alert with any one of the three bureaus, it will notify the others to place alerts on their records as well. Johns Hopkins has notified the three credit bureaus about this situation; they are aware that Johns Hopkins employees may be calling.

There is information on the Web site at http://www.jhu.edu/identityalert on what you should do if ever you detect any signs of fraud or other problems in your credit report. Again, please consult that Web site for more detailed information on this incident. If you do not have access to the Web, we have set up a telephone number for your use. Call 800-981-7524.
Please know that people falsely identifying themselves as Johns Hopkins representatives could contact you and offer "assistance." Johns Hopkins will not contact you by phone, mail, e-mail or any other method concerning this incident to ask you for personal information. I urge you not to release personal information in response to contacts of this nature.

The university apologizes to you for this very unfortunate occurrence. I am sure you are concerned. Like you, Johns Hopkins takes this matter very seriously. We will review our processes and procedures and do everything we can to prevent a recurrence. We will post any important new information to the Web site.

Sincerely,

William R. Brody

From jericho at attrition.org Fri Feb 23 04:53:36 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 23 Feb 2007 04:53:36 -0500 (EST)
Subject: [Dataloss] followup: Customer Data Breach Began in 2005, TJX Says (fwd)
Message-ID:

---------- Forwarded message ----------
From: InfoSec News
Subject: [ISN] Customer Data Breach Began in 2005, TJX Says

http://www.washingtonpost.com/wp-dyn/content/article/2007/02/21/AR2007022102039.html

By Ellen Nakashima
Washington Post Staff Writer
February 22, 2007

Retail giant TJX, whose stores include discount clothing chains T.J. Maxx and Marshalls, said yesterday that a computer-security breach stretched back 10 months earlier than the company originally thought, compromising credit and debit card data, drivers' license numbers, and names and addresses.

The announcement underscores a trend of security breaches involving sensitive credit card data and reflects failures to properly secure computer systems, to notify customers when breaches occur and to update laws for the cyber-crime age, lawmakers and analysts said.

TJX said that while it first thought the intrusion took place from May 2006 to January 2007, it now thinks its computer system was also hacked in July 2005 and on "various subsequent dates" that year.
The company, which reported the intrusion in January -- a month after it said it discovered the breach -- has not said how many customers may have been affected or how many customers it has notified.

"We don't have a number for you there. Our work is not finished," spokeswoman Sherry Lang said yesterday. More than 50 computer experts are helping TJX investigate the breaches, she said.

Banks that issued the credit cards have not said how much they have had to cover in fraud-related losses.

More than 30 states have laws that require companies to notify customers as soon as possible when a breach has occurred, though most of the statutes let companies delay notification while law enforcement agencies investigate.

A bipartisan group of senators has reintroduced legislation that would mandate customer notification and require companies that maintain personal information to establish internal policies to protect it.

"Americans live in a world where their most sensitive personal information can be accessed and sold to the highest bidder, with just a few keystrokes on a computer, yet our privacy laws haven't kept pace," Sen. Patrick J. Leahy (D-Vt.) said in a statement when the legislation was reintroduced this month.

The credit card industry has set up rules for data protection called the Payment Card Industry Data Security Standard. They include encrypting transmission of cardholder data, regularly testing security systems and processes, and restricting access to data to those with a "need to know."

But most large retailers have not complied with the standard, and noncompliance is about 80 percent among smaller retailers, said Avivah Litan, an analyst with Gartner, an information technology research firm.

Litan said the retailers are not solely to blame. "It's a collective problem with collective responsibility," she said. "Certainly the retailers have to tighten up their systems, but the banks have to strengthen cardholder authentication so even if the data is stolen, it's useless."

Security breaches are difficult to quantify accurately. The Privacy Rights Clearinghouse, a nonprofit research and advocacy group in San Diego, said more than 100 million records of U.S. residents have been exposed by security breaches since February 2005. The privacy group and the nonprofit Identity Theft Resource Center, also in San Diego, found that the majority of breaches they have tracked in the past few years occurred in government, the military and universities.

One of the biggest breaches occurred in 2005, when 40 million credit card numbers, along with name and account information, were exposed by hackers who broke into CardSystems Solutions, a credit card processing center that handled transfers of payments between the banks that issue credit cards and the merchants' banks.

Retailers often keep more data than necessary to process transactions, Litan said. They also keep information longer than necessary, she said.

"The CEOs and senior managers of most retailers that are storing data, like TJX, have no idea they're storing that data," Litan said. "It's basically a legacy of old systems programming." Many retailer systems were built in the 1970s and '80s, before there were hackers.

Many banks are frustrated because they are "left having to pay for the mistakes of retailers," to cover reissuing cards and any losses due to fraud, said Nessa Feddis, senior federal counsel for the American Bankers Association. "Retailers are not protecting the data," she said. "It's not a question of notification. It's a responsibility to protect the data."

The bankers typically do not know the scope of retailer breaches because of confidentiality agreements between the retailers and the issuing card companies, such as Visa and MasterCard.
In Massachusetts, where TJX is headquartered, the Massachusetts Bankers Association stopped surveying its members in connection with the TJX breach after more than 30 banks were alerted by Visa and Master Card that their cards had been compromised by the TJX intrusion, association spokesman Bruce Spitzer said.

TJX operates more than 2,400 stores in the United States, Canada and Europe. They accept Visa, MasterCard, American Express and Discover credit cards.

The company reported yesterday that same-store sales in the fourth quarter rose 5 percent from the comparable quarter a year earlier. The quarter ended Jan. 27, 10 days after the breach was disclosed.

TJX, which is being sued by customers and banks, also reported that it spent $5 million in the fourth quarter to cover costs of the investigation, enhance computer security and communicate with customers.

Fourth-quarter profit fell 29 percent, to $205.5 million. Sales rose 9 percent, to $5.1 billion. For the full fiscal year, TJX profit rose 7 percent, to $738 million. Sales rose 9 percent, to $17.4 billion.

Copyright 2007 The Washington Post Company

From Dissent at pogowasright.org Fri Feb 23 08:50:24 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 23 Feb 2007 08:50:24 -0500
Subject: [Dataloss] Speedmark
Message-ID: <7.0.0.16.2.20070223084742.049d6200@nowhere.org>

http://www.consumeraffairs.com/news04/2007/02/speedmark.html

Speedmark, a marketing services firm that employs "mystery shoppers" to observe employee behavior for client companies, was hit with a data breach when thieves stole computers containing some shoppers' personal data from the company's Woodlands, Texas office.

Several computers were taken, one of which contained a database with personally identifying information on mystery shoppers working for Speedmark. The information included names, addresses, e-mail accounts, and Social Security numbers of Speedmark employees and contractors.

The theft was discovered on Dec.
16, 2006, but many shoppers contracted to Speedmark did not receive letters notifying them of the breach until mid-February, 2007.

[...]

From lyger at attrition.org Fri Feb 23 09:56:28 2007
From: lyger at attrition.org (lyger)
Date: Fri, 23 Feb 2007 09:56:28 -0500 (EST)
Subject: [Dataloss] Former Fruit of the Loom workers' identities compromised
Message-ID:

http://www.thenortheastgeorgian.com/articles/2007/02/23/news/business/01business.txt

A security breach with a Fruit of the Loom database has left former Rabun Apparel Inc., employees on edge.

Word spread rapidly across the North Georgia Technical College campus Tuesday morning about how easily one could access the 1,006 names and Social Security numbers of former employees.

[...]

From Dissent at pogowasright.org Fri Feb 23 13:39:31 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 23 Feb 2007 13:39:31 -0500
Subject: [Dataloss] UK: Security alert as thousands told bank details have been stolen
Message-ID: <7.0.0.16.2.20070223133810.04a4ed18@nowhere.org>

http://www.worcesternews.co.uk/display.var.1216931.0.security_alert_as_thousands_told_bank_details_have_been_stolen.php

THOUSANDS of county council staff are at risk of identity theft after their highly confidential bank and national insurance details were stolen.

A laptop computer containing the personal information of up to 19,000 staff - complete with names and addresses - was taken in a street robbery.

Despite the seriousness of the security breach, in a letter to staff Mike Weaver, the director of financial services at Worcestershire County Council, said he did not want to cause 'unnecessary concern'.

He said the laptop was owned and being used by a member of staff employed by the council's IT supplier SERCO who was robbed outside the county 'several days ago'.

"The personal details include names and addresses," he said. "Other details relating to national insurance and bank accounts are also held on the computer but are not so easily deciphered.

"Although the theft appears random rather than planned and the computer is password protected, there is nevertheless a risk that this information might be misused."

[...]

From Dissent at pogowasright.org Fri Feb 23 13:45:24 2007
From: Dissent at pogowasright.org (Dissent)
Date: Fri, 23 Feb 2007 13:45:24 -0500
Subject: [Dataloss] AU: NAB sends customer account details to the wrong people
Message-ID: <7.0.0.16.2.20070223134416.049c39f0@nowhere.org>

http://www.finextra.com/fullstory.asp?id=16564

The National Australia Bank (NAB) has sent the personal banking details of nearly 400 customers to the wrong people.

According to Australian press reports, statements including the account names, numbers and balances of 397 customers were posted to the wrong people after a computer crashed in the bank's post department.

NAB was alerted to the breach last week when a customer told the bank that she had been sent another person's account details.

Around 418 NAB customers who received wrong statements - some received more than one - were asked to destroy them.

NAB spokesman Geoff Lynch told reporters that the bank took full responsibility for the incident. Affected customers were informed of the blunder by phone and were sent a formal letter of apology.

Lynch claims there is nothing in the statements that exposes anyone to fraud risk.

The bank says it has informed the Federal Privacy Commissioner, the Banking and Financial Services Ombudsman and the Australian Prudential Regulatory Authority of the incident.
Last month UK high street bank Hbos said it had launched an investigation into how a customer who requested a copy of her bank statement ended up being sent the confidential details of 75,000 other account holders.

From lyger at attrition.org Sat Feb 24 14:11:11 2007
From: lyger at attrition.org (lyger)
Date: Sat, 24 Feb 2007 14:11:11 -0500 (EST)
Subject: [Dataloss] Customer data stolen from Japan Post worker
Message-ID:

http://www.yomiuri.co.jp/dy/national/20070225TDY02003.htm

A Japan Post employee's bag containing personal information on 290,000 customers was stolen last month from a parked car in Soka, Saitama Prefecture, according to Japan Post.

[...]

However, the memory device contained about 290,000 postal transfer account holders' names, addresses, account numbers and account opening dates as well as the names and account numbers of 31 postal savings account holders.

[...]

From rforno at infowarrior.org Sat Feb 24 19:59:52 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Sat, 24 Feb 2007 19:59:52 -0500
Subject: [Dataloss] Think Your Social Security Number Is Secure? Think Again
Message-ID:

February 24, 2007
Your Money

Think Your Social Security Number Is Secure? Think Again

By DAMON DARLIN

http://www.nytimes.com/2007/02/24/business/24money.html?pagewanted=print

It should come as little surprise that Social Security numbers are posted on the Internet. But, says Betty Ostergren, a former insurance claims supervisor in suburban Richmond, Va., who has spent years trolling for them, "people are always astounded" to learn that theirs is one of them.

Mrs. Ostergren, 57, has made a name for herself as a gadfly as she took on a lonely and sometimes frustrating mission to draw attention to the situation.
With addresses, dates of birth and maiden names often associated with Social Security numbers, she said, they are a gift to data thieves.

But in the last few weeks, Mrs. Ostergren's Web site, The Virginia Watchdog -- with the help of lobbying from an unexpected ally, America's farm bureaus -- is having an effect. One by one, states and counties have started removing images of documents that contain Social Security numbers, or they are blocking out the numbers.

Four states, including New York, have removed links to images of public documents containing Social Security numbers. Snohomish County, Wash., for example, said Wednesday that 61 types of documents, including tax liens and marriage certificates, would be blocked. (The documents are supposed to remain public at courthouses or state offices.)

On Wednesday, the Texas attorney general, Greg Abbott, issued a legal opinion that county clerks could be committing a crime by revealing Social Security numbers on the Internet.

"I am almost in a celebratory mode," said David Bloys, a retired private investigator in Shallowater, Tex., who also highlights the public records issue on his Web site, NewsforPublicOfficials.com.

For people wondering if they should be worried about the security of their own numbers, there is a new tool to help them. TrustedID, a company that sells services to consumers to give them more control over who sees their credit reports, has compiled a database of compromised numbers that could already be traded or sold on the Internet. It has created an online search tool, StolenIDSearch.com, where people can check at no cost to see if their number is one that is in a too-public domain. TrustedID said that about 220,000 people had tested their numbers in the three weeks the site has been open to the public.

The Social Security number remains the personal identifier not only for government documents, but for credit applications and medical records, as well as video and cellphone stores.
"In the commercial world, it is ubiquitous when credit is offered," said Chris Jay Hoofnagle, a privacy advocate and senior fellow of the Berkeley Center for Law and Technology at the University of California, Berkeley. "It all flows from the credit system and it flows very far."

Even though Americans are told to protect their Social Security number to prevent identity theft, that is a tall order. The Social Security Administration says its card "was never intended and does not serve as a personal identification document." But that has not been true about the number almost from the outset.

The Social Security numbers that were first handed out in November 1936 as a means for the federal government to track payments to the retirement system were soon used for other purposes. They help track payrolls, loan payments, financial transactions and income taxes. They are necessary for anyone seeking public assistance, like food stamps, or registering for the draft. Congress decreed that the numbers be put on records including professional licenses, marriage licenses and divorce decrees to better track scofflaws of child support orders.

The Social Security number took on a second role. It allowed collectors of data to link pieces of information together, like a driver's license record, credit report data and the information on the warranty card for a toaster. That is a useful tool for marketers and just as useful for criminals.

It was only in 2004 that Congress prohibited states from using the Social Security number on drivers' licenses. Yet the databases with those numbers still exist. Until 2001, states could sell lists with those numbers, which means that for virtually anyone 22 years or older, the name, address, phone number and Social Security number are in private databases.

The nine-digit string took on a third role -- as a password that was supposed to protect all that private information from snoops and criminals. But its ubiquity defeats that purpose, Mr.
Hoofnagle said. "It will pass when the business community no longer needs a Social Security number," he said.

The Social Security Administration's Office of Inspector General said that 16 percent of the 99,000 fraud cases it investigated in the 12-month period that ended Sept. 30 involved the misuse of Social Security numbers. One involved an identity theft ring in Central Florida. Twelve people were convicted, sentenced to prison and ordered to repay more than $2 million.

About 16,000 incidents are not a lot considering that 240 million numbers are currently in use, and certainly theft and fraud involving credit card numbers are much more pervasive. But credit card numbers are rarely exposed on documents in public view. And if a credit card is stolen or misused, obtaining a new one is a fairly simple process. A new Social Security number is rarely granted. (Indeed, one is limited to 3 replacements of the green paper Social Security card in a year and 10 over a lifetime.)

Social Security numbers are routinely traded and sold by thieves over the Internet like credit card numbers, says Panos Anastassiadis, chief executive of Cyveillance, a company in Arlington, Va., that monitors online fraud attempts for major financial institutions. His company has found caches of them in Web chat rooms where they are offered as samples by criminals selling even larger lists.

They are sometimes obtained by "key logging" software surreptitiously installed on home computers to record what is typed. Some come from so-called phishing attacks in which people are misled into entering the data on fake Web sites of banks or utilities.

The numbers are also out in the open. "People think it is the banks, but banks are very secure," Mr. Anastassiadis said. "The problem is every dentist's office has Social Security numbers. Every doctor's office has them. How secure are these?"

It has been Mrs. Ostergren's near obsession to answer that question.
Few things delight her more than finding a number belonging to a celebrity because it draws attention to her cause. "Oh, my Lord!" she exclaimed recently as she stumbled upon the Social Security number of a member of the boldfaced set as she demonstrated how New York State Web sites display documents containing names, addresses and Social Security numbers. "Let me download this one. This is Donald Trump's number. I can't wait to tell him."

Mrs. Ostergren never got through to Mr. Trump to confirm whether the nine-digit identifier was indeed his, but she has found and tried to notify others, including Kelly Ripa, the actress and talk-show host; Jeb Bush, the former governor of Florida; Porter Goss, the former C.I.A. director; and scores of state legislators. She posted links to some of those documents on her site. (New York later made the documents unavailable, so the links no longer work.)

She has found Social Security numbers on tax liens on the official site of Maricopa County in Arizona. In Florida, as in many states, they appear on documents consumers sign when they buy furniture or other merchandise on credit.

Mrs. Ostergren wants the documents taken off the Web, and she applies pressure by using the people whose numbers she finds. "I've been calling people and telling them that they are exposed," Mrs. Ostergren said. "It is not very hard to find the numbers. They are exposed everywhere."

Her Web site may be cluttered with so many typefaces that it resembles a ransom note, but she seems to be having an impact. In the last month she found a pressure point: farmers. Their numbers show up on Uniform Commercial Code filings when they buy machinery or supplies on credit. She showed state farm bureau leaders their numbers; they contacted their state legislators. She has also found common cause with other gadflies like Mr. Bloys.

She has had her share of setbacks as well.
Several state legislators tried to ban her from posting information about their personal data that appeared in public records. She wins no fans among legitimate companies who sell databases. Removing the data from the Internet slows their ability to collect public information, but does not stop them. "There are a lot of people in the data brokerage business who don't like what I do," she said.

From dbloys at door.net Sat Feb 24 21:35:35 2007
From: dbloys at door.net (David Bloys)
Date: Sat, 24 Feb 2007 20:35:35 -0600
Subject: [Dataloss] Think Your Social Security Number Is Secure? Think Again
In-Reply-To:
Message-ID: <01d801c75885$a200bb00$0202a8c0@Office>

A lot has been happening since that article came out. The AG's opinion was a scathing warning for many of the clerks here in Texas. I have been receiving calls and emails from all over the country since last Thursday. Several citizens who have pleaded for years with their local officials to remove their sensitive information from the Internet are intending to bring criminal charges against some of the most obstinate.

The repercussions of the AG's opinion are not limited to Texas. I heard from an attorney representing a well known celebrity today. Social Security numbers belonging to the celebrity and his wife were found on a county website in another state.

I can tell you also that most County websites across Texas have blocked access to the document images on their sites.

David Bloys
News For Public Officials
www.newsforpublicofficials.com

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Richard Forno
Sent: Saturday, February 24, 2007 7:00 PM
To: Blaster
Cc: dataloss at attrition.org
Subject: [Dataloss] Think Your Social Security Number Is Secure? Think Again

February 24, 2007
Your Money
Think Your Social Security Number Is Secure? Think Again
By DAMON DARLIN
http://www.nytimes.com/2007/02/24/business/24money.html?pagewanted=print

It should come as little surprise that Social Security numbers are posted on the Internet. But, says Betty Ostergren, a former insurance claims supervisor in suburban Richmond, Va., who has spent years trolling for them, "people are always astounded" to learn that theirs is one of them.

Mrs. Ostergren, 57, has made a name for herself as a gadfly as she took on a lonely and sometimes frustrating mission to draw attention to the situation. With addresses, dates of birth and maiden names often associated with Social Security numbers, she said, they are a gift to data thieves.

But in the last few weeks, Mrs. Ostergren's Web site, The Virginia Watchdog -- with the help of lobbying from an unexpected ally, America's farm bureaus -- is having an effect. One by one, states and counties have started removing images of documents that contain Social Security numbers, or they are blocking out the numbers.

Four states, including New York, have removed links to images of public documents containing Social Security numbers. Snohomish County, Wash., for example, said Wednesday that 61 types of documents, including tax liens and marriage certificates, would be blocked. (The documents are supposed to remain public at courthouses or state offices.)

On Wednesday, the Texas attorney general, Greg Abbott, issued a legal opinion that county clerks could be committing a crime by revealing Social Security numbers on the Internet. "I am almost in a celebratory mode," said David Bloys, a retired private investigator in Shallowater, Tex., who also highlights the public records issue on his Web site, NewsforPublicOfficials.com.

For people wondering if they should be worried about the security of their own numbers, there is a new tool to help them.
TrustedID, a company that sells services to consumers to give them more control over who sees their credit reports, has compiled a database of compromised numbers that could already be traded or sold on the Internet. It has created an online search tool, StolenIDSearch.com, where people can check at no cost to see if their number is one that is in a too-public domain. TrustedID said that about 220,000 people had tested their numbers in the three weeks the site has been open to the public.

The Social Security number remains the personal identifier not only for government documents, but for credit applications and medical records, as well as video and cellphone stores. "In the commercial world, it is ubiquitous when credit is offered," said Chris Jay Hoofnagle, a privacy advocate and senior fellow of the Berkeley Center for Law and Technology at the University of California, Berkeley. "It all flows from the credit system and it flows very far."

Even though Americans are told to protect their Social Security number to prevent identity theft, that is a tall order. The Social Security Administration says its card "was never intended and does not serve as a personal identification document." But that has not been true about the number almost from the outset.

The Social Security numbers that were first handed out in November 1936 as a means for the federal government to track payments to the retirement system were soon used for other purposes. They help track payrolls, loan payments, financial transactions and income taxes. They are necessary for anyone seeking public assistance, like food stamps, or registering for the draft. Congress decreed that the numbers be put on records including professional licenses, marriage licenses and divorce decrees to better track scofflaws of child support orders.

The Social Security number took on a second role.
It allowed collectors of data to link pieces of information together, like a driver's license record, credit report data and the information on the warranty card for a toaster. That is a useful tool for marketers and just as useful for criminals.

It was only in 2004 that Congress prohibited states from using the Social Security number on drivers' licenses. Yet the databases with those numbers still exist. Until 2001, states could sell lists with those numbers, which means that for virtually anyone 22 years or older, the name, address, phone number and Social Security number are in private databases.

The nine-digit string took on a third role -- as a password that was supposed to protect all that private information from snoops and criminals. But its ubiquity defeats that purpose, Mr. Hoofnagle said. "It will pass when the business community no longer needs a Social Security number," he said.

The Social Security Administration's Office of Inspector General said that 16 percent of the 99,000 fraud cases it investigated in the 12-month period that ended Sept. 30 involved the misuse of Social Security numbers. One involved an identity theft ring in Central Florida. Twelve people were convicted, sentenced to prison and ordered to repay more than $2 million.

About 16,000 incidents are not a lot considering that 240 million numbers are currently in use, and certainly theft and fraud involving credit card numbers are much more pervasive. But credit card numbers are rarely exposed on documents in public view. And if a credit card is stolen or misused, obtaining a new one is a fairly simple process. A new Social Security number is rarely granted. (Indeed, one is limited to 3 replacements of the green paper Social Security card in a year and 10 over a lifetime.)
Social Security numbers are routinely traded and sold by thieves over the Internet like credit card numbers, says Panos Anastassiadis, chief executive of Cyveillance, a company in Arlington, Va., that monitors online fraud attempts for major financial institutions. His company has found caches of them in Web chat rooms where they are offered as samples by criminals selling even larger lists. They are sometimes obtained by "key logging" software surreptitiously installed on home computers to record what is typed. Some come from so-called phishing attacks in which people are misled into entering the data on fake Web sites of banks or utilities.

The numbers are also out in the open. "People think it is the banks, but banks are very secure," Mr. Anastassiadis said. "The problem is every dentist's office has Social Security numbers. Every doctor's office has them. How secure are these?"

It has been Mrs. Ostergren's near obsession to answer that question. Few things delight her more than finding a number belonging to a celebrity because it draws attention to her cause. "Oh, my Lord!" she exclaimed recently as she stumbled upon the Social Security number of a member of the boldfaced set as she demonstrated how New York State Web sites display documents containing names, addresses and Social Security numbers. "Let me download this one. This is Donald Trump's number. I can't wait to tell him."

Mrs. Ostergren never got through to Mr. Trump to confirm whether the nine-digit identifier was indeed his, but she has found and tried to notify others, including Kelly Ripa, the actress and talk-show host; Jeb Bush, the former governor of Florida; Porter Goss, the former C.I.A. director; and scores of state legislators. She posted links to some of those documents on her site. (New York later made the documents unavailable, so the links no longer work.)

She has found Social Security numbers on tax liens on the official site of Maricopa County in Arizona.
In Florida, as in many states, they appear on documents consumers sign when they buy furniture or other merchandise on credit.

Mrs. Ostergren wants the documents taken off the Web, and she applies pressure by using the people whose numbers she finds. "I've been calling people and telling them that they are exposed," Mrs. Ostergren said. "It is not very hard to find the numbers. They are exposed everywhere."

Her Web site may be cluttered with so many typefaces that it resembles a ransom note, but she seems to be having an impact. In the last month she found a pressure point: farmers. Their numbers show up on Uniform Commercial Code filings when they buy machinery or supplies on credit. She showed state farm bureau leaders their numbers; they contacted their state legislators. She has also found common cause with other gadflies like Mr. Bloys.

She has had her share of setbacks as well. Several state legislators tried to ban her from posting information about their personal data that appeared in public records. She wins no fans among legitimate companies who sell databases. Removing the data from the Internet slows their ability to collect public information, but does not stop them. "There are a lot of people in the data brokerage business who don't like what I do," she said.

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 149 million compromised records in 580 incidents over 7 years.

--
Internal Virus Database is out-of-date.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.18.1/691 - Release Date: 02/17/2007 5:06 PM
From Kim_Nash at ziffdavis.com Sat Feb 24 22:11:57 2007
From: Kim_Nash at ziffdavis.com (Nash, Kim)
Date: Sat, 24 Feb 2007 22:11:57 -0500
Subject: [Dataloss] Think Your Social Security Number Is Secure? ThinkAgain
Message-ID:

> I can tell you also that most County websites across Texas have blocked
> access to the document images on their sites.

What bothers me and other Sunshine Law and FOIA advocates (and users) is that these documents are being blocked or removed, instead of simply redacted of personal information.

-- Kim

From dbloys at door.net Sat Feb 24 23:02:43 2007
From: dbloys at door.net (David Bloys)
Date: Sat, 24 Feb 2007 22:02:43 -0600
Subject: [Dataloss] Think Your Social Security Number Is Secure? ThinkAgain
In-Reply-To:
Message-ID: <01db01c75891$ce05b050$0202a8c0@Office>

This bothers me as well. I work with courthouse documents every day. However, neither the Sunshine Laws nor FOIA promised remote access via the Internet to records that belong to the citizens. These laws were intended to make the records available to citizens who visited the repositories. They were never intended to be available to an identity thief sitting in an Internet cafe in Nigeria or a terrorist from his home computer in Iran.

You have to also consider what information would need to be redacted, SSN's of course but there is much more sensitive information contained in the documents than just the SSN's. When you consider that anything you use to identify yourself can and has been used by identity thieves to identify themselves as their victims then it is clear. In many cases, identity thieves don't need a Social. It is handy but only because it can be used to gather more information on the victim.
Criminals can easily use a signature copied from a County Website to steal a home. I know of one victim who had his home stolen twice. The FBI has called deed and mortgage fraud the fastest growing white collar crime in America.

Keeping the records within the four walls of the courthouse is a system that has worked for centuries. Of course, this system left little opportunity for identity thieves or data aggregators to profit at taxpayer expense.

The safest solution has always been the simplest. The images should never be connected to a computer that is in turn connected to any network that reaches outside the jurisdiction of the repository. Most County Clerks in Texas have come to this realization although some needed the added inducement of an AG opinion. The indexes, which truly are government documents, are still available on the county website but the people's papers (deeds, mortgages, leases etc.) are kept at the local repository.

David Bloys
News For Public Officials
http://www.newsforpublicofficials.com

-----Original Message-----
From: Nash, Kim [mailto:Kim_Nash at ziffdavis.com]
Sent: Saturday, February 24, 2007 9:12 PM
To: David Bloys; Richard Forno
Cc: dataloss at attrition.org
Subject: RE: [Dataloss] Think Your Social Security Number Is Secure? ThinkAgain

> I can tell you also that most County websites across Texas have blocked
> access to the document images on their sites.

What bothers me and other Sunshine Law and FOIA advocates (and users) is that these documents are being blocked or removed, instead of simply redacted of personal information.

-- Kim
From george at georgetoft.com Sun Feb 25 22:21:51 2007
From: george at georgetoft.com (George Toft)
Date: Sun, 25 Feb 2007 20:21:51 -0700
Subject: [Dataloss] How to Steal 80,000 Identities in One Day
Message-ID: <45E2524F.307@georgetoft.com>

Tom Clancy style "Fiction" but well worth 5 minutes to read.

http://www.informit.com/guides/content.asp?g=security&seqNum=243&rl=1

--
George Toft, CISSP, MSIS
623-203-1760

From lyger at attrition.org Tue Feb 27 11:36:25 2007
From: lyger at attrition.org (lyger)
Date: Tue, 27 Feb 2007 11:36:25 -0500 (EST)
Subject: [Dataloss] 4 arrested in security breach at Stop & Shop
Message-ID:

http://www.eyewitnessnewstv.com/Global/story.asp?S=6148256&nav=F2DO

Four people are arrested in connection with the thefts of account and personal information from several Stop-and-Shop stores in Rhode Island and Massachusetts.

Company spokeswoman Faith Weiner says the suspects were arrested last night outside the supermarket chain's store in Coventry, Rhode Island. She tells W-P-R-O A-M that store employees observed the suspects trying to tamper with checkout lane keypads.

[...]

From bkdelong at pobox.com Tue Feb 27 12:15:43 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Tue, 27 Feb 2007 12:15:43 -0500
Subject: [Dataloss] 4 arrested in security breach at Stop & Shop
In-Reply-To:
References:
Message-ID:

As a some-time shopper of MA-based Stop and Shops, I find this ridiculous. Where the hell were the "Loss prevention" folks on this one? They have cameras and, in some cases, an office that overlooks the entire store floor. I bet they were tampering with the Self-Checkout lines as no store staff is around them unless they throw up the red light....and only then after one waits for several minutes.
They go to the kiosk, reset and go back to the other registers. I just don't understand how someone could get away with this in such a public setting.

On 2/27/07, lyger wrote:
>
> http://www.eyewitnessnewstv.com/Global/story.asp?S=6148256&nav=F2DO
>
> Four people are arrested in connection with the thefts of account and
> personal information from several Stop-and-Shop stores in Rhode Island and
> Massachusetts.
>
> Company spokeswoman Faith Weiner says the suspects were arrested last
> night outside the supermarket chain's store in Coventry, Rhode Island. She
> tells W-P-R-O A-M that store employees observed the suspects trying to
> tamper with checkout lane keypads.
>
> [...]

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From dbloys at door.net Wed Feb 28 07:57:54 2007
From: dbloys at door.net (David Bloys)
Date: Wed, 28 Feb 2007 06:57:54 -0600
Subject: [Dataloss] FW: Legislative CALL TO ACTION re Attorney General opinion on public records
Message-ID: <018a01c75b38$1194a940$0202a8c0@Office>

-----Original Message-----
From: CTR [mailto:ctr at satx.rr.com]
Sent: Tuesday, February 27, 2007 9:55 PM
To: ctr at satx.rr.com
Subject: Legislative CALL TO ACTION re Attorney General opinion on public records

As you know by now, the Texas Attorney General issued an Opinion (GA-0519) last week (2/21/07) that basically said it is a crime (that could subject a County Clerk to fines, jail time or both) to disclose SSNs in public records (land records and other courthouse records may be public, but people have a right for personal identification in them, such as SSNs, to remain confidential). The AG opinion cited both state (Sec. 552.147 of the Texas Government Code) and federal (Public Information Act) laws.

So, most County Clerks overreacted, by preventing abstractors, surveyors, etc. from searching public records, either entirely or at least until county personnel could review the documents first.

Now, the Texas state House of Representatives will be voting on emergency legislation soon, probably tomorrow (Wed 2/28/07), that may remove the portion of state law that caused the AG to limit access to public records.

Recent efforts to solve this problem before it got this far have been incomplete, centering around redaction, which is usually done by an expensive computer program that crawls through documents and blacks out SSNs it finds. Such programs have been consistently shown to miss lots of SSNs. And removing SSNs one by one, by county personnel, is an overwhelming task that will take years to get right. We need to get records back in the courthouse.
Before the internet, access to personal information has always been limited by requiring a personal visit to a courthouse. And most of the people who search them are professionals who keep this information protected. For example, laws that regulate licensing of Texas Registered Professional Land Surveyors, also require that they perform their duties to a higher standard of moral and ethical responsibility that already requires the protection of such personal information. And, title abstractors are bound by their contracts with mortgage lenders to keep non-public personal information (NPPI) secret during a job, and destroy it once the job is done, under previous Federal law (the Gramm-Leach-Bliley Act of 1999).

It is possible that by asking our legislators for a specific solution, we may get somewhere. Any change to state law will still leave County Clerks open to violating Federal law, because once documents are out on a county clerk's website, or they are sold in bulk to a website that resells them (CourthouseDirect, etc.) for anyone in the world to download, the SSNs are out of the county's control.

We should ask legislators to be specific in reopening access to records, but ONLY at the local level, in person, at the courthouse. They should require removal of documents from all county websites, and put a moratorium on further bulk sales to 3rd parties.

Please contact, by fax or email, your legislators with some version of the following message. Follow the link below and just enter your address to find out who your elected officials are:
http://www.fyi.legis.state.tx.us/

Dear Senator (name) or Dear Representative (name),

The February 21, 2007 ruling (GA-0519) by the Attorney General of Texas relative to the duties of a County Clerk, under Section 552.147 of the Texas Government Code as enacted by the 79th Legislative session, has had unintended consequences in the access to the public records of all counties of Texas.
As I am sure you are aware, the initial reaction of some County Clerks, based on advice from their County Attorney, has been to close both physical and internet-based access to the public records in light of the potential for criminal offense liability if access is allowed to information restricted by the Public Information Act (PIA). This denial of access has had immediate detrimental and/or devastating effect on the ability of abstractors, surveyors, and private investigators to perform the necessary research in the transaction of real property rights and the issuance of title insurance.

You can easily project the delay and cost for all parties, when researchers are faced with having to request a large number of public record copies, only to wait for the County Clerk to have to review each document on an individual basis.

The state legislature will be taking up the issue soon in an attempt to give relief to County Clerks. But, any change to state law will still leave County Clerks open to violating Federal law, because once images of documents are put on a county clerk's website, or they are sold in bulk to a website that resells them, for anyone in the world to download, SSNs and other confidential personal data are totally out of the county's control.

I ask you to be specific in rewriting the law to reopen access to records, but ONLY at the local level, in person, at the courthouse. And at the same time, make the law require removal of document images from all county websites, and put a moratorium on further bulk sales to 3rd parties. This way, County Clerks, and only those professionals they know by name and see on a daily basis, can once more be the gatekeepers and safeguarders of this restricted personal information.

As your constituent and a research professional of the State of Texas, I am respectfully requesting your personal involvement in an immediate response to this crisis resulting from unintended consequences of state law.
Sincerely,
(your name, address, phone etc.)

From Dissent at pogowasright.org Wed Feb 28 14:25:08 2007
From: Dissent at pogowasright.org (Dissent)
Date: Wed, 28 Feb 2007 14:25:08 -0500
Subject: [Dataloss] Gulf Coast Med. Computer Theft
Message-ID: <7.0.0.16.2.20070228142324.0596b678@nowhere.org>

http://www.wmbb.com/servlet/Satellite?pagename=WMBB%2FMGArticle%2FMBB_BasicArticle&c=MGArticle&cid=1149193437207&path=!news!archives

BAY COUNTY, Fla. - While no identity cases have surfaced yet, the threat has. Gulf Coast Medical Center announced Tuesday, 1200 patients had personal information stolen. The information was in a computer that went missing in Nashville, TN in November.

Rod Whiting with Gulf Coast Medical Center says no one has come forward with identity theft problems thus far. Gulf Coast did implement a new security system for laptop computers close to a year ago. Each laptop comes equipped with a lock to secure the laptop.
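The CTR message forwarded above states that automated redaction programs crawl documents for SSNs and consistently miss many of them. The Python below is an added illustration written for this archive, not code from any poster or product named on the page: a single-pass pattern redactor run over constructed deed text, followed by a QA pass that undoes line wraps and OCR confusables to surface the numbers the first pass left behind. The sample document and every number in it are made up.

```python
import re

# Constructed sample of deed text as it might come back from a scanner/OCR pass.
# Every number here is made up for the example; none is a real SSN.
SAMPLE_DOC = """\
WARRANTY DEED   Recording No. 2007-001234
Grantor: John Q. Sample, SSN: 123-45-6789
Grantee: Jane R. Sample, SS# 234 56 7890
Co-signer taxpayer ID 345-67-
8901 (continued from previous page)
Witness ID (OCR output): l23-45-6789
Contact phone: 512-555-0123
"""

# Matches 123-45-6789, 123 45 6789 or 123456789 on word boundaries.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Letters that OCR engines commonly emit in place of digits.
OCR_CONFUSABLES = str.maketrans({"l": "1", "I": "1", "O": "0", "o": "0", "S": "5", "B": "8"})


def is_plausible_ssn(area, group, serial):
    """Structural rules the SSA publishes for issued numbers: the area is never
    000, 666 or 900-999, the group is never 00 and the serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def redact_ssns(text):
    """Single-pass pattern redactor of the kind the message describes.
    Returns (redacted_text, number_of_redactions)."""
    count = 0

    def blackout(m):
        nonlocal count
        if not is_plausible_ssn(*m.groups()):
            return m.group(0)  # nine digits that cannot be an SSN: leave them alone
        count += 1
        return "[SSN REDACTED]"

    return SSN_RE.sub(blackout, text), count


def residual_ssns(redacted):
    """QA pass run after redaction: rejoin numbers wrapped across a line break,
    map OCR confusables back to digits, then re-scan. Anything returned is a
    candidate the first pass missed and a human should review."""
    joined = re.sub(r"-\s*\n\s*", "-", redacted)      # "345-67-\n8901" -> "345-67-8901"
    normalised = joined.translate(OCR_CONFUSABLES)      # "l23-45-6789"  -> "123-45-6789"
    return [
        "-".join(m.groups())
        for m in SSN_RE.finditer(normalised)
        if is_plausible_ssn(*m.groups())
    ]


if __name__ == "__main__":
    cleaned, n = redact_ssns(SAMPLE_DOC)
    print(f"first pass redacted {n} number(s)")
    print(cleaned)
    print("still present after normalisation:", residual_ssns(cleaned))
```

The QA pass reports candidates for human review rather than rewriting the normalised text, because normalisation changes the document itself.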