From MKEVHILL at aol.com Mon Oct 1 03:19:23 2007
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Sun, 30 Sep 2007 23:19:23 EDT
Subject: [Dataloss] GA: Trashed Documents Create ID Scare
Message-ID:

http://www.11alive.com/news/article_news.aspx?storyid=103923

Sensitive documents were found in a trash dumpster behind a strip shopping center in Morrow. The shopping center is located at the intersection of Mt. Zion Road and Jonesboro Road. The file folders had copies of people's driver's licenses, social security cards, and their addresses. The material could potentially become an identity theft nightmare.

The documents were apparently dumped by someone with The Invision HR Staffing Group. The company recently changed its name and has moved from Morrow to College Park.

Nick Campbell works for a retailer in the strip shopping center and said he found the documents Saturday when he went to the dumpster to throw out some trash. He called the Morrow Police Department. He says the officer saw the files and said there was nothing he could do about it. Campbell says he then took it upon himself to remove the sensitive material from the dumpster so that no one else would take advantage of the private information.


From lyger at attrition.org Tue Oct 2 11:20:56 2007
From: lyger at attrition.org (lyger)
Date: Tue, 2 Oct 2007 11:20:56 +0000 (UTC)
Subject: [Dataloss] Hackers open data of group's workers
Message-ID:

http://www.nwanews.com/adg/News/203129/

A hacker illegally gained access to a computer of The Nature Conservancy containing personal information on about 14,000 people, including current and former Nature Conservancy employees and their dependents, the nonprofit organization confirmed Monday. Those affected include 36 employees in Arkansas.

According to an e-mail the Arlington, Va., organization sent its employees, the hacker used a Web site to gain access to a Nature Conservancy computer Sept. 12.

[...]

The stolen information included the names, home addresses, Social Security numbers and birth dates of current and former U.S.-based employees who had worked at the Conservancy during the past seven years.

[...]


From lyger at attrition.org Wed Oct 3 11:30:43 2007
From: lyger at attrition.org (lyger)
Date: Wed, 3 Oct 2007 11:30:43 +0000 (UTC)
Subject: [Dataloss] GA: Personal data was on missing ARMC server
Message-ID:

http://www.onlineathens.com/stories/100307/news_20071003074.shtml

A computer missing from a Regional First Care clinic in Watkinsville held the personal information of more than 1,400 people, according to Athens Regional Health Services, the parent corporation of Athens Regional Medical Center and the clinic.

Workers at the 1010 Village Drive clinic first noticed on Sept. 24 that the Dell Optiplex GX-620 computer was missing. The computer held Social Security numbers for 85 people, some health information for 545 people and the name, address and/or telephone numbers of 811 people, ARHS chief information officer Timothy Penning said in a news release Tuesday.

No credit card or other financial information was stored on the computer, which was a backup server for the Watkinsville clinic.

[...]


From rchicker at etiolated.org Wed Oct 3 13:33:39 2007
From: rchicker at etiolated.org (rchick)
Date: Wed, 3 Oct 2007 09:33:39 -0400
Subject: [Dataloss] Stolen credit cards Bally Total Fitness
Message-ID:

http://www.thebostonchannel.com/news/14254005/detail.html

BOSTON -- Six people were indicted Tuesday for allegedly stealing more than 350 credit cards from men's locker rooms at Bally Total Fitness health clubs around the country and using the cards to get more than $350,000 in cash advances at horse race tracks in several states.

Five residents of Massachusetts and one resident of Texas are charged with aggravated identity theft and credit card fraud.

Prosecutors allege that Dennis Savarese, 50, of Austin, Texas, used his memberships at two national health club chains -- Bally's and 24 Hour Fitness -- to get access to locker rooms at gyms throughout the country.

To get into members' lockers, he used a book published by the Locksmith Association that lists serial numbers and matching combinations for Master Lock combination locks, prosecutors claim.

Prosecutors said Savarese stole the credit cards, then left the rest of the locker undisturbed and put the lock back on the lockers. Most victims did not immediately notice that they were missing a credit card, and when they did notice, they usually believed they had simply lost the card, prosecutors said.

[...]

The defendants are accused of stealing credit cards in various states, including California, Maryland, Minnesota, Texas and Washington. They are accused of using the stolen cards to get cash advances at race tracks in several states, including Arizona, California, Washington and Missouri.

[...]

Prosecutors said the thefts occurred over a two-year period, beginning in June 2005. Most weeks, Savarese stole between five and 10 credit cards from as many as three different gyms, according to the indictment. The men usually used the cards to get cash advances of between $1,000 and $9,000, but occasionally, the advances were more than $20,000, the indictment states.

It could not immediately be determined if Savarese had retained an attorney yet. Attorneys for the other defendants did not immediately return calls seeking comment Tuesday.

A spokesman for Bally's could not immediately be reached for comment. A message was left at the health club chain's Chicago headquarters.

[...]


From jericho at attrition.org Wed Oct 3 22:07:32 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 3 Oct 2007 22:07:32 +0000 (UTC)
Subject: [Dataloss] follow-up: TJX and job opening
Message-ID:

---------- Forwarded message ----------
From: Paul Ferguson

Via Emergent Chaos.

[snip]

If you need a change in your life, consider this job posting:

Title: IT Security Architecture Manager Needed
Company: TJX Companies
Location: Framingham, MA
Skills: Very strong technical security background in both the mainframe and distributed environments.
Term: Full Time
Pay: DOE
Length: Full Time
Detail: TJX Companies is seeking an IT Security Architecture Manager who has at least 6 years experience in Information Technology and certification related to the security profession (CISSP, CISA, CISM) preferred.

http://www.emergentchaos.com/archives/2007/10/looking_for_a_challenge_l.html


From lyger at attrition.org Thu Oct 4 13:29:30 2007
From: lyger at attrition.org (lyger)
Date: Thu, 4 Oct 2007 13:29:30 +0000 (UTC)
Subject: [Dataloss] MA: Data for 450,000 mistakenly released
Message-ID:

http://www.boston.com/news/local/articles/2007/10/04/data_for_450000_mistakenly_released/

The Massachusetts Division of Professional Licensure has launched an internal probe and announced plans to review its protocols after the Social Security numbers of about 450,000 licensed professionals were inadvertently released.

The information was mailed last month to agencies that submitted a public records request for the names and addresses of professionals licensed by the division, said Kofi Jones, a spokeswoman for the state Executive Office of Housing and Economic Development, which oversees the division.

The division mailed 28 computer disks to 23 agencies that use the information as a marketing or promotional tool. Officials said that 26 of the 28 disks have been recovered and that they do not believe anyone's personal information was compromised.

[...]


From jericho at attrition.org Fri Oct 5 12:28:31 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 5 Oct 2007 12:28:31 +0000 (UTC)
Subject: [Dataloss] follow-up: TJX Judge: Consumers Selling Vouchers Won't Cut It
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.eweek.com/article2/0,1895,2192056,00.asp

By Evan Schuman
October 4, 2007

A U.S. District Court judge says the idea puts too much of the burden on the consumers.

When U.S. District Court Judge William G. Young told lawyers Sept. 27 that he had serious concerns about the proposed TJX settlement, he also took issue with the part that would allow for consumers to turn the vouchers into cash by selling them.

In a courtroom exchange, TJX attorney Harvey J. Wolkoff argued that there is an easy way for a consumer to turn the vouchers into cash. "These vouchers are fully transferable, so that someone can take a $30 voucher and sell it on eBay -- I've never done it myself -- and get $25," Wolkoff said.

Replied Young: "Too hard for me, Mr. Wolkoff. Too hard for me. These are consumers. People know how to cash checks. Saying, 'Go to eBay and negotiate it' won't cut it."

[...]


From lyger at attrition.org Fri Oct 5 15:02:47 2007
From: lyger at attrition.org (lyger)
Date: Fri, 5 Oct 2007 15:02:47 +0000 (UTC)
Subject: [Dataloss] Germany: Theft of credit card data affects tens of thousands of Kartenhaus customers
Message-ID:

http://www.heise.de/english/newsticker/news/96992

The Hamburg ticket sales office Kartenhaus informed its customers on Thursday that still unidentified culprits had stolen credit card numbers and billing addresses. Some 66,000 customers who purchased tickets with a credit card from the Kartenhaus.de website between October 24, 2006 and September 30, 2007 were affected. The only exceptions were credit card purchases of tickets to sporting events featuring Hertha BSC, HSV Handball, and Eisbären Berlin. The parent company, Ticketmaster, advised customers to "check your credit card bills as soon as possible to identify any irregularities or abuse".

It is still not known how the thief or thieves gained access to the data. Apparently only one server was affected. Ticketmaster Europe's Vice President, Tommy Higgins, said that as soon as the attack was discovered, an internal team was assembled to track down the security hole and to inform all necessary personnel.

[...]
From lyger at attrition.org Fri Oct 5 18:56:11 2007
From: lyger at attrition.org (lyger)
Date: Fri, 5 Oct 2007 18:56:11 +0000 (UTC)
Subject: [Dataloss] UK: Laptop theft sparks ID fears
Message-ID:

http://www.manchestereveningnews.co.uk/news/s/1018735_laptop_theft_sparks_id_fears

Hundreds of people have been placed at risk of identity theft after a laptop computer containing personal and financial details was stolen from a car, it was revealed today.

HM Customs and Revenue is investigating the incident after an employee's laptop was stolen from the boot of a car. The computer contained sensitive financial details of at least 400 people which had been passed to the HMRC by several financial institutions as part of an audit.

HMRC confirmed that the computer, which disappeared overnight on September 20, did hold customer information but said it was protected by "top level encryption".

[...]


From lyger at attrition.org Sat Oct 6 20:19:13 2007
From: lyger at attrition.org (lyger)
Date: Sat, 6 Oct 2007 20:19:13 +0000 (UTC)
Subject: [Dataloss] Canada: Privacy breach at MacEwan
Message-ID:

http://www.edmontonsun.com/News/Edmonton/2007/10/04/4550530.html

A city college chose not to inform students and others whose personal credit information was left publicly available through its Internet site, it has confirmed.

MacEwan College was cited in the auditor general's report this week after a tipster told the AG's office about the security breach in 2006. It mirrored access problems in 2002-2003, the AG's report confirmed.

The college chose not to tell those whose personal information was included in the accessible journal entries based on an assessment of risk by its Freedom of Information and Protection of Privacy office, said MacEwan spokesman Gordon Turtle.

[...]

According to the auditor general's investigation, the breach included computer scans of "employee and student information such as credit card numbers, copies of cheques, signatures, addresses, as well as college information such as bank account numbers and deposit receipts."

[...]


From jericho at attrition.org Mon Oct 8 16:19:07 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 8 Oct 2007 16:19:07 +0000 (UTC)
Subject: [Dataloss] Student reporter who discovered university security breach punished but not expelled
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.splc.org/newsflash.asp?id=1621

By Moriah Balingit
SPLC staff writer
October 5, 2007

OREGON -- When Western Oregon University student journalist Blair Loving opened up a mysteriously placed file on the university's public server last June, he thought he would find information about the College of Education. Instead, he uncovered a file containing the names, Social Security numbers, grade point averages and other sensitive information of former students.

Loving's decision to download the file so that the campus newspaper, the Western Oregon Journal, could report on the security breach nearly ended his tenure as a student and led to the dismissal of the paper's adviser, Susan Wickstrom, for allegedly mishandling a copy of the file and for failing to advise the students about the university's computer policies.

Loving learned at a disciplinary hearing Sept. 28 that he would not be expelled, but the infraction will remain on his record. Wickstrom was informed in August that her contract would not be renewed.

"I worked there for seven years ...and I really feel like I had an excellent relationship with the students," Wickstrom said. "So I was really shocked and stunned to not have my contract renewed."

[...]
From lyger at attrition.org Mon Oct 8 18:12:21 2007
From: lyger at attrition.org (lyger)
Date: Mon, 8 Oct 2007 18:12:21 +0000 (UTC)
Subject: [Dataloss] IA: UI contacts former students after laptop theft
Message-ID:

http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20071008/NEWS01/71008002/1079

The University of Iowa is informing 184 former and current students that their grade information was contained on a laptop computer stolen from a former teaching assistant now living in Arizona.

The computer, which was stolen last month in a break-in of the instructor's home, contained class records such as attendance, test scores, and grades of students who took his philosophy courses at the UI between 2002 and 2006. Social security numbers (SSNs) were also present in 100 of the records.

UI Information Technology Security Officer Jane Drews analyzed backup copies of the files and found them an unlikely source for committing identity theft.

"The instructor buried the files in his directory structure and obfuscated the social security numbers," Drews said. "While they were not encrypted, popular SSN scanning tools were unable to detect SSNs in any of the five files."

[...]


From lyger at attrition.org Mon Oct 8 21:36:53 2007
From: lyger at attrition.org (lyger)
Date: Mon, 8 Oct 2007 21:36:53 +0000 (UTC)
Subject: [Dataloss] PA: Professor's laptops stolen; contained unsecured student information
Message-ID:

(from Carnegie Mellon University's student newspaper)

http://www.thetartan.org/2007/10/8/news/laptop

The first weekend in September was notable for most students as it was the end of the first week of classes. For a small percentage of the student body population, it was the weekend that their social security numbers left campus, stored in the unencrypted files of two stolen laptop computers.

According to University Police reports filed on Sept. 2, the laptops were stolen from the office of a computer science professor in Wean Hall. The door is believed to have been locked and there were no signs of forced entry, according to case officer Lieutenant John Race of the Carnegie Mellon University Police.

[...]

Students whose social security numbers were stored on the stolen computers were informed of the theft on the weekend of Sept. 29. The e-mail provided students with general information about the theft as well as a website address through which they could set up a Fraud Alert system on their banking and credit accounts which would notify them of any suspicious credit patterns in the future. Further protective action was left to the discretion of the individual student.

[...]


From hbrown at knology.net Tue Oct 9 12:14:57 2007
From: hbrown at knology.net (Henry Brown)
Date: Tue, 09 Oct 2007 07:14:57 -0500
Subject: [Dataloss] Semtech Corporation data loss
Message-ID: <470B70C1.70504@knology.net>

Semtech Corporation is a leading supplier of high-quality analog and mixed-signal semiconductor products. The company is dedicated to providing customers with proprietary solutions and breakthrough technology in power management, protection, advanced communications, human interface, test & measurement, as well as wireless and sensing products. The Company's integrated circuits (ICs) are employed in communications, computer and computer-peripheral, automated test equipment, industrial and other commercial applications.

http://www.pacbiztimes.com/index.cfm?go2=articles/wk_100807b

Semtech faces identity-theft threat
By Stephen Nellis
Staff Writer
Oct. 8, 2007

Semtech has notified its U.S. employees of a potential breach of their personal data. The Camarillo-based chipmaker said a laptop computer and other personal belongings were stolen from one of its vendors. The computer was not stolen from a Semtech facility, but "may have contained computerized data relating to Semtech employees."

Semtech notified all of its U.S. employees in late September, although the company declined to say how many of its 690 employees are based in the United States. The firm also declined to name the vendor from whom the computer was stolen. The vendor that lost the laptop will pay for identity-theft protection services for all of Semtech's employees for one year.

Semtech declined to provide further details of the incident, such as what personal employee data may have been put at risk, when the theft happened or how long it took the company to inform its workers of the potential breach.

(...)


From lyger at attrition.org Tue Oct 9 14:55:02 2007
From: lyger at attrition.org (lyger)
Date: Tue, 9 Oct 2007 14:55:02 +0000 (UTC)
Subject: [Dataloss] MA: Personal info of Pembroke workers, volunteers accessible for months
Message-ID:

http://www.patriotledger.com/articles/2007/10/09/news/news01.txt

Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system.

The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem, School Superintendent Frank Hackett said.

"It was not easy to get to, but it was there, so, ultimately, there was some exposure to confidential personal data," Hackett said Monday. "It just was there, lying dormant, unless you came across it through a search engine".

Hackett said the files may still exist as what are known as cached files on the Google search engine.

[...]
From jericho at attrition.org Tue Oct 9 15:32:12 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 9 Oct 2007 15:32:12 +0000 (UTC)
Subject: [Dataloss] Nevada Law Mandates Encryption of Electronically-Transmitted Personal Information
Message-ID:

---------- Forwarded message ----------
From: John Payton
To: privacy at whitestar.linuxbox.org

Nevada has enacted a data security law that mandates encryption for the transmission of personal information (see Nev. Rev. Stat. § 597.970 (2005)). Specifically, the Nevada encryption statute generally prohibits a business in Nevada from transferring "any personal information of a customer through an electronic transmission," except via facsimile, "unless the business uses encryption to ensure the security of electronic transmission."[1] The Nevada encryption law goes into effect on October 1, 2008.

More: http://mofo.com/news/updates/bulletins/12866.html


From cwalsh at cwalsh.org Tue Oct 9 16:04:01 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Tue, 9 Oct 2007 11:04:01 -0500
Subject: [Dataloss] Nevada Law Mandates Encryption of Electronically-Transmitted Personal Information
In-Reply-To:
References:
Message-ID: <20071009160347.GA13994@cwalsh.org>

Does this mean that Nevada has changed the definition of "encryption" that they use in their laws?

Last I looked, the definition they used was very broad (http://www.leg.state.nv.us/Statutes/70th/Stats199916.html#Stats199916page2704):

"Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

On Tue, Oct 09, 2007 at 03:32:12PM +0000, security curmudgeon wrote:
>
>
> ---------- Forwarded message ----------
> From: John Payton
> To: privacy at whitestar.linuxbox.org
>
> Nevada has enacted a data security law that mandates encryption for the
> transmission of personal information (see Nev. Rev. Stat. § 597.970
> (2005)). Specifically, the Nevada encryption statute generally prohibits
> a business in Nevada from transferring "any personal information of a
> customer through an electronic transmission," except via facsimile,
> "unless the business uses encryption to ensure the security of electronic
> transmission."[1] The Nevada encryption law goes into effect on October 1,
> 2008.
>
> More: http://mofo.com/news/updates/bulletins/12866.html
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml


From lyger at attrition.org Tue Oct 9 21:08:42 2007
From: lyger at attrition.org (lyger)
Date: Tue, 9 Oct 2007 21:08:42 +0000 (UTC)
Subject: [Dataloss] Semtech Corporation data loss
In-Reply-To: <470B70C1.70504@knology.net>
References: <470B70C1.70504@knology.net>
Message-ID:

On Tue, 9 Oct 2007, Henry Brown wrote:

: http://www.pacbiztimes.com/index.cfm?go2=articles/wk_100807b
: Semtech faces identity-theft threat

from the article:

"Robert Siciliano, CEO of IDTheftSecurity.com, said that Semtech is likely doing everything it could and should in the wake of potentially stolen employee data. If Semtech quickly notified its workers of a possible breach and ensured access to identity theft protection services, Siciliano said, then the Camarillo company took "a strong approach to preventing identity from occurring. It's unfortunate that it has to be reactive, but that's just the way things go when this happens." Siciliano said there is little Semtech could have done to prevent the incident."

[...]

Errr... "little Semtech could have done"? How about a nice policy regarding NOT putting personal information on mobile devices, especially laptops, with penalties up to and including termination of employment for doing so?


From adam at homeport.org Wed Oct 10 05:53:10 2007
From: adam at homeport.org (Adam Shostack)
Date: Wed, 10 Oct 2007 01:53:10 -0400
Subject: [Dataloss] Nevada Law Mandates Encryption of Electronically-Transmitted Personal Information
In-Reply-To:
References:
Message-ID: <20071010055310.GA2472@homeport.org>

too bad they exclude fax.

http://www.emergentchaos.com/archives/2005/06/florida_hospita.html
http://www.emergentchaos.com/archives/2006/02/brigham_and_wom.html
http://www.emergentchaos.com/archives/2006/03/cibc_one_customers_wire_t.html

On Tue, Oct 09, 2007 at 03:32:12PM +0000, security curmudgeon wrote:
|
|
| ---------- Forwarded message ----------
| From: John Payton
| To: privacy at whitestar.linuxbox.org
|
| Nevada has enacted a data security law that mandates encryption for the
| transmission of personal information (see Nev. Rev. Stat. § 597.970
| (2005)). Specifically, the Nevada encryption statute generally prohibits
| a business in Nevada from transferring "any personal information of a
| customer through an electronic transmission," except via facsimile,
| "unless the business uses encryption to ensure the security of electronic
| transmission."[1] The Nevada encryption law goes into effect on October 1,
| 2008.
|
| More: http://mofo.com/news/updates/bulletins/12866.html


From jericho at attrition.org Wed Oct 10 13:32:17 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 10 Oct 2007 13:32:17 +0000 (UTC)
Subject: [Dataloss] follow-up: TJX Revises Consumer Settlement, Agrees to Pay Cash
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.eweek.com/article2/0,1895,2193685,00.asp

By Evan Schuman
October 9, 2007

Hours before a federal judge demanded that TJX address key concerns about its proposed settlement, the merchant behind the biggest retail data breach ever agreed to some key changes, including offering a cash alternative to its voucher offer.

The biggest objection to the initial proposed settlement had been that consumer victims were only offered $30 vouchers for making purchases at stores owned by The TJX Companies. Under a new proposed settlement that was filed late Oct. 9, attorneys for both sides are now proposing giving consumers a choice: either the $30 voucher or a $15 check.

The objection to the voucher-only deal was that TJX could be using the settlement as a way to potentially boost sales, relying on consumers to buy more than $30 worth of merchandise. The new proposal still makes the vouchers seem twice as compelling as the checks, but with the addition of a cash alternative, the proposal is more likely to get the approval of U.S. District Court Judge William G. Young.

[...]
From lyger at attrition.org Wed Oct 10 14:04:00 2007
From: lyger at attrition.org (lyger)
Date: Wed, 10 Oct 2007 14:04:00 +0000 (UTC)
Subject: [Dataloss] OH: Official loses vacation days after data theft
Message-ID:

http://zanesvilletimesrecorder.com/apps/pbcs.dll/article?AID=/20071010/UPDATES01/71010008/1002/NEWS01

COLUMBUS (AP) -- A supervisor for the state's massive new online financial system will lose a week of vacation over the theft of a computer backup device carrying the Social Security numbers of thousands of Ohioans and other sensitive data, officials said.

Jerry Miller, 49, a team leader for Ohio's new payroll and accounting system, didn't follow an order given nearly three months before the theft to move the sensitive data from a common computer drive to a secure directory.

Miller understood the order but did not relay it to the employees he supervised, and they continued to store sensitive information on the computer drive, according to an investigation by the Department of Administrative Services.

The backup device was stolen in June from the car of Justin Ilovar, 22, an intern at the state's Office of Management and Budget. Ilovar had been responsible for taking the device home overnight for safekeeping.

[...]


From lyger at attrition.org Wed Oct 10 14:14:07 2007
From: lyger at attrition.org (lyger)
Date: Wed, 10 Oct 2007 14:14:07 +0000 (UTC)
Subject: [Dataloss] Data Breach No. 4 Comes From Outside Pfizer
Message-ID:

http://www.theday.com/re.aspx?re=8bd92db3-bb26-4c59-83ac-6c13fd6796fd

Pfizer Inc. employees, already wracked by three data breaches this year, have been getting notices in their mailboxes about yet another security problem, this time with no direct connection to the company.

The spouses and domestic partners of about 1,800 Pfizer employees, including 23 from Connecticut, learned late last month about a data breach at Wheels Inc., which provides cars to the company, mostly for use by its sales force.

It could not be determined how many local residents were affected, but a company spokeswoman pointed out that the Pfizer Global Research & Development benefits package does not include company cars and salespeople do not work out of local offices.

The breach at Wheels, first reported by the Pharmalot Web site, released onto the Internet names, addresses, birth dates and driver's license numbers, but not Social Security numbers, according to the company.

[...]


From lyger at attrition.org Wed Oct 10 18:39:09 2007
From: lyger at attrition.org (lyger)
Date: Wed, 10 Oct 2007 18:39:09 +0000 (UTC)
Subject: [Dataloss] Commerce Bank says hacking damage was limited
Message-ID:

http://www.infoworld.com/article/07/10/10/Commerce-Bank-hacking-damage-was-limited_1.html

A regional bank in the U.S. said it was able to deflect most of a hacking attempt on its database, but not before some customer information was divulged.

Commerce Bank, which operates banks in five U.S. states, said Tuesday that a hacker gained access to a database with about 3,000 customer records and accessed data belonging to 20 of them. The bank is contacting those who may have been affected.

The hacking was quickly detected and stopped, according to Commerce Bank, which then notified law enforcement.

[...]
From lyger at attrition.org Thu Oct 11 16:54:55 2007 From: lyger at attrition.org (lyger) Date: Thu, 11 Oct 2007 16:54:55 +0000 (UTC) Subject: [Dataloss] (update) Medical group manager gets prison for stealing patients' records Message-ID: (for those keeping track of the Data Loss Database - Open Source, this event would be DL-0053) http://attrition.org/dataloss/dldos.html ---------- Forwarded message ---------- From: InfoSec News Date: Thu, 11 Oct 2007 00:16:28 -0500 (CDT) http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/10/10/BA6VSN2NJ.DTL SAN JOSE - A former branch manager at the San Jose Medical Group has been sentenced to almost two years in prison for stealing medical records for about 187,000 patients, federal prosecutors said today. Joseph Nathaniel Harris, 44, pleaded guilty in May to one count of health care-related theft after he stole computer equipment from his former employer, including a DVD that contained patients' names, Social Security numbers, medical diagnoses and other information, the U.S. attorney's office said. Harris was sentenced Friday in U.S. District Court in San Jose to 21 months in prison and three years of supervised release. Judge Jeremy Fogel also ordered him to pay $145,154 in restitution. Harris, now an Anaheim resident, was directed to begin his sentence Jan. 4. [...] From lyger at attrition.org Fri Oct 12 11:50:47 2007 From: lyger at attrition.org (lyger) Date: Fri, 12 Oct 2007 11:50:47 +0000 (UTC) Subject: [Dataloss] WA: County workers' data on stolen laptop Message-ID: http://seattletimes.nwsource.com/html/localnews/2003944263_missingdata12m.html The King County Transportation Department has informed 1,400 current and former employees that a laptop computer containing personal information about them has been stolen. Workers' names, addresses and Social Security numbers were on the password-protected laptop, which was stolen during a Sept. 28 home burglary. 
The information was not encrypted, department spokeswoman Rochelle Ogershok said Thursday.

The laptop was taken from the home of a Transportation Department human-resources employee while the employee was traveling outside the country, Ogershok said. The employee routinely carries the laptop from one work site to another.

[...]

From lyger at attrition.org Sat Oct 13 07:55:30 2007
From: lyger at attrition.org (lyger)
Date: Sat, 13 Oct 2007 07:55:30 +0000 (UTC)
Subject: [Dataloss] MT: MSU computers hacked

http://newbillingsoutpost.com/news//index.php?option=com_content&task=view&id=19799&Itemid=27

Montana State University security experts have determined that an unknown hacker remotely accessed a computer server that housed records containing credit card numbers and social security numbers of students who enrolled online for MSU Extended University courses during the last two years.

The data in question were encrypted, and there is no evidence that personal information was stolen. However, the Extended University is sending information by mail to 1,400 people known to have personal information on the server. The letter includes information on how to receive a free credit report, flag a credit file with a fraud alert and monitor accounts for suspicious activity.

"Even though we don't believe any data was stolen, we are treating this as a serious situation and want to alert these students to the possibility that they were affected," said Cathy Conover, MSU spokesperson.

[...]

From csullo at gmail.com Mon Oct 15 17:21:12 2007
From: csullo at gmail.com (Sullo)
Date: Mon, 15 Oct 2007 13:21:12 -0400
Subject: [Dataloss] CA: Schwarzenegger vetoes data-breach bill

http://www.securityfocus.com/brief/607?ref=rss

California Governor Arnold Schwarzenegger vetoed a bill on Saturday that would have prevented companies from retaining certain sensitive payment data and spelled out what information firms would need to disclose in the event of a breach.
The bill, identified as Assembly Bill 779, would have prohibited the storage of "payment verification codes, ... PIN verification values, or any payment related data that is not needed for business purposes," [...]

--
http://www.cirt.net | http://www.osvdb.org/

From lyger at attrition.org Mon Oct 15 21:43:48 2007
From: lyger at attrition.org (lyger)
Date: Mon, 15 Oct 2007 21:43:48 +0000 (UTC)
Subject: [Dataloss] (update) CT: Employee Suspended Following Theft Of Taxpayer Computer Data

http://www.courant.com/news/custom/topnews/hc-laptopemployee,0,5290585.story

A supervisor at the state Department of Revenue Services was suspended without pay Monday after an investigation into the theft of his laptop computer that contained the names and Social Security numbers of 106,000 Connecticut taxpayers.

Jason Purslow was suspended for six weeks. His computer was stolen from his car in August at a hotel in New York. Police say it was possible the vehicle was not locked because there were no signs of a break-in.

[...]

From lyger at attrition.org Mon Oct 15 21:45:10 2007
From: lyger at attrition.org (lyger)
Date: Mon, 15 Oct 2007 21:45:10 +0000 (UTC)
Subject: [Dataloss] TSA Laptops With Personal Info Missing

http://ap.google.com/article/ALeqM5jVsQSGHmxE5jv_4QU9UxSKo2ggGQD8S9SORO3

Two laptop computers with detailed personal information about commercial drivers across the country who transport hazardous materials are missing and considered stolen.

The laptops belong to a contractor working for the Transportation Security Administration and contain the names, addresses, birthdays, commercial driver's license numbers and, in some cases, Social Security numbers of 3,930 people, according to an Oct. 12 letter from TSA to lawmakers.
The contractor told TSA that the personal information was deleted from the computers before they were stolen, the letter stated. But after the second laptop was stolen, TSA investigators discovered that a person with data recovery skills could recover the personal information that the contractor deleted.

[...]

From rforno at infowarrior.org Tue Oct 16 12:06:22 2007
From: rforno at infowarrior.org (Richard Forno)
Date: Tue, 16 Oct 2007 08:06:22 -0400
Subject: [Dataloss] Verizon Says It Turned Over Data Without Court Orders

Verizon Says It Turned Over Data Without Court Orders
Firm's Letter to Lawmakers Details Government Requests

By Ellen Nakashima
Washington Post Staff Writer
Tuesday, October 16, 2007; A01

Verizon Communications, the nation's second-largest telecom company, told congressional investigators that it has provided customers' telephone records to federal authorities in emergency cases without court orders hundreds of times since 2005.

The company said it does not determine the requests' legality or necessity because to do so would slow efforts to save lives in criminal investigations.

In an Oct. 12 letter replying to Democratic lawmakers, Verizon offered a rare glimpse into the way telecommunications companies cooperate with government requests for information on U.S. citizens.

Verizon also disclosed that the FBI, using administrative subpoenas, sought information identifying not just a person making a call, but all the people that customer called, as well as the people those people called. Verizon does not keep data on this "two-generation community of interest" for customers, but the request highlights the broad reach of the government's quest for data.
The disclosures, in a letter from Verizon to three Democrats on the House Energy and Commerce Committee investigating the carriers' participation in government surveillance programs, demonstrated the willingness of telecom companies to comply with government requests for data, even, at times, without traditional legal supporting documents.

The committee members also got letters from AT&T and Qwest Communications International, but those letters did not provide details on customer data given to the government. None of the three carriers gave details on any classified government surveillance program.

< - >

http://www.washingtonpost.com/wp-dyn/content/article/2007/10/15/AR2007101501857_pf.html

From MKEVHILL at aol.com Tue Oct 16 12:14:33 2007
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Tue, 16 Oct 2007 08:14:33 EDT
Subject: [Dataloss] Administaff says laptop containing employee information missing

http://www.reuters.com/article/companyNewsAndPR/idUSWNAS639820071015

Administaff Inc said a company laptop computer containing personal information about individuals who were its worksite employees during calendar year 2006 has been reported missing.

The personal information was not saved in an encrypted location and this is a violation of company policies, Administaff said in a statement.

The data included names, addresses and social security numbers for most worksite employees paid by Administaff in 2006, it said.

From MKEVHILL at aol.com Wed Oct 17 02:08:37 2007
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Tue, 16 Oct 2007 22:08:37 EDT
Subject: [Dataloss] Home Depot Laptop With Personal Employee Data Stolen

http://www.thebostonchannel.com/news/14353117/detail.html

BOSTON -- Team 5 Investigates has confirmed that a Home Depot laptop containing the personal information of 10,000 employees has been stolen from the home of a worker in Massachusetts.

NewsCenter 5's Sean Kelly reported Tuesday that employees nationwide are potentially impacted.

The retailer tells Team 5 Investigates it is confident that this personal information was not the thief's target, but that is little consolation to thousands of Home Depot workers, including Anthony Garro, of Salem. He and his wife both received letters from Home Depot headquarters in Atlanta telling them that their personal information may be in the wrong hands.

"They can get your Social Security number, date of birth, you know. They can open up an account, anything," Garro said.

............

Team 5 Investigates has confirmed that the laptop was stolen from the personal car of an unnamed Massachusetts employee, while the car was parked at his residence. Home Depot will not disclose the city or town.

............

Home Depot said it regrets any inconvenience and is offering free credit monitoring for a year.

Mike

From jericho at attrition.org Wed Oct 17 05:48:06 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 17 Oct 2007 05:48:06 +0000 (UTC)
Subject: [Dataloss] followup: TSA Demands Encryption Following Dual Laptop Loss

---------- Forwarded message ----------
From: InfoSec News

http://www.eweek.com/article2/0,1895,2199122,00.asp

By Lisa Vaas
eWeek.com
October 16, 2007

All data must be encrypted, the TSA orders, after the loss of laptops holding hazmat driver data.

Following the loss and possible theft of two laptops containing the personal data of 3,930 truckers who handle hazardous materials, the Transportation Security Administration has mandated that contractors must encrypt any and all data on top of any deletion policies they have in place.

According to a letter the TSA sent to lawmakers on Oct. 12, the laptops - both of which belonged to a TSA contractor - contain names, addresses, birthdays, commercial driver's license numbers and, in some instances, Social Security numbers of the affected truckers.

First, one laptop was lost. At that time, the contractor, L-1 Identity Solutions' Integrated Biometric Technology division, told the TSA that the truckers' information had been deleted from the system, TSA Public Affairs Manager Ann Davis told eWEEK. Then, another laptop disappeared. After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the deleted information could be retrieved if a thief had the proper training.

[..]

From MKEVHILL at aol.com Wed Oct 17 14:33:03 2007
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Wed, 17 Oct 2007 10:33:03 EDT
Subject: [Dataloss] Laptop With Social Security Numbers Inside Stolen From School Administrator

http://www.thepittsburghchannel.com/news/14352765/detail.html

VANDERGRIFT, Pa. -- A school district laptop with personal information and Social Security numbers in it was stolen earlier this month in the Pittsburgh area.

Police said someone stole the computer from a Kiski Area High School administrator's car in either Wilkinsburg or Edgewood on Oct. 8.

The assistant superintendent said he reported the incident because of identity theft risks.

mike

From lyger at attrition.org Wed Oct 17 19:37:46 2007
From: lyger at attrition.org (lyger)
Date: Wed, 17 Oct 2007 19:37:46 +0000 (UTC)
Subject: [Dataloss] 9 years of La. applicants' data lost

http://www.chron.com/disp/story.mpl/ap/nation/5222008.html

Sensitive data for virtually all Louisiana college applicants and their parents over the past nine years were in a case lost last month during a move, officials said.

The Louisiana Office of Student Financial Assistance was advised to not say how many records were involved and the media format in which they were stored, Executive Director Melanie Amrhein said Wednesday. The state Attorney General's Office is investigating the loss.

The lost case held backup data for every Louisiana application for federal student aid - just about anyone who applied to college - from 1998 through Sept. 13 of this year, Amrhein (AM-rine) said. It also involved anyone who had a college savings account under the START Saving Program or who applied for the TOPS scholarship program in those years.

The data included Social Security numbers for applicants and their parents; the bank account information for START account holders also was involved.

[...]
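The TSA follow-up above (the eWeek forward about the two L-1 laptops) rests on one fact that is worth seeing rather than taking on trust: an ordinary delete removes the directory entry and leaves the data blocks where they were, so anyone who can read the raw disk carves the records straight back out, and only overwriting the blocks, or never storing the data in the clear, closes that gap. The Python below is an added example written for this archive; it is not code from TSA, L-1 Identity Solutions or anyone on this list. The flat-file disk model, the block size, the record layout and the driver records are all constructed for the demonstration (fictitious names and SSN-shaped numbers); a real recovery tool does the same scan over a block device or a disk image instead of a bytearray.

```python
import re
import secrets

BLOCK = 512  # block size of the toy disk; an assumption made for the demo

# Constructed sample records: fictitious names and SSN-shaped numbers.
SAMPLE_RECORDS = [
    b"Doe, Jane|CDL-A|123-45-6789\n",
    b"Roe, Richard|CDL-B|987-65-4321\n",
]

# What a carving tool looks for: nnn-nn-nnnn bounded by non-word bytes.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


class ToyDisk:
    """Flat model of a disk: a bytearray of blocks plus a directory mapping
    file name -> (offset, length).  As on most real filesystems, unlink()
    only forgets the mapping; the bytes stay until something reuses them."""

    def __init__(self, nblocks=16):
        self.image = bytearray(nblocks * BLOCK)
        self.directory = {}
        self._next_block = 0

    def write_file(self, name, data):
        """Append a file to the next free blocks and record it in the directory."""
        nblocks = -(-len(data) // BLOCK)  # ceiling division
        if self._next_block + nblocks > len(self.image) // BLOCK:
            raise OSError("toy disk full")
        off = self._next_block * BLOCK
        self.image[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self._next_block += nblocks
        return off

    def unlink(self, name):
        """Ordinary delete: drop the directory entry, leave the data blocks alone."""
        del self.directory[name]

    def shred(self, name, passes=1):
        """Overwrite the file's extent with random bytes, then unlink it."""
        off, length = self.directory[name]
        for _ in range(passes):
            self.image[off:off + length] = secrets.token_bytes(length)
        del self.directory[name]


def carve_ssns(image):
    """Recovery-tool view: scan the raw bytes and ignore the directory entirely."""
    return [m.group().decode("ascii") for m in SSN_RE.finditer(bytes(image))]


def demo(shred=False):
    """Write the constructed driver file, delete it one of two ways, then carve.
    Returns the SSN-shaped strings still recoverable from the raw image."""
    disk = ToyDisk()
    disk.write_file("hazmat_drivers.txt", b"".join(SAMPLE_RECORDS))
    if shred:
        disk.shred("hazmat_drivers.txt")
    else:
        disk.unlink("hazmat_drivers.txt")
    assert "hazmat_drivers.txt" not in disk.directory  # "deleted" either way
    return carve_ssns(disk.image)


if __name__ == "__main__":
    print("after plain unlink:", demo(shred=False))  # both numbers come back
    print("after overwrite   :", demo(shred=True))   # nothing left to carve
```

The directory says the file is gone in both runs; only the raw scan tells them apart. Overwriting is still not a complete answer on flash media, where wear levelling can leave the old blocks untouched, which is one reason encryption at rest is the stronger control than any deletion policy.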
From lyger at attrition.org Thu Oct 18 17:27:18 2007
From: lyger at attrition.org (lyger)
Date: Thu, 18 Oct 2007 17:27:18 +0000 (UTC)
Subject: [Dataloss] NC: WPD Website Revealed Personal Information

http://www.wect.com/Global/story.asp?S=7231751&nav=2gQc

The Wilmington Police Department has fixed a big problem on their new website P2C or Police to Citizens. Along with providing police reports, the website also listed stolen social security numbers, drivers license numbers and North Carolina ID numbers.

WECT discovered the problem on the day the site was launched and notified the police department.

[...]

From lyger at attrition.org Thu Oct 18 18:54:52 2007
From: lyger at attrition.org (lyger)
Date: Thu, 18 Oct 2007 18:54:52 +0000 (UTC)
Subject: [Dataloss] OH: UC Students' Personal Information Stolen

http://www.local12.com/news/local/story.aspx?content_id=35011124-74e7-4f96-8644-baf54bf00990

The personal information of thousands of University of Cincinnati students and graduates has been stolen. A flash drive was taken from a U.C. Employee last month. It had the Social Security numbers and other data for more than 7,000 people.

[...]

From jericho at attrition.org Mon Oct 22 05:15:22 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 22 Oct 2007 05:15:22 +0000 (UTC)
Subject: [Dataloss] Identity Thieves, Methods More Diverse Than Believed, Study Finds (fwd)

---------- Forwarded message ----------
From: dan at geer.org

Identity Thieves, Methods More Diverse Than Believed, Study Finds
By CHRISTOPHER CONKEY
The Wall Street Journal
October 20, 2007; Page A5

WASHINGTON -- As government agencies, schools and many businesses ponder how to combat identity theft, a new research project is challenging some popular assumptions about such crimes and the people who commit them.
Results of the study by researchers at the Center for Identity Management and Information Protection at Utica College, New York, found that contrary to the stereotype of a typical offender as a well-educated white male exploiting his computer savvy, the identity thieves and the methods they use are surprisingly diverse.

The study, which looked at more than 500 Secret Service cases that closed between January 2000 and March 2007, found that 54% of the offenders were black, 38% were white. Nearly one-third were female. About 71% had no previous criminal record, and many cases involved sloppy data-security practices by businesses like retail stores.

The results of the study are slated to be presented at an economic-crime conference Monday in Virginia.

[..]

From lyger at attrition.org Tue Oct 23 10:45:41 2007
From: lyger at attrition.org (lyger)
Date: Tue, 23 Oct 2007 10:45:41 +0000 (UTC)
Subject: [Dataloss] WV: 200,000 notified of missing tape containing personal information

http://www.dailymail.com/story/News/200710232/200-000-notified-of-missing-tape-containing-personal-information/

West Virginia officials are alerting 200,000 past and current members of three health insurance programs that a computer tape containing some personal information is missing.

The tape, containing such information as names, addresses and Social Security numbers, slipped out of a package shipped Oct. 12 by the state Public Employees Insurance Agency to a Pennsylvania analyst it uses. The information comes from PEIA as well as the Children's Health Insurance Program and the AccessWV high risk insurance pool.

Officials believe the package came unglued in transit, and do not suspect theft, Department of Administration Spokeswoman Diane Holley said.

[...]
From lyger at attrition.org Tue Oct 23 17:24:28 2007
From: lyger at attrition.org (lyger)
Date: Tue, 23 Oct 2007 17:24:28 +0000 (UTC)
Subject: [Dataloss] FL: Bonanza for identity theft in trash behind Sarasota Blockbuster

http://www.heraldtribune.com/article/20071023/NEWS/710230558

Jonathan Murray was fishing in a trash container for boxes Friday when he found what could have been a thief's bonanza.

Amongst the trash from a Blockbuster video store were membership forms and employment applications that included names, addresses, credit card numbers and Social Security numbers.

"The sad part is that even after I told Blockbuster about it, I went back the next day to go get some more boxes, and this time I found credit card stuff," said Murray, a Sarasota resident.

Federal and state officials said no law was broken in the incident, but Florida law puts the onus on Blockbuster to inform its customers of the security lapse.

[...]

From lyger at attrition.org Tue Oct 23 17:30:42 2007
From: lyger at attrition.org (lyger)
Date: Tue, 23 Oct 2007 17:30:42 +0000 (UTC)
Subject: [Dataloss] UT: Personal information compromised on Dixie State computer system

http://www.thespectrum.com/apps/pbcs.dll/article?AID=/20071023/NEWS01/71023004

An unauthorized person reportedly gained access to Dixie State College's computer system and gained access to confidential files, including Social Security numbers, birth date information and addresses for some alumni and current DSC employees.

The college's Information Technology staff became aware of the incident, which took place Sept. 11. No credit card or financial data was compromised.

Once DSC officials became aware of the incident, the compromised files, which contained approximately 11,000 names of those who graduated or worked at DSC from 1986 to 2005, were immediately deleted from the server.
In addition, law enforcement officials, the Utah State Attorney General's Office and the Utah Higher Education Commissioner's office were notified.

[...]

From jericho at attrition.org Tue Oct 23 20:07:34 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 23 Oct 2007 20:07:34 +0000 (UTC)
Subject: [Dataloss] Federal Security Breaches Double in Four Months

---------- Forwarded message ----------
From: Paul Ferguson

Via GovExec.

[snip]

Federal agencies report an average of 30 incidents a day in which Americans' personally identifiable information is exposed, double the incidents reported early this summer, according to the top information technology executive in the Bush administration.

The Office of Management and Budget issued a memo in July 2006 requiring agencies to report security incidents that expose personally identifiable information to the U.S. Computer Emergency Readiness Team within one hour of the security incident. In June 2007, 40 agencies reported almost 4,000 such security incidents, an average of about 14 per day. As of this week, the average had increased to 30 a day, said Karen Evans, administrator of the Office of Electronic Government and Information Technology at OMB.

[snip]

More:
http://www.govexec.com/story_page.cfm?articleid=38348

From jericho at attrition.org Wed Oct 24 06:53:41 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 24 Oct 2007 06:53:41 +0000 (UTC)
Subject: [Dataloss] TJX Breach More Than Twice As Bad As Had Been Reported

---------- Forwarded message ----------
From: Paul Ferguson

[snip]

Despite TJX having reported some 46 million consumers impacted, new documents now identify that number as about 96 million, including about 29 million MasterCard victims and 65 million Visa victims, according to documents filed with the federal court on Tuesday.

The new numbers came to light in filing from attorneys representing some of the banks now suing TJX.
[snip]

More:
http://storefrontbacktalk.com/story/102407tjx

From lyger at attrition.org Wed Oct 24 14:15:06 2007
From: lyger at attrition.org (lyger)
Date: Wed, 24 Oct 2007 14:15:06 +0000 (UTC)
Subject: [Dataloss] MA: Not Your Average Joe's restaurants hit with data breach

http://boston.bizjournals.com/boston/stories/2007/10/22/daily30.html

Massachusetts restaurant chain Not Your Average Joe's issued a statement Tuesday that said its Massachusetts restaurants were targeted by an individual or individuals seeking to illegally obtain credit card data.

"We are shocked that this has happened and are taking the situation very seriously," the statement, which was published on the company's Web site, read. "We sincerely apologize to our customers for any inconvenience that this issue may cause them. We take this issue seriously, and want our customers to understand how they may be impacted."

The Dartmouth, Mass.-based chain said an external investigation into the cause and impact is still on-going.

[...]

From lyger at attrition.org Wed Oct 24 15:15:11 2007
From: lyger at attrition.org (lyger)
Date: Wed, 24 Oct 2007 15:15:11 +0000 (UTC)
Subject: [Dataloss] ME: 'Potential Breach' of Confidential Student Data (Bates College)

http://media.www.batesstudent.com/media/storage/paper1116/news/2007/10/23/News/potential.Breach.Of.Confidential.Student.Data-3050562.shtml

Two publicly accessible documents that contained the record of nearly 500 recipients of the federal Perkins Loan along with each recipient's address, date of birth, Social Security number, legal name and loan amount were uncovered on the Bates network by The Bates Student on Oct. 13. All that was necessary to access the files was a Bates username and password.

The information which is intended to be private could easily be used for identification theft.
Because this information could be used for this purpose, Maine statute 1346 known as "the Notice of Risk to Personal Data Act," enacted this past spring, requires Bates to notify the affected students that the data has been potentially compromised. Information and Library Services Vice President Gene Weimers was uncertain at press time whether or not the Maine statute requires them to notify the Maine Attorney General.

Managing News Editor Conor Hurley of The Student informed the Student Financial Services Office (SFS) that the documents were publicly available on Oct. 15. The SFS Office claims to not have received Hurley's correspondence and the documents remained on the server. When Hurley contacted the SFS Office Monday, it attributed the mistake to the Information and Library Services Office but declined further comment.

[...]

From cwalsh at cwalsh.org Wed Oct 24 18:20:21 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Wed, 24 Oct 2007 13:20:21 -0500
Subject: [Dataloss] ME: 'Potential Breach' of Confidential Student Data (Bates College)
Message-ID: <20071024181958.GA100@cwalsh.org>

The law seems clear to me: It applies to "information brokers" and those who hold data for them. Notice to the broker's regulator, or the AG where the broker is not regulated by the state, is mandatory.

How Bates College is an information broker is where things get murky for me.
http://janus.state.me.us/legis/LawMakerWeb/externalsiteframe.asp?ID=280017964&LD=1671&Type=1&SessionID=6

On Wed, Oct 24, 2007 at 03:15:11PM +0000, lyger wrote:
>
> http://media.www.batesstudent.com/media/storage/paper1116/news/2007/10/23/News/potential.Breach.Of.Confidential.Student.Data-3050562.shtml
>
> Two publicly accessible documents that contained the record of nearly 500
> recipients of the federal Perkins Loan along with each recipient's
> address, date of birth, Social Security number, legal name and loan amount
> were uncovered on the Bates network by The Bates Student on Oct. 13. All
> that was necessary to access the files was a Bates username and password.
>
> The information which is intended to be private could easily be used for
> identification theft. Because this information could be used for this
> purpose, Maine statute 1346 known as "the Notice of Risk to Personal Data
> Act," enacted this past spring, requires Bates to notify the affected
> students that the data has been potentially compromised. Information and
> Library Services Vice President Gene Weimers was uncertain at press time
> whether or not the Maine statute requires them to notify the Maine
> Attorney General.
>
> Managing News Editor Conor Hurley of The Student informed the Student
> Financial Services Office (SFS) that the documents were publicly available
> on Oct. 15. The SFS Office claims to not have received Hurley's
> correspondence and the documents remained on the server. When Hurley
> contacted the SFS Office Monday, it attributed the mistake to the
> Information and Library Services Office but declined further comment.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml

From MKEVHILL at aol.com Thu Oct 25 01:41:11 2007
From: MKEVHILL at aol.com (MKEVHILL at aol.com)
Date: Wed, 24 Oct 2007 21:41:11 EDT
Subject: [Dataloss] TX: School Burglars Target Students' Information

http://www.tylerpaper.com/article/20071024/NEWS01/710240339

Four East Texas school districts had campuses burglarized within the past week, and one district has reason to believe the burglars' target may have been their students' Social Security information.

Burglars smashed glass from windows, pried open doors and climbed down a middle school's skylight to gain entry to buildings in the Rains, Kaufman, Edgewood, and Alba-Golden Independent School Districts. Once inside, they tossed drawers, rummaged through filing cabinets and smashed their way into a safe all the while managing to avoid tripping each school's alarm system or alerting their security guards.

In some of the filing cabinets, school officials kept students' personal information, including Social Security numbers.

While law enforcement agencies said it's too early in the investigation to say the burglaries are connected, they did note several similarities - the burglaries were around the same time frame, and petty cash funds kept around the schools were stolen.

.....

mike

From lyger at attrition.org Thu Oct 25 03:07:48 2007
From: lyger at attrition.org (lyger)
Date: Thu, 25 Oct 2007 03:07:48 +0000 (UTC)
Subject: [Dataloss] Another take on Data Loss statistics

Courtesy Dan Geer:

http://attrition.org/dataloss/dlstats.pdf

This may be of interest to those looking into statistical and/or quantitative analysis. If anyone wishes to contact Dan regarding his findings, please email me directly.

From jericho at attrition.org Thu Oct 25 03:11:31 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 25 Oct 2007 03:11:31 +0000 (UTC)
Subject: [Dataloss] How Are U.S. Businesses and Lawmakers Responding to Data Breaches?

---------- Forwarded message ----------
From: Paul Ferguson

Via Wall Street & Technology.

[snip]

There were 305 publicized data breaches affecting nearly 77 million individuals in the United States in the first nine months of 2007, according to the Identity Theft Resource Center, a nonprofit that works to prevent identity theft. Of these incidents, 6.2 percent were reported by banking, credit and financial services institutions.

Law firm Scott + Scott, which recently conducted a separate survey on data breaches with privacy and information management research firm The Ponemon Institute, reports that almost half the data breaches it recorded were attributed to lost or stolen equipment, such as laptops, PDAs and memory sticks. The second largest threat, according to the Colchester, Conn.-based firm, arose from negligent employees, temporary employees and/or contractors. The survey, "The Business Impact of Data Breach," examined the responses of more than 700 U.S.-based C-level executives, managers and IT security officers in midsize to large businesses spanning all industries.
But despite the frequency of such security failures, 42 percent of respondents to the Scott + Scott survey whose companies have suffered data breaches claimed their organization's IT security spending will remain the same in the coming year. Even after suffering a data breach, 46 percent of businesses failed to implement encryption solutions, and 82 percent did not seek legal counsel prior to responding to the incident -- even though they had no prior response plan in place.

[snip]

More:
http://www.wallstreetandtech.com/feed/showArticle.jhtml?articleID=202600763

From lyger at attrition.org Thu Oct 25 03:40:10 2007
From: lyger at attrition.org (lyger)
Date: Thu, 25 Oct 2007 03:40:10 +0000 (UTC)
Subject: [Dataloss] commentary: Data Loss "Unplugged"

http://attrition.org/dataloss/dlunplugged.html

Wed Oct 24 23:33:36 EDT 2007
Lyger

Since July 1, 2005, attrition.org has "officially" been tracking incidents regarding the theft, loss, or exposure of personally identifiable information (PII). In the months since the creation of the Data Loss web page, Data Loss Mail List, and Data Loss Database (Open Source) (aka "DLDOS"), we have been asked many questions about not only why we maintain these resources but also about what criteria we use to determine the inclusion of events into the mail list, web page, and database. For anyone interested, we feel that we should try to clarify our "requirements" and answer any questions that may arise.

First, we can't "report" what we don't know. In most cases, we will only include events that are reported by a legitimate media source. While we could include blog rumors and tips via email from unverified sources, we feel that it's best to have a verifiable and reputable source of information in case there are any questions or concerns regarding the validity of the information contained in our resources. If an event isn't covered by a reputable media source, there's a good chance we may not include it in our resources.
We do understand that work by others such as Chris Walsh, who finds additional breaches through Freedom Of Information Act (FOIA) requests, will uncover breaches not normally reported by media outlets, but attrition.org simply doesn't have the resources to actively pursue such additional information. We applaud Chris for his efforts and hope that he continues to keep up with his endeavors.

[...]

From lyger at attrition.org Thu Oct 25 14:40:10 2007
From: lyger at attrition.org (lyger)
Date: Thu, 25 Oct 2007 14:40:10 +0000 (UTC)
Subject: [Dataloss] OH: Identity data on UA alumni is missing

http://www.ohio.com/news/break_news/10788671.html

A microfilm containing the personal information of approximately 1,200 University of Akron alumni is missing.

The university has sent out letters to the affected alumni, graduates of the fall 1974 class, informing them that their names, previous addresses and phone numbers, along with birth dates and Social Security numbers, were on the missing microfilm.

Dave Russ, of the university's institutional marketing department, said the missing microfilm reel was one of several that was being digitized by an outside vendor. The university and the vendor have engaged in an exhaustive search, but have not located the missing reel.

[...]

From cwalsh at cwalsh.org Thu Oct 25 20:36:36 2007
From: cwalsh at cwalsh.org (Chris Walsh)
Date: Thu, 25 Oct 2007 15:36:36 -0500
Subject: [Dataloss] Nevada Law Mandates Encryption of Electronically-Transmitted Personal Information
In-Reply-To: <20071009160347.GA13994@cwalsh.org>
References: <20071009160347.GA13994@cwalsh.org>
Message-ID: <20071025203630.GB29517@cwalsh.org>

I emailed the author of the article at mofo.com (man do I want an email address there...).

She replied that they don't have any evidence that Nevada has changed this definition or whether it relies on it or a different one.

Maybe this will come out when/if a case is brought to court...
Chris

On Tue, Oct 09, 2007 at 11:04:01AM -0500, Chris Walsh wrote:
> Does this mean that Nevada has changed the definition of
> "encryption" that they use in their laws?

From bkdelong at pobox.com Thu Oct 25 21:04:18 2007
From: bkdelong at pobox.com (B.K. DeLong)
Date: Thu, 25 Oct 2007 17:04:18 -0400
Subject: [Dataloss] Nevada Law Mandates Encryption of Electronically-Transmitted Personal Information
In-Reply-To: <20071025203630.GB29517@cwalsh.org>
References: <20071009160347.GA13994@cwalsh.org> <20071025203630.GB29517@cwalsh.org>
Message-ID:

Speaking of PII and other such data, did anyone ever attempt to bring the "PCI DSS as law" into the mix in NV? If encryption was proposed, I'd be surprised if other such protections were not as well.

At last count, MN, CA, TX, MA and IL have or had laws proposed containing bits of the PCI DSS. Did I miss anyone?

On 10/25/07, Chris Walsh wrote:
> I emailed the author of the article at mofo.com (man do I want
> an email address there...).
>
> She replied that they don't have any evidence that Nevada has
> changed this definition or whether it relies on it or a
> different one.
>
> Maybe this will come out when/if a case is brought to court...
>
> Chris
>
> On Tue, Oct 09, 2007 at 11:04:01AM -0500, Chris Walsh wrote:
> > Does this mean that Nevada has changed the definition of
> > "encryption" that they use in their laws?

--
B.K. DeLong (K3GRN)
bkdelong at pobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org

From jericho at attrition.org Fri Oct 26 06:25:26 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 26 Oct 2007 06:25:26 +0000 (UTC)
Subject: [Dataloss] follow-up: TJX Intruder Moved 80-GBytes Of Data And No One Noticed
Message-ID:

---------- Forwarded message ----------
From: Paul Ferguson

Via StorefrontBacktalk.

[snip]

Citing new information about the TJX data breach, attorneys suing the clothing retail chain amended their complaints on Thursday and want a jury to evaluate TJX's security professionalism.

New details that emerged from documents filed in federal court Thursday include:

A TJX consultant found that not only was TJX not PCI-compliant, but that it had failed to comply with nine of the 12 applicable PCI requirements. Many were "high-level deficiencies," the consultant said.

"After locating the stored data on the TJX servers, the intruder used the TJX high-speed connection in Massachusetts to transfer this data to another site on the Internet" in California. More than "80 GBytes of stored data improperly retained by TJX was transferred in this manner. TJX did not detect this transfer."

In May 2006, a traffic capture/sniffer program was installed on the TJX network by the cyber thieves, where it remained undetected for seven months, "capturing sensitive cardholder data as it was transmitted in the clear by TJX."

[snip]

More: http://storefrontbacktalk.com/story/102507tjxrevisedcomplaint

From hbrown at knology.net Sun Oct 28 20:36:49 2007
From: hbrown at knology.net (Henry Brown)
Date: Sun, 28 Oct 2007 15:36:49 -0500
Subject: [Dataloss] Art dot com's website hacked
Message-ID: <4724F2E1.6010307@knology.net>

http://www.allheadlinenews.com/articles/7008975169

Art.com's Website Hacked; Customers Alerted Of Possible Identity Theft
October 28, 2007 11:08 a.m.
EST
Harriette Cecilio - AHN News Writer

Emeryville, CA (AHN) - An online retailer of posters, prints and framed art on Saturday alerted customers that hackers had gotten into its website to access credit card accounts. But the company offered assurances that it has beefed up security to avoid future attacks.

Art.com, which operates websites including Art.com and Allposters.com, said it is investigating the intrusion and asked its clientele to be more vigilant.

The Art.com chief said the cyberspace criminals gained systems entry despite "multiple security layers" and accessed some credit card transactions from July to September.

"To date, the company is unaware of any unauthorized use of those credit card numbers or any attempted identity theft related to the intrusion," a company statement said.

From chris at cwalsh.org Mon Oct 29 00:09:02 2007
From: chris at cwalsh.org (Chris Walsh)
Date: Sun, 28 Oct 2007 19:09:02 -0500
Subject: [Dataloss] Document archive mini-update
Message-ID: <6FD65433-C610-414F-AB7F-DD0D67A626D6@cwalsh.org>

I have added several documents received from North Carolina's Attorney General's office to the on-line collection at http://www.cwalsh.org/cgi-bin/docview.pl

Sorry for the delay, but I overhauled the underlying database schema to accommodate multiple sources of documents, and to also more clearly handle the distinction between whose data was exposed, who was holding the data, and who reported the breach.

BTW - This collection was out of commission for about 10 days due to a hardware failure (my iMac lost a power supply or a mobo - need to open it up and look at diagnostic LEDs). Now the DB is on a back-end FreeBSD box where it belongs.

I have many more documents to add, and will be doing so as time permits.

I've added some Google Adsense gingerbread to the search result pages, which is kind of interesting because Google is able to crawl the PDFs themselves, so in some cases the ads are truly context-aware.
*If you prefer not to see such ads, turn off Javascript* (I recommend NoScript). Of course, the original scanned docs are entirely unaltered.

From lyger at attrition.org Tue Oct 30 11:25:35 2007
From: lyger at attrition.org (lyger)
Date: Tue, 30 Oct 2007 11:25:35 +0000 (UTC)
Subject: [Dataloss] NV: UNR professor loses flash drive with students' personal information
Message-ID:

http://news.rgj.com/apps/pbcs.dll/article?AID=/20071030/NEWS02/710300339/1321/NEWS

A University of Nevada, Reno professor has lost a flash drive that contained the names and Social Security numbers of 16,000 current and former students, a UNR spokeswoman said today.

The flash drive contained the information of incoming freshmen who enrolled in the fall semesters from 2001 through 2007, said Jane Tors of UNR's communications department. That does not include freshmen who enrolled in the spring, transfer students or graduate students.

[...]

From lyger at attrition.org Tue Oct 30 11:27:18 2007
From: lyger at attrition.org (lyger)
Date: Tue, 30 Oct 2007 11:27:18 +0000 (UTC)
Subject: [Dataloss] HI: USPS Laptop Stolen had Employee Personal Info
Message-ID:

http://kgmb9.com/main/content/view/1282/40/

The personal information of nearly 3,000 Oahu postal employees could be in the hands of a criminal. Workers got the warning this weekend that a computer with the employees' information on it had been stolen. The laptop was taken in August.

[...]

From lyger at attrition.org Tue Oct 30 13:59:16 2007
From: lyger at attrition.org (lyger)
Date: Tue, 30 Oct 2007 13:59:16 +0000 (UTC)
Subject: [Dataloss] NC: Personal documents found in trash can (fwd)
Message-ID:

---------- Forwarded message ----------
From: MKEVHILL at aol.com
To: dataloss at attrition.org
Date: Tue, 30 Oct 2007 08:19:00 EDT

(http://news14.com/content/headlines/588963/personal-documents-found-in-trash-can/Default.aspx)

SALISBURY -- Two men found a box in a dumpster full of the ingredients for identity theft.
It appeared to be a year's worth of cell phone customers' applications from all over the area.

The cell phone business recently moved and behind it was a dumpster full of furniture and other things from inside. That's where Steve Gandy and Lee Wilbanks said they found the box.

"We've got a lady's driver's license number, her Bank of America credit card number and we've got her work address, home address, we've got every bit of information that somebody would use for identity theft," said Gandy as he sifted through the box.

There is so much private financial information on the documents that it was hard finding papers that could be televised.

"It's the application, where they print driver's license, method of payment and the Social Security number," added Gandy.

From job applications with addresses, birth dates and Social Security numbers to copies of driver's licenses, Mastercards, and Visas, the box was full of identity theft bait.

[...]

From lyger at attrition.org Tue Oct 30 17:46:41 2007
From: lyger at attrition.org (lyger)
Date: Tue, 30 Oct 2007 17:46:41 +0000 (UTC)
Subject: [Dataloss] State officials warn Ohioans of data breach at Hartford Insurance
Message-ID:

http://www.wdtn.com/Global/story.asp?S=7285876

State insurance regulators say some Ohio consumers are affected by a data security breach at Hartford Life Insurance. The company has misplaced three backup tapes containing sensitive personal information.

The Hartford says the problem was discovered September 27th. Ohio Insurance Director Mary Jo Hudson has asked the company for more information, including the number of Ohioans involved.

[...]

From lyger at attrition.org Wed Oct 31 16:34:42 2007
From: lyger at attrition.org (lyger)
Date: Wed, 31 Oct 2007 16:34:42 +0000 (UTC)
Subject: [Dataloss] TN: Identification theft hits 70,000 people
Message-ID:

http://www.wreg.com/Global/story.asp?S=7288802

Pathology Group of the Mid-South operates out of an office building in East Memphis.
They do laboratory testing for many medical facilities in the Memphis area. While you may not know a lot about them, if you've gotten lab work done lately, the company probably knows an awful lot about you. Your name, address, social security number, even medical information.

[.]

Pathology Group sent a letter out, notifying clients that someone broke into the locked office building on September 23 or 24th. More than a month later, Wheeler's family is just getting theirs.

"My biggest concern is the timeliness," says Wheeler.

According to the notice, several computers with flat screen monitors were stolen. One of those computers had patient information on about 75,000 people, one of which was Wheeler's wife.

The thieves not only stole thousands of people's personal information, they also stole Wheeler's peace of mind. "We received a fraud call from a Visa card company," explains Wheeler. "Immediately, I thought now it's going to start."

[...]

From lyger at attrition.org Wed Oct 31 20:49:04 2007
From: lyger at attrition.org (lyger)
Date: Wed, 31 Oct 2007 20:49:04 +0000 (UTC)
Subject: [Dataloss] MI: Stolen laptop contained data on Ferris State students
Message-ID:

http://www.wzzm13.com/news/news_article.aspx?storyid=83016

Ferris State University is warning current and potential students after the theft of a laptop that contained student data.

[.]

The computer contains personal information about applicants for 2007-2008 students, including names, addresses, telephone numbers, dates of birth, email addresses, academic information and student identification numbers. The thief would have to get through two layers of password protection to access the data. Up to 18,000 current and potential students could be affected. University administrators tell WZZM 13 News they are more concerned about students receiving unsolicited emails or mailers, rather than identity theft.

[...]
From adam at homeport.org Wed Oct 31 22:09:12 2007
From: adam at homeport.org (Adam Shostack)
Date: Wed, 31 Oct 2007 18:09:12 -0400
Subject: [Dataloss] Footballer John Arne Riise's paystub online
Message-ID: <20071031220911.GA28892@homeport.org>

> An inquiry has been launched by Liverpool Football Club after a top
> player's payslip, detailing a 139,634 monthly wage - was put on the
> internet.

http://news.bbc.co.uk/2/hi/uk_news/england/merseyside/7071296.stm