From lyger at attrition.org Tue Jan 1 06:54:01 2008
From: lyger at attrition.org (lyger)
Date: Tue, 1 Jan 2008 06:54:01 +0000 (UTC)
Subject: [Dataloss] Off Topic: Happy New Year
Message-ID:

Best wishes to everyone on the list in 2008. Here's to hoping that everyone finds the new year with safety, happiness, and a few less breaches to endure.

*clink*

Lyger


From lawyer at carpereslegalis.com Wed Jan 2 21:57:47 2008
From: lawyer at carpereslegalis.com (Marjorie Simmons)
Date: Wed, 2 Jan 2008 13:57:47 -0800
Subject: [Dataloss] UK: Police personal data found on discarded floppy
Message-ID: <000f01c84d8a$83378aa0$0901a8c0@Lakshmi>

One often overlooked problem with the release of just name, address and phone is that it can and often does uncover a relationship between the data loser and the exposed persons. While it might be inconsequential in some instances, it definitely is a major concern in other instances.

For example, Widget Business XYZ loses its customer mailing list and a defense agency is a customer, and the widgets can only be used as part of a certain technology, where the timing of the widget deployment is sensitive. Or, consider the law firm whose client mailing list is compromised. There are many such instances when simple name, address and telephone data losses can show a relationship between people that the parties would neither expect nor want to have disclosed.

While raw data may be available in a publicly available directory, the relationship between parties is often not, and it is the exposure of the relationship, confidential or simply hidden, that is the problem.

###

-----Original Message-----
On Wed, 26 Dec 2007, lyger wrote:

: On Wed, 26 Dec 2007, Dan O'Donnell wrote:
:
: : Police data details found at dump
: :
: : A senior police officer has apologised after confidential details of
: : staff were found on a dump in Devon.
: :
: : The details, on a floppy disk, included names, addresses, telephone
: : numbers and ranks of employees of Devon and Cornwall Police.
: :
: : The disk was in an obsolete computer that had been used by the force
: : and had been sent for recycling.
:
: While losing the personal information of police officers is certainly a concern due to the nature of their jobs, I've noticed other recent reports of general "data loss" involving not much more than names, addresses, and sometimes phone numbers. Should this generally be considered "personal information" if such data can usually be found in a phone book or Google (for most people anyway)?
:
: Just a thought and something we consider when including (or not including) breach data on attrition's data loss web page and database...


From jordantd at corp.earthlink.net Thu Jan 3 03:04:31 2008
From: jordantd at corp.earthlink.net (Timothy Jordan)
Date: Wed, 2 Jan 2008 19:04:31 -0800
Subject: [Dataloss] UK: Police personal data found on discarded floppy
In-Reply-To: <000f01c84d8a$83378aa0$0901a8c0@Lakshmi>
References: <000f01c84d8a$83378aa0$0901a8c0@Lakshmi>
Message-ID: <94C5902E77E89C45B945DBD2749D0F0A2019540CF7@EXMBX04.exchhosting.com>

One important, and often overlooked, way that this "inconsequential" data and the relationships can be used is via Social Engineering attempts. In other words, 1+1=2 and so on.

-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Marjorie Simmons
Sent: Wednesday, January 02, 2008 4:58 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] UK: Police personal data found on discarded floppy

One often overlooked problem with the release of just name, address and phone is that it can and often does uncover a relationship between the data loser and the exposed persons. While it might be inconsequential in some instances, it definitely is a major concern in other instances.
For example, Widget Business XYZ loses its customer mailing list and a defense agency is a customer, and the widgets can only be used as part of a certain technology, where the timing of the widget deployment is sensitive. Or, consider the law firm whose client mailing list is compromised. There are many such instances when simple name, address and telephone data losses can show a relationship between people that the parties would neither expect nor want to have disclosed.

While raw data may be available in a publicly available directory, the relationship between parties is often not, and it is the exposure of the relationship, confidential or simply hidden, that is the problem.

###

-----Original Message-----
On Wed, 26 Dec 2007, lyger wrote:

: On Wed, 26 Dec 2007, Dan O'Donnell wrote:
:
: : Police data details found at dump
: :
: : A senior police officer has apologised after confidential details of
: : staff were found on a dump in Devon.
: :
: : The details, on a floppy disk, included names, addresses, telephone
: : numbers and ranks of employees of Devon and Cornwall Police.
: :
: : The disk was in an obsolete computer that had been used by the force
: : and had been sent for recycling.
:
: While losing the personal information of police officers is certainly a concern due to the nature of their jobs, I've noticed other recent reports of general "data loss" involving not much more than names, addresses, and sometimes phone numbers. Should this generally be considered "personal information" if such data can usually be found in a phone book or Google (for most people anyway)?
:
: Just a thought and something we consider when including (or not including) breach data on attrition's data loss web page and database...

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml


From lyger at attrition.org Thu Jan 3 12:48:40 2008
From: lyger at attrition.org (lyger)
Date: Thu, 3 Jan 2008 12:48:40 +0000 (UTC)
Subject: [Dataloss] UK: Data Loss Hits Llanelli
Message-ID:

http://www.thisissouthwales.co.uk/displayNode.jsp?nodeId=161366&command=displayContent&sourceNode=162951&contentPK=19423694&folderPk=88498&pNodeId=162956

A Bank is investigating after a Llanelli man was sent the personal investment details of 33 other people.

The Furnace resident's wife, who did not wish to be named, said the documents - containing client's full names, addresses, reference numbers and investment details - had been addressed to her husband.

It is believed the details were sent by Key Data on behalf of Bradford & Bingley.

The letter accompanied another containing information about her husband's own 9,075 investment.

[...]


From lyger at attrition.org Thu Jan 3 12:51:11 2008
From: lyger at attrition.org (lyger)
Date: Thu, 3 Jan 2008 12:51:11 +0000 (UTC)
Subject: [Dataloss] UT: ID info at risk in laptop theft
Message-ID:

http://www.sltrib.com/ci_7867694

Officials with one of Utah's largest insurance companies are searching for a stolen laptop containing Social Security numbers and other personal information for about 2,800 people and 1,400 companies.

The computer was taken from a car parked in the home garage of an auditor for the Workers Compensation Fund (WCF) on Dec. 9. But WCF said it chose not to issue a public statement at that time out of fear of alerting anyone that the laptop contained information that could be used for identity thefts.

The agency said it has informed companies and workers of the theft, and is covering fees for a professional security watch for the affected workers that could total $200,000, said WCF spokeswoman Peggy Larsen.

[...]
From lyger at attrition.org Thu Jan 3 14:38:39 2008
From: lyger at attrition.org (lyger)
Date: Thu, 3 Jan 2008 14:38:39 +0000 (UTC)
Subject: [Dataloss] Robotics Online Hacked - Credit Card Details Accessed (fwd)
Message-ID:

Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

Via Pogo Was Right.

[snip]

Robotics Industries Association reported that a hacker accessed their administration site for Robotics Online on or about December 10th, gaining access to individual orders that contained credit card information. Seven residents of NH were affected, but national totals were not indicated. Following the intrusion, the company deleted all credit card information from their site, and temporarily ceased accepting credit card orders.

[snip]

More: http://www.pogowasright.org/article.php?story=20080102170749849


From rforno at infowarrior.org Thu Jan 3 19:00:01 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Thu, 03 Jan 2008 14:00:01 -0500
Subject: [Dataloss] MPs say losing computer data should be made a crime
Message-ID:

MPs say losing computer data should be made a crime

Tania Branigan, political correspondent
Thursday January 3, 2008
The Guardian

Recklessly or repeatedly mishandling personal information should become a criminal offence, a committee of MPs urges today in the wake of the child benefit fiasco.

A report from the justice select committee says there is evidence of a widespread problem within government and expresses concern that further cases of data loss are still coming to light, adding that concerns about systemic failings were raised two years ago by the man now in charge of the government's review of security.

The committee says that companies should be obliged to report information losses.

"The scale of the data loss by government bodies and contractors is truly shocking, but the evidence we have had points to further hidden problems," warned Alan Beith, chairman of the committee.

"It is frankly incredible, for example, that the measures HMRC [HM Revenue & Customs] has [now] put in place were not already standard procedure."

The report was prompted by HMRC's loss of computer discs containing the personal and bank details of all British families claiming child benefit.

< - >

http://politics.guardian.co.uk/homeaffairs/story/0,,2234448,00.html


From lyger at attrition.org Fri Jan 4 01:12:01 2008
From: lyger at attrition.org (lyger)
Date: Fri, 4 Jan 2008 01:12:01 +0000 (UTC)
Subject: [Dataloss] GA: Vandals steal school computer with social security numbers
Message-ID:

http://www.wrdw.com/home/headlines/13022572.html

Students throughout Richmond County returned to school today. But there were empty classrooms at Dorothy Hains Elementary school after vandals broke in -- breaking windows, setting walls on fire and stealing electronics.

"I was disgusted yet again...because it had just recently happened," said Principal Sophia Cogle.

It's the second time this has happened since November. This time, teachers' desks were ransacked, bulletin boards destroyed, papers--and even an American flag--burned.

[.]

But, there's also damage inside the main building. The library door was kicked in and the circulation computer was stolen--something the principal desperately wants back because it has the social security numbers of students and teachers on it.

[...]


From mhill at idtexperts.com Fri Jan 4 05:58:32 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Fri, 4 Jan 2008 00:58:32 -0500
Subject: [Dataloss] CT: Stolen Laptop Includes Health Net Workers' Data
Message-ID: <001101c84e96$d6a90080$6501a8c0@mkevhill>

http://www.courant.com/business/hc-laptop0104.artjan04,0,6454765.story

Thousands of Health Net employees in Connecticut and other states have been notified that their names and Social Security numbers were on a laptop computer that was stolen more than a month ago from a company vendor.
There have been no reports of identity theft as a result of the incident, said David Olson, a Health Net spokesman. He wouldn't name the vendor or say where the laptop was stolen, other than it wasn't in the Northeast.

The laptop had information on about 5,000 employees companywide and an undisclosed number of health-care providers outside the Northeast. There was no medical information about them on the computer, Olson said.

..........

Health Net retained Kroll Inc. to provide free credit monitoring for one year, and help in restoring good credit in case of identity theft, to employees and providers who sign up for it.

About a month ago, Health Net started telling employees in a letter that police were investigating the laptop theft and had "not found any evidence that the data has been accessed or misused."

.............

Michael Hill
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751
"If You Think You're Not At Risk, Think Again!"


From lyger at attrition.org Fri Jan 4 12:52:27 2008
From: lyger at attrition.org (lyger)
Date: Fri, 4 Jan 2008 12:52:27 +0000 (UTC)
Subject: [Dataloss] California data-breach law now covers medical information
Message-ID:

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/01/04/BUR6U9000.DTL

California residents must now be notified when their electronic medical information or health insurance information has been exposed.

AB1298, which took effect Tuesday, expands California's data-breach notification law to include unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses. Also covered under the law are unencrypted insurance policy or subscriber numbers, any applications for insurance, claims histories and appeals.

The exposed information must include a California resident's name to require notification but does not need to include Social Security numbers. The law applies to state agencies and any company that does business with Californians, even if its headquarters are not in the state.

[...]


From lyger at attrition.org Fri Jan 4 14:42:16 2008
From: lyger at attrition.org (lyger)
Date: Fri, 4 Jan 2008 14:42:16 +0000 (UTC)
Subject: [Dataloss] FL: Laptops Stolen From DCF Contain Personal Information
Message-ID:

http://www.cfnews13.com/News/Local/2008/1/4/laptops_stolen_from_dcf_contain_personal_information1.html

State computers with personal information on them were stolen from a Department of Children and Families office, compromising the personal information of thousands of day care workers.

[.]

Social Security numbers, birth dates and other information were on the five laptop computers stolen from the DCF offices in Orange County Nov. 7 and 8.

[...]


From mike at cokenour.com Fri Jan 4 18:50:18 2008
From: mike at cokenour.com (Mike Cokenour)
Date: Fri, 04 Jan 2008 18:50:18 +0000
Subject: [Dataloss] MD Taxpayer Data Exposed Online
Message-ID:

http://www.washingtontimes.com/article/20080104/METRO/73800052/1004

Taxpayer data exposed online
January 4, 2008
By Gary Emerling -

A security gap on a Maryland government Web site left hundreds of Social Security numbers unprotected as homeowners attempted to register for a property-tax exemption this week.

Officials said residents applying Monday for the homestead-tax credit at the Maryland Department of Assessments and Taxation Web site (www.dat.state.md.us) may have exposed their Social Security numbers online because the application system did not have a necessary security certificate to encrypt the information before it was sent out over the Internet.
Robert Young, the department's associate director of assessments and taxation, said the gap briefly left the numbers exposed, but the information was transferred to a secure server after an application was submitted.

"For that minute or so there ... that wasn't encrypted," Mr. Young said. "If they submitted an application, it went to a different section that was encrypted."

The application system on the site went online Dec. 28 but was not accessed until Monday, after residents had received their assessment notices in the mail. Roughly 900 people used the system that day.

Mr. Young said it would have been nearly impossible for anyone to access the numbers because of the brief amount of time they were exposed and because hackers would have had to tap into Internet transmission lines from a specific location.

"Somebody would have had to been focused in on that site," Mr. Young said. "The chances of that are virtually nil."

The Web-based tax-application system is managed by Towson University's Regional Economic Studies Institute.

Tim Brooks, the institute's associate director in charge of software development, said a hacker would have had to be located right outside the home of a resident accessing the site or outside of the institute's data center at Towson to steal the numbers once they were sent out over the Internet.

"While it is technically possible there was some sort of compromise, it is logistically unfeasible," Mr. Brooks said.

Mr. Young said officials shut down the site on Monday at about 4 p.m. and added the extra protection. The site reopened Wednesday at about 4:15 p.m. and is now secure, he said.

Reports of identity theft have become more common around the region and across the country in recent years. Last year, there were 446 security breaches resulting in the exposure of nearly 128 million records, according to the Identity Theft Resource Center.


From rforno at infowarrior.org Fri Jan 4 18:58:35 2008
From: rforno at infowarrior.org (Richard Forno)
Date: Fri, 04 Jan 2008 13:58:35 -0500
Subject: [Dataloss] Sears exposes customer information via its web site
In-Reply-To: <20080104182655.GA21114@gsp.org>
Message-ID:

------ Forwarded Message
From: Rich

Summary: if you know someone's name, address and phone number, you can retrieve their purchase history from Sears' web site.

http://www.benedelman.org/news/010408-1.html

This is an interesting follow-on to the recent discovery that Sears is pushing spyware:

http://community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx
http://www.benedelman.org/news/010108-1.html


From hbrown at knology.net Sat Jan 5 10:33:49 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 05 Jan 2008 04:33:49 -0600
Subject: [Dataloss] UK dataloss (Lloyds TSB bank)
Message-ID: <477F5D0D.2050406@knology.net>

From Computer Weekly
http://tinyurl.com/yqque2

...

Lloyds TSB has sent a letter to customers warning them that their computers may have been exposed to a Trojan horse, but a customer has complained of a lack of detail from the bank.

The bank's Fraud Response Team sent letters to some customers in December after it received a tip-off from payments association APACs, acting on intelligence from a law enforcement agency.

"Lloyds TSB has been recently advised that your computer may have been infected with a virus. This virus is specifically designed to steal personal information including credit card and your internet login details," warned the letter.

"This virus can be difficult to detect and you may have downloaded this unknowingly. It can compromise your use of the internet banking service on your PC including your Lloyds TSB passwords and memorable information."

(...)
Lloyds said a small number of customers received the letter but would not give details of the exact number, the type of Trojan or how it discovered the information.

Lloyds TSB said, "We received intelligence from a law enforcement agency via Apacs that a very small number of UK consumers might have been exposed to a Trojan horse programme and that some of these were Lloyds TSB customers."

(...)


From lyger at attrition.org Sat Jan 5 19:54:01 2008
From: lyger at attrition.org (lyger)
Date: Sat, 5 Jan 2008 19:54:01 +0000 (UTC)
Subject: [Dataloss] NM: Identity info stolen from NMSU
Message-ID:

http://www.lcsun-news.com/news/ci_7886839

A computer hard drive containing the names and Social Security numbers of current and former NMSU employees is missing from the Pan American Center, just the latest in a series of thefts from the facility since November 2006, according to police reports.

A New Mexico State University official said it was "highly improbable" that the information on the hard drive could be accessed.

The external hard drive was stolen sometime between Dec. 30 and Jan. 2 from an office at the NMSU Special Events Department, housed at the Pan Am. It contained the names and Social Security numbers of every employee hired by the department since 1999, according to a university police report.

[...]


From mike at cokenour.com Mon Jan 7 23:02:22 2008
From: mike at cokenour.com (Mike Cokenour)
Date: Mon, 07 Jan 2008 23:02:22 +0000
Subject: [Dataloss] Geeks.com warns customers of possible data compromise despite security certification
Message-ID:

January 07, 2008 (Computerworld) -- Just because a Web site has a certification claiming that it is virtually hackproof, that doesn't necessarily mean it's immune to all intrusions.

A case in point is Geeks.com, which on Friday began notifying an unspecified number of customers that their personal and financial data may have been compromised by an intrusion into the systems that run the online technology retailer's Web site. Geeks.com, whose formal business name is Genica Corp., said in a letter to customers that it discovered the security breach on Dec. 5.

The compromised information included the names, addresses, telephone numbers and Visa credit card numbers of an unspecified number of customers who had shopped at Geeks.com, according to a copy of the letter that was posted on The Consumerist blog (http://consumerist.com/341408/geekscom-website-hacked-customer-data-stolen).

Complete coverage:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9056004&intsrc=hm_list


From jericho at attrition.org Tue Jan 8 00:05:48 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 8 Jan 2008 00:05:48 +0000 (UTC)
Subject: [Dataloss] Geeks.com warns customers of possible data compromise despite security certification
In-Reply-To:
References:
Message-ID:

It's the Hacker Safe certification of course, which only protects against 99% of hacker crime! =)

: January 07, 2008 (Computerworld) -- Just because a Web site has a
: certification claiming that it is virtually hackproof, that doesn't
: necessarily mean it's immune to all intrusions.
:
: A case in point is Geeks.com, which on Friday began notifying an
: unspecified number of customers that their personal and financial data
: may have been compromised by an intrusion into the systems that run the
: online technology retailer's Web site. Geeks.com, whose formal business
: name is Genica Corp., said in a letter to customers that it discovered
: the security breach on Dec. 5.
:
: The compromised information included the names, addresses, telephone
: numbers and Visa credit card numbers of an unspecified number of
: customers who had shopped at Geeks.com, according to a copy of the
: letter that was posted on The Consumerist blog
: (http://consumerist.com/341408/geekscom-website-hacked-customer-data-stolen).
Hacker Safe - Tested Daily 07-Jan
https://www.scanalert.com/RatingVerify?ref=www.geeks.com

WEBSITE: www.geeks.com
STATUS: HACKER SAFE CERTIFICATION 07-JAN-2008

This site is tested and certified daily to pass the HACKER SAFE Security Scan. To help address concerns about hacker access to confidential data, the "live" HACKER SAFE mark appears only when a web site meets the HACKER SAFE standard. Research indicates sites remotely scanned for known vulnerabilities on a daily basis, such as those earning HACKER SAFE certification, can prevent over 99% of hacker crime.


From lyger at attrition.org Wed Jan 9 02:13:05 2008
From: lyger at attrition.org (lyger)
Date: Wed, 9 Jan 2008 02:13:05 +0000 (UTC)
Subject: [Dataloss] Wis. mailing sent with personal info
Message-ID:

http://www.businessweek.com/ap/financialnews/D8U201M02.htm

Social Security numbers were printed on about 260,000 informational brochures sent by a vendor hired by the state to recipients of SeniorCare and other state programs.

The gaffe is the second time in 13 months that mailings including the recipients' Social Security numbers were sent from state departments. In December 2006, the state Department of Revenue mailed 171,000 tax booklets with the number printed on the label.

The latest mailing was first reported on Tuesday by WKOW-TV.

The state Department of Health and Family Services issued a statement saying the mistake was the fault of EDS, a private vendor for state Medicaid services. Karen Timberlake, deputy secretary of the state department, said the mailing went to about 260,000 Medicaid, SeniorCare, and BadgerCare members.

[...]
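Editor's note: the Wisconsin mailing above is a data-minimization failure at the boundary between the agency and its vendor. A label printer needs names and addresses; the extract it was given evidently carried Social Security numbers as well, and later in this thread the point is made that the state could have selected only the name and address columns. The example below is added here for this archive; it is not code from any list post, from the state of Wisconsin or from EDS. It contrasts an extract built with SELECT * against one restricted to the label columns, and adds a policy gate that refuses any outbound extract containing a classified column or an SSN-shaped value. The table layout, column names, denylist and sample rows are all constructed for the example.

```python
import re
import sqlite3

# Columns a mailing-house vendor needs to print an address label.
# Everything else (SSN, date of birth, program ID) stays inside the agency.
MAILING_COLUMNS = ("full_name", "street", "city", "state", "zip")

# Column names that must never appear in an outbound extract. This denylist
# is an assumption for the example; a real one comes from the agency's
# data classification policy.
SENSITIVE_COLUMNS = {"ssn", "dob", "medicaid_id"}
SSN_PATTERN = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def build_demo_db():
    """Constructed sample data standing in for a program-enrollment table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE recipients (
        id INTEGER PRIMARY KEY, full_name TEXT, street TEXT, city TEXT,
        state TEXT, zip TEXT, ssn TEXT, dob TEXT, medicaid_id TEXT)""")
    conn.executemany(
        "INSERT INTO recipients VALUES (NULL,?,?,?,?,?,?,?,?)",
        [
            ("Alice Example", "1 Main St", "Madison", "WI", "53703",
             "123-45-6789", "1940-02-01", "MC-0001"),
            ("Bob Sample", "2 Oak Ave", "Milwaukee", "WI", "53202",
             "987-65-4321", "1938-11-30", "MC-0002"),
        ],
    )
    return conn


def _rows_as_dicts(cur):
    columns = [d[0] for d in cur.description]
    return columns, [dict(zip(columns, row)) for row in cur.fetchall()]


def naive_extract(conn):
    """SELECT * hands the vendor every column, SSNs included."""
    return _rows_as_dicts(conn.execute("SELECT * FROM recipients"))


def minimized_extract(conn):
    """Select only the columns the label printer needs."""
    sql = "SELECT " + ", ".join(MAILING_COLUMNS) + " FROM recipients"
    return _rows_as_dicts(conn.execute(sql))


def extract_violations(columns, rows):
    """Policy gate run before a file leaves the agency: flag denylisted
    column names and any value that looks like an SSN, whatever column
    it sits in (catches SSNs smuggled into a free-text field too)."""
    problems = [f"column {c} is classified sensitive"
                for c in columns if c.lower() in SENSITIVE_COLUMNS]
    for i, row in enumerate(rows):
        for col, val in row.items():
            if isinstance(val, str) and SSN_PATTERN.match(val):
                problems.append(f"row {i}: SSN-shaped value in column {col}")
    return problems


if __name__ == "__main__":
    db = build_demo_db()
    for label, fn in (("SELECT *", naive_extract),
                      ("minimized", minimized_extract)):
        cols, rows = fn(db)
        issues = extract_violations(cols, rows)
        print(f"{label}: columns={cols}")
        print("  " + ("OK to send" if not issues else "; ".join(issues)))
```

Run as a script it reports five violations for the SELECT * extract (three classified columns plus an SSN-shaped value in each row) and "OK to send" for the minimized one. The gate belongs in whatever job produces the vendor file, so a later change to the SQL cannot silently widen what leaves the agency.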
From jericho at attrition.org Wed Jan 9 08:40:48 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 9 Jan 2008 08:40:48 +0000 (UTC)
Subject: [Dataloss] follow-up: Sears Data Breach Draws Lawsuit
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.informationweek.com/security/showArticle.jhtml?articleID=205600038

By Thomas Claburn
InformationWeek
January 7, 2008

Following revelations that Sears' ManageMyHome.com site exposed customer purchase data to any online visitor who asked about it, a New Jersey resident has filed a $5 million class action lawsuit against the retailer.

In a complaint filed on Friday in Cook County, Ill., where Sears has its headquarters, plaintiff Christine Desantis alleges that the company's exposure of customer data represents a breach of contract and a violation of the Consumer Fraud Act. The $5 million sought is to cover payments to affected consumers and attorneys, and the cost of injunctive relief; no individual is seeking more than $75,000, according to the legal filing.

The crux of the case is that Sears "failed to take reasonable steps to ensure that [consumers'] private information was secure," according to the complaint.

[..]


From lyger at attrition.org Wed Jan 9 14:15:49 2008
From: lyger at attrition.org (lyger)
Date: Wed, 9 Jan 2008 14:15:49 +0000 (UTC)
Subject: [Dataloss] GA: UGA contacting 4,000 after server breached by hacker
Message-ID:

http://news.mywebpal.com/partners/680/public/news866847.html

University of Georgia officials are trying to contact more than 4,000 current, former and prospective residents of a university housing complex after a hacker was able to access a server containing personal information, including Social Security numbers.

The security breach happened sometime between Dec. 29 and Dec. 31, the university said Tuesday. During that time, a computer with an overseas IP address was able to access the personal information - including Social Security numbers, names and addresses - of 540 current graduate students living in graduate family housing and 3,710 former students and applicants.

University officials know what country the hacker was operating in, but would not comment on it, UGA spokesman Tom Jackson said.

[...]


From lyger at attrition.org Thu Jan 10 01:29:45 2008
From: lyger at attrition.org (lyger)
Date: Thu, 10 Jan 2008 01:29:45 +0000 (UTC)
Subject: [Dataloss] UK Irony: Clarkson eats words over lost data
Message-ID:

http://www.vnunet.com/vnunet/news/2206703/clarkson-eats-words-lost

"TV presenter Jeremy Clarkson has been forced to eat his own words after thieves hacked into his bank account.

Clarkson said in a newspaper column that the data lost by staff at HM Revenue & Customs was useless, and published his own bank details in the article to prove his point.

However, he was forced to apologise publicly after £500 was quickly removed from his account.

Clarkson gave his account number and sort code and hinted at his address. This was enough for him to lose the money."

[...]


From hbrown at knology.net Thu Jan 10 19:46:57 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 10 Jan 2008 13:46:57 -0600
Subject: [Dataloss] Wis. mailing sent with personal info
In-Reply-To:
References:
Message-ID: <47867631.4040604@knology.net>

interesting followup:

From ComputerWorld
http://tinyurl.com/2j6v9x

"Appalled" officials at the Wisconsin State Department of Health and Family Services (DHFS) are asking Electronic Data Systems Corp. to explain why it allowed Social Security numbers to be printed on the address labels of information brochures recently sent to more than 260,000 recipients of state health care services.

The state agency is also asking Plano, Texas-based EDS to cover the cost of mailing letters to all of the affected individuals informing them of the error as well as the costs of providing credit-monitoring services for a year.

[...]
> http://www.businessweek.com/ap/financialnews/D8U201M02.htm
>
> Social Security numbers were printed on about 260,000 informational brochures sent by a vendor hired by the state to recipients of SeniorCare and other state programs.
>
> The gaffe is the second time in 13 months that mailings including the recipients' Social Security numbers were sent from state departments. In December 2006, the state Department of Revenue mailed 171,000 tax booklets with the number printed on the label.
>
> The latest mailing was first reported on Tuesday by WKOW-TV.
>
> The state Department of Health and Family Services issued a statement saying the mistake was the fault of EDS, a private vendor for state Medicaid services. Karen Timberlake, deputy secretary of the state department, said the mailing went to about 260,000 Medicaid, SeniorCare, and BadgerCare members.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml

From adam at homeport.org Thu Jan 10 20:57:14 2008
From: adam at homeport.org (Adam Shostack)
Date: Thu, 10 Jan 2008 15:57:14 -0500
Subject: [Dataloss] Wis. mailing sent with personal info
In-Reply-To: <47867631.4040604@knology.net>
References: <47867631.4040604@knology.net>
Message-ID: <20080110205714.GA28041@homeport.org>

Appalled experts elsewhere are asking why Wisconsin gave SSNs to EDS as part of mailing informational brochures.

You don't have to select * from row. You could have selected name, address from row.

Adam

On Thu, Jan 10, 2008 at 01:46:57PM -0600, Henry Brown wrote:
| interesting followup:
|
| From ComputerWorld
| http://tinyurl.com/2j6v9x
|
| "Appalled" officials at the Wisconsin State Department of Health and Family Services (DHFS) are asking Electronic Data Systems Corp. to explain why it allowed Social Security numbers to be printed on the address labels of information brochures recently sent to more than 260,000 recipients of state health care services.
|
| The state agency is also asking Plano, Texas-based EDS to cover the cost of mailing letters to all of the affected individuals informing them of the error as well as the costs of providing credit-monitoring services for a year.
|
| [...]

From lyger at attrition.org Thu Jan 10 22:57:41 2008
From: lyger at attrition.org (lyger)
Date: Thu, 10 Jan 2008 22:57:41 +0000 (UTC)
Subject: [Dataloss] Texas AG accuses rehab center of dumping sensitive customer info
Message-ID:

http://www.chron.com/disp/story.mpl/ap/tx/5444381.html

The Texas attorney general filed court papers Thursday accusing a facility owned by a Pennsylvania-based physical therapy company of violating state identity theft protection laws.

Investigators in the attorney general's office say a rehabilitation center operated by Select Physical Therapy dumped about 4,000 pieces of sensitive customer information in garbage containers behind its facility in Levelland, about 30 miles west of Lubbock. The records included Social Security numbers, credit and debit card account numbers, names, addresses and telephone numbers.

Investigators say the garbage containers also contained "sensitive medical information" and copies of checks from large corporations that had contracted with the facility for employee physicals and drug tests.

[...]

From chris at cwalsh.org Fri Jan 11 03:43:08 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Thu, 10 Jan 2008 21:43:08 -0600
Subject: [Dataloss] Wis.
mailing sent with personal info
In-Reply-To: <20080110205714.GA28041@homeport.org>
References: <47867631.4040604@knology.net> <20080110205714.GA28041@homeport.org>
Message-ID: <9C985005-711E-4653-9C50-50590CA3388E@cwalsh.org>

EDS is a major provider of outsourced IT. They may well have a more general contract and, in effect, made this decision themselves. The SSNs would have been given as part of the larger scope of work, and then improperly used.

Is this a risk firms take when they outsource? Heavens to Betsy, yes.

Should Wisconsin have anticipated this? Great Caesar's ghost they should have.

Does Wisconsin not have an information classification policy to which 3rd parties must adhere? By jiminy, I would hope so.

On Jan 10, 2008, at 2:57 PM, Adam Shostack wrote:
> Appalled experts elsewhere are asking why Wisconsin gave SSNs to EDS as part of mailing informational brochures.
>
> You don't have to select * from row. You could have selected name, address from row.

From lyger at attrition.org Fri Jan 11 14:30:57 2008
From: lyger at attrition.org (lyger)
Date: Fri, 11 Jan 2008 14:30:57 +0000 (UTC)
Subject: [Dataloss] UK: Personal info lost in Oldham
Message-ID:

http://www.manchestereveningnews.co.uk/news/s/1031694_personal_info_lost_in_oldham

SENSITIVE personal information on almost 150 NHS patients in the Oldham area has been 'lost', health bosses admitted today.

The Oldham NHS Primary Care Trust says two data sticks containing highly personal assessment notes of 148 clients who have been in contact with the trust's continuing care service have been reported missing.

Health chiefs have already launched an internal investigation and tried to contact all the individuals affected. As yet the trust has been unable to talk to three of the patients involved.

[...]

From tblackmore at tslad.com Fri Jan 11 16:33:55 2008
From: tblackmore at tslad.com (Tracy Blackmore)
Date: Fri, 11 Jan 2008 09:33:55 -0700
Subject: [Dataloss] Wis. mailing sent with personal info
References: <47867631.4040604@knology.net> <20080110205714.GA28041@homeport.org> <9C985005-711E-4653-9C50-50590CA3388E@cwalsh.org>
Message-ID:

This is a GREAT example of 'out of sight out of mind'! Many companies know that they do not absolve themselves of the risks when they outsource but since they have outsourced they get busy concentrating on more local problems.

I hope that someone investigates this and gets to the bottom of the questions of whether EDS made the decision to add this field into a mass-mailing or if the State passed a bunch of data and asked EDS to run it. Make no mistake though - the State of Wisconsin is ultimately responsible since they were the 'owners' of the data.

________________________________
From: dataloss-bounces at attrition.org on behalf of Chris Walsh
Sent: Thu 1/10/2008 8:43 PM
To: Adam Shostack
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Wis. mailing sent with personal info

From jericho at attrition.org Fri Jan 11 16:31:59 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 11 Jan 2008 16:31:59 +0000 (UTC)
Subject: [Dataloss] follow-up: Database breach investigation ongoing
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.dailybruin.ucla.edu/news/2008/jan/10/database-breach-investigation-ongoing/

By Julia Erlandson, Daily Bruin senior staff
January 10, 2008

One year after a breach of a university database compromised students' personal information, UCLA officials say they are continuing to track the case and bolster security.

In December 2006, administrators alerted the campus community that a hacker had accessed a UCLA database containing the names and Social Security numbers of over 800,000 current and former students, as well as faculty and staff members.

Though the database did not contain students' credit card or bank information, the hacker did appear to have accessed some Social Security numbers, which can be used to steal a person's identity.

An ongoing investigation has found no evidence of identity theft resulting from the breach, though affected students should still be vigilant, said Jim Davis, associate vice chancellor for information technology.

Since the incident, university officials have worked to protect students' Social Security numbers, Davis said.

[..]

From james at iqbio.net Fri Jan 11 17:25:16 2008
From: james at iqbio.net (James Childers)
Date: Fri, 11 Jan 2008 09:25:16 -0800
Subject: [Dataloss] Wis.
mailing sent with personal info
In-Reply-To:
References: <47867631.4040604@knology.net> <20080110205714.GA28041@homeport.org> <9C985005-711E-4653-9C50-50590CA3388E@cwalsh.org>
Message-ID: <88677D8E4FBE2A4C9CEF9FBF8F38E705221DE1@prometheus.HQ.IQBIO.NET>

This is also a PERFECT example of how a monolithic database with vast amounts of data in the Government arena can and ultimately WILL always be abused/misused.

My assumption is that some WI State employee was told by their boss to get the information to EDS so they could mail a letter. The employee probably did not care about or even stop to think about the implications of sending the entire database to the contractor. Heck, they probably even sent it by email!

EDS on the other hand probably provides these services for WI after being awarded a contract for services. These contracts are "put out for bid" and ultimately the lowest cost provider won. Price is usually the only determining factor in Government Contracting.

We are dealing with the lowest common denominator here... which ultimately is the component between the chair and the keyboard. The employee probably said, "I'll just send the entire database to the contractor" and let them figure it out, instead of spending the money and taking the time to figure out exactly what data they actually need. This employee should have asked "Do you want fries with that?" - which is probably the only training this employee ever had.

You can encrypt the data, attempt to limit access, enact secure policies, but when one apathetic employee has access to vast amounts of data with little or no oversight ... ultimately you WILL have a breach.

You GET WHAT YOU PAY FOR.

James (Jim) Childers
President & CEO
Artemis Solutions Group (USA)
BioCert(r) - iQBio(tm) - BioSaf(r)
www.biometricsdirect.com

From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org] On Behalf Of Tracy Blackmore
Sent: Friday, January 11, 2008 8:34 AM
To: Chris Walsh; Adam Shostack
Cc: dataloss at attrition.org
Subject: Re: [Dataloss] Wis. mailing sent with personal info

From shamburg at eclipsec.com Fri Jan 11 17:41:31 2008
From: shamburg at eclipsec.com (Steve Hamburg)
Date: Fri, 11 Jan 2008 11:41:31 -0600
Subject: [Dataloss] Wis. mailing sent with personal info
Message-ID: <003f01c85478$8ae471c3$82f0a8c0@eclipsec.com>

I think there is another point to consider, which is the security practices of external parties to whom various aspects of business operations are outsourced. What contractual provisions are in place regarding security standards that must be addressed when outsourcing services to a firm? Further, what provisions are in place regarding financial recovery of loss should a security breach result from poor security practices of an outsourced firm? Many other questions / considerations come to mind.

Steve.

--
Steve Hamburg, President
Eclipsecurity, LLC
www.eclipsec.com
312.373.9382

-----Original Message-----
From: "James Childers"
To: "Tracy Blackmore" ; "Chris Walsh" ; "Adam Shostack"
Cc: "dataloss at attrition.org"
Sent: 1/11/2008 11:25 AM
Subject: Re: [Dataloss] Wis.
mailing sent with personal info

From mhill at idtexperts.com Fri Jan 11 20:23:15 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Fri, 11 Jan 2008 15:23:15 -0500
Subject: [Dataloss] OH: Records for 800 UA students missing
Message-ID: <004801c8548f$cca68220$6501a8c0@mkevhill>

http://www.ohio.com/news/break_news/13709292.html

The University of Akron has informed 800 students and graduates of the College of Education that a portable hard drive containing personal information is missing and may have been discarded or destroyed in December.

The university said the device contained Social Security numbers, names and addresses of students and graduates.

Dr. Cynthia Capers, interim dean of the College of Education, said UA felt it was essential to notify students and graduates even though ''we believe this incident puts them at low risk of identity theft.''

Students and graduates received Federal Trade Commission guidelines to help guard against identity theft and a UA phone number and Web address to ask additional questions.

Michael Hill
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751

"If You Think You're Not At Risk, Think Again!"
From lyger at attrition.org Fri Jan 11 21:23:08 2008
From: lyger at attrition.org (lyger)
Date: Fri, 11 Jan 2008 21:23:08 +0000 (UTC)
Subject: [Dataloss] IA: UI College of Engineering notifies former students of technology miscue
Message-ID:

http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20080111/NEWS01/80111010/1079

The University of Iowa College of Engineering has notified some 216 of its former students that some of their personal information, including Social Security numbers, was inadvertently exposed on the Internet for several months, until the erroneous file location was discovered in early January 2008.

The information did not include birth dates, specific grades, or any financial information, such as credit card numbers. UI technology staff believes there is little risk that the information was or will be misused; however, they are advising the students to take precautions to protect their financial information by placing "fraud alerts" on their files with the three major credit bureaus.

[...]

From hbrown at knology.net Sat Jan 12 01:14:42 2008
From: hbrown at knology.net (Henry Brown)
Date: Fri, 11 Jan 2008 19:14:42 -0600
Subject: [Dataloss] Follow up on the Nashville TN Voter registration stolen computers
Message-ID: <47881482.8020408@knology.net>

http://www.nashvillecitypaper.com/news.php?viewStory=58495

City offers free identity theft protection to voters

Metro Nashville is contracting with Debix Identity Protection Network to provide citizens affected by the recent theft of two Davidson County Election Commission laptops a full year of identity theft coverage for free, according to Mayor Karl Dean's office.

Voters will receive a letter containing detailed instructions on how to enroll with Debix no later than next week, according to the Mayor's office, and an enrollment form and activation code will be included.

The laptops were stolen Dec. 23 and contained the complete Social Security numbers of 337,000 registered Davidson County voters.

From hbrown at knology.net Sat Jan 12 22:15:11 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 12 Jan 2008 16:15:11 -0600
Subject: [Dataloss] POTENTIAL dataloss
Message-ID: <47893BEF.70400@knology.net>

NO Losses YET but ...

And this is from a state that will ARREST people for putting sensitive employee data in the trash...

From the Dallas Morning News
http://tinyurl.com/33wyee

Company gets kindergartners' Social Security numbers, data
Permission not needed to hand over Social Security info; TEA says it's safe

Texas school districts are handing over Social Security numbers, dates of birth and other sensitive information about the state's kindergarten students to a private software company without permission from the children's parents.

State education officials who set up the unusual arrangement insist that the information is safe. But some educators and parents worry about sending student Social Security numbers to a private company hired to store kindergarten reading test scores. A privacy expert says thousands of 5- and 6-year-olds are vulnerable to identity theft as a result.

[...]

OZ Systems, an Arlington software company, has received at least $2.3 million in state money to create databases of preschool and kindergarten student records. The new database for kindergarten test scores also includes sections for children's names, Social Security numbers, dates of birth, gender, school identification numbers and parents' names and addresses, educators say.

[...]

From chris at cwalsh.org Sun Jan 13 04:38:56 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Sat, 12 Jan 2008 22:38:56 -0600
Subject: [Dataloss] TSA "redress" site exposed 247
Message-ID: <16535FE9-AAAB-4D77-B13E-663C1D2A50C9@cwalsh.org>

There's been some attention to a TSA site that collected a large amount of PII, and was discovered by Chris Soghoian to be grossly insecure.
According to the House Oversight and Government Reform Committee report (http://oversight.house.gov/documents/20080111092648.pdf):

"TSA also contacted the individuals who had submitted their personal information through the unsecured 'file your application online' link to inform them that they were at a heightened risk of identity theft." (p. 8)

Earlier in the report (p. 7) it is stated that 'At least 247 travelers submitted their personal information through the unsecured "file your application online" link'.

The report (p. 6) also states that name, address, Social Security numbers, eye color, place of birth, and other sensitive personal information were asked for on the submission page of the TSA's site.

I think it is fair to conclude that this is a breach affecting the TSA (and their contractor, Desyne Web Services) involving at least 247 people.

From hbrown at knology.net Mon Jan 14 22:39:07 2008
From: hbrown at knology.net (Henry Brown)
Date: Mon, 14 Jan 2008 16:39:07 -0600
Subject: [Dataloss] Data breach notification from Suffolk VA
Message-ID: <478BE48B.4010406@knology.net>

IMO the information contained in this article MIGHT NOT be the complete story, but draw your own conclusion(s)...

From the Virginian Pilot
http://tinyurl.com/2n3tfr

SUFFOLK VA

The Department of Social Services has mailed about 1,500 letters to warn of a "potential security breach" involving a department computer that police suspect was used to commit fraud.

The city does not believe any clients' personal information was compromised, and there is no evidence the data used for the fraud was retrieved from the computer, said Leonard Horton, director of Social Services.

Kia James, 26, is accused of using her work computer while employed by Social Services last summer to apply for a credit card using her landlord's information, according to a search warrant and criminal complaint. She was charged with two felony counts, credit card fraud and forgery, and is accused of spending nearly $1,000 on the card. A grand jury is scheduled to review the case Jan. 28.

The letters were sent as a precaution to everyone who applied for or received tax relief in 2007, Horton said. The department sent letters to them because James worked in that area, he said.

The criminal charges concern only one victim, who works in Richmond. But police investigated a potential second victim who was a former Suffolk Social Services employee, according to the search warrant. Horton said that former employee left the department several years ago.

James worked for Social Services for seven months, according to her court record.

The Department of Social Services offered to help residents conduct a free credit check. Horton said more than 100 people have called in response to the letters.

From lyger at attrition.org Tue Jan 15 00:35:54 2008
From: lyger at attrition.org (lyger)
Date: Tue, 15 Jan 2008 00:35:54 +0000 (UTC)
Subject: [Dataloss] Tennessee Tech loses Social Security numbers of 990 students
Message-ID:

http://www.tennessean.com/apps/pbcs.dll/article?AID=/20080114/NEWS04/80114105/1001/NEWS

A portable storage drive containing the names and Social Security numbers of 990 Tennessee Tech University students has been lost, according to university officials.

The school notified students today who lived in Capital Quad and Crawford residence halls during the fall 2007 semester that their information could be at risk.

"We don't know that it has fallen into anybody's hands; we don't know where it is," said TTU spokeswoman Monica Greppin. "We're notifying everybody purely as a precaution."

From hbrown at knology.net Tue Jan 15 16:00:10 2008
From: hbrown at knology.net (Henry Brown)
Date: Tue, 15 Jan 2008 10:00:10 -0600
Subject: [Dataloss] ID Theft at Dahlgren VA Navy Facility
Message-ID: <478CD88A.8080009@knology.net>

An HTML attachment was scrubbed...
URL: http://attrition.org/pipermail/dataloss/attachments/20080115/c860892c/attachment.html

From lyger at attrition.org Wed Jan 16 20:07:09 2008
From: lyger at attrition.org (lyger)
Date: Wed, 16 Jan 2008 20:07:09 +0000 (UTC)
Subject: [Dataloss] UK: Hospital staff ID is 'lost' in data blunder
Message-ID:

http://www.bexleytimes.co.uk/content/bexley/times/news/story.aspx?brand=BXYOnline&category=news&tBrand=northlondon24&tCategory=newsbxy&itemid=WeED16%20Jan%202008%2017%3A02%3A37%3A830

SENSITIVE data spanning 20 years has gone missing from a hospital.

Records containing names, addresses, national insurance numbers and bank details of staff at Queen Mary's Hospital, Sidcup, disappeared last October but staff were only told on Tuesday.

NHS bosses are clueless as to how the incident happened and insist that there is no evidence that the data was stolen.

[...]

From lyger at attrition.org Thu Jan 17 02:31:31 2008
From: lyger at attrition.org (lyger)
Date: Thu, 17 Jan 2008 02:31:31 +0000 (UTC)
Subject: [Dataloss] WI: More Social Security numbers revealed in state mailing
Message-ID:

http://www.madison.com/wsj/topstories/267330

As state officials responded Tuesday to a fresh breach of personal information, privacy advocates said the state has failed to act quickly enough to protect citizens against identity theft.

"They've literally had years to deal with these issues. They're not new," said Chris Ahmuty, executive director of the American Civil Liberties Union of Wisconsin.

Ahmuty said his group would consider "all its options" if the state can't show it was finally dealing with the problem, adding, "It may take an outside group to encourage them."

His comments followed a disclosure by state officials Tuesday that a portion of 5,000 taxpayers in northeastern Wisconsin had their Social Security numbers exposed in a state mailing - the third such mistake in 13 months.

[...]

From lyger at attrition.org Thu Jan 17 16:26:40 2008
From: lyger at attrition.org (lyger)
Date: Thu, 17 Jan 2008 16:26:40 +0000 (UTC)
Subject: [Dataloss] (follow-up) TN: Suspect In Laptop Thefts Surrenders
Message-ID:

http://www.newschannel5.com/Global/story.asp?S=7735032

According to Metro police, the Tennessee parolee and suspected burglar in the Christmas Eve break-in at the Davidson County Election Commission surrendered early Thursday at police headquarters.

After being taken into custody, police interviewed Robert Osbourne and then booked him on an arrest warrant charging him with breaking into Metro's Election Commission offices.

Osbourne allegedly stole computers containing voters' information, which included social security numbers.

[...]

From lyger at attrition.org Thu Jan 17 17:23:27 2008
From: lyger at attrition.org (lyger)
Date: Thu, 17 Jan 2008 17:23:27 +0000 (UTC)
Subject: [Dataloss] WI: UW staff's personal data was on public Web site at least a year
Message-ID:

http://www.madison.com/tct/news/267604

UW-Madison officials waited more than a month before advising more than 200 faculty and staff members of a potential exposure of their personal information on the Internet last year.

The personal information -- including e-mail addresses, phone numbers and Social Security-based campus ID numbers of faculty and staff who made purchases from the DoIT computer shop -- had been accessible on a campus Internet site for at least a year, said Brian Rust, communications manager for the UW's department of information technology.

Rust said the Web-based database for DoIT employees was intended to keep track of sales transactions for statistical purposes. He said the department only learned that purchasers' campus ID numbers -- some of which still use Social Security numbers -- could be accessed after a UW staffer found information about his own DoIT purchase during a routine online search.

[...]
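The following is an added editorial example, not part of any list post above and not code from Wisconsin, EDS, UW-Madison or anyone else named in this thread. It puts Adam Shostack's remark earlier in the thread (select name and address rather than the whole row before a vendor ever sees the data) into working form, and adds the outbound check a defender would want for the SSN-on-the-label and SSN-on-the-web incidents reported here: a column allow-list for the mailing extract, plus a scan of the file actually leaving the building for SSN-shaped values, with the release refused if any are found. The member table, its column names and every value in it are constructed for this example; the SSN pattern is an assumption about what a leaked identifier looks like, not a rule from any agency.

```python
import csv
import io
import re

# Constructed sample rows standing in for a benefits-program member table.
# Column names and values are made up for this example, not any state's schema.
MEMBERS = [
    {"member_id": "1001", "name": "Pat Example",
     "address": "1 Main St Madison WI 53703-1234",   # ZIP+4: must not trip the SSN check
     "ssn": "123-45-6789", "program": "SeniorCare"},
    {"member_id": "1002", "name": "Sam Sample",
     "address": "22 Oak Ave Green Bay WI 54301",
     "ssn": "987654321", "program": "BadgerCare"},
]

# The allow-list: the only columns a brochure mailing needs ("select name, address").
MAILING_COLUMNS = ("name", "address")

# SSN-shaped values: 3-2-4 with hyphens, or nine contiguous digits. Requiring the
# hyphens in the first form keeps ZIP+4 codes such as 53703-1234 from matching.
SSN_RE = re.compile(r"\b(?:\d{3}-\d{2}-\d{4}|\d{9})\b")


def build_mailing_extract(rows, columns=MAILING_COLUMNS):
    """Serialise only the allow-listed columns to CSV text; nothing else is copied."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(columns))
    writer.writeheader()
    for row in rows:
        writer.writerow({col: row[col] for col in columns})
    return buf.getvalue()


def find_ssn_leaks(text):
    """Return every SSN-shaped token found in an outbound file; an empty list means clean."""
    return SSN_RE.findall(text)


def release_to_vendor(rows, columns=MAILING_COLUMNS):
    """Build the extract and refuse to hand it over if SSN-shaped data is present."""
    extract = build_mailing_extract(rows, columns)
    leaks = find_ssn_leaks(extract)
    if leaks:
        raise ValueError(f"extract blocked: {len(leaks)} SSN-shaped value(s) present")
    return extract


def extract_is_blocked(rows, columns):
    """True when release_to_vendor refuses the extract for this column set."""
    try:
        release_to_vendor(rows, columns)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(release_to_vendor(MEMBERS))
    # Handing the vendor the whole row, as the thread suspects happened, is refused.
    print("full-row export blocked:", extract_is_blocked(MEMBERS, ("name", "address", "ssn")))
```

The two controls are deliberately independent: the allow-list is the primary measure (the vendor never receives a column it has no business need for), and the outbound scan is a backstop that catches the case where someone widens the column list or pastes an SSN into a free-text field. The first ZIP+4 address is there to show why the pattern insists on the 3-2-4 hyphenation rather than any nine digits with optional separators, which would flag ordinary postal codes and teach operators to ignore the alarm.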
From hbrown at knology.net Thu Jan 17 20:47:34 2008
From: hbrown at knology.net (Henry Brown)
Date: Thu, 17 Jan 2008 14:47:34 -0600
Subject: [Dataloss] US Major Retailer data breach
Message-ID: <478FBEE6.4070705@knology.net>

From Consumerist.com
http://tinyurl.com/2k9e4z

"Major Retailer's" Data Breach Results In Wave Of Credit Card Fraud?

Anecdotal evidence suggests that a recently reported data breach by an undisclosed "major retailer" has resulted in a jump in consumers having their debit cards forcibly reissued, or calls from their bank to verify their recent purchase history. The problems seem to have started just around Christmas time and have continued into mid-January. The thefts cut across all types of credit cards, but one of the common threads is that the cards are being used to purchase physical products in-store. This is a contrast to the big credit card reissue last year when stolen debit cards were being used to make fraudulent ATM withdrawals.

Which retailer? Who's behind it? Nobody knows and we won't find out for some time, not until the cops catch the robbers. Until then, here's all the people on our site talking about the recent seeming surge of fraudulent activity..

[...]

From fergdawg at netzero.net Fri Jan 18 02:31:20 2008
From: fergdawg at netzero.net (Paul Ferguson)
Date: Fri, 18 Jan 2008 02:31:20 GMT
Subject: [Dataloss] Data Lost on 650,000 Credit Card Holders
Message-ID: <20080117.183120.2044.0@webmail05.vgs.untd.com>

Via SFGate.com (AP).

[snip]

Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing.

GE Money, which handles credit card operations for Penney and many other retailers, said Thursday night that the missing information includes Social Security numbers for about 150,000 people.

The information was on a backup computer tape that was discovered missing last October. It was being stored at a warehouse run by Iron Mountain Inc., a data storage company, and was never checked out but can't be found either, said Richard C. Jones, a spokesman for GE Money, part of General Electric Capital Corp.

Jones said there was "no indication of theft or anything of that sort," and no evidence of fraudulent activity on the accounts involved.

[snip]

More: http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2008/01/17/financial/f174200S38.DTL

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/

From jericho at attrition.org Fri Jan 18 07:34:18 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 18 Jan 2008 07:34:18 +0000 (UTC)
Subject: [Dataloss] follow-up: One year later: Five takeaways from the TJX breach
Message-ID:

---------- Forwarded message ----------

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9057758

By Jaikumar Vijayan
January 17, 2008
Computerworld

One year ago today, The TJX Companies Inc. disclosed what has turned out to be the largest information security breach involving credit and debit card data -- thus far, at least.

The data compromise at the Framingham, Mass.-based retailer began in mid-2005, with system intrusions at two Marshalls stores in Miami via poorly protected wireless LANs. The intruders who broke into TJX's payment systems remained undetected for 18 months, during which time they downloaded a total of 80GB of cardholder data. TJX eventually said that 45.6 million card numbers belonging to customers in multiple countries were stolen from its systems. Even that number may be far too low: a group of banks that is suing the retailer claimed in an October court filing that information about 94 million cards was exposed during the serial intrusions.

The sheer size of the data theft puts TJX in a league of its own among companies hit by such incidents, and the breach has made it something of a poster child for sloppy data security practices among retailers. In addition, the breach highlighted several familiar issues and some not-so-familiar ones. Here, on the one-year anniversary of the breach becoming known, are five takeaways for security managers:

[..]

From lyger at attrition.org Fri Jan 18 14:54:50 2008
From: lyger at attrition.org (lyger)
Date: Fri, 18 Jan 2008 14:54:50 +0000 (UTC)
Subject: [Dataloss] TN: Election Commission laptop harddrive found
Message-ID:

(following yesterday's arrest report)

http://www.nashvillecitypaper.com/news.php?viewStory=58576

Metro Police confirmed late Thursday they have recovered the hard drive from the laptop computer, containing names and complete Social Security numbers for 337,000 registered voters, that was stolen from the Election Commission in December.

Police said Election Commission staff viewed and confirmed the information stored on the seized hard drive came from the stolen computer that gave them the most concern.

Officials did not disclose where the hard drive, a router and other computer components were found, citing the ongoing investigation. Police do not yet know if any of the other seized equipment - including additional hard drives - came from a second malfunctioning laptop also stolen from the Election Commission.

Computer experts have begun the process of examining the files and data components to determine if they have been accessed or tampered with, according to police.

[...]
From chris at cwalsh.org Fri Jan 18 17:37:40 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Fri, 18 Jan 2008 11:37:40 -0600
Subject: [Dataloss] TN: Election Commission laptop harddrive found
In-Reply-To:
References:
Message-ID: <20080118173740.GB82797@fripp.cwalsh.org>

On Fri, Jan 18, 2008 at 02:54:50PM +0000, lyger wrote:
>
> Computer experts have begun the process of examining the files and data
> components to determine if they have been accessed or tampered with,
> according to police.

Luckily, it is impossible to modify bits on a hard drive without leaving evidence of your misdeed.

Surprisingly, Tripwire and similar products manage to make quite a bit of money despite this feature of computer architecture which is seemingly known by even the least-experienced newspaper writer.

From tblackmore at tslad.com Fri Jan 18 18:10:15 2008
From: tblackmore at tslad.com (Tracy Blackmore)
Date: Fri, 18 Jan 2008 11:10:15 -0700
Subject: [Dataloss] TN: Election Commission laptop harddrive found
References: <20080118173740.GB82797@fripp.cwalsh.org>
Message-ID:

But with products like Tripwire - you don't have to manually go thru the hard-drive. It will automatically monitor and notify if problems are found. Plus... it's a LOT easier and quicker to restore a compromised server if you have a nice pretty list of all files having been modified already in your hands :-)

Tracy

_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

From mhozven at tealeaf.com Fri Jan 18 18:17:24 2008
From: mhozven at tealeaf.com (Max Hozven)
Date: Fri, 18 Jan 2008 10:17:24 -0800
Subject: [Dataloss] TN: Election Commission laptop harddrive found
In-Reply-To: <20080118173740.GB82797@fripp.cwalsh.org>
Message-ID: <771A26039D33ED489E23D9614DE630DD078E99B1@SFMAIL02.tealeaf.com>

I think that if you are tricky enough, you could maybe do this:

1. Boot laptop off of a Ghost CD and create a Ghost image of the drive.
2. Use Ghost Explorer to overwrite a file you want to change in the Ghost image file. Make sure the file date/time on the file you create is the same as the one you overwrite to cover your tracks. Keep the file size the same if you want to get really sneaky.
3. Boot the laptop off of the Ghost CD again. Do a Ghost restore of the updated image you just created.
4. The resulting laptop will boot up with the hard disk appearing unchanged, as it has never booted to its native OS, the changes having been done via Ghost.

There's other disk imaging software packages besides Ghost that could probably do similar things as well.

My opinion is that once a computer/drive gets out of your hands, there's really no 100% way to know if anything was changed unless you have an image of the drive before it left and you individually "checksum" each file to look for changes.

-Max

(Note: Opinions expressed are solely my own and not that of my company.)

From daniel.clemens at packetninjas.net Fri Jan 18 19:00:52 2008
From: daniel.clemens at packetninjas.net (Daniel Clemens)
Date: Fri, 18 Jan 2008 13:00:52 -0600
Subject: [Dataloss] TN: Election Commission laptop harddrive found
In-Reply-To: <771A26039D33ED489E23D9614DE630DD078E99B1@SFMAIL02.tealeaf.com>
References: <771A26039D33ED489E23D9614DE630DD078E99B1@SFMAIL02.tealeaf.com>
Message-ID: <29A6A310-C223-491F-A610-E144623FAE14@packetninjas.net>

On Jan 18, 2008, at 12:17 PM, Max Hozven wrote:
>
> I think that if you are tricky enough, you could maybe do this:
>
> 1. Boot laptop off of a Ghost CD and create a Ghost image of the drive.
> 2. Use Ghost Explorer to overwrite a file you want to change in the
> Ghost image file. Make sure the file date/time on the file you create
> is the same as the one you overwrite to cover your tracks. Keep the
> file size the same if you want to get really sneaky.
> 3. Boot the laptop off of the Ghost CD again. Do a Ghost restore of
> the updated image you just created.
> 4. The resulting laptop will boot up with the hard disk appearing
> unchanged, as it has never booted to its native OS, the changes having
> been done via Ghost.
>
> There's other disk imaging software packages besides Ghost that could
> probably do similar things as well.

I don't think Ghost really copies every part of the drive. I am sure it would be fairly easy to tell if the drive was only Ghost'd and then restored since certain parts of the drive would have never been copied and certain portions would be completely overwritten or pointed to new locations on the drive. (Not to mention any installation logs that may have taken place, or anything in mbr, or mft.) The file you replaced could possibly still be on the drive that you restored to, especially if the inode pointer points to a new file but the old file is still there...

I haven't tried this personally (Ghost, then re-analysis forensically) but I am willing to bet you could tell if something was 're-ghosted'. But then again I am only assuming and it sounds like you are too, so most likely we are both asses.

> My opinion is that once a computer/drive gets out of your hands, there's
> really no 100% way to know if anything was changed unless you have an
> image of the drive before it left and you individually "checksum" each
> file to look for changes.

Um. I have to disagree with this. There is actually a lot of work you can do to see what has changed when dealing with data theft like this (excluding super ninjas of course). What you can't validate is what has been completely copied off of the drive if the theft involved a criminal that knew how to truly duplicate the drive.

-Daniel Clemens

From james at iqbio.net Fri Jan 18 19:30:31 2008
From: james at iqbio.net (James Childers)
Date: Fri, 18 Jan 2008 11:30:31 -0800
Subject: [Dataloss] TN: Election Commission laptop harddrive found
In-Reply-To: <771A26039D33ED489E23D9614DE630DD078E99B1@SFMAIL02.tealeaf.com>
References: <20080118173740.GB82797@fripp.cwalsh.org> <771A26039D33ED489E23D9614DE630DD078E99B1@SFMAIL02.tealeaf.com>
Message-ID: <88677D8E4FBE2A4C9CEF9FBF8F38E705221E1D@prometheus.HQ.IQBIO.NET>

Knoppix Boot CD and linux bit-by-bit copying of the hdd would be good tools for doing something like this.

James (Jim) Childers
President & CEO
Artemis Solutions Group (USA)
BioCert(r) - iQBio(tm) - BioSaf(r)
www.iqbio.com

From dcs44 at georgetown.edu Fri Jan 18 20:38:37 2008
From: dcs44 at georgetown.edu (David C. Smith)
Date: Fri, 18 Jan 2008 15:38:37 -0500
Subject: [Dataloss] TN: Election Commission laptop harddrive found
In-Reply-To: <29A6A310-C223-491F-A610-E144623FAE14@packetninjas.net>
References: <771A26039D33ED489E23D9614DE630DD078E99B1@SFMAIL02.tealeaf.com> <29A6A310-C223-491F-A610-E144623FAE14@packetninjas.net>
Message-ID: <47910E4D.9040405@georgetown.edu>

>
> I don't think Ghost really copies every part of the drive.
> I am sure it would be fairly easy to tell if the drive was only

I am not sure about ghost, but it can be done with the unix dd command. It creates a forensically sound bit image of the source. http://www.forensicswiki.org/wiki/Dd. Dd images do hold up in court as evidence and you can use MD5 sums to prove changes were not made. You may also view the drive with write blockers like http://www.forensicswiki.org/index.php?title=Write_Blockers which would not alter the source drive. Cheaply, one can use a USB external cable say, http://www.newegg.com/Product/Product.aspx?Item=N82E16812156101 ($18) combined with a usb software block (free): http://windowsir.blogspot.com/2004/12/xp-sp2-and-making-usb-storage-read.html to retrieve all information without being detected.

> >anything was changed unless you have an image of the drive before it
> >left and you individually "checksum"
> >each file to look for changes.
>
> Um. I have to disagree with this.

But, you can alter the dd image using a hex editor and reapply it back the original media without detection (unless you have a source image to "diff" against). But I would like to think that someone in the organization would tell them that since they lost integrity control of the data it should be deleted or reverified.

Dave

From lyger at attrition.org Fri Jan 18 21:12:54 2008
From: lyger at attrition.org (lyger)
Date: Fri, 18 Jan 2008 21:12:54 +0000 (UTC)
Subject: [Dataloss] UK: MoD loses data of 600,000 would-be recruits
Message-ID:

http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2008/01/18/ndata618.xml

The personal details of 600,000 people interested in joining Britain's armed forces have been lost after a laptop belonging to a Royal Navy officer was stolen, the Ministry of Defence disclosed tonight.

It is the latest extraordinary data loss incident involving a Government department and potentially the most serious as recruits to the armed forces are targets for terrorists.

The laptop containing the data was stolen from a vehicle parked overnight in the Edgbaston area of Birmingham on Jan 9 but was only made public late tonight.

[.]

For those who submitted an application to the forces "extensive personal data" - including passport details, National Insurance numbers, family details and medical records - has been lost.

[...]

From chris at cwalsh.org Sat Jan 19 05:19:24 2008
From: chris at cwalsh.org (Chris Walsh)
Date: Fri, 18 Jan 2008 23:19:24 -0600
Subject: [Dataloss] TN: Election Commission laptop harddrive found
In-Reply-To: <47910E4D.9040405@georgetown.edu>
References: <771A26039D33ED489E23D9614DE630DD078E99B1@SFMAIL02.tealeaf.com> <29A6A310-C223-491F-A610-E144623FAE14@packetninjas.net> <47910E4D.9040405@georgetown.edu>
Message-ID: <20C31028-91D9-486D-8E5C-A070178374B6@cwalsh.org>

Sorry folks -- my sarcasm was not as overt as I thought when I made my original comment. I had in mind reading/writing via a raw device (to use UNIX parlance), which would make your actions undetectable -- much as David is saying.

The Attrition folks have a rant on this subject -- http://attrition.org/dataloss/forensics.html

On Jan 18, 2008, at 2:38 PM, David C. Smith wrote:

> I am not sure about ghost, but it can be done with the unix dd
> command. It creates a forensically sound bit image of the source.
> http://www.forensicswiki.org/wiki/Dd. Dd images do hold up in court
> as evidence and you can use MD5 sums to prove changes were not made.

From lyger at attrition.org Sat Jan 19 06:09:23 2008
From: lyger at attrition.org (lyger)
Date: Sat, 19 Jan 2008 06:09:23 +0000 (UTC)
Subject: [Dataloss] Admin: General mail list stuff
Message-ID:

Hi all,

First, welcome to all of the new subscribers to the Data Loss Mail List. We hope you find some good information and discussion about loss and/or theft of personal information. A few quick items for everyone:

1. If you subscribed to this mail list and wish to be removed, please visit: http://attrition.org/security/dataloss.html

2. Discussion is welcome and encouraged. With over 1,000 subscribers, there will be some cross-talk on occasion. If you wish to respond to someone's post directly, please mail them directly and don't CC the entire list unless you want the entire list to see your response.

P.S. Also feel free to not CC me on any posts to the list. I get them anyway. :)

3. If you respond to a post to the list, please trim off excessive footers (i.e. sig files or the dataloss mail list and tenable footers) when you can. 8K of a response is perfectly fine... unless 5.5K of that is a quoted footer.

4. This is touchy, but if your post either a) isn't topical, or b) ends up in attrition.org's spam filter, it won't get approved. We get literally hundreds of spam emails a day, so if your post ends up in our filter, oops, sorry, deleted. Nothing personal.

Please send any questions, comments, or concerns to lyger at attrition.org. If I don't respond within three business days, you can assume that I've been hit by a very large mass transportation vehicle and can then mail staff at attrition.org

Thanks,
Lyger

From hbrown at knology.net Sat Jan 19 22:58:01 2008
From: hbrown at knology.net (Henry Brown)
Date: Sat, 19 Jan 2008 16:58:01 -0600
Subject: [Dataloss] Kansas City IRS data lost
Message-ID: <47928079.5060205@knology.net>

From Houston Chronicle:
http://www.chron.com/disp/story.mpl/ap/nation/5469430.html

KANSAS CITY, Mo. -- Federal investigators blame city officials for the loss in 2006 of 26 IRS computer tapes containing taxpayer information.

In a heavily redacted report obtained by The Kansas City Star through a Freedom of Information Act request, the Treasury Department's inspector general for tax administration said the city failed to follow "proper safeguards for protecting federal tax return information."

The tapes were delivered to City Hall in August 2006 to help revenue officials make sure people living or working in Kansas City are paying the 1 percent city earnings tax. City officials said they realized the tapes were missing in late 2006, touching off the investigation that began on Dec. 19, 2006, and lasted until Nov. 1, 2007. The tapes have never been found.

"The investigation revealed the city did not follow and was not following the proper safeguards for protecting federal tax return information," the inspectors wrote.

The information released to The Star and published in a story Saturday did not elaborate on the city's mistakes. Most of the information in the 42 pages provided to the paper was blacked out, and the agency said it wasn't handing over another 105 pages because that "could impede its law enforcement activities."

The IRS has never said what was on the tapes, how many taxpayers may have been affected or whether taxpayers would be told of the lost information.

[...]
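Returning to the Election Commission laptop thread above (Hozven's suggestion of a per-file "checksum" against a pre-theft image, and Smith's point that only a source image to "diff" against makes silent alteration detectable), here is an added example that is not code from any list participant: a minimal Tripwire-style manifest that records size, mtime and a SHA-256 digest per file, then reports what differs in a later snapshot. The sample tree, the file name voters.csv and its rows are all constructed inside a temporary directory; the in-place edit in demo() keeps the size and restores the original timestamp, which is exactly the evasion the thread describes, and the content hash still flags it.

```python
"""Tripwire-style file integrity check: baseline manifest vs. later snapshot.

Added example for the Election Commission laptop thread; not code from any
list participant.  Everything runs inside a temporary directory, so nothing
here touches a real drive or image.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash file contents in chunks so large files need not fit in memory.

    The same routine applied to a dd image file is the "MD5 sum of the image"
    idea from the thread, with a stronger digest.
    """
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each path (relative to root) to (size, mtime_ns, sha256).

    Size and mtime are the two attributes an attacker who edits a file
    "in place" can keep constant; the content digest is what catches them.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            manifest[rel] = (st.st_size, st.st_mtime_ns, sha256_file(full))
    return manifest


def compare_manifests(baseline, current):
    """Return added/removed paths and, for changed paths, which of
    size, mtime and content differ between the two manifests."""
    labels = ("size", "mtime", "content")
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            old, new = baseline[rel], current[rel]
            report["changed"][rel] = [
                label for label, o, n in zip(labels, old, new) if o != n
            ]
    return report


def demo():
    """Constructed scenario: a voter-file lookalike is edited with a
    same-length replacement and its mtime restored; the hash still differs."""
    with tempfile.TemporaryDirectory() as root:
        voters = os.path.join(root, "voters.csv")
        with open(voters, "w") as f:
            f.write("id,name,ssn\n1,Alice,000-00-0001\n")  # constructed data
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("unchanged\n")
        baseline = build_manifest(root)  # taken before the drive "leaves"

        # Same-length in-place edit ("Alice" -> "Mallo"), then put the
        # original modification time back so size and mtime both match.
        st = os.stat(voters)
        with open(voters, "r+b") as f:
            f.seek(len("id,name,ssn\n1,"))
            f.write(b"Mallo")
        os.utime(voters, ns=(st.st_atime_ns, st.st_mtime_ns))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())  # -> {'added': [], 'removed': [], 'changed': {'voters.csv': ['content']}}
```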
From jericho at attrition.org Wed Jan 23 07:22:19 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 23 Jan 2008 07:22:19 +0000 (UTC)
Subject: [Dataloss] follow-up: Not one but THREE military laptops have gone missing as security breach grows, admits Defence Secretary
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=509566&in_page_id=1770

The Daily Mail
21st January 2008

Three military laptops with personal details of up to 600,000 people have been lost, Defence Secretary Des Browne admitted today.

The Cabinet minister, who is understood to be furious at the data security breaches, told MPs this afternoon that the extent of the blunders was wider than previously revealed. They are likely to lead to disciplinary action.

With the Ministry of Defence already under fire over the loss of one computer on 9 January, Mr Browne ordered an independent inquiry into military data security.

The laptop stolen in Birmingham this month - from the car of a Royal Navy officer who was involved in recruitment - contained details of 600,000 people including passport numbers, insurance numbers, family background information and medical details.

The MoD is writing to about 3,500 people whose bank details were included on the database.

[..]

From jericho at attrition.org Thu Jan 24 17:09:55 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 24 Jan 2008 17:09:55 +0000 (UTC)
Subject: [Dataloss] fringe: 'Erased' personnel data on agency tapes can be retrieved, company says
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.govexec.com/dailyfed/0108/012308j2.htm

By Jill R. Aitoro
Govexec.com
January 23, 2008

Personal and sensitive government data -- including employees' personal data -- on magnetic tapes that federal agencies erase and later sell can be retrieved using simple technology, according to an investigation conducted by a storage tape manufacturer. The findings contradict a report released by the Government Accountability Office last year that concluded such data was irretrievable.

From March through August 2007, GAO investigated if data could be retrieved from used magnetic tapes that federal agencies sell to commercial tape companies in the United States. Magnetic tapes are widely used by federal agencies, particularly for backing up data stored on large systems in the event of a disaster or system failure. The sample of tapes that GAO obtained came from such agencies as the Federal Reserve Bank, the Air Force and the National Oceanic and Atmospheric Administration.

According to its September 2007 report (GAO-07-1233R) [1], GAO concluded it could not find "any comprehensible data on any of the tapes using standard commercially available equipment and data recovery techniques, specialized diagnostic equipment, custom programming or forensic analysis."

Selling used magnetic tapes is not illegal, GAO pointed out, and if agencies follow guidelines set by the National Institute of Standards and Technology for erasing all data, the risk of theft is low.

"Based on the limited scope of work we performed, we conclude that the selling of used magnetic tapes by the government represents a low security risk, especially if government agencies comply with NIST guidelines in sanitizing their tapes," GAO concluded. "Even if some data were recoverable from some tape formats that had been overwritten to preserve their servo tracks, the data may not be complete or even decipherable."

[..]
From jericho at attrition.org Thu Jan 24 16:45:51 2008
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 24 Jan 2008 16:45:51 +0000 (UTC)
Subject: [Dataloss] fringe: Pillaged MySpace Photos Show Up in Massive BitTorrent Download
Message-ID:

[The information compromised consists of private photograph/images only, not PII. However, such images can be fairly sensitive at times.]

http://www.wired.com/politics/security/news/2008/01/myspace_torrent

By Kevin Poulsen
01.23.08 | 5:00 PM

A 17-gigabyte file purporting to contain more than half a million images lifted from private MySpace profiles has shown up on BitTorrent, potentially making it the biggest privacy breach yet on the top social networking site.

The creator of the file says he compiled the photos earlier this month using the MySpace security hole that Wired News reported on last week. That hole, still unacknowledged by the News Corporation-owned site, allowed voyeurs to peek inside the photo galleries of some MySpace users who had set their profiles to "private," despite MySpace's assurances that such images could only be seen by people on a user's friends' list.

"I think the greatest motivator was simply to prove that it could be done," file creator "DMaul" says in an e-mail interview. "I made it public that I was saving these images. However, I am certain there are mischievous individuals using these hacks for nefarious purposes."

The MySpace hole surfaced last fall, and it was quickly seized upon by the self-described pedophiles and ordinary voyeurs who used it, among other things, to target 14- and 15-year-old users who'd caught their eye online. A YouTube video showed how to use the bug to retrieve private profile photos. The bug also spawned a number of ad-supported sites that made it easy to retrieve photos. One such site reported more than 77,000 queries before MySpace closed the hole last Friday following Wired News' report.

[..]
From lyger at attrition.org Thu Jan 24 22:59:50 2008 From: lyger at attrition.org (lyger) Date: Thu, 24 Jan 2008 22:59:50 +0000 (UTC) Subject: [Dataloss] MA: Security breach compromises Fallon patient data Message-ID: http://boston.bizjournals.com/boston/stories/2008/01/21/daily65.html A vendor computer containing personal information on nearly 30,000 patients of Fallon Community Health Plan has been stolen, the insurer announced Thursday. The Worcester-based health insurer said Thursday that someone stole a vendor's laptop computer believed to contain personal information for members with Fallon Senior Plan and Summit ElderCare coverage. The data included names, dates of birth, some diagnostic information and medical ID numbers -- some of which may be based on Social Security numbers. The information did not include addresses. The computer was taken from the offices of a third-party vendor contracted by Fallon to handle medical claims management. The theft was discovered earlier this month, but Fallon could not confirm until last week what kind of information was on the computer. [...] From lyger at attrition.org Thu Jan 24 23:44:48 2008 From: lyger at attrition.org (lyger) Date: Thu, 24 Jan 2008 23:44:48 +0000 (UTC) Subject: [Dataloss] Hackers Steal OmniAmerican Bank Account Data Message-ID: Via Fergie's Tech Blog (http://fergdawg.blogspot.com/) [snip] An international gang of cyber criminals hacked into OmniAmerican Bank's records, the bank's president disclosed Wednesday. They stole scores of account numbers, created new PINs, fabricated debit cards, then withdrew cash from ATMs in Eastern Europe, including Russia and Ukraine, as well as in Britain, Canada and New York. "It was a pretty sophisticated scheme," said Tim Carter, president of the Fort Worth-based bank. The amount stolen is not yet known, he said, describing it only as "minimal." No depositors will lose money, he said. 
Fewer than 100 accounts, some of them dormant, were compromised, all with a daily withdrawal limit of less than $1,000, he said.

After discovering the fraudulent activity Friday afternoon, OmniAmerican placed temporary limits on some ATM and debit-card transactions and suspended some electronic banking services, which were restored Sunday, Carter said. At no time were customer deposits at risk, he stressed.

"We reduced by half the dollar amount that could be withdrawn and limited [access] to Texas. We cut out anything outside Texas," Carter said.

The unauthorized withdrawals were stopped Friday, and bank employees worked over the weekend to deal with the damage, he said. The bank learned of the breach from customers inquiring about unusual activity in their accounts, from internal monitoring and from a law-enforcement agency, which Carter declined to name.

[snip]

More: http://www.star-telegram.com/business/story/429367.html

Hat-tip: Pogo Was Right

- - ferg

From jericho at attrition.org Fri Jan 25 07:28:51 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 25 Jan 2008 07:28:51 +0000 (UTC)
Subject: [Dataloss] follow-up: Election Commission official not aware of CD in stolen laptop
Message-ID:

"No indication the [CD] disc had been copied or even removed from the computer."

I think that hits a new low for stupid statements regarding potential dataloss.

---------- Forwarded message ----------
From: InfoSec News

http://www.nashvillecitypaper.com/news.php?viewStory=58614

By Amanda N. Maynord
Nashville City Paper
January 24, 2008

Administrator of Election Ray Barrett said he was unaware that a compact disc had been left in one of the stolen laptops taken from the Davidson County Election Commission for more than a year.

Police said last night they were surprised to find the CD that had been created in November 2006 that contained sensitive voter information; however, there was no indication the disc had been copied or even removed from the computer.
"I was not aware of it until [the police found it]," Barrett said. "They told me that was the [laptop] that wasn't working."

Barrett and other officials had been subpoenaed to appear in court this morning for Robert Osbourne's preliminary hearing.

[..]

From lyger at attrition.org Sat Jan 26 01:59:07 2008
From: lyger at attrition.org (lyger)
Date: Sat, 26 Jan 2008 01:59:07 +0000 (UTC)
Subject: [Dataloss] PA: Laptop with students' information stolen
Message-ID:

http://www.collegian.psu.edu/archive/2008/01/25/laptop_with_students_informati.aspx

A university laptop containing archived information and social security numbers for 677 students attending Penn State between 1999 and 2004 was recently stolen from a faculty member while traveling earlier this month.

David Lindstrom, chief privacy officer at Penn State, said he believes the theft was random and "had nothing to do with Penn State."

"We have no reason to believe anybody's information has been compromised, but you need to take precautions, watch your credit, and just be careful," he said.

[...]

From mhill at idtexperts.com Sat Jan 26 14:27:34 2008
From: mhill at idtexperts.com (Michael Hill, CITRMS)
Date: Sat, 26 Jan 2008 09:27:34 -0500
Subject: [Dataloss] Hundreds' personal information found in dumpster
Message-ID: <002a01c86027$97d8ad90$6501a8c0@mkevhill>

http://www.komotv.com/news/local/14449977.html

SEATTLE -- One man went dumpster-diving and discovered a company he trusted had trashed his personal information in a public dumpster where anyone could have snatched it up.

Steve Gillett of Seattle said Visa Services Northwest threw out the sensitive documents instead of shredding them. The documents, which ended up in a downtown alley, included papers with Gillett's name, social security number, credit card information and even a copy of his signature.

Gillett's private information, as well as that of hundreds of others, had been dumped by the travel services company.
"This firm was throwing away in a public bin more information than my wife knows about me," Gillett said.

Xiaoli Ding, the owner of the company, claims what Gillett found was the result of an isolated incident. He says he keeps his clients' personal information for a year, then destroys the files properly. Then he shreds the sensitive documents and recycles the rest.

"Obviously, we accidentally dumped that particular file in the recycle bin," he said.

Even so, Ding said, the documents are safe in the bin since the business is located on an upper floor of the building where the public doesn't typically visit. But the trouble is, the papers don't stay there. Everything in that recycle bin on the upper floor eventually ends up in an alleyway nearby; it's brought to another dumpster in a very public place.

Michael Hill
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751
"If You Think You're Not At Risk, Think Again!"

From lyger at attrition.org Mon Jan 28 00:13:48 2008
From: lyger at attrition.org (lyger)
Date: Mon, 28 Jan 2008 00:13:48 +0000 (UTC)
Subject: [Dataloss] ChoicePoint to settle shareholder suit
Message-ID:

http://www.ajc.com/metro/content/business/stories/2008/01/24/choice_0125.html

Alpharetta-based info broker ChoicePoint said it has agreed to pay $10 million to settle a class action lawsuit stemming from the 2004 theft of records of more than 160,000 people and subsequent stock sales by top executives.

The company said neither ChoicePoint nor the individual defendants -- chief executive Derek Smith or operating chief Doug Curling -- admitted to any liability.

The theft, though detected by ChoicePoint in the fall of 2004, was not disclosed to the public until Feb. 15, 2005.
ChoicePoint said it has entered into a letter of understanding, subject to court approval, through which it and a group of shareholders will settle the lawsuit that stemmed from the security breach.

Smith and Curling netted $16.6 million in profit from stock sales before the records theft was disclosed. The timing of the sales led to an investigation by the Securities and Exchange Commission. Earlier this week the SEC said it has completed the probe and will take no enforcement action.

[...]

From david at geercom.com Mon Jan 28 19:57:06 2008
From: david at geercom.com (David Geer)
Date: Mon, 28 Jan 2008 14:57:06 -0500
Subject: [Dataloss] Journalist seeking pay at the pump data loss incident info
Message-ID: <008501c861e7$f72b2a40$01fea8c0@HAPPY2>

Hello DataLoss List Members,

I am covering data loss due to credit card skimming and other exploits on credit cards at gas station pay at the pump terminals. I am particularly interested in incidents of skimming as well as incidents where criminals sit in gas station parking lots, hack into gas station networks via their wireless networks and then get credit card data housed on the local server.

If you have any leads to the frequency of these types of incidents, that is also welcome.

Best Regards,
David Geer

From lyger at attrition.org Mon Jan 28 22:50:17 2008
From: lyger at attrition.org (lyger)
Date: Mon, 28 Jan 2008 22:50:17 +0000 (UTC)
Subject: [Dataloss] NC: Wake EMS Laptop Missing
Message-ID:

http://www.wral.com/news/news_briefs/story/2364442/

A Wake County Emergency Medical Services laptop computer with patient information disappeared from the WakeMed Emergency Department Thursday night, officials said Monday.
The computer, which was being charged at the time of its disappearance, was not in use, and security measures make it unlikely that information would be accessed, according to a news release.

"We have no reason to believe that the computer was stolen with any intention of accessing the medical records stored in it," Wake EMS Chief Skip Kirkwood said.

[...]

From lyger at attrition.org Mon Jan 28 23:54:25 2008
From: lyger at attrition.org (lyger)
Date: Mon, 28 Jan 2008 23:54:25 +0000 (UTC)
Subject: [Dataloss] UK: Ministry of Defence breakouts by country
Message-ID:

Looks like more data about the MoD breach is now becoming available:

http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/7214492.stm

The names of more than 14,223 people resident in Northern Ireland were contained on a Ministry of Defence laptop recently stolen in England.

[.]

http://ukpress.google.com/article/ALeqM5hi6mSWcH32hgvTaTbkDMiNTXQgXg

The personal details of almost 60,000 Scots were among those on an MoD computer stolen earlier this month. (59,553 noted in story title)

[...]

From lyger at attrition.org Tue Jan 29 00:20:15 2008
From: lyger at attrition.org (lyger)
Date: Tue, 29 Jan 2008 00:20:15 +0000 (UTC)
Subject: [Dataloss] T. Rowe Price warns of computer thefts
Message-ID:

http://www.investmentnews.com/apps/pbcs.dll/article?AID=/20080128/REG/672979544

T. Rowe Price Retirement Plan Services alerted 35,000 current and former participants in "several hundred" plans that their names and Social Security numbers were contained in files on computers that were stolen, said Brian Lewbart, spokesman.

The machines were taken from the office of CBIZ Benefits and Insurance Services Inc., which prepares the 5500s for T. Rowe Price, he said.

[...]
From macwheel99 at wowway.com Tue Jan 29 04:58:52 2008
From: macwheel99 at wowway.com (Al Mac Wheel)
Date: Mon, 28 Jan 2008 22:58:52 -0600
Subject: [Dataloss] Journalist seeking pay at the pump data loss incident info
In-Reply-To: <008501c861e7$f72b2a40$01fea8c0@HAPPY2>
References: <008501c861e7$f72b2a40$01fea8c0@HAPPY2>
Message-ID: <6.2.1.2.1.20080128223240.03ce0560@pop3.mail.wowway.com>

You might check the list's open source data base of past breaches. Go to http://attrition.org/dataloss & check out the links there.

There have been incidents reported associated with multiple gas station chains in different parts of the nation where

* criminals do the ATM skimming trick to capture info on people who stick their credit cards into the gas pumps to buy gas.

* the convenience store failed to have wireless security, so that anyone with wireless on their PC could download all the info going through that convenience store network ... they don't have to be parked in plain sight in the parking lot to do this ... and generally when the news comes out that there has been such a breach, it is kept secret for a long time what kind of stupidity was going on at the store that led to being breached

On another computer security list, not long ago, I saw where some outfit had randomly visited millions of e-commerce web sites, determined what computer system they were using, and at what patch level. They found half a million without proper computer security, either at an old version, or many months behind on applying patches.

Some computer system implementations are more vulnerable to breach than others. There are places that list problems on different Operating Systems in need of some patch to fix some problem someone has uncovered. Some Operating Systems are conspicuous by their absence from these lists.
Through research places like Gartner you can get statistics on #s of sites out there with various OS, then compare problem lists to see if some OS have more than their fair share of security weaknesses.

As a journalist, you might do dumpster diving to check that places that sell gas in your neck of the woods do a proper job of shredding receipts associated with people who pay for gas with credit card inside the store.

It is not a data loss incident ... I assume you have seen that the price at the pumps changes daily ... some crooks have figured out how to make unauthorized changes to the pump prices, for the purpose of buying gas CHEAP

The credit card industry has a PCI standard associated with what the retailers are supposed to be storing after a sale is consummated. Periodically they release statistics on the numbers of clients who have flunked PCI audits. You might push them to tell you proportions by type of company ... restaurant, convenience store, hotel, etc.

Here's an experiment you can try ... buy something from a major chain ... Sears, Home Depot, Walmart, etc. paying by credit card. Then a few weeks later, try to return your purchase. If they know exactly who you are, from your receipt, and you do not have to show your credit card to get a credit, then they are in violation of the PCI standard. This means they have stored information beyond what they are supposed to.

Al Macintyre

>Hello DataLoss List Members,
>
>I am covering data loss due to credit card skimming and other exploits on
>credit cards at gas station pay at the pump terminals. I am particularly
>interested in incidents of skimming as well as incidents where criminals
>sit in gas station parking lots, hack into gas station networks via their
>wireless networks and then get credit card data housed on the local server.
>
>If you have any leads to the frequency of these types of incidents, that
>is also welcome.
>
>Best Regards,
>David Geer
>
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss

From lyger at attrition.org Tue Jan 29 12:49:22 2008
From: lyger at attrition.org (lyger)
Date: Tue, 29 Jan 2008 12:49:22 +0000 (UTC)
Subject: [Dataloss] DC: 38,000 Social Security Numbers Potentially Exposed After Theft
Message-ID:

http://thehoya.com/node/15151

A hard drive containing the Social Security numbers of nearly 40,000 Georgetown students, alumni, faculty and staff was reported stolen from the office of Student Affairs on Jan. 3, potentially exposing thousands of students to identity theft.

The external hard drive, located on the fifth floor of the Leavey Center, was used to back up a computer that contained billing information for various student services, including activities fees and student health insurance, according to David Lambert, vice president and chief information officer for University Information Services.

The university notified the Department of Public Safety, the Metropolitan Police Department and the U.S. Secret Service, which investigates possible misuse of private information, of the missing hard drive. The university has not learned of any reports of identity theft in the time since the hard drive's disappearance, Lambert said.

[...]
From lyger at attrition.org Wed Jan 30 00:12:58 2008
From: lyger at attrition.org (lyger)
Date: Wed, 30 Jan 2008 00:12:58 +0000 (UTC)
Subject: [Dataloss] WI: UW-Madison privacy leak was bigger than previously described
Message-ID:

http://www.wbay.com/Global/story.asp?S=7791239

An accidental leak of personal information on the Internet could have affected more than twice as many UW-Madison employees as previously reported.

University spokesman Brian Rust says the Social Security-based campus ID numbers of 529 employees might have been posted on a campus Web site over the course of a year. But he says the university decided to notify only the 205 employees whose information was most likely seen on the site.

[...]

From lyger at attrition.org Wed Jan 30 12:33:50 2008
From: lyger at attrition.org (lyger)
Date: Wed, 30 Jan 2008 12:33:50 +0000 (UTC)
Subject: [Dataloss] MT: Hacker steals Davidson Cos. clients' data
Message-ID:

http://www.greatfallstribune.com/apps/pbcs.dll/article?AID=/20080130/NEWS01/801300301

A computer hacker broke into a Davidson Companies database and obtained the names and Social Security numbers of virtually all of the Great Falls financial services company's clients.

The database included information such as account numbers and balances, said Jacquie Burchard, spokeswoman for Davidson Companies. However, the hacker didn't get access to the accounts.

[.]

The computer hacker accessed information on 226,000 current and former clients, Burchard said.

[...]
From lyger at attrition.org Wed Jan 30 12:51:47 2008
From: lyger at attrition.org (lyger)
Date: Wed, 30 Jan 2008 12:51:47 +0000 (UTC)
Subject: [Dataloss] NJ: Health insurer says stolen laptop had customers' data
Message-ID:

http://www.nj.com/news/index.ssf/2008/01/horizon_blue_cross_blue_shield.html

Horizon Blue Cross Blue Shield of New Jersey is notifying more than 300,000 of its members that their names, social security numbers and other personal information were contained on a laptop computer stolen in Newark earlier this month.

The health insurance giant, which serves more than 3.3 million people across the state, said there was no reason to believe any of the information was compromised because it was protected by password and other security features -- although the data was not encrypted.

[...]

From jericho at attrition.org Wed Jan 30 18:31:17 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 30 Jan 2008 18:31:17 +0000 (UTC)
Subject: [Dataloss] follow-up: Details of Scots on stolen laptop
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://news.bbc.co.uk/2/hi/uk_news/scotland/7214464.stm

BBC News
29 January 2008

A stolen Ministry of Defence computer had the personal details of almost 60,000 Scots stored on it.

The revelation came in a written parliamentary answer to SNP defence spokesman Angus Robertson MP.

The laptop, which was taken from a Royal Navy officer in Birmingham on 9 January, contained information about 600,000 people.

The MoD has set up a freephone help number on 0800 085 3600 for anyone who thinks they may have been affected.

The breakdown given to Mr Robertson disclosed that the details of 59,553 people in Scotland were lost as a result of the theft.

In Wales, the details of 37,546 people were lost, while in Northern Ireland 14,223 people were affected.

The details of 459,778 people from England and 34,667 people from elsewhere were also on the laptop.

[..]
From jericho at attrition.org Wed Jan 30 18:30:33 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 30 Jan 2008 18:30:33 +0000 (UTC)
Subject: [Dataloss] New data security breaches come in fours
Message-ID:

---------- Forwarded message ----------
From: InfoSec News

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9060018

By Jaikumar Vijayan
January 29, 2008
Computerworld

What do Fallon Community Health Plan, Pennsylvania State University, OmniAmerican Bank and T. Rowe Price Group Inc. all have in common? Each of them recently joined the seemingly never-ending parade of organizations that have disclosed security breaches resulting in the potential compromise of personal data.

Leading the pack in terms of the number of data records known to be involved was T. Rowe Price. Two weeks ago, the Baltimore-based investment management firm's retirement plan services group began notifying about 35,000 current and former participants in "several hundred" plans that their names and Social Security numbers might have been compromised, a company spokesman confirmed today.

[..]