Shostack + Friends Blog Archive


Security Breach Roundup

  • State of Ohio, 7.7 million registered voter SSNs, dismal process. From “Ohio Recalls Voter Registration CDs” via Dataloss.
  • Fifth Third Bank employee Marco Antonio Munoz, 74 pages of names of victims, dismal dependence on process, from “Internal theft of personal bank data rare,” in the Cadillac News. Someone’s PR department deserves a bonus for that headline. Via Canadian Privacy Law Blog.
  • University of Alaska Fairbanks, 38,941 SSNs, Hacker. From “Officials urge people to be on alert for fraud,” Fairbanks Daily News-Miner.
  • Hong Kong Police, 20,000 complainants, “private company.” From “Hong Kong: Former police complainants exposed on the Internet” (RISKS Digest summary of a Radio Australia story.)
  • Iron Mountain (again), 17,000 Long Island Railroad Employee SSNs, lost records. From “Personal Data of NY Transit Employees Lost,” via Dataloss. Interesting view into what happens when companies are given the choice of interpretation:

    [NY Police spokeswoman] Farello said the driver contacted authorities after noticing outside the Bronx VA hospital that the containers were missing.

    The company is treating that as “we misplaced them” rather than as theft. The New York Police are unspun, and are treating it as theft. It’s good that the law doesn’t give the company discretion to be gullible on your behalf.

  • Lastly, not quite a breach, but apparently soccer fans are complaining (with good reason) about the amount of data being gathered on them by the Germans. Here I thought the Germans had good data protection laws. Maybe someone will investigate why all this data was collected? See “FIFA Criticizes Data Gathering At World Cup” at CSOOnline.