Shostack + Friends Blog Archive


Breach Roundup: 6/17 – 6/24

This week’s roundup is large. Rather than push other newish posts off the bottom of most people’s screens, it has been deemed preferable to prepend this introductory paragraph, at the bottom of which readers may elect to see more.

Western Illinois University

Multiple servers breached. University loses SSNs and other data on 200,000 to 240,000 current and previous students, as well as credit-card information on those using the university bookstore or hotel. According to a response received from WIU’s official “Security Alert” email address:

A majority of students potentially affected are students who took courses from 1983 to the present. A smaller number of records from 1978 to 1982 (approximately 1,000 records) may have been at risk of exposure. Anyone who has performed an online purchase through the University bookstore or who has stayed in the University Union Hotel may also potentially be affected

Interestingly, the Division of Student Services, which seemingly runs on-line bookstore sales, says that they “Don’t retain credit card information after credit card sales have been processed.”
Official version of events is at

ING U.S. Financial Services

Social Security Numbers and other info on 13,000 Washington, D.C. residents obtained when a thief stole a laptop from the home of an ING U.S. employee. No password, no encryption. Theft occurred June 12.
Washington Post has more.


Laptop stolen May 29th contained name and SSN info on up to 2500 of their employees.
(AP, via Dataloss)

University of Alabama, Birmingham

The tide of theft continues. An office computer containing names, SSNs, and medical information for 9,800 kidney donors, recipients, and potential recipients was stolen in February, but “the affected people weren’t notified until earlier this month because it took months for school officials to reconstruct the missing database”.
(AP, via Dataloss)

Unnamed ATM transaction processor

Visa admits there’s a problem it has known about since February, but reveals no numbers or names. Thanks, guys. AP has the story.

US Navy

Names, SSNs of 28,000 Navy personnel and some family members show up on a web site. Navy discovers it, has info removed. Congress is asking for more information (such as the name of the site).
(AP, via MSN)

Catawba County, NC High Schoolers

SSNs and test scores for 619 students show up on web. School blames Google.
(, via Dataloss)

FTC loses laptops containing PII

In other news, Surgeon General caught smoking under bleachers.

In a statement, the FTC said two employee laptops were stolen from a locked vehicle. The PCs contained data on about 110 people that was “gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers.”

(Brian Krebs, via Dataloss)

San Francisco State University

3,000 former and current students’ SSNs, names, grades lost via a…laptop theft!
Although use of SSNs as student identifiers is now banned, apparently it’s just too much work to clean up the years of cruft that faculty have accumulated. An interesting research question: what is the half-life of information like this?
(, via Dataloss)

US Department of Agriculture

Names, photos, and SSNs of 26,000 workers revealed when a hacker was able to get into a USDA server.
(, via Dataloss)