Shostack + Friends Blog Archive

 

Yahoo! Yippee? What to Do?

[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.] Yesterday, Yahoo disclosed that attackers broke into Yahoo in 2013 and stole details on a billion accounts. Brian […]

 

The Breach Response Market Is Broken (and what could be done)

Much of what Andrew and I wrote about in the New School has come to pass. Disclosing breaches is no longer as scary, nor as shocking, as it was. But one thing we expected to happen was the emergence of a robust market of services for breach victims. That’s not happened, and I’ve been thinking […]

 

Threat Modeling Crypto Back Doors

Today, the Open Technology Institute released an open letter to the President of the United States from a broad set of organizations and experts, and I’m pleased to be a signer, and agree wholeheartedly with the text of the letter. (Some press coverage.) I did want to pile on with an excerpt from chapter 9 […]

 

The Onion and Breach Disclosure

There’s an important and interesting new breach disclosure that came out yesterdau. It demonstrates leadership by clearly explaining what happened and offering up lessons learned. In particular: It shows the actual phishing emails It talks about how the attackers persisted their takeover by sending a fake “reset your password” email (more on this below) It […]

 

MD5s, IPs and Ultra

So I was listening to the Shmoocon presentation on information sharing, and there was a great deal of discussion of how sharing too much information could reveal to an attacker that they’d been detected. I’ve discussed this problem a bit in “The High Price of the Silence of Cyberwar,” but wanted to talk more about […]

 

Indicators of Impact — Ground Truth for Breach Impact Estimation

One big problem with existing methods for estimating breach impact is the lack of credibility and reliability of the evidence behind the numbers. This is especially true if the breach is recent or if most of the information is not available publicly.  What if we had solid evidence to use in breach impact estimation?  This […]

 

New paper: "How Bad Is It? — A Branching Activity Model for Breach Impact Estimation"

Adam just posted a question about CEO “willingness to pay” (WTP) to avoid bad publicity regarding a breach event.  As it happens, we just submitted a paper to Workshop on the Economics of Information Security (WEIS) that proposes a breach impact estimation method that might apply to Adam’s question.  We use the WTP approach in a […]

 

Paying for Privacy: Enterprise Breach Edition

We all know how companies don’t want to be named after a breach. Here’s a random question: how much is that worth to a CEO? What would a given organization be willing to pay to keep its name out of the press? (A-priori, with at best a prediction of how the press will react.) Please […]

 

HHS & Breach Disclosure

There’s good analysis at “HHS breach investigations badly backlogged, leaving us in the dark” To say that I am frequently frustrated by HHS’s “breach tool” would be an understatement. Their reporting form and coding often makes it impossible to know – simply by looking at their entries – what type of breach occurred. Consider this […]

 

New York Times gets Pwned, Responds all New School

So there’s a New York Times front page story on how “Hackers in China Attacked The Times for Last 4 Months.” I just listened to the NPR story with Nicole Perlroth, who closed out saying: “Of course, no company wants to come forward and voluntarily say `hey we were hacked by China, here’s how it […]

 

"Cyber" Insurance and an Opportunity

There’s a fascinating article on PropertyCasualty360 “ As Cyber Coverage Soars, Opportunity Clicks” (thanks to Jake Kouns and Chris Walsh for the pointer). I don’t have a huge amount to add, but wanted to draw attention to some excerpts that drew my attention: Parisi observes that pricing has also become more consistent over the past […]

 

South Carolina

It’s easy to feel sympathy for the many folks impacted by the hacking of South Carolina’s Department of Revenue. With 3.6 million taxpayer social security numbers stolen, those people are the biggest victims, and I’ll come back to them. It’s also easy to feel sympathy for the folks in IT and IT management, all the […]

 

How to mess up your breach disclosure

Congratulations to Visa and Mastercard, the latest companies to not notify consumers in a prompt and clear manner, thus inspiring a shrug and a sigh from consumers. No, wait, there isn’t a clear statement, but there is rampant speculation and breathless commentary. It’s always nice to see clear reminders that the way to get people […]

 

Why Breach Disclosures are Expensive

Mr. Tripathi went to work assembling a crisis team of lawyers and customers and a chief security officer. They hired a private investigator to scour local pawnshops and Craigslist for the stolen laptop. The biggest headache, he says, was deciphering how much about the breach his nonprofit needed to disclose…Mr. Tripathi said he quickly discovered […]

 

Dear Verisign: Trust requires Transparency

On their blog, Verisign made the following statement, which I’ll quote in full: As disclosed in an SEC filing in October 2011, parts of Verisign’s non-production corporate network were penetrated. After a thorough analysis of the attacks, Verisign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the Domain […]

 

The Diginotar Tautology Club

I often say that breaches don’t drive companies out of business. Some people are asking me to eat crow because Vasco is closing its subsidiary Diginotar after the subsidiary was severely breached, failed to notify their reliant parties, mislead people when they did, and then allowed perhaps hundreds of thousands of people to fall victim […]

 

The Rules of Breach Disclosure

There’s an interesting article over at CIO Insight: The disclosure of an email-only data theft may have changed the rules of the game forever. A number of substantial companies may have inadvertently taken legislating out of the hands of the federal and state governments. New industry pressure will be applied going forward for the loss […]

 

Breach Harm: Should Arizona be required to notify?

Over at the Office of Inadequate Security, Pogo was writing about the Lulzsec hacking of Arizona State Police. Her article is “A breach that crosses the line?” I’ve been blogging for years about the dangers of breaches. I am concerned about dissidents who might be jailed or killed for their political views, abortion doctors whose […]

 

Representative Bono-Mack on the Sony Hack

There’s a very interesting discussion on C-SPAN about the consumer’s right to know about breaches and how the individual is best positioned to decide how to react. “Representative Bono Mack Gives Details on Proposed Data Theft Bill.” I’m glad to see how the debate is maturing, and how no one bothered with some of the […]

 

What does Coviello's RSA breach letter mean?

After spending a while crowing about the ChoicePoint breach, I decided that laughing about breaches doesn’t help us as much as analyzing them. In the wake of RSA’s recent breach, we should give them time to figure out what happened, and look forward to them fulfilling their commitment to share their experiences. Right now we […]

 

Another critique of Ponemon's method for estimating 'cost of data breach'

I have fundamental objections to Ponemon’s methods used to estimate ‘indirect costs’ due to lost customers (‘abnormal churn’) and the cost of replacing them (‘customer acquisition costs’). These include sloppy use of terminology, mixing accounting and economic costs, and omitting the most serious cost categories.

 

Visualization for Gunnar's "Heartland Revisited"

You may have heard me say in the past that one of the more interesting aspects of security breaches, for me at least, is the concept of reputation damage.  Maybe that’s because I heard so many sales tactics tied to defacement in the 90’s, maybe because it’s so hard to actually quantify brand equity and […]

 

Note on Design of Monitoring Systems

Dissent reports “State Department official admits looking at passport files for more than 500 celebrities.” A passport specialist curious about celebrities has admitted she looked into the confidential files of more than 500 famous Americans without authorization. This got me thinking: how does someone peep at 500 files before anyone notices? What’s wrong with the […]

 

Lessons from HHS Breach Data

PHIPrivacy asks “do the HHS breach reports offer any surprises?” It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s web site, it might be useful to look at some statistics for the first year’s […]

 

OSF looking for DataLossDB help

The folks running the Open Security Foundation’s DataLossDB are asking for some fully tax-deuctible help meeting expenses. I’ve blogged repeatedly about the value of this work, and hope that interested EC readers can assist in supporting it. With new FOIA-able sources of information becoming available, now seems to be a great time to help out.

 

Welcome to the club!

As EC readers may know, I’ve been sort of a collector of breach notices, and an enthusiastic supporter of the Open Security Foundation’s DataLossDB project. Recently, I had an opportunity to further support DataLossDB, by making an additional contribution to their Primary Sources archive – a resource I find particularly valuable. Unfortunately, that contribution was […]

 

Failure to Notify Leads to Liability in Germany

…a Bad Homburg business man won millions in damages in a suit against the [Liechtenstein] bank for failing to reveal that his information was stolen along with hundreds of other account holders and sold to German authorities for a criminal investigation. He argued that if the bank had informed those on the list that their […]

 

J.C. Penny knew best

JC Penney, Wet Seal: Gonzalez Mystery Merchants JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August […]

 

'Don't Ask, Don't Tell in Davos' — Act 3 in the Google-China affair

There is no better illustration of the institutional and social taboos surrounding data breach reporting and information security in general than the Google-Adobe-China affair. While the Big Thinkers at the World Economic Forum discussed every other idea under the sun, this one was taboo.

 

The Dog That Didn't Bark at Google

So it’s been all over everywhere that “uber-sophisticated” hackers walked all over Google’s internal network. Took their source, looked at email interception tools, etc. What’s most fascinating to me is that: Google’s customers don’t seem to be fleeing Google stock fell approximately 4% on the news they were hacked, while the market was down 2% […]

 

Biggest Breach Ever

Precision blogging gets the scoop: You’re probably talking about this terrible security disaster already: the largest database leak ever. Arweena, a spokes-elf for Santa Claus, admitted a few hours ago that the database posted at WikiLeaks yesterday is indeed the comprehensive 2009 list of which kids have been naughty, and which were nice. The source […]

 

We Take Your Privacy Seriously

So after BNY Melon dropped a tape with my social security number and those of millions of my closest neighbors, they bought me a one year subscription to Experian’s “Triple Alert” credit monitoring service. Today, I got email telling me that there was new information, and so I went to login. Boy, am I glad […]

 

Publius Outed

The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelen, so Whelen lashed out at Publius. Or so it seems from the nosebleed bleachers […]

 

Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column. Brenner watched the FUD as he spreads it. He moans histrionically, When security is your company’s business, […]

 

Abuse of the Canadian Do Not Call List

The Globe and Mail and the CBC each report that Canada’s Do Not Call list is being used by telemarketers both good and bad (where each term is relative). This is a bit sad for Canada. The US’s DNC list has been very successful, and one of the very few places where the US has […]

 

Breach Misdirection

While we were all paying attention to the Inauguration and having merry debates about how many Justices can deliver the Oath of Office on a pin, what may be the biggest breach ever tried to tiptoe past. Heartland Payment Systems may have lost 100 million credit card details, surpassing the 94 million that was lost […]

 

ITRC Year End Report for 2008

The Identity Theft Resource Center (ITRC) released their year-end breach report: Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446. Dissent of PogoWasRight has some analysis. I’ll take […]

 

Now will you believe MD5 is broken?

I’m just sitting here blinking, having a Brecht moment in which I am laughing at those who are crying and crying at those who are laughing. At the CCC congress, a number of people did something dramatic — they created a forged SSL certificate. It’s dramatic, but nothing special. We’ve known that MD5 is broken […]

 

New ID Theft Research And Blog For Debix

Adam and I have discussed Debix several times in the past, so it will come as no surprise, that I am again posting about them. Debix now has a blog, which will be covering issues around identity theft, breaches and privacy. Debix also released a new research study examining child identity theft. The most recent […]

 

The Skype Issue

According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on. A group of security people and human rights workers not only […]

 

This Week in Petard-Hoisting, the Palin Edition

If you are the sort of person who looks at odd legal rulings and opinions, you may remember that a few years ago the US DOJ issued an opinion that stored emails are not protected under the Stored Communications Act. The DOJ reasoning is that when you leave read email on your server, it’s not […]

 

That's an address I haven't used in a very long time.

Well, I got a letter from BNY Mellon, explaining that they lost my data. The most interesting thing about it, I think, is where it was sent, which is to my mom. (Hi Mom!) I had thought that I’d moved all of my financial statements to an address of my own more than a decade […]

 

Breach notice primary sources

Today on the Dataloss mailing list, a contributor asked whether states in addition to New Hampshire and Maryland make breach notification letters available on-line. I responded thusly (links added for this blog post): I know only of NH and MD. NY and NC have been asked to do it, but have no plans to. NJ […]

 

Maryland Breach Notices

Case Number Date Received Business Name No. of MD residents Total breach size Information breached How breach occurred 153504 06/09/08 Argosy University name, social security number, addresses Laptop computer stolen from employee of SunGard Higher Education Maryland Information Security Breach Notices are put online by the most-forward looking Douglas F. Gansler, attorney general. I’m glad […]

 

Paper Breach

The BBC reports in “Secret terror files left on train” that an … unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train. A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police. We […]

 

6/16ths of Chileans personal information leaked by hacker

A hacker in Chile calling himself the ‘Anonymous Coward’ published confidential data belonging to six million people on the internet. Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records. Chile has a population of about 16 million, so that’s 3/8ths of the country. […]

 

UK Information Commissioner's Office Can Now Fine Your Ass

From the article: The Criminal Justice and Immigration Act has received Royal Assent creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO). This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. It’s about time […]

 

41 and counting

Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma) See More Breach Notification Laws — 42 States and Counting at […]

 

Do you feel like we do?

As many EC readers realize, press reports about data breaches involving lost or stolen computers often contain statements something like “The actual risk is thought to be minimal, since a password is required to login to the missing computer”. Such statements are sufficiently numerous that the pre-eminent source of breach data, Attrition.org, have issued a […]

 

Avoid ID theft: Don’t run for President

The Washington Post reports: The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama’s passport file. Obama’s presidential campaign immediately called for a “complete investigation.” State Department spokesman Tom Casey said the employees had individually looked into Obama’s passport file on Jan. 9, […]

 

More Hardware Security Shown to be Bunk

After showing that “encrypted” disk drives only encrypted the password you use, not the data, Heise-Online now shows that fingerprint-access is often bunk: Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. It turns out that an easy-to-find tool allows nosy […]

 

Back in the ring to take another swing

Via Kable’s Government Computing, comes news that the British House of Lords “Science and Technology Committee has announced a follow-up inquiry to its ‘Personal Internet Security’ report”. Chair of the committee Lord Sutherland said: “The committee was disappointed with the government’s response to its report. We felt they had failed to address some of our […]

 

Here we go…

Experian sues Lifelock. I think I can hear the champagne corks popping at ID Analytics from here. They, arguably, provide a service which is similar enough (a detective control against new account fraud, rather than a preventative control), but theirs operates through a different mechanism. I’d like to see some numbers showing the efficacy of […]

 

Citibank limiting ATM withdrawals in NYC?

Title: Citibank limits ATM cash in city Author: KERRY BURKE and LARRY McSHANE Source: DAILY NEWS Date Published:January 3rd 2008 Excerpt: The New York-based Daily News reported today that Citibank has limited the cash amount its customers can take out of ATM machines. It is being reported that the security of Citibank’s ATM machines in […]

 

Anarchy in the UK

“Anger as NHS patient records lost” “Patient data loss affects 168,000” “Post Office sends wrong details” “Discs ‘worth £1.5bn’ to criminals” “£20,000 reward offered for discs“* “More firms ‘admit disc failings’” * Readers are invited to comment on the contrast. Thanks to Ant, Cat and Steven Murdoch for links. Image: Teton dam, Wikipedia.

 

Breach Disclosure of the Zeroeth Millennium

The BBC reports that the whereabouts of the legendary cave where Romulus and Remus, founders of Rome, were nursed by a she-wolf, Lupa, as foundlings. The eight-meter-high cave was found buried sixteen meters under a previously-unexplored area of Palatine hill in Rome. Although their home address has been made public, it is unclear if the […]

 

No word on the lupins

NSW Police are investigating the possible compromise of an online florist’s database and theft of customers’ credit card details. The Fraud Squad has set up Strike Force Parkview to investigate the case that involves the retailer Roses Only. There are unconfirmed reports that the details were used to make a string of luxury purchases in […]

 

Full Disclosure debate, 2.0

A poor choice of names (I guess “best UNIX editor” was their second choice), but Silicon.com is doing something that seems worthwhile by launching their Full Disclosure Campaign. Silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors. We are calling […]

 

Canon Says Over 50% of Cameras Repaired in First Three Years

In the Times Online article, “Digital DNA could finger Harry Potter leaker,” we learn that the person who leaked photos of the last Harry Potter novel has yielded up the serial number of their camera, which was in the metadata of the pictures they took. From this, we lean that it was a Canon, likely […]

 

Electronic data: you can sell it and have it

Mike Rothman has the unmitigated temerity to go on vacation and deprive me of his daily rant^H^H^H^Hincite, but not before remarking on the Certegy data loss incident: So Certegy (a big check processor) loses a couple million records with information like bank accounts and credit card numbers. And Certegy’s president gets interviewed and says because […]

 

TSA Can’t Keep a Secret

Alternate title: “If schadenfreude is wrong, I don’t want to be right.” Ryan Singel reports that the “TSA Lost Sensitive Data on 100,000 Employees.” This is the same agency which wants to collect all your personal data so they can deny you the right to get on a plane without any sort of legal proceedings. […]

 

Flash Data Breach

The Hartford Courant reports that a Lockheed employee dropped a USB flash drive at a gas station that contained Joint Strike Fighter information. A truck driver found it and “took it home for a 20-minute look-see, then turned it over to authorities.” I have three words of advice: full disk encryption. Photo courtesy of POONDOG.

 

Security Through Stupidity

In my last post on security, I promised a tale, and I ought to deliver on that before it becomes nothing more than a good intention. Some time ago, so long ago that it no longer matters, I bought a piece of network stereo equipment. It was one of these little boxes that lets you […]

 

UK Story On Breaches and Silence

IT Week in the UK writes, “Companies keep silent on data breaches.” There are a couple of interesting quotes: Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about […]

 

How to Allocate Resources

The other day, I wrote: I also don’t buy the bad management argument. Allocating resources to security is an art, not a science. I’ll offer up a simple experiment to illustrate that shortly. So here’s the experiment. It works better in person than in blog comments. Ask two experts to write down how they’d allocate […]

 

Mommas, Don’t Let Your Babies Grow Up to be County Clerks

At first blush, it seems that an emergency bill in Texas that exempts clerks from state and Federal law about data breaches is a bad thing. However, with closer reading, it looks more like a correction for that pesky old law of unintended consequences. On 23 Feb, the Texas Attorney General ruled that disclosing Social […]

 

Breach irony

According to Courtney Manzel, Counsel – Office of Privacy, Sprint Nextel Corporation, reporting a breach pursuant to NY’s notification law: A laptop computer was stolen from the human resources department of Velocita Wireless during a rash of office burglaries in the Woodbridqe, New Jersey area. The laptop computer was one of many items stolen. It […]

 

CIBC, 470,000 Canadians, lost tape

I’d attribute our knowledge that “CIBC loses info on 470,000 Canadians” (reported in the Globe and Mail) to the new transparency imperative, but as the CIPPIC survey makes clear, privacy regulators are finding notice requirements in extant laws. (More on that excellent survey soon.) Also note that the Globe and Mail seems to think that […]

 

Credit Card Data Over AOL IM

From the files of “too good to make up”, DavidJ.org reports a story from a couple of years ago about his credit card data being sent over AOL Instant Messenger. Essentially he bought some merchandise at a shot which didn’t have a point of sale terminal so the clerk was IMing all credit card data […]

 

Information Exposed For 800,000 At UCLA

Apparently it’s Identity Theft Tuesday here on Emergent Chaos. CNN reports that a “Hacker attack at UCLA affects 800,000 people”, which includes current and former faculty, students and staff. The initial break-in was apparently in October of 2005 and access continued to be available until November 21st of this year. I am stunned that it […]

 

SANS Top 20 has competition!

SANS has just released their annual Top 20. I won’t bother linking to it — Google knows where to find it, and if you’re reading this blog, you probably do too. Anyway, it seems like the SANS people have a bit of competition. Check out this list: Failing to assess adequately the vulnerability of its […]

 

International Breach Notices: The Future Is Unevenly Distributed

So said William Gibson, and it is as true in breach notices as it is anywhere else. While only 34 US states have laws requiring these notices, we see organizations around the world sending them. They resonate as the right thing. Acknowledging and apologizing for your mistakes is powerful. (Hey, someone should mention that to […]

 

The butler did it

There’s a feeling you get when you watch a formulaic movie. After seeing a half-hour’s worth, you just know how it will end. You can see the decision points characters reach, and you know they’ll make the bad choice. Indeed, the very predictability of such films is what allows hilarious parodies such as Airplane! or […]

 

Debian CVS server compromised

Here’s news of a breach that (I presume) involved no PII, but which could be significant. I wrote about a previous Debian breach back in December, 2003. I hadn’t realized it had been so long! Update: Local vuln used to elevate privs. Local access gained due to weak developer password. Details here.

 

Breach Roundup: 6/17 – 6/24

This week’s roundup is large. Rather than push other newish posts off the bottom of most people’s screens, it has been deemed preferable to prepend this introductory paragraph, at the bottom of which readers may elect to see more.

 

Breach Roundup

Expedia/Ernst & Young, 250,000 CC, Lost Laptop. Ed Hasbrouck has a great analysis of Expedia’s privacy policy at “Expedia auditors lose laptop with customer credit card numbers.” Japanese Telco KDDI, 4million names, address, phone numbers, mechanism unknown. “KDDI Suffers Massive Data Leak.” Why is a Japanese telco owning up? New expectations. AIG (American Insurance Group), […]

 

Breach Roundup: "We’re From The Government" Edition

State of Colorado, 150,000 voter records, “missing.” “Records for 150,000 Colo. voters missing,” via Dataloss. State of Oregon, 2,200 tax records, ex-employee getting trojan’d by a porn site. “State says taxpayer files may have been compromised.” AP via dataloss. Minnesota State Auditor, numbers about unknown number of state and local employee, stolen laptops. “3 laptops […]

 

80% of Active Duty Military, 2.2 million SSNs

Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel — including nearly 80 percent of the active-duty force — were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as […]

 

Breach Roundup

Where two organizations are implicated, the first is the one which collected the data, the second is Ernst and Young the one that lost it. Texas Guaranteed Student Loan/Hummingbird, 1.3m SSNs, “lost equipment.” “Toronto firm at centre of security breach” Hotels.com/Ernst and Young, 243,000 credit cards, lost laptop. “Hotels.com customer info may be at risk” […]

 
 

Personal Data on 26,500,000 Veterans Stolen (Including SSNs)

Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday. The material represents personal data of all living veterans who served and have been discharged since 1976, according to the department. The information […]

 

Breach round-up

Ohio University I: On Friday, April 21, the FBI advised the Technology Transfer Department at Ohio University’s Innovation Center that a server containing office files had been compromised. Data on the server included e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes. Ohio University II: 300,000 alums and friends. […]

 

Security Breach Roundup

State of Ohio, 7.7 million registered voter SSNs, dismal process. From “Ohio Recalls Voter Registration CDs” via Dataloss. Fifth Third Bank employee Marco Antonio Munoz, 74 pages of names of victims, dismal dependance on process, from “Internal theft of personal bank data rare,” in the Cadilac News. Someone’s PR department deserves a bonus for that […]

 

DoD Tricare Management Activity system, SSNs, credit card numbers, health info, 14K people

Via Army Times: The Pentagon said routine monitoring of the Tricare Management Activity’s public servers on April 5 resulted in the discovery of an intrusion and that the personal records had been compromised, leaving open the possibility of identity theft among the members affected. The information contained in the files varied and investigators do not […]

 

aetna insurance,38K customers, names+SSNs, health info, stolen laptop

Report via Reuters. Aetna declined to to say where this occurred or which law-enforcement agency they are working with, but it looks like the employer whose folks just got their PII exposed was the US Department of Defense. Stars and Stripes has the scuttlebutt from HQ: The laptop was stolen from an employee’s personal car […]

 

Purdue University, 1351 applicants+students, SSNs, "unauthorized electronic access"

“Unauthorized electronic access”. Not sure if that’s a poorly configured web server, or what. Press release today. Happened in February. Notices sent at some unspecified time. Indiana only requires state agencies to disclose breaches, the law isn’t in effect yet, and the legislative and judicial departments aren’t considered state agencies. Quoth “Mark Smith, head and […]

 

Breach Notices Round Up

Because of the volume, I’m going to consolidate these: US Marine Corp/Naval Postgraduate School, 207,750 SSNs, dismal process. From Stars and Stripes, “Thousands of Marines may be at risk for identity theft after loss of portable drive,” via Dataloss list. Marines affected should know there’s an “active duty military” alert you can add to their […]

 

196,000 HP Employee SSNs, Fidelity Laptop

A laptop lost by Fidelity this month has exposed 196,000 current and former HP employees, staff were told last night. “This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and […]

 

Stolen Ernst and Young laptop had 84,000 SSNs

Information courtesy of the Reporting Form E&Y filed pursuant to New York state law. The consulting firm has been criticized for the delay in reporting this breach, which occurred on January 4.

 

Ehime Prefectural Police (Japan), Data on unknown # Suspects, Virus

A massive amount of investigation data kept by Ehime Prefectural Police has been leaked onto the Internet, apparently after the computer that kept the data was infected with a virus through the file exchange software Winny, it has been learned. The amount of information leaked from the Ehime police computer is about four times that […]

 

Toyama Japan Hospital, 2,800 patients, file sharing

Information on about 2,800 patients who had surgery at a privately-run hospital in Toyama between 1997 and December 2004 was unintentionally uploaded to the Internet. According to the hospital, the man in charge of data on surgery transferred the information–consisting of patients’ names, sexes, birthdates and information on surgical procedures for which they were hospitalized–to […]

 

North Carolina Transportation Department, 16,000 credit card #s, outside intruder

The Associated Press is reporting that: An Internet server used by the state Transportation Department’s Ferry Division to process credit card payments for ferry fares may have been breached by outsiders, the agency said Friday. The computer database contained 16,000 credit card numbers, the DOT said. The Office of the State Controller has notified its […]

 

British Columbia, More than 65,000 SINs, Dismal Process

The provincial government has auctioned off computer tapes containing thousands of highly sensitive records, including information about people’s medical conditions, their social insurance numbers and their dates of birth. Sold for $300 along with various other pieces of equipment, the 41 high-capacity data tapes were auctioned in mid-2005 at a site in Surrey that routinely […]

 

Medco (prescription drug service)/ 4600 people, birth dates, SSNs, drug info/lost laptop

Executive summary: Prescription drug benefits provider Medco employee loses laptop with Ohio government employee (and dependents) info. Waits six weeks to let Ohio know. Ohio complains vociferously. Interestingly, the names of the affected individuals were not on the laptop. Money quote from a Medco spokesperson: You’re as efficient as the lessons learned in the last […]

 

"It fell off the truck. No, really."

Via news.com.au: BANK statements, including customers’ private details, were left on the side of a busy Sydney road after the documents fell off the back of a truck. The confidential account information and credit card statements of thousands of Commonwealth Bank customers were left lying on the Hume Highway at Warwick Farm, in Sydney’s south-west, […]

 

University of Northern Iowa, 6000 W-2 forms, virus-infected laptop

An IT person troubleshoots dodgy printing of US earnings documents by loading 6,000 of them onto a laptop. Hilarity ensues when the laptop later turns out to be infected with malware detected during “routine monitoring”. Via wcfCourier.com: The University of Northern Iowa has warned students and faculty to monitor their bank accounts after someone accessed […]

 

Old Dominion, 601 SSNs, Grad Student's Dismal Process

In 2004, a graduate student apparently posted a class roster of 601 students, complete with names an social security numbers on the web. (“ODU Graduate Student Posts Student Information on Website, School Investigating,” via Netsec.) Update: Lyger of Attrition pointed out that the dates in the WAVY-TV story don’t add up. There’s a story in […]

 

Blue Cross of Florida, 27,000 employee SSNs, Contractor

The names and Social Security numbers of about 27,000 Blue Cross and Blue Shield of Florida current and former employees, vendors and contractors were sent by a contractor to his home computer in violation of company policies, the company said Thursday. The contractor had access to a database of identification badge information and transferred it […]

 

Suffolk County, NY, 7,000+ SSNs, Dismal Process Failures

The Suffolk county [New York] clerk’s office has exposed the Social Security numbers of thousands of homeowners on its Web site, and officials said they don’t have a way to remove them. And soon, a new plan will make it easier to retrieve them. Mortgages and deeds that contain Social Security numbers for an estimated […]

 

Crispier Breach Disclosure (Cooks Illustrated, unknown # CCs)

A good breach disclosure fills you up with what happened, how, and what the company is doing for you. But too often, such notices are soggy and imprecise. Want more precision in the recipe? Beefier response? Cooks Illustrated set out to see what could be done, in “What Happened To Your Website.” Unfortunately, the disclosure […]

 

Naming names isn't always bad

In a comment to an earlier blog entry concerning a ‘he who must not be named’ policy for card processors and others who get breached , optionsScalper asks “given Adam’s recent series on “Disclosure” (at least five posts back to the BofA post on 1/21/2006), how do you (or Adam) assess the disclosure in this […]

 

Brigham and Women's Hospital, 60 Medical Records, Fax Errors

For the past six months, Brigham and Women’s Hospital in Boston has been accidentally faxing the confidential medical records of women who’d recently given birth to a Boston investment bank, regardless of the bank’s repeated attempts to stop them, the Boston Herald reports. (via CSO Online.) (and) The records, called inpatient admission sheets, contain a […]

 

City of Washington DC, 190,000 SSNs, Willful Ignorance of Federal Law

Although Washington, DC routinely capitalizes on the strictest interpretation of its own traffic laws, the federal city has found itself in violation of a federal law intended to protect drivers from identity theft. Since December it has been illegal to display Social Security numbers on driver’s licenses, yet the District Department of Motor Vehicles continues […]

 

Blue Cross of North Carolina, 629 SSNs, "Human Error"

A “human error” at Blue Cross and Blue Shield of North Carolina allowed the Social Security numbers of more than 600 members to be printed on the mailing labels of envelopes sent to them with information about a new insurance plan. (“Computerworld“)

 

Is That Legal?

In comments on Chris’s post “Nations Bank, 100,000 credit cards, breach at unnamed(!) processor,” OptionsScalper asks: It is amazing that the unnamed processor remains unnamed (or do I misunderstand?). I think the risk to customers at this bank has not been reduced, i.e. card replacement is ineffective. How does one even go about measuring whether […]

 

Nations Regions Bank, 100,000 credit cards, breach at unnamed(!) processor

From Indychannel.com: Regions Bank is canceling the credit cards of 100,000 of its customers in 15 states — including Indiana — saying a separate company put their credit information at risk. Regions said the security breach involves a company that processes credit and debit cards nationwide. The bank, which says it was not responsible for […]

 

Disclosure Laws, Redux

In responding to Lyal Collins’ comment on my “Disclosure Laws” post, I went and read the Rhode Island Identity Theft Protection act of 2005 (H6191). A couple of things occured to me. First, the National Conference of State Legislatures has a great list of Security Breach Legislation. Second, and perhaps more important, I don’t see […]

 

Disclosure Laws

In an article (“Credit card numbers reported stolen from R.I. state Web site“) about the Rhode Island breach, I found the following quotes: The breach on Dec. 28 was detected during a routine security audit and reported to the state government the following day, Loring said. At the time, the company believed only eight credit […]

 

The following is not to be construed as legal advice. Or anything else.

The acronym “IANAL” is no doubt familiar to anyone reading these words. Well, I Am Not A Lawyer, but Paul Rianda is, and he wrote an interesting article for Transaction World’s September 2005 issue, that I happened to run across. In it, Mr. Rianda, esq., discusses his view of why the breaches we are all […]

 

Dataloss Mail List

In what has become a near weekly occurance, large companies are collecting your personal information (sometimes without your knowledge or consent), and subsequently letting it fall into the hands of the bad guys. This is your personal information; name, address, social security number, credit card number, bank account numbers, and more. Data Loss is a […]

 

University of Colorado at Colorado Springs, 2500 employees, SSNs, "virus"

Looks like a worm hit a personnel department PC. From the Colorado Springs Gazette: Personal information on about 2,500 current and former employees at the University of Colorado at Colorado Springs has been compromised by someone who hacked into a computer and infected it with a virus. Names, Social Security numbers, birth dates and addresses […]

 
 
 

Langley, British Columbia, Canada, 1,000 medical records, courier firm

There are calls for tougher guidelines in the handling of private information after 1,000 medical files went missing when a courier car was stolen in Langley on Thursday. The courier company says the driver left the car running for less than a minute. When the car was stolen, so was a box of health records […]

 

State of Rhode Island, 4,118 or 53,000 CC, Hacker

Thousands of credit card numbers were stolen from a state government Web site that allows residents to register their cars and buy state permits, authorities said Friday. The private company that runs http://www.ri.gov said that 4,118 credit card numbers had probably been taken, a state official said. All online transactions were suspended Friday until any […]

 

Providence Home Services, 365,000 medical records, Car Thief

About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records…In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data […]

 

Providence Home Services, 365, 000 people, health records, theft from employee vehicle

From Computerworld (via Slashdot) we learn that a home health care business deliberately sent patient info home with an employee as part of their disaster recovery plan. I’m serious. Now, unless this guy lives under Cheyenne Mountain, I’m saying that’s a dumb plan. Anyhoo, some of the information was encrypted, but much of it was […]

 

UDel breach twofer

The University of Delaware “UDaily” reports on two breaches: [A] computer in the School of Urban Affairs and Public Policy was attacked sometime between Nov. 22-26 by an unknown hacker, and it contained a portion of a database that included Social Security numbers for 159 graduate students. […] A back-up hard drive was stolen from […]

 

Various Oregon credit unions, debit cards, organized fraud ring?

This one seems to have slipped below the radar. From the January 25 Corvallis, Oregon Gazette-Times: Fair Isaac Corp., a Minnesota-based data security provider, late last week alerted the OSU Federal Credit Union, Citizens Bank, Benton County Schools Credit Union and Central Willamette Community Credit Union that customer debit cards bearing the Visa imprint may […]

 

Notre Dame, SSNs+CC#s+Check Images,hacker

Not much detail on this one, but it looks like a box used for fundraising purposes got 0wned. The intrusion was detected by “security software” on January 13, but the intrusion itself is said to have occurred between November 22 and January 12. [I guess they run Tripwire monthly ;^)]. Information potentially obtained by the […]

 

University of Kansas, 9,200 SSNs, IT Department

[Update: Fixed headline, thanks to to anonymous.] Students who applied via the online application put out by the Department of Student Housing were alerted through either an e-mail or a letter that their private information might have been exposed. According to a University Relations news release, a computer file with names, addresses, birth dates, phone […]

 

Bank of America Customers Under Attack

The Seattle Post Intelligencer asa story, “B of A Customers Hit By Thefts,” about cash withdrawals being made overseas: According to customer service representatives at Bank of America, there have been numerous reports of checking account fraud in Seattle, but many more incidents being reported from other states. The increases in fraud reports are generally […]

 

UK various breaches

Deptarment of Work and Pensions, 8,800 identities Her Majesty’s Revenue and Customs (HMRC) was forced to close down the tax credits website at the start of December last year, after a spate of fraudulent claims came to light which exploited the stolen identities of Department for Work and Pensions staff. Network Rail, 4,000 identities Primarolo […]

 

Illinois Department of Human Services, client names and SSNs, misconfigured voicemail

“To leave a message, press ‘1234’ and listen to confidential client voicemail containing SSNs and other identifying information”. The compromised information dated back to mid-November 2005. Additional details at the Belleville News-Democrat, which notes that this is a repeat offender — the same office left unshredded confidential documents in a trash bin until the paper […]

 

People's Bank of Connecticut, 90,000 SSNs, UPS & TransUnion

A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the bank reported today. People’s Bank, based in Bridgeport, Connecticut, is sending letters to the affected customers, it said in a statement. The tape contains information such as names, addresses, Social Security numbers and checking account numbers. […]

 
 

Atlantis Resort (Bahamas) 50,000, Hacker

Customers of the Atlantis resort in the Bahamas have reason to worry this week, as over 50,000 identities have been taken from the hotel’s database. The information was revealed in a document submitted to the Bahamas Securities and Exchange Commission. The information includes typical information such as names, addresses and credit card details, but also […]

 

Winnebago County (IL), Several SSNs, Winnebago County Clerk

ROCKFORD, Ill. – The Winnebago County Clerk is apologizing for releasing a list of election officials that included Social Security numbers. County Clerk Dave Johnson said an employee forgot to blacken out the numbers before giving the list of Democratic election judges to county clerk candidate Jeff Polsean. The Illinois Freedom of Information Act exempts […]

 

H&R Block, Unknown # of SSNs, Mailing Labels

Stories like this one make me scratch my head and wonder, what is a breach? What should this category cover? Why do I blog these things? Why are we here? Why are you here? And what are those clowns doing over there? However, since we sent you this CD, we have become aware of a […]

 

University of San Diego, 7800 people, W-2 information, "hackers"

One that I missed. The executive summary is that somebody, somehow, got into the machine that prints W-2s for the university. The University sent out an undated disclosure letter which was very sparsely detailed — “one of the worst” seen by Beth Givens of privacyrights.org, who’s seen plenty of ’em. Story is at the San […]

 

Iowa State (again!), 3000 SSNs+2500 encrypted CC#s, "hacker"

The Des Moines Register reports on a December, 2005 breach at Iowa State: [3,000 ISU employees’] personal data might have been viewed by hackers who infiltrated two computers earlier this month. One held about 2,500 encrypted credit card numbers of athletic department donors. The second computer contained Social Security numbers for more than 3,000 ISU […]

 

Gartner to Visa, MasterCard: Play fair

Oft-quoted Gartner analyst Avivah Litan weighs in on the intriguingly gentle treatment of Sam’s Club by Visa and MasterCard: Recommendations […] * MasterCard and Visa: Show far greater transparency in enforcing PCI standards. There is still too much confusion about the standard and how to comply with it — confusion that is increased by seemingly […]

 

Mariott Vacation Club, 206,000 records, backup tape

Marriott International Inc.’s time-share division said yesterday that it is missing backup computer tapes containing credit card account information and the Social Security numbers of about 206,000 time-share owners and customers, as well as employees of the company. Officials at Marriott Vacation Club International said it is not clear whether the tapes, missing since mid-November, […]

 

BancorpSouth, 6500 debit cards, unknown

In a report remarkable for what it doesn’t say, WLBT TV of Jackson, MS reports: A possible security breach has one bank giving customers new debit cards. BancorpSouth is sending out new cards to about 6500 customers. The vice president of the banks security department says account numbers were either lost or they were somehow […]

 

US Department of Justice, several SSNs, Process Errors

The federal government is responsible for issuing Social Security numbers, but it may not be doing enough to protect these critically personal pieces of information on its own Web sites. Acting on a tip, InformationWeek was able to access Web pages that include the names and Social Security numbers of people involved in Justice Department-related […]

 

Ford, 70,000 Employee SSNs, Stolen Computer

Ford Motor Co. informed about 70,000 active and former white-collar employees that a computer with company data, including social security numbers, was stolen from a Ford facility. From the WSJ, “Ford Computer Holding Staff Data Is Reported Stolen.” “Where Identity Theft is Job #1!”

 

Update on ABN Amro (Lasalle Bank) tape

Lasalle Bank’s tape of mortgage-related information on 2 million customers has been found by DHL. (Thanks to Adam for the heads-up) No word on whether the tape was in a container which would show evidence of tampering, so this doesn’t foreclose (pardon the pun) the possibility of PII being stolen: […]the tape had been located […]

 

Guidance Software, 4,000 CC+CCV, Hacker

Or, “I Wonder How They Figured It Out.” Online attackers breached the security of a server at digital forensics firm Guidance Software and stole the account information of nearly 4,000 customers, the company acknowledged on Monday according to news reports. From Rob Lemos, “Customer Data Stolen From Guidance Software.”

 

Reeves Namepins, Unknown # Cop Credit Cards, Hacker

Reevesnamepins.com, a company that manufacturers the plastic and metal name tags that police officers around the country wear on their uniforms, had its customer database hacked recently, exposing credit card and other personal data for a number of police departments. So writes Brian Krebs in “Database Hack Exposes Police Financial Data.”

 

Meth Addicts and ID Theft

There’s a great article in USA Today, “Meth addicts’ other habit: Online theft.” Unlike many articles of this type, the reporting is measured and carefully reported, and full of details that make it believable: One dumpster behind a call center in suburban Mill Woods proved to be a jackpot. In a nondescript strip mall just […]

 

Lasalle Bank, 2 million mortgagees, SSNs, acct #s, "lost" tape

From Crain’s Chicago Business: LaSalle Bank Corp. says a computer tape bearing confidential information on about 2 million residential mortgage customers disappeared last month as it was being transported to a consumer credit company in Texas. The Chicago bank has alerted law enforcement authorities and is also monitoring transactions closely to detect any unusual or […]

 

No good deed goes unpunished

The folks at the Alabama Credit Union were informed that 500 of their customers were among those whose payment card information was stolen in the Sam’s Club breach. They took a conservative approach and reissued the cards for all 500 customers, and also informed them of the breach. As we’ve commented on previously, information concerning […]

 

White Wolf, Unknown number of Passwords, Hackers

The game company White Wolf is going offline because of internet attacks. This is a blending of several trends: Fuller disclosure of incidents, attackers who are only in it for the money, and the economic impact of attacks. Dear White Wolf Users, Like many other well-known companies of the last few years, White Wolf was […]

 

Firm breached in Scottrade incident to sell business unit

From the press release: SALT LAKE CITY, Dec. 13 /PRNewswire-FirstCall/ — silex technology america, Inc. and TROY Group, Inc. signed a definitive agreement effective today stating that silex technology america will acquire the Wireless & Connectivity Solution Business of TROY Group, Inc. […] “We are pleased to announce this transaction as we believe that the […]

 

"Aid to the Church in Need", 2000 donors to charity, "personal details"

Not sure if the personal details obtained by hackers include CC#s, but names and addresses are certainly involved in this breach at a UK charity. A couple of interesting twists to this one, as reported at Silicon.com. First, the thieves weren’t content with just stealing the info — they used it to extort victims directly: […]

 
 

Estimating breach size by fraud volume

Much is being made of a press release from ID Analytics. Based on results from that firm’s fraud detection products, a conservative estimate is that one of every 1000 pieces of PII lost in a data breach results in an actual fraud. An additional finding is that the likelihood of a fraud being committed using […]

 

Sam's Club, CC #'s and more?, they're not saying

American Banker(12/7/2005) reports [warning: paywall] on the tight-lipped reaction of Sam’s Club, MasterCard, and Visa to a recent data breach involving credit and debit card mag stripe data from Sam’s Club gas stations. The affected cards seem to have been primarily from two issuers, and hundreds of actual frauds have already occurred. Nobody is talking […]

 

Disclosure Rules are Changing (Salem, MA Schools, 'several dozen psych profiles')

A school psychologist’s records detailing students’ confidential information and personal struggles were accidentally posted to the school system’s Web site and were publicly available for at least four months. … The psychological profiles, some dating back more than a decade, contained children’s full names, birthdays and, in many instances, IQ scores and grades, the newspaper […]

 

Cornell, 900 SSNs, "breach"

Cornell employees this past summer discovered a security breach on a computer that contained personal information, such as names, addresses, social security numbers and bank names and account numbers. After conducting an analysis of the breach, Cornell Information Technology (CIT) did not find evidence that any information stored on the computer had been inappropriately accessed. […]

 

Costs of Breaches

The Ponemon Institute continues to analyze the cost of breaches. Their latest work is distributed by PGP, Inc. The work that they’re doing is quite challenging and useful, but is unlikely to be a complete accounting of the costs. For example, what’s the real cost of the brand damage done to Choicepoint? Along with several […]

 

More info, thoughts on Troy Group breach

In an interesting article, The St. Louis Post Dispatch reports new information about the recent breach of the “eCheck Secure” system run by Troy Group. According to the article, the number of potential Scottrade victims is 140,000. Troy Group published a news release revealing they got hacked, and notified their financial sector customers, including Scottrade, […]

 

UNC Addresses Risk Systemically, Rather than Piecemeal

Students are currently recognized by their Social Security Number in many University systems and applications. With the growing threat of identity theft, an alternative method has been desired for identifying students and faculty. The opportunity to execute this change has surfaced through the implementation of an updated University [of North Carolina] computer system. Kudos to […]

 

Scottrade, Millions of "E-secure" system users, SSNs, account numbers, etc, "hacker"

Info is spotty on this, but according to a WFMY TV News report, Millions of names, addresses, social security numbers, and bank account numbers could be in dangerous hands. Officials with Scottrade, an investment company with an office in Greensboro say a security breach compromised the information of some of its account holders. A letter […]

 

Boeing, 161,000 SSNs, Stolen laptop

A laptop computer containing names, social security numbers and other sensitive information of 161,000 current and former employees of Boeing Co. was stolen recently, the U.S. aerospace manufacturer said Friday. From “Boeing says laptop with employee info stolen.” A bit more in the Seattle Post-Intelligencer.

 

Indiana University, 5300 students, malware

According to an Associated Press article appearing in the Indianapolis Star, Personal information about nearly 5,300 Indiana University students might have been accessed by a computer hacker, school officials said. Technicians discovered during a routine scan that three malicious software programs had been installed on a Kelley School of Business instructor’s computer in mid-August, said […]

 
 

Epic Problems With Phone Privacy

In the cover story of next week’s Maclean’s magazine, Jonathon Gatehouse reports that he successfully obtained the phone records of Canadian Privacy Commissioner Jennifer Stoddart: …Her eyes widen as she recognizes what has just been dropped on the conference table in her downtown Ottawa office — detailed lists of the phone calls made from her […]

 

Transunion, 3,623 SSNs, Stolen Computer

Social Security numbers and other information about more than 3,000 consumers were stolen recently from TransUnion LLC, one of three U.S. companies that maintain credit histories on individuals, in the latest of many security breaches that have focused congressional attention on identity theft and fraud. The data were housed in a desktop computer that was […]

 

How Much Goodwill is 17,000 Letters Worth?

The Seattle Post Intelligencer reports that “ChoicePoint warns consumers about fraud:” ChoicePoint Inc., the company that disclosed earlier this year that thieves had accessed its massive database of consumer information, said Tuesday in a regulatory filing it has sent out another 17,000 notices to people telling them they may be victims of fraud. The story […]

 

University of Tennessee, 1,900 SSNs, Bad Policies

The University of Tennessee notified about 1,900 students and employees yesterday that their names and Social Security numbers inadvertently were posted on the Internet. … A University of Tennessee student made the discovery about two weeks ago when she searched the Internet for her name and found it listed with her Social Security number on […]

 

15% of Oregonians at Risk from DMV

Police have a warning for anyone who did business with the Oregon Department of Motor Vehicles in 1999 or 2000. They say as many as a half-million stolen DMV records were found on a laptop during a methamphetamine bust Wednesday night at a southeast Portland apartment complex. They allegedly discovered evidence of meth distribution and […]

 

Sessions Bill/Breach Monday

In ‘honor’ of the Sessions bill (see “The hand is quicker than the eye” and “Adding Silent Insult to Injury (Senator Sessions’ ‘privacy’ act)“), we offer up stories about three breaches. Under Sessions’ bad law, the state of Georgia would not be coming clean with its residents, nor would the California school system. I think […]

 

5.2% of Georgia residents to get Notice of Stolen Personal Data

State officials on Friday began notifying 465,000 Georgians that they might be at risk of identity theft because of a government security breach detected in April. Joyce Goldberg, spokeswoman for the Georgia Technology Authority, emphasized that officials had no evidence that any personal data had been used for fraudulent purposes. But she said officials are […]

 

California Schools, "tens of thousands" of Student Records, Default Passwords

The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system. … The problem occurs when […]

 

Montclair State University, 9,100 SSNs, Exposed Files

Due to what Montclair State University officials are calling an “inadvertent error,” the social security numbers of 9,100 Montclair State University students were made available online for nearly five months, putting each student at risk for identity theft and credit fraud. Etc, etc, files found by a student ego-surfing on Google. Read “Negligence At MSU […]

 

How To Notify Customers After a Breach

I referenced Larry Ponemon’s “After a privacy breach, how should you break the news?” months ago. Now there’s more data, in a survey sponsored by the law firm of White and Case. They have a press release, and you can download the full survey. As Chris pointed out, knowledge is good. According to the survey, […]

 

Bank of America, some credit card numbers, laptop

In a letters sent to Buxx [prepaid debit cards] users and dated Sept. 23, [Bank of America] warned that customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. Visa Buxx is a prepaid credit card for teenagers that the Bank of America (BofA) stopped […]

 

Mount Sinai Hospital, 10,000 Ground Zero worker SSNs, Disgruntled Ex-Employee

Letters have gone out to about 10,000 Ground Zero rescue and cleanup workers, notifying them that a computer containing Social Security numbers and health records was stolen, leaving them vulnerable to identity theft. The letters were sent by the World Trade Center Medical Monitoring Program, which is providing free health-care services to the workers. Workers […]

 

University of Georgia, 2400 SSNs, Hacker

ATHENS – A hacker broke into a computer database at the University of Georgia, gaining access to the Social Security numbers of employees in the College of Agricultural and Environmental Sciences and people who are paid from that department. More than 2,400 numbers, belonging to roughly 1,600 people, may have been exposed, UGA spokesman Tom […]

 

RBC Dain Rauscher, 300,000 SSNs, Disgruntled former employee

The FBI has opened an investigation into the possible theft of personal information about some clients of RBC Dain Rauscher Inc. The chief executive of the Minneapolis-based brokerage firm disclosed the problem in a letter sent to 300,000 households. Dain Rauscher has not yet detected any fraudulent activity in their accounts, according to the letter […]

 

CUNY, Hundreds of SSNs, Exposed Files

The CUNY foul-up that put students’ personal information a Google search away from identity thieves was more widespread than first reported, with school officials saying yesterday that the Social Security numbers of hundreds of employees also got on the Web. City University of New York officials detected the unprotected payroll link for Hunter College Campus […]

 

More On Cardsystems Lawsuit

Joris Evers continues to report well on the Cardsystems lawsuit, this time in “Judge looks for links in credit card case:” Kramer said he wants to be clear on which defendants fall under California civil code section 1798.82, the notification statute. While it is clear that the breach was at CardSystems, the law applies to […]

 

North Fork Bank, 9000 mortgageholders (Not SSNs), stolen laptop

Data relating to about 9,000 mortgages that were originated by Countrywide Home Loans but sold to North Fork were in the laptop, according to a letter received by a customer on Thursday. The laptop was one of several stolen over the July 24 weekend, the letter said without identifying the office. The data included the […]

 

Cardsystems Breach and Notice

On Friday, San Francisco judge Richard Kramer ruled against the idea that Cardsystems (or Visa or Mastercard) had to provide 1386 notice to people. Some articles are “Visa, MasterCard Win Battle Over Breach” and “Credit card companies can keep data ID theft secret.” But the article worth reading is CNet’s “Judge holds off disclosure in […]

 

Palo Alto Children's Health Council, 6,700 SSNs, Thief

A backup tape containing the names, Social Security numbers and detailed health information of as many as 6,000 current and former clients of the Children’s Health Council was stolen from the nonprofit agency’s offices, officials confirmed Sunday. From SignonSandiego, “Thousands of health records stolen from Palo Alto agency.” via Cotse Privacy Watch. The Children’s Health […]

 

Miami University of Ohio, 21,762 SSNs, Staff

Miami University is notifying all students who attended Miami during the fall 2002 semester that a report containing their names, Social Security numbers and grades had been inadvertently placed in a file accessible through the Internet. University officials said that at this point they have no evidence of illegal use of the information, which included […]

 

Soldier Readiness Processing Center, "1000s" of SSNs, Thieves

COLORADO SPRINGS – Fort Carson has cautioned thousands of its soldiers to watch their credit records carefully following the theft of computerized personnel records from the post. Thieves broke into the Soldier Readiness Processing center over the weekend of Aug. 20-21 and stole four computer hard drives containing thousands of personnel records, Fort Carson spokeswoman […]

 

Asif Siddiqui Update

In May, I blogged “Georgia DMV, employee Asif Siddiqui, “hundreds of thousands.”” An anonymous tipster sent me a link to “Unemployment Appeal Decision:” The following is the decision of Appeals Tribunal of Georgia Department of Labor ruling that Asif Siddiqui is entitled to unemployment benefits as employer Georgia Technology Authority failed to prove their allegations. […]

 

ChartOne, 3,851 SSNs+Medical Records, System Administrator

On Aug. 1, UF was notified that a computer was stolen from ChartOne, a Boston-based firm that the Health Science Center contracts with to help manage medical records. In the laptop’s database were the names, Social Security numbers, dates of birth and medical record numbers for more than 3,000 patients spread over a wide area. […]

 

US Air Force, 33,000 SSNs, Hacker

In : Half of USAF’s officers’ PII stolen, Chris points to stories about “AFPC notifies Airmen of criminal activity exposing personal info,” and “Air Force investigates data breach.” AMS, an online program used for assignment preferences and career management, contains career information on officers and enlisted members as well as some personal information like birth […]

 

Sonoma State, 61,709 SSNs, Hacker

Hackers have broken into Sonoma State University’s computer system, where they had access to the names and Social Security numbers of 61,709 people who either attended, applied, graduated or worked at the school from 1995 to 2002, university officials disclosed Monday. So says SF Chronicle. Sonoma State has a page.

 

University of North Texas, 34,000 SSNs, Bad Design + Google

The UNT server storing the electronic university housing records of about 34,000 current, former and prospective students was accessed by a computer hacker. In addition, an Internet-based form available to students to make inquiries to the UNT financial aid office mistakenly created a file containing personal information of the current and former students who used […]

 

Cal Poly, 31,077 SSNs, Hacker

Notices went out on Thursday to 31,077 people informing them that their records might have been stolen after Cal Poly Pomona discovered two computer servers were compromised in late June. “We got hit by a hacker,’ said Debra Brum, interim vice president of instructional and information technology. Personal data, including names and Social Security numbers […]

 

CalTech, One Planet, Hacker

In the spirit of my personal information breach posts, I present to you the South African Sunday Independent’s story, “Hacker ‘outs’ news of the 10th planet of our solar system:” Brown has submitted a name for the new planet to the International Astronomical Union, which has yet to act on the proposal, but he did […]

 

Iowa State, 2037 SSNs and 2,379 CC, "Hacker"

The Iowa State University is sending out a warning to alumni Wednesday after a hacker had access to the alumnae association Web site. A computer at Iowa State University’s Alumni Association was hacked into, allowing outside access to thousands of Social Security numbers and pages of credit card information. … By tapping into the computer, […]

 

Cardsystems Death Penalty?

“CardSystems has not corrected, and cannot at this point correct, the failure to provide proper data security for those accounts,” said Tim Murphy, Visa’s senior vice president for operations in a memorandum sent to several banks. “Visa USA has decided that CardSystems should not continue to participate as an agent in the Visa system.” So […]

 

Acxiom, 8.2 gb of love, Bad Password

In “Acxiom’s High Tech Hacker,” Ryan Singel describes how Scott Levine downloaded 8.2 gb of data that customers had uploaded to an Acxiom FTP server. The server was misconfigured, and anyone could login and see other people’s data. “According to law enforcement, the individual arrested was a known sophisticated hacker. He evidentially gained access through […]

 

Blue Cross of Arizona, 57,000 SSNs + Medical Data, Arizona Biodyne

The Arizona Republic brings us the news that “Medical firm’s files with personal data stolen:” The personal information of 57,000 Blue Cross Blue Shield of Arizona customers was stolen from a Phoenix-based managed care company. Arizona Biodyne, an affiliate of Magellan Health Services that manages behavioral health for Blue Cross of Arizona, began last Friday […]

 

Alberta Health and Wellness, 670,000 Health Care Numbers, Tape

Frank Work, Alberta’s Information and Privacy Commissioner, released a report on his investigation into missing Health and Wellness computer data storage tape. Work stated the incident is a low risk for potential fraud. As soon as the incident was reported, Alberta Health and Wellness changed practices and eliminated the related tape transfer business process. … […]

 

MSU, 27,000 SSNs, "intrusion"

More than 27,000 students were informed by e-mail on Tuesday that their Social Security numbers could have been compromised by an attack on the College of Education’s server. The server housed information that included student names, addresses, student courses and personal identification numbers. After the intrusion was discovered at the beginning of April, the server […]

 

Citi National Bank, Thousands of Millionaires, Iron Mountain

In the San Francisco Chronicle, David Lazurus reports “Personal data lost — again:” Today I bring news of yet another security breach involving potentially thousands of people’s personal info, and this is the first anyone’s hearing of it. The latest company to drop the data ball is City National Bank, based in Los Angeles and […]

 

USC Admissions, 320,000 SSNs, SQL Injection

A programming error in the University of Southern California’s online system for accepting applications from prospective students left the personal information of as many as 320,000 users publicly accessible, school officials confirmed on Tuesday. “Sap,” discoverer of the vulnerability in USC’s Web application The flaw could have allowed an attacker to send commands to the […]

 

Chase Manhattan and Textual Interpretation

Ray Everett Church picks up on a story, “Shouldn’t The CardSystems Victims Be Notified?” from Ed Foster, showing that Chase Manhattan bank has failed to read the text of California’s SB 1386. Ed writes: “Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or […]

 

Cardsystems Auditor

I can’t find the blog that discussed the irony of a Visa spokesperson claiming that PCI worked because of the auditor’s need to put their reputation on the line, but then refused to name the auditor. According to the New York Times, in “Weakness in the Data Chain,” it was Cable and Wireless: In December […]

 

The FTC and BJs Wholesale

The FTC has recently issued a consent order to BJ’s Wholesale club in response to this complaint. The FTC, unfortunately, is the body charged with protecting consumers from ID theft. They are failing to rise to the challenge. This is obvious from the continued growth of ID theft. It is obvious from FTC Chair Deborah […]

 

U Connecticut, 72,000 SSNs, Hacker

A computer containing personal information such as Social Security number and name was breached by an unauthorized intruder. Although there is no evidence indicating that this personal data was accessed or extracted, the University of Connecticut is contacting everyone whose identity may have been put at risk. … The breach occurred on October 26, 2003. […]

 

FinCen (IRS), Potentially tens of thousands, Complacent Bureaucrats

The U.S. tax agency — whose databases include suspicious activity reports from banks about possible terrorist or criminal transactions — launched the probe after the Government Accountability Office said in April that the IRS “routinely permitted excessive access” to the computer files. The GAO team was able to tap into the data without authorization, and […]

 

Suntrust, 75? SSNs, Employee Jonathan Bryan Adair

This post updated to replace the Suntrust logo with “You can’t shut me up by Jennifer Moo, after a bunch of bozos called “Internet Identity” sent vaguely scary letters that chilled my web hosting company. The Atlanta Journal Constitution reports that “Ex-SunTrust employee charged in check scam.” (Use Bugmenot for a login.): The U.S. attorney’s […]

 

Equifax Canada, 600 credit histories, hacker

CBC is reporting “Hacker accesses files at Equifax:” A computer hacker has accessed the files of about 600 consumers at Equifax Canada, one of Canada’s major credit bureaus. Most of the files are for consumers from British Columbia. Better Business Bureau spokesperson Sheila Chernesky said personal financial information is being gathered all the time, and […]

 

Florida Hospitals, "40 pages" of medical histories, mis-dialed fax

ALTAMONTE SPRINGS, Fla. — The private medical information for hundreds of people ended up at a Seminole County airplane parts business. The information was about patients at Florida Hospital East and Florida Hospital Altamonte. It included hundreds of names, birth dates, social security numbers and medical diagnosis information. … The 40-page fax included appointment information […]

 

Ed Moyle on "MasterCard Lays Down the Law"

In a bold move, MasterCard lays down the law on CardSystems. And by “lay down the law”, I mean they upped the ante from recommending they comply with security procedures to “putting them on notice” to comply. Um…. Is it me, or does that sound like the same thing to you? If the only ramifications […]

 

Stupid Privacy Invasion Fatigue

This morning, Liz sent me a pointer to “Pentagon Creating Student Database” in the Washington Post. I said “Not blogging it. I have stupid privacy invasion fatigue.” Apparently, I’m not alone. In “ID theft concerns grow, tools lacking,” Bob Sullivan of MSNBC reports: Among the report’s most interesting findings: only 14 percent of consumers who […]

 

Kaiser Permanente, 150 patients, $200,000 fine

Computerworld reports that “Kaiser Permanente division fined $200k for patient data breach:” The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan, a division of Kaiser Permanente, $200,000 for exposing the confidential health information of about 150 people. The DMHC said the information had been available on a publicly accessible Web […]

 

"Dear Mastercard,"

Effective May 1, 2005, any compromise of my data will result in a $50 liability for you, the card issuer, owed to me, the card holder. Cashing the payment check I sent you last month (which you did) shall constitute your acceptance of this agreement. Subsequent security breaches will compound the fee. I will spell […]

 

CardSystems and Choicepoint

Choicepoint, please call your trademark attorneys. You’re in danger of becoming a generic term for “massive security breach,” and a band-aid isn’t going to fix that. That was the lead (and about all I’d written) of a long post on Choicepoint and some bank breach. I think it was the New Jersey case. The point […]

 

CardSystems Cards Being Exploited

The Denver Channel reports that “Stolen Credit Card Data Now Being Sold On Internet:” CardSystems Solutions Inc. is admitting it made a huge mistake after some 40 million credit card accounts ended up in the wrong hands. Some of those account numbers are already being sold on a Russian Web site, and some consumers are […]

 

FDIC, 6,000 employee SSNs, "security failure"

Thousands of current and former employees at the Federal Deposit Insurance Corp. are being warned that their sensitive personal information was breached, leading to an unspecified number of fraud cases. In letters dated last Friday, the agency told roughly 6,000 people to be “vigilant over the next 12 to 24 months” in monitoring their financial […]

 

CardSystem Solutions, 40,000,000 CC, hacker

The New York Times (and probably everyone else) is reporting that “MasterCard Says 40 Million Files Are Put at Risk.” MasterCard said its investigation found that CardSystems, in violation of MasterCard’s rules, was storing cardholders’ account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the […]

 

Minnesota, 2,000 medical records, hacker

The Duluth News Tribue is carrying a story, “State’s Web systems bogged down:” [Monicq] Feider, [manager of the Health Professionals Services Program] disclosed the problem in a March 31 letter sent to nearly 2,000 health professionals. “The case management system database includes private and public information about you,” she wrote. “The security company believes that […]

 

Motorola, 34,000 Employee SSNs, Outsourcer ACS

In an article titled “Stolen PCs contain Motorola HR data“, Reuters is reporting that: In the latest example of hardware theft putting data security at risk, two computers containing personal information on Motorola employees were stolen from the mobile phone maker’s human resources services provider, Affiliated Computer Services (ACS). The data on the stolen computers […]

 

Citibank, 3,900,000 SSNs, unencrypted tape

[Update: Bruce Schneier has an important update in “E-Hijacking.” Thanks to Chris for pointing this out.] CNN is reporting that Info on 3.9M Citigroup customers lost. Citigroup said Monday that personal information on 3.9 million consumer lending customers of its CitiFinancial subsidiary was lost by UPS while in transit to a credit bureau — the […]

 

Polk Community College, 3 SSNs, Professor Bradley Neil Slosberg

Professor Bradley Neil Slosberg asked students in his anatomy and physiology class to sign in with their name and social security numbers. They did. CNN quotes student Amanda Bracewell: “We all signed it. We figured, ‘He’s a teacher, what is he going to do with it?’” TBO.com news has the only non-AP story, at Professor […]

 

Duke, 9,000 partial SSNs, Hacker. (With Commentary.)

In Hacker hits Duke system, the (Charlotte? Raleigh [thanks, Neil!]) News and Observer reports on a breach at Duke University School of Medicine. The school’s “Security Incident at Duke” page states: On Thursday, May 26, 2005 a security breach allowed an unauthorized user to gain access to data stored on several web sites at Duke […]

 

Breach Laws

The Washington Post reports: States Keep Watchful Eye on Personal-Data Firms: Critics of the multi-state approach say that due to the potential monetary, logistical and public-relations headaches that could come from establishing different requirements and penalties in each state, companies will soon be forced to set their overall policies to satisfy the state with the […]

 

University of Cincinnati, 7,000 SSN, Hacker

Cincinnati’s Channel Cincinnati reports that “Hacker Steals Personal Data From UC System:” UC Vice President of Information Technology, Fred Siff, said the hacker knew how to avoid intruder alerts on the system. “This was obviously a serious breach,” Siff said. “This is a very sophisticated hack. I hope that goes without question. It wasn’t just […]

 

Omega World Travel, 80,000 CCs, Laptop

The Washington Post reports, “FBI Probes Theft of Justice Dept. Data” The FBI is investigating the theft of a laptop computer containing travel account information for as many as 80,000 Justice Department employees, but it is unclear how much personal data are at risk of falling into the wrong hands. Authorities think the computer was […]

 

Purdue University, 11,360 SSNs, hacker

Purdue University is alerting current and former employees that their Social Security numbers and other information may have been illegally accessed from at least one of four campus computer workstations. “Our investigation of a recent information technology security breach shows that the records of 11,360 current and former employees may have been accessed electronically,” said […]

 

University of Chicago, 24,000+ SSNs, Unsecured File server

The action is motivated by the discovery by a campus web developer that files containing social security numbers were located on a portion of a public server that could be accessed by web developers not associated with the site. He had pointed this out last November, at which time all of the several dozen files […]

 

Valdosta State University (Georgia) , 40,000 SSNs, hacker

The Associated Press reports “Identity theft risk widens at Valdosta State:” VALDOSTA — A computer identity breach at Valdosta State University has widened, with authorities now saying up to 40,000 people could have had their Social Security numbers accessed by a computer hacker last week. The breach was larger than originally thought, said school spokesman […]

 

676,000 Victims

I first covered the improper disclosures by Wachovia, Bank of America, Commerce Bancorp, and PNC Bank NA employees last week. It’s now up to 676,000 accounts, all New Jersey residents. The Census Bureau estimates that in 2003, New Jersey had 8,638,396 residents. Thus, around 8% of the people of New Jersey are affected by Orazio […]

 

Stanford, 9,900 SSNs, Insecure Career Center computer

The San Jose Mercury News reports that “Computer system hacked at Stanford:” The FBI and Stanford University are investigating how someone hacked into a computer system containing information about people looking for work through the university’s Career Development Center. University spokesman Jack Hubbard said there was no evidence that any data had actually been acquired […]

 

Breaches List at Privacy Rights Clearing House

The Privacy Rights Clearinghouse have been tracking breaches too. They’ve tallied 5,476,150 people affected, and have a better list than I do. I’ll continue to cover as I see things, since their list isn’t complete either.

 

Jackson (Mich) Community College, 8,000 SSNs, Bad Policy

The Detroit Free Press reports that “Hacker may have stolen Social Security numbers from Jackson Community College:” A hacker who broke into the computer system at Jackson Community College may have accessed as many as 8,000 Social Security numbers, the college said Monday. The hacker broke into the system Wednesday. College officials are still investigating […]

 

MCI, 16,500 employees, ironically anonymous employee

Reuters is reporting “MCI: employee data was on stolen laptop:” A laptop computer containing the names and Social Security numbers of about 16,500 current and former employees of MCI Inc. was stolen last month, the Wall Street Journal reported on Monday. The computer was stolen from a car that was parked in the garage at […]

 

Arrests in T-Mobile, Lexis-Nexis

The Washington Post reports on Computers Seized in Data-Theft Probe: According to the teenage source, a police officer in Florida was among those who opened the infected e-mail message. Not long after his computer was infected with the keystroke-capturing virus, the officer logged on to his police department’s account at Accurint, a LexisNexis service provided […]

 
 

San Jose Medical Group, 185,000, Joseph Nathaniel Harris (update)

Joseph Nathaniel Harris has been arrested and charged with the April break-in to the San Jose Medical Group, and stealing two computers with 185,000 medical records on them. The San Francisco Chronicle reports: “During Harris’ employment at San Jose Medical Group, there were several incidents of reported theft of money and medications,” according to an […]

 

Merlin Information Systems, 9,000, Lying customers

If these data brokers had any ability to deliver on their marketing, these things would never happen. Some assistant DA somewhere is going to close a data broker on false advertising, and make a name for themselves. The Daily Interlake reports “Thief nets personal information from Kalispell company:” About 9,000 people have been notified that […]

 

Hinsdale Central High School (Chicago), unknown #, 2 students

ABC7Chicago reports “Two students investigated for identity theft at high schoo” May 12, 2005 — Criminal charges might be filed against two students for stealing personal information at a west suburban high school. The students at Hinsdale Central are accused of hacking into the school’s computer system and obtaining Social Security numbers for students and […]

 

Michigan State Wharton Center, 40,000 CCs, Hacker

The Detroit Free Press reports “Michigan State’s Wharton Center says computer security breached:” EAST LANSING, Mich. (AP) — Michigan State University has warned more than 40,000 Wharton Center patrons that a hacker broke into a computer server involved in credit card processing for the performing arts venue. But so far, there has been no indication […]

 

Georgia DMV, employee Asif Siddiqui, "hundreds of thousands"

The Atlanta Journal Constitution reports Georgia driver’s license data put at risk (Use Bugmenot if you need a login.): Georgia Technology Authority said Friday that Asif Siddiqui, a 43-year-old Pakistani who worked for GTA, could have downloaded information on “hundreds of thousands” of drivers before he was arrested and fired late last month. … The […]

 

Texas DMV, hundreds, mailing errors

An agency that warns Texans not to share personal information with strangers because of the risks of identity theft mistakenly mailed hundreds of driver’s licenses to the wrong people. The Texas Department of Public Safety (DPS) blamed the mixup on a malfunctioning machine that was recently installed to sort licenses for mailing. Statewide, at least […]

 

SafeNet, hundreds, paper in a briefcase

An employee hoping to get extra work done over the weekend printed out 2004 payroll information for hundreds of Safenet’s U.S. employees, snapped it into a briefcase and placed the briefcase in a car. The car was broken into over the weekend and the briefcase stolen – along with the employees’ names, bank account numbers […]

 

Time Warner, 600,000 employees, Iron Mountain Backup Tape

Time Warner Inc. on Monday said data on 600,000 current and former employees stored on computer back-up tapes was lost by an outside storage company, which the U.S. Secret Service is now investigating. Time Warner’s data storage company, Boston-based Iron Mountain Inc., lost the tapes during transport, Time Warner said. reports the New York Times. […]

 

Blockbuster, 65, Employee Miles N. Holloman

A former employee of a Blockbuster video store in Washington, D.C., has been indicted on charges of stealing customers’ identities, then using them to buy more than $117,000 in trips, electronics and other goods. Miles N. Holloman is charged with stealing credit card numbers, Social Security numbers and other private financial information from the application […]

 

CMU, 5,000+, Hacker

A hacker who tapped into business school computers at Carnegie Mellon University may have compromised sensitive personal data belonging to 5,000 to 6,000 graduate students, staff, alumni and others, officials said yesterday. … There is no evidence that any data, including Social Security and credit card numbers, have been misused, officials said. But they have […]

 

Ameritrade, 200,000 SSNs, Backup Tape

Some days I feel like I’m playing Clue…It was Mr. Mustard, in the study with the lead pipe. Ameritrade Inc. has advised 200,000 current and former customers that a computer backup tape containing their personal information has been lost, MSNBC.com has learned. The tape contained information spanning the years 2000-2003, and included both current and […]

 

DSW, IRS Security Failures

What is it with order of magnitude errors in victim counts? DSW Shoe reports 1.4 million credit cards exposed. In other news, the General Accounting Office reports [The IRS] has corrected or mitigated 32 of the 53 weaknesses that GAO reported as unresolved at the time of our prior review in 2002. However, in addition […]

 

Polo Ralph Lauren Breach: The Rules Have Changed.

The security failure at Polo Ralph Lauren is going to be a big story. Not Choicepoint big, but big. According to ComputerWorld, in “Scope of credit card security breach expands: [An emailed] statement also noted that Polo Ralph Lauren has been working with law enforcement officials and credit card companies since fall 2004 to determine […]

 

Breaches: Tufts, GM/HSBC/Ralph Lauren

Infoworld reports 106,000 Tufts Alumni getting letters, and Cnet reports that “A bank tells 180,000 people who used their GM MasterCards at Polo Ralph Lauren that their data may have been stolen.” (That sounds like a strange set of circumstances. Who sorts their data by credit card issuer?)

 

59 breaches at Lexis-Nexis

[T]he company said just 2% of those informed by the company in March of the security breach had accepted its offer of free credit monitoring and none had reported identity theft. All the others will also be offered the services it said. (From CNN, or see the statement here.) So, let’s review. A slew of […]

 

Small Bits: Digitizing Art, Making Sense, Wages of Sin, Pookmail

Capturing the Unicorn is an article at the New Yorker about the hubris of technologists trying to capture art. (The technologists win, but the archivist in me asks: CDs?) 13 things that do not make sense is a New Scientist article about, well, 13 things that don’t make sense. Some foolish people might look at […]

 

More on Nevada DMV

In working on the Choicepoint roundup for tomorrow, I found Axinar pointing to this story about the Las Vegas DMV heist. Apparently, all that encryption? Err. Never mind. But Lewis said Friday that Digimarc Corp., the Beaverton, Ore.,-based company that provides digital driver’s licenses in Nevada, told her Thursday the information was not encrypted, and […]

 

1,700 Drivers Licenses stolen

The theft occurred early Monday in a remote industrial area, authorities said. The thieves took blank licenses and laminated covers, a digital license camera, a camera computer and a license printer. … “It’s been pondered that this has national security interests,” [police spokesman Tim] Bedwell said. “But it’s easier to pass a fake ID to […]