home, this is a desktop PC gone missing from the Reston, Virginia offices of a Veteran's Administration subcontractor, Unisys Corp., which had been hired to assist the VA in insurance collections. Also in recent weeks the VA has acknowledged losing sensitive data for more than 16,000 veterans in at least two other cases in Minneapolis and Indianapolis.

Ted Davies, a managing partner at Unisys, said a company employee who regularly used the desktop computer reported it missing July 31. Company officials then scoured the building three times and sought to determine what data were lost before reporting it to the VA.

The computer was located in a building with security guards and on a floor where security cards are required for access, and there were no signs of a break-in, he said. The office PC was in a cubicle and was password protected, but the data was not encrypted.

The data on up to 38,000 US veterans may include:
* name, address, date of birth, social security #s.
* patients' insurance carriers and billing information, dates of military service and claims information that may include some medical information.

The VA believes the records are on:
* about 5,000 patients treated at the VA medical center in Philadelphia;
* about 11,000 seen at a VA facility in Pittsburgh during the past four years;
* as well as about 2,000 deceased veterans.

The VA is also investigating whether the computer contained information on about another 20,000 people who were treated at the Pittsburgh medical center.

The VA's Inspector General, the U.S. Federal Bureau of Investigation,
Department of Homeland Security's Computer Emergency Response Team, and local law enforcement agencies are conducting a thorough investigation. 
Members of Congress also were notified.

Unisys said it will be working with VA regarding the notification of potentially affected veterans and the offering of credit monitoring

[..]
http://www.post-gazette.com/pg/06220/711914-85.stm

http://philadelphia.bizjournals.com/philadelphia/stories/2006/08/07/daily10.html?jst=b_ln_hl

http://www.gcn.com/online/vol1_no1/41582-1.html

http://news.com.com/Another+PC+with+veterans+data+missing/2100-7348_3-6103026.html

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/errata/dataloss/


 
[Dataloss] AOL Takes Down Site With Users' Search Data

From: blitz (blitzstrikenet.kicks-ass.net)
Date: Tue Aug 08 2006 - 01:51:07 CDT


http://www.washingtonpost.com/wp-dyn/content/article/2006/08/07/AR2006080701150_pf.html

AOL Takes Down Site With Users' Search Data
Personal Details Posted in 'Screw-Up'

By Ellen Nakashima
Washington Post Staff Writer
Tuesday, August 8, 2006; D01

AOL issued an apology yesterday for posting on a public Web site 20
million keyword searches conducted by hundreds of thousands of its
subscribers from March to May. But the company's admission that it
made a mistake did little to quell a barrage of criticism from
bloggers and privacy advocates who questioned the company's security
practices and said the data breach raised the risk of identity theft.

"This was a screw-up and we're angry and upset about it," the company
said in a statement. "Although there was no personally-identifiable
data linked to these accounts, we're absolutely not defending this.
It was a mistake, and we apologize."

The posted data were similar to what the U.S. Justice Department had
been seeking when it subpoenaed Internet companies, including AOL,
last year. AOL complied and handed over search terms that were not
linked to individuals.
Google Inc. fought the subpoena in court and won.

The AOL data was posted at the end of last month on a special AOL Web
site designed by the company so researchers could learn more about
how people look for information on the Internet. The company removed
the data over the weekend when bloggers discovered it.

The Washington Post did not review the full 439-megabyte data set but
contacted bloggers who had looked at it.

For the posted data, each person using AOL's search engine was
assigned a unique number to maintain anonymity, the company said. But
some privacy experts said scrutinizing a user's searches could reveal
information to help deduce the person's identity.

Michael Arrington, editor of the blog TechCrunch, said some of the
data contained credit card numbers, Social Security numbers,
addresses and names.

"People put anything they can think of into the search boxes," he said.

Based on his analysis so far, out of 20 million queries, the number
that contained sensitive personal financial information such as
credit card and Social Security numbers is probably "in the hundreds," he said.

"Most people aren't stupid enough to type their Social Security
numbers in a search engine, but it's definitely enough to make AOL
look stupid," he said.

Some bloggers said some of the information available included queries
on how to kill one's spouse and child pornography.

Experts said people search for all sorts of personal data --
including their own names -- with the assumption that it will remain private.

"I search on myself," said David H. Holtzman, president of GlobalPOV,
a blog and consulting firm on privacy and security and author of the
forthcoming book "Privacy Lost." "Now you think you have a disease or
you have some emotional issue -- I'm a single parent and I'm always
looking for things. All of a sudden there's a correlation between my
name and something very private that I don't expect to have dumped
all over the Internet."

Kevin Bankston, an attorney with the San Francisco-based Electronic
Frontier Foundation, said AOL's apology was appreciated but the
damage had already been done.

"The horse is out of the barn," he said. "The data's out there and
been copied. This incident highlights the dangers of these companies
storing so much intimate data about their users."

The mishap was rooted in an effort by AOL to design a Web site aimed
at helping researchers do their jobs more effectively by including
AOL open-source data tools, company spokesman Andrew Weinstein said.

A technician posted the data to the site without running them past an
in-house privacy department, not realizing the implications,
Weinstein said. An internal investigation is underway to determine
what happened and how to prevent future occurrences, he said.

However, Weinstein also noted that identifying an individual by
search terms alone is difficult because someone could have typed in a
friend's name or address instead of his own. The AOL search network
had 42.7 million unique visitors in May, so the total data set
covered 1.5 percent of search users that month. The 20 million search
records represent about one-third of 1 percent of the total searches
conducted on the AOL network in that period, the company said.

The data were gleaned from searches conducted by people with AOL user
accounts in the United States.



 
[Dataloss] Virginia Advises Insurance Agents of Security Breach

From: lyger (lygerattrition.org)
Date: Tue Aug 08 2006 - 17:13:04 CDT


http://www.insurancejournal.com/news/east/2006/08/08/71296.htm

August 8, 2006

Virginia's Bureau of Insurance is advising all insurance agents in the
state that their social security number may have been accessible on the
bureau's website for a six-week period of time.

The social security numbers were not shown on any web page, but officials
fear a savvy computer user could have found them using the source code
tool of a web browser.

Although officials said the likelihood of finding an SSN was remote,
access would have been possible from June 13 through July 31, 2006. The
bureau said it immediately corrected the programming error the same day it
was discovered.

The inadvertent access to an agent's SSN was caused during an upgrade to
the bureau's web-site feature that allows the public to look up agency and
agent information. This on-line feature is specifically designed to allow
consumers to check whether an agency or individual is licensed in
Virginia. It also shows the insurance companies to which an agent has been
appointed to offer and sell their products.

[...]



 
Re: [Dataloss] Details on AOL search log disclosure

From: security curmudgeon (jerichoattrition.org)
Date: Tue Aug 08 2006 - 17:54:01 CDT


: Now that we all have the list -- how ethical are we being by using it,
: for whatever purposes?
:
: Which ethical guidelines apply in this circumstance.
:
: (would type more but sliced hand opened a harddrive last night)

Hopefully more will pipe up on this issue, especially any lawyers
lurking around.

There are a couple issues that I see here. First, having the list in
general can be debated. If I have such a list, is it unethical? It depends
on how I obtained it really. If I hack a server or trick a person into
giving it to me, no. If I get it from a popular torrent site and thousands
of people are reading through it as I download it, I'd say no. Just
possessing it in that circumstance isn't necessarily unethical but again,
what am I doing with it? Another key point to think about when debating
the "possession of such a list" angle, is if the victim knows about the
disclosure. In the case of the AOL list, they know it was leaked out so I
don't see myself (or anyone on this list) having an obligation to report
it to them. If I was under the impression that AOL wasn't aware, it would
be an ethical duty to report it to them or law enforcement.

Moving on from that issue, once we have the list and resolve any ethical
dilemma in possession... what are we doing with it? Anyone doing analysis
on the content of the list attempting to determine the extent of
disclosure, I don't see a problem with that. Obviously if you are browsing
it looking for sensitive information to use in a crime or questionable
activity, sure it crosses the boundary of ethical use.
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 296 incidents over 6 years.


 
[Dataloss] Univ of Wyoming investigates possible alumni breach

From: Chris Walsh (cwalshcwalsh.org)
Date: Tue Aug 08 2006 - 22:23:43 CDT


News Release
UW Investigates Possible Data Security Breach
        

Aug. 8, 2006 -- The University of Wyoming is investigating a possible
security breach of the university's Advance Alumni Database. The
possible compromise of information in this database was identified
and reported to university officials by persons with authorized access.

UW President Tom Buchanan has directed UW Vice President for
Information Technology Robert Aylward to retain an independent firm
to evaluate whether a compromise of alumni information occurred and,
if it did, the cause and extent of the situation. Questions should be
directed to Aylward at (307) 766-4860.

Posted on Tuesday, August 08, 2006

http://www.uwyo.edu/news/showrelease.asp?id=9565



 
Re: [Dataloss] Teens arrested in VA laptop theft

From: henry ojo (henryojoyahoo.com)
Date: Wed Aug 09 2006 - 07:41:39 CDT


henry ojo <henryojoyahoo.com> wrote: It's beginning to look like trying to kill a fly on a glass door with a shotgun, with the news of teenagers being responsible for the theft. The downside being the thieves don't even know how 'valuable' the data they have stolen is, till the fire brigade storms in with sirens blaring and lights flashing because a cat got stuck up a tree.

Henry Ojo BSc CISA HISP BS7799 Auditor
www.efortresses.ie
Cell: 00353 874182266
Office:+(0) 7958430094
Fax :+(0) 7092 0950843



 
[Dataloss] Bank of America/VISA breach?

From: lyger (lygerattrition.org)
Date: Wed Aug 09 2006 - 09:13:48 CDT


A question posed by a member of another mailing list, forwarded with
permission. All responses will be forwarded to the author:

____________________________________

Date: Tue, 8 Aug 2006 18:08:02 -0400

A friend of mine just had his Bank of America Visa debit card cancelled
because BOA said that VISA just informed them that there was a "massive
compromise" of Visa debit cards. Anyone know what's up?

Date: Tue, 8 Aug 2006 20:15:56 -0400 (EDT)

My friend got a call from BOA saying that there has been a "massive"
compromise of Visa debit cards and his card might be affected. As a
precaution, BOA is cancelling his old card and mailing him a new one. But
there is an interesting twist. BOA wouldn't be cancelling the card for
another hour to give my friend time to make one last withdrawal. He rushed
over to his local ATM, but he tried to take out too much money when he
went over his daily limit. When he tried a second withdrawal at a lower
amount, the ATM said his card was cancelled.



 
Re: [Dataloss] Bank of America/VISA breach?

From: Richard Forno (rfornoinfowarrior.org)
Date: Wed Aug 09 2006 - 09:16:49 CDT


That's interesting -- I had someone email me yesterday asking if I knew
anything about Chase servers being compromised.....which I said I didn't.

Just passing along the RUMINT in case there's any corroboration here.

-rf

On 8/9/06 10:13 AM, "lyger" <lygerattrition.org> wrote:

>
> A question posed by a member of another mailing list, forwarded with
> permission. All responses will be forwarded to the author:
>
> ____________________________________
>
>
> Date: Tue, 8 Aug 2006 18:08:02 -0400
>
> A friend of mine just had his Bank of America Visa debit card cancelled
> because BOA said that VISA just informed them that there was a "massive
> compromise" of Visa debit cards. Anyone know what's up?
>
> Date: Tue, 8 Aug 2006 20:15:56 -0400 (EDT)
>
> My friend got a call from BOA saying that there has been a "massive"
> compromise of Visa debit cards and his card might be affected. As a
> precaution, BOA is cancelling his old card and mailing him a new one. But
> there is an interesting twist. BOA wouldn't be cancelling the card for
> another hour to give my friend time to make one last withdrawal. He rushed
> over to his local ATM, but he tried to take out too much money when he
> went over his daily limit. When he tried a second withdrawal at a lower
> amount, the ATM said his card was cancelled.
>
>
>
> _______________________________________________
> Dataloss Mailing List (datalossattrition.org)
> http://attrition.org/dataloss
> Tracking more than 142 million compromised records in 296 incidents over 6
> years.
>



 
[Dataloss] Linens & Things Stolen Receipts in Sterling Virginia

From: Al Mac (macwheel99sigecom.net)
Date: Wed Aug 09 2006 - 11:26:02 CDT


Sheriff's spokesman Kraig Troxell says a folder holding about 90 receipts
was taken from the store sometime around 8 p.m. The receipts show both the
full account number and the name of the credit or debit card holder.

Authorities say the information on the receipts could be used to create a
fake card or to make fraudulent online purchases. Shoppers are urged to
contact their bank or credit card company.

This affects shoppers on Saturday, Aug 5.
http://www.wjla.com/news/stories/0806/351119.html



 
[Dataloss] Credit Card slips Oasis clothing store in Britain

From: Al Mac (macwheel99sigecom.net)
Date: Wed Aug 09 2006 - 11:46:25 CDT


A bundle of store receipts was found in the street.
Each contained full card account #, expiration date, customer signature.

Speculation abounds about how many slips were there before the remainder were found
by a concerned citizen, and how they came to be lying in the street in the
first place.
http://www.thisisdorset.net/display.var.841695.0.credit_card_fraud_fear_as_slips_found_in_road.php



 
[Dataloss] Transportation Department Laptop Stolen

From: Richard Forno (rfornoinfowarrior.org)
Date: Wed Aug 09 2006 - 15:04:01 CDT


Transportation Department Laptop Stolen
Missing Computer Could Compromise Data of Florida Residents
http://www.washingtonpost.com/wp-dyn/content/article/2006/08/09/AR2006080901177_pf.html

By Christopher Lee and Del Quentin Wilber
Washington Post Staff Writers
Wednesday, August 9, 2006; 3:42 PM

A laptop computer belonging to the federal Department of Transportation
inspector general's office was stolen last month, putting the sensitive
personal information of nearly 133,000 Florida residents at risk, Acting
Inspector General Todd J. Zinser said today.

The laptop, assigned to a special agent in the Miami office, was stolen from
a government vehicle on July 27 in Doral, Fla., Zinser told Florida Gov. Jeb
Bush (R) today in a letter obtained by The Washington Post.

The computer contains the names, Social Security numbers, birthdates and
addresses of 42,792 Florida residents who hold a pilot's license; 80,667
people in the Miami-Dade County area who hold commercial driver's licenses;
9,496 people who took personal driver's license tests or obtained their
license from an examining facility near Tampa, the letter said.

"While we do not have reason to believe that the perpetrators targeted the
laptop based on any knowledge of its data contents, we are nonetheless
taking all possible steps to inform Florida residents," Zinser wrote. "We
will be working with members of Congress, federal agencies, state and local
agencies, the news media, and trucking and aviation organizations to further
ensure that the individuals are aware of the situation and of the steps they
may take to protect themselves from misuse of their personal information."

Zinser wrote that a team of special agents has been dispatched to the Miami
area to work with Miami-Dade police in investigating what happened to the
laptop. A reward will be offered for its return, he wrote.

"We regret this matter and take our responsibilities seriously," Zinser
wrote. "We have taken action and will continue to take steps necessary to
prevent this from happening again."

The theft is just the latest in a string of embarrassing data breaches
reported by a wide variety of federal agencies.

The highest profile incident of its kind was a May 3 burglary at the home of
a Department of Veterans Affairs data analyst. Thieves made off with a
laptop and external hard drive containing the names, birthdates, and Social
Security numbers of as many as 26.5 million veterans and active duty service
members, raising fears of mass identity theft. The computer equipment was
later recovered and two men were arrested and charged with the burglary last
week.

Authorities do not believe the sensitive data had been accessed. The
department took a public relations hit for its handling of the incident,
including a nearly three week delay in disclosing the theft to Congress and
the public.

The bad news has kept coming at the Department of Veterans Affairs. The
department announced yesterday that a desktop computer containing sensitive
personal information for as many as 38,000 patients at VA hospitals in
Pennsylvania had gone missing from a VA contractor's Reston office.

Some of the data breaches are new, and some are merely newly disclosed as
the high-profile VA case pressured agency officials to come clean about
security lapses. In recent weeks, data breaches involving hundreds to
thousands of people have been disclosed at the Department of Agriculture,
the Department of Energy, the Department of the Navy, the Social Security
Administration and the Internal Revenue Service.

An Office of Management and Budget official testified in early June that
federal agencies experience dozens of smaller-scale information security
breaches every year, often involving government issued laptops that are lost
or stolen while on business travel or when taken home.

Chris Dancy, a spokesman for the Aircraft Owners and Pilots Association,
said that the Florida theft concerned his group, which represents more than
400,000 pilots.

"Exactly in the same way that the loss of the VA computer caused concerns
for members of the military and veterans, we are very concerned anytime
there is the possibility of identity theft involving our members or airmen
in general," he said.

Zinser wrote that he learned of the laptop theft on July 31, but was unaware
that the computer contained sensitive personal information on Florida
residents until Saturday, when the IG's office began investigating exactly
what was in the laptop and dispatched its agents to Florida.

He did not notify Florida lawmakers or the governor until today, after the
Washington Post called the IG's office to inquire about a tip about the
theft.

In 2005, the Department of Transportation earned a C-minus on the annual
federal computer security report card compiled by the House Government
Reform Committee. The government-wide average for 2005 was a D-plus, but
there were wide variations -- the Social Security Administration got an
A-plus, while the departments of Defense and Homeland Security earned F's.

The report card measures compliance with the 2002 Federal Information
Security Management Act, which requires agencies to test their systems,
develop cyber-security plans and report on their progress.
© 2006 The Washington Post Company



 
[Dataloss] Skimming Insider Crime on Smart Cards

From: Al Mac (macwheel99sigecom.net)
Date: Wed Aug 09 2006 - 21:28:52 CDT