* An e-mail went out Aug 14 to about 80 students, telling them who their advisor will be for the new semester. That communication also contained social security numbers.

Earlier, you may recall,
* UK had to notify about 6500 students that their personal information may have been on a computer drive that was stolen from a classroom in April 2006.
* In June 2006, some faculty members were told their ID numbers were briefly on the web

[...]

http://www.wkyt.com/Global/story.asp?S=5285189

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 301 incidents over 6 years.


 
[Dataloss] Oh *that* UK

From: Chris Walsh (cwalshcwalsh.org)
Date: Tue Aug 15 2006 - 23:14:21 CDT


Via http://www.first.org/newsroom/globalsecurity/43840.html

UK accidently releases Social Security numbers

The Social Security numbers of about 700 University of Kentucky
students may have been accidentally released publicly in two
incidents recently, school officials said Tuesday.

In a statement from the school, officials said about 630 students'
names and Social Security numbers were posted on UK's financial aid
Web site between Friday and Monday.

The mistake was discovered Monday afternoon, and the information was
removed, officials said. They said they have received no reports of
anyone affected by the release.

Courier-Journal, August 16, 2006 02:43 GMT+01
http://www.courier-journal.com/apps/pbcs.dll/article?AID=/20060815/NEWS01/60815036/1008

[This isn't a first for UK -- http://www.kentucky.com/mld/heraldleader/14717374.htm]



 
[Dataloss] GRR. Sorry about the dupe, folks.

From: Chris Walsh (cwalshcwalsh.org)
Date: Tue Aug 15 2006 - 23:18:26 CDT


I thought I checked -- Al's message was off the screen.

cw



 
[Dataloss] hard drive destruction

From: George Toft (georgemyitaz.com)
Date: Wed Aug 16 2006 - 08:32:13 CDT


Just wondering what the group feels is an adequate level of destruction
for a hard drive that contains personal financial information . . .

A. Using software to wipe the drive to DOD 5200.28 spec.

B. Cutting the platters in half (great big saw that essentially chops
the drive into two pieces).

C. Drilling out the center of the platter with a 2" drill bit.

D. Hard drive degausser.

E. Other - please specify.

--
George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.


 
Re: [Dataloss] hard drive destruction

From: *Hobbit* (hobbitavian.org)
Date: Wed Aug 16 2006 - 08:46:19 CDT


For the 99% case, "dd if=/dev/zero of=/dev/hda" from a linux distrib
booted to a shell will probably suffice. Or maybe from /dev/random,
which would take much longer. I wouldn't think scammers in Nigeria
or wherever are the ones going after old drives with magnetic-force
microscopy or in-depth head-signal analysis...

Clearly, the answer is to fill the drive up with pr0n and then
send it off!

_H*


 
Re: [Dataloss] hard drive destruction

From: Pawel Krawczyk (kravietzpost.pl)
Date: Wed Aug 16 2006 - 09:49:03 CDT


George Toft wrote:
> Just wondering what the group feels is an adequate level of destruction
> for a hard drive that contains personal financial information . . .
[...]

> E. Other - please specify.
>
My company has just started working with a chemical factory to dissolve
hard drives in acid, so at the end of the day you can get a bottle of
yellow fluid that WAS your hard drive. Now they're working to make the
procedure to conform with Polish regulations about processing classified
data.

Pawel Krawczyk
Bolanda Networks, Poland



 
Re: [Dataloss] hard drive destruction

From: Joe Francis (joelayeredsecurity.net)
Date: Wed Aug 16 2006 - 10:05:49 CDT


I agree. To worry about microscopy on the drive, it means that the
FBI/CIA/NSA or another TLA is after you ... in which case they'll probably
just kick in your door if they know where you live (which they must if
they are stealing your trash).

I personally "dd if=/dev/zero of=/dev/hda && dd if=/dev/urandom
of=/dev/hda" and then run a drill bit through the drive (not right down
the middle of the spindle, but somewhere to the side but still hit the
platters). I think I drill moreso because it's fun than any other reason,
though :)

Really paranoid places have grinders that can reduce any media (drives,
removable devices, CDs, etc) to a powder.



 
Re: [Dataloss] hard drive destruction

From: Angelo Manoloules (angelocombatingidtheft.com)
Date: Wed Aug 16 2006 - 09:52:47 CDT


Thermite Grenade--just melt it down--that's the only guarantee that no one
else can do anything with it.
Angelo
"Retired Special Forces"
www.CombatingIDTheft.biz



 
Re: [Dataloss] hard drive destruction

From: DAIL, ANDY (ADAILsunocoinc.com)
Date: Wed Aug 16 2006 - 09:58:15 CDT


If you plan to dispose of the drive, a 10 lb sledge hammer works just
fine, and is much less of a hazard than having employees play with power
tools.

If you want the recycle the drive, the DoD Standards (below) of a 3-time
over-write will usually suffice.

National Industrial Security Program Operating Manual Description:
Section 5. Software and Data Files (8-5-1)

Subsection 8-5-3:
1. Overwriting Media. Overwriting is a software procedure that replaces
the data previously stored on magnetic storage media with a predefined
set of meaningless data. Overwriting is an acceptable method for
clearing. Only approved overwriting software that is compatible with the
specific hardware intended for overwriting will be used. Use of such
software will be coordinated in advance with the Customer. The success
of the overwrite procedure will be verified through random sampling of
the overwritten media. The effectiveness of the overwrite procedure may
be reduced by several factors: ineffectiveness of the overwrite
procedures, equipment failure (e.g., misalignment of read/write heads),
or inability to overwrite bad sectors or tracks or information in
inter-record gaps. To clear magnetic disks, overwrite all locations
three (3) times (first time with a character, second time with its
complement, and the third time with a random character). Items which
have been cleared must remain at the previous level of classification
and remain in a secure, controlled environment.

3. Sanitizing Media. Sanitization removes information from media such
that data recovery using any known technique or analysis is prevented.
Sanitizing is a two-step process that includes removing data from the
media in accordance with Table 3 and removing all classified labels,
markings, and activity logs.

National Institute of Standards and Technology Description:

CSL BULLETIN
Advising users on computer systems technology

DISPOSITION OF SENSITIVE AUTOMATED INFORMATION
Sanitization means the removal of data from storage media so that, for
all practical purposes, the data cannot be retrieved. Some instances in
which sanitization must be considered include whenever media is
transferred from one organization to another, when equipment is declared
surplus, and when organizations dispose of media.

Sanitization: Why Be Concerned?
In the past, reports have surfaced that federal agencies have disposed
of surplus information technology (IT) equipment without taking
appropriate measures to erase the information stored on the system's
media. This can lead to the disclosure of sensitive information,
embarrassment to the agency, costly investigations, and other
consequences which could have been avoided.

Employees throw away old diskettes believing that "erasing" the files on
the diskette has made the data unretrievable. In reality, however,
"erasing" a file simply removes the "pointer" to that file. The pointer
tells the computer where the file is physically stored on the disk.
Without this pointer, the files will not appear on a directory listing
of the diskette's files. This does not mean that the file was removed
from the diskette. (Commonly available utility programs can often
retrieve information that is presumed "deleted.") Fortunately, with
foresight and appropriate planning, these situations can be avoided.

Techniques for Media Sanitization
Three techniques are commonly used for media sanitization: overwriting,
degaussing, and destruction. Overwriting and degaussing are the methods
recommended for disposition of sensitive automated information. (Users
of classified systems may also have to be concerned with data remanence.
This refers to the residual information left behind once media has been
in some way erased.) Security officers should be consulted for
appropriate guidance.

Overwriting
Overwriting is an effective method of clearing data from magnetic media.
As the name implies, overwriting utilizes a program to write (1s, 0s, or
a combination of both) onto the location of the media where the file to
be sanitized is located. The number of times that media is overwritten
depends on the level of sensitivity of the information. Overwriting
should not be confused with merely deleting the pointer to a file, as
discussed above.

Degaussing
Degaussing is a method to magnetically erase data from magnetic media.
Two types of degaussers exist: strong magnets and electric degaussers.
Degaussers are tested by the Department of Defense; those which meet
their requirements are placed on the Degausser Products List (DPL) of
the National Security Agency's (NSA) Information Systems Security
Products and Services Catalogue.

Destruction
The final method of sanitization is destruction of the media.
NCSC-TG-025 provides specifics on this method and its applicability.
Shredding diskettes, after removing the outer protective casing, is also
an option for unclassified media.

Employee Training and Awareness
Most employees who utilize IT systems also use, and in fact are often
the custodians of, magnetic media. It is therefore important for
agencies to give the issue of media sanitization appropriate attention
in the agency computer security training and awareness program.

Employees should understand the following essential elements:
1. Media containing sensitive information should not be released without
appropriate sanitization.
2. File deletion functions (e.g., the DEL command on MS-DOS) usually can
be expected to remove only the pointer to a file (i.e., the file is
often still recoverable).

3. When data is removed from storage media, every precaution should be
taken to remove duplicate versions that may exist on the same or other
storage media, back-up files, temporary files, hidden files, or extended
memory.

4. Media in surplus equipment should be sanitized.

Andy Dail
Sunoco PCI Project Manager

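The NISPOM 8-5-3 clearing procedure quoted above (fixed character, its complement, then random data, with the result checked by random sampling) is easy to get wrong in practice, so here is a worked version as a shell script. This is an added example, not code from the list post or from the NISPOM; it runs against an ordinary file image (assumed 512-byte blocks, a /dev/urandom that exists, and GNU or BSD dd/od/tr) so it can be exercised safely, and the marker record it writes is a constructed sample, not real data.

```shell
# Three-pass overwrite of a disk image, each fixed pass verified by random
# sampling in the way NISPOM 8-5-3 describes. Added example; IMG is a file
# here, and replacing it with a block device is a deliberate operator choice.
set -e

BLOCK=512

# Pass helper: fill the whole image with one byte given as an octal escape
# (125 = 0x55, 252 = 0xAA). dd reads full blocks from /dev/zero, tr maps them.
fill_with_byte() {   # fill_with_byte IMAGE OCTAL_BYTE
    img=$1; byte=$2
    blocks=$(( $(wc -c < "$img") / $BLOCK ))
    dd if=/dev/zero bs=$BLOCK count="$blocks" 2>/dev/null | tr '\000' "\\$byte" > "$img"
}

# Final pass: random data over every block.
fill_with_random() { # fill_with_random IMAGE
    img=$1
    blocks=$(( $(wc -c < "$img") / $BLOCK ))
    dd if=/dev/urandom of="$img" bs=$BLOCK count="$blocks" conv=notrunc 2>/dev/null
}

# Random-sample verification: read SAMPLES randomly chosen blocks and require
# every byte in each of them to equal HEX_BYTE (lowercase, e.g. 55 or aa).
verify_sample() {    # verify_sample IMAGE HEX_BYTE SAMPLES
    img=$1; hex=$2; n=$3
    blocks=$(( $(wc -c < "$img") / $BLOCK ))
    i=0
    while [ "$i" -lt "$n" ]; do
        off=$(( $(od -An -N2 -tu2 /dev/urandom | tr -d ' ') % $blocks ))
        distinct=$(dd if="$img" bs=$BLOCK skip="$off" count=1 2>/dev/null \
                   | od -An -v -tx1 | tr -s ' ' '\n' | grep -v '^$' | sort -u)
        [ "$distinct" = "$hex" ] || { echo "block $off is not all $hex" >&2; return 1; }
        i=$(( i + 1 ))
    done
    return 0
}

# NISPOM-style sequence: character, complement, random. Sampling after the
# two fixed passes catches a pass that silently stopped short.
wipe_image() {       # wipe_image IMAGE
    img=$1
    fill_with_byte "$img" 125 && verify_sample "$img" 55 8    # pass 1: 0x55
    fill_with_byte "$img" 252 && verify_sample "$img" aa 8    # pass 2: 0xAA
    fill_with_random "$img"                                   # pass 3: random
}

# Demo: build a constructed 32 KiB image holding a recognisable marker record,
# wipe it, and confirm the marker can no longer be found. Returns 0 on success.
demo() {
    img=${TMPDIR:-/tmp}/wipe_demo.img
    dd if=/dev/zero of="$img" bs=$BLOCK count=64 2>/dev/null
    printf 'SSN=123-45-6789 constructed sample record\n' \
        | dd of="$img" bs=$BLOCK seek=3 conv=notrunc 2>/dev/null
    wipe_image "$img"
    if grep -q 'SSN=' "$img"; then echo "marker still present" >&2; return 1; fi
    echo "wipe complete, marker gone"
    return 0
}
```

Run `demo` to see the whole sequence on the scratch image. Sampling only proves the write path worked on the blocks it happened to read; it says nothing about bad sectors the drive has remapped, which is exactly the caveat the quoted text raises about overwrite effectiveness.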


 
Re: [Dataloss] hard drive destruction

From: blitz (blitzstrikenet.kicks-ass.net)
Date: Wed Aug 16 2006 - 10:57:51 CDT


Generally, I'm for recycling drives as much as possible, for not too
many have the resources to access an electron microscope needed to
see anything left over after a DOD approved wipe and rewrite scheme.
If it were National security, incineration is the only way, as you'd
be dealing with entities with the time and money. PII theft is
usually a crime of opportunity.
A DOD 5200.28 wipe should suffice.



 
Re: [Dataloss] hard drive destruction

From: Chris Walsh (cwalshcwalsh.org)
Date: Wed Aug 16 2006 - 11:05:31 CDT


Agreed on the sufficiency of wiping.

For disks that are dead, or that are obsolete, I used to use a combination of the
drill and hammer methods. Where some sort of paper trail is warranted, I would
probably go with a service, even though I suspect they are pricey.

cw


 
Re: [Dataloss] hard drive destruction

From: DAIL, ANDY (ADAILsunocoinc.com)
Date: Wed Aug 16 2006 - 11:09:10 CDT


Don't forget contractual and cost considerations either. For instance,
we have computers in over 5,000 gas stations. When a hard drive goes
out in one of those PC's, our contract with Dell requires us to send in
the old drive in order to receive a new one under warranty. We could
pay extra and just get a new drive and destroy the old one, but why make
it more expensive? We ensure the drive is clean, then we ship it to
Austin. It adds a step, but it is still cheaper than buying new drives
all the time (funny how those $100, 500 GB drives at CompUSA never seem
to make it onto my commercial account ordering lists).

Too many decision makers are led down the most expensive solution to a
problem for the sake of ease, because of paranoia or inexperienced
staff. The more simple and inexpensive the solution (assuming it is
effective, or adequate compensating controls can be deployed), the more
likely it is to be followed by staff, and the more likely I am to still
be managing the effort next year. :)


Andy Dail
Sunoco PCI Project Manager



 
Re: [Dataloss] hard drive destruction

From: Al Mac (macwheel99sigecom.net)
Date: Wed Aug 16 2006 - 12:52:32 CDT


I agree that it is best to have professionals do the obliteration, because
most businesses do not have personnel with relevant skills and check lists
to take care of all computers they are done with. However, there needs to be
certification that the professionals actually do what they contracted to do.

There have been breaches where some computer trade-in place was supposed to
wipe disk on the old system, then the used market gets the confidential
data not erased. The computer trade-in place had dropped the ball.

This also applies to passing old company computers to employees, or sales
direct to other companies who accept hand me down equipment. There have
been breaches in that area also.

Al Mac



 
Re: [Dataloss] hard drive destruction

From: DAIL, ANDY (ADAILsunocoinc.com)
Date: Wed Aug 16 2006 - 13:45:40 CDT


Very excellent points.

This whole security and accountability issue adds a new level of
complexity to outsourcing and offshoring IT capabilities. Data breaches
aside, when SoX moves from 404 to 409, I cannot help but wonder how some
business entities will demonstrate compliance, when all of their
physical data handling occurs outside of their physical control. It is
deceptively easy to comply with security requirements on paper.

Of course The Information Security ISO 17799 and ISO 27001 will add
additional levels of complexity. The combination of executive
accountability (in terms of actually going to jail) for financial data,
and the vulnerability of personal data (often stored on the same
systems) will make the next 5 years.... Interesting.

Andy Dail
Sunoco PCI Project Manager



 
[Dataloss] Chevron Laptop gone missing

From: Henry Brown (hbrownknology.net)
Date: Wed Aug 16 2006 - 19:27:07 CDT


http://tinyurl.com/r3rtd

Chevron may have pocketed record profits of $4.35 billion in the most
recent quarter, but that wasn't enough to protect the names and Social
Security numbers of potentially tens of thousands of employees.

The San Ramon oil giant sent an e-mail to U.S. workers Monday warning
that a laptop computer "was stolen from an employee of an independent
public accounting firm who was auditing our employee savings, health and
disability plans."
...



 
[Dataloss] Survey: 81% of U.S. firms lost laptops with sensitive data in the past year

From: security curmudgeon (jerichoattrition.org)
Date: Thu Aug 17 2006 - 08:23:27 CDT


Courtesy of WK / ISN:

---------- Forwarded message ----------

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9002493

By Linda Rosencrance
August 16, 2006
Computerworld

Loss of confidential data -- including intellectual property, business
documents, customer data and employee records -- is a pervasive problem
among U.S. companies, according to a survey released yesterday by Ponemon
Institute LLC and Vontu Inc., a San Francisco-based provider of data loss
prevention products.

Eighty-one percent of companies surveyed reported the loss of one or more
laptops containing sensitive information during the past 12 months,
according to the survey, which queried nearly 500 information security
professionals.

One of the main reasons corporate data security breaches occur is because
companies don't know where their sensitive or confidential business
information resides within the network or enterprise systems, Larry
Ponemon, chairman of the Ponemon Institute, said in a statement.

"This lack of knowledge, coupled with insufficient controls over data
stores, can pose a serious threat for both business and governmental
organizations," Ponemon said. "Moreover, the danger doesn't stop at the
network, but includes employees' and contractors' laptop computers and
other portable storage devices."

Ponemon, whose research firm is based in Elk Rapids, Mich., is also a
columnist for Computerworld.

Other findings of the study include the following:

* Handheld devices and laptops ranked highest among storage devices that
   posed the greatest risk for sensitive corporate data, followed by
   Universal Serial Bus memory sticks, desktop systems and shared file
   servers.

* Sixty-four percent of companies surveyed reported that they have never
   conducted an inventory of sensitive consumer information.

* Sixty-four percent also reported never having taken an inventory of
   employee data.

* Eighty-one percent of respondents reported that protecting sensitive
   "data at rest" is a priority this year, and 89% predicted that it will
   be a priority next year. The survey defines data at rest as all
   electronic information found on storage devices within an
   organization's IT infrastructure.

Asked "How long would it take to determine what actual sensitive data was
on a lost or stolen laptop, desktop, file server or mobile device?" the
most frequent answer was "never," according to the survey.

More than 53% of respondents believed that their companies would be unable
to determine what sensitive or confidential information resided on a USB
memory stick if it was lost or stolen.

And approximately 49% of respondents said that their companies would be
unable to determine what lost data resided on a handheld or comparable
mobile device, according to the survey.

"Corporations are clearly struggling with the challenges of identifying
and protecting sensitive data, as well as developing successful strategies
for securing confidential information stored among the myriad devices that
make up today's data networks," said Ponemon. "Our findings point to the
shockingly high risk to both business and consumers of undiscovered
confidential data, but we believe that the data also serve as a compass to
help point organizations toward effective solutions to this vexing
problem."

According to Pete Lindstrom, an analyst at Spire Security LLC in Malvern,
Pa., organizations can take the following steps to protect sensitive data.

    1. Identify your most significant data elements. That's often
       personal information, but it could also be intellectual property,
       financial data or something else.

    2. Determine where this data exists on your network, and where it is
       most likely to leak. Laptops are the typical answer here, but
       e-mail is another possibility. And some people are concerned about
       backup tapes or laptop outputs such as USB drives and CDs.

    3. Monitor the network and possibly the endpoint for this
       information, and take appropriate action. In the beginning, this
       is simply logging. You could also prevent/block it, or even better
       encrypt it.

    4. Encrypt data in the places where it is most likely to rest.

    5. Plan your rights management strategy now. Data is ubiquitous.

In the future, organizations will have another option for data encryption,
said Stephen Northcutt, president of the SANS Institute, a Bethesda,
Md.-based cybersecurity training and certification company.

"The newest laptops and desktops are shipping with something called the
Trusted Platform Module, and it's a chip that's designed for secure
storage so it was built to play very nicely with [public-key
infrastructure]," Northcutt said. "It's really a thing of the future. The
laptops are shipping now, the software is available now, but the
implementations don't exist right this second.

"We think this will really be the final answer," he said. "In the
meantime, [organizations] are going to have to go with a third-party
solution to [encrypt their data]."
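Lindstrom's steps 1 to 3 in the article above (identify the significant data element, determine where it sits, then monitor and log) amount to a data-at-rest inventory, which the survey says most respondents have never done. The script below is an added example of that inventory, not code from the article, Vontu or Ponemon: it searches a directory tree for SSN-shaped values, discards structurally impossible ones, and writes one log line per hit with the value masked, because an inventory log that copies the numbers it found would itself be a new data store to protect. The files it scans are a constructed sample tree; the assumed tools are POSIX sh with grep -E, mktemp and tee.

```shell
# Data-at-rest inventory for SSN-shaped values (step 1: the data element,
# step 2: where it exists, step 3: log it). Added example on constructed data.
set -e

# Structural check on NNN-NN-NNNN: area 000, 666 and 9xx are never issued,
# group 00 and serial 0000 are never issued either. Returns 0 if plausible.
ssn_plausible() {   # ssn_plausible NNN-NN-NNNN
    area=${1%%-*}; rest=${1#*-}; group=${rest%%-*}; serial=${rest#*-}
    case "$area" in 000|666|9??) return 1;; esac
    [ "$group" != "00" ] || return 1
    [ "$serial" != "0000" ] || return 1
    return 0
}

# Walk DIR, keep plausible hits, append "file:line:***-**-NNNN" to LOGFILE
# (last four digits only), and print the number of hits on stdout.
# The pattern has no word-boundary anchors; a production scanner would add them.
scan_for_ssn() {    # scan_for_ssn DIR LOGFILE
    dir=$1; log=$2
    grep -rnoE '[0-9]{3}-[0-9]{2}-[0-9]{4}' "$dir" 2>/dev/null |
    while IFS=: read -r file line val; do
        ssn_plausible "$val" || continue
        printf '%s:%s:***-**-%s\n' "$file" "$line" "${val##*-}"
    done | tee -a "$log" | wc -l | tr -d ' '
}

# Constructed sample tree: one real-looking record, one impossible area
# number, one stray value in free text, one clean file. Prints the path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'name,ssn\nAlice Example,123-45-6789\nBob Example,000-12-3456\n' > "$d/payroll.csv"
    printf 'ticket note: caller quoted 555-12-3456 over the phone\n' > "$d/notes.txt"
    printf 'no personal data here\n' > "$d/readme.txt"
    echo "$d"
}

# Demo: inventory the sample tree and show the masked log.
demo() {
    d=$(make_sample_dir)
    log=$(mktemp)
    n=$(scan_for_ssn "$d" "$log")
    echo "$n plausible SSN hit(s) under $d, masked log follows:"
    cat "$log"
}
```

Expect two hits from the sample tree: the payroll record and the free-text note, while the 000-area value is dropped by the structural check. The log carries only the file, line and last four digits, so it can be handed to the people who will act on it without becoming another copy of the data.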


 
[Dataloss] Chain reports stolen laptop to employees

From: lyger (lygerattrition.org)
Date: Thu Aug 17 2006 - 08:26:06 CDT


http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/08/17/BUG11KJOOV1.DTL

About 1,200 employees at Williams-Sonoma may be at risk of identity theft
after a laptop computer containing personal information was stolen from an
auditor.

The San Francisco home-furnishing chain sent an e-mail to current and
former employees earlier this month alerting them to the theft.

"Although the information contained on the computer was not encrypted, it
was password protected," the letter stated. "Despite this level of
protection, the potential does exist that your personal information may be
accessed and/or disclosed by unauthorized individuals."

Williams-Sonoma said it has arranged free credit monitoring for its
employees.

[...]
 
Re: [Dataloss] hard drive destruction

From: Al Mac (macwheel99sigecom.net)
Date: Thu Aug 17 2006 - 01:41:58 CDT


Remember that SOX only applies to companies doing business in USA that are
traded on the stock market. Many large companies are privately held.

Looking at recent large breaches:

Ernst & Young ... multiple breaches with records on different companies
* BP employees
* Cisco employees
* Hotels.com
* IBM employees
* Nokia employees
* Sun Microsystems employees

I think they are based in Britain, so different laws may be applicable than
those in the USA.

Hummingbird in Canada breached 1,300,000 US students.

These are public companies in the USA:
American Insurance Group ... 930,000
Automated Data Processing ... hundreds of thousands
IBM ... 17,781,462
Marsh Insurance ... 540,000

I do not believe the American Red Cross is
several incidents, big one = 1 million people
or American Institute of Certified Public Accountants (330,000)
or Vassar Brothers Medical Center (257,800)

It might be of interest to know what proportion of breaches occurred at
institutions not covered by SOX, CFR, GLBA, HIPAA etc. In other words, the
only rules that applied to them were the breach disclosure laws, and good
governance without any mandate for it.

Alphabet soup of some data security standards
http://www.unbeatenpathintl.com/ITstandards/source/1.html

I think a large proportion of breaches overall have been at Colleges and
Universities. I don't think any of them are covered by SOX. However, the
number of victims per academia incident is generally smaller compared to
incidents at Government and Financial Institutions ... I think the banks
are heavily regulated, such as by GLBA, bank regulators, and the credit
card standards, and most of them are public companies.

There's also the question of what industries appear to have avoided having
any significant breaches, and the numbers of non-victims (because no
breaches) involved there.

>This whole security and accountability issue adds a new level of
>complexity to outsourcing and offshoring IT capabilities. Data breaches
>aside, when SoX moves from 404 to 409, I cannot help but wonder how some
>business entities will demonstrate compliance, when all of their
>physical data handling occurs outside of their physical control. It is
>deceptively easy to comply with security requirements on paper.
>
>Of course The Information Security ISO 17799 and ISO 27001 will add
>additional levels of complexity. The combination of executive
>accountability (in terms of actually going to jail) for financial data,
>and the vulnerability of personal data (often stored on the same
>systems) will make the next 5 years.... Interesting.
>
>Andy Dail
>Sunoco PCI Project Manager

 
Re: [Dataloss] hard drive destruction

From: George Toft (georgemyitaz.com)
Date: Thu Aug 17 2006 - 11:17:15 CDT


speaking of grinders . . .

http://www.semshred.com/content535.html

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

Joe Francis wrote:
> I agree. To worry about microscopy on the drive, it means that the
> FBI/CIA/NSA or another TLA is after you ... in which case they'll probably
> just kick in your door if they know where you live (which they must if
> they are stealing your trash).
>
> I personally "dd if=/dev/zero of=/dev/hda && dd if=/dev/urandom
> of=/dev/hda" and then run a drill bit through the drive (not right down
> the middle of the spindle, but somewhere to the side but still hit the
> platters). I think I drill more so because it's fun than any other reason,
> though :)
>
> Really paranoid places have grinders that can reduce any media (drives,
> removable devices, CDs, etc) to a powder.
>
>
>
> On Wed, 16 Aug 2006, *Hobbit* wrote:
>
>
>>For the 99% case, "dd if=/dev/zero of=/dev/hda" from a linux distrib
>>booted to a shell will probably suffice. Or maybe from /dev/random,
>>which would take much longer. I wouldn't think scammers in Nigeria
>>or wherever are the ones going after old drives with magnetic-force
>>microscopy or in-depth head-signal analysis...
>>
>>Clearly, the answer is to fill the drive up with pr0n and then
>>send it off!
>>
>>_H*

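The zero-then-random overwrite quoted above, as an added example that is not part of any post in this thread: it runs on a temporary file standing in for the drive and adds the read-back checks a disposal record should keep. The file path, the sample record and the function names are constructed; a real device needs a block-device path and root.

```python
"""Added example, not from the thread: zero pass, random pass, then verify.
An overwrite issued through the OS never reaches sectors a drive has
remapped or flash blocks a controller has retired, which is why the thread
ends at drills and grinders; this shows what the overwrite step can prove."""
import hashlib
import os
import tempfile

BLOCK = 1 << 20  # 1 MiB per read/write, comparable to a large dd bs=


def sha256_of(path: str) -> str:
    """Streaming hash of the whole medium, recorded before and after."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def overwrite(path: str, source) -> int:
    """Overwrite path end to end with bytes from source(n) -> bytes, then
    fsync so the data is handed to the medium rather than left in the page
    cache. Returns the number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            chunk = source(min(BLOCK, size - written))
            f.write(chunk)
            written += len(chunk)
        f.flush()
        os.fsync(f.fileno())
    return written


def zeros(n: int) -> bytes:
    return b"\x00" * n


def all_zero(path: str) -> bool:
    """Read back and confirm every byte is zero: dd's exit status only says
    the writes were accepted, this says the medium now reads as zeros."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            if any(chunk):
                return False
    return True


def contains(path: str, needle: bytes) -> bool:
    """Search the medium for a plaintext marker known to have been on it,
    keeping an overlap so a hit straddling two reads is not missed."""
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            window = tail + chunk
            if needle in window:
                return True
            tail = window[-keep:] if keep else b""
    return False


def sanitize(path: str, markers: list[bytes]) -> dict:
    """Zero pass, verify it, random pass, confirm no marker survives.
    The returned dict is the evidence a disposal log should retain."""
    size = os.path.getsize(path)
    before = sha256_of(path)
    overwrite(path, zeros)
    zero_ok = all_zero(path)
    overwrite(path, os.urandom)
    return {
        "bytes": size,
        "sha256_before": before,
        "sha256_after": sha256_of(path),
        "zero_pass_verified": zero_ok,
        "marker_found": any(contains(path, m) for m in markers),
    }


def demo() -> dict:
    """Constructed 'drive' seeded with the sort of record these breaches
    involve, sanitized, then the temp file is removed."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        record = b"name=J. Doe ssn=123-45-6789 (constructed)\n"
        with open(path, "wb") as f:
            f.write(record * 50000)  # about 2 MiB, spans several blocks
        assert contains(path, b"123-45-6789")  # marker present before wipe
        return sanitize(path, [b"123-45-6789", b"J. Doe"])
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```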
 
[Dataloss] Tennessee: 10 stolen HCA computers contained people's records

From: lyger (lygerattrition.org)
Date: Thu Aug 17 2006 - 20:30:20 CDT


Courtesy pogowasright.org

http://www.kansas.com/mld/kansas/news/state/15297743.htm

Posted on Thu, Aug. 17, 2006
Rose French, Associated Press

NASHVILLE, Tenn. - HCA Inc. said 10 computers containing Medicare and
Medicaid billing information and records of employees and physicians were
stolen from one of the company's regional offices.

HCA officials won't say where or when the theft occurred because they
believe that might help the thieves, who authorities believe were after
computer hardware, not personal identity information.

"We don't want to tip them off they may have information that they might
use to perpetuate identity theft," said HCA spokesman Jeff Prescott.

The Nashville-based for-profit hospital operator reports on its Web site
that the FBI is investigating the incident.

The computers held thousands of files on Medicare and Medicaid patients
treated at HCA hospitals in Colorado, Kansas, Louisiana, Mississippi,
Oklahoma, Oregon, Texas or Washington state between 1996 and 2006.

The machines contained some patient names and Social Security numbers but
no addresses or dates of birth.

[...]

 
[Dataloss] Florida Dept of Transportation loses laptop, 40K pilots' data

From: dano (danowell.com)
Date: Fri Aug 18 2006 - 08:24:13 CDT


From the online publication of Aircraft Owners and Pilots Association
(US), ePilot:

AOPA ePilot Volume 8, Issue 33 August 18, 2006

  AOPA MEMBERS OUTRAGED OVER LOSS OF PERSONAL INFO

AOPA President Phil Boyer fired off a blistering letter to the
Department of Transportation's inspector general after the loss of a
government laptop computer exposed tens of thousands of Florida
pilots to the risk of identity theft. The letter was a follow-up to
Boyer's phone conversation with the inspector general last week right
after AOPA learned about the incident. The laptop, stolen from a
government agent's car, included the names, addresses, and Social
Security numbers of some 40,000 pilots, all the information a
thief needs to obtain fraudulent credit cards or loans. Boyer told
Acting DOT Inspector General Todd Zinser that AOPA members were
"outraged that such sensitive personal information would be left
unsecured." Ironically, the FAA has stopped using Social Security
numbers for new pilot certificate numbers, is allowing pilots to
change their old certificate numbers, and has removed certificate
numbers from its Web site.
 
[Dataloss] Youngstown Ohio Jury Info Breach

From: Al Mac (macwheel99sigecom.net)
Date: Sun Aug 20 2006 - 11:57:33 CDT


Prospective jury members fill out questionnaires which include names,
addresses and occupations of potential jurors and their families

Because of a local defense lawyer's release of personal information about
jurors, which resulted in postponement of a trial, Mahoning County's five
general division common pleas judges will soon be discussing reforms

Judge Evans decided to postpone a felony assault case, and do the trial
with a different jury, after lawyer for defendant shared jury
questionnaires with the accused's step father and minister. The judges are
now discussing a proposed new rule to prohibit release of information from
the questionnaires to anyone but court personnel with a need to know,
without a judge's permission.

The lawyer acknowledged giving the jury questionnaires to the accused's
stepfather and minister, but said there was no rule preventing him from
doing so. A deputy sheriff then reported seeing one of the people to whom
a juror questionnaire had been given, hand the questionnaire to another
person in the courtroom.

http://www.vindy.com/content/local_regional/320036781852634.php

 
[Dataloss] Wired News: Privacy Debacle Hall of Fame

From: lyger (lygerattrition.org)
Date: Mon Aug 21 2006 - 08:15:52 CDT


(some pretty interesting choices here, especially number one... - lyger)

http://www.wired.com/news/politics/privacy/0,71622-0.html?tw=rss.index

Earlier this month AOL publicly released a data trove: 500,000 search
queries culled from three months of user traffic on its search engine.

The company claimed it was trying to help researchers by providing
"anonymized" search information, but experts and the public were shocked
at how easy it was to figure out who had been searching on what.
Apparently, AOL's anonymizing process didn't include removing names,
addresses and Social Security numbers. Although the company has since
apologized and taken the data down, there are at least half-a-dozen
mirrors still out there for all to browse.

This may have been one of the dumbest privacy debacles of all time, but it
certainly wasn't the first. Here are ten other privacy snafus that made
the world an unsafer place. Despite the obvious flaws of rankings, we have
attempted one as follows, in descending order:

10. ChoicePoint data spill:
ChoicePoint, one of the largest data brokers in the world, in early 2005
admitted that it had released sensitive data on roughly 163,000 people to
fraudsters who signed up as ChoicePoint customers starting in 2001. At
least 800 cases of identity theft resulted. Sued by the FTC, the company
paid $15 million in a settlement earlier this year -- at least $5 million
of which goes to the consumers whose lives they ruined.

9. VA laptop theft:
In May, two teenagers stole a laptop from the Veterans Association that
contained financial information on more than 25 million veterans, as well
as people on active duty. Electronic Frontier Foundation staff attorney
Kurt Opsahl said this is one of the worst data breaches in recent memory
because of its sheer scale: "The database contained the names, Social
Security numbers and dates of birth of as many as 26.5 million veterans
and their families, though allegedly recovered without evidence of the
thieves obtaining access." The case also raised awareness about how many
unprotected, private databases are floating around on easily-stolen,
mobile devices. When the laptop was recovered, it appeared that none of
the data had been disturbed -- but only time will tell.

[...]

 
[Dataloss] Aflac clients' data stolen

From: lyger (lygerattrition.org)
Date: Tue Aug 22 2006 - 12:25:58 CDT


Courtesy PogoWasRight.org

http://www.charleston.net/assets/webPages/departmental/news/Stories.aspx?section=business&tableId=103737&pubDate=8/22/2006

Insurance giant Aflac said Monday that a laptop computer containing
personal information on hundreds of customers was stolen from an agent's
car in the Greenville area.

The computer contained names, addresses, Social Security numbers and birth
dates of 612 policy holders, said spokeswoman Laura Kane.

After the theft was reported, the Columbus, Ga.-based company notified all
affected customers in a letter dated Aug. 11.

Kane said the insurer, also known as American Family Life Assurance Co.,
believes the computer was taken by an opportunistic thief, not someone who
was after the data on it.

The information is protected by a password, she said. Also, the computer
is equipped with tracking software that will alert officials when the
computer is connected to the Internet.

[...]
 
[Dataloss] Hospital Laptop Computer Containing Patient Information Stolen

From: lyger (lygerattrition.org)
Date: Tue Aug 22 2006 - 13:12:34 CDT


Courtesy Audit (attrition.org)

http://www.clickondetroit.com/news/9716061/detail.html

28,400 Home Care Patients Affected

POSTED: 10:32 am EDT August 22, 2006
UPDATED: 1:49 pm EDT August 22, 2006

TROY, Mich. -- Troy Beaumont Hospital officials are asking for your help
Tuesday in recovering a stolen laptop computer containing patient
information.

The laptop computer was stolen on Aug. 5, according to hospital officials.
The computer was in the rear of the vehicle of a Beaumont Home Care nurse,
which was stolen from outside a senior center on Agnes Street in Detroit,
said Chris Hengstebeck, director of security at Troy Beaumont Hospital.

The vehicle was recovered about a mile from the location, but the laptop
remained missing, according to Hengstebeck.

The Dell D-400 computer (serial No. 5MZ1F61) was turned off at the time
and in a nylon case, Hengstebeck said. He said the computer is used to
document patient care and includes personal information such as names,
addresses, Social Security numbers and insurance information on 28,400
Home Care patients served over the last three years.

[...]
 
Re: [Dataloss] Aflac clients' data stolen

From: Chris Walsh (cwalshcwalsh.org)
Date: Tue Aug 22 2006 - 22:09:32 CDT


This reads just like the laptop theft from Aflac that occurred on
December 12, 2005, exposing the PII of 257 people, except the earlier
theft was from a car parked in Hoboken, NJ.

On Aug 22, 2006, at 12:25 PM, lyger wrote:

>
> Courtesy PogoWasRight.org
>
> http://www.charleston.net/assets/webPages/departmental/news/
> Stories.aspx?section=business&tableId=103737&pubDate=8/22/2006
>
> Insurance giant Aflac said Monday that a laptop computer containing
> personal information on hundreds of customers was stolen from an
> agent's
> car in the Greenville area.

 
[Dataloss] Privacy Working Group RFP

From: Richard Forno (rfornoinfowarrior.org)
Date: Tue Aug 22 2006 - 22:24:35 CDT


Lauren is one of those folks who is a thought leader in the realm of IT,
security, policy, and related matters. Dare I say someone I respect and
look up to myself. -rf

< - >

The observant reader will note that despite the rising tide of concerns
regarding search query privacy, the industry as a whole is still pretty much
in a state of denial, made all the more confusing by various signals from
the U.S. Department of Justice.

This is turning into such a mess that it's becoming difficult to even keep
the various participants and their positions completely clear. There is
every reason to believe that without heroic action by the players involved,
we may be heading toward a privacy, legislative, and judicial nightmare. But
maybe there's a way out.

< - >

Therefore, I propose the formation of a high-level Internet working
group/consortium dedicated specifically to the cooperative discussion of
these issues and the formulation of possible policy and technology
constructs that can be applied toward their amelioration. Such a working
group would be as open as possible, though proprietary concerns would likely
necessitate some closed aspects if progress is to be accelerated as much as
possible.

< - >

http://lauren.vortex.com/archive/000188.html

 
[Dataloss] Education Department working to fix software after student loan data breach

From: lyger (lygerattrition.org)
Date: Wed Aug 23 2006 - 12:21:57 CDT


http://www.startribune.com/484/story/631186.html

Associated Press
Last update: August 23, 2006 - 11:54 AM

WASHINGTON - The Education Department was working to fix a software glitch
in its student loan Web site after users complained that they could see
other people's personal data.

The department said Wednesday that only a "limited number'' of the
program's 6.4 million borrowers were believed to be affected after the
problem began Sunday, since not all use the online system. It did not
specify how many.

The program involves holders of federal direct student loans, not those
who have loans managed through private companies.

The department blamed the data breach on a routine software upgrade,
conducted by Dallas-based contractor Affiliated Computers Services Inc.,
that appeared to mix up data for different borrowers when they accessed
the Web site. Since Sunday, four borrowers have complained, a spokeswoman
said.

[...]
 
[Dataloss] Stolen laptop returned to Beaumont Hospital

From: lyger (lygerattrition.org)
Date: Wed Aug 23 2006 - 20:05:46 CDT


(follow-up to previous post)

Courtesy Audit (attrition.org)

http://freep.com/apps/pbcs.dll/article?AID=/20060823/NEWS99/60823026

August 23, 2006
By Kim Norris

A stolen laptop filled with medical and personal information of more than
28,000 patients of Beaumont Hospital Home Care was returned Wednesday,
without any of the patients' information accessed, Beaumont Hospital
officials said.

Several unnamed employees have since been disciplined, officials said.

The laptop computer was inside a car belonging to a home care nurse
when the car was stolen Aug. 5 on Agnes Street in Detroit. It was
recovered Wednesday after hospital security officials received more about
50 tips from area residents responding to a hotline number disseminated by
local media.

[...]

 
Re: [Dataloss] Stolen laptop returned to Beaumont Hospital

From: World Privacy Forum (info2006worldprivacyforum.org)
Date: Thu Aug 24 2006 - 14:22:39 CDT


From the Detroit Free Press article:

"Hospital officials said an independent computer expert determined that
the laptop's patient information was not accessed during the time it
was missing. Yet, they added that the agency will continue to offer
free credit monitoring to the 28,473 patients whose information was on
the laptop."

I've seen several media reports saying similar things such as "the data
wasn't accessed" after post-breach recovery of computers. What isn't
being said, of course, is that the entire drive could have been copied
without specific data being accessed. The "data wasn't accessed"
statements need some substantial qualifiers, I think. This is a real
flaw in some of the reporting on this issue -- my hope is that even the
most general reporting of this becomes more tuned into the copy issue.
While not everyone will know how to copy a drive without leaving
footprints, the professionals will.

Pam Dixon

On Aug 23, 2006, at 6:05 PM, lyger wrote:

>
> (follow-up to previous post)
>
> Courtesy Audit (attrition.org)
>
> http://freep.com/apps/pbcs.dll/article?AID=/20060823/NEWS99/60823026
>
> August 23, 2006
> By Kim Norris
>
> A stolen laptop filled with medical and personal information of more
> than
> 28,000 patients of Beaumont Hospital Home Care was returned Wednesday,
> without any of the patients' information accessed, Beaumont Hospital
> officials said.
>
> Several unnamed employees have since been disciplined, officials said.
>
> The laptop computer was inside a car belonging to a home care nurse
> when the car was stolen Aug. 5 on Agnes Street in Detroit. It was
> recovered Wednesday after hospital security officials received more
> about
> 50 tips from area residents responding to a hotline number
> disseminated by
> local media.
>
> [...]
>
 
Re: [Dataloss] Stolen laptop returned to Beaumont Hospital

From: George Toft (georgemyitaz.com)
Date: Thu Aug 24 2006 - 15:49:36 CDT


In the wake of similar statements in the VA laptop case, I talked to a
computer forensics expert and he confirmed that as long as Windows was
not used to access the drive, then the markers used to indicate file
access will remain intact and indicate no access.

It is not unreasonable to assume that a savvy ID thief would make a copy
of the drive using Linux. Now they have a copy of the drive, the
original is "untouched" and the marketing spin machine touts "nobody
accessed the data."

It's all marketing spin to downplay the seriousness of their mistake
because nobody likes to admit to their customers that they screwed up.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.

World Privacy Forum wrote:
> From the Detroit Free Press article:
>
> "Hospital officials said an independent computer expert determined that
> the laptop's patient information was not accessed during the time it
> was missing. Yet, they added that the agency will continue to offer
> free credit monitoring to the 28,473 patients whose information was on
> the laptop."
>
> I've seen several media reports saying similar things such as "the data
> wasn't accessed" after post-breach recovery of computers. What isn't
> being said, of course, is that the entire drive could have been copied
> without specific data being accessed. The "data wasn't accessed"
> statements need some substantial qualifiers, I think. This is a real
> flaw in some of the reporting on this issue -- my hope is that even the
> most general reporting of this becomes more tuned into the copy issue.
> While not everyone will know how to copy a drive without leaving
> footprints, the professionals will.
>
> Pam Dixon
>
>
>
>
> On Aug 23, 2006, at 6:05 PM, lyger wrote:
>
>
>>(follow-up to previous post)
>>
>>Courtesy Audit (attrition.org)
>>
>>http://freep.com/apps/pbcs.dll/article?AID=/20060823/NEWS99/60823026
>>
>>August 23, 2006
>>By Kim Norris
>>
>>A stolen laptop filled with medical and personal information of more
>>than
>>28,000 patients of Beaumont Hospital Home Care was returned Wednesday,
>>without any of the patients' information accessed, Beaumont Hospital
>>officials said.
>>
>>Several unnamed employees have since been disciplined, officials said.
>>
>>The laptop computer was inside a car belonging to a home care nurse
>>when the car was stolen Aug. 5 on Agnes Street in Detroit. It was
>>recovered Wednesday after hospital security officials received more
>>about
>>50 tips from area residents responding to a hotline number
>>disseminated by
>>local media.
>>
>>[...]
>>
 
[Dataloss] Oregon: Beaverton school staff personal data stolen

From: lyger (lygerattrition.org)
Date: Fri Aug 25 2006 - 08:48:09 CDT


http://www.oregonlive.com/metrowest/oregonian/index.ssf?/base/metro_west_news/1156217123179890.xml&coll=7

Tuesday, August 22, 2006

Beaverton school officials have notified about 1,600 employees that time
slips revealing personal information were missing following a July 24
break-in.

School officials sent letters home late last week, notifying staff members
of the theft. The school district will provide a year of credit reporting
to the full-time teachers, substitutes and other staff whose Social
Security numbers were printed on the slips.

"We're encouraging people to follow up on the letter and enroll in the
program," said Sue Robertson, associate superintendent for human resources
and support.

[...]
 
[Dataloss] FMCSA laptop stolen from a government vehicle in Baltimore

From: Al Mac (macwheel99sigecom.net)
Date: Fri Aug 25 2006 - 20:22:17 CDT


This is a separate story from the SLASHDOT discussion of Baltimore Police
not able to recover a stolen laptop programmed to call home to identify
where it ended up, in the hands of a Verizon customer, after being stolen.

The people affected in this latest Baltimore laptop story are some with
commercial driver's licenses from Alabama, California, Florida, Georgia,
Illinois, Kentucky, Maryland, North Carolina, New Jersey, New York,
Pennsylvania, Texas, Virginia and Washington, D.C.

The Federal Motor Carrier Safety Administration, part of the Department of
Transportation, said the laptop was stolen Tuesday from a
government-owned vehicle, and was reported to Baltimore police.

FMCSA said the computer might contain names, dates of birth and commercial
driver's license numbers of 193 people from 40 motor carrier companies. It
does not contain financial or medical information, the agency said.

[...]

http://www.thewbalchannel.com/news/9741267/detail.html

 
[Dataloss] Dominion Resources laptop lost

From: Henry Brown (hbrownknology.net)
Date: Sat Aug 26 2006 - 04:56:45 CDT


APPARENTLY "we" can tell whether data has been accessed even when the
computer is still missing.

http://tinyurl.com/osa85

" A spokesman for Dominion Resources has confirmed that two laptop
computers containing employee information have been stolen.

Company security and local law enforcement are investigating the theft,
which apparently occurred earlier this month. Law officers have
indicated that sensitive information contained on the computers has not
been accessed.

Dominion has notified the workers affected and advised them to take
steps to prevent identity theft. No customer information was on the
computers, the company said. "

 
[Dataloss] Hacker swipes PortTix data

From: lyger (lygerattrition.org)
Date: Sat Aug 26 2006 - 09:58:54 CDT


Courtesy PogoWasRight.org

http://pressherald.mainetoday.com/news/local/060826tickethack.shtml

Credit card information for about 2,000 people who ordered tickets online
through PortTix, Merrill Auditorium's ticketing agency, was stolen this
week when someone hacked into the PortTix Web site.

The breach was discovered Wednesday after someone called to report the
possibility that the information was compromised, said Janice Bailey,
PortTix executive director.

She declined to reveal the caller's identity. Bailey said the Web site was
secured immediately and an outside audit was performed to make sure the
site could not be breached again. Portland police are investigating the
breach, she said.

[...]

 
[Dataloss] U of South Carolina 6,000 students

From: Al Mac (macwheel99sigecom.net)
Date: Sat Aug 26 2006 - 18:26:54 CDT


USC is working on a computer upgrade to a system that does not store Social
Security #s etc., and not a moment too soon.

The University of South Carolina is warning 6,000 current and former
students that some of their personal information may have been accessed by
an intruder into the school's computer system.

A security audit this summer determined a university computer server was
accessed from outside the system in September 2005.

The intruder could have acquired a database used by the university post
office that had the names, Social Security numbers and birthdays of about
6,000 students.

The university sent letters to the students.

It is the second time in four months the university has had to inform
students that someone other than authorized university personnel had access
to their personal information.

In April, about 1,400 students' names, Social Security numbers and birth
dates were e-mailed accidentally to as many as 1,000 students in the
Hospitality, Retail and Sports Management Program.

[...]
http://www.thestate.com/mld/thestate/news/local/15369806.htm

 
[Dataloss] Sovereign Bank Warns Customers Personal Data May Have Been Breached

From: lyger (lygerattrition.org)
Date: Sat Aug 26 2006 - 21:03:03 CDT


Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://www.boston.com/news/local/massachusetts/articles/2006/08/25/bank_warns_customers_personal_data_may_have_been_breached/

Sovereign Bank is warning thousands of customers that their personal
data may have been stolen along with three managers' laptops taken
earlier this month in Massachusetts.

Bank officials said fewer than 1 percent of customers in the New
England and Mid-Atlantic area may have been affected, the
Standard-Times of New Bedford reported.

"There's no information any of the accounts have been compromised,"
bank spokesman Carl Brown told the newspaper. He would not say how many
letters were sent to customers Aug. 21, but said it was in the thousands.

"We do consider this as a serious matter; we want to do everything we
can," Brown said. "Police are investigating, and we're conducting our
own internal investigation."

[...]
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 310 incidents over 6 years.


 
Re: [Dataloss] Stolen laptop returned to Beaumont Hospital

From: Chris Walsh (cwalshcwalsh.org)
Date: Sun Aug 27 2006 - 18:51:24 CDT


Indeed, the ability to copy a disk w/out altering it is necessary in order for
evidence to hold up in court. If the police change the disk by examining it,
then how could the defense independently examine the same body of evidence?

http://www.cftt.nist.gov/disk_imaging.htm is a useful link, IMO.

Chris

On Thu, Aug 24, 2006 at 01:49:36PM -0700, George Toft wrote:
> In the wake of similar statements in the VA laptop case, I talked to a
> computer forensics expert and he confirmed that as long as Windows was
> not used to access the drive, then the markers used to indicate file
> access will remain intact and indicate no access.
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 315 incidents over 6 years.
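The hash-verified, bit-for-bit imaging that Chris's reply refers to, as an added example (not code from the post or from the NIST CFTT page); the evidence file name and its contents are constructed, and a real acquisition would additionally sit behind a hardware write blocker.

```python
"""Image a drive bit-for-bit, then prove the copy matches and that
neither the acquisition nor a later read-only examination changed it.
Added example; the 'drive' here is a constructed temporary file."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read and write in 1 MiB pieces


def sha256_file(path):
    """Hash by reading only; reading bytes never alters them."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_disk(src, dst):
    """Copy src to dst and return (src_hash, dst_hash).
    The source is hashed before and after the copy so the acquisition
    itself can be shown not to have touched the evidence."""
    before = sha256_file(src)
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            fout.write(chunk)
    if sha256_file(src) != before:
        raise RuntimeError("source changed during acquisition")
    return before, sha256_file(dst)


def verify_image(src, dst):
    """What an independent examiner (e.g. the defense) can repeat."""
    return sha256_file(src) == sha256_file(dst)


def make_constructed_drive(path):
    """Deterministic 1 MiB pattern (byte 0 is 0x00) plus a marker."""
    with open(path, "wb") as f:
        f.write(bytes(range(256)) * 4096)
        f.write(b"constructed-evidence-marker")


def demo():
    """Returns (match after imaging, match after a one-byte write)."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "evidence.img")       # constructed name
    dst = os.path.join(d, "evidence_copy.img")  # constructed name
    make_constructed_drive(src)
    src_hash, dst_hash = image_disk(src, dst)
    match_after_imaging = src_hash == dst_hash and verify_image(src, dst)
    # Any write at all, even a single "last accessed" style marker byte,
    # breaks the match and the copy no longer stands as evidence.
    with open(dst, "r+b") as f:
        f.write(b"\xff")  # flips byte 0 from 0x00 to 0xff
    return match_after_imaging, verify_image(src, dst)
```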


 
[Dataloss] N.M. Judicial Branch data exposure

anonadminpogowasright.org
Date: Mon Aug 28 2006 - 11:23:50 CDT


For eight days last spring, an unsecured document containing names, birth
dates, Social Security numbers, home addresses and other personal
information on some 1,500 New Mexican employees of the state judicial
branch was posted on a state computer server.

http://www.freenewmexican.com/news/48386.html
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 315 incidents over 6 years.


 
[Dataloss] Verizon gaffe lets customer details slip

From: lyger (lygerattrition.org)
Date: Tue Aug 29 2006 - 16:54:15 CDT


Courtesy InfoSec News and WK:

http://news.com.com/Verizon+gaffe+lets+customer+details+slip/2100-1029_3-6109883.html

By Joris Evers
Staff Writer, CNET News.com
Published: August 25, 2006, 5:11 PM PDT

Verizon Wireless this week accidentally distributed a file with limited
details on more than 5,000 customers outside the company, potentially
giving identity thieves a toehold.

The Microsoft Excel spreadsheet file was e-mailed on Monday and includes
names, e-mail addresses, cell phone numbers and cell phone models of 5,210
Verizon Wireless customers, going by a copy of the file obtained by CNET
News.com. All of the customers have Motorola Razr phones, according to the
spreadsheet.

The spreadsheet was inadvertently sent to about 1,800 people, all Verizon
Wireless subscribers, according to a follow-up e-mail apologizing for the
gaffe that the mobile carrier sent on Thursday. The Excel file was
attached to an ad for a Bluetooth wireless headset, instead of the
electronic order form that was supposed to be sent.

"Verizon Wireless takes the security, confidentiality and integrity of
your personal information very seriously, and we deeply regret this
error," the company said in the Thursday e-mail. It said that it has
already implemented additional quality control procedures and process
improvements to prevent a re-occurrence.

[...]
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 315 incidents over 6 years.


 
Re: [Dataloss] Verizon gaffe lets customer details slip

From: security curmudgeon (jerichoattrition.org)
Date: Tue Aug 29 2006 - 17:00:11 CDT


: Courtesy InfoSec News and WK:
:
: http://news.com.com/Verizon+gaffe+lets+customer+details+slip/2100-1029_3-6109883.html

From the article:

  The information in the document is limited and does not immediately
  expose those listed to fraud, the company said in its apology. Yet it
  recommends that people affected review their bills more carefully and
  add a password to their account by calling 1-866-861-5096.

Great.. they give you a number to a sales office and it isn't
monitored 24/7 either. Most credit card companies have a 24/7 response for
fraud related issues, but Verizon doesn't? Glad to see they really treat
this seriously.
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 315 incidents over 6 years.


 
[Dataloss] (no subject)

From: lyger (lygerattrition.org)
Date: Tue Aug 29 2006 - 21:33:59 CDT


Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://www.msnbc.msn.com/id/14575839/

AT&T Inc. said Tuesday that computer hackers illegally accessed credit
card data and other personal information from several thousand
customers who bought DSL equipment from AT&T's online store.

The phone company said it is notifying "fewer than 19,000" customers
whose data was accessed over the past weekend.

The company said it noticed the hacking "within hours," immediately
shut down the online store, notified credit card companies and is
working with law enforcement agencies to investigate the incident and
find the hackers.

[...]
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 315 incidents over 6 years.


 
[Dataloss] Washington State Healthcare Provider Issues Security Advisory on Stolen Laptop

From: lyger (lygerattrition.org)
Date: Tue Aug 29 2006 - 21:40:08 CDT


Courtesy Fergie's Tech Blog: http://fergdawg.blogspot.com/

http://seattlepi.nwsource.com/local/283006_compass29ww.html

Everett-based Compass Health has issued a security advisory to clients
that one of its laptop computers was stolen in late June - but there is
no indication that the personal data and social security numbers
contained in the computer were used for identity theft.

The advisory affects a limited number of people, including those served
by Catholic Community Services and SeaMar. Both groups have Seattle
offices.

People affected by this theft should have received letters from Compass
Health, an agency that helps people who suffer from mental illness.

[...]
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 315 incidents over 6 years.


 
[Dataloss] Dept of Education contractor laptop stolen

From: Henry Brown (hbrownknology.net)
Date: Wed Aug 30 2006 - 05:49:34 CDT


 Laptops with sensitive data stolen from Education contractor

http://govexec.com/dailyfed/0806/082906p1.htm

Two laptop computers believed to contain unencrypted personal
information about 43 grant reviewers were stolen from an Education
Department contractor in Washington, D.C., earlier this month.
...

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 315 incidents over 6 years.


 
[Dataloss] Valley Baptist Medical Center: Web Leak

From: lyger (lygerattrition.org)
Date: Wed Aug 30 2006 - 08:03:33 CDT


Courtesy PogoWasRight.org:

http://www.newschannel5.tv/2006/8/29/28085/-Personal-Information-Posted-on-Hospital-Web-Site-

Tuesday, August 29, 2006 Posted: 06:39 PM

HARLINGEN - A computer glitch on a hospital web site left some people at
risk for identity theft.

Names, birth dates, and social security numbers of various healthcare
workers were posted on Valley Baptist Medical Center's web site late last
week.

The personal information came from an online application filled out by
workers who provide services and bill the hospital.

The mistake was first discovered by a Houston resident visiting the web
site.

"I was shocked," says Maria Hinojosa. A victim of identity theft herself,
Hinojosa says she realized something was very wrong.

Hinojosa provided NEWSCHANNEL 5 with four names of the potential 73
victims.

[...]
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 315 incidents over 6 years.


 
[Dataloss] Introducing the Data Loss Database - Open Source

From: lyger (lygerattrition.org)
Date: Wed Aug 30 2006 - 17:41:29 CDT


http://attrition.org/dataloss/dldos.html

Wed Aug 30 18:27:24 EDT 2006

Since July of 2005, attrition.org has been tracking data loss and data
theft incidents not just from the United States, but across the world. Our
archives go back to the year 2000, and with over 142 MILLION records
compromised in over 300 incidents across six years, we would finally like
to introduce a very basic and rudimentary database that will assist
others in tracking these incidents.

DLDOS (Data Loss Database - Open Source) is a simple flat comma separated
value file that can be imported into your database of choice, whether it
be MySQL, Microsoft Access, or Oracle (good luck). We provide the date,
the company that reported the breach, the type of data impacted, the
number of records impacted, third party companies involved, and a few
other sortable items that may be of interest. At this point, attrition.org
is not hosting an actual database itself, but the raw data is free and
available for use as long as attrition.org is credited for the use of said
data. Really, we're not trying to be jerks, but if you're going to use our
data in your research, be it a web site or paper written for a commercial
entity, just give us a shout out please.

Attrition.org's main data loss page can be found here:

http://attrition.org/dataloss/

Attrition.org's Data Loss Mail List information:

http://attrition.org/security/dataloss.html

Please feel free to use this information, build on it, grow on it, and
share it. Updates to the raw data will be provided by attrition.org
weekly, if not daily. Share and share alike; distribute and learn.

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 321 incidents over 6 years.


 
[Dataloss] Teen MySpace ignored "private"

From: lyger (lygerattrition.org)
Date: Thu Aug 31 2006 - 07:05:44 CDT


(fringe dataloss topic, not to be included in DLDOS, but possibly of
interest - lyger)

From Al Mac (macwheel99_at_sigecom.net):

A security hole in the popular MySpace social networking site allowed
users to view entries marked "private," for months before it was fixed.

{...}

http://www.net-security.org/news.php?id=12151
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 321 incidents over 6 years.


 
Re: [Dataloss] Teen MySpace ignored "private"

From: B.K. DeLong (bkdelongpobox.com)
Date: Thu Aug 31 2006 - 07:14:20 CDT


It looks like the method used to "hide" the data was pretty pathetic.
I wouldn't even call it a security hole - using the CSS property
display:none; is Web design and simply does not display anything in
that block, leaving the content in the original source code.

At 08:05 AM 8/31/2006, lyger wrote:

>(fringe dataloss topic, not to be included in DLDOS, but possibly of
>interest - lyger)
>
>From Al Mac (macwheel99_at_sigecom.net):
>
>A security hole in the popular MySpace social networking site allowed
>users to view entries marked "private," for months before it was fixed.
>
>{...}
>
>http://www.net-security.org/news.php?id=12151
>_______________________________________________
>Dataloss Mailing List (datalossattrition.org)
>http://attrition.org/dataloss
>Tracking more than 142 million compromised records in 321 incidents
>over 6 years.

--
B.K. DeLong (K3GRN)
bkdelongpobox.com
+1.617.797.8471

http://www.wkdelong.org Son.
http://www.haloworldwide.com Work.
http://www.bostonredcross.org Volunteer.
http://www.brain-stream.com Play.

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 321 incidents over 6 years.


 
[Dataloss] LabCorp - Patient info on stolen computer

From: lyger (lygerattrition.org)
Date: Thu Aug 31 2006 - 08:33:43 CDT


Courtesy PogoWasRight.org

http://www.thnt.com/apps/pbcs.dll/article?AID=/20060831/NEWS/608310428/1001

Home News Tribune Online 08/31/06
By KEN TARBOUS

A medical lab is notifying patients that a computer with sensitive
personal information was stolen from its Prospect Plains Road
sample-collection center.

LabCorp is identifying patients who may have had their names and Social
Security numbers on a computer stolen from its Monroe Patient Service
Center and notifying those people by mail, said Pamela Sherry, LabCorp's
senior vice president of corporate communications.

"We have no reason to believe the information is being used improperly,"
Sherry said.

The information, which was scrambled and password protected, did not
include birth dates or test results, Sherry said.

Sherry did not say how many patients had their personal information placed
on the computer or how many people were receiving letters about the theft.

[...]
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 321 incidents over 6 years.


 
[Dataloss] Domino's: Pizza receipts land in trash

From: lyger (lygerattrition.org)
Date: Thu Aug 31 2006 - 10:33:53 CDT


Courtesy hypronix <hypronix_at_gmail.com>

http://vancouver.24hrs.ca/TopStory/home.html

By John Pigeon, 24 HOURS

When Mark Schroeder slapped a pizza dinner on his Visa card in Whistler three
years ago, he never thought that his Visa receipt would end up in a dumpster
behind a Domino's franchise office in Port Coquitlam.

But on Tuesday afternoon when 24 hours followed an anonymous tip to the
dumpster off Kingsway Avenue, Schroeder's credit-card slip, complete with
account number, expiry date and name, was among thousands in a trash container.

"I can't even think of a word to describe how upset I am right now. What can
you say?" Schroeder said from his home in Pemberton. "I'm kind of awestruck,
actually, that they would do something like this and treat their customers with
such a lack of respect."

The anonymous tipster felt the same way when he came across the dumpster,
overflowing with credit-card slips and card imprints, on his morning walk to
work.

[...]
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 321 incidents over 6 years.


 

90 messages sorted by: [ date ] [ thread ] [ subject ]


Starting: Tue Aug 01 2006 - 11:17:12 CDT
Ending: Thu Aug 31 2006 - 10:35:41 CDT

Last message date: Thu Aug 31 2006 - 10:35:41 CDT
Archived on: Thu Aug 31 2006 - 10:35:41 CDT