Re: [Dataloss] Reporting Dataloss

From: Sasha Romanosky (sromanosandrew.cmu.edu)
Date: Sat May 03 2008 - 17:37:17 CDT


 
Was that the FCC or FTC that you notified? The FTC might be more interested.
You could call their 800 number:
1-877-ID-THEFT
(http://www.ftc.gov/bcp/conline/pubs/credit/idtheftmini.shtm). In addition
to recording your complaint, you could tell them about the breach, itself.
 
What state was this in? Different states require different notification
procedures.
 
cheers,
sasha

  _____

From: dataloss-bouncesattrition.org [mailto:dataloss-bouncesattrition.org]
On Behalf Of Aaron Allen
Sent: Saturday, May 03, 2008 12:11 PM
To: datalossattrition.org
Subject: [Dataloss] Reporting Dataloss

Back in November 2007, I uncovered a data breach containing about 7000
partial names, addresses and full SSNs of students that graduated from the
public school system from which I graduated in 2002. The data was publicly
posted on a website of a vendor that the school had used. Here is an
example line from the leak:

        Permanent Number | LAST NAME | FIRST NAME | Geocode Status | Address | ZIP | GRADE
        401999999 XXXXX ......hia .......estown Rd | 40511 | D | 09

Note that I changed the social security number to protect the innocent, but
everything else is the same. As you can see, the data provided was full
social, last three letters of the first name, partial address, full zip, the
high school the student was attending in the year 2001, and the grade they
were in when they attended that school. I notified both the vendor and the
school district and they removed the information. They told me they would
not notify the affected individuals because the amount of information
contained in the leak was so small that it was useless to any potential ID
thief.

However, because the breach targets such a small group of individuals I was
easily able to go through the information and using publicly available
information fill in a lot of missing information and obtain full SSN, name,
addresses, and phone numbers. I have also notified the FCC and attempted to
contact other agencies, but no one seems to really care that this data loss
has occurred. Now, several months later, I have found out that I am a
victim of identity theft (someone filed taxes under my SSN). While there is
no way to link these two incidents, it has caused me to look back into this
data leak I discovered back in Nov.

So, my question to the list is what is the best way and to whom do you
report a data loss event that neither of the responsible parties are willing
to disclose?

Or, am I just being too paranoid and the amount of data that was leaked
should not be a cause for concern?
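The disagreement in this thread (the district's "too little data to be useful" versus the poster's experience of filling in the gaps from public records) is a question that can be measured rather than argued. The standard tool for that is k-anonymity: group the leaked rows by their quasi-identifiers (ZIP, school, grade, name fragment, street fragment) and look at the size of the smallest group; any row that is alone in its group is pinned to one person as soon as a public directory supplies the same attributes. The script below is an added example, not code from the original poster or the list; the records in it are constructed and deliberately shaped like the quoted row, and the field names are my own.

```python
"""
Assess re-identification risk of a leaked record set by measuring k-anonymity
over its quasi-identifiers. Added example for this thread; all rows are
constructed for illustration and are not real leaked data.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed rows shaped like the quoted leak line (SSN column omitted):
# last three letters of the first name, tail of the street name, ZIP,
# school code and grade. Field names are assumptions for this example.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"first_suffix": "hia", "street": "estown Rd", "zip": "40511", "school": "D", "grade": "09"},
    {"first_suffix": "hia", "street": "estown Rd", "zip": "40511", "school": "D", "grade": "09"},
    {"first_suffix": "ohn", "street": "estown Rd", "zip": "40511", "school": "D", "grade": "09"},
    {"first_suffix": "ohn", "street": "ille Ave",  "zip": "40511", "school": "D", "grade": "09"},
    {"first_suffix": "ary", "street": "ille Ave",  "zip": "40502", "school": "B", "grade": "10"},
    {"first_suffix": "ary", "street": "ille Ave",  "zip": "40502", "school": "B", "grade": "10"},
    {"first_suffix": "ary", "street": "ille Ave",  "zip": "40502", "school": "B", "grade": "10"},
    {"first_suffix": "ter", "street": "ille Ave",  "zip": "40502", "school": "B", "grade": "10"},
]


def quasi_id_key(row: Dict[str, str], fields: Sequence[str]) -> Tuple[str, ...]:
    """Project a row onto the chosen quasi-identifier fields."""
    return tuple(row[f] for f in fields)


def k_anonymity(rows: Sequence[Dict[str, str]], fields: Sequence[str]) -> Tuple[int, int]:
    """Return (min_k, unique_rows) for the given quasi-identifier fields.

    min_k is the size of the smallest equivalence class (k-anonymity of the
    set); unique_rows is the number of rows alone in their class (k == 1),
    i.e. rows that a matching public record would identify outright.
    """
    counts = Counter(quasi_id_key(r, fields) for r in rows)
    min_k = min(counts.values()) if counts else 0
    unique = sum(1 for r in rows if counts[quasi_id_key(r, fields)] == 1)
    return min_k, unique


def reidentification_report(
    rows: Sequence[Dict[str, str]],
    field_sets: Dict[str, Sequence[str]],
) -> Dict[str, Tuple[int, int, float]]:
    """Evaluate several attribute combinations at once.

    Returns name -> (min_k, unique_rows, unique_fraction) so the effect of each
    extra attribute on identifiability can be compared directly.
    """
    total = len(rows)
    report = {}
    for name, fields in field_sets.items():
        min_k, unique = k_anonymity(rows, fields)
        report[name] = (min_k, unique, unique / total if total else 0.0)
    return report


# Attribute combinations of increasing specificity, mirroring how the poster
# layered public information onto the leaked fragments.
FIELD_SETS: Dict[str, Sequence[str]] = {
    "zip+school+grade": ("zip", "school", "grade"),
    "+name fragment": ("first_suffix", "zip", "school", "grade"),
    "+street fragment": ("first_suffix", "street", "zip", "school", "grade"),
}

if __name__ == "__main__":
    for name, (min_k, unique, frac) in reidentification_report(SAMPLE_ROWS, FIELD_SETS).items():
        print(f"{name:18s} min k = {min_k}  rows uniquely identified = {unique} ({frac:.0%})")
```

On the constructed set, ZIP, school and grade alone leave every row in a group of four, but adding the name fragment already isolates one row, and adding the street fragment isolates three of eight. A class of a few thousand students spread over many ZIP codes and streets behaves the same way, which is the measurable form of the poster's observation and the figure a breach assessor should produce before declaring a leak "useless".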

_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
