BreachExchange mailing list archives
blog: Oops! SSNBreach.org exposes students' personal info in Google
From: lyger <lyger () attrition org>
Date: Mon, 13 Aug 2007 21:29:11 +0000 (UTC)
(More information and commentaryregarding events surrounding the Louisiana Board of Regents data breach...) http://www.pogowasright.org/blogs/dissent/?p=582 On July 18th, SSNBreach.org ("SSNB") was launched by Liberty Coalition and Aaron Titus. The site's stated purpose was to assist and empower those whose personally identifiable information had been accessible via the web due to the Louisiana Board of Regents. ("LBR") failure to password-protect over 200 files containing confidential student and employee records. Less than three weeks after its launch, SSNB's own files on some of these students are being indexed by Google. Despite being notified of the problem on August 7, the problem isn't fixed, with more students. names and files appearing in Google every day. The History of SSNBreach.org: "Finders, Keepers" On or before June 18, Titus, a self-described "privacy advocate" and "privacy expert," discovered that the LBR files were accessible via search engines and cache. He did not inform LBR. Instead, he contacted the media. WDSU broke the story on July 17, after they had notified LBR. While they left LBR in the dark about the exposure and the files accessible to cybercriminals, Titus and the Liberty Coalition were busy using the contents of those sensitive and confidential files to create their own database on everyone affected. When it was pointed out to them that they did not seek or secure permission to use information from files which "the reasonable man" would realize had been accidentally exposed and were intended to be confidential, Ostrolenk responded: "You are correct that we do not ask permission to retrieve online information. In fact, I cannot recall a single instance when I have contacted the proprietor of a website to ask permission to view information placed in the public domain." Of course, Titus and the Liberty Coalition did much more than just view the information that had been unintentionally exposed. They used it. An identity thief might make the same statement they did. [...] _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml
Current thread:
- blog: Oops! SSNBreach.org exposes students' personal info in Google lyger (Aug 13)