BreachExchange mailing list archives

Re: UK: Police personal data found on discarded floppy


From: Timothy Jordan <jordantd () corp earthlink net>
Date: Wed, 2 Jan 2008 19:04:31 -0800


One important, and often overlooked, way that this "inconsequential" data and the relationships can be used is via 
Social Engineering attempts.  In other words, 1+1=2 and so on.


-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Marjorie Simmons
Sent: Wednesday, January 02, 2008 4:58 PM
To: dataloss () attrition org
Subject: Re: [Dataloss] UK: Police personal data found on discarded floppy

One often overlooked problem with the release of just name, address and phone is that it can and often does uncover a 
relationship between the data loser and the exposed persons.
While it might be inconsequential in some instances, it definitely is a major concern in other instances. For example, 
Widget Business XYZ loses its customer mailing list and a defense agency is a customer, and the widgets can only be 
used as part of a certain technology, where the timing of the widget deployment is sensitive. Or, consider the law firm 
whose client mailing list is compromised.  There are many such instances when simple name, address and telephone data 
losses can show a relationship between people that the parties would neither expect nor want to have disclosed.

While raw data may be available in a publicly available directory, the relationship between parties is often not, and 
it is the exposure of the relationship, confidential or simply hidden, that is the problem.

###
-----Original Message-----
On Wed, 26 Dec 2007, lyger wrote:

On Wed, 26 Dec 2007, Dan O'Donnell wrote:

": " <http://news.bbc.co.uk/1/hi/england/devon/7160490.stm>
": "
": "   Police data details found at dump
": " A senior police officer has apologised after confidential details of
": " staff were found on a dump in Devon.
": "
": " The details, on a floppy disk, included names, addresses, telephone
": " numbers and ranks of employees of Devon and Cornwall Police.
": "
": " The disk was in an obsolete computer that had been used by the force
": " and had been sent for recycling.

While losing the personal information of police officers is certainly a concern due to the nature of their jobs, I've 
noticed other recent reports of general "data loss" involving not much more than names, addresses, and sometimes phone 
numbers.  Should this generally be considered "personal information" if such data can usually be found in a phone book 
or Google (for most people anyway)?  Just a thought and something we consider when including (or not including) breach 
data on attrition's data loss web page and database...

_______________________________________________
Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan 
your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml

