BreachExchange mailing list archives
Re: slightly OT: LifeLock Identity Theft
From: "Tom Widman" <twidman () identityfraud com>
Date: Mon, 30 Apr 2007 19:12:06 -0700
The LifeLock program is interesting and while I have some familiarity, I don't have all the details.

From what I see, the LifeLock product can help reduce the chances of one becoming a victim of ID theft, although marginally, since managing credit bureau fraud alerts (which is what it does) only addresses part of the problem. There are many other types of ID theft that occur that have nothing to do with credit. Thus, in my view, the "product" guarantee is off-base since fraud alerts don't stop 60-80% of other types of frauds (depending on whose statistics you view). However, the guarantee of $1 million is unique and ideally makes up for the other types of fraud that can and do occur, if these other types of fraud are covered, since they are unrelated to the product.

My concern for LifeLock is about consumer marketing practices and properly conveying what your product does, and also practicing what you preach. For example, this is from their Terms and Conditions:

    1. Your Account: You agree that you are who you say you are when you enroll and that you will not purposely engage in behavior that will put your Identity at unnecessary risk, such as leaving your PIN or passwords in obvious places, publishing your Social Security Number, etc.

I think other vendors do not post their SSNs because from a risk and prudence standpoint, it is irresponsible. It's not good for doctors to tell you to stop smoking cigarettes while they continue to smoke them. Since LifeLock does not cover the exposure the CEO is engaging in (and advertising), I believe they are increasing their own consumer liability exposure. BUT, I must admit that from a marketing standpoint, it garners excellent attention.

We try to track the various offers since we are one of the pioneers in the identity protection space, having started development back in 1997. Identity protection is a very young industry with a lot of variety between offerings. We promote risk management that essentially says, do the best you can at prevention and have some remedies in place when ID theft occurs; whether prevention & remedies are from LifeLock, a homeowners insurer, Equifax, or us, etc., it is simply prudent to engage certain solutions.

T Widman

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of dataloss-request () attrition org
Sent: Monday, April 30, 2007 4:52 PM
To: dataloss () attrition org
Subject: Dataloss Digest, Vol 15, Issue 3

Send Dataloss mailing list submissions to
        dataloss () attrition org

To subscribe or unsubscribe via the World Wide Web, visit
        https://attrition.org/mailman/listinfo/dataloss
or, via email, send a message with subject or body 'help' to
        dataloss-request () attrition org

You can reach the person managing the list at
        dataloss-owner () attrition org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Dataloss digest..."

Today's Topics:

   1. Texas AG: CVS Dumped Customers' Records (lyger)
   2. Wireless Security Puts IRS Data at Risk (Richard Forno)
   3. Hackers, laptop thieves compromise personal information of 17,500 at Ohio State in separate incidents (lyger)
   4. UCSF computer server with research subject information is stolen (lyger)
   5. Personal data of NMSU students posted online (lyger)
   6. Los Alamos warns workers about identity theft (lyger)
   7. Federal Database Exposes Social Security Numbers (lyger)
   8. (update) Fed Breach Leaks Social Security Numbers (lyger)
   9. (update) Fed breach leaks Social Security numbers (lyger)
  10. USDA Narrows List to 38,700... (lyger)
  11. Counter Strike Struck (rwise29210 () gmail com)
  12. Does a data loss of one count if she is famous? It just isn't for "Ordinary People" anymore. (rwise29210 () gmail com)
  13. Administravia: List Reminders and Changes (lyger)
  14. Neiman says employee data stolen (lyger)
  15. Baltimore Co. Laptop Stolen With Personal Info (lyger)
  16. The cost of doing business? (Rodney Wise)
  17. (update) Darwin Professional Underwriters - Tech-404.com (lyger)
  18. Ceridian accidentally leaks data from NY firm (lyger)
  19. Re: Ceridian accidentally leaks data from NY firm (Patrick Hack)
  20. Re: Ceridian accidentally leaks data from NY firm (Katie Felten)
  21. slightly OT: LifeLock Identity Theft Protection (security curmudgeon)
  22. Re: slightly OT: LifeLock Identity Theft Protection (security curmudgeon)
  23. Re: slightly OT: LifeLock Identity Theft Protection (Chris Walsh)
  24. 175 told of possible computer security incident at Purdue (lyger)
  25. Caterpillar Says Employee Data Stolen (lyger)
  26. FEMA's 'Unfortunate' Privacy Disaster (lyger)
  27. NY AG settles first data breach case (Chris Walsh)
  28. N. Texas Company Posted Private Information Online (lyger)
  29. Is it just about credit? (Rodney Wise)
  30. Re: Is it just about credit? (question 1 / health care) (security curmudgeon)
  31. Re: Is it just about credit? (question 1 / health care) (nepen)
  32. UNM says some employee information on stolen laptop (lyger)
  33. Re: Is it just about credit? (question 1 / health care) (Rodney Wise)
  34. Re: Is it just about credit? (question 1 / health care) (nepen)
  35. Re: The cost of doing business? (J Beebe)
  36. Re: Is it just about credit? (Al Mac)
  37. Re: Is it just about credit? (Chris Walsh)
  38. Re: Is it just about credit? (question 1 / health care) (Adam Shostack)
  39. (update) Stolen Caterpillar laptop contained employees personal information (lyger)

----------------------------------------------------------------------

Message: 1
Date: Tue, 17 Apr 2007 22:33:18 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] Texas AG: CVS Dumped Customers' Records
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704172232340.553 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.forbes.com/feeds/ap/2007/04/17/ap3621733.html

Texas Attorney General Greg Abbott sued CVS Corp.
on Tuesday, alleging pharmacy employees dumped credit card numbers, medical information and other sensitive material from more than 1,000 customers into a garbage container.

The Rhode Island company was accused of failing to protect its customers from identity theft at the store in Liberty, about 45 miles northeast of Houston.

The lawsuit alleges employees dumped the records behind a store that apparently was being vacated by CVS.

CVS did not immediately return a telephone call seeking comment Tuesday.

[...]

------------------------------

Message: 2
Date: Tue, 17 Apr 2007 23:20:10 -0400
From: Richard Forno <rforno () infowarrior org>
Subject: [Dataloss] Wireless Security Puts IRS Data at Risk
To: Infowarrior List <infowarrior () attrition org>, "dataloss () attrition org" <dataloss () attrition org>
Message-ID: <C24B06AA.63F41%rforno () infowarrior org>
Content-Type: text/plain; charset="US-ASCII"

Would somebody kindly explain WTF the IRS is using wireless networking anywhere in their IT environment???

-rf

April 17, 2007
Wireless Security Puts IRS Data at Risk
By THE ASSOCIATED PRESS
http://www.nytimes.com/aponline/technology/AP-IRS-Wireless-Security.html?_r=1&oref=slogin&pagewanted=print
Filed at 10:57 p.m. ET

WASHINGTON (AP) -- Internal Revenue Service offices across the nation that use wireless technology are still vulnerable to hackers, according to the latest assessment of the agency's security policies released Tuesday.

Despite efforts to improve wireless security the past four years, the Inspector General's assessment of 20 buildings in 10 cities discovered four separate locations at which hackers could have easily gained access to IRS computers using wireless technology.

There was no evidence that the computers were connected to the IRS network at the time and no signs that any hacking had occurred, the report said.

"However, anyone with a wireless detection tool could pick up the wireless signal and gain access to the computer," wrote Michael Phillips, the Inspector General.

And if an employee had been connected to the IRS network, "a hacker conceivably could gain access to the IRS network," which contains sensitive financial data of more than 226 million taxpayers, he added.

The vulnerabilities were discovered in Denver and at three other IRS facilities in Texas and Florida.

Wireless networks are created by linking computers using hardware called routers. The devices enable wireless laptop or mobile device users, such as Treos, to send signals back and forth to each other. Data can be encrypted, but the report said that software available on the Internet can decode the encryption.

The inspector general's office said it used inexpensive wireless equipment and software freely available on the Internet to scan the facilities for wireless signals.

According to the report, the IRS also is not effectively monitoring its uses of wireless technology. As of May 2006, the agency had scanned fewer than 6 percent of all IRS offices - mainly in the Washington, D.C., and Baltimore metropolitan areas.

The inspector general's office recommended increased monitoring of the IRS network for unapproved wireless devices and educating employees about security risks. The report said the agency agreed with the IG's recommendations and will implement them.
------------------------------

Message: 3
Date: Wed, 18 Apr 2007 19:22:09 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] Hackers, laptop thieves compromise personal information of 17,500 at Ohio State in separate incidents
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704181920380.13877 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(update: another unrelated incident exposes another 3,500)

http://scmagazine.com/us/news/article/651562/hackers-laptop-thieves-compromise-personal-information-17500-ohio-state-separate-incidents/

On March 31 or April 1, a hacker using a foreign web address cracked a university firewall and accessed the names, Social Security numbers, employee ID numbers and birth dates of more than 14,000 current and former staff members, according to a university statement.

[...]

In an unrelated incident, the personal information of about 3,500 current and former chemistry students was compromised when two laptop computers were stolen from the home of a university professor on Feb. 24. The laptops were likely not the target of the burglary, and were stolen with a number of other household items, according to Lynch. Records stored in the laptops contained names, Social Security numbers and grades, according to the university.

[...]

------------------------------

Message: 4
Date: Thu, 19 Apr 2007 01:51:53 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] UCSF computer server with research subject information is stolen
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704190150560.9570 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://pub.ucsf.edu/newsservices/releases/200704189/

A computer file server containing research subject information related to studies on causes and cures for different types of cancer was stolen from a locked UCSF office on March 30, 2007.

The server contained files with names, contact information, and social security numbers for study subjects and potential study subjects. For some individuals, the files also included personal health information.

[...]

Notification letters were sent Monday, April 16, to about 3,000 individuals. Using backup files, UCSF officials are conducting an extensive analysis of the server data to determine as quickly as possible all the names involved in this incident.

[...]

------------------------------

Message: 5
Date: Thu, 19 Apr 2007 15:48:23 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] Personal data of NMSU students posted online
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704191547200.16494 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.freenewmexican.com/news/60444.html

The names and Social Security numbers of more than 5,600 New Mexico State University students were accidentally posted on the school's Web site, but officials say odds are minimal that any students' identities were compromised.

The information was in a public section of the site for nearly two hours on April 5 before the mistake was caught. The file was accessed by 14 computers and all of their IP addresses have been tracked, said Mrinal Virnave, NMSU's director of enterprise application services.

Virnave said the file contained the names and Social Security numbers of students who registered online to attend their commencement ceremonies from 2003 to 2005, meaning most of the names and numbers are of former students.

[...]
------------------------------

Message: 6
Date: Fri, 20 Apr 2007 15:38:20 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] Los Alamos warns workers about identity theft
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704201537030.9592 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.freenewmexican.com/news/60494.html

Los Alamos National Laboratory warned employees about protecting themselves against identity theft after the names and Social Security numbers of 550 lab workers were posted on a Web site run by a subcontractor working on a security system.

An April 5 letter to the employees from Jan A. Van Prooyen, the lab's acting deputy director, said the problem was discovered the previous week when a lab employee happened upon the Web site of a software services company that had been hired years before.

Clicking a link and entering a password provided online led to a table that included names, and in some cases, Social Security numbers, of people who entered certain lab sites around 1998, the letter said.

[...]

------------------------------

Message: 7
Date: Fri, 20 Apr 2007 21:11:44 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] Federal Database Exposes Social Security Numbers
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704202106210.3039 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.nytimes.com/2007/04/20/washington/20cnd-data.html?_r=1&hp=&adxnnl=1&oref=slogin&adxnnlx=1177103032-yUYrfkNKmHsZVZ/hqNZWCw

The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.

Officials at the Agriculture Department and the Census Bureau, which maintains the database, were evidently unaware that the Social Security numbers were accessible in the database until they were notified last week by a farmer from Illinois, who stumbled across the database on the Internet.

[...]

Ms. Bergmeier said she was able to identify almost 30,000 records in the database that contained Social Security numbers.

[...]

------------------------------

Message: 8
Date: Sat, 21 Apr 2007 00:40:18 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] (update) Fed Breach Leaks Social Security Numbers
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704210038210.9225 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(Original numbers reported almost 30,000, now 150,000. Updated)

http://www.forbes.com/feeds/ap/2007/04/20/ap3637323.html

The Social Security numbers of up to 150,000 people who received Agriculture Department grants have been posted on a government Web site since 1996, but they were taken down last week. Free credit monitoring is being offered to those affected.

The security breach was only noticed last week and promptly closed, the Agriculture Department and Census Bureau announced Friday.

The Agriculture data that included Social Security numbers were removed from the Web on April 13 and similar data from 32 other agencies were taken down April 17 as a precaution, said Agriculture spokeswoman Terri Teuber.

[...]

------------------------------

Message: 9
Date: Sat, 21 Apr 2007 05:18:23 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] (update) Fed breach leaks Social Security numbers
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704210516170.19230 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(first 30K, then 150K, now 63K... hope everybody has erasers handy...)

http://origin.denverpost.com/nationworld/ci_5714663

The Social Security numbers of 63,000 people who received Agriculture Department grants have been posted on a government Web site since 1996, but they were taken down last week. Free credit monitoring is being offered to those affected.

The security breach was only noticed last week and promptly closed, the Agriculture Department and Census Bureau announced Friday.

The Agriculture data that included Social Security numbers were removed from the Web on April 13 and similar data from 32 other agencies were taken down April 17 as a precaution, said Agriculture spokeswoman Terri Teuber.

[...]

The department originally said Friday the Social Security numbers of 105,000 to 150,000 individuals had been entered into federal databases open to the public since 1981. But by Friday evening, after they calculated how many people had been entered more than once, USDA announced that 63,000 individuals had their Social Security numbers exposed. The data has only been posted on the Internet by the Census Bureau since 1996.

[...]

------------------------------

Message: 10
Date: Mon, 23 Apr 2007 20:07:36 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] USDA Narrows List to 38,700...
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704232005540.26783 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(yet another newly revised total...)

http://www.usda.gov/wps/portal/!ut/p/_s.7_0_A/7_0_1OB?contentidonly=true&contentid=2007/04/0110.xml

The U.S. Department of Agriculture (USDA) has narrowed to approximately 38,700 the number of people whose private identification information was accessible to the public on a government-wide website. USDA takes seriously its responsibility to protect private information and after learning of the potential exposure, immediately took action to remove the information from the website.
USDA is also offering credit monitoring services to protect the personal accounts of affected individuals, due to the potential that information was downloaded prior to removal. There is no evidence that this information has been misused.

[...]

------------------------------

Message: 11
Date: Mon, 23 Apr 2007 10:55:45 -0400
From: <rwise29210 () gmail com>
Subject: [Dataloss] Counter Strike Struck
To: <dataloss () attrition org>
Message-ID: <00c501c785b7$792d4db0$6401a8c0@xp1>
Content-Type: text/plain; charset="iso-8859-1"

I haven't seen this on the list. Sorry if it is a repost.

Rodney Wise
http://pplrwise.blogspot.com

Counter Strike firm in credit card hack claim
Hacker, customers accuse Valve of coverup
By Chris Williams
Published Thursday 19th April 2007 11:09 GMT
http://www.theregister.co.uk/2007/04/19/valve_steam_hack/

Valve Software, the company behind Counter Strike and Half Life, has been accused of covering up a hack of its servers which allegedly exposed the credit card details of thousands of customers.

A hacker calling himself MaddoxX has trumpeted details of the claimed break-in on his website, and threatened to publish more credit card information if Valve do not "come with something good".

Customers say Valve has known about the alleged security breach since April 8 at the latest. A customer told us he raised the hacker's claims on Valve's Steampowered.com forums, but a company moderator quickly stepped in to delete it, writing, "Please do not re-post that thread. Valve are aware of the issue and are investigating. Making threads on the issue will not help."

Sources say a dozen threads about the matter have been suppressed on Valve's official forums. In the meantime the firm has made no attempt to contact the thousands of cyber cafe owners potentially affected.

A large file posted on a file sharing site appears to back up the hacker's claims of breaking into the server of Valve's distribution network, Steam. It contains sensitive financial information including Valve's current assets, full details of five credit card transactions from March 12 with the threat of exposing more, and details of how to set up a fake cyber cafe certificate for multiplayer Counter Strike.

The 14MB plus directory is essentially a "rip" of the cyber cafe content delivery platform, Steam Cafe, and contains all the files to access Valve's Central Authentication Server.

We contacted MaddoxX via email. He claimed he first gained access to Steam this January, and said that although the cyber cafe customer database is not linked to the standard customer list, he has access to that too. Valve have not contacted him, he said, but have approached his hosting provider to take down the page which announces the hack, so far without success.

The hacker says it's not his intention to steal information. He told us: "I just came across the login details when I was browsing some stuff. The access to their whole customer database was more like luck, but still a hack because the login details are inside some files. They changed the logins now and made it not possible anymore to get the details from the files. The [credit card] details itself are stored in a MySQL database where I still have access to."

"It is just to show how lax they are with their security. I want a full excuse from VALVe on their site that they did NOT inform anyone about this. I've got several e-mails from cafe owners and they said VALVe hasn't even said shit to them...so you can see how they threat their customers."

One cyber cafe owner contacted by The Register said: "Why has it taken days if not weeks before they told us if there is even the slightest possibility someone has our CC details then we should have been told?"

Valve did not return repeated requests for comment.
------------------------------

Message: 12
Date: Mon, 23 Apr 2007 11:06:32 -0400
From: <rwise29210 () gmail com>
Subject: [Dataloss] Does a data loss of one count if she is famous? It just isn't for "Ordinary People" anymore.
To: <dataloss () attrition org>
Message-ID: <00ef01c785b8$fabe9860$6401a8c0@xp1>
Content-Type: text/plain; charset="iso-8859-1"

Thieves take laptop with Smith photos
April 20, 2007
By Alan J. Keays
Herald Staff

The head of Edgewood Studios in Rutland is looking for the return of a stolen laptop containing some valuable information, including unreleased images of Anna Nicole Smith, the star of his most recent film.

"There are photographs in there that are not to be released," Giancola said Thursday afternoon in a phone interview from the offices of his Rutland-based movie production studio. "There is stuff that we have that is just not cleared for release."

Police said burglars early Thursday broke into Edgewood Studios, at Howe Center, a large complex of offices and businesses just outside Rutland's downtown. Several other businesses in the complex were also burglarized. Police have made no arrest.

Although the thieves did not steal all that much from his studio, the laptop contained a great deal of "proprietary material," including future movie scripts, plot lines, phone numbers and e-mail addresses, Giancola said.

The laptop also contained unreleased photos of Smith, who before her death of a drug overdose in February played a starring role in the studio's soon-to-be-released movie, "Illegal Aliens."

"We're trying to find the laptop because it has material that has proprietary information to Edgewood Studios," Giancola said. "We're really hoping to get that laptop back because of the copyrighted material that was on it."

"Illegal Aliens" is set to be released on DVD next month. The movie, filmed in September 2005 in Rutland, has generated international interest following the media attention that accompanied Smith's death.

"What we're most concerned about is 'Illegal Aliens' kind of stuff, and that movie is not being released until May 1," Giancola said. "There's another movie called 'Zombie Town' and that movie's not going to be released probably until Halloween and there's material from that on (the laptop) and we don't want that out there, either."

Surveillance video suggested the burglars did not target the laptop for theft because of its connection to Smith. Instead, Giancola said, it appeared the burglars were on a "drunken rampage," smashing the front door and two inside doors at the studio.

Giancola said the value of the stolen items and the cost of repairing damage would amount to a couple of thousand dollars. However, he said, a dollar amount cannot be placed on the value of the "proprietary material" that was on the stolen laptop, including the Smith photos.

"The intellectual property is way more valuable than any of the physical equipment we have," Giancola said.

Contact Alan J. Keays at alan.keays () rutlandherald com.

Rodney Wise
For new stories about ID Theft and Data Loss by Companies visit: http://pplrwise.blogspot.com
See what is happening to your information

------------------------------

Message: 13
Date: Tue, 24 Apr 2007 03:55:22 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] Administravia: List Reminders and Changes
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704240342430.18420 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Greetings all, I'll try to be as brief as I can.
The Data Loss Mail List would like to remind subscribers and posters that list topics should adhere to the following guidelines:

Data Loss is a non-commercial mail list that covers topics such as news releases regarding large-scale personal data loss and personal data theft incidents. Discussion about incidents, indictments, legislation, and recovery of lost or stolen personal data is encouraged. Advertisements or endorsements for commercial products and/or services, on or off list, are not allowed. Isolated personal incidents regarding identity theft are not considered to be topical. Discussion is welcome about items that are topical.

Please contact me directly with any questions or concerns about list content.

Thanks,
Lyger

------------------------------

Message: 14
Date: Tue, 24 Apr 2007 17:04:46 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] Neiman says employee data stolen
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704241704010.8512 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.wfaa.com/sharedcontent/dws/bus/stories/042507dnbusneiman.40beadd.html

The Neiman Marcus Group said Tuesday that computer equipment containing files with sensitive information of nearly 160,000 current and former employees has been stolen.

The files were owned by a pension consultant and contained 2-year-old data that was current as of Aug. 30, 2005. Information included each person's name, address, social security number, date of birth, period of employment and salary information. Employees hired after Aug. 30, 2005 are not affected.

[...]

------------------------------

Message: 15
Date: Tue, 24 Apr 2007 22:41:30 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] Baltimore Co. Laptop Stolen With Personal Info
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704242240320.28984 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://wjz.com/local/local_story_114155042.html

A laptop containing the personal information of about 6,000 people was stolen from a Baltimore County health center, a health department spokeswoman said Tuesday.

The computer did not contain medical information but did have names, date of birth, social security numbers, telephone numbers and emergency contact information. The personal information was from patients who were seen at the clinic between Jan. 1, 2004 and April 12.

[...]

------------------------------

Message: 16
Date: Wed, 25 Apr 2007 06:59:07 -0400
From: "Rodney Wise" <rwise29210 () gmail com>
Subject: [Dataloss] The cost of doing business?
To: dataloss () attrition org
Message-ID: <24e2acc50704250359yaf861b5wd847586701bfda85 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Bank groups in 3 states plan to sue TJX over data theft
http://www.mercurynews.com/businessheadlines/ci_5745507
The Associated Press
Article Launched: 04/25/2007 01:50:15 AM PDT

BOSTON (AP) - Bank associations in Massachusetts, Connecticut and Maine said Tuesday that they will sue TJX over a data theft that exposed at least 45 million credit and debit cards to potential fraud.

Banks have been saddled with costs to replace cards and cover fraudulent charges tied to the theft from TJX, the owner of nearly 2,500 discount stores including T.J. Maxx and Marshalls.

On Jan. 17, Framingham, Mass.-based TJX disclosed a breach of its computer systems by an unknown hacker or hackers who accessed card data from transactions as long ago as late 2002. On March 28, TJX said at least 45.7 million of its shoppers' cards had been compromised.
--
Rodney Wise
http://pplriwse.blogspot.com

------------------------------

Message: 17
Date: Wed, 25 Apr 2007 20:13:02 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] (update) Darwin Professional Underwriters - Tech-404.com
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704252010300.14262 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

For anyone interested in the follow-up:

Darwin Professional Underwriters, which operates the website Tech-404.com, has come to an agreement with attrition.org regarding the use of our Data Loss web page and RSS feed. In return for use of attrition.org's RSS service and/or web page, Darwin has graciously agreed to make a contribution to the Open Source Vulnerability Database (http://osvdb.org) in order to further promote security awareness.

We appreciate Darwin's willingness to work with us to help resolve this matter and we wish them the best in their future endeavors.

Lyger

------------------------------

Message: 18
Date: Thu, 26 Apr 2007 16:01:31 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] Ceridian accidentally leaks data from NY firm
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704261558210.9828 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html

Payroll processing firm Ceridian Corp. accidentally leaked employee data from a New York advertising firm on a Web site, the company confirmed Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising company Innovation Interactive last week, after it learned that it had inadvertently leaked ID and bank-account data on 150 employees, company spokesman Pete Stoddart said.

Ceridian said a former employee accidentally posted the information on a personal Web site. The employee took the data by accident after leaving the company in March 2006.

[...]
------------------------------

Message: 19
Date: Thu, 26 Apr 2007 11:15:28 -0500
From: "Patrick Hack" <Phack () 4thebank com>
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm
To: <dataloss () attrition org>
Message-ID: <463089CF.E11B.0075.0 () 4thebank com>
Content-Type: text/plain; charset="us-ascii"

Just wondering, how do you 'Accidentally' take private customer information as you're leaving employment and 'Accidentally' post it to your personal web site? This sure sounds like straight-up data theft to me.

P. Hack
>>> lyger <lyger () attrition org> 4/26/2007 11:01 AM >>>

http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html

Payroll processing firm Ceridian Corp. accidentally leaked employee data from a New York advertising firm on a Web site, the company confirmed Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising company Innovation Interactive last week, after it learned that it had inadvertently leaked ID and bank-account data on 150 employees, company spokesman Pete Stoddart said.

Ceridian said a former employee accidentally posted the information on a personal Web site. The employee took the data by accident after leaving the company in March 2006.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 207 million compromised records in 634 incidents over 7 years.

CONFIDENTIALITY NOTICE: This email message is private, confidential property of the sender, and the materials may be privileged communications intended solely for the receipt, use, benefit, and information of the intended recipient indicated above. If you are not the intended recipient, you are hereby notified that any review, disclosure, distribution, copying or taking of any other action in reference to the contents of this message is strictly prohibited, and may result in legal liability on your part. If you have received this message in error, please notify the sender immediately and delete this message from your system. We believe that this email and any attachments are free of any virus or other defect that might affect any computer system that it is received and opened in, however, it is the responsibility of the recipient to ensure that it is virus free and the sender accepts no responsibility for any loss or damage.
------------------------------

Message: 20
Date: Thu, 26 Apr 2007 12:27:25 -0500
From: "Katie Felten" <kfelten () gmail com>
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm
To: "'Patrick Hack'" <Phack () 4thebank com>, <dataloss () attrition org>
Message-ID: <000801c78828$29df7c10$7d9e7430$@com>
Content-Type: text/plain; charset="us-ascii"

P, my thoughts exactly when I read this article this morning

Katie Felten, CITRMS
Data Security & Privacy Specialist
Certified Identity Theft Risk Management Specialist
www.getsmartcomply.com
K Felten & Associates, LLC
N78W14573 Appleton Ave #297
Menomonee Falls, WI 53051
Direct 262-227-0772
Katie () k-felten com

From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Patrick Hack
Sent: Thursday, April 26, 2007 11:15 AM
To: dataloss () attrition org
Subject: Re: [Dataloss] Ceridian accidentally leaks data from NY firm

Just wondering, how do you 'Accidentally' take private customer information as you're leaving employment and 'Accidentally' post it to your personal web site? This sure sounds like straight-up data theft to me.

P. Hack
------------------------------

Message: 21
Date: Thu, 26 Apr 2007 23:37:58 +0000 (UTC)
From: security curmudgeon <jericho () attrition org>
Subject: [Dataloss] slightly OT: LifeLock Identity Theft Protection
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704262336290.6752 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.lifelock.com/

My name is Todd Davis
This is my social security number 457-55-5462

"I'm Todd Davis, CEO of LifeLock. Yes, that really is my social security number. No I'm not crazy. I'm just sure our system works. Just like we have with mine, LifeLock will make your personal information useless to a criminal. And it's GUARANTEED."

Here at LifeLock, We Guarantee Your Good Name. No one else does because no one else can.

http://www.lifelock.com/our-guarantee

$1 Million Guarantee

Our $1 Million Guarantee

Our Guarantee is simple. If you are our client when someone steals your personal information and subsequently misuses it, we will reimburse any and all direct expenses that you incur and pay for professionals with the proper expertise. The maximum amount that we will pay is $1 million over the life of the incident. We provide this guarantee because we are so confident in our product.

Direct expenses include lost wages, long-distance calls, postage and other miscellaneous costs in addition to any funds that are actually stolen from you or a third party that holds you responsible. If you need an attorney to help resolve the claims, we will select them and manage the case on your behalf. Your request must not be fraudulent and you must tell us of the event within 30 days of first learning of it.

How the Guarantee Works:

If your Identity is used by a third party without your consent, we will do the following:

1. We will pay any direct expenses you incur subject to the terms below.
Usually, we will advance these costs on your behalf. If we do that, you must assign your guarantee request to any such re-imbursement by any third party. For example, if your bank charges you fees because someone else used your credit card and it took you over your limit, we will ensure that you are reimbursed that money promptly. If the bank doesn't do it, then we will and if and when the professionals we hire to assist you get the bank to refund the money, you agree that it will be sent to us or that, if paid directly to you, that you will send it to us as soon as you receive it.

2. If the amount involved is over $1,000, we reserve the right to investigate the guarantee request and conclude that the claim is valid. For instance, if you are arrested for bank fraud and you assert that you did not commit the crime and that someone else stole your identity to commit the crime, we will investigate your assertion. If we are confident that you did not commit the crime, we will advance any legal fees, bail or other costs required to get you out of jail and back to your life. We will perform our investigation with all due haste and we will render our decision as quickly as we can. The standard we will use is that if any reasonable person would come to the conclusion that you are not responsible, we will as well. Once we are comfortable that you are innocent due to Identity Theft that occurred while you are our client, we will advance all fees and costs as discussed above. Note that we do not necessarily require that you are found innocent by the authorities before performing on our guarantee.

3. If it turns out that our investigation is wrong and that you misrepresented a loss or that you weren't our client when it happened, you agree to pay us back any amount we have advanced or incurred on your behalf upon demand, including any costs we incur to collect the money from you.
Being found guilty of the crime which you attributed to Identity theft is sufficient evidence to conclude that we are entitled to recover all amounts advanced or paid on your behalf as described above.

4. Should we, however, decline your guarantee request and you are found innocent due to the fact that someone used your Identity to commit the crime, we will then honor our guarantee and pay you $10,000 for the hardship you suffered. You agree that we are not liable for any additional costs or awards for any reason.

That's it. No more fancy language.

------------------------------

Message: 22
Date: Fri, 27 Apr 2007 01:59:19 +0000 (UTC)
From: security curmudgeon <jericho () attrition org>
Subject: Re: [Dataloss] slightly OT: LifeLock Identity Theft Protection
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704270153530.6752 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 26 Apr 2007, security curmudgeon wrote:

: http://www.lifelock.com/
:
: My name is Todd Davis
: This is my social security number 457-55-5462

My post was not an endorsement of lifelock.com, Todd Davis or anything else. This post was made because I found it surprising that a CEO would post his own social security number "proving" his own service, something that other services don't do.

Attrition does not have any affiliation with lifelock.com or any other company/service that provides identity theft protection. Until earlier this evening, neither Lyger nor myself had heard of lifelock.com despite their "million dollar advertising campaign" (from what we were later told).

If anyone has any comments, criticisms or rebuttal of my post, we will selectively post them if they are fair, reasonable and cite their sources.

By reading this mail you absolve myself and attrition.org of any wrongdoing, pinkie swear you will eat a twinkie before midnight and will print and shred this message if it was not intended for you.
- Jericho

------------------------------

Message: 23
Date: Thu, 26 Apr 2007 20:21:24 -0500
From: Chris Walsh <chris () cwalsh org>
Subject: Re: [Dataloss] slightly OT: LifeLock Identity Theft Protection
To: security curmudgeon <jericho () attrition org>
Cc: dataloss () attrition org
Message-ID: <F948F5A7-6D3C-4E15-B9B1-F9464F7AAE75 () cwalsh org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Great. Now lyger's gonna have to send out a notification letter to the guy.

Couldn't you have ROT13'd the email to avoid this? :^)

Chris

On Apr 26, 2007, at 6:37 PM, security curmudgeon wrote:
> http://www.lifelock.com/
>
> My name is Todd Davis
> This is my social security number 457-55-5462
>
> "I'm Todd Davis, CEO of LifeLock. Yes, that really is my social security number. No I'm not crazy. I'm just sure our system works. Just like we have with mine, LifeLock will make your personal information useless to a criminal. And it's GUARANTEED."
------------------------------

Message: 24
Date: Fri, 27 Apr 2007 15:22:29 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] 175 told of possible computer security incident at Purdue
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704271521320.1933 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(from April 24, 2007)

http://news.uns.purdue.edu/x/2007a/070424KsanderEngineer.html

Purdue University is informing 175 people who were students in fall 2001 that a Web page containing information about them was inadvertently available on the Internet.

The page, which was no longer in use but was on a computer server connected to the Internet, contained names and Social Security numbers of students who were enrolled in a freshman engineering honors course and were scheduling to meet with advisers. Although forgotten, the page had been indexed by Internet search engines and consequently was available to individuals searching the Web.

The page has been removed and, at Purdue's request, Yahoo and Google have removed the page from their indexes and cache. Letters are in the mail to those potentially affected.

[...]

------------------------------

Message: 25
Date: Sat, 28 Apr 2007 01:47:50 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] Caterpillar Says Employee Data Stolen
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704280146040.21501 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(if anyone can find verifiable details on number affected or type of information, please let us know)

http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2007/04/27/financial/f172558D76.DTL&type=business

Caterpillar Inc. said late Friday that a laptop computer containing personal data on employees was stolen from a benefits consultant that works with the company.

Caterpillar spokesman Rusty Dunn declined to provide many details Friday.
"This is an open investigation and we're not prepared to get into any specifics," Dunn said.

He said one laptop computer was stolen earlier this month, but didn't say where the theft took place or identify the consultant. Dunn declined to say how many employees were affected.

[...]

------------------------------

Message: 26
Date: Sat, 28 Apr 2007 02:12:56 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] FEMA's 'Unfortunate' Privacy Disaster
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704280211580.21501 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
From April 23, 2007
http://www.washingtonpost.com/wp-dyn/content/article/2007/04/22/AR2007042201362.html

Sometimes when they are not busy dealing with natural disasters, FEMA folks just make up their own.

We got this letter the other day from Glenn M. Cannon, assistant administrator in the Disaster Operations Directorate. "Dear Disaster Generalist," he wrote to about 2,300 people on April 16, "an unfortunate administrative processing error at FEMA . . . has resulted in the printing of Social Security numbers on the outside address labels of Disaster Assistance Employee (DAE) . . . reappointment letters."

The mail distribution center mishandled the letters, he said, creating this "unintentional release of Privacy Act information."

[...]

------------------------------

Message: 27
Date: Fri, 27 Apr 2007 22:45:03 -0500
From: Chris Walsh <chris () cwalsh org>
Subject: [Dataloss] NY AG settles first data breach case
To: dataloss () attrition org
Message-ID: <738474A5-36BC-4B2E-9A52-AADE095DDDE1 () cwalsh org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

By Sharon Gaudin
InformationWeek
April 27, 2007 01:32 PM

The New York Attorney General has obtained the first settlement under the state's new security breach notification law.

Attorney General Andrew Cuomo announced Thursday that it has reached an agreement with CS Stars LLC, a Chicago-based claims management company, to implement precautionary procedures, comply with New York's notification law in the event of another security breach, and pay $60,000 to the AG's office for investigation costs.

On May 9, 2006, an employee at CS Stars noticed that a computer was missing that held personal information, including the names, addresses, and Social Security numbers of recipients of workers' compensation benefits, according to the AG's office.
The New York Special Funds Conservation Committee, a not-for-profit organization created to assist in providing benefits to workers under the New York Workers' Compensation Law, was the owner of the data contained in the missing computer.

It was not until June 29, 2006 that CS Stars first notified Special Funds of the security breach, the AG's office reported. On the same date, the company notified the FBI, as well. The FBI instructed the company to not send out any notifications to people who might be affected by the data breach because it might impede their investigation.

According to the AG's release, CS Stars notified the Attorney General's office, the Consumer Protection Board, and the state office of Cyber Security about the breach on June 30, 2006. Then on July 18, the company, with the permission of the FBI, the company began sending out notices to the approximately 540,000 potentially affected New York consumers notifying them of the security breach.

[...]

Via http://www.informationweek.com/news/showArticle.jhtml?articleID=199202218

------------------------------

Message: 28
Date: Sat, 28 Apr 2007 21:47:15 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] N. Texas Company Posted Private Information Online
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704282145530.6533 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://www.nbc5i.com/money/13207482/detail.html

A North Texas company posted online the private information of hundreds of job applicants, NBC 5 reported.

Couriers On Demand, run by Kyle Bowers, made available for public viewing names, addresses, phone numbers, Social Security numbers and drivers license numbers on its Web site, NBC 5 reported.

Attorney Cami Boyd, who specializes in data privacy, said the company should have been encrypting its data behind a secure firewall. Without taking those precautions, she said, it is in violation of state law and federal law.

[...]
------------------------------

Message: 29
Date: Sun, 29 Apr 2007 07:36:44 -0400
From: "Rodney Wise" <rwise29210 () gmail com>
Subject: [Dataloss] Is it just about credit?
To: dataloss () attrition org
Message-ID: <24e2acc50704290436u343d7975y1645480e00c9cd9e () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

(In his best Columbo accent).... There is just one more thing ma'am... I am having trouble understanding a few things... gee do ya think you could help me out here?

I have a few questions for discussion by the group.

I have seen time and time again that companies that have been compromised have offered credit monitoring to help REDUCE any monetary damages that might be gained from lawsuits. It is not just about credit. You can lock it down for your life and still have problems.

Question 1
Is it just about your credit?

If someone gets your SSN or SIN (Canada) they can do a lot more than get cash. If they get medical treatment for ... I don't know ... a heart problem or even... HIV do you think you will ever get insurance again?

Question 2
What about death and taxes?

Well if you are in the US without the proper permissions to be here in most situations you MUST have 2 forms of identity to gain employment. A SSN AND a driver's license number. If they have YOUR SSN and get employment that can put you in another tax bracket owing more money than the job they are doing will be deducting for taxes. What if that happens multiple times? There is NO verification process in place that will tell an employer that it is not you. It will just verify it is a valid number.

Let's go one more step further... I get your Driver License Number from a check you give me. I make $5/hr at a retail store and see several of these a day, I can sell this for about $50 (read 10 hours of work) for each one. You are flying to that city where what happens there stays there and use your DLN as your ID. OOPS I forgot to tell you I used your number when I got pulled over for a DUI.
YOU now have a criminal record.

Question 3
How does credit monitoring help these problems?

Question 4
What does the federal government REQUIRE businesses to do to help reduce data theft?

Five things.
1. Take Stock... like an inventory of your data
2. Scale Down... What do you REALLY need
3. Lock it down... Protect it
4. Pitch it... READ SHRED
5. Plan Ahead... create a written plan

http://www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf

Question 5
If you read the publication, is this too much to ask of the companies we willingly give our data to?

Rodney Wise
http://pplriwse.blogspot.com

------------------------------

Message: 30
Date: Sun, 29 Apr 2007 17:39:20 +0000 (UTC)
From: security curmudgeon <jericho () attrition org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health care)
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704291727340.28887 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

: Question 1
: Is it just about your credit?
:
: If someone gets your SSN or SIN (Canada) they can do a lot more than get
: cash. If they get medical treatment for ... I don't know ... a heart
: problem or even... HIV do you think you will ever get insurance again?

Hopefully someone in the health care industry can speak up on this but a few points.

Many (most? all?) hospitals require photo ID for everything now. While we know that a bad guy can do a full identity theft, including getting a new license or birth certificate, it does require a dedicated person. They ask for the photo ID with insurance card, which you'd also have to get issued. Some hospitals actually train their staff (a full class) on handling photo ID, recognizing aspects that would be suspicious (birth date, etc) and how to respond.
This has led to some cases where the person using a stolen identity received medical treatment, walked out of the hospital all better, only to be arrested immediately as the hospital staff watched (they knew what was going on but wouldn't deny treatment of course).

Some hospitals use computer systems that have routines specifically designed to flag possible identity theft. Various incidents (most related to billing I assume) will flag a record with a potential identity theft marker which is visible to any hospital employee who loads the record. Employees are trained to act normal and provide treatment but call a special security number (internal to the hospital) and trained security staff respond.

This leads one to wonder if the DMV when re-issuing a license might notice discrepancies. Eye color goes from blue to brown, hair color, height, weight .. how many changes before someone says "wait"?

------------------------------

Message: 31
Date: Sun, 29 Apr 2007 18:36:50 +0000 (UTC)
From: nepen <nepen () attrition org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health care)
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704291758540.23987 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Sun, 29 Apr 2007, security curmudgeon wrote:
: : Question 1
: : Is it just about your credit?
: :
: : If someone gets your SSN or SIN (Canada) they can do a lot more than get
: : cash. If they get medical treatment for ... I don't know ... a heart
: : problem or even... HIV do you think you will ever get insurance again?
:
: Hopefully someone in the health care industry can speak up on this but a few points.
:
: Many (most? all?) hospitals require photo ID for everything now. While we know that a bad guy can do a full identity theft, including getting a new license or birth certificate, it does require a dedicated person. They ask for the photo ID with insurance card, which you'd also have to get issued. Some hospitals actually train their staff (a full class) on handling photo ID, recognizing aspects that would be suspicious (birth date, etc) and how to respond.
:
: This has led to some cases where the person using a stolen identity received medical treatment, walked out of the hospital all better, only to be arrested immediately as the hospital staff watched (they knew what was going on but wouldn't deny treatment of course).
Just a note, but back when I had absolutely no way to prove who I was, the ER would treat me. This was post 9-11, and the hospital had significantly upgraded their security procedures. ERs have charity care programs, however, for those who cannot pay, and they are [or mine was] retroactive. If you state that you cannot pay upon arriving, they will set up an appointment for you. I don't really see an issue there with ID theft unless someone is deliberately attempting to keep their particular ailment off of their own record. The requirements for these programs [at least here] are relatively loose, but usually last only one year, at which time you must re-file. You may be able to pull it off for minor problems that are put through Fast-Track [but charity care, at least in my state, covers that 100%], but if you go in with heart problems you may wake up 10 hours later handcuffed to your bed after your open-heart surgery.
: This leads one to wonder if the DMV when re-issuing a license might notice discrepancies. Eye color goes from blue to brown, hair color, height, weight .. how many changes before someone says "wait"?
That's the beauty of contact lenses [particularly blue to brown--brown to blue not so easy to pull off], hair and weight don't seem like big issues, and depending upon the age of the person, a one or two inch height discrepancy doesn't seem like a big deal. My mother had no problems getting her license--she went when I went--and she's changed her hair colour, weight, and height. If I'd have given her a pair of blue contact lenses, I'd doubt they'd have even noticed. Her previous license had no photo.

Though at the NJ DMV, I was able to receive my ID and /bypass/ their "6 point identification system" which requires a certain amount of documents worth a certain number of points, adding up to 6, before you're able to get a license or photo ID. I was also able to do this at the SSA. This was all relatively recently--this month, in fact. All the SSA required was a note from my doctor--who simply wrote everything I told him to write when it came to my description--in lieu of their new post-9/11 requirements. For my birth certificate: I never had to get out of the car.

It seems to me that everyone now has to juggle leniency for those who have fallen through the cracks with vigilance for those who are exploiting the system. I spent hours worrying about how I would be able to get my new Social Security Card or meet the DMV's 6 points, and I had absolutely no problem doing either. It was incredibly easy. It seems like this transitioning issue, where they are accommodating people unable to meet the new requirements, might be the easiest point of abuse.
nepen

------------------------------

Message: 32
Date: Sun, 29 Apr 2007 19:43:46 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] UNM says some employee information on stolen laptop
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704291943030.31072 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

http://kob.com/article/stories/S72768.shtml?cat=517

University of New Mexico officials say personal information for 3,000 employees may have been stored on a laptop computer that was stolen.

The university notified the employees by e-mail that some personal information may have been on a laptop taken Wednesday from a San Francisco office. University officials learned of the theft Friday from an outside consultant working on UNM's human resource and payroll systems.

[...]

------------------------------

Message: 33
Date: Sun, 29 Apr 2007 18:51:24 -0400
From: "Rodney Wise" <rwise29210 () gmail com>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health care)
To: "security curmudgeon" <jericho () attrition org>
Cc: dataloss () attrition org
Message-ID: <24e2acc50704291551x683b6e86off6a59e2455c90df () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

I guess the basic question is: As people who are aware of data breaches how can we alert others that it is NOT just about credit.

Rodney

On 4/29/07, security curmudgeon <jericho () attrition org> wrote:
> : Question 1
> : Is it just about your credit?
> :
> : If someone gets your SSN or SIN (Canada) they can do a lot more than get
> : cash. If they get medical treatment for ... I don't know ... a heart
> : problem or even... HIV do you think you will ever get insurance again?
>
> Hopefully someone in the health care industry can speak up on this but a few points.
>
> Many (most? all?) hospitals require photo ID for everything now. While we know that a bad guy can do a full identity theft, including getting a new license or birth certificate, it does require a dedicated person. They ask for the photo ID with insurance card, which you'd also have to get issued. Some hospitals actually train their staff (a full class) on handling photo ID, recognizing aspects that would be suspicious (birth date, etc) and how to respond.
>
> This has led to some cases where the person using a stolen identity received medical treatment, walked out of the hospital all better, only to be arrested immediately as the hospital staff watched (they knew what was going on but wouldn't deny treatment of course).
>
> Some hospitals use computer systems that have routines specifically designed to flag possible identity theft. Various incidents (most related to billing I assume) will flag a record with a potential identity theft marker which is visible to any hospital employee who loads the record. Employees are trained to act normal and provide treatment but call a special security number (internal to the hospital) and trained security staff respond.
>
> This leads one to wonder if the DMV when re-issuing a license might notice discrepancies. Eye color goes from blue to brown, hair color, height, weight .. how many changes before someone says "wait"?
--
Rodney Wise
http://pplriwse.blogspot.com

------------------------------

Message: 34
Date: Sun, 29 Apr 2007 23:32:01 +0000 (UTC)
From: nepen <nepen () attrition org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health care)
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704292309010.9463 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Sun, 29 Apr 2007, Rodney Wise wrote:
: I guess the basic question is: As people who are aware of data breaches
: how can we alert others that it is NOT just about credit.
:
: Rodney
Simple: Research the potential results of dataloss that do not involve identity theft/credit issues, write about these new ideas, and put the information out there.

Notsosimple: Hope for interest, particularly if there is some sort of marketable protection against these other outcomes. Sadly, the ability for someone to profit from offering services to protect against these potential non-credit-related outcomes of dataloss events may have an effect on whether or not there is much interest in them.

Research, write, publish: Create awareness and cross your fingers?

nepen

------------------------------

Message: 35
Date: Sun, 29 Apr 2007 19:27:59 -0700
From: J Beebe <j.beebe () cox net>
Subject: Re: [Dataloss] The cost of doing business?
To: dataloss () attrition org
Message-ID: <20070430022820.KICS24310.fed1rmmtao104.cox.net () fed1rmimpo01 cox net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

Here's a link to the complaint filed by the Mass. Bankers Assoc. It notes that they and the other 2 bankers assocs. are asking for "tens of millions of dollars."

https://www.massbankers.org/pdfs/DataBreachSuitNR5.pdf

Should be interesting.

JB

At 03:59 AM 4/25/2007, Rodney Wise wrote:
> Bank groups in 3 states plan to sue TJX over data theft
> http://www.mercurynews.com/businessheadlines/ci_5745507
>
> The Associated Press
> Article Launched: 04/25/2007 01:50:15 AM PDT
>
> BOSTON (AP) - Bank associations in Massachusetts, Connecticut and Maine said Tuesday that they will sue TJX over a data theft that exposed at least 45 million credit and debit cards to potential fraud.
>
> Banks have been saddled with costs to replace cards and cover fraudulent charges tied to the theft from TJX, the owner of nearly 2,500 discount stores including T.J. Maxx and Marshalls.
>
> On Jan. 17, Framingham, Mass.-based TJX disclosed a breach of its computer systems by an unknown hacker or hackers who accessed card data from transactions as long ago as late 2002. On March 28, TJX said at least 45.7 million of its shoppers' cards had been compromised.
>
> --
> Rodney Wise
> http://pplriwse.blogspot.com
------------------------------

Message: 36
Date: Sun, 29 Apr 2007 20:41:43 -0500
From: Al Mac <macwheel99 () sigecom net>
Subject: Re: [Dataloss] Is it just about credit?
To: "Data Loss Incidents" <dataloss () attrition org>
Message-ID: <6.2.1.2.1.20070429195335.02a52360 () mail sigecom net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

How difficult is it for the criminal underworld to manufacture fake driver's licenses?

The photo-id looks exactly like the person carrying it (it is their photo), but the identity is whoever's identity they stole. Such an id can be used to help get a job, get medical treatment, anything such a fake id is used for. It does not matter if there is a thumb print on there, because the fake-id has the photo and thumb print of the crook instead of the real person who has the real-id-license that was issued by the state DMV.

You're right that the DMV record ought to have eye color, hair color etc. But one of the types of data theft has been entire DMV data bases. Crooks in the fake-id business can then match the identity to be stolen with the person needing a fake id with similar characteristics ... eye color, hair color, gender, approx age, etc. This will cease to work when the photo-id gets scanned in some place to compare it to the official copy in DMV records, unless crooks have the sophistication to also mess with the official records, or the communication between the police car check point and the official records. I expect it will be pretty rare for people running around with fake-ids to have the kinds of hacker skills to real-time spoof whatever is done to validate the photo or thumb print on the fake-id.

A small fortune is spent on protecting the nation's currency from counterfeiting, but yet there still are people who get away with passing counterfeit money. Nothing like that expense can be incurred to protect individual states from having fraudulent driver's licenses and other identification in circulation.
A while back, the state of Colorado sorted employee tax reporting data by SSN to get a count of how many different places the same SSN was being used ... I think the biggest was like 50 or 100 employers had someone simultaneously working there with the same SSN. We can reasonably assume that if other US states were to do this, they might get similar numbers. Bigger in the more populated states. Similar story in other nations. The feds have done this with critical infrastructure ... people working at the Pentagon, nuclear weapons facilities, etc. & yes, found lots of fraudulent identities there. We can hope most of them are people who just need a job, not many potential terrorists in the bunch.

Is there a serious risk that the states will crack down on the real people, in whose names those 50 other people are using their SSN? Or is there temptation for states to look the other way, since this is tax money being paid for services that the fake SSN holders may be less likely to claim than valid SSN holders? You may be better off with a bunch of people paying extra taxes in your name, than only one of them. Except with how easy it is to fraudulently claim an income tax refund, which is a big problem for the IRS, and also for the person in whoever's name this got done.

More risks than you said. You don't even get on the plane at the airport to go home, because your identity was used by someone stopped by the police, let go on minimal bail, supposed to return for a court date, never did. Now you have the legal expense of proving you're not whoever that is running around the country committing more crimes in your name.

Let's suppose the real Rodney Wise is in the hospital for serious treatment, and while there, persons with a fake identity for Rodney Wise steal his car, sell it, occupy his home, sell everything there, get a second mortgage on it, sell the house, run up ungodly bills, clean out bank accounts. Real Rodney gets out of the hospital & tries to go home, and is arrested as an intruder in a home that now belongs to someone else.
This has happened to people in nations where possession is 9/10 of the law.

Credit monitoring helps with some of the problems but we need more.

Some day, DNA testing will be as rapid as sticking some skin cells or spit into a gadget that will say "You were born in nation X, are legally in nation Y, have a blood relative criminal Z" and we pray that long before that reality the databases are locked down with good support for people to correct errors about themselves.

- Al Macintyre

------------------------------

Message: 37
Date: Sun, 29 Apr 2007 23:47:24 -0500
From: Chris Walsh <chris () cwalsh org>
Subject: Re: [Dataloss] Is it just about credit?
To: Data Loss Incidents <dataloss () attrition org>
Message-ID: <9E72B570-5BCC-4F3C-B9D2-0D6DDD7EF078 () cwalsh org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Here in IL, we just had a high-profile federal bust of some folks who were allegedly selling fake drivers' licenses and fake SocSec cards as a combo pack for $300. This was in a section of Chicago with many undocumented workers. Reports are that this is undoubtedly so the buyers can work in the US, but of course the news coverage says that the sellers don't exactly care why someone is looking for ID as long as they have the $$.

In this particular instance, the Feds say they acted because the gang allegedly selling these IDs had murdered someone who tried to go into competition with them. Clearly, then, the cost of production of these IDs is less than the $300, or else the dead guy would have been no threat since he could not possibly undercut the gang.

On Apr 29, 2007, at 8:41 PM, Al Mac wrote:
> How difficult is it for the criminal underworld to manufacture fake driver's licenses?
------------------------------

Message: 38
Date: Mon, 30 Apr 2007 11:15:00 -0400
From: Adam Shostack <adam () homeport org>
Subject: Re: [Dataloss] Is it just about credit? (question 1 / health care)
To: Rodney Wise <rwise29210 () gmail com>
Cc: security curmudgeon <jericho () attrition org>, dataloss () attrition org
Message-ID: <20070430151500.GB8860 () homeport org>
Content-Type: text/plain; charset=us-ascii

On Sun, Apr 29, 2007 at 06:51:24PM -0400, Rodney Wise wrote:
| I guess the basic question is:
|
| As people who are aware of data breaches, how can we alert others that it is NOT
| just about credit.

We used to use words like 'privacy' or 'data protection.'

To Jericho's point, I'd argue that the problem is central medical databases, and upgrading the trusted third parties to control what goes in them is just poor thinking.

Adam

------------------------------

Message: 39
Date: Mon, 30 Apr 2007 23:51:50 +0000 (UTC)
From: lyger <lyger () attrition org>
Subject: [Dataloss] (update) Stolen Caterpillar laptop contained employees personal information
To: dataloss () attrition org
Message-ID: <Pine.LNX.4.64.0704302349010.20529 () forced attrition org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

(now disclosed that SSNs were on the stolen laptop. other reports have also disclosed that the laptop belonged to an "SBA Inc." located in Georgia.)

http://www.wjbc.com/wire2/news/01943_Caterpillar-Data-WEB_145542.htm

Caterpillar Incorporated told employees in a letter that a laptop stolen this month contained current and former workers' Social Security numbers, banking information and addresses.

Peoria-based Caterpillar has declined to say how many of its roughly 95-thousand employees were affected but has set up a call center to answer their questions.

[...]

------------------------------

End of Dataloss Digest, Vol 15, Issue 3
***************************************