BreachExchange mailing list archives

Re: Reporting Dataloss


From: "Thomas Raef" <traef () ebasedsecurity com>
Date: Sat, 3 May 2008 13:08:27 -0500

Depending on the state laws governing this incident, the school and the vendor don’t have the option of not notifying 
the “potential” victims. Data loss is data loss.

I’d start with the State Attorney's office. I believe they have jurisdiction over that.

Thomas J. Raef

e-Based Security, LLC

http://www.ebasedsecurity.com

traef () ebasedsecurity com

1-888-251-5803

From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Aaron Allen
Sent: Saturday, May 03, 2008 11:11 AM
To: dataloss () attrition org
Subject: [Dataloss] Reporting Dataloss

Back in November 2007, I uncovered a data breach containing about 7000 partial names, addresses and full SSNs of 
students that graduated from the public school system from which I graduated in 2002.  The data was publicly posted on 
a website of a vendor that the school had used.  Here is an example line from the leak:

Permanent Number | LAST NAME | FIRST NAME | Geocode Status | Address | ZIP | GRADE
401999999 | XXXXX | ......hia | .......estown Rd | 40511 | D | 09

Note that I changed the social security number to protect the innocent, but everything else is the same.  As you can 
see, the data provided was full social, last three letters of the first name, partial address, full zip, the high 
school the student was attending in the year 2001, and the grade they were in when they attended that school.  I 
notified both the vendor and the school district and they removed the information.  They told me they would not notify 
the affected individuals because the amount of information contained in the leak was so small that it was useless to 
any potential ID thief.

However, because the breach targets such a small group of individuals I was easily able to go through the information 
and using publicly available information fill in a lot of missing information and obtain full SSN, name, addresses, and 
phone numbers.  I have also notified the FCC and attempted to contact other agencies, but no one seems to really care 
that this data loss has occurred.  Now, several months later, I have found out that I am a victim of identity theft 
(someone filed taxes under my SSN).  While there is no way to link these two incidents, it has caused me to look back 
into this data leak I discovered back in Nov.

So, my question to the list is what is the best way and to whom do you report a data loss event that neither of the 
responsible parties are willing to disclose?

Or, am I just being too paranoid and the amount of data that was leaked should not be a cause for concern?

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss