BreachExchange mailing list archives

Blog: When Reporters Go Looking For Data Breaches...


From: David Shettler <dave () opensecurityfoundation org>
Date: Tue, 15 Dec 2009 16:18:45 -0500

They often find them, and usually get a complimentary legal threat or
outright lawsuit to go with it.

Recently, a Minnesota Public Radio reporter went digging, and indeed
found records exposed. The records in question were I-9 processing
forms held by Texas-based Lookout Services. The undisputed truth seems
to end about there. The reporter wrote about the incident, and the
attention the incident stirred caused the entire state of Minnesota to
stop using Lookout Services for I-9 verification. Lookout Services
responded with a lawsuit, essentially claiming that MPR illegally
accessed the data.

Now, MPR claims it didn't need to authenticate in order to access the
data. Lookout Services supposedly disagrees, according to a great
article by minnpost.com reporter David Brauer, which gives excellent
background into the issue. My interpretation is this: an authenticated
connection was used to find a URL that granted access to data without
authentication. For instance, most modern web applications determine
if a login session is established on every request to the website. It
is possible to 'omit' or 'forget' to check on certain requests, and
just hand the content over. If I had to bet, I'd bet that the reporter
found such an omission, then ran with it.

[ ...read the rest here:
http://datalossdb.org/incident_highlights/41-when-reporters-go-looking-for-data-breaches
]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
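
The kind of omission the post describes, as an added example that is not part of the original message: when each handler is trusted to check the login session itself, one forgotten check leaves a URL that serves data to anyone. The sketch below shows that design beside a deny-by-default dispatcher, with a small audit that requests every route without a session. All route names, handlers and data are constructed for illustration.

```python
# Added illustration; routes, handlers and records are constructed, not from any real system.
from typing import Callable, Dict, Optional, Tuple

Session = Optional[dict]
Response = Tuple[int, str]

def require_login(handler: Callable[[Session], Response]) -> Callable[[Session], Response]:
    """Wrap a handler so it returns 401 unless a login session is present."""
    def wrapped(session: Session) -> Response:
        if not session or "user" not in session:
            return (401, "login required")
        return handler(session)
    return wrapped

def login_page(session: Session) -> Response:
    return (200, "login form")

@require_login
def dashboard(session: Session) -> Response:
    return (200, f"welcome {session['user']}")

def export_records(session: Session) -> Response:
    # The omission: the developer forgot @require_login on this handler.
    return (200, "record-1,record-2")

ROUTES: Dict[str, Callable[[Session], Response]] = {
    "/login": login_page,
    "/dashboard": dashboard,
    "/export": export_records,
}
PUBLIC = {"/login"}  # the only paths meant to work without a session

def dispatch_per_handler(path: str, session: Session) -> Response:
    """Weak design: every handler must remember its own session check."""
    handler = ROUTES.get(path)
    return handler(session) if handler else (404, "not found")

def dispatch_deny_by_default(path: str, session: Session) -> Response:
    """Hardened design: one central check; only allow-listed paths skip it."""
    handler = ROUTES.get(path)
    if handler is None:
        return (404, "not found")
    if path not in PUBLIC and not (session and "user" in session):
        return (401, "login required")
    return handler(session)

def unauthenticated_exposures(dispatch: Callable[[str, Session], Response]) -> list:
    """Request each non-public route with no session; list those that still serve content."""
    return sorted(p for p in ROUTES if p not in PUBLIC and dispatch(p, None)[0] == 200)
```

Running the audit function against an application's own route table in a test suite catches a forgotten check before release.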
