BreachExchange mailing list archives
Blog: When Reporters Go Looking For Data Breaches...
From: David Shettler <dave () opensecurityfoundation org>
Date: Tue, 15 Dec 2009 16:18:45 -0500
They often find them, and usually get a complimentary legal threat or outright lawsuit to go with it.

Recently, a Minnesota Public Radio reporter went digging, and indeed found records exposed. The records in question were I-9 processing forms held by Texas-based Lookout Services. The undisputed truth seems to end about there.

The reporter wrote about the incident, and the attention the incident stirred caused the entire state of Minnesota to stop using Lookout Services for I-9 verification. Lookout Services responded with a lawsuit, essentially claiming that MPR illegally accessed the data.

Now, MPR claims it didn't need to authenticate in order to access the data. Lookout Services supposedly disagrees, according to a great article by minnpost.com reporter David Brauer, which gives excellent background into the issue.

My interpretation is this: an authenticated connection was used to find a URL that granted access to data without authentication. For instance, most modern web applications determine if a login session is established on every request to the website. It is possible to 'omit' or 'forget' to check on certain requests, and just hand the content over. If I had to bet, I'd bet that the reporter found such an omission, then ran with it.

[ ...read the rest here: http://datalossdb.org/incident_highlights/41-when-reporters-go-looking-for-data-breaches ]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
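The general class of omission described in the message above (a session check that must be repeated on every request and is forgotten on one), shown as an added example that is not part of the original post and does not describe any real system. The route names, the session store and the helper names are all hypothetical; the point is the contrast between per-handler checks and a dispatcher that denies by default, plus an audit that lists routes lacking a check.

```python
"""Constructed example: per-handler session checks vs. a deny-by-default dispatcher."""

SESSIONS = {"tok-123": "alice"}  # constructed session store: token -> user

def require_login(handler):
    """Per-handler check: has to be remembered on every single route."""
    def wrapped(request):
        if request.get("session") not in SESSIONS:
            return 401, "login required"
        return handler(request)
    wrapped.checks_session = True  # marker used by the audit below
    return wrapped

@require_login
def dashboard(request):
    return 200, "dashboard"

def export_records(request):  # the omission: the decorator was forgotten here
    return 200, "sensitive records"

def login_page(request):
    return 200, "login form"

ROUTES = {"/dashboard": dashboard, "/export": export_records, "/login": login_page}
PUBLIC = {"/login"}  # explicit allow-list of routes meant to be anonymous

def dispatch_per_handler(path, request):
    """Weak pattern: trusts each handler to have checked the session itself."""
    return ROUTES[path](request)

def dispatch_deny_by_default(path, request):
    """Hardened pattern: the session is checked centrally before any handler runs."""
    if path not in ROUTES:
        return 404, "not found"
    if path not in PUBLIC and request.get("session") not in SESSIONS:
        return 401, "login required"
    return ROUTES[path](request)

def unprotected_routes():
    """Audit: routes that are neither public nor wrapped in a session check."""
    return sorted(p for p, h in ROUTES.items()
                  if p not in PUBLIC and not getattr(h, "checks_session", False))

if __name__ == "__main__":
    anon = {}  # request carrying no session token
    print(dispatch_per_handler("/export", anon))
    print(dispatch_deny_by_default("/export", anon))
    print(unprotected_routes())
```

Running an audit like `unprotected_routes()` in CI catches a forgotten check before release, while the central dispatcher makes a forgotten decorator harmless.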