Tag Archives: data leak

How do you or your vendor dispose of printed PII?

Do you save it for holidays to throw to the crowds at parades?

According to Reuters, the confetti was apparently shredded horizontally but still contained information from various police incident reports, including names, social security numbers, and bank account information of Nassau County police officers and employees.

Make sure that personally identifiable information is actually destroyed before it leaves your custody.

via Long Island cops probe how secret information became NYC confetti | Ars Technica.

Startup To Launch New Brand Of SaaS For Post-Incident Response

This looks like a very handy new service:

A startup that will officially come out of stealth mode on Wednesday has built a software-as-a-service offering for organizations to handle the mostly manual processes involved in responding to a data loss breach.

The firm’s new SaaS offering encompasses event preparedness; data event analysis; liability assessment; and incident response workflow.

The only problem I see is their pricing scheme: 90-day free trial, then $450 per month and the customer selects a plan based on how many data loss incidents they expect each year.

How many companies can accurately (or honestly) predict an annual DLI rate?  I suppose if they are able to track how many they experience, they could trend and estimate.

But in that situation, I’d say they have pretty severe data control problems.

via Startup To Launch New Brand Of SaaS For Post-Incident Response – Dark Reading.

Researchers’ typosquatting snarfed 20GB of Fortune 500 e-mails

Talk about an easy exploit:

Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months.

The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.
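The collection works because the misaddressed mail routes itself: a doppelganger domain is a registrable name that differs from a real mail domain by one dropped dot (for instance the dot between a regional subdomain and the parent domain), so a sender who omits that dot delivers the message to whoever registered the name. The page does not say which variants the researchers used, so dot omission is the pattern assumed here. The example below is added and is not the researchers' code: it generates the dot-omission candidates for a constructed list of company mail domains (names worth registering or monitoring) and gives an outbound-mail gateway check that holds any message whose recipient domain, or a parent of it, is on that list.

```python
"""Dot-omission doppelganger domains: candidates to register or watch, and an
outbound-mail check that flags recipients at them.  Added example; the company
domains below are constructed, not real Fortune 500 names."""
from __future__ import annotations

from typing import Iterable, Optional


def doppelgangers(fqdn: str) -> set[str]:
    """Every name formed by dropping one internal dot from ``fqdn``.

    The final dot is never dropped: ``examplecom`` is not a registrable name.
    Multi-label public suffixes such as ``co.uk`` are not special-cased
    (assumption: the last label is the TLD).
    """
    labels = fqdn.lower().strip(".").split(".")
    result: set[str] = set()
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        result.add(".".join(merged))
    return result


def build_watchlist(legit_domains: Iterable[str]) -> dict[str, str]:
    """Map each doppelganger to the legitimate domain it mimics.

    A candidate that is itself a legitimate domain is skipped so the gateway
    check never holds real mail.
    """
    legit = {d.lower().strip(".") for d in legit_domains}
    watch: dict[str, str] = {}
    for domain in sorted(legit):
        for fake in doppelgangers(domain):
            if fake not in legit:
                watch[fake] = domain
    return watch


def check_recipient(address: str, watch: dict[str, str]) -> Optional[str]:
    """Return the legitimate domain a recipient address is mimicking, or None.

    Parent domains are checked too: whoever registered ``usexample.com`` also
    receives mail addressed to ``anything.usexample.com``.
    """
    if address.count("@") != 1:
        return None
    domain = address.rsplit("@", 1)[1].lower().strip(".")
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in watch:
            return watch[parent]
    return None


# Constructed mail domains for a fictional company (assumption, not from the article).
COMPANY_DOMAINS = ["example.com", "us.example.com", "mail.eu.example.com"]
WATCHLIST = build_watchlist(COMPANY_DOMAINS)


def gateway_decision(address: str) -> str:
    """What an outbound mail gateway would do with this recipient."""
    target = check_recipient(address, WATCHLIST)
    if target is None:
        return "deliver"
    return f"hold: {address!r} looks like misaddressed mail for {target}"


if __name__ == "__main__":
    for fake, real in sorted(WATCHLIST.items()):
        print(f"register/monitor {fake:<24} (doppelganger of {real})")
    for rcpt in ["jane@us.example.com", "jane@usexample.com", "ops@vpn.usexample.com"]:
        print(gateway_decision(rcpt))
```

The watchlist is the defensive half of the researchers' trick: register the candidates yourself, or at least watch passive DNS and WHOIS for someone else doing it. The gateway check is the cheap mitigation for the mail you send; it does nothing for a partner who mistypes your domain, which is why the registrations matter.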

via Researchers’ typosquatting snarfed 20GB of Fortune 500 e-mails.

AnonyOps vs BART

Anonymous computer hackers broke into a BART website and revealed personal information on thousands of BART riders Sunday, part of a protest that could include a disruption of train service during the Monday afternoon commute.

Transit officials closed down the myBART website, which is run by an external vendor, and urged anyone who subscribed to the news alert service to change their passwords on other websites if they use the same password they used for myBART.

[…]

The information includes names, email addresses, myBART account passwords, and in some cases mailing addresses and phone numbers. BART officials emphasized that no financial information is stored in the affected database.

I wonder if the passwords were even encrypted.

via Computer hackers expose BART riders personal information – San Jose Mercury News.

AntiSec’s Dump Of Law Enforcement Data Includes Personal Data Of Thousands

Chaos-hackers grab what they can and throw it on the wall like a big bowl of spaghetti.  How do you stop it?

Feinman recommends that organizations take an inventory of the sensitive data they have and get rid of any data they don’t need. “We’re seeing more customers using our ‘shredder’ feature now,” he says. “If you aren’t going to use it, there’s no reason to keep it around.”

The best way to secure data is to purge what you don’t absolutely need.  It’s true for PCI DSS, and it’s true for everything else.

via AntiSec’s Dump Of Law Enforcement Data Includes Personal Data Of Thousands – Dark Reading.

Social Security Administration Exposed Data Of 36,000 Over Three Years

Nobody cares more about your personal information than you do.  Unfortunately, there’s nothing we can do to keep it out of the hands of the government.

According to a report issued by the SSA’s Office of the Inspector General, some 36,657 people were erroneously included in the SSA’s Death Master List, which collects names of recently deceased individuals and is sold to the public.

The data was published between May 2007 and April 2010, according to the report. The SSA had already exposed an additional 26,930 individuals’ records between July 2006 and Jan. 2009.

via Social Security Administration Exposed Data Of 36,000 Over Three Years – Darkreading.

Philadelphia Family Planning Council Data Breach Affects 70,000 Patients

The Family Planning Council incident is just the latest in a series of flash drive data breaches to be reported. On Feb. 23, Henry Ford Health System in Detroit notified the public of a lost flash drive containing information on 2,777 patients, and on Sept. 20, insurer AmeriHealth Mercy reported a missing flash drive that stored data on 280,000 Medicaid members.

You’d think HIPAA or some other regulation would cover all that, but the policy gap and the human laziness factor are still at work.

The stolen flash drive at Family Planning Council was simply password-protected rather than encrypted, Schwoebel noted.

Steps companies could take to better secure data include encrypting the devices, monitoring data transfer on the drives using back-end management software and creating an audit trail.

“It’s a bit intimidating for health care organizations to understand what is the right level of encryption for what they need,” Schwoebel said. “There are different types of drives that offer different levels of security, and they should work with someone to analyze what’s the correct level of security they need for their data and put together an overall plan to make sure that the USB drives they do provide to their customers meet the standards for data loss prevention.”

via Philadelphia Family Planning Council Data Breach Affects 70,000 Patients – Health Care IT – News & Reviews – eWeek.com.

Texas exposes addresses, SSNs of 3.5 million residents

According to Texas State Comptroller Susan Combs, the data wasn’t exposed by a hacker or a group of vigilante scriptkiddies—it ended up on a state-controlled public server after having been passed around between various state agencies. The data came from the Teacher Retirement System of Texas, the Texas Workforce Commission, and the Employees Retirement System of Texas, all of whom transferred the unencrypted data (against state policy) between January and May of 2010. The information was only discovered on the public server on March 31, 2011, meaning it has been available for almost a year.

So far, the state says there’s no indication that the data was misused, but that doesn’t mean it hasn’t or won’t be sometime in the future. In addition to the aforementioned personal information, Combs said that other data, like date of birth and driver’s license numbers had been exposed “to varying degrees.” Additionally, “all the numbers were embedded in a chain of numbers and not in separate fields”—good if only lazy “hackers” accessed the file, but bad because it ensures that the appropriate data is matched with other data from the same person.

I’m wondering which employees had access to the data, and which had access to the public server, and what sort of processes were violated which resulted in this data being published to the Internet at large.

via Texas exposes addresses, SSNs of 3.5 million residents

Data Leaks Underscore Need for Employee Security Training

The university had created lists of students who’d studied at the College of Education at MSU between 2005 and 2009 to submit for the accreditation approval, according to the March 3 article. The lists contained names and Social Security numbers, the university said.

Although the list was supposed to be uploaded to a secure server accessible only to university personnel as part of the accreditation process, it ended up on an insecure server, exposing it to the Google spiders indexing the Web, the university said. The MSU IT team is currently working with Google to remove all leaked lists from the search engines indexes, the university said.

Data breaches are a growing problem. The 2010 data breach report from Ponemon Institute found that the average cost of a data breach is approximately $7.2 million. That hefty price tag includes the cost of hiring a third-party security auditor with computer forensics knowledge to investigate what happened and fix the issue, notifying all the users and the state government, setting up a call center that can handle questions from worried victims, paying for credit monitoring services, lost productivity and sales as customers leave, Shaul said. In a heavily regulated industry, compliance fines can also increase the cost of the breach, he said.

I recall a similar incident in which the Mesa County, Colorado Sheriff’s office accidentally posted a bunch of confidential data to a public webserver.

My question is: Why do these employees have access to publish to public webservers?  Does MSU have their Intranet and Internet sites on the same physical server?  That seems like a bad idea.
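The Texas post above says the SSNs sat "embedded in a chain of numbers and not in separate fields", and the MSU lists were found by Google's crawlers before the university noticed. A scan of anything about to land on a public server, or of what is already sitting there, has to catch both the tidy dashed form and the concatenated one, and the usual quick regex catches neither the bare nor the embedded case. The following is an added example serving both posts; it is not code from either article or from the agencies involved. The structural rules it applies (area not 000, 666 or 900-999; group not 00; serial not 0000) are the published SSA ones, and the sample records are constructed.

```python
"""Find SSNs in text whether they are dashed, bare, or embedded in a longer
digit chain.  Added example; the records below are constructed."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# What most quick scans use.  It misses bare nine-digit values and anything
# inside a longer digit run, and accepts structurally impossible numbers.
NAIVE_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# A maximal run of digits and dashes that starts and ends with a digit.
DIGIT_RUN = re.compile(r"\d(?:[\d-]*\d)?")
DASHED = re.compile(r"\d{3}-\d{2}-\d{4}")


def looks_like_ssn(nine: str) -> bool:
    """Structural SSA rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    if len(nine) != 9 or not nine.isdigit():
        return False
    area, group, serial = int(nine[:3]), int(nine[3:5]), int(nine[5:])
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


@dataclass
class Hit:
    offset: int   # position of the containing digit run in the text
    digits: str   # the nine digits, dashes removed
    form: str     # "dashed", "bare" (nine digits, other separators) or "embedded"


def find_ssns(text: str) -> list[Hit]:
    hits: list[Hit] = []
    for m in DIGIT_RUN.finditer(text):
        raw = m.group()
        digits = raw.replace("-", "")
        if len(digits) == 9:
            if looks_like_ssn(digits):
                form = "dashed" if DASHED.fullmatch(raw) else "bare"
                hits.append(Hit(m.start(), digits, form))
        elif len(digits) > 9:
            # The Texas case: fields concatenated into one chain.  Slide a
            # nine-digit window across it and keep the structurally valid ones.
            for i in range(len(digits) - 8):
                window = digits[i:i + 9]
                if looks_like_ssn(window):
                    hits.append(Hit(m.start(), window, "embedded"))
    return hits


def naive_count(text: str) -> int:
    return len(NAIVE_SSN.findall(text))


def summarize(text: str) -> dict[str, int]:
    """Hit counts by form; a file with many 'embedded' hits deserves a human look."""
    return dict(Counter(h.form for h in find_ssns(text)))


# Constructed records: one dashed SSN, one bare, one chain of concatenated
# fields, and two values the structural rules should reject.
SAMPLE = """\
Doe, Jane, 123-45-6789, Austin
Roe, Richard, 765432198, Dallas
export:000123456789
date 2011-03-31 ref 000-12-3456
"""

if __name__ == "__main__":
    print("naive regex hits:", naive_count(SAMPLE))   # 2, one of them impossible
    print("structured scan:", summarize(SAMPLE))      # dashed 1, bare 1, embedded 3
    for h in find_ssns(SAMPLE):
        print(f"  offset {h.offset:>3}  {h.digits}  {h.form}")
```

The embedded mode is deliberately noisy: every nine-digit window of a phone number or card number that passes the structural rules is reported, so treat the result as a density score per file rather than a verdict. Run it over the directory a publishing job writes to, and over the existing document root, before the search engines do it for you.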

via Page 2 – University Data Breaches Underscore Need for Employee Security Training – Security – News & Reviews – eWeek.com.

Data leak embarrasses Colorado sheriff, terrifies informants

The Mesa County, Colorado, Sheriff’s Dept accidentally published the personal information of 200,000 “customers:”

The leak started flowing when a county IT employee who had legal access to the database copied it to another server in April of this year. According to the Associated Press, the employee had copied over the database in the form of a giant text file with everyone’s information available in plaintext, assuming that the target server was secure.

[…]

This kind of data leak—the kind that occurs as a result of employee actions and not outside “hackers”—is surprisingly common. State employees (and the IRS) seem to always be losing laptops that contain personal information about citizens, and the military recently enacted (another) ban on external disks accessing the network in order to prevent another WikiLeaks bomb from going off.

Security experts warned in the past that employees tend to be the greatest threat to company security—a lesson that the Mesa County sheriff’s department has now learned the hard way.

I can’t help but wonder why the IT employee exported the database to plain text and left it on a server for months — does he suck at SQL and excel at using Find in Notepad?  Was this how he backs up his database?

And then, of course, there are the questions about who the custodian and owners of the data were, what policies does the Sheriff’s office have about this sort of thing, and is this going on the employee’s annual review?

via Data leak embarrasses Colorado sheriff, terrifies informants.