Archive for August, 2007

SSNBreach.org: Chandra Breach

SSNBreach.org announced that in August, 2007 a hacker site that apparently traffics in stolen personal information posted a file with approximately 408 credit card numbers online, and available through a major search engine. The file also contained Social Security Numbers, Dates of Birth, Mother’s Maiden Names, Passwords, PINs, Addresses, Phone Numbers, Card Verification Numbers, Purchase Amount, and other sensitive information.

The site was registered by “Fadjri” (randee@stereocotil.com), and the WHOIS registrant’s address seemed to be an address in Jakarta (Jl. Bambu Duri IV no.08 Pondok Bambu, Jakarta, 12130, ID. Phone: +62.2193804070). Major Credit Card companies’ fraud departments, and the FBI were immediately notified. Google was also asked to clear its caches. Within several days, the website was gone, and Google’s caches had cleared.

Individuals affected by this breach can search for their name at www.ssnbreach.org.

No Comments

SSNBreach.org: Whizlink.com Breach

SSNBreach.org announced that whizlink.com posted an excel file which contained what appeared to be a call list with personal information of 1,299 sales leads. The file appeared to contain full names, addresses, phone numbers, financial information, and individualized comments like, “WAS IN HURRY. CALL AFTER 8 PM,” “REFINANCE+DEBTS CONSOLIDATION,” “FICO SCORE – 540,” “LOAN OFFICER – TIM,” “HE IS LOOKING FOR 50000 FOR TO PY OFF THE DEBTS AND FOR THE HOME IMP,” and “HUNG UP ON SSN.”

The file was available through Google. The domain was registered to Sanjiv Bhagat, an employee of California mortgage services company American Vision Financial Inc., and was hosted on his employer’s server. However, he insists that he knew nothing about the file, and was unaware that someone had stolen his administrative passwords in order to post the site.

If you think you may have been affected by this data breach, you can securely search for your name at www.ssnbreach.org to get a more detailed picture of what personal information was exposed.


SSNBreach.org Announces York County, PA Courts Breach

In July, 2007 the York County, PA court website posted a file containing the full names, addresses, home and cell phone numbers, race, social security numbers, and other sensitive information for approximately 97 people. The individuals appeared to be deputized employees of the court.

The court became aware of the breach before July 6th, 2007, and on that date President Judge Richard K. Renn issued an order to Google, Inc. to clear their caches of files containing sensitive personal information. However, as of August 20, 2007 the file was still available on the York County website. The file was removed, and Google’s caches cleared by August 25th, 2007.

If you think you may have been affected by this data breach, you can securely search for your name at www.ssnbreach.org to get a more detailed picture of what personal information was exposed.


SSNBreach.org Announces Williamsport, PA Police Department Breach

The Williamsport, PA police department website exposed the names, birth dates, social security numbers, and other potentially sensitive information of approximately 174 individuals. SSNBreach.org notified the police department because, even though the file had already been removed from williamsportpd.org, it was still cached by Google.

The file purported to be updated as of 6/27/2007. If you live in Williamsport, PA, and think you may have been on this list, you can search for your name at www.ssnbreach.org and get a more detailed picture of what information was exposed.


SSNBreach.org Announces Tyler Pension Management Solutions Breach

SSNBreach.org announced today that Tyler Pension Management Solutions (NYSE: TYL) posted a file online that contained the full names, ages, social security numbers, and other pension information of more than 650 individuals.

The company provides online access to pension information for businesses and pensioners alike, but it’s not clear whether the breached file was related to Tyler’s online Pension Management tools.

Tyler acted quickly to take the files down and clear caches of major search engines. Individuals who think they may be victims of this identity breach may securely search for their name at SSNBreach.org.


When Data Breaches go Unreported

UNREPORTED BREACHES

I have encountered dozens of data breaches by schools, companies, doctors’ offices, and other organizations over the past two years. Of the many lessons I’ve gleaned from these experiences, one stands out: An alarming number of breaches go unreported. While the cause may differ from one instance to another, I have discovered several recurring themes:

  • Entities Fail to Detect Breaches. Many organizations do not have proper diagnostic processes to detect breaches when they occur, and many do not even keep proper logs. So when a press release reads, “we have no evidence that the sensitive information was accessed…” it may simply mean that they did not keep any records, and therefore literally have “no evidence.”
  • Entities Underestimate the Severity of Breaches. Doing a simple cost/benefit analysis, organizations often come to the logical conclusion that the PR ‘costs’ of announcing a breach (especially when no proof of access exists) far outweigh any benefits. However, when the victims learn of the breach directly, or when the media is notified of the breach, organizations tend to take it more seriously.
  • Victims Lack Sufficient Information to Advocate for their own Interests. One of the cruel ironies of data breaches is that the only source of information about a breach is filtered, packaged, and presented by the organization responsible for the breach. The breaching entity’s concern is to minimize perceived liability; therefore it is in their best interest to restrict the flow of information about the breach as far as possible. Without a complete understanding of what information was breached, victims are unable to be effective advocates for themselves.
  • Organizations are Ignorant of Applicable Law, if it Exists. Even in states where breach notification laws exist, smaller organizations often assume that the law only applies in limited circumstances, to larger companies, or to particularly large breaches.
  • Leaders are Uncertain of Proper Action. I think that most organization leaders intend to do the right thing. But in the event of a breach, some aren’t sure exactly what to do, how to make an announcement, who to notify, or under what circumstances they must make an announcement. And there aren’t many resources to help them figure things out.
  • The Market does not Value Privacy. Privacy is expensive, but the costs of violating privacy are small. In many countries, privacy laws counteract the Market’s enmity toward privacy. The United States has precious few laws to counteract anti-privacy market forces. Until the Market recognizes the true costs to society for failing to protect privacy, privacy legislation is necessary.
  • Ironically, the Victims’ Privacy May Shield the Breaching Entity. Every once in a while, a breaching entity will sacrilegiously attempt to wrap itself in the very cloak of the victims’ privacy that it has just tattered. These entities might fail to report any relevant information about a breach on the false premise that they wish to protect the privacy of those affected. Of course, keeping a victim in the dark about the extent of an identity breach does not protect him; it only protects the breaching entity.

And for the most part, organizations which choose not to report breaches get away with it.

REPORTED BREACHES

I believe that breaching organizations have at minimum a moral (and often legal) responsibility to notify victims of their risks. I also believe they have moral obligations to bear the true costs of their mistakes. However, even if a breach is detected and reported, full notification is functionally impossible under almost every circumstance, even among well-intentioned organizations:

  1. Not everyone will read the press release. Most breaches have a media shelf life of only 24-72 hours. The assertion that every victim of an identity breach will hear about the breach and be able to identify himself as a victim within the first 72 hours of media attention is ludicrous. However, a victim who misses the announcement remains at risk for years.
  2. 100% contact is functionally impossible. Even if the breaching organization has a record of the victims’ contact information, the information may be out of date. People move, phone numbers change, and many addresses are incomplete or not on file. Letters that do arrive at the proper address may be ignored. Though direct contact is the best method of notification, even a good-faith effort of direct mailing and phone calling cannot ensure that everyone is notified. Multiple contact strategies should be applied over long periods of time to reasonably ensure that most victims are notified.
  3. The notification message is always incomplete. I have read dozens of breach press releases, and they almost write themselves: “On X date, we discovered that some personal information was compromised. We acted immediately to make the information unavailable, and we have no evidence that anyone accessed it for inappropriate reasons. You should get a credit report as a precaution.” For the reasons explained above, I have yet to read a single breach announcement that explains the full depth and breadth of a breach. The lack of information keeps victims in the dark about what their true risks are, and denies them the opportunity to be effective advocates for themselves.
  4. Many breach notification laws are weak. Most data breach notification laws only require an organization to say, “Oops.” If the organization is feeling nice, they’ll say, “Oops, sorry.” And if they’re feeling gregarious, they’ll say, “Oops, sorry, and here’s a free report of how much damage has been done to your life. You’ll still be at risk for years to come, though, so stay vigilant. Good luck.” But they have no responsibility to help you clear your name when someone purchases a car or home in your name, or when someone commits a crime with your identity, or if an identity thief makes it impossible for you to qualify for medical insurance. Merely getting a credit report does not protect against many of these risks, and victims can’t look to the breaching entity for help.

UTOPIA

Some privacy advocates dream of a fairy tale Utopia where all victims of identity breach will receive a personalized phone call or letter, detailing the extent of the breach, and an explanation of exactly what risks they face.

It is a dream I do not share.

In fact, the more I think about this dream, the more nightmarish it becomes. In this “Utopia,” every organization you come in contact with (every store, school, business, church, club, or government agency) must collect a full battery of contact and personally identifiable information with which to notify you of a potential future breach. Since the risk of breach can increase with time, these organizations would have to maintain updated records on your whereabouts, contact information, and identifiable information in perpetuity. To believe in such a privacy fairy tale world is not only naïve, but dangerous.
