Archive for October, 2007

Army’s 18th MEDCOM Puts 78 at Risk

The Army’s 18th MEDCOM in Seoul, Korea, posted full names, social security numbers, dates of birth, medical diagnoses, medical treatments, sex, race, and other sensitive information of 78 service men and women. The 18th MEDCOM and the Pentagon were notified on June 13, 2006, and the file was deleted within days, but the military did not comment on the existence of the file. The file, “Heat Injury.xls,” detailed heat exhaustion and heat stroke of patients stationed in Korea. Some of the medical notes included:

“Competing in Army 10 miles, pushing self to make team. Ambient temp 75 F, Rectal temp 106.9 F, No organ damage.” “2 mile road march with full gear @1300, Rectal Temp 98.2 F.” “P[atient] was out doing field patrol, felt dizzy, kept falling back down. P[atient] felt her body cramping.” “Rectal Temperature: 107.0, Brain and Liver were affected by the heat stroke. No previous heat injury.” “multi-organ failure; p[atient] expired.”

The file was available through major search engines, such as Google, before it was taken down. Individuals on this list are at extreme risk of identity theft.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: SSNBreach.org.


SemperFi Data Puts 40 at Risk of ID Theft

While searching on Google for his own social security number, an anonymous internet user discovered a breach on www.semperfidatarecoveryandcomputerservices.com, and alerted the Liberty Coalition in late September, 2007. The Excel file, belonging to Arkansas company SemperFi Data Recovery, exposed the names, social security numbers, addresses, cell and home phone numbers, W-4 information and other personal information of 40 employees living in Arkansas and Oklahoma. The Liberty Coalition immediately contacted the proprietor of the website by phone and e-mail, as well as several of the victims, and reported the incident to the FBI. Even after the warning, the proprietor left the file online for several more weeks before taking the website down completely.

The business owner, who did not identify himself by name, explained that although he purposely placed the files online, he intended only a small number of people to see it, and didn’t want anyone to fuss about it. Instead, major search engines picked up the file, and several employees were justifiably upset.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: SSNBreach.org.


University of Texas, Austin FTP Site Puts 22 at Risk of ID Theft

In late September, 2007 the Liberty Coalition discovered six files that contained the names, social security numbers, gender, majors, grades, email addresses, department, etc. of approximately 22 students or former students at the University of Texas at Austin Petroleum and Geosystems Department. The files were available on an open university FTP site accessible through the search engine www.filewatcher.com and perhaps other search engines. The affected students appear to be former enrollees of course PGE383 in the Summer of 2001 and 2002.

The University and FBI were notified of the exposure. The files were taken offline within hours, and University of Texas Chief Information Security Officer Cam Beasley wrote in an e-mail to the Liberty Coalition that “…the University of Texas at Austin takes these matters seriously and we are actively working to secure this information.” In a phone conversation, a University official indicated that they planned to immediately notify affected individuals directly, where possible.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: SSNBreach.org.


Case Western University Website Exposes Medical Information, Personal Information of 452 People

SSNBreach.org reports that 8 files were discovered at filer.case.edu containing sensitive personal information of approximately 452 people. Three files identified participants in a medical study, as well as a detailed description of personal medical conditions, treatments, ages, and other demographic information. In that file, one column identifies several individuals who appear to be doctors or medical professionals who participated in the study: Rein Lambrecht, Thomas Chelimsky, Bill Stacey, and Amer Alshekhlee. Applicants were asked to describe details of their conditions like, “…bladder and sexual function inability to stand > 10 secs, several bowel obstructions… 2 years of diarrhea with no constipation….” Participants were also required to list medications they were taking. The list reveals one participant’s treatments as, “glucophage, tricol, bactrim, prinivil, prilosec, crestor, lasix, zetia, aerobid, singulair, zyrtec, albuterol, oxygen, betopic eye, xalatan, wellbutrin, neurontin, iburpofen, mutli vitamin, vitamin E, B-complex, fero-grade.” A column labeled “Consent/HIPAA form” shows that 56% of the entries read either “needs signature,” or “NO.”

Other files contained GPA, addresses, phone numbers, e-mail addresses, a few Social Security Numbers, dates of birth, and other information. Several of the files seemed to be notes from interviews with interview scores, and comments like “Score: 10.5 too generous?… possibly too harsly [sic] graded, but not at up to a 9… Intramurals, no honors/research/ no work experience, bad essay.”

The university was notified, deleted the files within 48 hours, and later Chief Information Security Officer Tom Siu assured the Liberty Coalition that they “take this matter very seriously and continue to work diligently to ensure that our policies and technical security measures promote the integrity and confidentiality of such records.”

The website filer.case.edu appears to be an online filing system for students and faculty of Case Western Reserve University. While the system, called “Filer,” does not claim to be secure, the system does require a login, which may lend a false sense of security to some faculty or students, and may have contributed to some individuals posting sensitive information. Yahoo.com has indexed roughly 44,100 files and websites at filer.case.edu. However, the files in question appeared to be purged from Yahoo’s caches by October 4, 2007.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.


Educational Dissertation Puts 17,036 K-12 Students at Risk

On August 28, 2007 at least three files with sensitive information for about 17,000 Tennessee K-12 students and the names of several hundred teachers were posted on a personal website which has since been taken down (http://tnweb.org/). One file contained the Grade Levels, Elementary School, Teacher’s Name, Student’s Birth Date, Student’s Full Name, Student’s Gender, and Test Scores for about 11,789 students. Another file contained the Grade Levels, Elementary School Names, Social Security Numbers, Students’ Full Name, Gender, and test scores for roughly 2,247 elementary school students. The file also contained the names of several hundred teachers. A third file contained the names, social security numbers, and composite scores for approximately 3,000 K-12 students.

The files were placed online as a part of a Longitudinal Dissertation by Christopher Nugent, who had used the website as a temporary method to transfer files between computers. The website never contained direct links to the files, and Mr. Nugent believed that the files had been encrypted during transfer, and mistakenly believed that the files had been deleted afterward. Mr. Nugent generated random IDs and purged names before working on the data set for his dissertation, to ensure privacy. He was shocked to find that Google had somehow indexed the original files, and acted immediately to take down the website and alert search engines to clear their caches. In an e-mail to the Liberty Coalition, Mr. Nugent expressed his dismay, “Because I believe that the privacy of every individual is of the utmost importance, I cannot express to you enough that I believed I had taken every precaution to maintain strict security procedures and secure all information.”

The FBI was notified, and Google took its sweet time purging the files. The last file was finally removed October 2, 2007, despite the efforts of Mr. Nugent and the Liberty Coalition.

Confirm whether you were affected by this breach, at www.ssnbreach.org.

Source: https://www.ssnbreach.org/news.php#nugent.


Customer of PeopleFinders in Poland Exposes Background Check

The information in this breach was never exposed on any website owned or operated by PeopleFinders, but on a Polish website unrelated to the company. The information appeared to be a PeopleFinders.com report, and was placed online independently by a third party.

On August 21st, 2007 the Liberty Coalition discovered a copy of a “Comprehensive Background Check with Nationwide Criminal” purported to be authored by PeopleFinders.com. The subject of the report (Report Number: 1564209) was “Christina M Snyder,” and was apparently issued on 11/12/2006 2:46:02 PM. It purports to be ordered by Christina, but was apparently paid for by “Lukasz Kozacki” of “Tarnowskie Gory, Poland.” The price of the report appeared to be $600, and the Money Transfer Control Number was 9057968254. A copy of this report was discovered on a website registered to “Tuszyński Michał” in “Tarnowskie Góry, Poland.” The Whois Registry says the contact phone number is “+48.322853753,” and the e-mail address is “tuszyn@op.pl.” The website has since been shut down, and Google has cleared its caches.

The report contained Christina’s Address, Phone Number, Social Security Number, Mother’s Maiden Name, Drivers License Number, Date of Birth, Routing Number, Bank Account Number, Maiden Name, Previous Addresses, Friends, Neighbors and Relatives’ Names and Contact Information, as well as Property Value. It also purported to contain contact information for people identified as Christina’s possible friends, associates, relatives, or neighbors.

This breach was reported to the FBI. It also provides insight into the conditions under which you may appear on someone else’s background report.

Confirm whether you were affected by this breach, at www.ssnbreach.org.

Source: SSNBreach.org.
