Archive for November, 2007

Scholarship Foundation Created by Monster.com Founder Exposes 694 Students’ Personal Information

NEW YORK, New York. Hundreds of high school students from Pennsylvania, New York and West Virginia may be at extreme risk of identity theft after winning scholarships from the McKelvey Foundation. The scholarship foundation, started by Monster.com founder Andrew McKelvey, placed a massive cache of former McKelvey Foundation Scholarship winners’ personal information online. A total of 51 files were discovered by the Liberty Coalition on November 8, 2007, using a major search engine. The files contained thousands of records, and roughly 694 unique names, social security numbers, dates of birth, high schools, addresses, phone numbers, e-mail addresses, and other sensitive information. The server indicated that most of the files were last modified as early as March 2004, suggesting that they have probably been available online for more than three years. Some of the files were modified as late as April 2007.

The Liberty Coalition notified several hundred of the victims of this breach by e-mail on November 26, 2007. Of the dozens who replied to the Liberty Coalition, none reported that they had been notified of the breach by the Foundation.

Though the McKelvey Foundation removed the files from the server within 24 hours of notification, it may be impossible to determine how many people accessed the files, who has copies of the files, or where they are in the world.

A McKelvey Foundation representative explained that the breach was a mistake, and that they were unaware that the files were online at the time the Liberty Coalition contacted them.

Individuals on these lists are at extreme risk of identity theft and other forms of danger. In addition, we also note that as of the date of this announcement, the McKelvey Foundation’s current website is not secure or encrypted, even though they require student applicants to surrender a wide range of sensitive information online. Until the McKelvey Foundation secures their website, all youth who apply to the McKelvey Foundation expose their most sensitive information, including home address, e-mail, phone number, high school (and, until November 2008, their social security numbers) to additional risk as it is passed over the internet unencrypted. The Liberty Coalition recommends that students avoid applying for a McKelvey Foundation Scholarship until the foundation encrypts their website, creates a privacy policy, and demonstrates an appreciation of the profound trust thousands of youth and parents have placed in them.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: www.ssnbreach.org.


University of Florida Exposes 415 Student Social Security Numbers Online

GAINESVILLE, Florida. On November 15, 2007, the Liberty Coalition discovered 14 separate files on the University of Florida Computing and Networking Services (CNS) website containing sensitive information for 534 former University of Florida students, including 415 social security numbers. All affected individuals appear to be former students of Richard A. Elnicki, D.B.A., Professor Emeritus in ISM 4220 and 4220 between 1998 and 2001.

The University of Florida Office of Information Technology, Computer Networking Services, and the FBI were notified of the breach. The files were taken down immediately by University officials, and they took steps to ensure that major search engines cleared their caches of the sensitive information.

The files were posted on an online file server that requires a password to upload files, even though the public can download the files without a password. Although the Liberty Coalition was unable to contact Professor Elnicki directly, past experience has shown that university faculty occasionally mistakenly believe that files uploaded to these types of servers are secure, or at least not available to the public.

The server indicated that many of the files had been online since 1998. Considering the files have gone undetected for up to nine years, even though they apparently sit on a CNS server, the University of Florida’s failure to detect these files seems especially shocking. Students affected by this breach are at severe risk of identity theft.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: www.ssnbreach.org.


Penn State Department of Geosciences Exposes 39 Students’ Personal Information

UNIVERSITY PARK, Pennsylvania. In September 2007, the Liberty Coalition discovered four files on the Penn State Department of Geosciences website containing social security numbers, assignment scores, test scores, and grades of roughly 39 students.

The University and FBI were notified, and Penn State removed the files within a few business hours of notification. The files were confirmed deleted from Google’s cache in mid-October. However, cached versions of the files remained in other major search engines until mid-November, 2007.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: www.ssnbreach.org


Alabama Licensure Board for Interpreters and Transliterators Exposes 225

On October 15 and 27, 2007, the Liberty Coalition discovered several Excel files on the Alabama Licensure Board for Interpreters and Transliterators’ website, which contain sensitive personal information of more than 225 licensed translators. The files contain application information, full names, dates of birth, a few social security numbers, addresses, phone numbers, e-mail addresses, employer information, and other information. By posting this information online, the State of Alabama has put some of these individuals at high risk of identity theft.

The Liberty Coalition notified Paula Scout McCaleb, Executive Director, Shonda McQueen, Licensing Agent, the Alabama State Attorney General, and the FBI about this breach. Where possible, we also notified several individuals directly. Of those contacted directly, none indicated that they have yet been contacted by the Alabama Licensure Board. The files were deleted within two days, or two weeks, depending on the file. Since that time, the Alabama Licensure Board for Interpreters and Transliterators continues to publish the names of licensees, but only their names, license numbers and expiration dates. It is unfortunate that the Board did not have such a privacy policy prior to this incident.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: www.ssnbreach.org.


Lady Bug Home Care Exposes Job Applicants to ID Theft

On October 18, 2007, the Liberty Coalition discovered an Excel file on Benbrook, TX-based Lady Bug Home Care’s home page that appears to contain sensitive personal information for 105 job applicants and their references. The file contains full names, home phone numbers, social security numbers, addresses, e-mail addresses, previous addresses, dates of birth, driver’s license numbers, medical information, emergency contact information, medical certification statuses, schools, degrees, car insurance information, and previous car accidents. Many individuals on this list are at extreme risk of identity theft. The site has since been taken down.

Applicants seemed to live in Texas, in the following cities: Alvarado, Arlington, Austin, Bedford, Benbrook, Burleson, Cross Roads, Crowley, Dallas, Denton, Elgin, Euless, Flower Mound, Fort Worth, Georgetown, Glenn Heights, Grandview, Hurst, Kennedale, Lewisville, Mansfield, Mesquite, N. Richland Hill, Pflugerville, Sanger, Weatherford, and Wylie.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: www.ssnbreach.org.


NASWA Exposes 1,446 Social Security Numbers Online

In March 2006, the National Association of State Work Force Agencies (NASWA) posted a file containing the full names, social security numbers, and dates of birth of 1,446 individuals who apparently participated in a program offered by the agencies. The organization was notified in March, 2006, and the file was taken offline. However, the file remained in online caches until at least October, 2008.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: www.ssnbreach.org.


An Entertaining Discussion with Yahoo.com Abuse

I thought you might all appreciate this exchange between me and Yahoo. In essence, I was trying to get them to take down a website with sensitive information. The owner was nowhere to be found. The registered owner of the domain was a company who pointed me to Yahoo, since Yahoo was the host. Yahoo kept stonewalling me with incorrect form letters. I’ve edited a little for brevity.

Original Message Follows:
————————-

To Yahoo Abuse:

My name is Aaron Titus. I am the Information Privacy Director for the Liberty Coalition.

In September 2007, a file containing around the names, social security numbers, scores, grades, and other information of about 60 students. Though the file had already been removed from your site when it was discovered on September 13, the information was available until September 18, 2007 through a Google Cache.

The file was available online:
[hyperlink omitted]

In addition, the file was available through at least one major search engine.

You should consult legal counsel to determine whether your state has applicable breach notification laws. We trust that you will take action to remove the sensitive files, clear search engine caches, and notify internet archives such as http://web.archive.org, as soon as possible.

This apparent breach will be reported to the FBI through ic3.gov. It will also be documented at SSNBreach.org, once the file becomes unavailable to the public, and it appears as though cached versions have been removed from major search engines.

Do not hesitate to contact me if you have any additional questions.

-Aaron Titus

—–Original Message—–
From: Yahoo! Domains [mailto:domains-abuse@cc.yahoo-inc.com]
Sent: Friday, November 09, 2007 12:27 PM
To: Aaron Titus
Subject: Re: Scratchpad50.com Personal Information Breach
(KMM60105393V28300L0KM)

Hello Aaron,

Thank you for writing to Yahoo! Domains.

We appreciate your reporting this instance of abuse. Please write back with a more detailed description of the issue in question and include as much of the following information as you can:

1. A more detailed description of the complaint or issue.
2. Any other information that may help us investigate and take the appropriate action.
Please include the requested information in the body of your email response, and do not send attachments as we are unable to open them.

Additionally, you may want to review the Yahoo! Domains Terms of Service at:
http://smallbusiness.yahoo.com/tos/tos.php
Thank you again for contacting Yahoo! Domains.

Regards,
Stan
Yahoo! Customer Care
41624814
For assistance with all Yahoo! services please visit:
http://help.yahoo.com/

Original Message Follows:
————————-

Yahoo Abuse,
In response to your “more detailed description of the complaint or issue,” I invite you to read my original e-mail, which reports the issue with painstaking detail. As a courtesy, I have included the original detailed report [in this] e-mail.

Next time, please at least try to pretend that you’re not sending a form letter.

-Aaron Titus

—–Original Message—–
From: Yahoo! Domains [mailto:domains-abuse@cc.yahoo-inc.com]
Sent: Saturday, November 10, 2007 9:45 AM
To: Aaron Titus
Subject: RE: Scratchpad50.com Personal Information Breach
(KMM60147527V5861L0KM)

Hello Aaron,

Thank you for writing to Yahoo! Domains.

We appreciate your inquiry and are sorry for the issues you are experiencing with Google search results. Unfortunately, we are not affiliated with Google and are not able to address any concerns that you may be experiencing with their services.

If you have issues with Google’s search services, we recommend that you contact them directly to have these issues addressed. You can do so by visiting the following page:

http://www.google.com/intl/en/contact/index.html

Thank you again for contacting Yahoo! Domains.

Regards,
Stan
Yahoo! Customer Care
41624814
For assistance with all Yahoo! services please visit:
http://help.yahoo.com/

Original Message Follows:
————————-

Boy, you guys really are dense.

Please note that the title of this e-mail is “Scratchpad50.com Personal Information Breach.” As described in my original e-mail, the domain, Scratchpad50.com had exposed several people to increased risk of identity theft. Yahoo is the host for Scratchpad50.com, and should therefore 1. Investigate, and 2. Take appropriate action to eliminate the files mentioned.

If you insist on continuing to reply with irrelevant form letters, next time try to pick one that has some bearing on reality. Or, you can save us both some time and simply say outright,

“Because we get a high volume of e-mails, we do our best to stonewall as many questions with non-answers as possible. This policy keeps our work levels at a manageable level. In addition, even though this e-mail address is ‘abuse@yahoo.com,’ Yahoo, Inc. has not empowered us to take any action of a substantial nature to actually fix problems. We are only permitted to answer low-level customer questions, and make sure that customers are not able to penetrate too far into the organization.”

Please consider adding such a form letter to your repertoire.

-Aaron Titus

—–Original Message—–
From: Yahoo! Domains [mailto:domains-abuse@cc.yahoo-inc.com]
Sent: Sunday, November 11, 2007 6:18 AM
To: Aaron Titus
Subject: RE: Scratchpad50.com Personal Information Breach (KMM60186560V79817L0KM)

Dear Aaron,

Thank you for writing to Yahoo! Domains.

Yahoo! Domains is evaluating your request, however, Yahoo! Domains is unlikely to remove the page for the reasons explained below.

Although you have objected to material posted on this Yahoo! Domains user’s page on defamation grounds, Yahoo! Domains is not in a position to know the truth or falsity of the statements at issue and therefore cannot take a position on claims, if any, you may have against this user. Your complaints may be directed more appropriately to the individuals who posted the allegedly objectionable statements. If you are not aware of the identity of this individual, please be advised that Yahoo! Domains complies with third-party subpoenas seeking information that pertains to the identities of given subscribers, within the limits of the federal Electronic Communications Privacy Act, 18 U.S.C. § 2701 et seq., and state law.

We recognize that you may be disappointed with this response, however, it is consistent with federal law. Congress enacted the Communications Decency Act of 1996 (“CDA”), which provides that online service providers may remove, edit or not remove or edit content, in their sole discretion, in recognition of the unique role of online service providers such as Yahoo! Domains. Simply stated, this federal statute protects online service providers from any liability for third-party statements, or for the removal or failure to remove such statements. See also, Zeran v. America Online, Inc., 129 F.3d 327 (4th Cir. 1997), cert. denied, ___ U.S.___ (1998).

Should you have further questions regarding this matter, you may direct them in writing to:

Legal Department
Yahoo! Inc.
701 First Ave.
Sunnyvale, CA 94089

Thank you again for contacting Yahoo! Domains.

Regards,
Miller Daniels
Yahoo! Customer Care
41624814

—–Original Message—–
From: Aaron Titus
Sent: Sunday, November 11, 2007 3:05 PM
To: ‘Yahoo! Domains’
Subject: RE: Scratchpad50.com Personal Information Breach (KMM60186560V79817L0KM)

Yahoo Domains,
Thank you for finally finding the [almost] correct form letter! Good Job! [except, I wasn’t talking about “defamation”]

-Aaron Titus


University of Tennessee, Martin puts 41 Students at Risk of ID Theft

On September 9, 2007, the Liberty Coalition discovered two Excel files on a University of Tennessee, Martin website containing personal information for 240 former high school students who are now between 18 and 21 years old. The file with the most sensitive information contains 41 names, Social Security Numbers, addresses, high schools, and age, sex, race, and other personal information for 2004 Tennessee Governor’s School for the Agricultural Sciences applicants. The Governor’s School is a summer program for gifted and talented high school students. The files, online since at least September 2006, expose information protected by FERPA and also put these students at severe risk of identity theft. The exposure was reported to the FBI.

In addition, the online folder contained large quantities of potentially sensitive or protected academic information, such as writing samples, student applications, academic competition scores, and the like. Some files appear to have been posted for a year or more.

According to the official University of Tennessee at Martin Press Release,

“The information was posted accidentally by a UT Martin faculty member, who had backed up files to a publicly accessible server. The 41 applicants are being notified initially by telephone and e-mail and will be contacted again by letter. Additionally, the names and academic information for fewer than 100 university students were posted to the link; Social Security numbers were not associated with these names. These students, who were enrolled in agriculture and natural resources classes, are being contacted and advised of the situation.

“…For questions about the 41 Governor’s School for the Agricultural Sciences applicants, call Dr. Jerry Gresham, 731-881-7262; and for UT Martin students who have questions about the accidental release of academic information, call the Office of Academic Records, 731-881-3050.”

The files were inadvertently posted by Timothy N. Burcham, P.E., Ph.D., Master of Science in Agricultural Operations Management Graduate Coordinator, as an effort to back up a computer. Because the online file system at UTM required a password, the faculty member mistakenly believed that the files were not available to the public.

The university acted quickly (after business hours) to remove the files once they were notified, and the University was able to successfully clear several major search engine caches. UT IT staff is or was in the process of identifying 12 separate IP addresses that accessed the sensitive information, including one Chinese IP address. Tennessee does have a breach notification law in the instance of Social Security Numbers, and to their credit, they have decided to notify individuals whose grades or scores have been exposed, even though they’re not required to do so by law.

Individuals who applied for the 2004 Tennessee Governor’s School for the Agricultural Sciences, from the following high schools may be at special risk of identity theft, and should search for their names at ssnbreach.org right away, to find out whether they were affected:

  • Adamsville High School
  • Big Sandy High School
  • Blackman High School
  • Bledsoe County
  • Bolivar Central High School
  • Bolton High School
  • Brentwood High School
  • Brighton High School
  • Bruceton Central High School
  • Camden Central High School
  • Chatt Arts/Sci
  • Collierville High School
  • Columbia Central High School
  • Cornersville High School
  • Covington High School
  • Craigmont High School
  • Creek Wood High School
  • Crockett County High School
  • Culleoka High School
  • Davidson Academy
  • Dickson County High School
  • Dresden High School
  • Dyer County High School
  • Dyersburg High School
  • Fairview High School
  • Forrest High School
  • Franklin County
  • Fred J. Page High School
  • Gallatin High School
  • Germantown High School
  • Gibson County High School
  • Gordonsville High School
  • Greenfield High School
  • Halls High School
  • Hardin County High School
  • Harpeth High School
  • Haywood County High School
  • Hendersonville High School
  • Henry County High School
  • Hermitage Springs High School
  • Hillsboro High School
  • Huntingdon High School
  • Kenwood High School
  • Lawrence County High School
  • Lewis County High School
  • Liberty Tech Magnet HS
  • Madison Academic Magnet HS
  • Marshall County High School
  • McEwen High School
  • McKenzie High School
  • McMinn Central High School
  • McNairy County Central H.S.
  • Montgomery Central High School
  • Morristown-Hamblen
  • Mt Pleasant High School
  • Munford High School
  • Nashville Christian High School
  • North Side High School Jackson
  • Northwest High Clarksville
  • Oak Ridge High School
  • Obion County Central High School
  • Ooltewah High School
  • Peabody High School
  • Polk County High School
  • Ripley High School
  • Riverside High School
  • Rossville Academy
  • Santa Fe High School
  • Science Hill High School
  • Siegel High School
  • South Fulton High School
  • South Haven Christian School
  • Spring Hill High School
  • St. Andrews-Sewanee School
  • Stewart County High School
  • Tipton-Rosemark Academy
  • Union City High School
  • Upperman High School
  • Wayne County High School
  • Webb School High School
  • West Carroll High School
  • Westminster Acad.
  • Westview High School
  • White House High School
  • White Station High School
  • Wilson Central High School
  • Zion Christian Academy

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: www.ssnbreach.org.

About SSNBreach.org

SSNBreach.org is a free online directory of victims of personal information breaches that tells you whether your personal information has been exposed.

SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.


Scratchpad50.com puts 60 at Risk of ID Theft

In September 2007, a file containing the names, social security numbers, scores, grades, and other information of about 64 students was exposed on Scratchpad50.com. The operator of the domain could not be readily identified, so the host and domain registrars were notified. Though the file had already been removed from the site when it was discovered, the information was available until September 18, 2007 through a Google Cache.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: www.ssnbreach.org.


Virginia Tech Exposes 12 Social Security Numbers Online

On September 6, 2007, the Liberty Coalition discovered several files on a Virginia Tech server which appeared to contain potentially sensitive information for about 100 people, including 12 social security numbers. The files ranged from grading spreadsheets used by professors to team rosters, to the results of a survey about cell phone usage. Virginia Tech removed the most sensitive files within a month (i.e., the files containing social security numbers), but left others online.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: www.ssnbreach.org.
