Archive for January, 2008

Oregon State Posts 19 SSNs Online

CORVALLIS, Oregon. In December, 2007 the Liberty Coalition discovered sensitive personal information of 33 students and faculty on a University of Oregon Web server, including 19 social security numbers. The individuals affected appear to be participants in the 2006 NASA Robotics Academy in Maryland, under the direction of Melissa Jenson-Morgan. The personal information, which includes names, SSNs, phone numbers, GPA, Academic Majors, and other information, was placed in an Excel file on oregonstate.edu and indexed by major search engines.

Individuals on this list are at increased risk of identity theft.

Individuals affected by this breach should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

About SSNBreach.org

Sponsored by the Washington, DC non-profit Liberty Coalition, SSNBreach.org provides hundreds of thousands of free personalized Identity Exposure Reports™ as a public service.

SSNBreach.org documents the types of information exposed, but does NOT contain sensitive data, such as Social Security Numbers, Birth Dates, Addresses, etc. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Once we document the types of exposed information, and the situation surrounding the breach, we include the information in personalized Identity Exposure Reports. This information allows victims to further investigate, take action, or correct harm.

Source: https://www.ssnbreach.org/release.php?g=61

U. Mass, Dartmouth Prof. Puts 32 Students’ Personal Info Online

DARTMOUTH, Massachusetts. In December, 2007 the Liberty Coalition discovered the names, grades, GPA, and partial social security numbers for 32 former students of Phuong Tu, probably from the Fall, 2004 CIS 100 class. Ironically, the sensitive information was posted on the Computer and Information Science Department’s main web server. In the file, students’ complete social security numbers appeared to be listed, with only the first number replaced by a zero.

By placing this information online, the University of Massachusetts Dartmouth has put these students at increased risk of identity theft.

Individuals affected by this breach should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

Source: https://www.ssnbreach.org/release.php?g=60

University of Wisconsin Prof. Posts 196 Names and Grades Online

MADISON, Wisconsin. In late November, 2007 the Liberty Coalition discovered the names, scores, and grades of 196 students of Professor Yu Hen Hu’s ECE 734 classes between 1994 and 2006. The information was posted in Excel files on a University of Wisconsin – Madison server. According to the server, the files had been online for several years. Students affected by this breach are NOT at special risk of identity theft.

This breach fits within a common national pattern where university faculty or staff use university servers to store backed-up files, and later forget them or assume that they are not available to the public. Unfortunately in this instance, some of Professor Hu’s backed-up files contained sensitive information which was made available online and was picked up by search engines.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

About SSNBreach.org

SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information has been exposed.
SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.

Source: https://www.ssnbreach.org/release.php?g=56

Grissom Air Reserve Base Supervisor Exposes 11 Personnel Online

GRISSOM ARB, Indiana. A Grissom Air Reserve Base weather station supervisor recently posted sensitive personnel information on his personal website, www.0cool.net. The Excel file contained contact information for 11 individuals, including seven social security numbers, dates of birth, driver’s license numbers, and other information. The Liberty Coalition contacted one employee who explained that he had found the information by Googling himself days earlier. He talked to the supervisor, who explained that the file was a failed attempt at creating a random number generator. For some reason the supervisor used fellow employees’ sensitive data for testing purposes. As a result, his fellow workers are now at extreme risk of identity theft. The Liberty Coalition was unable to reach the supervisor directly.

The file had been deleted when the Liberty Coalition discovered it, but the information remained in Google’s cache for several weeks.

Individuals affected by this breach should immediately visit www.ssnbreach.org and search for their names, to confirm what types of personal information were exposed.

Source: https://www.ssnbreach.org/release.php?g=62

Texas State University Exposes Employment Info of 2,215 Online

SAN MARCOS, Texas. The Texas State University Computer Science Department website posted the names, birth dates, hire dates, salary and employment information for 2,215 Southwest Texas State University (SWT) Faculty and Administrators in fiscal years 1998 through 2003. We are aware that in many states, government employee salary information is public information. We are unaware whether Texas law also requires public disclosure of personally identifiable information, such as names, dates of birth, or EEO status. Regardless of Texas law, exposure of a name and birth date combined with other employee information may create additional risk for some individuals.

According to the Excel file metadata, the file was created on February 18, 2003, and has been online since at least March 2006. According to the file, the data source is the employee profile (PEXXEMPF) file of the SWT database. The Liberty Coalition encouraged the university to re-evaluate the need to post all of the information.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: https://www.ssnbreach.org/release.php?g=55

Texas Education Agency Exposes SSNs of Three People Online

AUSTIN, Texas. Earlier this month, the Texas Education Agency posted the names, social security numbers, and birth dates of three individuals who applied to take the GED. The report is dated March 23, 1998, and was online between at least October 1999 and December 2008, or almost 10 years.

The three individuals on this list are at extreme risk of identity theft.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: https://www.ssnbreach.org/release.php?g=54

13 Names and SSNs Escape from USA Funds, End Up on Geocities.com

INDIANAPOLIS, Indiana. In late November, 2007, the Liberty Coalition discovered the names, partial Social Security Numbers, and detailed student loan information in a report titled “United Student Aid Funds: …For the Week Ended 05/08/2004.” The report includes information about 13 students or former students who had taken out student loans. Though identified as a United Student Aid (USA) Funds report, the file was posted on geocities.com, by a user named “pvvanitha.” The report, named “report_format.doc,” was report number “DACBRT05,” created on December 10, 2004 by “UFD612R1.”

The Liberty Coalition notified several Vice Presidents of USA Funds, and the FBI of the breach. The FBI forwarded the complaint to the Office of the Indiana State Attorney General Consumer Protection Division, which contacted the Liberty Coalition for additional information. No additional action by the Attorney General is known at this time. The Liberty Coalition also contacted Geocities/Yahoo, and got their usual brain-dead responses thanking us for contacting them.

Bob Murray, Vice President of Corporate Communications explained,

“…we have worked with our vendors to have the link to the file removed from Geocities.com. We are in the process of requesting removal of references to this file from Internet archives and search engine caches. We also are attempting to contact the individuals named in the file. In addition, we are conducting an investigation into how this internal file was made public, in violation of our corporate privacy policies.
“We assure you that USA Funds and its vendors take significant steps to protect the personal, non-public information of our customers. You should also be aware that during the past year, USA Funds and its vendors have begun moving away from the use of Social Security numbers to entirely separate customer identification numbers as identifiers for our customer accounts.”

USA Funds is also setting up a phone number which affected customers can call for more information.

According to a Wikipedia article on USA Funds, the organization has supported nearly $115.5 billion in higher education financial aid in the last 44 years, serving more than 13.6 students or parents.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: https://www.ssnbreach.org/release.php?g=53

43 South Florida Workforce Participants’ Personal Information Online

MIAMI, Florida. South Florida Workforce, a job and career services organization, posted the names and personal information of 43 of its participants on its website. The Liberty Coalition discovered an Excel file posted on a public document sharing site containing an internal trouble ticket log with 43 names and the last four digits of social security numbers. Three of the participants’ names and full social security numbers were exposed. Businesses extend credit based upon the last four digits of the social security number, and some financial institutions use it as a password, making it an extremely sensitive piece of information. By placing this information online, South Florida Workforce has put these individuals at increased risk of identity theft and other types of fraud.

According to the server, the file was placed online March 2, 2007. It appears to have been cleared from search engine caches as of January, 2008.

According to one employee, when a participant calls with a problem, South Florida Workforce routinely records that person’s name and Social Security Number in internal documentation. In this instance, some of that documentation was accidentally placed on a public website. The Liberty Coalition recommends that South Florida Workforce immediately change its policy of using social security numbers to identify its participants.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Murray State University Exposes 260 Student SSNs Online

MURRAY, Kentucky. The Murray State University College of Education posted the personal information of 260 students and professionals, including names, social security numbers and birth dates, ethnicity, gender, GPA, and test scores on its website. Affected students are all participants in Continuing NCATE Accreditation through Murray State University, and the information is in an Excel report called “2000-2001 State Admissions Report.” The report was last revised in June, 2001 and was posted online in Excel format on or before June 13, 2002. Since that time it has been available to the world online. Google picked up the file in its cache at least 1 1/2 years ago. When in Google’s cache, otherwise “hidden fields” are automatically un-hidden, and are automatically displayed.

Almost all of the information in this report is sensitive, and much of it is protected by FERPA and other applicable laws. Most importantly, Murray State University has put these students at severe risk of identity theft and other forms of fraud or harm.

Considering that this breach went undetected by the university for more than five years, the Liberty Coalition encourages Murray State University to re-evaluate its security protocols, and implement server-side text and non-text file searching for risky information on university servers, before it is picked up by major search engines.
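One way to implement the server-side search recommended above, as an added example that is not the Liberty Coalition's or any university's own code: it walks a web root, looks inside ZIP-based office files as well as plain text, and reports only a count per file, never the values. The function names, file names and SSN-shaped values are constructed for illustration.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# SSN-shaped value: 3-2-4 digits, separators both '-', both ' ', or both absent.
SSN_RE = re.compile(rb"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def count_ssn_like(data: bytes) -> int:
    """Count SSN-shaped values, skipping ones the SSA never issues."""
    hits = 0
    for m in SSN_RE.finditer(data):
        area, group, serial = m.group(1), m.group(3), m.group(4)
        if area in (b"000", b"666") or area.startswith(b"9"):
            continue
        if group == b"00" or serial == b"0000":
            continue
        hits += 1
    return hits

def scan_file(path: Path) -> int:
    """Scan one file; ZIP containers (.xlsx, .docx) are searched member by member."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            return sum(count_ssn_like(zf.read(name)) for name in zf.namelist())
    return count_ssn_like(path.read_bytes())

def scan_tree(root) -> dict:
    """Map relative path -> hit count. Values themselves are never recorded."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def build_constructed_webroot(root) -> None:
    """Constructed sample data: fake SSNs in a hidden sheet and a CSV, plus a decoy."""
    root = Path(root)
    (root / "reports").mkdir(parents=True)
    sheet = (b'<worksheet><cols><col min="2" max="2" hidden="1"/></cols><sheetData>'
             b'<row r="2"><c r="B2" t="inlineStr"><is><t>123-45-6789</t></is></c></row>'
             b'<row r="3"><c r="B3"><v>219099999</v></c></row>'
             b'</sheetData></worksheet>')
    book = b'<workbook><sheets><sheet name="Admissions" state="hidden"/></sheets></workbook>'
    with zipfile.ZipFile(root / "reports" / "admissions.xlsx", "w",
                         zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", book)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    (root / "roster.csv").write_text("name,id\nA. Sample,078 05 1120\n")
    (root / "contact.txt").write_text("Office: 555-867-5309, ref 000-12-3456\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_webroot(tmp)
        for name, hits in scan_tree(tmp).items():
            print(f"{hits:3d} SSN-like value(s): {name}")
```

Hidden sheets and hidden columns make no difference to the scan, because the cell values are still stored in the file. Binary formats that store numbers in non-text form need a format-aware parser on top of this byte search.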

In response to this notification, Murray State University issued a Media Statement, which is re-published here in full:

“MURRAY, Ky. – On January 3, 2008, Murray State University’s College of Education received notification from the Liberty Coalition, an organization focused on prevention of identity breach issues, that personal student information including student names, social security numbers and birth dates was accessible by manipulating a Microsoft Excel file on the MSU College of Education website. Upon learning of this the College of Education removed the file from its web site and took steps to remove the information from search engine caches. The file was a 2000-2001 Admission to Teacher Education report posted online in Microsoft Excel format in preparation for the fall 2002 accreditation visit by the National Council for Accreditation of Teacher Education (NCATE) and Kentucky Education Professional Standards Board (EPSB).

“While on opening the file revealed no personal data that could be connected to any student it did contain ‘hidden fields’ which could be manipulated to reveal the information listed above. It was not MSU’s practice or procedure to post any file for this particular report in Excel format, opting instead for the Acrobat reader format. The posting of this Excel file was inadvertent and unintended. Evaluation of web logs available to Murray State indicate that the file has been searched for, however, Murray State is unable to determine whether the information in the ‘hidden fields’ has, in fact, been accessed.

“The University notified affected individuals by mail and provided information on identity theft precautions and other precautionary measures.

“MSU has taken and is continuing to take steps to remedy the situation. This is a regrettable incident and Murray State considers any breach of privacy and confidentiality as a serious matter. The University will make every effort to address concerns and questions on this sensitive issue. For more information please contact Bonnie Adams in MSU’s College of Education at 270-809-3833 or email

.”

The Liberty Coalition encourages individuals affected by this breach to follow precautionary measures as outlined on this site, and as directed by MSU.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Colorado State University Exposes 300 Students’ Personal Info Online

FORT COLLINS, Colorado. On November 15, 2007, the Liberty Coalition discovered four files containing sensitive personal student information for 300 Colorado State University students on the Warner College of Natural Resources website. The files include 208 social security numbers, usernames, passwords (derived from the social security number), and other information. The affected individuals all appear to be former College of Natural Resources students.

The files were created between 2000 and 2004, and according to meta properties contained in the Excel file, they were last saved by “Ingrid Burke” or “Craig Spooner.” One of the files seems to have originated with “Mark Gathany” of Ohio University. Students affected by this breach may be at extreme risk of identity theft.

University officials immediately responded, taking down the file and working to get search engine caches cleared. Scott Baily, Associate Director of Academic Computing & Networking Services explained,

“Colorado State University takes personal privacy very seriously, and has policies against maintaining unencrypted files containing sensitive information. Indeed, last year we undertook a campus-wide SSN purge activity, where University-owned computers were scanned in an attempt to remove all files containing sensitive information…. I have contacted Yahoo, the only search engine that we can confirm had these files in their cache…. A total of 114 unique SSNs are involved. CSU has initiated a course of action to notify the affected parties to the extent possible.”

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

Source: https://www.ssnbreach.org/release.php?g=45
