Archive for category Data Breaches
In Response to Data Breach, Cracked.com Changes Privacy Policy
Posted by Titus in Data Breaches on January 14, 2008
NEW YORK, New York. In early October, 2007, the Liberty Coalition discovered a file containing what appears to be the names, genders, dates of birth, salary information, e-mail addresses, t-shirt sizes, and contact information for approximately 1,010 Cracked.com subscribers. The file was available to the online public: it was not password-protected, encrypted, or behind a firewall, and it required no authentication to access. The exposure contradicted Cracked.com’s already weak Privacy Policy:
“We use commercially reasonable efforts to safeguard and secure your personal information while stored on our computer systems. We use a variety of industry standard security measures, including encryption and authentication tools, to maintain the confidentiality of your personal information. Your personal information is stored behind industry standard firewalls and is only accessible by a limited number of persons who are authorized to access such systems, and are required to keep the information confidential.” (Accessed 11 October 2007)
However, presumably in response to this breach, Cracked.com has since changed its privacy policy to disclaim all responsibility for exposing customer data:
“We have physical, electronic, and managerial procedures to help safeguard, prevent unauthorized access, maintain data security, and correctly use your information. HOWEVER, WE DO NOT GUARANTEE SECURITY. Neither people nor security systems are foolproof, including encryption systems. In addition, people can commit intentional crimes, make mistakes or fail to follow policies. If applicable law imposes any non-disclaimable duty (if any), you agree that the standard used to measure our compliance with that duty will be one of intentional misconduct.”
Translation: “We screwed up, and we’re not going to take any responsibility for it unless you sue us. You’re on your own if we put you at risk.”
By the time the file was discovered, it had already been removed from cracked.com, but continued to be available through Google’s cache. Cracked.com was notified of the breach, and they subsequently changed their privacy policy.
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.
About SSNBreach.org
SSNBreach.org is a free online directory of victims of personal information breaches that tells you whether your personal information has been exposed.
SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.
Special Olympics, Texas Exposes 2,665 Partial SSNs Online
Posted by Titus in Data Breaches on December 26, 2007
AUSTIN, Texas. The Liberty Coalition recently discovered what appeared to be 2,665 partial Social Security Numbers of coaches for the Texas Special Olympics in two Excel files on the Texas Special Olympics website. The last four digits of the Social Security Number are often used to extend credit, and some financial institutions use them as a password. By placing this information online, the Texas Special Olympics has put these coaches at an elevated risk of identity theft. The files also contain location and coach certification information.
The files were online since at least February, 2006, and were removed in early December, 2007.
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.
Source: www.ssnbreach.org.
Titanfoundation.com Posts Personal Information for 1,689 Online
Posted by Titus in Data Breaches on December 26, 2007
In October 2007, the Liberty Coalition discovered seven files on the website titanfoundation.com exposing personal information of 1,689 individuals. The files contain names, addresses, Social Security Numbers, email addresses, and financial information. Some individuals on this list are at extreme risk of identity theft.
The files contained individual notes of a personal nature such as, “I am a housewife and have my granddaughter to care for,” “I’m pregnant, due in December, want to stay home with my new baby,” “unemployed mother of two young children,” “my family is having a rough patch with money right now and i need some extra help,” and “I recently lost my job and need an income.”
The FBI was notified, and the files were confirmed deleted within 24 hours. However, the information remained available through Google’s cache until late December, 2007.
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.
Source: ssnbreach.org.
Army ROTC Releases 551 SSNs Online
Posted by Titus in Data Breaches on December 26, 2007
FORT MONROE, Virginia. On November 3, 2007 the Liberty Coalition discovered files online that contain sensitive information for 4,057 former ROTC scholarship winners from across the country, including 551 Social Security Numbers. The remaining files contain full names, academic majors, schools, scholarship award and suspense information, and other information for 3,506 individuals. It is unclear whether any of this information is protected by FERPA.
The ROTC website’s Privacy Policy states that “All information provided by military sources on this site is considered public information and may be distributed or copied.” By making students’ names and Social Security Numbers available online, apparently as “public information,” the ROTC put these individuals at severe risk of identity theft.
The Liberty Coalition was unable to determine how long the files were available online, but they were created or last modified as early as November 27, 2006. The file containing the most sensitive information was confirmed removed from the website on November 6, 2007. However, the information remained in Google’s search engine caches until mid December, 2007.
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.
Source: www.ssnbreach.org.
University of New Mexico Breach Affects 333 Former Students
Posted by Titus in Data Breaches on December 7, 2007
In early November, 2007, the Liberty Coalition discovered 31 separate files containing sensitive information for 333 students who took math courses from Associate Professor Vakhtang Putkaradze between Fall 2001 and Fall 2004 at the University of New Mexico. The files appear to contain full names, 177 partial Social Security Numbers, 190 e-mail addresses, and grades for all 333 students. The last four digits of a person’s Social Security Number are used by businesses to extend credit, and may be used by some financial institutions as a password or identifier. By placing this information online, the University of New Mexico has put these students at an elevated risk of identity theft. In addition, much of the exposed information may be protected by FERPA or other applicable laws.
Information provided publicly by the University of New Mexico’s server indicates that the files have been online since as early as 2001.
UNM immediately deleted the files in question, but some remained available in search engine caches into December, 2007. According to one University of New Mexico official, the university is attempting to contact the affected students, most of whom are no longer at UNM.
University of New Mexico recently activated Google indexing for the campus website, making UNM pages more visible than they once were. The UNM official explained,
“We have notified the departmental IT staffs and asked them to take a careful look at their public data…. We do include a discussion of sensitive data in all new faculty orientations at UNM; however, this material was apparently not added to the new faculty orientation until after Professor Putkaradze arrived on campus. We are reviewing this material and ways to ensure that all faculty at UNM are aware of their obligations to protect student data. UNM takes the protection of private student data very seriously. As much as I would prefer that we did not have incidents like this, I am very grateful that you alerted me to this problem.”
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.
Source: www.ssnbreach.org.
ID Thief Gives Away 49 New York Residents’ Personal Info
Posted by Titus in Data Breaches on December 7, 2007
An identity thief who identifies himself as “Cypher” explained how he went dumpster diving in New York for sensitive information. Though the Liberty Coalition discovered the file in August, 2007 and reported the breach to the FBI on August 26, the file remained online for several months, and was confirmed deleted only on December 7, 2007.
The text file he posted, entitled “Dumpster Diving… Part II.” contained addresses and social security numbers for 49 New York residents. The file boasts, “CONTACT ORGANIZED CONFUZION VIA VOICEMAIL: UNITED STATES HEAD QUARTERS 1+212-415-0239 AFTER 22:00” The number turned out to be a fax number.
This file was reported to the FBI (without any visible action on the FBI’s part), and the Liberty Coalition requested Google to purge it from its caches.
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.
Source: www.ssnbreach.org.
Hundreds of U of Delaware Chemistry Students at Risk of ID Theft
Posted by Titus in Data Breaches on December 3, 2007
NEWARK, Delaware. On November 15, 2007 the Liberty Coalition discovered 20 separate files containing sensitive personal information for roughly 582 University of Delaware Chemistry students who participated in the Chemistry mentoring program between 2000 and 2004. This information included full names, dates of birth, roughly 482 social security numbers, addresses, telephone numbers, e-mail addresses, home addresses, and a range of other personal information of current or former University of Delaware students. Students affected by this breach may be at extreme risk of identity theft. The files were available to the public on a University of Delaware website.
According to the server, the files had been posted online for as long as seven years. Officials have indicated that the University of Delaware switched away from using Social Security Numbers as identifiers several years ago, and that they did a text-search for social security numbers on their servers at that time. Unfortunately, their internal search engine failed to scan non-plain text files such as MS Excel files.
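The gap described above, shown as an added example that is not part of the original post or of any University of Delaware tooling: a plain-text search over raw file bytes finds nothing in a compressed spreadsheet container, while a scan that opens the container does. It assumes the modern `.xlsx` layout (a ZIP of XML parts) and uses constructed sample values; legacy binary `.xls` files need their own parser.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# SSN-shaped strings: 3-2-4 digits, with or without dashes.
SSN_RE = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")
NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def build_sample_xlsx(cells):
    """Constructed test data: a minimal .xlsx-style ZIP holding shared strings."""
    items = "".join(f"<si><t>{c}</t></si>" for c in cells)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/sharedStrings.xml", f'<sst xmlns="{NS}">{items}</sst>')
    return buf.getvalue()


def plain_text_scan(data):
    """Count matches the way a plain-text search does: over the raw file bytes."""
    return len(SSN_RE.findall(data.decode("latin-1")))


def xlsx_scan(data):
    """Count matches per XML part after opening the ZIP container.

    Returns counts only, so the scan report does not itself hold SSNs.
    """
    counts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".xml"):
                continue
            root = ET.fromstring(z.read(name))
            n = sum(len(SSN_RE.findall(t)) for t in root.itertext())
            if n:
                counts[name] = n
    return counts


# Constructed sample rows; area number 000 is never issued, so these are not real SSNs.
SAMPLE = build_sample_xlsx(
    ["Name", "ID", "Jane Example", "000-12-3456", "John Example", "000987654"]
)

if __name__ == "__main__":
    print("plain-text scan hits:", plain_text_scan(SAMPLE))
    print("container-aware scan hits:", xlsx_scan(SAMPLE))
```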
All of the files are posted in an online folder belonging to Professor Harold White of the Department of Chemistry and Biochemistry, who was shocked to find that they were there. As is often the case, the files were posted on an online file server that requires a password to upload files, but which is available to the public without a password.
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.
Source: www.ssnbreach.org.
Scholarship Foundation Created by Monster.com Founder Exposes 694 Students’ Personal Information
Posted by Titus in Data Breaches on November 26, 2007
NEW YORK, New York. Hundreds of high school students from Pennsylvania, New York and West Virginia may be at extreme risk of identity theft after winning scholarships from the McKelvey Foundation. The scholarship foundation, started by Monster.com founder Andrew McKelvey, placed a massive cache of former McKelvey Foundation Scholarship winners’ personal information online. A total of 51 files were discovered by the Liberty Coalition on November 8, 2007, using a major search engine. The files contained thousands of records, and roughly 694 unique names, social security numbers, dates of birth, high school, address, phone number, e-mail address, and other sensitive information. The server indicated that most of the files were last modified as early as March, 2004, indicating that they have probably been available online more than three years. Some of the files were modified as late as April 2007.
The Liberty Coalition notified several hundred of the victims of this breach by e-mail on November 26, 2007. Of the dozens who replied to the Liberty Coalition, none reported that they had been notified of the breach by the Foundation.
Though the McKelvey Foundation removed the files from the server within 24 hours of notification, it may be impossible to determine how many people accessed the files, who has copies of the files, or where they are in the world.
A McKelvey Foundation representative explained that the breach was a mistake, and that they were unaware that the files were online at the time the Liberty Coalition contacted them.
Individuals on these lists are at extreme risk of identity theft and other forms of danger. In addition, we also note that as of the date of this announcement, the McKelvey Foundation’s current website is not secure or encrypted, even though they require student applicants to surrender a wide range of sensitive information online. Until the McKelvey Foundation secures its website, all youth who apply to the McKelvey Foundation expose their most sensitive information, including home address, e-mail, phone number, high school (and, until November 2008, their social security numbers) to additional risk as it is passed over the internet unencrypted. The Liberty Coalition recommends that students avoid applying for a McKelvey Foundation Scholarship until the foundation encrypts its website, creates a privacy policy, and demonstrates an appreciation of the profound trust thousands of youth and parents have placed in it.
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.
Source: www.ssnbreach.org.
University of Florida Exposes 415 Student Social Security Numbers Online
Posted by Titus in Data Breaches on November 19, 2007
GAINESVILLE, Florida. On November 15, 2007, the Liberty Coalition discovered 14 separate files on the University of Florida Computing and Networking Services (CNS) website containing sensitive information for 534 former University of Florida students, including 415 social security numbers. All affected individuals appear to be former students of Richard A. Elnicki, D.B.A., Professor Emeritus in ISM 4220 and 4220 between 1998 and 2001.
The University of Florida Office of Information Technology, Computer Networking Services, and the FBI were notified of the breach. The files were taken down immediately by University officials, and they took steps to ensure that major search engines cleared their caches of the sensitive information.
The files were posted on an online file server that requires a password to upload files, even though the public can download the files without a password. Although the Liberty Coalition was unable to contact Professor Elnicki directly, past experience has shown that university faculty occasionally mistakenly believe that files uploaded to these types of servers are secure, or at least not available to the public.
The server indicated that many of the files had been online since 1998. Considering the files have gone undetected for up to nine years, even though they apparently sit on a CNS server, the University of Florida’s failure to detect these files seems especially shocking. Students affected by this breach are at severe risk of identity theft.
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.
Source: www.ssnbreach.org.
Penn State Department of Geosciences Exposes 39 Students’ Personal Information
Posted by Titus in Data Breaches on November 17, 2007
UNIVERSITY PARK, Pennsylvania. In September, 2007 the Liberty Coalition discovered four files on the Penn State Department of Geosciences website containing Social Security Numbers, assignment scores, test scores, and grades of roughly 39 students.
The University and FBI were notified, and Penn State removed the files within a few business hours of notification. The files were confirmed deleted from Google’s cache in mid-October. However, cached versions of the files remained in other major search engines until mid-November, 2007.
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.
Source: www.ssnbreach.org