Because I am Here

MIAMI, Florida. South Florida Workforce, a job and career services organization, posted the names and personal information of 43 of its participants on its website. The Liberty Coalition discovered an Excel file posted on a public document sharing site containing an internal trouble ticket log with 43 names and the last four digits of social security numbers. Three of the participants’ names and full social security numbers were exposed. Businesses extend credit based upon the last four digits of the social security number, and some financial institutions use it as a password, making it an extremely sensitive piece of information. By placing this information online, South Florida Workforce has put these individuals at increased risk of identity theft and other types of fraud.

According to the server, the file was placed online March 2, 2007. It appears to be clear from search engine caches as of January, 2008.

According to one employee, when a participant calls with a problem, South Florida Workforce routinely records that person’s name and Social Security Number in internal documentation. In this instance, some of that documentation was accidentally placed on a public website. The Liberty Coalition recommends that participants in South Florida Workforce immediately change their policy of using social security numbers to identify its participants.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

About SSNBreach.org

SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information has been exposed.
SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.

MURRAY, Kentucky. The Murray State University College of Education posted the personal information of 260 students and professionals, including names, social security numbers and birth dates, ethnicity, gender, GPA, and test scores on its website. Affected students are all participants in Continuing NCATE Accreditation through Murray State University, and the information is in an Excel report called “2000-2001 State Admissions Report.” The report was last revised in June, 2001 and was posted online in Excel format on or before June 13, 2002. Since that time it has been available to the world online. Google picked up the file in its cache at least 1 1/2 years ago. When in Google’s cache, otherwise “hidden fields” are automatically un-hidden, and are automatically displayed.

Almost all of the information in this report is sensitive, and much of it is protected by FERPA and other applicable laws. Most importantly, Murray State University has put these students at severe risk of identity theft and other forms of fraud or harm.

Considering that this breach went undetected by the university more than five years, the Liberty Coalition encourages Murray University to re-evaluate its security protocols, and implement server-side text and non-text file searching for risky information on university servers, before it is picked up by major search engines.

In response to this notification, Murray State University issued a Media Statement, which is re-published here in full:

“MURRAY, Ky. – On January 3, 2008, Murray State University’s College of Education received notification from the Liberty Coalition, an organization focused on prevention of identity breach issues, that personal student information including student names, social security numbers and birth dates was accessible by manipulating a Microsoft Excel file on the MSU College of Education website. Upon learning of this the College of Education removed the file from its web site and took steps to remove the information from search engine caches. The file was a 2000-2001 Admission to Teacher Education report posted online in Microsoft Excel format in preparation for the fall 2002 accreditation visit by the National Council for Accreditation of Teacher Education (NCATE) and Kentucky Education Professional Standards Board (EPSB). “While on opening the file revealed no personal data that could be connected to any student it did contain ‘hidden fields’ which could be manipulated to reveal the information listed above. It was not MSU’s practice or procedure to post any file for this particular report in Excel format, opting instead for the Acrobat reader format. The posting of this Excel file was inadvertent and unintended. Evaluation of web logs available to Murray State indicate that the file has been searched for, however, Murray State is unable to determine whether the information in the ‘hidden fields’ has, in fact, been accessed.

“The University notified affected individuals by mail and provided information on identity theft precautions and other precautionary measures.

“MSU has taken and is continuing to take steps to remedy the situation. This is a regrettable incident and Murray State considers any breach of privacy and confidentiality as a serious matter. The University will make every effort to address concerns and questions on this sensitive issue. For more information please contact Bonnie Adams in MSU’s College of Education at 270-809-3833 or email

.”

The Liberty Coalition encourages individuals affected by this breach to follow precautionary measures as outlined on this site, and as directed by MSU.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

About SSNBreach.org

SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information has been exposed.
SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.

FORT COLLINS, Colorado. On November 15, 2007, the Liberty Coalition discovered four files containing sensitive personal student information for 300 Colorado State University students on the Warner College of Natural Resources website. The files include 208 social security numbers, usernames, passwords (derived from the social security number), and other information. The affected individuals all appear to be former College of Natural Resources students.

The files were created between 2000 and 2004, and according to meta properties contained in the Excel file, they were last saved by “Ingrid Burke” or “Craig Spooner.” One of the files seems to have originated with “Mark Gathany” of Ohio University. Students affected by this breach may be at extreme risk of identity theft.

University officials immediately responded, taking down the file and working to get search engine caches cleared. Scott Baily, Associate Director of Academic Computing & Networking Services explained,

“Colorado State University takes personal privacy very seriously, and has policies against maintaining unencrypted files containing sensitive information. Indeed, last year we undertook a campus-wide SSN purge activity, where University-owned computers were scanned in an attempt to remove all files containing sensitive information…. I have contacted Yahoo, the only search engine that we can confirm had these files in their cache…. A total of 114 unique SSNs are involved. CSU has initiated a course of action to notify the affected parties to the extent possible.”

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

About SSNBreach.org

SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information has been exposed.
SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.

Source: https://www.ssnbreach.org/release.php?g=45

PROVO, Utah. The Brigham Young University’s Counseling and Career Center appears to have exposed personal information of 89 BYU Medical school Applicants by placing their names and personal information on its website. The information, contained in an excel file named “MD-DO-Stats-2006.xls,” contained full names, last three digits of social security numbers, gender, economic disadvantaged status, academic majors, race, MCAT scores, an indication of whether the applicant was accepted or rejected, and other academic information.

At least some of the information posted online is covered by the Family Educational Rights and Privacy Act (FERPA). When it was discovered by the Liberty Coalition in November, 2007, the original file had already been deleted from the BYU server, but part of the file remained in Google’s Cache until early December, 2007.

Student applicants from the following universities were affected:

• Case Western Reserve University School of Medicine
• Dartmouth Medical School
• Drexel University College of Medicine
• East TN State U., James H. Quillen Coll. of Med.
• Eastern Virginia Medical School
• Johns Hopkins University School of Medicine
• Loyola University Chicago Stritch School of Medicine

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

About SSNBreach.org

SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information has been exposed.
SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.

Source: https://www.ssnbreach.org/release.php?g=52

On November 1, 2007 the Liberty Coalition discovered an Excel file on the Montana State University Website containing personal information of university employees hired in August, 2006. The file is labeled “New Hire Report Aug 16, 2006,” posted by MSU Bozeman Personnel & Payroll Services: 19 Montana Hall, PO Box 172520, Bozeman, MT 59717-2529. The file contains the complete social security numbers, names, street addresses, and hire dates for roughly 42 University of Montana employees. According to the MSU Press release,

“…an independent security analyst [Liberty Coalition] informed university data security staff that an Excel spreadsheet with the names and Social Security numbers of 42 people — mostly new hires during the summer of 2006 — was available on the MSU Web site. The spreadsheet was immediately removed.”

By posting this information online, Montana State University has put these individuals at extreme risk of identity theft.

University officials removed the file immediately upon notice, and conducted an investigation. However, the university has not released the results of that investigation to the Liberty Coalition.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

About SSNBreach.org

SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information has been exposed.

SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.

Source: https://www.ssnbreach.org/release.php?g=51

LIBERTY, Kentucky. A former elementary school principal, and proprietor of Frysc Connect and Rick’s Computer Enterprise in Liberty, Kentucky posted a file online which appeared to contain 2,377 names, including 1,291 of his former students’ social security numbers, dates of birth, ethnicities, addresses, phone numbers, guardians’ names and other personal information. Rick claimed that he scrambled names and other information so they no longer matched. Though some of the information had apparently been scrambled, much had not.

For example, the Liberty Coalition was able to contact a few students and parents on the list by calling home phone numbers listed, and some parents’ names still matched children’s names. Because the file had been used for years for training purposes, unfortunately there is no way to determine how much of the information had been scrambled.

Even if most of the information had been scrambled, it is alarming that educators have easy access to so much children’s sensitive personal information, and that some feel free to copy it for their own use.

The file had been shared and used for more than six years to train school employees on his product called “The Ultimate FRC/YSC Toolkit,” a software package designed to help school districts manage student personal information. All of the individuals affected by this breach live in the small town of Liberty, Kentucky. Parents who find their own names on ssnbreach.org, but fail to find one of their children’s names, may assume that the child’s record had been scrambled.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

About SSNBreach.org

SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information
has been exposed.

SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.

Source: https://www.ssnbreach.org/release.php?g=50

NEW YORK, New York. In early October, 2007, the Liberty Coalition discovered a file containing what appears to be the names, genders, dates of birth, salary information, e-mail addresses, t-shirt sizes, and contact information for approximately 1,010 Cracked.com subscribers. The file was available to the online public, and was not password-protected, encrypted, behind a firewall, nor require authentication to access. The exposure contradicted Cracked.com’s already weak Privacy Policy,

“We use commercially reasonable efforts to safeguard and secure your personal information while stored on our computer systems. We use a variety of industry standard security measures, including encryption and authentication tools, to maintain the confidentiality of your personal information. Your personal information is stored behind industry standard firewalls and is only accessible by a limited number of persons who are authorized to access such systems, and are required to keep the information confidential.” (Accessed 11 October 2007)

However, presumably in response to this breach, Cracked.com has since changed its privacy policy to disclaim all responsibility for exposing customer data:

“We have physical, electronic, and managerial procedures to help safeguard, prevent unauthorized access, maintain data security, and correctly use your information. HOWEVER, WE DO NOT GUARANTEE SECURITY. Neither people nor security systems are foolproof, including encryption systems. In addition, people can commit intentional crimes, make mistakes or fail to follow policies. If applicable law imposes any non-disclaimable duty (if any), you agree that the standard used to measure our compliance with that duty will be one of intentional misconduct.”

Translation: “We screwed up, and we’re not going to take any responsibility for it unless you sue us. You’re on your own if we put you at risk.”

By the time the file was discovered, it had already been removed from cracked.com, but continued to be available through Google’s cache. Cracked.com was notified of the breach, and they subsequently changed their privacy policy.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

About SSNBreach.org

SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information
has been exposed.

SSNBreach.org does NOT contain sensitive data, such as Social
Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other
type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the
situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the
exposure.

Source: https://www.ssnbreach.org/release.php?g=30

AUSTIN, Texas. The Liberty Coalition recently discovered what appeared to be 2,665 partial social security numbers of Coaches for the Texas Special Olympics in two Excel files on the Texas Special Olympics website. The last four digits of the social security number are often used to extend credit, and some financial institutions use it as a password. By placing this information online, the Texas Special Olympics has put these coaches at an elevated risk of identity theft. The files also contain location and coach certification information.

The files were online since at least February, 2006, and were removed in early December, 2007.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

About SSNBreach.org

SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information has been exposed.
SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.

Source: www.ssnbreach.org.

In October 2007, the Liberty Coalition discovered seven files on the website titanfoundation.com exposing personal information of 1,689 individuals. The files contain names, addresses, Social Security Numbers, email addresses, and financial information. Some individuals on this list are at extreme risk of identity theft.

The files contained individual notes of a personal nature such as, “I am a housewife and have my granddaughter to care for,” “I’m pregnant, due in December, want to stay home with my new baby,” “unemployed mother of two young children,” “my family is having a rough patch with money right now and i need some extra help,” and “I recently lost my job and need an income.”

The FBI was notified, and the files were confirmed deleted within 24 hours. However, the information remained available through Google’s cache until late December, 2007.
You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

About SSNBreach.org
SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information has been exposed.

SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.

Source: ssnbreach.org.

FORT MONROE, Virginia. On November 3, 2007 the Liberty Coalition discovered files online that contain sensitive information for 4,057 former ROTC scholarship winners from across the country, including 551 Social Security Numbers. The remaining files contain full names, academic majors, schools, scholarship award and suspense information, and other information for 3,506 individuals. It is unclear whether any of this information is protected by FERPA.

The ROTC website’s Privacy Policy states that “All information provided by military sources on this site is considered public information and may be distributed or copied.” By making Students’ names and Social Security Numbers available online, apparently as “public information,” the ROTC put these individuals at severe risk of identity theft.

The Liberty Coalition was unable to determine how long the files were available online, but they were created or last modified as early as November 27, 2006. The file containing the most sensitive information was confirmed removed from the website on November 6, 2007. However, the information remained in Google’s search engine caches until mid December, 2007.

You can confirm whether you were affected by this breach by searching for your name at www.ssnbreach.org.

About SSNBreach.org

SSNBreach.org is a free online directory of victims of personal information breach, that tells you whether your personal information has been exposed.
SSNBreach.org does NOT contain sensitive data, such as Social Security Numbers (SSN), Birth Dates, Addresses, and the like. Consequently, there is no way to search for your SSN or any other type of sensitive data on SSNBreach.org. Instead of storing sensitive information, we document what information was exposed, and the situation surrounding the breach. This information allows victims to further investigate, take action, or correct any harm from the exposure.

Source: www.ssnbreach.org.