http://securityratty.com/feed/ed372254c847b4d675176cbfd7130e92 Wed, 07 May 2008 18:20:50 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/f74dd3d54ef8465c68b7797c38075517 http://securityratty.com/article/f74dd3d54ef8465c68b7797c38075517 Security Breach

Date Reported:
5/14/08

Organization:
Oklahoma State University ("OSU") 

Contractor/Consultant/Branch:
OSU Parking & Transit Services

Victims:
OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008

Number Affected:
as many as 70,000

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008."

Reference URL:
Oklahoma State University Alert
KOCO Channel 5 News
The Daily O'Collegian
The Oklahoman

Report Credit:
Oklahoma State University

Response:
From the online sources cited above:

STILLWATER, Okla. -- Personal information belonging to anybody who got a parking pass at Oklahoma State University over the last five years has been compromised, university officials said Wednesday.

Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008.
[Evan] What does the OSU Parking and Transit Services department need Social Security numbers for?  Do you suppose information security personnel knew that sensitive personal information was stored on the server prior to this incident?

Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed.

The confidential information has been removed from the database.

The illegal access was limited to the parking and transit server.

As a result of its investigation, OSU believes the intruder's purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal and inappropriate content.
[Evan] I wonder if I am getting this right.  Was there a direct network path from the public Internet through a firewall to the compromised database server running http, ftp, or some other file transfer protocol?  That's not cool.  A database server storing confidential information should not be accessible from the internet directly through a firewall. It is generally a good practice to separate the database function from the file transfer function into different servers and different firewall DMZs.  All this for parking?  Ugh.

OSU contacted and worked with federal law enforcement authorities.

After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker; however, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.
[Evan] I wonder what evidence they looked for and how they went about gathering it.

We are not aware of any instances of misuse of this information or of any identify theft as a result of the temporary availability of this information.

OSU recommends you carefully review any bills or financial transactions you receive in the near future to ensure that the charges associated with your accounts are accurate.
[Evan] Yeah!  Review your bills (pay them occasionally) and financial transactions carefully.  But wait, you do this already?  Disappointing statement coming from an organization that did not carefully review their controls in securing your personal information.

OSU President Burns Hargis said, "This breakdown in security is totally unacceptable. We are conducting a full review and will take whatever steps are necessary to protect our network from unauthorized access. This is a serious matter and we will deal with it aggressively. We regret the circumstances and concern this situation has caused."
[Evan] This is my favorite statement from this story!  What do you suppose his stance was prior to being notified of the breach? 

In my experience, there are primarily ("primarily" because there are always exceptions) four types of senior information security management.  You have the organizations that just don't get it and don't really care or know that they don't get it.  These organizations lose information over and over and dangerously continue to operate in a business as usual manner.

Secondly, you have the organizations that didn't get it, suffer some adverse event, then HOLY &$#^!  They respond with all guns blazing and overspend on controls they don't need and run a very cost ineffective security program (I guess they really never got it either). 

Thirdly, there is the company that didn't get it, suffered an adverse event and admitted they have a problem.  These companies may seek guidance and consultation in the effort to build a comprehensive information security program.  These programs should be built around business objectives and sound risk management. 

Lastly, there are the companies that were proactive and built a sound information security program because it was good business.  These organizations didn't need an adverse event or breach before taking action.  These organizations don't panic when an adverse event occurs.  They know that eventually an adverse event will occur and they will be prepared when it does.

The server is believed to have been compromised on November 23, 2007. OSU learned of the breech [sic] on March 20, 2008 and blocked access to the server immediately.
[Evan] Wow.  The server was 0wn3d (like my 1337 5p34k?) for almost 4 months before anyone noticed?!  That is way, way, way too long for a compromised server to go unnoticed.  We can now assume that there was no effective IDS/IPS (host or network) and no effective logging and monitoring of the server.

The OSU Parking Department has altered their procedures for the collection of private information. Additionally, the server which was located at the OSU Parking Service's office will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect our network from unauthorized access.
[Evan] It's a very good idea to not collect private information if it is not required.  It's too bad that it took a breach for this to happen.  Moving the server from the Parking Service's office to the IT Data Center will help protect against physical security attacks, but this was a logical attack.  Maybe the IT Data Center has better firewalls or something .  I like the "full review".  This should be done no less than annually.

The IT Information Security Office has made security recommendations to the OSU Parking Office which include physical relocation of their server and database to a more secure location, additional training for server administrators, and added vulnerability assessments.

Q. How will I know if any of my personal information was used by someone else?
A. The best way to find out is to obtain your credit reports from the three major credit bureaus: Equifax, Experian and Trans Union. If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make, these could be indications that someone else is using your personal information, without your permission.
[Evan] "If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make", then chances are you have already become an identity-theft victim.  I'm not saying whether this is likely, or not.

Q. Why did you have my personal information?
A. You provided this information to us when you applied to Oklahoma State University, or during your tenure as a student or employee here. Oklahoma State, like other institutions, maintains records of all employees and students who have attended the University.
[Evan] Great question!  Why did you have my personal information (on a publicly accessible server used in a department that doesn't really need it without proper protections and without proper monitoring)?

Commentary:
This breach torques me a little, in case you didn't pick up on that from the comments above.  I made plenty.

Past Breaches:
Unknown

]]> Thu, 15 May 2008 11:08:54 +0000 server sensitive personal information personal information information server administrators server immediately server prior database server confidential information Oklahoma State University Parking Services server is compromised http://securityratty.com/article/c911429366b51bc32cae40fcf5414be0 http://securityratty.com/article/c911429366b51bc32cae40fcf5414be0 Security Breach

Date Reported:
5/8/08

Organization:
Dominican University

Contractor/Consultant/Branch:
None

Victims:
Students

Number Affected:
5,215

Types of Data:
"names, addresses, phone numbers, birthdays and Social Security numbers"

Breach Description:
"CHICAGO -- Some Dominican University students and alumni were notified this week of a breach in security that could have put their personal information at risk.  The university said two students were able to access records on a staff network storage area in April. The files were three spreadsheets from 2003, 2005 and 2007."

Reference URL:
WMAQ NBC Channel 5 News
RiverForest-Leaves
Dominican University

Report Credit:
Dominican University

Response:
From the online sources cited above:

Dominican University takes information security very seriously. In April, we discovered that two student workers had accessed Excel files containing limited student data by misusing passwords related to their work-study employment.

Two computer science sophomores who had password access through their work-study employment discovered three Excel files, containing a total of 5,215 student records.

These files were in an unsecure location that was to be accessible only to specific staff members.
[Evan] Is this password misuse or just poorly secured files and poor security?  The confidential files were stored in an unsecure location that was supposed to be accessible by specific staff.  Does this make any sense to you?

One of the students came forward earlier this month with the information that they had accessed files that were to be available to staff only. The students then disclosed the full extent of their access to the exposed data and demonstrated to the administration how the access occurred.
[Evan] I wonder if the school would have ever found out if the student didn't come forward.  My guess is not.

We notified all affected parties in writing, set up a toll-free hotline, and have worked closely with both the local police and states attorney’s offices.

A letter was sent to all affected students and alumni on April 18 when the extent of the exposure could be determined.

The students went through a full university judicial process, were suspended temporarily and have been barred from future campus employment, among other sanctions.

The students are expected to return to classes next fall "under a lot of supervision, as you'd expect,"
[Evan] I don't know.  There are probably students doing worse things on campus that probably need a lot more supervision than these two.  Judging only by what I have read, these students seem to have been pretty honest.  They came forward, they cooperated with the investigation and even demonstrated what they did. 

The university is conducting a complete security audit and internal review.
[Evan] This should be done a regular basis anyway.  All good information security programs conduct regular audits, assessments and reviews.

Dominican has conducted a complete internal security audit and has hired an external consultant to review all security processes.
[Evan] I endorse the school's decision to enlist a third-party consultant, assuming that the consultant is good at what they do.  The last statement contained the word "conducting", this statement contains "conducted".

At this time we have no reason to believe that any information has been misused, but retain the right to prosecute as necessary.

"Steps have been taken to make something like this more difficult to do in the future. We've significantly tightened security,"
[Evan] If I had a dime for every time I heard this, I could retire very comfortably. If there are no details or facts to support statements like this, they don't mean much to me

If I have more questions, who should I call? You can call our toll-free number: (877) 387-8310.

Student Reaction:
"I was a little upset. I was nervous. I didn't know what to do. I knew that our family's been affected by this before, so I wanted to react right away,"

"I think that's crazy, because ... people can get your information, know things about you (and) you can't do anything about it,"

"Someone actually just charged on my debit card something. (It was) unrelated to this, I think, but it freaks me out every day now,"
[Evan] This student didn't just buy some Adobe education version software, did he/she?

Commentary:
I'm not sure if I am reading this right or not, but it seems almost like these students stumbled upon the confidential files and informed officials of their findings.  I don't sense an dishonesty on their part.  I could be wrong, but it also seems like the school didn't (and maybe still doesn't) properly secure confidential information.  The statement about a secure file in an unsecured location is puzzling.

If assumptions are correct, then it may be ill-advised to sanction these students.  Does anyone else see this the same way, or would you say that I am off base here?

Past Breaches:
Unknown

]]> Wed, 14 May 2008 18:40:18 +0000 university dominican university dominican university students dominican students files security security processes access Two students access confidential Dominican University files http://securityratty.com/article/dea4cb8188870bfad6891526dcfee0f2 http://securityratty.com/article/dea4cb8188870bfad6891526dcfee0f2 Security Breach

Date Reported:
5/7/08

Organization:
Hong Kong and Shanghai Banking Corporation ("HSBC")

Contractor/Consultant/Branch:
Kwun Tong branch 

Victims:
Customers

Number Affected:
159,000

Types of Data:
"name, account number and transactions of customers"

Breach Description:
"HONG KONG, May 8 (Xinhua) -- The Hong Kong branch of banking giant Hongkong and Shanghai Banking Corporation Limited (HSBC) has lost a computer server with client data involving about 159,000 accounts, the bank confirmed on Wednesday."

Reference URL:
IDG Magazines Norge
Xinhua News Agency
The Standard

Report Credit:
The Breach Blog was notified by an anonymous tip at 11:15AM on May 7th.  It just took me a while to get it posted.  Sorry for the delay!

Response:
From the online sources cited above:

HSBC has admitted losing a server containing data on 159,000 customers.
[Evan] How do you lose a server?

The server went missing on 26 April from its Kwun Tong district branch in Hong Kong during renovation work

The server held customer names, account numbers, transaction amounts and transaction types

HSBC said the server is protected by "multiple layers of security" and the risk of data breaches and fraud is "deemed to be low".
[Evan] What kind of "multiple layers of security"?  This is one of those statements that is misused and overused.  Without details, who knows what they are talking about.

the server contained no PIN codes or online banking login credentials.

The bank said it has reported the incident to the police, the Hong Kong Monetary Authority, and the Hong Kong privacy commissioner.

The case has been classified as theft.
[Evan] Ah, so HSBC didn't really "lose" the server?  It was stolen.

The Monetary Authority has demanded that the bank contact all the affected customers and explain what measures could be taken to avoid potential losses thereof.

The bank is contacting customers, who will not be liable for any financial loss arising from any fraudulent activity as a result of the lost data.

Clients data are kept in a confidential manner. If any complaint arises, we will deal with it case by case, HSBC chairman Vincent Cheng Hoi-chuen said.

Internet Society chairman Charles Mok Nai-kwong said even though the server has been encrypted, there may still be ways to access the data.
[Evan] Charles Mok Nai-kwong states that the server was encrypted.  This is a good thing.

"I do not know how advanced the system is or the skill of those who want to access the data. But if the server goes to the police, they will have ways to get the data," Mok said.
[Evan] This reminds me of a few stories I have read where authorities were unable to break commercially available encryption implementations.  The one case that comes to mind was the case of the FBI unable to crack PGP encrypted PDAs captured from terrorists.  If the encryption was implemented correctly and key management is sound, it would be very difficult for the police to access meaningful information.

Commentary:
What type of physical controls were present at the time of the server theft?  Stuart King on his ComputerWeekly Risk management blog sums this up very well when he says "Spend all you want on boxes of tricks to stop the hackers getting in, but forget to lock the door to the servers and it's game over."

The last HSBC breach that we reported on The Breach Blog was also physical security related, see below.

Past Breaches:
February, 2008 - Five-year-old wanders into bank branch after-hours

]]> Wed, 14 May 2008 12:16:19 +0000 server hsbc server theft data lost data computer server data breaches clients data hong kong HSBC loses a server in branch renovation http://securityratty.com/article/15351609f42234c5774ba9e03af7e8e7 http://securityratty.com/article/15351609f42234c5774ba9e03af7e8e7 Security Breach

Date Reported:
5/8/08

Organization:
The Princeton Tower Club

Contractor/Consultant/Branch:
None

Victims:
Former club members

Number Affected:
103

Types of Data:
"names and social security numbers"

Breach Description:
"Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning."

Reference URL:
The Daily Princetonian
United Press International
Asbury Park Press

Report Credit:
Rachel Dunn and Josephine Wolff, The Daily Princetonian

Response:
From the online sources cited above:

Tower Club is taking steps to protect 103 of its alumni in the classes of 2006 and 2007 after a spreadsheet listing their names and social security numbers was e-mailed to current club members early Wednesday morning.

The document was attached to an apparently unrelated e-mail that informed current members about a club event.

The spreadsheet was attached unintentionally because of "a technical glitch," Tower graduate board chair Greg Berzolla ’87 said
[Evan] Really?  A technical glitch?  These types of breaches are usually the result of human error.

"The [spreadsheet] file wasn’t even available on the hard drive [of the computer that sent the e-mail]," Berzolla said. "[The e-mail system] took an old e-mail and used it as a template [for Wednesday’s e-mail] as near as we can guess. It’s not a system very many people use or understand, that’s the problem."

"I cannot comment on [the glitch] because I don’t understand it," he said. "I didn’t figure it out, I think the club technical chair [did]. [Tower president] Stephanie [Burset ’09] tried to explain it to me, but I think she doesn’t really understand it either."
[Evan] At least he is honest.

Burset said in an e-mail that Pine, the e-mail system Tower currently uses, is "fairly antiquated, but our tech chairs have assured me that nothing like this can ever happen again," and added that "we plan on switching to a new client whom is more secure and easier to use."
[Evan] I am concerned by statements like "nothing like this can ever happen again".  We still don't know why it happened in the first place.

The e-mail was sent by Tower officers from the tower@princeton.edu account to the roughly 200 current club members.

Tower officers sent another e-mail to the club yesterday asking members to delete the message from their mailboxes "out of respect for ’07."

Berzolla said he believes the risk of identity fraud is "extremely limited"

"It’s hard for any kind of fraud to occur that quickly," he said of the incident. "I feel confident that our club members are not going to use this information badly."
[Evan] It only takes one person.  It should also be mentioned that one or more of the destination email accounts could be a shared account and that these emails were sent in clear text (subject to the possibility of interception).

"[The breach] would have had to have been intentional [for there to be legal repercussions]," Berzolla said.
[Evan] Do you have to demonstrate intent to argue negligence (The failure to use reasonable care)?  I'm certainly not a lawyer, but I think that there are cases where victims have been awarded damages when there was not intent to harm on the part of the defendant.  I don't really advocate lawsuits anyway, but I am just stating what seems obvious to me.

Tower will pay for an identity theft protection services for the affected individuals next year.

Berzolla hopes this measure will assuage any possible threat of legal action from former members against the club. "I don’t expect there to be any problems, but just in case," he said.

The social security numbers on the spreadsheet were collected as part of the process of signing in new members several years ago, Berzolla said. Tower no longer requires its members to submit their social security numbers, he added.
[Evan] It is a good practice to not collect information that isn't required to conduct business.  The Tower Club would be well advised to go through the information they currently possess and purge the information they no longer need.

Victim Reaction:
"I had no idea this happened, and frankly, I’m baffled and a little pissed off," Valerie McConnell ’07 said

"Now that I know that the social security numbers weren’t sent out on purpose, I’m not pissed off," McConnell said. "I think my identity is ok. I can’t imagine anyone in the club trying to steal my identity (not that there’s a lot to steal right now anyway)."
[Evan] I think I would still be pissed off.  Identity thieves are not all stupid.  Many of them will hold on to the information for a year or more before using it or selling it.

"[The incident] is a mistake; it shouldn’t have happened," Beylin said in an e-mail. "However, with the number of times I’ve handed out my SSN this year while seeking financial services or apartment hunting, it’s really not my biggest source of concern for identity theft."
[Evan] This is a good point.  Have you ever thought of all the times you have given out your Social Security number?  All of your employers, schools, insurance companies, banks, mortgage companies, credit card companies, etc. have your number.  The same number used for identification and authentication.  A recipe for disaster?

Commentary:
The Tower Club does not handle personal information any worse than most other organizations.  It seems like they just didn't know any better.  It sometimes makes me nervous.

Past Breaches:
Unknown

]]> Tue, 13 May 2008 05:20:10 +0000 princeton tower club tower club club club technical chair e-mail system tower e-mail system tower system current club Technical glitch blamed in The Princeton Tower Club breach http://securityratty.com/article/5567080eb516a43807499e1350da7025 http://securityratty.com/article/5567080eb516a43807499e1350da7025 Security Breach

Date Reported:
4/14/08 (delayed)

Organization:
Purdue Pharma L.P.

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
~5,000

Types of Data:
"names, dates of birth, Social Security numbers and other pension related information"

Breach Description:
"a former employee accessed a disk containing personal information about individuals employed by Purdue Pharma and its associated U.S. companies prior to December 31, 2003 and attempted to email some of the information on the disk to another person"

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to inform you about an incident affecting information maintained by Purdue Pharma L.P. ("Purdue Pharma")

Purdue Pharma is a privately held pharmaceutical company.

we recently learned that a former employee accessed a disk containing personal information about individuals employed by Purdue Pharma and its associated U.S. companies prior to December 31, 2003 and attempted to email some of the information on the disk to another person.
[Evan] Attempted?  What prevented the former employee from actually sending the information?  It's not clear why the former employee wanted to send the information either.

We have determined that the disk contained information concerning approximately 5,000 individuals, and included names, dates of birth, Social Security numbers and other pension related information.

The former employee retained the disk when his employment ended, in direct violation of our policies and standard confidentiality agreement.
[Evan] This former employee may not have given a damn.

As soon as we learned of the unauthorized access, we promptly demanded that the information be deleted and returned to us.

The original disk has been returned and we believe that all copies of the information have been deleted.
[Evan] Once information confidentiality has been compromised it is very difficult (some would argue impossible) to restore it.  How can you be certain that the information has been deleted?

We have undertaken a thorough investigation of this matter and, based on results of that investigation to date, we have no reason to believe that the personal information was misused.
[Evan] Actually, there is EVERY reason to believe that the personal information was misused!  If the information was used in a manner that was not permitted by the owner (the victim), then it was misused.  That’s my definition anyway.

We are continuing to investigate the incident and are examining the measures we can take to help prevent incidents of this kind from happening again.

Even though we believe that there is little risk of fraud or identity theft against the individuals as a result of this incident, we are providing the potentially affected individuals, at our cost, with the identity theft protection services in the attached notification letter, for two years.
[Evan] If there is "little risk of fraud", then why spend thousands of dollars in notification (because it’s the law, I suppose) and identity theft protection (not required by law)?

Purdue has contracted to provide a two year subscription to TrustedID's IDFreeze.
[Evan] The cost of IDFreeze is $8.25/mo.  I am almost certain that Purdue isn't paying this full price and there is a good chance that not all affected persons will enroll, but for demonstration purposes only, $8.25/mo. x 5,000 subscriptions x 24 months = $990,000!

We deeply regret that this incident occurred and take very seriously our obligation to protect the privacy of personal information.

Commentary:
Employee and former employee information misuse is a very challenging issue for information security professionals.  It's tough to comment because we don't have much detail about what controls are already in place.

Past Breaches:
Unknown

]]> Mon, 12 May 2008 14:44:52 +0000 information personal information information security professionals purdue pharma purdue information confidentiality employee information misuse employee original disk Former employee exposes Purdue Pharma personal information http://securityratty.com/article/61e22cbbd808bee3a68e835bb0a92ca3 http://securityratty.com/article/61e22cbbd808bee3a68e835bb0a92ca3 Security Breach

Date Reported:
5/9/08

Organization:
Rent-a-Center*

*formerly RentWay

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers"

Breach Description:
"Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud."

Reference URL:
Sarasota Herald-Tribune
Bradenton Herald
Sarasota Herald-Tribune (May 10)

Report Credit:
Anthony Cormier, Sarasota Herald-Tribune

Response:
From the online sources cited above:

Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud.

The files were discovered in a plaza off Cortez Road on Friday morning.

In the files were photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers of people who leased furniture, TVs and appliances from RentWay.

A Manatee Sheriff's deputy arrived at about 10:30 a.m. and called workers from Rent-A-Center, which acquired RentWay in 2006, to clean up the mess.

In dress slacks and business shirts, Rent-A-Center employees crawled in a Dumpster on Friday afternoon.

it was unclear how long the files were in the lot and who may have accessed the sensitive information

Rather than shredding the documents that contained personal information of clients and taking them to their own Dumpster, the employees left the papers piled in the bottom of the Dots' store Dumpster

Kimberly Lash, manager of Dots, a women's clothing store next door to the the vacant storefront, said the mess had been out in the corner of the building for nearly a week.

She said the Rent-A-Center store manager said there were personal documents in the Dumpster.
[Evan] If I understand this correctly, the Rent-A-Center manager knew that there were personal documents being discarded in the dumpster?!  What the *&^# kind of manager would knowingly put his/her customers at risk?  I wouldn't hold the Dot's store manager ultimately responsible, but I wonder why she didn't do or say anything when she was told that there was personal information in the dumpster.

"All they did was pick it up and put it in my Dumpster," she said.

On Friday morning, a transient was seen rifling through the paperwork until he was shooed off by Don McLucas, who found the mess and called police

"Unbelievable," McLucas said. "Imagine the fraud you could commit with this stuff. And they just dump it like that? Unbelievable."

"You could open a bank account, apply for a credit card, anything. That information could be worth hundreds of thousands of dollars." - Robert Siciliano, CEO of IDTheftSecurity.com
[Evan] The bad guys certainly know this.  It seems like others either don't care or don't know.

The store manager of the Rent-A-Center store declined to comment. It's unclear what happened to the documents once they were removed from the Dots Dumpster.

Lt. William Vitaioli said it would not be a criminal violation to dispose of personal information such as Social Security numbers, credit card numbers, driver's license numbers or phone numbers.
[Evan] Should it be?  This is a hot debate.

Florida law requires companies to notify consumers if the security of their personal information has been breached.
[Evan] Are notification laws working?  Another hot debate.

Commentary:
If I had the time, I would check dumpsters on the way home one of these days.  Think I would find anything along my 25 mile ride home?

Past Breaches:
Unknown

]]> Mon, 12 May 2008 11:05:33 +0000 store manager store store dumpster rent-a-center store rent-a-center security rent-a-center store manager social security cards rent-a-center employees Did the Rent-a-Center manager knowingly expose personal information? http://securityratty.com/article/93d97ba2583b32143ad38008c44b1d57 http://securityratty.com/article/93d97ba2583b32143ad38008c44b1d57 Security Breach

Date Reported:
4/30/08

Organization:
Saks Incorporated

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown*

*According to the New Hampshire State Attorney General breach notification there were 163 persons affected who reside in the state of New Hampshire

Types of Data:
Name, address, Saks Fifth Avenue credit card account number, and/or Saks Fifth Avenue/MasterCard co-branded credit card account number.

Breach Description:
"In mid-April 2008, Saks learned that four company laptops were stolen.  Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

In mid-April 2008, Saks learned that four company laptops were stolen.  Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers.

Based on our investigation, we have confirmed that these files did not include Social Security numbers, the credit cards' expiration dates, pin numbers, codes, or passwords, or any other types of sensitive data.
[Evan] Thank God for that!

Given the very limited type of personal information on these files and that it was stored on password-protected laptops, we believe there is a very low risk of identity theft or credit card fraud as a result of this event.
[Evan] I agree with the limited type of information argument, but could care less about password-protected laptops.  Password-protected laptops are little more than nothing to stop someone for accessing the information.

We have no indication that this personal information has been accessed or misused, or even that the laptops are in the hands of someone seeking to misuse the information.

Nor was this a breach of our network, website, or database (as is typical in many company breaches covered by the news).
[Evan] I think laptop thefts and losses are more typical that network, website or database breaches.

The company has drafted a written notice of the breach that it will be sending to the affected individuals imminently.

Saks takes its customers' privacy very seriously, and we have exercised utmost caution and diligence in our response following the discovery of the theft.

Within hours of learning of the theft, we initiated our own investigation into the incident and notified law enforcement.

Finally, if you have additional questions related to this situation, you can contact us between the hours of 9:00 a.m. ET through 6:00 p.m. ET on Monday though Saturday through our dedicated toll-free information helpline at 1-888-724-2455.

We deeply regret any inconvenience or concern that this matter may cause you.

Commentary:
The letter sent to the affected individuals is signed by Stephen I. Sadove, Chairman and Chief Executive Office of Saks Incorporated.  I respect Mr. Sadove for addressing this situation in person (so to speak).  It demonstrates his understanding that information security is a corporate issue for which he is ultimately responsible.

Past Breaches:
Unknown

]]> Sun, 11 May 2008 17:28:38 +0000 saks laptops information andor saks company laptops personal information breach description breach credit card account Two stolen Saks Incorporated laptops contained sensitive information http://securityratty.com/article/d416168f47cfa9bd568f0552c9159b9e http://securityratty.com/article/d416168f47cfa9bd568f0552c9159b9e Security Breach

Date Reported:
5/7/08

Organization:
Las Cruces Public Schools ("LCPS")

Contractor/Consultant/Branch:
None

Victims:
Teachers, principals, administrators and other LCPS employees.  The breach also affected students enrolled in special education programs.

Number Affected:
1,800*

*1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs AND 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools

Types of Data:
"confidential student and staff information, including some personal identifying data"

Breach Description:
"LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet.  Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds."

Reference URL:
LCPS news release (Word document download)
LCPS press conference (Word document download)
Las Cruces Sun-News

Report Credit:
Las Cruces Public Schools

Response:
From the online sources cited above:

LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet.  Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds.

"We began a thorough investigation to determine how this happened and to prevent it from happening in the future.  The investigation includes a search of the Internet to determine if the information is located anywhere online and how to remove it."

Rounds said there is currently no indication that the data has been misused.

Preliminary information indicates a part-time LCPS computer data analyst unintentionally posted information from a secure LCPS special education computer database, named SEAS (Special Education Automated System), and placed it onto an un-secure website.

The data in question was contained within two electronic database files that were posted on the Internet between Tuesday, April 29 and Monday, May 5, 2008.

For the time being, Rounds said he is not disclosing what specific information was posted online to prevent any potential compromise to those affected
[Evan] The compromise has already taken place.  If a bad guy/gal is in possession of the information, he/she probably knows what he/she has without us having to tell him/her.

However, the individuals affected will be notified of what information was released, he said

Those affected include 1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs.

Also affected were 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools
[Evan] It especially stinks when children are affected.

Some data for other special education students may have been released as well.

"We’ve already begun to notify the affected individuals about what specific information is involved and we will assist them in taking appropriate safeguards," Rounds said

"If we find any of the information on the web, we will immediately take all appropriate steps to have it removed," said Jeff Harris, LCPS director of technology support services.  "As of today, we’ve located the data in two Internet sites and removed it.  We’re continuing to search for any other locations where it may exist."

On Monday, May 5, when the Superintendent learned of the potential breach, he directed that each student and staff member affected be provided credit fraud protection for up to one year to ensure their private information was not jeopardized in any way.  This will be paid at school district expense.

Rounds said the experienced part-time employee who unintentionally disclosed the data has been placed on administrative leave and no longer has access to any LCPS computer, data, or server.

"LCPS goes to great lengths to ensure student and staff confidentiality, but this incident appears to be caused by human error," Rounds said.  "This also highlights the need for the district to review its data security and privacy policies to make sure it never happens again."

Rounds said an ad-hoc committee is being established to immediately review LCPS policies and procedures.  This committee will be chaired by Dr. Shaun Cooper, the current Chief Information Officer at New Mexico State University.  Cooper is also the former Director of Security and Research Computing at NMSU

Commentary:
Human errors will happen as long as we are humans, I suppose.  Not that we should just accept defeat and use it as an excuse.  There are numerous controls with varying degrees of effectiveness that information security personnel implement to reduce the frequency and impact of human error related breaches.  Without knowing more detail, it's hard to say what could have been done better.  Was the cause of this breach simple oversight or lack of awareness, poor training, lack of production control (no formal review and approval process for posting information to public sites), etc.  I guess I'm not sure.

I do appreciate Mr. Rounds' response.  The response to the breach and notification was swift.  I also like the press conference and ad-hoc committee established to review LCPS policy and procedure.  I hope that the committee and effort will be ongoing long after this breach is forgotten (by those not personally affected).

Past Breaches:
Unknown

]]> Fri, 09 May 2008 06:02:19 +0000 information lcps lcps employees special education students lcps press conference special education specific information data security data Personal Las Cruces Public Schools Special Ed information posted online http://securityratty.com/article/27cbd575cc28534b9ca368f27ad75124 http://securityratty.com/article/27cbd575cc28534b9ca368f27ad75124 Security Breach

Date Reported:
4/29/08

Organization:
ACAP Security Inc.

Contractor/Consultant/Branch:
PinPay
SoftCard

Victims:
Merchants, Agents and customers

Number Affected:
Unknown

Types of Data:
Name, mailing address, phone number, email address, date of birth, city of birth, sex, and one or more of the following (chosen from drop-down):

• Passport
• Voting ID card
• PAN card
• Driving License card
• Government issued ID card
• Social Security Card
• Military ID card
• Consular ID card
• Postal ID card
• Government Employee ID Card
• Credit Card
• Debit Card
  

Breach Description:
ACAP Security and affiliated sites are actively marketing a "secure payment system that allows Internet-based businesses to accept secure PIN-debit card payments and transactions at their online store."  The PinPay and SoftCard sign-up pages and account access pages are not adequately secured with encryption, potentially exposing extremely sensitive personal information.

Reference URL:
Merchant 911 Blog

Report Credit:
Tom Mahoney, the Founder and Director of Merchant 911

Response:
From the online source cited above and my own cursory investigation:

Back in January, I had short email dialog with a Kip Long, who claimed to be one of the principles of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product.

Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product - from what I can make of it, a virtual PIN based card.

The company uses PinPay - to process transactions and both companies are a part of ACAP Security, Inc..

I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them.

their insecure sign-up form - was requesting “Identity Card Numbers” and issue dates.
[Evan] The sign-up forms at SoftCard.biz and PinPay.net are not secure.  Neither are their respected login pages.

“Identity cards” are selectable from a drop down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card.

The form also requires a full name and DOB.

I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.

The fact that Mr. Long used a hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert.

If a company official can’t use his company’s domain for email, I’m not going to talk to him.

I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.
[Evan] I also sent emails and heard nothing in return.

I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.
[Evan] My advice would be to NOT fill out the form and NOT conduct business with a company that has not demonstrated a willingness to secure your information.

Commentary:
Tom informed me about this vulnerability (and potentially a breach for anyone that signed-up/in) a couple of weeks ago.  I've been a little busy lately, but was finally able to check it out.  Let me recap what I found.

First, let's go to www.softcard.biz. This is the site that Tom originally pointed out to me.



The flash home page forwards visitors to a static index (indexaa.html) page.  The first paragraph on the page informs visitors about PinPay.

"The PINPAY SoftCard is a wise way to carry and transfer money. It gives you the ability to purchase products at participating stores throughout the world (as well as at online shopping malls), with the security of a PIN that travels the internet via private encrypted tunnels. It also allows you the ability to load money to your card, pay bills, transfer money to merchants, transfer money between cards, and withdraw cash from your card at the store."



See where the page says, "Register for your FREE card HERE!!"?  This is a link to the sign-up page that Tom was referring to.



No "https" in the URL.  Tom was right on that.  The sign-up form asks for a personal information ranging from name and address to identity card information (even information for a "Second Identity Card").



The "Select Identity Card" drop down menu displays the choices for the prospective customer, including Passport, Voting ID card, PAN card, Drivers License card, Government issued ID card, Social Security card, Military ID card, Consular ID card, Postal ID card, Government Employee ID Card, Credit Card and Debit Card



SoftCard (or PinPay or ACAP Security) are asking for some very sensitive personal information!  First, this is quite a bit more information than they need to approve a person for a "PINPAY SoftCard".  Second, no encryption?!  Third, who is ACAP/SoftCard/PinPay and what will they do to secure my information once they have it supposing it wasn't intercepted on the way to them?

Let's dig a little (public) information about ACAP Security.  According to Entreprenuer.com, ACAP launched "Personal Private Network" (ppn) technology, commercially available under the trade name ppnPRO, which is described as a "highly secure, and highly private" personal private network.  ppnPRO uses "Government approved AES encryption, with strong personalized 256-bit encryption keys, and encrypting all information- network addresses, applications and ports, as well as the confidential data content".  Sounds impressive, but it also sounds like the company should know a thing or two about securing web site transactions with encryption. 

I want to discuss the risk of sending confidential private information over a public network such as the internet without encryption, in particular.  This is not a new topic, but I will take some time to demonstrate the risk.

In order for my information to be compromised, someone (or something) will need to capture the traffic.  In order for someone to capture my traffic, they will need to tap into the communication somewhere between me (my computer) and the destination (the web server).  My information doesn't travel directly from my computer to the server.  There are intermediaries (routers, switches, firewalls, etc.) that have to get (or forward) my information from my computer to the server.



As you can see depicted in the graphic above, there are at least 16 routers (or hops) between this example source and www.softcard.biz.  The final few hops are not reported due to filtering.  So where could my traffic be captured?  At the very least:

• Between my computer and my router (or firewall)
• Between my firewall and the ISP hand-off
• Between all the traversed devices within my ISP's network
• Between all the traversed devices through the internet
• Between all the traversed devices within the destination ISP's network
• Between all the traversed devices within the destination organization's network and the server itself.
  

Anyone in the communication path can use a simple protocol analyzer like Wireshark and capture the sensitive information:

txtfname=Billy&txtmname=J&txtlname=Madison&txtaddress=123+Main+Street&txtcity=Anywhere&
txtstate=MA&txtzip=87451&txtcountry=United+States&mob_phone=NONE&txtphone=18006218200&
txtemail=billymadison@honky.com&txtdob=04%2F20%2F1988&txtbirthcity=Boston&
txtbirthcountry=United+States&txtgender=M&identity1=Social+Security+Card&txtcardno1=123-45-6789&
txtissuedate1=04%2F20%2F1988&identity2=Driving+License+card&txtcardno2=M-1234567890&
txtissuedate2=04%2F20%2F2006&submit=Accept+Card+Agreement-Submit

This is a very simplistic demonstration about why it is important to encrypt sensitive information.  If the communication had been encrypted, none of the data would have been visible without access to the private key.

We could go deeper into the server application and SQL, but I think that this is enough.

A Quote from the ACAP Security CEO:
“The right of privacy is a fundamental and very important right of American society. A right our Nation’s founders fought the American Revolution to obtain and a right many brave American soldiers have fought and continue to fight and die to preserve. As this Nation continues to advance into cyberspace, we have expanded the right of privacy to include the right to electronic privacy. The elements of cyber-crime and cyber-vulnerabilities have begun to seriously erode and destroy this important right of electronic privacy.”

Past Breaches:
Unknown

]]> Thu, 08 May 2008 09:26:03 +0000 information drivers license card license card card free card social security card sensitive information sensitive personal information encrypt sensitive information Confidential information sent to PinPay.net and SoftCard.biz is exposed http://securityratty.com/article/7ae56d34b365648af4041ccd173db81f http://securityratty.com/article/7ae56d34b365648af4041ccd173db81f Security Breach

Date Reported:
4/28/08

Organization:
Cove Creek Mortgage
Front Range Mortgage, LLC

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Mortgage files, tax returns, pay stubs, Social Security numbers, and other personal information

Breach Description:
"ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend."

Reference URL:
Denver Channel 7 News
Denver Channel 7 News (update)

Report Credit:
Denver Channel 7 News

Response:
From the online sources cited above:

ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend.
[Evan] Cove Creek Mortgage joins the ranks of other mortgage companies reported for similar breaches on The Breach Blog.  The others are Affordable Realty and Union Mortgage Services of Cleveland, Inc..

Cove Creek's owner had abandoned his Englewood office in January, and property managers had not been able to find him
[Evan] What kind of businessman just abandons an office full of confidential files and equipment?

On Saturday, the property manager had a crew clean out his office and throw all items from the office -- including complete mortgage files -- into two Dumpsters.
[Evan] Maybe the property manager should pay a little closer attention to the things they throw in the dumpster.  Having said this, the property manager is not really at fault.

David Peters who works in the same complex found the files Monday morning.

"I was taking some other trash out to the garbage can and opened the lid and on there was a couple of laptops,"

"Directly underneath them were files with people's names on it and I was like, 'Well, this is not right.'"

"There were tax returns, pay stubs, everything in there," he said. "And as I looked at the different files I realized that it was mortgage files, which was kind of scary, because who do you disclose the most information to or all of your information? That is when you are getting a mortgage loan."
[Evan] According to the news report, Mr. Peters contacted authorities.  This could have easily been much worse for victims.

The Dumpsters were not secured and located at 88 Inverness Drive East, Bldg. F.

Sheriff's investigators finally found the owner of Cove Creek and talked him into retrieving the files, many of which had private information, including Social Security numbers and credit history.
[Evan] Mr. owner guy, will you please come get your stuff and the personal information that was entrusted to you?  According to zoominfo a guy named Charlie Cartwright is/was the president of Cove Creek Mortgage.  I have no idea if this is the same guy that is referred to in the news article.

The district aAttorney's office got a tip about numerous mortgage files and two laptop computers in a Dumpster behind offices formerly used by Cove Creek Mortgage and Front Range Mortgage.
[Evan] Now Front Range Mortgage joins the ranks.  Front Range Mortgage offers credit repair services too! Do you suppose they could have repaired the damage that could have been done?

"With a name, Social Security number and bank account number, they can clean you out before you even know," said Arapahoe County District Attorney Carol Chambers.

The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information.

While there are civil laws against dumping such documentation, Chambers said it is not against the law.
[Evan] It's too bad that we have to write and enforce laws to protect us from idiots.

"I think it is a matter of legislation not catching up with the realities of identity theft," said Chambers. "And absolutely, we think recklessly disposing or negligently disposing of this kind of information should maybe carry a criminal penalty, just to get people's attention that you can't just leave this information or leave it out in a Dumpster."

"The district attorney recommends that any former customers of Front Range or Cove Creek should place a fraud alert on their credit reports and monitor any bank, credit card or investment accounts that might have been included on a mortgage application with that firm."

For further information, assistance or questions, call the District Attorney's Fraud Assistance Line at 720-874-8547.

Commentary:
What is with these mortgage companies?  The 90's and early 2000's was a wild ride for mortgage brokers, real estate agents, and investors.  The money attracted people from all walks of life and a lot of poor decisions were made.  Now that the bubble has burst, we start to see the true colors of some of these "professionals".

I don't know much if anything about the owners of these companies, but I do know that securing personal information poorly is bad business.

Past Breaches:
Unknown

]]> Wed, 07 May 2008 18:20:50 +0000 mortgage files numerous mortgage files personal information information complete mortgage files personal information poorly files cove creek mortgage cove creek Personal information from two Colorado mortgage companies found in dumpsters