[SecurityRatty] tag: compensation

Chairman Tata Surprised by Tricky Terrorists

Sun, 30 Nov 2008 22:29:00 +0000

Chairman Rata Tata, whose company owns the Taj hotel in Mumbai, gave a frank and honest interview to CNN. I would imagine that the Tata Group's PR people and General Counsel are scrambling at the moment trying to do as much damage control as possible.

The sad part of this unfolding story is the feeling one gets that the terrible loss of life at the hotel may have been prevented or at least mitigated had proper security measures been implemented and if the security that had been in place prior to the attack had not been removed.

One eye witness who stayed at the hotel a week before the terrorist assault spoke about metal detectors and baggage being checked. The same witness then went on to say that those security measures had been removed within the last week, allowing people to enter without being checked.

The most surprising news to surface must be the Chairman's comments regarding the terrible event. Unbelievably, he actually said; "They knew what they were doing and they did not go through the front. All of our arrangements were on the front entrance".

Who is Tata's security advisor, a kitchen worker? Actually, he might have been better off if that were the case since the terrorists entered the hotel through the rear kitchen door. ANNOUNCEMENT TO ALL CHAIRMEN AND CEO's; Terrorists are Tricky. That is their job. They are watching your businesses and will do the opposite to what you expect.

In the case of the TAJ HOTEL, you made it easy for them. Did nobody in Mumbai ever stop to think that a bad person can go through the back door? It is one thing for a cafe in a pedestrian area to be attacked as anyone can walk right by or walk through the front and open fire, but how can a major landmark that attracts Western vistors drop their security measures AFTER they have received terrorist alert warnings that the hotel may be the target of terrorsit attacks?

I don't know if it was the case with the Taj Hotel, but cutting corners where security is concerned is common place in corporate culture. Security is often seen as a necessary evil and usually the first department to experience budgetary cutbacks. It is very difficult to convince some clients that nothing happening is really a good thing and that by cutting out security may open the door to evil.

This appears to have been the case with the Taj. There is no doubt that the terrorists had conducted hundreds of hours of surveillance in and around Mumbai. Was it a coincidence that the attack occurred the week after security measures had been removed? What might have been the result if security had remained tight (if you could call watching the front entrance and disregarding the back as "tight security")? Maybe the terrorists would have held back another month or two...maybe in that time they would have been detected...

One thing is for certain, places like the Taj Hotel have to get serious about security. Mr. Tata's claim that; "If I look at what we had...it could not have stopped what took place", must be replaced by more progressive, proactive thinking. If the Tata Group had spent an adequate amount of funding on ensuring that a strict security policy was in force - if only for the period in question - then they might not now be facing a 5 Billion Rupee reconstruction bill. Who knows how high the civil suits against the Taj will run when compensation and punitive costs are calculated.

Kudos though to Chairman Tata for at least recognizing that the Indian authorities may not be able to handle the situation on their own. "These attacks underscore the need for Law Enforcement to seek outside expertise for training, equipment and strategic operations", he said.

We agree Mr. Tata. We also hope that you will recognize the need for the Tata Group to seek similar outside expertise to assist you with your security planning and training.

Money Mules Syndicate Actively Recruiting Since 2002

Tue, 28 Oct 2008 05:44:21 +0000

Money mules have already been an inseparable part of the underground ecosystem. And while others try to hide their activities by outsourcing their hosting needs to botnet masters partitioning their botnets, the experienced ones apply a decent level of OPSEC (operational security) by establishing a trust based model based on recommendations in order to even consider letting you register for their services. Their geographical location not only reflects the average time it would take to take action against their activities and expose yet another extensive network of fraudulent operations, but also, has the potential to increase or decrease the commissions that the mules take based on the risk factor of getting caught.

There are several different types of money mules, those serving themselves, and those offering their services to others, in this particular case, we have a money mules syndicate that's been operating since 2002, and is only serving the high profile customers. What happens when such a money mule syndicate (naturally) starts vertically integrating by offering value-added services like credit card balance checking and date of birth lookups? Profits apparently increase, since the syndicate is actively recruiting and is currently looking for 20 to 30 mules -- their current staff is said to be approximately 100 people -- to cash out anything from bank account logins, Paypal accounts, to stolen credit card data. Here's a translated description of the service :

"Who we are?

- First place at (cyber crime community) top list of trusted service providers for 2008
- We serve the big guys only since 2002
- We never scam, in business since 2002 without a single scam complaint
- We look for you, you don't look for us
- We offer outstanding working conditions and high commissions

Who you should be?
- Dedicated person with experience in the field
- Have been in the business for at least 6 months
- Have been recommended by at least 1 person from (cybercrime community) and from (cybercrime community)
- You take 45% commission of the processed check, minimal amount is $3000
- You pay a membership fee

In the next two months we draw the command of 20-30 people who will most satisfy our requirements. For the selected team will be Paradise conditions:

- Instant payment (a few hours after delivered)
- Large numbers to drop service in the USA and the UK (30)
- Individual drop in the number of large islands
- 3-5 fresh weekly drop
- Round-the-clock support"

In case some of their customers get scammed -- appreciate the irony here as scammers compensate the scammers getting scammed by the scammer's outsourced personnel -- by some of their money mules, the service is offering compensation for the stolen goods/amount of money, clearly speaking for the revenues it is to prone to be generating. OPSEC (Operational Security) has been taking place across high-profile cybercrime communities during the last quarter, mostly in response to their increasing awareness that in the very same way they keep track of the major anti-fraud features implemented across their services of (ab)use, those implementing them could be monitoring them as well.

How can we co-operate to tackle phishing?

Mon, 27 Oct 2008 09:47:06 +0000

Richard Clayton and I recently presented evidence of the adverse impact of take-down companies not sharing phishing feeds. Many phishing websites are missed by the take-down company which has the contract for removal; unsurprisingly, these websites are not removed very fast. Consequently, more consumers’ identities are stolen.

In the paper, we propose a simple solution: take-down companies should share their raw, unverified feeds of phishing URLs with their competitors. Each company can examine the raw feed, pick out the websites impersonating their clients, and focus on removing these sites.

Since we presented our findings to the Anti-Phishing Working Group eCrime Researchers Summit, we have received considerable feedback from take-down companies. Take-down companies attending the APWG meeting understood that sharing would help speed up response times, but expressed reservations at sharing their feeds unless they were duly compensated. Eric Olsen of Cyveillance (another company offering take-down services) has written a comprehensive rebuttal of our recommendations. He argues that competition between take-down companies drives investment in efforts to detect more websites. Mandated sharing of phishing URL feeds, in his view, would undermine these detection efforts and cause take-down companies such as Cyveillance to exit the business.

I do have some sympathy for the objections raised by the take-down companies. As we state in the paper, free-riding (where one company relies on another to invest in detection so they don’t have to) is a concern for any sharing regime. Academic research studying other areas of information security (e.g., here and here), however, has shown that free-riding is unlikely to be so rampant as to drive all the best take-down companies out of offering service, as Mr. Olsen suggests.

While we can quibble over the extent of the threat from free free-riding, it should not detract from the conclusions we draw over the need for greater sharing. In our view, it would be unwise and irresponsible to accept the current status quo of keeping phishing URL feeds completely private. After all, competition without sharing has approximately doubled the lifetimes of phishing websites! The solution, then, is to devise a sharing mechanism that gives take-down companies the incentive to keep detecting more phishing URLs.

Here is our stab at devising a suitable sharing mechanism. We propose the creation of a members-only sharing club with compensation for net contributors paid for by net receivers. Take-down companies submit real-time copies of their entire feeds to a trusted third party (for the sake of argument, let’s assume that the APWG takes on this role). The APWG collates the individual feeds, marks the source of each submission (i.e., which take-down company) along with a timestamp. The APWG makes the amalgamated feed available immediately to all members. The members pick out phishing URLs impersonating their own clients, while ignoring the rest. Crucially, the expensive task of verifying phishing URLs and initiating take-down continues to be performed by the take-down company.

Periodically, the combined feed is audited to determine the reciprocity of contributions. Take-down companies provide a list of their clients to the auditor. The auditor then computes the number of phishing websites impersonating each take-down company’s clients that are missed by the takedown company but identified by others. The auditor also tallies the time difference for phishing websites that are identified by others first.

For example, suppose bank A1 has hired take-down company A to remove phishing sites on its behalf, and bank B1 has hired take-down company B. Suppose 500 phishing sites impersonate A1, and that A identifies 400 while B identifies an additional 100 sites missed by A. Likewise, suppose another 500 phishing sites impersonate bank B1, and that B identifies 300 while A identifies an additional 200 sites missed by B. B has received a net of 100 useful phishing sites more from A than B has given to A. Consequently, B should pay A a previously-agreed ‘finder’s fee’ for identifying these extra 100 websites.

The ‘finder’s fee’ provides additional incentive for take-down companies to invest in better phishing website detection. Designed properly, such a sharing club can overcome the potential for free-riding that companies such as Cyveillance fret about, while increasing sharing to shorten phishing website lifetimes.

Some subtleties must be mentioned, however. If the finder’s fee is big enough, some companies may be tempted to cheat to minimize their payout. For instance, underperforming take-down companies could claim to have independently discovered missing data from their feed shortly after collecting it from the shared feed. This can be mitigated by adding a credible threat of detection — inserting a few dubious fake phishing URLs that only appear in the shared feed. If the company claims to have ‘independently’ rediscovered these URLs, then they will be caught cheating. Another issue is that the auditing system does incur some overhead, which could be avoided if sharing was made unconditional.

To sum up, we recognize that many take-down companies will be reticent to share. However, we feel that sharing is too important to the goal of tackling phishing to brush aside because of a few inevitable complications. For the good of protecting consumers, the anti-phishing industry should learn to co-operate!

The Growing Security Skills Shortage

Tue, 19 Aug 2008 05:02:06 +0000

We are regularly hearing from our security clients about their difficulties finding people with the right skills – or when they do finally find them, these people are too costly to employ because their skills are in such demand.

Indeed, the “unavailability of people with the right skills” was cited as a top challenge for security groups in both our enterprise and SMB surveys.

In comparing need for talent across 25 different IT roles, Forrester analysts came to the conclusion that information security experts are among the hottest roles in IT, sharing the top spot with information/data architects.

The skills shortage is likely to get worse before it gets better. We’re unlikely to see a significant spike in security experts’ salaries to attract those we need to hire: large changes in compensation for senior security personnel would run against the current of economic belt-tightening. Another typical approach to offsetting the shortage would be to train up: foster the career development and advancement of existing security personnel on our payroll. However, with all the outsourcing that is going on – and which will increasingly occur – there is a shrinking pool from which to find people with “the right stuff” worth championing their advancement.

We could look outside of security to others in IT, or even to co-workers in other departments or business groups. But given how poor a job IT Security does of marketing its value proposition, I don’t hold much hope for attracting non-security people.

What do you think? Are we about to hit a very big wall when it comes to skills and staffing? Are you presently feeling the pain of a skills shortage? Do you see such a shortage looming? What measures are you taking to acquire and nurture talent? Which ones are successful and why?

I welcome your thoughts on the topic.

419 Mail Targets Musicians

Wed, 06 Aug 2008 03:13:03 +0000

One of my musician colleagues received the following email:

------Original Message------
From: smith douglas
Subject: lovely song
Sent: Aug 5, 2008 5:50 PM

Hello Lovely vocalist

I am Olatunji Hassan a music lover and I must say I listened to
your song via the internet and was moved.I lived in the United
States all my life and now I am back in my father land(AFRICA)
I must also lay my emphasis on the fact that I still travel to
us when the country is pretty hot.
I am the C.E.O of Douglas compensations
The compensation company is a company which has gotten the
approval of the Government to dispatch lost funds and recovered
theft funds to individuals who seems to need the funds.
I am using the power bestowed on me by my Government to approve
the sum of 100,000 United states Dollars for you.
your urgent reply is needed in regards to this development.
Olantunji Hassan.

Of course, it's a scam. There are plenty of musicians promoting their music on their websites, blogs, fan sites and forums - which presents scammers with a huge selection of targets to choose from. Be on your guard...

"Metro" employee information mistakenly posted to Web

Tue, 15 Jul 2008 06:39:14 +0000

Technorati Tag: Security Breach

Date Reported:
7/14/08

Organization:
Washington Metropolitan Area Transit Authority ("Metro")

Contractor/Consultant/Branch:
None

Victims:
"past and present employees"

Number Affected:
4,675

Types of Data:
Names and Social Security numbers

Breach Description:
"Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month."

Reference URL:
Metro Press Release
Associated Press via Forbes.com
NBC Channel 4 News
The Washington Post

Report Credit:
Washington Metropolitan Area Transit Authority

Response:
From the online sources cited above:

Metro has advised nearly 4,700 past and present employees that their social security numbers were published accidentally on the transit agency’s Web site last month.

The information was posted between June 9 and 25 as part of a solicitation from Metro to companies interested in providing worker’s compensation and risk management services.
[Evan] Rather than post this information to a public web site, why wasn't a more secure method of tranmission used such as VPN or secure FTP?

The document mistakenly included the social security numbers of 4,675 employees.
[Evan] According to Metro spokeswoman Candace Smith the sensitive information was supposed to be redacted. I wonder how well this mandate was communicated to the employee(s) responsible for compiling and posting the information.

A smaller group of employees had their names and social security numbers posted in the lengthy document. Metro officials continue to analyze the information for any other data breaches.

Three Metro employees have been disciplined

The three disciplined employees, including a manager, have been suspended for up to a month without pay, officials said.
[Evan] This implies that the employees responsible for the mistake should have known better. We can probably assume that they were informed of the proper procedure, but did not follow it.

Letters warning of the breach were sent out to the affected employees.

The letter urges employees to watch their credit reports for signs of identity theft.

Last week, the agency set up a separate Web site where employees can determine whether their numbers were among those posted.

The agency is offering the 4,700 employees one year of free credit report monitoring, $25,000 in identity theft insurance and counseling services.

"We deeply regret this incident, and believe the likelihood of misuse of the information is low," said Metro Chief Safety Officer Ronald Keele.

"However, we have taken additional steps to protect employee information by bolstering Internet security and requiring more checks and balances of materials before they are being released publicly."
[Evan] Checks and balances are typically lacking in these types of breaches, so I think it’s a good sign that Metro is addressing these.

Metro officials say they are not alone in this type of data breach.
[Evan] So what?

According to the Identity Theft Resource Center, data breaches at businesses, governments and universities were up 69 percent in the first half of 2008 compared with a similar period in 2007.

Commentary:
The end result of this oversight is three disciplined employees (with no pay for a month) and nearly 4,700 people with an increased risk of identity theft. Forethought is there for a reason, whether or not you use it is your choice.

Past Breaches:
Unknown

Have you googled, HR security breaches lately?

Tue, 08 Jul 2008 05:38:15 +0000

Blogger: Randall Gamby

As briefly mentioned in a Burton Group IdPS blog and a ZDNet Australia published article on July 3, 2008, HR data from Google was stolen from one of their previous HR outsource partners. It seems that the partner, Colt Express Outsource Partners, had equipment stolen that contained HR data from some of its clients, including Google. The data was unencrypted and stored on systems that were apparently portable.

So what does this mean for all of us?

First, it shows that even large SaaS companies like Google can be bitten by a lack of security at their partners, just like many of us can. Burton Group has been warning clients for a long time about the dangers of sending confidential information to outsource partners without proper security and audit processes in place. Of course this should also be backed by strong contractual language.

Second, be prepared to pay. Even if Google had breach mitigation terms in their contract, Colt Express announced that it was in financial difficulty. So Google has had to pay for financial reporting and other compensation to its own employees, even though Google did nothing wrong.

Third, a Google representative stated "We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an on-going basis.” Does this mean that Google doesn’t require encryption of its confidential information since encryption of the data was not deployed at Colt Express? When working with third parties, whether it’s financial data or confidential personal data, this information needs to be protected from unauthorized access. One of the simplest ways is encrypting the data while at rest, regardless of where it’s located.

Final, the Colt Express breach brings to mind a question Burton Group is always asking: “What is your exit strategy if the contract is terminated with your outsourcing partner?” A lot of effort is expended in creating an outsourcing agreement around use and protection of data, but what happens when the contract is ended? Do you obtain and retain the information the outsource partner maintained? Do you have the outsource partner destroy the information and any archives of it (and verify this was done)? Do you create a custodial contract with the outsourcing partner for them to maintain the information and archives on your behalf (ensuring the data is properly protected)? As was found in this incident, after their contract with Google was terminated the outsourcing partner apparently retained the employee data unencrypted on their servers. This was the fatal mistake that allowed the breach to occur.

So as you work with your outsourcing and SaaS vendors, you should not only consider how day-to-day operations should be secured to maintain the confidentiality of your data. You should also think about how that data is being maintained over time, and what are your procedures should the unthinkable happen if your partner allows your data to be compromised.

Have you googled, ???HR security breaches??? lately?

Tue, 08 Jul 2008 05:38:15 +0000

Blogger: Randall Gamby

So what does this mean for all of us?

Third, a Google representative stated "We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an on-going basis.??? Does this mean that Google doesn???t require encryption of its confidential information since encryption of the data was not deployed at Colt Express? When working with third parties, whether it???s financial data or confidential personal data, this information needs to be protected from unauthorized access. One of the simplest ways is encrypting the data while at rest, regardless of where it???s located.

Final, the Colt Express breach brings to mind a question Burton Group is always asking: ???What is your exit strategy if the contract is terminated with your outsourcing partner???? A lot of effort is expended in creating an outsourcing agreement around use and protection of data, but what happens when the contract is ended? Do you obtain and retain the information the outsource partner maintained? Do you have the outsource partner destroy the information and any archives of it (and verify this was done)? Do you create a custodial contract with the outsourcing partner for them to maintain the information and archives on your behalf (ensuring the data is properly protected)? As was found in this incident, after their contract with Google was terminated the outsourcing partner apparently retained the employee data unencrypted on their servers. This was the fatal mistake that allowed the breach to occur.

Confidential Connecticut Department of Labor mailing is missing

Tue, 10 Jun 2008 08:00:32 +0000

Technorati Tag: Security Breach

Date Reported:
6/2/08

Organization:
State of Connecticut

Contractor/Consultant/Branch:
Connecticut Department of Labor

Victims:
Customers

Number Affected:
2,160

Types of Data:
"personal information, including name, address and Social Security number"

Breach Description:
"WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located."

Reference URL:
Connecticut Department of Labor
Associated Press via The Hartford Courant
Newsday

Report Credit:
Connecticut Department of Labor

Response:
From the online sources cited above:

WETHERSFIELD, The Connecticut Department of Labor is notifying approximately 2,100 customers that files containing copies of letters sent to them regarding their unemployment insurance claim cannot be located.

the agency strongly believes that the letters were mistakenly shredded along with others that were being rightfully destroyed

Following an extensive search, it appears the copies were inadvertently shredded and destroyed on or before May 21

we feel it is in the best interest of our customers to be proactive in our efforts to ensure that personal information is not compromised

The files contained copies of letters dated from May 2 to May 20 informing applicants that they were ineligible for the unemployment insurance.

Copies of the letters, which must be kept on file for three years, contained personal information, including name, address and Social Security number.
[Evan] Why does a letter informing someone that they are not eligible for unemployment insurance require a Social Security number?

we do not believe information on these letters will be used in a manner that will compromise the security of these residents

we have arranged for two years of free preventative services through the Debix Identity Protection Network
[Evan] Two years is much better that the semi-standard one year given by many organizations. Government breaches tick me off a little more than most. One reason is the fact that taxpayers get to foot the bill.

We sincerely regret any inconvenience or concern that has been caused by this situation

the agency takes the protection of personal information very seriously and since last year, we have been working on additional security features for the state’s unemployment insurance compensation system

Since federal law mandates that we use the entire Social Security number in the course of business, we are looking at ways to encrypt that data and still comply with regulations.
[Evan] I am glad to read that the agency is considering encryption of confidential information (albeit late, better than never), but this is only feasible for electronic information. Encryption would not have provided any protection against this particular breach which involved printed confidential information, namely Social Security numbers. I think it is generally a poor business practice to send mail with Social Security numbers in print unless it is absolutely necessary. I don't think that federal law requires that these mailings include Social Security numbers.

Residents who receive a letter from the agency and who may have questions regarding the free protection service can contact Debix directly at 888-332-4963. Those with questions about their Determination Letter can call the Labor Department’s Assistance Center at 860-263-6785.

Commentary:
If the missing letters only contained the information necessary to communicate the required message, then the impact of this breach would be considerably smaller.

Information security personnel don't currently review mailed information prior to release in the companies I consult for. This breach gets me thinking about a potential risk that I may have missed in my assessments.

Past Breaches:
September, 2007 - Stolen laptop contains names and allegations in state DCF cases
August, 2007 - State of Connecticut Stolen Laptop

AT&T management information on stolen laptop

Sun, 08 Jun 2008 14:28:48 +0000

Technorati Tag: Security Breach

Date Reported:
6/4/08

Organization:
AT&T

Contractor/Consultant/Branch:
None

Victims:
AT&T management personnel

Number Affected:
Unknown

Types of Data:
Compensation information, including employee names, Social Security numbers, and salary and bonus information.

Breach Description:
"An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop."

Reference URL:
PogoWasRight
SC Magazine
NetworkWorld

Report Credit:
PogoWasRight

Response:
From the online sources cited above:

An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop.
[Evan] Don't you think that a well known (and respected) company like AT&T would have had the forethought to encrypt laptops?

Employees were first alerted to the theft on the evening of May 22nd by email from Bill Blase, Senior Executive Vice President - Human Resources.

This is to alert you to the recent theft of an AT&T employee's laptop computer that contained AT&T management compensation information

The laptop was stolen May 15 from the car of an employee

The data on the computer was not encrypted -- a violation of company policy -- and included names, Social Security numbers and in some cases, salary and bonus information.

No customer or client data were on the stolen laptop.

the company would not disclose the number of affected individuals, but there is no reason to believe any of the data was being targeted when the machine was stolen.

AT&T repeatedly declined to disclose the number of employees affected "as a matter of policy."

"Usually these are property crimes in which the drive is wiped clean and resold for profit,"
[Evan] This used to be the case, but do you think the same still holds true today? If a thief is going to go through the trouble of wiping the drive, it seems plausible that he/she may also attempt to access/review the information contained on it. Hardware value = ~$1000, Information value = ~$10, $20, $50+ per record. Do the math and it soon becomes apparent that a thief can profit much more by selling the information. I presume that some thieves know this.

The employee who was in possession of the laptop when it was stolen has been disciplined.
[Evan] Was it the employee's responsibility to encrypt the information, or was it his/her responsibility to not store confidential information on it? If the employee was aware of his/her responsibilities, then I can understand the disciplinary action. If not, then AT&T has much bigger problems.

"There are a number of rules governing the handling of encrypted material and the mobile devices handling that material that employees must follow," Sharp said. "It is up to the employee to ensure that any sensitive material is encrypted."
[Evan] Really? It is "up to the employee" to ensure that sensitive material is encrypted? Most of the users I work with wouldn't know the first thing about how to encrypt information. This is why we usually implement policies, standards and procedures to encrypt the entire contents of hard drives as part of the standard laptop build. Encryption is then semi-transparent and we don't need to worry about an incident such as this. Take information security out of the hands of employees if feasible.

AT&T used the breach as a reminder that employees must follow policies.
[Evan] Hopefully this isn't the only time employees are reminded to follow policies.

We deeply regret this incident.

You will soon hear about additional steps we're taking to reinforce our policies to safeguard sensitive personal information and ensure strict compliance in order to avoid incidents like this in the future.

The telecom also says that it is "in the process of encrypting devices," but that may be small comfort to those whose data were on the stolen laptop.
[Evan] Sheesh, hundreds if not thousands of breaches involving lost and/or stolen laptops affecting millions of people and now AT&T is "in the process of encrypting devices"? To AT&T's credit, they do employ thousands of mobile devices which take time to encrypt and it's better late than never. Explain this to the people affected.

AT&T is offering free credit monitoring to those affected

Victim Reaction:
"I'm very disappointed in my company,"

"Eight days passed before we were notified ... and it took up to another 10 days to be informed about requesting a fraud alert and to be given instructions for signing up for credit watch."

"It is pathetic that the largest telecom company in the world -- with more than 100 million customers -- doesn't encrypt basic personal information,"

"I receive company internal e-mails reminding me to contact our legislators about relieving the company of the burdens of regulation," he says. "What happened here shows the company isn't ready to have those burdens lifted."

Commentary:
Excellent work at PogoWasRight.org. Their report contains copies of the actual AT&T correspondence. Obviously, AT&T should have known better.

The Breach Blog was notified via a comment from the wife of an affected employee on May 28th, but we did not have enough information to report. The comment was not approved by me either because the commenter used her real name (out of protection for her and her husband).

Past Breaches:
August, 2007 - AT&T Stolen Laptop, Unknown Number of Former Employees Affected