Shostack + Friends Blog Archive


Breach Roundup: 6/17 – 6/24

This week’s roundup is large. Rather than push other newish posts off the bottom of most people’s screens, it has been deemed preferable to prepend this introductory paragraph, at the bottom of which readers may elect to see more.

Western Illinois University

Multiple servers breached. University loses SSNs and other data on 200,000 to 240,000 current and previous students, as well as credit-card information on those using the university bookstore or hotel. According to a response received from WIU’s official “Security Alert” email address:

A majority of students potentially affected are students who took courses from 1983 to the present. A smaller number of records from 1978 to 1982 (approximately 1,000 records) may have been at risk of exposure. Anyone who has performed an online purchase through the University bookstore or who has stayed in the University Union Hotel may also potentially be affected.

Interestingly, the Division of Student Services, which seemingly runs on-line bookstore sales, says [link to https://www.student.services.wiu.edu/privacy/ no longer works] that they “Don’t retain credit card information after credit card sales have been processed.”
Official version of events is at http://www.wiu.edu/securityalert/

ING U.S. Financial Services

Social Security Numbers and other info on 13,000 Washington, D.C. residents obtained when a thief stole a laptop from the home of an ING U.S. employee. No password, no encryption. Theft occurred June 12.
Washington Post has more.

Equifax

Laptop stolen May 29th contained name and SSN info on up to 2500 of their employees.
(AP [link to http://sfgate.com/cgi-bin/article.cgi?f=/news/archive/2006/06/20/financial/f081242D53.DTL&type=business no longer works], via Dataloss)

University of Alabama, Birmingham

The tide of theft continues. An office computer containing names, SSNs, and medical information for 9,800 kidney donors, recipients, and potential recipients was stolen in February, but “the affected people weren’t notified until earlier this month because it took months for school officials to reconstruct the missing database”.
(AP [link to http://www.timesdaily.com/apps/pbcs.dll/article?AID=/20060620/APN/606200750&cachetime=5 no longer works], via Dataloss)

Unnamed ATM transaction processor

Visa admits there’s a problem it has known about since February, but reveals no numbers or names. Thanks, guys. AP has the story [link to http://www.pe.com/ap_news/California2/CA_Visa_ATM_Breach_242145CA.shtml no longer works].

US Navy

Names, SSNs of 28,000 Navy personnel and some family members show up on a web site. Navy discovers it, has info removed. Congress is asking [link to http://markey.house.gov/index.php?option=content&task=view&id=1749&Itemid=125 no longer works] for more information (such as the name of the site).
(AP [link to http://news.moneycentral.msn.com/provider/providerarticle.asp?feed=AP&Date=20060623&ID=5821436 no longer works], via MSN)

Catawba County, NC High Schoolers

SSNs and test scores for 619 students show up on web. School blames Google.
(HeraldToday.com [link to http://www.bradenton.com/mld/bradenton/news/nation/14891995.htm no longer works], via Dataloss)

FTC loses laptops containing PII

In other news, Surgeon General caught smoking under bleachers.

In a statement, the FTC said two employee laptops were stolen from a locked vehicle. The PCs contained data on about 110 people that was “gathered in law enforcement investigations and included, variously, names, addresses, Social Security numbers, dates of birth, and in some instances, financial account numbers.”

(Brian Krebs [link to http://blog.washingtonpost.com/securityfix/2006/06/ftc_laptop_theft_exposes_consu.html no longer works], via Dataloss)

San Francisco State University

3,000 former and current students’ SSNs, names, grades lost via a…laptop theft!
Although use of SSNs as student identifiers is now banned, apparently it’s just too much work to clean up the years of cruft that faculty have accumulated. An interesting research question: what is the half-life of information like this?
(SFGate.com, via Dataloss)

US Department of Agriculture

Names, photos, and SSNs of 26,000 workers revealed when a hacker was able to get into a USDA server.
(SeattlePI.com [link to http://seattlepi.nwsource.com/business/1700AP_Agriculture_Hacker.html no longer works], via Dataloss)