Smaller than Epsilon, but still clear that things are bigger in Texas!
Texas comptroller’s office data breach exposes 3.5 million teachers’ and employees’ Social Security numbers and other personal information
April 11, 2011 by admin
Kelley Shannon reports:
Texas Comptroller Susan Combs revealed Monday that the personal information of 3.5 million people has been inadvertently disclosed by her agency, making Social Security numbers, dates of birth and other data accessible to the public.
The information was available on a publicly accessible computer server and included data transferred by the Teacher Retirement System of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas.
Combs said that on Wednesday her office will begin sending letters to notify those affected by the data breach, which is thought to be the largest in Texas history.
Read more on Dallas News.
The Comptroller’s Office has issued a press release today:
The Texas Comptroller’s office is sending letters beginning Wednesday, April 13, to notify a large number of Texans whose personal information was inadvertently disclosed on an agency server that was accessible to the public. The records of about three and a half million people were erroneously placed on the server with personally identifying information.
There is no indication the personal information was misused. [A common, if meaningless statement in Breach Notices. Bob]
“I deeply regret the exposure of the personal information that occurred and am angry that it happened,” Texas Comptroller Susan Combs said. “I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location. We take information security very seriously and this type of exposure will not happen again.”
The records contained the names and mailing addresses of individuals. The records also included Social Security numbers, and to varying degrees also contained other information such as dates of birth or driver’s license numbers – all the numbers were embedded in a chain of numbers and not in separate fields. [In other words, a typical computer record. Bob]
The information was in data transferred by the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS).
The TRS data transferred in January 2010 had records of 1.2 million education employees and retirees. The TWC data transferred in April 2010 had records of about 2 million individuals in their system. And the ERS data transferred in May 2010 had records of approximately 281,000 state employees and retirees.
The data files transferred by those agencies were not encrypted as required by Texas administrative rules established for agencies. In addition to that, personnel in the Comptroller’s office incorrectly allowed exposure of that data. Several internal procedures were not followed, leading to the information being placed on a server accessible to the public, and then being left on the server for a long period of time without being purged as required by internal procedures. The mistake was discovered the afternoon of March 31, at which time the agency began to seal off public access to the files. The agency has also contacted the Attorney General’s office to conduct an investigation on the data exposure and is working with them.
The information was required to be transferred per statute by these agencies and used internally at the Comptroller’s office as part of the unclaimed property verification system.
The Comptroller views the protection of personal information as a serious issue. She will be working with the Legislature to advance legislation to enhance information security as outlined in the Protecting Texans’ Identities report she released in December. This would include the designation of Chief Privacy Officers at each agency as well as the creation of an Information Security Council in the state.
The agency has set up an informational website for individuals at www.TXsafeguard.org to provide additional details and recommended steps and resources for protecting identity information.
Could spammers connect an email address to a phone number? Sure. But why would they leave “noise” rather than a sales pitch for Viagra?
Readers question whether Epsilon breach was really names and email addresses only (updated to include response from Epsilon)
April 11, 2011 by admin
From comments under another blog entry, it seems clear that a lot of people are not believing Epsilon’s assurance that the breach involved names and email addresses only.
I received the following email, which I am reproducing except for redacting the name of the sender and the name of the Epsilon employee and their phone number, although that information was provided to me and to CERT:
I saw that you posted an article about the Epsilon breach and I am trying to make consumers aware of more information. Phone numbers were taken along with the email addresses. I am getting over 100 phone calls per day and nothing is being done about it. When contacting the phone company, they give me no other choice but to change my phone number. But I need my phone number for work and it would be very difficult to change it. I am sure there are hundreds of other people dealing with the same issue. At the least, people need to know that it was not just email addresses taken, phone numbers were taken and who knows what else. Epsilon lied to us.
———- Forwarded message ———-
Date: Sun, Apr 10, 2011 at 7:23 PM
Subject: Epsilon breach included phone numbers
Ever since I was notified that my information was compromised during the Epsilon breach, I have been getting phone calls every 4 minutes constantly for over a week. The calls will come from random computer-generated 11 digit numbers, blocked numbers, and unknown numbers. Even though the numbers are different, they always leave the same 29 second voicemail that sounds like frequencies when adjusting an old TV antenna. I called Epsilon and spoke to [redacted employee name] at [redacted phone number], and she confirmed that other customers were getting the same types of calls and it was widespread. However, they only reported that email addresses were taken and denied anything else. Clearly other information was taken and is still being abused.
I am blocking all calls that are not in my contact list. Here is a brief history of the calls that were blocked for 3 days.
Is anyone doing anything about this???
* Received and Blocked Calls
[A very very long list of timestamps and blocked calls was included in the email to CERT but is deleted here to save space]
In subsequent correspondence, the writer indicated that the phone calls started on March 31 around 2:00 pm ET and have been non-stop ever since. Note that the phone calls reportedly started after the breach occurred but the day before Epsilon issued its press release on the breach.
I asked which notifications s/he had received following the announcement of the breach, and s/he indicated New York & Company, Hilton Honors, and Capital One. The correspondent indicated some surprise that more notifications hadn’t been received because s/he has accounts with some of the other entities who were reportedly affected.
Epsilon did not respond to an email inquiry sent by DataBreaches.net by the time of this publication, but if I receive a response, I will update this post.
Update: An Epsilon spokesperson responds:
As stated in our releases, the ONLY information that was compromised was email address and/or customer name.
At this point, all I’m able to share are the statements on our website as we conduct an ongoing investigation.
No indication yet of how many records. The data includes “sales leads,” so apparently you don't need to be associated with the company to be a victim.
Hacker breaks into Barracuda Networks database
April 12, 2011 by admin
Robert McMillan reports:
The hacker, who called himself Fdf, posted proof of his attack to the Web on Monday, showing e-mail addresses of company employees and names, e-mail addresses, company affiliations and phone numbers of sales leads registered by the company’s channel partners.
[From the Register article:
Screenshots showed what was purported to be names, email addresses and phone numbers for Barracuda partners from organizations including Fitchburg State University in Massachusetts and the UK's Hartlepool College of Further Education.
… It was unclear if the hashed passwords were salted to prevent them from being cracked using various free tools available on the internet.
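What the salting question in the excerpt above comes down to, as an added example that is not Barracuda's code or the Register's: an unsalted MD5 dump falls to a single precomputed lookup table, while a per-user salt with an iterated hash (PBKDF2-HMAC-SHA256 here) forces the attacker to redo the work for every user. The wordlist, passwords and hash format are constructed for this example; the page does not say which algorithm or format Barracuda actually used.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionaries that free cracking
# tools ship with; every "leaked" hash below is derived from it.
WORDLIST = ["password", "letmein", "welcome1", "barracuda", "Summer2011"]


def unsalted_md5(password):
    # What a legacy web app typically stores: one deterministic hash per password,
    # identical for every user who picked that password.
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password, iterations=100_000, salt=None):
    # PBKDF2-HMAC-SHA256 with a random 16-byte salt. Salt and cost are stored
    # next to the digest (assumed "iterations$salt$digest" layout) so that
    # verification can reproduce them; neither needs to be secret.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check itself does not leak digest bytes.
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_with_lookup_table(md5_hashes):
    # Attacker's view of an unsalted dump: hash the wordlist once, then every
    # leaked hash is a dictionary lookup. Returns {hash: password} for hits.
    table = {unsalted_md5(w): w for w in WORDLIST}
    return {h: table[h] for h in md5_hashes if h in table}


def crack_salted(stored_hashes):
    # Attacker's view of a salted dump: no shared table is possible, so every
    # candidate word is re-derived per user at the stored iteration count.
    found = {}
    for stored in stored_hashes:
        for word in WORDLIST:
            if verify_salted(word, stored):
                found[stored] = word
                break
    return found


def hash_invocations(n_users, wordlist_size, iterations):
    # Hash computations needed to try the whole wordlist against every user.
    return {
        "unsalted_md5": wordlist_size,
        "salted_pbkdf2": n_users * wordlist_size * iterations,
    }


if __name__ == "__main__":
    dump = [unsalted_md5("letmein"), unsalted_md5("correct horse battery staple")]
    print("unsalted cracked:", crack_with_lookup_table(dump))
    salted = [salted_hash("letmein"), salted_hash("correct horse battery staple")]
    print("salted cracked:  ", crack_salted(salted))
    print("work for 10,000 users, 1M words:", hash_invocations(10_000, 1_000_000, 100_000))
```

Note the caveat the code makes visible: the salt does not save a user whose password is in the wordlist (`letmein` still falls), it only removes the shared precomputation and multiplies the attacker's cost by the user count and the iteration count.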
… SQL injection attacks exploit poorly written web applications that fail to scrutinize user-supplied data entered into search boxes and other fields included on the targeted website. By passing database commands to the site's backend server, attackers can harness the vulnerabilities to view and even modify the confidential contents.
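The mechanism the Register describes, shown as an added example rather than Barracuda's own PHP: a lookup of case studies by vertical market that splices the user's value into the SQL string, next to the parameterised version that does not. The tables, names and contact details are constructed, and SQLite from the Python standard library stands in for the MySQL backend so the block runs offline; the UNION payload is the same shape an attacker would point at `information_schema` to enumerate database names.

```python
import sqlite3

# Constructed data: a "case studies by vertical market" table and a partner
# contact table standing in for the lead data the attacker posted.
CASE_STUDIES = [
    ("Example Retail cuts spam 90 percent", "retail"),
    ("Example Hospital locks down email", "healthcare"),
    ("Example College filters the web", "education"),
]
PARTNERS = [("Jane Partner", "jane@example.edu", "+1-555-0100")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE case_studies (id INTEGER PRIMARY KEY, title TEXT, vertical TEXT)"
    )
    conn.executemany(
        "INSERT INTO case_studies (title, vertical) VALUES (?, ?)", CASE_STUDIES
    )
    conn.execute("CREATE TABLE partners (name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO partners VALUES (?, ?, ?)", PARTNERS)
    conn.commit()
    return conn


def case_studies_vulnerable(conn, vertical):
    # The user-supplied value is pasted into the statement text, so a quote in
    # the input ends the string literal and everything after it is parsed as SQL.
    sql = "SELECT title FROM case_studies WHERE vertical = '%s'" % vertical
    return [row[0] for row in conn.execute(sql)]


def case_studies_safe(conn, vertical):
    # Parameterised query: the value travels separately from the statement text
    # and is only ever treated as data, whatever characters it contains.
    rows = conn.execute(
        "SELECT title FROM case_studies WHERE vertical = ?", (vertical,)
    )
    return [row[0] for row in rows]


# UNION payload: close the literal, bolt on a SELECT from another table with the
# same column count, and comment out the closing quote the script appends.
PAYLOAD = "retail' UNION SELECT name || ':' || email || ':' || phone FROM partners --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", case_studies_vulnerable(db, PAYLOAD))
    print("safe:      ", case_studies_safe(db, PAYLOAD))
```

The vulnerable function returns the partner row alongside the retail case study; the parameterised one returns nothing, because no vertical is literally named `retail' UNION SELECT ...`. Escaping quotes by hand is the weaker fix: it has to be right for every character set and database dialect, whereas a bound parameter never reaches the SQL parser at all.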
In all, 22 databases with names including new_barracuda, information_schema and Marketing were exposed, according to the post, which was published on Tuesday.
The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8 ) after close of business Pacific time.
… After approximately two hours of nonstop attempts, [Which no one noticed because they had turned off the firewall? Bob] the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market.
… We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.
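Two hours of nonstop probing against one script is loud in any web-server log, WAF or no WAF. As an added example (not Barracuda's tooling, and the page does not describe their log formats), here is a detector that parses Apache combined-format access-log lines, URL-decodes the query string, flags common injection probes and alerts on any source that sends several of them within a short window. The log lines, IP addresses and the `case_studies.php?vertical=` path are constructed; the path only mirrors the "case studies by vertical market" script the statement mentions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache "combined" access-log lines: one legitimate visitor and one
# scripted client walking through quote, boolean, UNION and time-based probes.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2011:01:02:03 -0700] "GET /case_studies.php?vertical=education HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Apr/2011:01:02:10 -0700] "GET /case_studies.php?vertical=education' HTTP/1.1" 500 312 "-" "python-urllib/2.6"
198.51.100.9 - - [09/Apr/2011:01:02:11 -0700] "GET /case_studies.php?vertical=education%27%20OR%201%3D1-- HTTP/1.1" 200 9880 "-" "python-urllib/2.6"
198.51.100.9 - - [09/Apr/2011:01:02:12 -0700] "GET /case_studies.php?vertical=education%27%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables-- HTTP/1.1" 200 14022 "-" "python-urllib/2.6"
198.51.100.9 - - [09/Apr/2011:01:02:13 -0700] "GET /case_studies.php?vertical=1%20AND%20SLEEP(5) HTTP/1.1" 200 5123 "-" "python-urllib/2.6"
203.0.113.7 - - [09/Apr/2011:01:05:00 -0700] "GET /case_studies.php?vertical=healthcare HTTP/1.1" 200 4910 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators are matched against the *decoded* query string, otherwise a single
# %27 or %20 is enough to slip past them.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),  # ' OR 1=1
    re.compile(r"union\s+(all\s+)?select", re.I),             # UNION SELECT
    re.compile(r"information_schema", re.I),                  # schema enumeration
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),            # time-based blind
    re.compile(r"(--|/\*)\s*$"),                              # trailing SQL comment
    re.compile(r"'\s*$"),                                     # lone quote: syntax probe
]


def parse_line(line):
    """Return a dict with ip, time, path, decoded query and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts.path,
        "query": unquote_plus(parts.query),
        "status": int(m.group("status")),
    }


def is_sqli_probe(query):
    return any(p.search(query) for p in SQLI_PATTERNS)


def find_probers(log_text, threshold=3, window_seconds=600):
    """Return {ip: flagged_request_count} for sources that sent at least
    `threshold` injection-looking requests inside any `window_seconds` span."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sqli_probe(rec["query"]):
            flagged[rec["ip"]].append(rec["time"])
    alerts = {}
    for ip, times in flagged.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                alerts[ip] = len(times)
                break
    return alerts


if __name__ == "__main__":
    print(find_probers(SAMPLE_LOG))
```

The point of the window is to separate a scripted scan from the occasional stray apostrophe in a real search term. A WAF in monitoring mode still writes these same observations to its own log; the failure was that nobody was reading them, which is what the alert on the last line is for.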
Building a Hacker Target... Your data is secure, except that “almost everyone at the university?” will have access.
UK: Student database raises privacy concerns
April 11, 2011 by Dissent
Alice Kinder reports:
Oxford University’s decision to add students to the University’s Development and Alumni Relations System database has provoked mixed reactions.
An email was sent out to students on Thursday stating that the University will be adding information on all students to the new database “in order to facilitate better communication and engagement for the entire Oxford community.”
However, students wishing to opt out of having their information migrated are given the opportunity to do so before the 4th May.
This data includes name, contact details, date of birth, gender, marital status, nationality, supervisor, college advisor, programme of study and educational history. Academic results will not be transferred.
Read more on Cherwell.
I imagine hackers are licking their lips already over this one. I thought Oxford was supposed to have some smart people, but look at this self-contradictory explanation:
It is said that details in DARS are held securely, and the data can then be used for networking purposes so that those who have left university can “connect with other, like-minded alumni”.
The email sent to students also states that the data may be used by colleges, faculties, departments, administrative units, international offices, recognised alumni societies, and sports and other entities associated with the University.
Hopefully, the students at Oxford are smarter or more savvy than the folks who came up with this plan and they will opt out immediately.
Now those Privacy Policies no one reads are even more important. Absent a Policy, you have no Privacy?
Judge rules emails in Hamilton’s case admissible
April 12, 2011 by Dissent
Frank Green reports:
A federal judge in Richmond has ruled that the government may use emails between former Del. Phillip A. Hamilton and his wife in his upcoming bribery and extortion trial.
Hamilton’s lawyers said the emails are not admissible because of his Fourth Amendment right to privacy and the privilege of protecting confidential marital communications.
But, wrote U.S. District Judge Henry E. Hudson in an eight-page ruling Monday, “Neither affords him the protection he seeks.”
The emails were stored on Hamilton’s work computer with the Newport News school system. At the time they were written, the school system had no policy on privacy expectations.
Should be amusing to watch...
Draft PRC Guidelines on Personal Data Protection
April 12, 2011 by Dissent
Gabriela Kennedy writes:
While personal data privacy law has been developing in many jurisdictions with the increasing prevalence of internet usage, the People’s Republic of China (“PRC”) has not yet enacted comprehensive laws or regulations governing the collection, use and transfer of personal data. However, this may change soon, as indicated by the recent issuance of the draft Information Security Technology — Guide of Personal Information Protection (the “Guidelines”, issued jointly by the General Administration of Quality Supervision Inspection and Quarantine and the Standardization Administration of the PRC on 30 January 2011). The draft Guidelines were developed in consultation with the Ministry of Industry and Information Technology, the government agency charged with regulating the telecoms and internet industries, and would create broadly applicable rules and principles for handling and transferring personal information. Although the draft Guidelines could be revised before implementation and have not yet been enacted, upon entering into force they could significantly impact business practices relating to storage, processing and transfer of information.
Read more of their description of the draft guidelines on Hogan Lovells Chronicle of Data Protection.
E-Discovery: changing technology, large data volumes, and the joy of computer forensics...
April 11, 2011
Sedona Conference® Database Principles - Addressing the Preservation & Production of Databases & Database Information in Civil Litigation
The Sedona Conference® Database Principles - Addressing the Preservation & Production of Databases & Database Information in Civil Litigation. A Project of The Sedona Conference® Working Group on Electronic Document Retention & Production (WG1), March 2011 Public Comment Version, by The Sedona Conference®. Editor-in-Chief: Conrad J. Jacoby
"Disputes over the discovery of information stored in databases are increasingly common in civil litigation. Part of the reason is that more and more enterprise-level information is being stored in searchable data repositories, rather than in discrete electronic files. Another factor is that the diverse and complicated ways in which database information can be stored has made it difficult to develop universal “best-practice” approaches to requesting and producing information stored in databases. The procedures that work well for simple systems may not make sense when applied to larger server-based systems. Similarly, retention guidelines that make sense for archival databases—that is, databases that add new information without deleting past records—rapidly break down when applied to transactional databases where much of the system’s data may be retained for only thirty days—or even thirty seconds."
(Related) Not everyone tries to hide evidence, but here's what happens when you get caught.
Judge Refers Defendant’s e-Discovery Abuse to U.S. Attorney for Criminal Prosecution of the Company and Four of Its Top Officers
Not the typical knee-jerk reaction...
DRM Drives Gamers To Piracy, Says Good Old Games
"Independent retro games retailer Good Old Games has spoken out about digital rights management, saying that it can actually drive gamers to piracy, rather than acting as a deterrent. In an interview, a spokesperson for Good Old Games said that the effectiveness of DRM as a piracy-deterrent was 'None, or close to none.' 'What I will say isn't popular in the gaming industry,' says Kukawski, 'but in my opinion DRM drives people to pirate games rather than prevent them from doing that. Would you rather spend $50 on a game that requires installing malware on your system, or to stay online all the time and crashes every time the connection goes down, or would you rather download a cracked version without all that hassle?'"
Interesting idea for an application. First, find a big market (dieters) then sell them something they can use... (Now we'll have people texting and snapping photos at the table next to us when we want a quiet dinner.)
New app calculates calories through photos of food
Worried about how many calories you are going to consume in that slice of pizza, chocolate cake or bag of fries? A new iPhone application may help.
After taking a picture of the meal with the phone, the app gives a calorie read-out almost instantly.
The app, called MealSnap, was developed by DailyBurn, a fitness social network that has created several other fitness and diet-related iPhone applications.
Within minutes of taking a picture of a meal and matching it to a database of some 500,000 food items, the app sends users an alert with a range of calories for the meal that was photographed.
Might be interesting to add to your business cards as a pointer to an “always up-to-date” resume... Or the current price list... Or your Blog... Or ??? ...
Uqr: Share Websites & Other Various Things Through QR Codes
uQR is a simple and free to use web service that lets you share anything on the web using QR codes. Basically the website gives you a public profile that has two parts: a URL and a QR code pointing to this URL. When people scan the code, they are taken to your uQR sharing page where you can share almost anything: specially formatted text, your vCard, a YouTube video, or any other URL of your choosing. Things you share on the profile can be changed anytime.
You can print out the QR code and paste it anywhere in public. This way you will be sharing material with everybody who has the ability to scan the code and reach your uQR profile, an interesting idea indeed.
For my fellow Sci-Fi fans. I always wanted to build one in my garage...
Book Excerpt: Space Shuttle Owners’ Workshop Manual