Breach notice primary sources

Today on the Dataloss mailing list, a contributor asked whether states in addition to New Hampshire and Maryland make breach notification letters available on-line.
I responded thusly (links added for this blog post):

I know only of NH and MD. NY and NC have been asked to do it, but have no plans to. NJ won’t do it because the reports are held by the state police and not considered public. IN had that provision stripped from their revised law. I saw no evidence that ME has them on-line at the AG’s site. Unless I missed any, those are all the states with central reporting.
I personally have several hundred notices to NY and NC that I am slowly scanning and making available. Unfortunately, my site is off the net for probably a couple weeks.

A later response pointed out that Wisconsin publishes some data as well. Actually, so does New York, but it’s pretty measly.
I forgot to mention in my email that California also considered central reporting — including a web site — as part of an update to its breach law. We blogged about this at the time. I understand these features were cut because of lack of resources.
EC reader Iang made a perspicacious comment at the time:

At some stage we have to think about open governance being run by the people. That is, expect to see some quality control from open institutions, ones that arise for a need. E.g., blogs like this and other aggregators of info.

I am very happy to report that the Open Security Foundation yesterday announced just such a resource. The press release tells the story, but basically it’s crowd-sourcing information on breaches. I am very enthusiastic about getting my primary sources archive back on-line so that I can link with, and otherwise contribute to, this new DataLossDB.

Maryland Breach Notices

Case Number Date Received Business Name No. of MD residents Total breach size Information breached How breach occurred
153504 06/09/08 Argosy University name, social security number, addresses Laptop computer stolen from employee of SunGard Higher Education

Maryland Information Security Breach Notices are put online by the most-forward looking Douglas F. Gansler, attorney general.

I’m glad that they list case IDs on there. We’re getting to the point, what with Attrition.org, Identity Theft resource center, Privacy Rights ClearingHouse, Adam Dodge, Chris Walsh, and probably others I’m forgetting, it’s like chaos out there. We need a ‘CBE’ just to help us all cross-correlate.

Via “I’ve Been Mugged.”

Paper Breach

The Missing Docs

The BBC reports in “Secret terror files left on train” that an

… unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train.

A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police.

We are also told:

Just seven pages long but classified as “UK Top Secret”, this latest intelligence assessment on al-Qaeda is so sensitive that every document is numbered and marked “for UK/US/Canadian and Australian eyes only”, according to our correspondent.

The person who lost them is

… described as a senior male civil servant, works in the Cabinet Office’s intelligence and security unit, which contributes to the work of the Joint Intelligence Committee.

His work reportedly involves writing and contributing to intelligence and security assessments, and that he has the authority to take secret documents out of the Cabinet Office – so long as strict procedures are observed.

Apparently the documents were not encrypted. Cue rimshot.

6/16ths of Chileans personal information leaked by hacker

A hacker in Chile calling himself the ‘Anonymous Coward’ published confidential data belonging to six million people on the internet.

Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records.

Chile has a population of about 16 million, so that’s 3/8ths of the country.

See “ALERTA: Se filtran datos personales de 6 millones de chilenos vía Internet” (Google translated). The blogger, Leo Prieto, gets a rude awakening when he reads the law, “¿Es privada la información personal en Chile?” (see translated version)

Via PogoWasRight.

¿As an aside, why doesn’t English use those awesome ‘¿’ to tell you you’re reading a question? We use the opening punctuation for quotes.

UK Information Commissioner’s Office Can Now Fine Your Ass

From the article:

The Criminal Justice and Immigration Act has received Royal Assent creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO). This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.

It’s about time that the Data Protection Act got some teeth for dealing with breaches. Unfortunately, I haven’t been able to find out much more information on this. All I could find on the ICO’s site was a press release and this position paper on the need for the ability to fine for breaches. Anyone out there know more?

Do you feel like we do?

l1.jpg
As many EC readers realize, press reports about data breaches involving lost or stolen computers often contain statements something like “The actual risk is thought to be minimal, since a password is required to login to the missing computer”.
Such statements are sufficiently numerous that the pre-eminent source of breach data, Attrition.org, have issued a comment the topic.
I recently had an idea which I honestly think might be very useful (or pathetically impotent).
I report, you decide.
The idea is simply this:
Creating some sort of on-line document and getting infosec experts/practitioner/luminaries to add
their names to it. The document would be akin to an on-line petition, except that it would not be asking for something, it would be stating a position — as I envision it would be a couple of paragraphs, pointing out the technical facts (in lay terms) that “recovery” CDs can completely bypass OS passwords, that the better state breach laws exempt encrypted data alone for a reason (Indiana is a perfect example, having had their loophole closed so recently), that any safeguard is only as good as the threat model behind it, and that operating system passwords were not intended to be defense against a threat which bypasses the operating system completely.
When the press perpetuates the canard (and I am aware of it), I’d dash off a letter to
the editor which particularizes things, and which points to this on-line
document. Hopefully, this would raise awareness.
My thinking here is that many of us with an infosec and privacy background “get it”, but that the press has relatively little access to us. Human nature being what it is, the path of least effort is often followed, and press releases are reprinted, without regard to their technical accuracy
Is this a crazy idea? If so. please comment. If you think it makes sense, comment about that.
If there seems to be solid support, we can work out the details and make it happen.

Avoid ID theft: Don’t run for President

The Washington Post reports:

The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama’s passport file.
Obama’s presidential campaign immediately called for a “complete investigation.”
State Department spokesman Tom Casey said the employees had individually looked into Obama’s passport file on Jan. 9, Feb. 21 and March 14. To access such a file, the employees must first acknowledge a pledge to keep the information private.
The employees were each caught because of a computer-monitoring system that is triggered when the passport accounts of a “high-profile person” are accessed, he said. The system was put in place after the State Department was embroiled in a scandal involving the access of the passport records of then-presidential candidate Bill Clinton in 1992.
“The State Department has strict policies and controls on access to passport records by government and contract employees,” Casey said.
The department uses contract employees to help with data entry, customer service and other administration tasks. The employee involved in the March 14 incident has only been disciplined so far, because the probe of that incident is continuing, an official said.

My translation is that the State Department, “in order to serve you better”, violates the principle of separation of privilege and allows individual contract call center people to access the passport data for everybody in the country. Then, after a high-profile person has his privacy grossly violated (they ran Clinton’s file because of malicious, false rumors he renounced his US citizenship during the Viet Nam era), they put in detective controls (not preventative — too obvious), but these only work for important people.
Nice.
Luckily, Bill Burton, spokesman for Senator Obama, has a keen grasp of the issues:

“This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama’s passport file, for what purpose, and why it took so long for them to reveal this security breach.”

One way to learn some of that, as I am sure Mr. Burton’s boss knows, is to get a decent national breach notification law.
While State may have been slow, they did the right thing, and canned the violators. Nothing reinforces a security policy better than a public execution, and nothing undermines one more effectively than blatant non-enforcement. With recent privacy breaches affecting not just semi-celebs like Presidential candidates, but also really important people, making sure that punishment is swift and sure seems like an obvious way to “incentivize good behavior”.

More Hardware Security Shown to be Bunk

Pix of bogus hardware

After showing that “encrypted” disk drives only encrypted the password you use, not the data, Heise-Online now shows that fingerprint-access is often bunk:

Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. It turns out that an easy-to-find tool allows nosy parties to get around the protection in some products.

Basically, all you have to do is get a low-level USB tool, PLscsi, and have it tell the device to ignore all that security stuff. Yes, I’m over-simplifying, but I’m disgusted. Read the article for details.

Back in the ring to take another swing

Via Kable’s Government Computing, comes news that the British House of Lords “Science and Technology Committee has announced a follow-up inquiry to its ‘Personal Internet Security’ report”.

Chair of the committee Lord Sutherland said: “The committee was disappointed with the government’s response to its report. We felt they had failed to address some of our key concerns about people’s security on the internet.
“The House of Lords is likely to be debating the report in the summer and to ensure that the debate is as well informed as possible we have decided to seek key stakeholders’ views on the government’s response.”

Kable’s Government Computing, 2008-02-21
I speak American english, so I may not be up on the nuances, but I think Lord Sutherland is saying that they’re going to line up a bunch of experts to say what absolute dolts the government were in ignoring the recommendations put forth by the Committee last year.
Excellent.

Here we go…

Experian sues Lifelock.
I think I can hear the champagne corks popping at ID Analytics from here. They, arguably, provide a service which is similar enough (a detective control against new account fraud, rather than a preventative control), but theirs operates through a different mechanism.
I’d like to see some numbers showing the efficacy of these approaches. I am pretty sure Lifelock or Debix can produce them for the ‘automated fraud alert’ approach. I don’t know what ID Analytics has.

Citibank limiting ATM withdrawals in NYC?

Title:  Citibank limits ATM cash in city
Author: KERRY BURKE and LARRY McSHANE
Source: DAILY NEWS
Date Published:January 3rd 2008
Excerpt:
The New York-based Daily News  reported today that Citibank has limited the
cash amount its  customers can take out of ATM machines.   It is being
reported that the security of Citibank's ATM machines in New York have been
seriously compromised by fraud.  According to media reports, a spokesperson
for Citibank has stated that  "Though we can't provide details of ongoing
security investigations, we are working closely with law enforcement on
this matter."  Citibank declined to specify the amount of the new
withdrawal cap.
For complete article see: http://www.nydailynews.com/money/2008/01/03/2008-01-03_citibank_limits_atm_cash_in_city-2.html
For more security News visit the FIRST Security News site at:
http://www.first.org/newsroom/globalsecurity
http://www.first.org/newsroom/globalsecurity/rss.xml

(Passed along in case folks haven’t heard)

Breach Disclosure of the Zeroeth Millennium

romulus-and-remus.jpg

The BBC reports that the whereabouts of the legendary cave where Romulus and Remus, founders of Rome, were nursed by a she-wolf, Lupa, as foundlings.

The eight-meter-high cave was found buried sixteen meters under a previously-unexplored area of Palatine hill in Rome.

Although their home address has been made public, it is unclear if the Roman founders lost any other personal information such as tax ID numbers, bank information, or date of birth.

In related news, two disks in the UK have been lost with the personal details of 25 million Britons including “name, address, date of birth, National Insurance number and, where relevant, bank details.” This is everyone in the UK who receives a tax deduction from having children.

HMRC Paul Gray resigned over the incident (as if that will help). Liberal Democrat Acting Leader, Vince Cable, clucked: “why does HMRC still use CDs for data transmission in this day and age?” proving that he doesn’t read this blog. Mr Cable as well as Shadow Chancellor George Osborne predicted the end of the National ID Database as a result of this loss.

Commissioner of Obvious Information, Richard Thomas, said: “this is an extremely serious and disturbing security breach” and Chancellor Alistair Darling pointed out that at least no one had had fiber-optic endoscopes pushed into their houses unlike those Roman foundlings.

No word on the lupins


NSW Police are investigating the possible compromise of an online florist’s database and theft of customers’ credit card details.
The Fraud Squad has set up Strike Force Parkview to investigate the case that involves the retailer Roses Only.
There are unconfirmed reports that the details were used to make a string of luxury purchases in South-East Asia.
“A strike force has been set up by the State Crime Command Fraud Squad to investigate the possible compromise of an internet-based business’ database and subsequent fraudulent transactions,” a police spokesman said.
She said the investigation was in its earliest stages and no further information was available.
Roses Only later released a statement saying that it had been recently advised that their computer systems “may have been” compromised through an unauthorised intrusion earlier in the year.
“We moved quickly to address the situation and engaged a leading international technology security firm to enhance the security of our system,” the statement said.

Sydney Morning Herald
(Image grab via Youtube)