Monthly Archives: April, 2009

Walmart, Primary Sources, Left Field

We knew when we started the Primary Sources Archive that we’d find some interesting incidents. There was little doubt that what we were seeing reported in the media was a fraction of what was really going on, and we continue to feel that even what we find in the media, and primary sources, still represents a fraction of what really goes on. We did not exactly anticipate finding enormous un-reported breaches via primary sources, however.

We recently launched a small initiative to get primary sources via volunteer contributors from across the 50 states. One volunteer recently submitted a batch of files to us, obtained through a FOIA equivalent request to the state of Illinois. Of those, most were incidents we already knew about, with some exceptions, and one rather large exception.

It would seem that Walmart experienced a significant breach in mid-2007 that we had never heard of in the media. A former employee left Walmart with personnel data of over 48,000 Walmart associates residing in the state of Illinois. That is an enormous number of records for just one state.

In reading the language of the document obtained, it would seem that the breach wasn’t exclusively affecting residents of Illinois, leading us to ask, who else was affected, and why haven’t we seen this elsewhere? If we make the assumption that the breach was nationwide, then it may have affected over a million people. Considering Walmart employs 1.8 million people, the numbers aren’t terribly off.

  • Number Affected in Illinois * Population of the USA / Population of Illinois = Number Affected in USA
  • 48,000 * 300,000,000 / 12,852,548 = 1,120,400

That assumes that the breach isn’t localized, and that population is a reliable metric for measuring data loss incidents, neither of which is known. Regardless, this is a significant breach, and we never heard of it until now.

We have several FOIA equivalent requests out for data during that timeframe which may shed more light on the incident, but we found it interesting enough to post now.

As an aside, and while on the topic of older breaches, the Oldest Data Loss Incidents contest is still underway. We have great prizes available, so be sure to compete!

Posted by d2d

Oldest Incident Contest

DataLossDB has launched a research endeavor to find the oldest documented data loss incident. The contest runs from April 1 to May 15, 2009.Winners will receive some quality rewards such as our grand prize of a Mac Mini thanks to the support from the following sponsors: CREDANT, ArcSight, ITAC Sentinel, StrikeForce and TechShield

What is the oldest documented data loss? As far as what is currently in DataLossDB, it is from January 10, 2000 when a hacker claimed to have stolen 300,000 credit card numbers from CD Universe.

We believe there are plenty of data loss incidents that happened prior to CD Universe. Does anyone have an older incident they can submit to DataLossDB? We want it, and we’ll reward you for it!

You can find the full contest rules and participation guidelines at our contest page located here: http://datalossdb.org/oldest_incidents_contest

Here are a couple points of clarifications about the contest:

What actually will count for the contest?
Small or relatively minor cases of identity theft do not qualify for inclusion. The event submitted must have affected more than 10 individuals. Incidents must have resulted in a breach of Personally Identifiable Information (PII). Specifically, incidents must have resulted in the loss as described in the contest page.

How old of an incident can I submit?
At the end of the day, any entry submitted should improve the data for the project. If you think that it is a quality entry that you believe should be included in DataLossDB based on our standards, then submit it. We hope that most people that want to participate “get it”, but if the entry is blatantly meant to be snarky we are going to simply ignore it. While it may be up for debate, a good rule of thumb to safely submit an entry would be to keep it 19th century and up. =)

What if I can’t find anything older than CD Universe?
While we believe there are plenty out there, all incidents submitted don’t have to be older than the CD Universe breach. For instance, the oldest Stolen Computer breach in the database occurred in 2003. So, submit what you find! You might find the oldest stolen laptop breach, or the oldest accidental web exposure breach.

Do I have to use the contest link?
Yes. In order for us to keep track of the contest if you want to be included, all submissions for this contest must be done via the following contest link:http://datalossdb.org/submissions/new?contest_id=1

What if I am not sure about the incident I have found?
If you are unsure that your incident qualifies please contact curators@datalossdb.org.

Just remember that the contest is aimed to improve the data in DataLossDB while at the same time trying to identify the oldest data loss incident. Anything that is submitted must pass the general ‘BS’ test. If our cynical minds detect shenanigans, it doesn’t count. The Open Security Foundation is the judge and jury in the contest, and we reserve the right to refuse any entry that we feel does not meet our standards for inclusion in the DataLossDB project.

The Open Security Foundation wants to thank our dedicated volunteers and our sponsors for their continued support. If there are any other questions or you would like to discuss other sponsorship opportunities in the future please contact curators@datalossdb.org.

Sponsors:

ArcSight is a leading provider of security and compliance management solutions that intelligently identify and mitigate business risk for enterprises, MSSPs and government agencies. Designed with the needs of highly complex, geographically dispersed and heterogeneous business and technology infrastructures in mind, ArcSight provides the industry’s only vendor-neutral solution for intelligent identification, prioritization and network response to external security attacks, insider threats and compliance breaches.

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions. Every day our patented data-centric, policy-based, centrally-managed software protects the data on over 5 million devices worldwide to ensure security compliance, protect brands and enhance IT and end-user productivity. Learn more about intelligent data security for privacy compliance and avoid the damaging impact of security breaches.

ITAC Sentinel – Protection, Recovery, Trust. The must-have, essential tools needed to fight identity theft. It’s ideal for anyone looking for core identity theft protection.

StrikeForce Technologies is a leading provider that Specializes in Identity Theft Online solutions for consumers, industry and government. By leveraging StrikeForce’s breakthrough technologies, consumers and organizations can finally secure their electronic assets while protecting their employees, business partners, suppliers and customers from malicious hacking and online theft.

TechShield – When your network security technology fails where can you turn? TechShield offers comprehensive privacy and data security insurance products and risk management services to companies that use networked systems, electronic communications and ecommerce. TechShield is brought to you by Aon (NYSE: AOC), the leading global provider of risk management, insurance and reinsurance brokerage and human capital consulting

Open Security Foundation – Open Security Foundation is a 501(c)(3) non-profit public organization founded and operated by information security enthusiasts. We exist to empower all types of organizations by providing knowledge and resources so that they may properly detect, protect, and mitigate information security risks.