Category Archives: Breach Reporting

According to OSF… nothing. (was re: try asking us first)

On occasion, we look for news related to things other than data loss events. Press releases veiled as “news” are a frequent treasure chest of (not so) great information, so we often use detailed and complicated techniques to make sure we have as much information as we can gather about… Open Security Foundation and DataLossDB. In other words, YES, WE GOOGLE OURSELVES. Oh, don’t be shocked. You “ego surf” yourselves too. Admit it.

The Sixth Annual Gibbs Golden Turkey Awards – “According to the Open Security Foundation’s excellent DatalossDB Web site” – we appreciate that, and Mark did write “according to… web site.” Best one we’ve seen so far.

Config Errors Leaving Huge Security Holes: Study – “According to the Open Security Foundation, so far this year 37 organizations have lost almost 132 million sensitive records through external hacks as a result of sloppy or poorly secured network IP configurations.” – well, kinda. Our *statistics*, when gathered and analyzed, might *infer* something related to that conclusion, but we (meaning OSF) were never asked to make a statement about any number of records compromised through any particular attack vector.

IP Networks Are Vulnerable Due to Lapses in Security, Compliance and Proper Configuration, Says Telcordia – Calvin, meet Larry. Larry, meet Calvin. Your stories both use OSF and DataLossDB as a resource, but we don’t remember receiving a call or even an email asking us for comments, clarification, or any other additional insight for background. You, sirs, have an uncanny gift for being able to use each others words IN THE EXACT SAME WAY. That is a true journalistic gift. Kudos.

Journos, please, contact us about what OSF supposedly said before putting said comments into your writings. We’re usually available, and typically somewhat pleasant to deal with. We also keep tabs on current events, as well as whatever you write that makes it onto Google News. Just sayin’. 🙂

Posted by Lyger

Data Breach Notification Letters

Many of our “regular” readers are keenly familiar with data breach notification letters. They’ve seen the Primary Sources Archive, or have been unfortunate enough to have the honor of receiving one, or potentially worse, have the unfortunate honor of drafting one. Many, however, have not.Nearly every state in the United States has adopted data breach legislation, and new adoptee-states continue to trickle in each year. Several federal legislative efforts are under way to blanket the nation, and one has even passed pertaining to medical data breaches. Internationally, the issue is also progressing.

Some states, like Massachusetts and Nevada have passed laws, or are in the process of considering legislation governing the implementation of practices to protect personally identifiable information. These requirements are bringing the issue to the people, forcing businesses small and large a-like to consider their security practices, from document disposal and retention periods, to data encryption and fraud prevention. While the effectiveness of these new laws is debatable, there is no question that the laws are forcing the issue to be considered, and that isn’t necessarily a bad thing.

This is where the Primary Sources Archive can really help business of all sizes. We have samples of thousands of data breach notification letters, issued from companies big and small to various states in compliance with law. Wondering how a breach letter should look when sent to Massachusetts? We have hundreds of samples for you — real world examples. Wondering how you should fill out the New York or North Carolina data breach notification forms? We have almost a thousand of those combined. Wondering what type of incidents people are notifying on in Maine? Peruse our collection! You can even find law firms that have specialty in data breach notifications, just by browsing through and seeing what firms are doing work from what companies.

The Primary Sources Archive really is an under-tapped resource for businesses of all sizes, be it the compliance department, the legal counsel, or the small business owner. We’d like to encourage any readers to forward links to the Archive off to their privacy officers, or counsel. You’d be amazed at how useful they may find it.

Card Processor Developments & New Features

Several news outlets are reporting that RBS Worldpay and Heartland have had their PCI compliant status removed by VISA. Prior to this move, the two had been listed as being “Under Review”, and were the only two organizations on the entire list to be footnoted as such.

In other news, we have several new features. We now require a login, and acceptance of terms for downloading the database. We’ve also added a new download format. You can now download the contents of DataLossDB in mysqldump format. We also have the following new features:

  • Data Loss Stock Analysis – A Feature that allows users to analyze the potential effects of data loss incidents on publicly traded companies.
  • Stock Charts on Incident Pages – Every incident now shows the stock activity before, during, and after a data loss incident.
  • Stock Charts on Organization Pages – Every organization page of a publicly traded company now shows their stock charts during the time of the incident.

Take these stock statistics with a grain of salt. There are many things that affect the price of a given stock, and these detailed analysis of these charts is required before drawing any conclusions. These new features are also still under development, and we’re aware of some graphs not displaying properly.

We’ve recently received a new batch of Primary Sources. Two of them from volunteers in our 50 states FOIA project! Thank you to those of you participating. For those who are interested, email curators@ to find out more. Another batch was one we processed directly from Hawaii. The Hawaii batch begins with a document dated 2007-01-17, and ends with a document dated 2009-01-07. You can see all 70 of them here:

There are several in that batch that we don’t have as incidents yet, and we’ll process them as soon as we can. If you’d like to help out, let us know.

You can see the other states, Wisconsin (gathered by volunteer swtornio), and Michigan (gathered by volunteer Alina Johnson) here:

We’ll be announcing a new contest soon, with some great prizes for winning contestants, thanks to some spectacular sponsorship offers. If your organization is interested in sponsoring it, there’s also room for more prizes. Contact for more information.

New Card Processor Breach, coming soon to a news outlet near you

As we mentioned over a week ago, a new processor breach seems to have occurred. Banks around the country are being notified of a new breach unrelated to the Heartland Payment Systems breach.

When we initially wrote about it, we were acting on a tip that was corroborated by other sources who wish to remain anonymous. What we knew at the time but couldn’t publish was that it was a “card not present” breach at an “acquirer / processor”. We’re now able to say this specifically, asanother source has come out publicly with the information (props to for finding this source.)

What we still don’t know is what processor has been breached. According to the aforementioned article, and as has been confirmed by our sources, VISA and Mastercard are refusing to disclose which acquirer processor had the breach, as the organization hasn’t released a public statement on it yet themselves.

We do know, from the aforementioned article and through investigative work done here as well, that the breach in question isn’t magstripe (hence card not present). The terms “card not present” have been repeatedly used by almost every source we have, and this article as well. We also know that cards affected by the Heartland breach may also have been affected by this breach, leading to some confusion at banks regarding reissuing cards.

Our questions: No magstripes? All “card not present”? Either this was a breach in a major processor’s online transactions system, or, the breach was at a major online payment processor. Those are our guesses, but, we’ve been surprised before. Also, why hasn’t the breached organization come forward? It has been “suggested” to us that some sort of a “gag” order is in effect on the topic, but we haven’t been able to ascertain whether this is an actual judicial order, or some otherwise unofficial order to keep quiet on this.

As to the size and scale of this new breach, we’re hearing mixed responses from smaller than Heartland to larger than Heartland, and given that we don’t yet have a number regarding Heartland, it seems ever more speculative as to just how big this new breach is. One thing is certain, the two breaches amount to a lot of card replacements, a lot of bankers working overtime, and a lot of consumers inconvenienced, or worse, defrauded.

More details as this unfolds, as it no doubt will.

New Processor Breach?

Banks around the country are reportedly receiving warnings, and perhaps even new lists of cards to replace. This is apparently regarding another credit card processor, unrelated to Heartland Payment Systems, having a significant breach.

OSF has received multiple tips from multiple sources, all sounding nearly identical.

From what we’ve heard, this second breach is significant in scale, but we have not as of yet been told who the processor is.

Also has released an article about three people being arrested for allegedly using credit cards from the Heartland Breach. And also, their list grows of institutions affected by the Heartland incident (they maintain a much more comprehensive list than we did). Hats off!

We’ll post more details as we become aware of them.

Heartland Payment Systems Breach 100,000,000?

The Washington Post is reporting that the Heartland Payment Systems breach could top 100 million credit cards, though we haven’t heard anything official yet as to a grand total.

Over the past few days we’ve been hearing noises about a potentially large breach affecting banks across the country, and this morning Heartland announced their breach. There are still questions as to whether or not all the noise we’ve been hearing is directly related to this breach, but to be sure a good chunk of it must be.

It would appear per the onslaught of articles being posted about the breach (see the references section of the breach) that this was some sort of malware induced incident at the payment processor, which happens to be one of the largest in the country. Many are poking fun at the timing of this announcement.

We will set a total on the breach once the dust settles a little, and more information is released. As we learned from previous breaches, the total can and does fluctuate immediately following disclosure, as more information becomes available.

Posted by d2d.

UK: Gov’t rules out data-breach notification law…

The UK government has announced that it will not be implementing a data-breach notification law.

Following a recommendation by information commissioner Richard Thomas in July, the government announced in a report on Tuesday that it will not introduce a compulsory data-breach notification law for private-sector organisations.

“After considering the analysis of the experience of the US in the area of data-breach notification legislation, the government is not intending to implement similar legislation to that in operation in the US,” states the Response to the Data Sharing Review Report.

It is already mandatory for public-sector organisations to report any significant actual or potential losses of data to the Information Commissioner’s Office (ICO). Private-sector organisations should report data breaches “as a matter of good practice”, states the report, and the ICO should take into account of any lack of reporting by a private-sector organisation in its enforcement action.

Fines for companies that are found in breach of data-protection laws are to be raised, states the report. The Ministry of Justice is working with the ICO to determine the level of the maximum fine.

Posted by Lyger