Category Archives: DataLossDB

Oldest Data Loss Incident – Contest Winners

In early April, Open Security Foundation came up with an idea for a new contest for DataLossDB. OSF had done something similar for our sister project, the Open Source Vulnerability Database (OSVDB), a few years back: an “oldest vulnerability contest”; this time, we decided to bring the same type of contest to DataLossDB. We lined up some great sponsors, and held high hopes that contestants would be reaching down into the 1990s for data loss incidents, striving to win one of the excellent prizes kindly donated by our sponsors.

On May 1, we kicked off the contest, announced it to the masses, and in they flooded.  It started off encouraging but quickly went well beyond that.  We watched as the dates of the submissions went further and further back in time.  Some submissions were clearly humorous, such as “Eve was socially engineered by a serpent resulting in total loss of records and denial of service attack against the tree of knowledge; The computer involved was an apple.”, or the biblical tenth and final plague of Egypt, to name just a couple.  Unfortunately, we can’t find any way that we can possibly include them in the data set, but they made for a good chuckle.

There were others that were much more legitimate, but which don’t really “fit” into the DataLossDB data set, such as the “loss” of public records. Government ledgers and similar records are hard to include given that the information is freely available for public inspection, such as this loss of accounting data, or this loss of town files. Good stuff, but not really threatening to personally identifiable information (which isn’t normally exposed). For other submissions it was difficult to determine what, in fact, was exposed, like this 1887 New York Times article regarding service members’ pension records. OSF’s “curators” had to do some homework on that particular submission to determine what exactly was in a pension record at the time, and we came up with nothing of a conclusive sensitive nature (keep in mind that no Social Security program existed at that time). Most of the sample records we found contained name, rank, and years served, and most didn’t even include a home address. While we liked this submission, we couldn’t accept it — it was too vague. If an entry were to qualify to win the contest or any prize, it had to be more definitive. There were other similar entries as well, such as the 1889 New York Times article regarding the loss of a union’s meeting minutes book and their expense books. It would be a stretch to assume that there was PII contained in either of those.

Multiple contestants submitted the “most misused social security number of all time” story, regarding a wallet manufacturer who placed a social security card “look-alike” in wallets they sold, which happened to contain the Social Security number of a vice president’s secretary, Mrs. Hilda Schrader Whitcher. Reportedly, by 1943, thousands of people were using her Social Security number as their own. A data loss incident, no doubt, but the number affected is fewer than 10, which unfortunately made it ineligible for the competition and not a fit for the data set. There was also a great submission regarding a card embosser who printed and used 3,000 fake Diners Club cards. A great story of credit card fraud, but not one that threatens identities, and thus not something we’d really include in the data set. The numbers were fake, as were the names.

We had several other decent submissions that we couldn’t accept as well, such as a 1998 incident where CBS SportsLine exposed information regarding thousands of March Madness contestants on their website, or the WRGT Fox 45 breach of 1999 where names, addresses, and email addresses were exposed on their website in a text file. The information wouldn’t qualify as PII (most of the information would be considered “telephone book material”), but it was interesting to see late-1990s security breaches.

All of the entries listed above were fascinating submissions in one way or another, but didn’t make the cut for inclusion in the database, and thus didn’t make the cut for winning prizes.  Most entries DID, however, make the cut… and without further ado…

In third place, we have both an oldie and a biggie.  This one not only wins a prize in the contest, but also earns a spot (2nd place) on the DataLossDB top 10 breaches of all time list.  “Dissent” from databreaches.net uncovered and submitted the 1984 TRW incident, where computer hackers gained access to a system holding credit histories of some 90 million people.  The data included information on employment records, loans, Social Security numbers, and more.  Congrats “Dissent”, great submission.

In second place, we have a 1983 submission from “midnitrcr” regarding the Memorial Sloan-Kettering Cancer Center in New York, where a Time Magazine article reports that hackers had broken into a “Digital VAX 11/780 computer, which monitors the radiation treatment for 250 patients”, and had gained access to billing records and, by implication, medical treatment information. This all occurred on the heels of the “War Games” movie being released, and as Time Magazine pointed out at the time, posed “a serious question: How to safeguard information stored inside computers?”. Again, a great submission, and kudos to “midnitrcr”.

And in first place, we have two submissions from Corey J Chandler (AKA “Sorthum”), both of which qualify, and both of which are rather old. The first is a 1953 incident referenced in a New York Times article. This is another case of union books being stolen, but unlike the 19th century examples, this one included names, addresses, and importantly, Social Security numbers of 700 union members. This is officially the oldest theft of Social Security numbers that we have seen that meets our criteria for inclusion in the database. Congrats Corey! Not to be outdone by a simple mid-century incident, “Sorthum” also posted another qualifying incident. This one is referenced in a 1903 Los Angeles Times article, where the dispensary records for the Southern California Hospital for the Insane went missing, and were thought to be stolen (or “purloined” as the LA Times put it) by ex-Steward C.N. Whitaker and former druggist, Fred W. Howard. Dispensary records would have included patients’ names, and at least information pertaining to their prescriptions. Information that, if a hospital or drug store lost it today, would clearly qualify for an entry in DataLossDB. The records lost covered “the years 1896 to 1901 inclusive”, and Dr. M. B. Cambell, the hospital’s medical supervisor, was “confident” that the records would be recovered. We have no information as to whether or not they were. Anyone feel like doing more digging?

Some non-winning contestants submitted dozens of quality incidents to be included, such as “SYNACK3”, “spacerog”, and “jjturner”. These three individuals pulled in dozens of quality submissions. “jjturner” found a treasure trove of Canadian data loss incidents inside their Privacy Commissioner’s “Annual Reports to Parliament”, which www.priv.gc.ca has posted as PDFs on their website going back to the early 1980s. These reports were fascinating to read, as they highlight some initial and early awareness of the threats posed by computers and computer networks to privacy in one of the most unlikely of places: a federal government. Hats off Canada, eh.

“spacerog” found a 1998 incident that was the most “ChoicePoint-esque” incident we’d seen (only considerably older) where employees at the Social Security Administration sold 20,000 Social Security numbers to West African credit card thieves. One of our OSVDB moderators, “cji” submitted several great incidents, even though he technically couldn’t qualify for prizes.  One of them actually would have won him second place!  It would have also won the “Least Sexy Submission” award — which we think we’ll give him anyways.  We would summarize the breach, reported in a 1957 Chicago Daily Tribune article, but we might fall asleep re-reading it.  Instead: “The case involved the looting of employment and wage information on persons not on the relief rolls from the 4 million wage record cards of the state labor department. The stolen information, sold at 50 cents a name to the operator collection agency, was obtained by a frauds unit employee.”

Some submissions came full circle, such as the 1998 submission by “SYNACK3” regarding a computer hacker who was jailed for 18 months after getting caught stealing over 1,200 credit card numbers from Ausnet.  This incident is particularly amusing to us considering one of our very own, “Jericho”, posted it to the ISN mailing list some 11 years ago!

Congratulations to the winners and all the contestants. You’ll all be receiving various “stuff” in the mail shortly. A special thanks to our sponsors as well (CREDANT, Arcsight, AON TechShield, StrikeForce Technologies, Inc., ITAC Sentinel) for donating the great “stuff” we’ll be mailing out, as well as supporting the endeavor and making quick commitments on really short notice. The contest wouldn’t have been much of a contest without our sponsors, so please check out their sites as well!

Also, we *might* launch another contest this year, provided we can find the time after changing every mention of “Stolen” in the database to “Purloined”.

New York, Contest, and SC Magazine Award

Chris Walsh recently sent us roughly 190 PDFs, obtained from the state of New York (for free, thank you kindly New York!), covering what appears to be most of the breaches reported to New York during 2008. Many of these seem familiar, some not. We’ll be processing these over the course of the next few weeks, and we’ll highlight anything that stands out, as usual. They are uploaded and on the site in the NY primary sources section for your perusal.

In addition, the contest for the Oldest Data Loss incident is winding down! Get your submissions in before the deadline (May 15th). There are some awesome prizes donated by our excellent sponsors.

Special thanks here to CREDANT, Arcsight, ITAC Sentinel, Strikeforce Technologies, and TechShield by AON for the great cache of prizes.

Lastly, we recently attended the 2009 SC Magazine Awards, where we had the opportunity to meet some great people, have a wonderful dinner, and win the editor’s choice award! Thank you kindly SC Magazine. The experience was great, and the credit highly appreciated. A big “Thank You” to all who have contributed to OSF projects over the past several years. Last, but not least, a big “Thank You” to our sponsors who have helped make all this possible.

Posted by d2d.

Oldest Incident Contest

DataLossDB has launched a research endeavor to find the oldest documented data loss incident. The contest runs from April 1 to May 15, 2009. Winners will receive some quality rewards, such as our grand prize of a Mac Mini, thanks to the support from the following sponsors: CREDANT, ArcSight, ITAC Sentinel, StrikeForce and TechShield.

What is the oldest documented data loss? As far as what is currently in DataLossDB, it is from January 10, 2000 when a hacker claimed to have stolen 300,000 credit card numbers from CD Universe.

We believe there are plenty of data loss incidents that happened prior to CD Universe. Does anyone have an older incident they can submit to DataLossDB? We want it, and we’ll reward you for it!

You can find the full contest rules and participation guidelines at our contest page located here: http://datalossdb.org/oldest_incidents_contest

Here are a couple of points of clarification about the contest:

What actually will count for the contest?
Small or relatively minor cases of identity theft do not qualify for inclusion. The event submitted must have affected more than 10 individuals. Incidents must have resulted in a breach of Personally Identifiable Information (PII). Specifically, incidents must have resulted in the loss as described in the contest page.

How old of an incident can I submit?
At the end of the day, any entry submitted should improve the data for the project. If you think that it is a quality entry that you believe should be included in DataLossDB based on our standards, then submit it. We hope that most people that want to participate “get it”, but if the entry is blatantly meant to be snarky we are going to simply ignore it. While it may be up for debate, a good rule of thumb to safely submit an entry would be to keep it 19th century and up. =)

What if I can’t find anything older than CD Universe?
While we believe there are plenty out there, not all incidents submitted have to be older than the CD Universe breach. For instance, the oldest Stolen Computer breach in the database occurred in 2003. So, submit what you find! You might find the oldest stolen laptop breach, or the oldest accidental web exposure breach.

Do I have to use the contest link?
Yes. In order for us to keep track of the contest, if you want to be included, all submissions for this contest must be done via the following contest link: http://datalossdb.org/submissions/new?contest_id=1

What if I am not sure about the incident I have found?
If you are unsure that your incident qualifies please contact curators@datalossdb.org.

Just remember that the contest is aimed to improve the data in DataLossDB while at the same time trying to identify the oldest data loss incident. Anything that is submitted must pass the general ‘BS’ test. If our cynical minds detect shenanigans, it doesn’t count. The Open Security Foundation is the judge and jury in the contest, and we reserve the right to refuse any entry that we feel does not meet our standards for inclusion in the DataLossDB project.

The Open Security Foundation wants to thank our dedicated volunteers and our sponsors for their continued support. If there are any other questions or you would like to discuss other sponsorship opportunities in the future please contact curators@datalossdb.org.

Sponsors:

ArcSight is a leading provider of security and compliance management solutions that intelligently identify and mitigate business risk for enterprises, MSSPs and government agencies. Designed with the needs of highly complex, geographically dispersed and heterogeneous business and technology infrastructures in mind, ArcSight provides the industry’s only vendor-neutral solution for intelligent identification, prioritization and network response to external security attacks, insider threats and compliance breaches.

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions. Every day our patented data-centric, policy-based, centrally-managed software protects the data on over 5 million devices worldwide to ensure security compliance, protect brands and enhance IT and end-user productivity. Learn more about intelligent data security for privacy compliance and avoid the damaging impact of security breaches.

ITAC Sentinel – Protection, Recovery, Trust. The must-have, essential tools needed to fight identity theft. It’s ideal for anyone looking for core identity theft protection.

StrikeForce Technologies is a leading provider that specializes in Identity Theft Online solutions for consumers, industry and government. By leveraging StrikeForce’s breakthrough technologies, consumers and organizations can finally secure their electronic assets while protecting their employees, business partners, suppliers and customers from malicious hacking and online theft.

TechShield – When your network security technology fails, where can you turn? TechShield offers comprehensive privacy and data security insurance products and risk management services to companies that use networked systems, electronic communications and ecommerce. TechShield is brought to you by Aon (NYSE: AOC), the leading global provider of risk management, insurance and reinsurance brokerage and human capital consulting.

Open Security Foundation – Open Security Foundation is a 501(c)(3) non-profit public organization founded and operated by information security enthusiasts. We exist to empower all types of organizations by providing knowledge and resources so that they may properly detect, protect, and mitigate information security risks.

Primary Sources Update & New Maryland Data

Since the launch of the Primary Sources Archive, we’ve added 221 new incidents discovered from primary sources research, and 616 primary sources have been linked to incidents. 56% of the primary sources we’ve classified to date either resulted in new incidents, or were attached to incidents that came from primary sources. This highlights the tremendous value of obtaining these documents, and our efforts in scanning and classifying them.

Thanks to all who have either contributed funding, time, or primary sources themselves to the project.

On other matters, Maryland released a group of primary sources on their website recently, and we’ve classified them. Many we already had, but these are either new or updated:

  • Educational Testing Service (ETS) – 2009-01-29
    “Missing” laptop from office building contained personal data (names, SSNs) of unspecified people.
    This is a new entry.
  • MassMutual Financial Group – 2009-01-26
    Accidental disclosure of client information to another client.
    This is a new entry.
  • SRA International – 2009-01-20
    Company is notifying “all” current and former employees, as well as some clients, regarding a virus that had breached a system containing personal information.
    This is a new entry.
  • Hewlett Packard – 2009-01-15
    The December HP breach involving a stolen laptop has been increased in size (an additional 601 MD residents affected, added to the previous 626).
  • Ameriprise Financial – 2008-12-24
    Vague intrusion via a third party puts Ameriprise Advisor Services (Formerly H&R Block Financial Advisors) client information at risk, including transaction information, bank information, name, address, holdings, and tax information.
    This is a new entry.
  • Harford Community College – 2008-12-17
    Lost flash drive contains personal details of 70 workforce development students.
    This is a new entry.

Posted by d2d.

The Blotter, Heartland, and Donations

According to a storefrontbacktalk.com article, a suspect has been pinpointed in the Heartland breach, and the suspect is international. Also, banks around the country are in the process of notifying their customers. Some Attorney General’s Offices are also inquiring about the incident.

We are waiting a little bit for the dust to settle, and then we intend to send out FOIA equivalent requests to receive Primary Sources for the Archive. Once we know more about the total breadth and scope of this, we’ll be sure to share. But in the meantime, introducing…

The Blotter, a new resource where we post news on identity theft. Many “breaches” or breach-like incidents cross our desks every day, and many don’t quite qualify for inclusion into our database as “Incidents”, such as the recent Monster.com breach that may have exposed information about millions, but does not appear to qualify as a trigger under most breach notification laws — the data simply isn’t what most laws consider “sensitive” enough. We’ll be updating this very regularly.

Lastly, we have several pending Freedom of Information requests that we’re waiting on, and several more to make, but these things are expensive! Please donate using the buttons below to help us fund this endeavor.

Posted by d2d.

DataLossDB Enhancement: Primary Sources

http://datalossdb.org/primary_sources

OSF would like to announce a new enhancement to DataLossDB, called “Primary Sources”. Since many breaches are not announced in the media and are only available through notifications to various state agencies, DataLossDB now collects and displays breach notification letters as an additional resource.

The primary sources archive is a collection of breach notification letters sent to various jurisdictions in the United States. These were gathered mostly through the efforts of Chris Walsh, a security researcher, and OSF would like to express thanks and gratitude to Chris for helping to make this archive possible. Currently, a project is underway to accumulate many more such notices via the Freedom of Information Act, and its various local and state legislative cousins.

If you’re interested in getting involved with DataLossDB’s FOIA request project, please contact curators@datalossdb.org.

For more information about the Open Security Foundation and related projects, please visit http://opensecurityfoundation.org

Posted by Lyger

Ideas for Contributions

We’ve received a few ideas for ways to enhance the site and would like to thank everyone who has offered suggestions and input. While we work on some of these ideas, we also have a few suggestions that would help out with making this data more accurate and more complete:

1. Please contribute! Submitting new incidents is one of the ways to help out, but you can also add incident locations, various dates (such as notifications, arrests, and when the incidents actually occurred), and additional references from the media and other resources.

2. If you find an issue with a particular incident or the site as a whole, let us know. Mail us at curators@datalossdb.org

Other organizations, such as Privacy Rights Clearinghouse, Identity Theft Resource Center, and The Breach Blog also track data breaches. Information from their sites can easily be added to DataLossDB.org, so please check out their resources!

The Open Security Foundation DataLossDB.org’s Data Loss Mail List is available for recent news and discussion regarding data breaches.

To subscribe to Data Loss, send a mail to dataloss-subscribe@datalossdb.org

Data Loss Mail List Has Moved!

The final touches have been put on the transition of the Data Loss Mail List to DataLossDB.org. Extra special thanks to Strange for helping make this happen! If there are any questions, comments, concerns, or problems, please let us know.

http://attrition.org/security/dataloss.html

To subscribe to Data Loss, send a mail to dataloss-subscribe@datalossdb.org

To unsubscribe from this list, send a mail to dataloss-unsubscribe@datalossdb.org

Beginning July 15, 2008, Open Security Foundation is the new host of DataLossDB, which will serve as a community-driven project for information about data breaches that involve personally identifying information.

Data Loss is a not-for-profit mail list that covers topics such as news releases regarding large-scale personal data loss and personal data theft incidents. Discussion about incidents, indictments, legislation, and recovery of lost or stolen personal data is encouraged. Posts and replies containing endorsements for commercial products and/or services, on or off list, are strongly discouraged by list moderators.

Currently, mail list traffic is considered low to moderate, depending on current events.

Back from Vegas…

We’re back from Las Vegas and have had some good success in promoting the site and getting new volunteers to contribute. Special thanks to Jon Turner for providing new incidents and data from the UK. We don’t always hear about non-US events in a timely fashion over here in the States, so any input from overseas is appreciated!

Updates to Attrition.org’s Data Loss web page and RSS feed are gradually slowing down as we continue to migrate resources to DatalossDB.org. Our target date for a complete conversion, which will also include the Data Loss Mail List, is September 1. Hopefully, it will be a transparent migration. We’ll keep everyone posted as events happen.

Please keep in mind that during this time of transition, we would like to extend an offer to anyone interested: JUMP IN! If you would like to make an account or edit anonymously, please do. As Jericho said in a recent mail list post:

“Again, thank you for the praise, but please remember that we’re stretched thin between attrition.org, datalossdb.org and osvdb.org and those pesky day jobs and significant others. It would be extremely helpful if more people would spend fifteen minutes a week updating those sites with us, or contributing to new ideas like this one.”

Posted by Lyger.