---------- Forwarded message ----------
From: lyger <lyger@private>
To: dataloss@private
Date: Mon, 13 Aug 2007 21:29:11 +0000 (UTC)
Subject: [Dataloss] blog: Oops! SSNBreach.org exposes students' personal info in Google

(More information and commentary regarding events surrounding the Louisiana Board of Regents data breach...)

http://www.pogowasright.org/blogs/dissent/?p=582

On July 18th, SSNBreach.org ("SSNB") was launched by Liberty Coalition and Aaron Titus. The site's stated purpose was to assist and empower those whose personally identifiable information had been accessible via the web due to the Louisiana Board of Regents' ("LBR") failure to password-protect over 200 files containing confidential student and employee records. Less than three weeks after its launch, SSNB's own files on some of these students are being indexed by Google. Despite being notified of the problem on August 7, the problem isn't fixed, with more students' names and files appearing in Google every day.

The History of SSNBreach.org: "Finders, Keepers"

On or before June 18, Titus, a self-described "privacy advocate" and "privacy expert," discovered that the LBR files were accessible via search engines and cache. He did not inform LBR. Instead, he contacted the media. WDSU broke the story on July 17, after they had notified LBR.

While they left LBR in the dark about the exposure and the files accessible to cybercriminals, Titus and the Liberty Coalition were busy using the contents of those sensitive and confidential files to create their own database on everyone affected. When it was pointed out to them that they did not seek or secure permission to use information from files which "the reasonable man" would realize had been accidentally exposed and were intended to be confidential, Ostrolenk responded:

"You are correct that we do not ask permission to retrieve online information. In fact, I cannot recall a single instance when I have contacted the proprietor of a website to ask permission to view information placed in the public domain."

Of course, Titus and the Liberty Coalition did much more than just view the information that had been unintentionally exposed. They used it. An identity thief might make the same statement they did.

[...]

_______________________________________________
Dataloss Mailing List (dataloss@private)
http://attrition.org/dataloss
This archive was generated by hypermail 2.1.3 : Tue Aug 14 2007 - 01:11:08 PDT