AOH :: ISNQ4405.HTM

blog: Oops! SSNBreach.org exposes students' personal info in Google




blog: Oops! SSNBreach.org exposes students' personal info in Google
blog: Oops! SSNBreach.org exposes students' personal info in Google



---------- Forwarded message ----------
From: lyger  
To: dataloss@attrition.org 
Date: Mon, 13 Aug 2007 21:29:11 +0000 (UTC)
Subject: [Dataloss] blog: Oops! SSNBreach.org exposes students' personal info in
Google


(More information and commentary regarding events surrounding the Louisiana
Board of Regents data breach...)

http://www.pogowasright.org/blogs/dissent/?p=582 

On July 18th, SSNBreach.org ("SSNB") was launched by Liberty Coalition and
Aaron Titus. The site's stated purpose was to assist and empower those
whose personally identifiable information had been accessible via the web
due to the Louisiana Board of Regents. ("LBR") failure to password-protect
over 200 files containing confidential student and employee records.

Less than three weeks after its launch, SSNB's own files on some of these
students are being indexed by Google. Despite being notified of the
problem on August 7, the problem isn't fixed, with more students. names
and files appearing in Google every day.

The History of SSNBreach.org: "Finders, Keepers"

On or before June 18, Titus, a self-described "privacy advocate" and
"privacy expert," discovered that the LBR files were accessible via search
engines and cache. He did not inform LBR. Instead, he contacted the media.
WDSU broke the story on July 17, after they had notified LBR.

While they left LBR in the dark about the exposure and the files
accessible to cybercriminals, Titus and the Liberty Coalition were busy
using the contents of those sensitive and confidential files to create
their own database on everyone affected. When it was pointed out to them
that they did not seek or secure permission to use information from files
which "the reasonable man" would realize had been accidentally exposed and
were intended to be confidential, Ostrolenk responded:

      "You are correct that we do not ask permission to retrieve online
information. In fact, I cannot recall a single instance when I have
contacted the proprietor of a website to ask permission to view
information placed in the public domain."

Of course, Titus and the Liberty Coalition did much more than just view
the information that had been unintentionally exposed. They used it. An
identity thief might make the same statement they did.

[...]
_______________________________________________
Dataloss Mailing List (dataloss@attrition.org) 
http://attrition.org/dataloss 

Tenable Network Security offers data leakage and compliance monitoring 
solutions for large and small networks. Scan your network and monitor 
your traffic to find the data needing protection before it leaks out! 
http://www.tenablesecurity.com/products/compliance.shtml 


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/ 

Site design & layout copyright © 1986-2014 CodeGods