Data Loss Database Blog

Behind the scenes of doing the right thing

2012-05-15 by jkouns (0 Comments)

From time to time, the Open Security Foundation is contacted about security vulnerabilities and data breaches that have yet to be made public. We always strive to handle each report in the most appropriate way possible and wanted to share with you an example from last year. In March of 2011, we had a breach anonymously submitted to DataLossDB without any further way to contact the submitter, but enough information for us to work on verifying and relaying the issue to the affected company. ...

Sony had HOW many breaches?

2011-06-05 by Dissent (0 Comments)

We thought keeping track of entities involved in the Epsilon breach was tough, but the recent spate of attacks on Sony networks has us working overtime trying to update the database. Thankfully, Jericho provided yeoman service and compiled a hyperlinked chronology of recent developments (http://attrition.org/security/rant/sony_aka_sownage.html).

The Sony breaches have generated a lot of discussion. Some of it has centered on Sony's shocking failure to encrypt passwords and it being all-too-vulnerable to SQLi compromises (if those posting the data pu...

Epsilon Bingo

2011-04-05 by jkouns (9 Comments)

By now, everyone has probably read about a company named Epsilon. In fact, most people likely have secondhand involvement, receiving one or more emails from companies you do business with warning you to be very careful after a recent incident. Most of these companies have used a similar form letter explaining the concerns and that you should be "cautious of phishing e-mails, where the sender tries to trick the recipient into disclosing confidential or personal information." These notifica...

The DataLossDB project welcomes Dissent!

2011-03-30 by jkouns (0 Comments)

The Open Security Foundation is pleased to announce that Dissent, the publisher and maintainer of DataBreaches.net (http://www.databreaches.net) and PHIprivacy.net (http://www.phiprivacy.net), has now joined DataLossDB as a curator for the project.

OSF has worked with Dissent over the years and she is already known to us as a DataLoss Archaeologist, as she took third place in our “Oldest Incident” contest. She found the 1984 TRW incident (http://datalossdb.org/incidents/2061-hackers-access-credit-reporting-database), where computer hackers gained access to a system holding credit histories of some 90 million people which happens ...

Open Security Foundation Announces New Advisory Board

2010-09-07 by jkouns (0 Comments)

As security vulnerabilities and data loss incidents become a regular occurrence, the Open Security Foundation has grown from supporting a single project in 2004 to a leading provider of filtering through security information and providing notifications and aggregation of data for data loss and cloud security incidents.

The Open Security Foundation has evolved into one of the most utilized resources in providing security information, and as a 501c3 non-profit organization relies heavily on ...

Open Security Foundation Launches New Cloud Security Project

2010-07-27 by jkouns (1 Comment)

The Open Security Foundation, providing independent, accurate, detailed, current, and unbiased security information to professionals around the world, announced today that it has launched Cloutage (cloutage.org) that will bring enhanced visibility and transparency to Cloud security. The name Cloutage comes from a play on two words, Cloud and Outage, that combine to describe what the new website offers: a destination for organizations to learn about cloud security issues as well as a complete ...

JCPenney has dodged a huge bullet... until now.

2010-03-29 by d2d (4 Comments)

Now being reported in the mainstream media, JCPenney was "Company A" (http://datalossdb.org/incidents/2632-gonzalez-installs-card-data-sniffers-potentially-accessing-credit-and-debit-card-transaction-data) in the recently infamous Albert Gonzalez trial. In court filings, we found some attachments that seem to have been a convincing factor in the judge's decision to unseal the identity of "Company A", a.k.a. JCPenney. JCP fought hard to keep its identity concealed, but ultimately it would seem that these attachments, as well as some reporting (http://www.storefrontbacktalk.com/securityfraud/j-c-penney-target-added-to-list-of-gonzalez-retail-victims/) by Evan Schuman, made the difference.

Attachment A, filed in document 14 of the case (f...

Court Says Posting PII Online is Cool -- First Amendment Cool

2010-03-24 by d2d (6 Comments)

I'm going to have to apologize in advance for the extreme use of ellipses here. I'm frankly confused as can be over this blog post, and the result is aggressive punctuation.

In what seems to be one of the most ridiculous situations we've read about recently, the Richmond Times reports (http://www2.timesdispatch.com/rtd/news/local/article/SSNS24_20100323-223006/332515/) that a U.S. District Court judge has ruled that a woman posting Social Security numbers of government workers online was, well... *cough*... *pains me to type this*...protected by the First Amendment. Yes... p...

Fringe Incidents

2010-03-23 by d2d (0 Comments)

Since the database's inception, we have added incidents based on specific criteria and omitted incidents that didn't quite fit those criteria. The criteria have traditionally been:

- An incident must have lost one or more of the following data types:
  - Social Security or national ID number
  - Credit card number
  - Bank account number
  - Medical record
  - Financial account number
- AND the number of records lost/stolen/missing must be greater than 10,
- AND the data lost must have had...

Open Security Foundation - Advisory Board - Call for Nominations

2010-02-12 by jkouns (0 Comments)

The Open Security Foundation (OSF) is an internationally recognized 501(c)(3) non-profit public organization seeking senior leaders capable of providing broad-based perspective on information security, business management and fundraising to volunteer for an Advisory Board. The Advisory Board will provide insight and guidance when developing future plans, an open forum for reviewing community feedback and a broader view when prioritizing potential new services.

OSF was founded in 2004 and ...


Sponsored By: Rbs Tenable Zecurion
Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail officers@opensecurityfoundation.org with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2012, Open Security Foundation, All Rights Reserved.