Oldest Data Loss Incident - Contest Winners

2009-05-31 by d2d Trophy

In early April, Open Security Foundation came up with an idea for a new contest for DataLossDB.  OSF had done something similar for our sister project, the Open Source Vulnerability Database (OSVDB) a few years back: an "oldest vulnerability contest"; this time, we decided to bring the same type of contest to DataLossDB.  We lined up some great sponsors, and held high hopes that contestants would be reaching down into the 90's for data loss incidents, striving to win one of the excellent prizes kindly donated by our sponsors.

On May 1, we kicked off the contest, announced it to the masses, and in they flooded.  It started off encouraging but quickly went well beyond that.  We watched as the dates of the submissions went further and further back in time.  Some submissions were clearly humorous, such as "Eve was socially engineered by a serpent resulting in total loss of records and denial of service attack against the tree of knowledge; The computer involved was an apple.", or the biblical tenth and final plague of Egypt, to name just a couple.  Unfortunately, we can't find any way that we can possibly include them in the data set, but they made for a good chuckle.

There were others that were much more legitimate, but which don't really "fit" into the DataLossDB data set, such as the "loss" of public records.  Government ledgers and similar records are hard to include given that the information is freely available for public inspection, such as this loss of accounting data, or this loss of town files.  Good stuff, but not really threatening to personally identifiable information (which isn't normally exposed).  Other submissions were somewhat difficult to determine what, in fact, was exposed, like this 1887 New York Times article regarding service members' pension records.  OSF's "curators" had to do some homework on that particular submission to determine what exactly was in a pension record at the time, and we came up with nothing of a conlusive sensitive nature (keep in mind that no Social Security program existed at that time.)  Most of the sample records we found contained name, rank, and years served, and most didn't even include a home address.  While we liked this submission, we couldn't accept it -- it was too vague.  If an entry were to qualify to win the contest or any prize, it had to be more definitive.  There were other similar entries as well, such as the 1889 New York Times article regarding the loss of a Union's meeting minutes book and their expense books.  It would be a stretch to assume that there was PII contained in either of those.

Multiple contestants submitted the "most misused social security number of all time" story, regarding a wallet manufacturer who placed a social security card "look-a-like" in wallets they sold which happened to contain the Social Security number of a vice president's secretary, Mrs. Hilda Schrader Whitcher.  Reportedly, by 1943, thousands of people were using her Social Security number as their own.  A data loss incident, no doubt, but number affected is less than 10, which unfortunately made it ineligible for the competition and not a fit for the data set.  There was also a great submission regarding a card embosser who printed and used 3,000 fake Diner's Club cards.  A great story of credit card fraud, but not one that threatens identities, and thus not something we'd really include in the data set.  The numbers were fake, as were the names.

We had several other decent submissions that we couldn't accept as well, such as a 1998 incident where CBS SportsLine exposed information regarding thousands of March Madness contestants on their website, or the WRGT Fox 45 breach of 1999 where names, addresses, and email addresses were exposed on their website in a text file.  The information wouldn't qualify as PII (most of the information would be considered "telephone book material"), but it was interesting to see late 1990's security breaches.

All of the entries listed above were fascinating submissions in one way or another, but didn't make the cut for inclusion in the database, and thus didn't make the cut for winning prizes.  Most entries DID, however, make the cut... and without further ado...

In third place, we have both an oldie and a biggie.  This one not only wins a prize in the contest, but also earns a spot (2nd place) on the DataLossDB top 10 breaches of all time list.  "Dissent" from databreaches.net uncovered and submitted the 1984 TRW incident, where computer hackers gained access to a system holding credit histories of some 90 million people.  The data included information on employment records, loans, Social Security numbers, and more.  Congrats "Dissent", great submission.

In second place, we have a 1983 submission from "midnitrcr" regarding the Memorial Sloan-Kettering Cancer Center in New York, where a Time Magazine article reports that hackers had broken into a "Digital VAX 11/780 computer, which monitors the radiation treatment for 250 patients", and had gained access to billing records, and inherently medical treatment information.  This all occurred on the heels of the "War Games" movie being released, and as Time Magazine pointed out at the time, posed "a serious question: How to safeguard information stored inside computers?".  Again, a great submission, and kudos to "midnitrcr".

And in first place, we have two submissions from Corey J Chandler (AKA "Sorthum"), both of which qualify, and both of which are rather old.  The first is a 1953 incident referenced in a New York Times article.  This is another case of Union books being stolen, but unlike the 19th century examples, this one included names, addresses, and importantly, Social Security numbers of 700 union members.  This is officially the oldest theft of Social Security numbers that we have seen that meet our criteria for inclusion in the database.  Congrats Corey!  Not to be outdone by a simple mid century incident, "Sorthum" also posted another qualifying incident.  This one is referenced in a 1903 Los Angeles Times article, where the dispensary records for the Southern California Hospital for the Insane went missing, and were through to be stolen (or "purloined" as the LA Times put it) by ex-Steward C.N. Whitaker and former druggist, Fred W. Howard.  Dispensary records would have included patients' names, and at least information pertaining to their prescriptions.  Information that, if a hospital or drug store lost today, would clearly qualify for an entry in DataLossDB.  The records lost covered "the years 1896 to 1901 inclusive", and Dr. M. B. Cambell, the hospital's medical supervisor, was "confident" that the records would be recovered.  We have no information as to whether or not they were.  Anyone feel like doing more digging?

Some non-winning contestants submitted dozens of quality incidents to be included, such as "SYNACK3", "spacerog", and "jjturner".  These three individuals pulled in dozens of quality submissions.  "jjturner" found a treasure trove of Canadian data loss incidents inside their Privacy Commisioner's "Annual Reports to Parliament", which www.priv.gc.ca has posted as PDF's on their website going back to the early 1980's.  These reports were fascinating to read, as they highlight some initial and early awareness of the threats imposed by computers and computer networks to privacy in one of the most unlikely of places: a federal government.  Hats off Canada, eh.  

"spacerog" found a 1998 incident that was the most "ChoicePoint-esque" incident we'd seen (only considerably older) where employees at the Social Security Administration sold 20,000 Social Security numbers to West African credit card thieves. One of our OSVDB moderators, "cji" submitted several great incidents, even though he technically couldn't qualify for prizes.  One of them actually would have won him second place!  It would have also won the "Least Sexy Submission" award -- which we think we'll give him anyways.  We would summarize the breach, reported in a 1957 Chicago Daily Tribune article, but we might fall asleep re-reading it.  Instead: "The case involved the looting of employment and wage information on persons not on the relief rolls from the 4 million wage record cards of the state labor department. The stolen information, sold at 50 cents a name to the operator collection agency, was obtained by a frauds unit employee."

Some submissions came full circle, such as the 1998 submission by "SYNACK3" regarding a computer hacker who was jailed for 18 months after getting caught stealing over 1,200 credit card numbers from Ausnet.  This incident is particularly amusing to us considering one of our very own, "Jericho", posted it to the ISN mailing list some 11 years ago!

Congratulations to the winners and all the contestants.  You'll all be receiving various "stuff" in the mail shortly.  A special thanks to our sponsors as well (CREDANTArcsightAON TechShieldStrikeForce Technologies, Inc.ITAC Sentinel) for donating the great "stuff" we'll be mailing out, as well as supporting the endeavor and making quick commitments on really short notice.  The contest wouldn't have been much of a contest without our sponsors, so please check out their sites as well!

Also, we *might* launch another contest this year, provided we can find the time after changing every mention of "Stolen" in the database to "Purloined".


by Anonymous on 2009-06-01 (almost 5 years ago)

Great and scary submissions. I wish Germany had a central location to report this kind to.
I even had to look up "purloin" in a dictionary. :)

by Anonymous on 2009-06-01 (almost 5 years ago)

Great contest and congratulations to the winners!!

i just received a little something in the mail---I wasnt even expecting anything, so it was nice--Thank you OSF for the work you do!


by Dissent [DataLoss Archaeologist] on 2009-06-05 (almost 5 years ago)

I agree -- it was a great contest, and thank you!

In gratitude, I did some more digging on Corey's gem of a find. I haven't (yet) found anything on whether the records from the Southern California Hospital for the Insane were ever located or recovered. I can't even verify (yet) that they were ever "purloined." I did find some other follow-up, though, of sorts:

Campbell's report to the California State Board of Control for the period ending June 1903 (right before the incident) shows no problems, which is not necessarily surprising, but his report to the board in June 2004 makes no reference to any such incident or personnel problems since the last report.

Although I found no evidence about Whitaker or Howard, I found several references to an incident involving Campbell's personal secretary, one A. C. Clarke. Clarke was allegedly embezzling patient funds over a period of years. On the day in May 2004 when the Attorney General's Office was coming to inspect the records, Clarke committed suicide.

I don't (yet) know whether Campbell tendered his resignation before or after that date in May 2004, but he did tender his resignation sometime after the Whitaker/Howard accusations and prior to June 2004.

Campbell was ultimately sued by the state in his official capacity so that the state could recover over $11,000 that it was due from the embezzlement. The lawsuit was commenced after Campbell had resigned, but the embezzlement had been on his watch.

Many state hospitals had problems with mismanagement and corruption during that period and while I found specific reference to other criminal conduct, I found nothing about records being stolen from this one hospital.

The steward who was presumably suspect, C. N. Whitaker, showed up in subsequent records of the state. The <a href="http://books.google.com/books/download/First_biennial_report_of_the_State_board.pdf?id=t28uAAAAYAAJ&output=pdf&sig=ACfU3U17SWmqvCk8cbpPtlw7U8XUu8iB-w">First Biennial Report of the State Board of Control of California</a> covers 1906-1912 and was published in 1913. That book specifically mentions C. N. Whitaker and talks about him as being promoted as a man of "undoubted integrity, ability, and experience." A 1912 report also showed his supervisor praising him for his work. So I'm guessing that he was never charged or convicted with stealing records in 1903.

I could find no reference to F. W. Howard in any of the records I searched.

If anyone digs up more, please share. This is fun!


<a href="http://www.databreaches.net">DataBreaches.net</a>;
Your friendly "archaeologist"

by Anonymous on 2009-06-17 (almost 5 years ago)

Guys, this was a good contest and awesome from a historical standpoint. Thanks!

New Comment

Are you human?

Sponsored By: Rbs Zecurion
Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail [email protected] with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2014, Open Security Foundation, All Rights Reserved.