In early April, Open Security Foundation came up with an idea for a new contest for DataLossDB. OSF had done something similar for our sister project, the Open Source Vulnerability Database (OSVDB) a few years back: an "oldest vulnerability contest"; this time, we decided to bring the same type of contest to DataLossDB. We lined up some great sponsors, and held high hopes that contestants would be reaching down into the 90's for data loss incidents, striving to win one of the excellent prizes kindly donated by our sponsors.
On May 1, we kicked off the contest, announced it to the masses, and in they flooded. It started off encouraging but quickly went well beyond that. We watched as the dates of the submissions went further and further back in time. Some submissions were clearly humorous, such as "Eve was socially engineered by a serpent resulting in total loss of records and denial of service attack against the tree of knowledge; The computer involved was an apple.", or the biblical tenth and final plague of Egypt, to name just a couple. Unfortunately, we can't find any way that we can possibly include them in the data set, but they made for a good chuckle.
There were others that were much more legitimate, but which don't really "fit" into the DataLossDB data set, such as the "loss" of public records. Government ledgers and similar records are hard to include given that the information is freely available for public inspection, such as this loss of accounting data, or this loss of town files. Good stuff, but not really threatening to personally identifiable information (which isn't normally exposed). Other submissions were somewhat difficult to determine what, in fact, was exposed, like this 1887 New York Times article regarding service members' pension records. OSF's "curators" had to do some homework on that particular submission to determine what exactly was in a pension record at the time, and we came up with nothing of a conlusive sensitive nature (keep in mind that no Social Security program existed at that time.) Most of the sample records we found contained name, rank, and years served, and most didn't even include a home address. While we liked this submission, we couldn't accept it -- it was too vague. If an entry were to qualify to win the contest or any prize, it had to be more definitive. There were other similar entries as well, such as the 1889 New York Times article regarding the loss of a Union's meeting minutes book and their expense books. It would be a stretch to assume that there was PII contained in either of those.
Multiple contestants submitted the "most misused social security number of all time" story, regarding a wallet manufacturer who placed a social security card "look-a-like" in wallets they sold which happened to contain the Social Security number of a vice president's secretary, Mrs. Hilda Schrader Whitcher. Reportedly, by 1943, thousands of people were using her Social Security number as their own. A data loss incident, no doubt, but number affected is less than 10, which unfortunately made it ineligible for the competition and not a fit for the data set. There was also a great submission regarding a card embosser who printed and used 3,000 fake Diner's Club cards. A great story of credit card fraud, but not one that threatens identities, and thus not something we'd really include in the data set. The numbers were fake, as were the names.
We had several other decent submissions that we couldn't accept as well, such as a 1998 incident where CBS SportsLine exposed information regarding thousands of March Madness contestants on their website, or the WRGT Fox 45 breach of 1999 where names, addresses, and email addresses were exposed on their website in a text file. The information wouldn't qualify as PII (most of the information would be considered "telephone book material"), but it was interesting to see late 1990's security breaches.
All of the entries listed above were fascinating submissions in one way or another, but didn't make the cut for inclusion in the database, and thus didn't make the cut for winning prizes. Most entries DID, however, make the cut... and without further ado...
In third place, we have both an oldie and a biggie. This one not only wins a prize in the contest, but also earns a spot (2nd place) on the DataLossDB top 10 breaches of all time list. "Dissent" from databreaches.net uncovered and submitted the 1984 TRW incident, where computer hackers gained access to a system holding credit histories of some 90 million people. The data included information on employment records, loans, Social Security numbers, and more. Congrats "Dissent", great submission.
In second place, we have a 1983 submission from "midnitrcr" regarding the Memorial Sloan-Kettering Cancer Center in New York, where a Time Magazine article reports that hackers had broken into a "Digital VAX 11/780 computer, which monitors the radiation treatment for 250 patients", and had gained access to billing records, and inherently medical treatment information. This all occurred on the heels of the "War Games" movie being released, and as Time Magazine pointed out at the time, posed "a serious question: How to safeguard information stored inside computers?". Again, a great submission, and kudos to "midnitrcr".
And in first place, we have two submissions from Corey J Chandler (AKA "Sorthum"), both of which qualify, and both of which are rather old. The first is a 1953 incident referenced in a New York Times article. This is another case of Union books being stolen, but unlike the 19th century examples, this one included names, addresses, and importantly, Social Security numbers of 700 union members. This is officially the oldest theft of Social Security numbers that we have seen that meet our criteria for inclusion in the database. Congrats Corey! Not to be outdone by a simple mid century incident, "Sorthum" also posted another qualifying incident. This one is referenced in a 1903 Los Angeles Times article, where the dispensary records for the Southern California Hospital for the Insane went missing, and were through to be stolen (or "purloined" as the LA Times put it) by ex-Steward C.N. Whitaker and former druggist, Fred W. Howard. Dispensary records would have included patients' names, and at least information pertaining to their prescriptions. Information that, if a hospital or drug store lost today, would clearly qualify for an entry in DataLossDB. The records lost covered "the years 1896 to 1901 inclusive", and Dr. M. B. Cambell, the hospital's medical supervisor, was "confident" that the records would be recovered. We have no information as to whether or not they were. Anyone feel like doing more digging?
Some non-winning contestants submitted dozens of quality incidents to be included, such as "SYNACK3", "spacerog", and "jjturner". These three individuals pulled in dozens of quality submissions. "jjturner" found a treasure trove of Canadian data loss incidents inside their Privacy Commisioner's "Annual Reports to Parliament", which www.priv.gc.ca has posted as PDF's on their website going back to the early 1980's. These reports were fascinating to read, as they highlight some initial and early awareness of the threats imposed by computers and computer networks to privacy in one of the most unlikely of places: a federal government. Hats off Canada, eh.
"spacerog" found a 1998 incident that was the most "ChoicePoint-esque" incident we'd seen (only considerably older) where employees at the Social Security Administration sold 20,000 Social Security numbers to West African credit card thieves. One of our OSVDB moderators, "cji" submitted several great incidents, even though he technically couldn't qualify for prizes. One of them actually would have won him second place! It would have also won the "Least Sexy Submission" award -- which we think we'll give him anyways. We would summarize the breach, reported in a 1957 Chicago Daily Tribune article, but we might fall asleep re-reading it. Instead: "The case involved the looting of employment and wage information on persons not on the relief rolls from the 4 million wage record cards of the state labor department. The stolen information, sold at 50 cents a name to the operator collection agency, was obtained by a frauds unit employee."
Some submissions came full circle, such as the 1998 submission by "SYNACK3" regarding a computer hacker who was jailed for 18 months after getting caught stealing over 1,200 credit card numbers from Ausnet. This incident is particularly amusing to us considering one of our very own, "Jericho", posted it to the ISN mailing list some 11 years ago!
Congratulations to the winners and all the contestants. You'll all be receiving various "stuff" in the mail shortly. A special thanks to our sponsors as well (CREDANT, Arcsight, AON TechShield, StrikeForce Technologies, Inc., ITAC Sentinel) for donating the great "stuff" we'll be mailing out, as well as supporting the endeavor and making quick commitments on really short notice. The contest wouldn't have been much of a contest without our sponsors, so please check out their sites as well!
Also, we *might* launch another contest this year, provided we can find the time after changing every mention of "Stolen" in the database to "Purloined".