The Non-Encrypted Hall of Shame



May 2006 was the first month we started tracking companies that allowed their devices to leave company property with consumers' personal information in a non-encrypted form. We're probably going to scour old news sources for some of the more infamous data loss stories and post those as well.

In today's world, not protecting other people's personal information that has been entrusted to you is a shameful act. It should be considered as bad as stealing. When you don't take prudent steps to guard their personal information you are negligent. Too bad there isn't a law called “negligent theft”; until such time, we give you “The Non-Encrypted Hall of Shame”. If your company loses other people's information on a laptop, backup tape, thumb drive, or other portable device, or any media that has left your company's properly secured physical control, and that data is non-encrypted, you are likely to end up here. If your device was lost and the data was properly encrypted you will not be listed here.

May 31, 2006 – ComputerWorld
Omega World Travel - A laptop containing the names and credit card numbers of about 80,000 U.S. Department of Justice (DOJ) workers. DOJ includes the FBI and the Bureau of Alcohol, Tobacco, Firearms, and Explosives. The laptop was stolen between May 7 and May 9 from the Fairfax, Va., headquarters of Omega World Travel, a travel agency used by the DOJ for its employees. For what it is worth Omega World Travel stated “All the data was password-protected to prevent unauthorized access”. “Password-protected” can mean most anything and is not the same thing as data encryption. So apparently the laptop was not using data encryption.


May 23, 2006 – numbrX
M&T Bank, New York – A laptop with bank account holder information was stolen from a vehicle of a PFPC employee. PFPC provides record keeping services for M&T. The laptop contained a file with names, account numbers, and social security numbers. The number of people affected was not disclosed. The bank said the laptop “is equipped with technology designed to prevent unauthorized access”, but they don't say what this is. My guess is it simply had a login userid and password or they would be saying more. So apparently the laptop was not using data encryption.


May 22, 2006 - NIST.org
U.S. Veterans Administration (VA) – Laptop with the names, social security numbers, and dates of birth of over 26.5 million veterans and active duty personnel stolen from a government employee's home. This is one of the largest losses of private information ever reported. Laptop and external hard drive were not using encryption. This is a huge story that will have ramifications for months or years, especially within the U.S. Government.


May 13, 2006 - TMCNet.com
Baltimore's Mercantile Bankshares Corp - A laptop computer containing Social Security and account numbers for nearly 50,000 customers of its Bethesda-based Mercantile Potomac Bank was stolen a week earlier from a worker's car off company property. The employee apparently violated bank policy by taking the laptop out of the office. Apparently the laptop was not using data encryption.


May 5, 2006 - Wells Fargo Press Release
Wells Fargo – Computer with names, addresses, Social Security numbers and mortgage loan account numbers of Wells Fargo customers was lost in transit. In what should be considered a completely meaningless statement, they had this to say: “The computer has two layers of security, making it difficult to access the information.” No mention of encryption, so this statement should not be considered sufficient security.


May 2, 2006 – Gwinnett Daily Post
State of Georgia – Surplus state government computers were sold at auction without being properly erased. Credit card numbers, birth dates and Social Security numbers of citizens were still on the hard drives of computers which state workers failed to erase before they were sold, WSB-TV reported. More than 150 surplus computers were in one man’s work shed. It is not known how many citizens were affected. The state has suspended the sale of state surplus computers indefinitely. The computers were not using data encryption.


April 28, 2006 – ComputerWorld
Aetna Inc. - Health insurer Aetna Inc. said a laptop computer containing personal information on about 38,000 of its members was stolen from an employee's car. The data includes names, addresses and Social Security numbers. Aetna said the employee "did not follow our corporate policies, and it was coupled with a criminal theft." Apparently the laptop was not using data encryption.


April 28, 2006 – Boston.com
Iron Mountain – The company known for providing safe and secure tape backup storage lost a tape belonging to Long Island Rail Road. The tape included personal information about 17,000 current and former Long Island Rail Road employees, including Social Security numbers. In an odd twist to this story the following has gone pretty much unnoticed: “The New York Police Department said the loss also involved data tapes belonging to the US Department of Veterans Affairs, and the loss was reported by the driver while his van was parked near a VA hospital in the Bronx”. Apparently the tape was not encrypted.


April 10, 2006 – LA Times
U.S. Military, all branches - The LA Times did a nice investigative piece where they were able to purchase several unencrypted USB drives and hard drives at bazaars in Afghanistan. Most of these devices were stolen by local workers at the military bases. Some of the devices were marked “Secret” and apparently, judging by some of the documents, had Secret information still stored on them. 'The drives also included deployment rosters and other documents that identified nearly 700 U.S. service members and their Social Security numbers, information that identity thieves could use to open credit card accounts in soldiers' names.' The vast majority of the devices were not using data encryption.


March 28, 2006 – Stars & Stripes
U.S. Marines - A portable drive with personal information on more than 207,750 Marines was lost earlier this month, possibly jeopardizing those troops’ credit records and privacy. The drive contained the names, Social Security numbers, marital status and enlistment contract details for enlisted Marines on active duty between January 2001 and December 2005. “The information is in an unusual file format,” said Lt. Col. Mike Perry, head of the information technology branch. Sorry, Colonel, an “unusual file format” is not the same thing as encryption. As you would probably say, “close only counts in horseshoes and hand grenades.”


March 24, 2006 – Boston.com
Vermont State Colleges - A laptop computer was stolen Feb. 25 from the car of a Vermont State Colleges employee who works in technology. Officials say the computer contains six years' worth of personal information, including Social Security Numbers. The theft could affect as many as 20,000 faculty, staff and current and former students of Lyndon State College, Johnson State College, Castleton State College, Vermont Technical College and the Community College of Vermont. The laptop was not using data encryption.


March 23, 2006 – San Francisco Chronicle
Fidelity Investments - A laptop with personal information such as names, addresses, birthdates and Social Security numbers of about 196,000 Hewlett-Packard (HP) current and former employees has been stolen from mutual fund company Fidelity Investments. Fidelity manages HP's pension and retirement plans. Anyone have any clues as to what this means? “Crowley said the information was also stored "in a scrambled format that will be difficult to read or interpret" without a special software application. The application is also on the laptop, but its license expired shortly after the theft so the thief will likely not be able to use it to access the files.” It could mean data encryption but it's hard to say.


February 25, 2006 – The Register
Ernst and Young - Ernst and Young lost a laptop containing data such as the social security numbers of its customers. One of the people affected by the data loss appears to be Sun Microsystems CEO Scott McNealy, who was notified that his social security number and personal information had been compromised. While pushing all out transparency for its customers, Ernst and Young failed to cop to the security breach until contacted by us. "This is an organization that we spend an enormous amount of money on to determine whether we are Sarbanes-Oxley compliant," McNealy said. On the flip side - "We deeply regret that a laptop containing confidential client information was stolen, in what appears to be a random act, from the locked car of one of our employees," said Ernst and Young spokesman Charles Perkins. The laptop was not using data encryption.


February 25, 2006 - Metro State College
Metro State College of Denver – A laptop computer containing a database of college information was stolen from a Metro State employee’s residence. The database contains approximately 93,000 names, social security numbers, dates of birth, and addresses of students who were registered in a Metro State course anytime between the beginning of the 1996 fall semester and the end of the 2005 summer semester. The laptop apparently was not using data encryption.


February 23, 2006 – CNET.com
Deloitte & Touche USA – Deloitte & Touche lost a CD with information about 6,000 current and former McAfee employees, putting them at risk of identity fraud. Deloitte & Touche is McAfee's external auditor. Deloitte & Touche confirmed the incident. "A Deloitte & Touche employee left an unlabeled backup CD in an airline seat pocket". The information was not encrypted and potentially includes names, Social Security numbers and stock holdings in McAfee.


January 26, 2006 – KARE 11
State of Minnesota, Department of Employment and Economic Development – Note: this laptop was supposedly taken from a locked cabinet in a secured building. The laptop contained personal information about 3,000 Minnesotans. Apparently the information was used to open credit card accounts in the names of several people. Though this laptop was not using data encryption, the State apparently was taking prudent measures to safeguard the information at the time it was lost since it was locked in a secure area.


January 25, 2006 – FOXNEWS
Ameriprise Financial Inc. - A laptop computer was stolen from an employee's vehicle with personal account information on 226,000 people. For approximately 68,000 people the information included social security numbers, for 158,000 it was only name and account numbers. Also see the NYTimes article. The laptop was not using data encryption to protect the information.


January 12, 2006 – CNET.com
People's Bank, Bridgeport, Conn. - A tape with confidential data on about 90,000 customers was lost, putting the bank's clients at risk of identity fraud. The tape was being shipped by UPS to a credit reporting bureau. The data on the missing People's Bank tape includes names, addresses, Social Security numbers and checking account numbers of customers. The computer tape cannot be read without sophisticated mainframe equipment and software, the bank said. So apparently another poor attempt to disguise the fact that the tape was not protected by data encryption.


October 7, 2005 – InfoWorld
Bank of America Corp. – Users of BoA's Visa Buxx prepaid debit cards were warned that they may have had sensitive information compromised following the theft of an unencrypted laptop computer. Customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. BoA had refused to say how many customers were affected. But they did admit that the laptop was not using data encryption to protect the information.


June 7, 2005 – MSNBC
CitiFinancial, part of Citigroup Inc. – Backup tapes lost in UPS shipment. The tapes contained the personal data of 3.9 million U.S. customers. Data on the tapes included account information, payment histories and Social Security numbers. The tapes were not encrypted. To CitiFinancial's credit (no pun intended) they have implemented a policy to send backup information electronically and fully encrypted.


March 29, 2005 – CNET.com
University of California, Berkeley – A laptop containing names, dates of birth, addresses and Social Security numbers of 98,369 graduate students or graduate-school applicants was stolen from the University of California, Berkeley. The files go back three decades in some cases. Apparently the laptop was not using data encryption.


November 2004 – ComputerWorld
Wells Fargo - Three laptops and one desktop computer containing personal data on thousands of the bank’s borrowers were stolen from an Atlanta-based subcontractor that printed monthly statements for Wells Fargo. That incident prompted two of the affected individuals to sue the bank for negligence and breach of contract. The case was decided in the bank’s favor in March. The computers were apparently not using data encryption.


February 2004 – ComputerWorld
Wells Fargo - Laptop containing confidential information on more than 35,000 Wells Fargo customers was lost by a company employee when it was left in a car that was stolen from a gas station.


----
©2006-2007 NIST.org - All materials on this site, including, but not limited to, articles, text, images, and illustrations (the "Materials") are protected by copyrights which are owned or licensed by NIST.org. You may not reproduce, perform, create derivative works from, republish, upload, post, transmit, or distribute in any way whatsoever any Materials from NIST.org without prior written permission of NIST.org. However, you may download or make one copy of the Materials for personal non-commercial home use only, provided all copyright and other notices contained in the Materials are left intact. Any use of the Materials for any other purpose constitutes an infringement of NIST.org's copyrights.

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.
