

The Non-Encrypted Hall of Shame



May 2006 was the first month we started tracking companies that allowed their devices to leave company property with consumers' personal information in a non-encrypted form. We're probably going to scour old news sources for some of the more infamous data loss stories and post those as well.

In today's world, not protecting other people's personal information that has been entrusted to you is a shameful act. It should be considered as bad as stealing. When you don't take prudent steps to guard their personal information, you are negligent. Too bad there isn't a law called “negligent theft”; until such time, we give you “The Non-Encrypted Hall of Shame”. If your company loses other people's information on a laptop, backup tape, thumb drive, or other portable device, or any media that has left your company's properly secured physical control, and that data is non-encrypted, you are likely to end up here. If your device was lost and the data was properly encrypted, you will not be listed here.

May 31, 2006 – ComputerWorld
Omega World Travel - A laptop containing the names and credit card numbers of about 80,000 U.S. Department of Justice (DOJ) workers. DOJ includes the FBI and the Bureau of Alcohol, Tobacco, Firearms, and Explosives. The laptop was stolen between May 7 and May 9 from the Fairfax, Va., headquarters of Omega World Travel, a travel agency used by the DOJ for its employees. For what it is worth Omega World Travel stated “All the data was password-protected to prevent unauthorized access”. “Password-protected” can mean most anything and is not the same thing as data encryption. So apparently the laptop was not using data encryption.


May 23, 2006 – numbrX
M&T Bank, New York – A laptop with bank account holder information was stolen from a vehicle of a PFPC employee. PFPC provides record keeping services for M&T. The laptop contained a file with names, account numbers, and social security numbers. The number of people affected was not disclosed. The bank said the laptop “is equipped with technology designed to prevent unauthorized access”, but they don't say what this is. My guess is it simply had a login userid and password or they would be saying more. So apparently the laptop was not using data encryption.


May 22, 2006 – NIST.org
U.S. Veterans Administration (VA) – A laptop with the names, social security numbers, and dates of birth of over 26.5 million veterans and active duty personnel was stolen from a government employee's home. This is one of the largest losses of private information ever reported. The laptop and external hard drive were not using encryption. This is a huge story that will have ramifications for months or years, especially within the U.S. Government.


May 13, 2006 - TMCNet.com
Baltimore's Mercantile Bankshares Corp - A laptop computer containing Social Security and account numbers for nearly 50,000 customers of its Bethesda-based Mercantile Potomac Bank was stolen a week earlier from a worker's car off company property. The employee apparently violated bank policy by taking the laptop out of the office. Apparently the laptop was not using data encryption.


May 5, 2006 - Wells Fargo Press Release
Wells Fargo – A computer with names, addresses, Social Security numbers and mortgage loan account numbers of Wells Fargo customers was lost in transit. In what should be considered a completely meaningless statement, they had this to say: “The computer has two layers of security, making it difficult to access the information.” No mention of encryption, so this statement should not be considered sufficient security.


May 2, 2006 – Gwinnett Daily Post
State of Georgia – Surplus state government computers were sold at auction without being properly erased. Credit card numbers, birth dates and Social Security numbers of citizens were still on the hard drives of computers which state workers failed to erase before they were sold, WSB-TV reported. More than 150 surplus computers were in one man’s work shed. It is not known how many citizens were affected. The state has suspended the sale of state surplus computers indefinitely. The computers were not using data encryption.


April 28, 2006 – ComputerWorld
Aetna Inc. - Health insurer Aetna Inc. said a laptop computer containing personal information on about 38,000 of its members was stolen from an employee's car. The data includes names, addresses and Social Security numbers. Aetna said the employee "did not follow our corporate policies, and it was coupled with a criminal theft." Apparently the laptop was not using data encryption.


April 28, 2006 – Boston.com
Iron Mountain – The company known for providing safe and secure tape backup storage lost a tape belonging to Long Island Rail Road. The tape included personal information about 17,000 current and former Long Island Rail Road employees, including Social Security numbers. In an odd twist to this story, the following has gone pretty much unnoticed: “The New York Police Department said the loss also involved data tapes belonging to the US Department of Veterans Affairs, and the loss was reported by the driver while his van was parked near a VA hospital in the Bronx”. Apparently the tape was not encrypted.


April 10, 2006 – LA Times
U.S. Military, all branches - The LA Times did a nice investigative piece where they were able to purchase several unencrypted USB drives and hard drives at bazaars in Afghanistan. Most of these devices were stolen by local workers at the military bases. Some of the devices were marked “Secret” and, judging by some of the documents, apparently had Secret information still stored on them. “The drives also included deployment rosters and other documents that identified nearly 700 U.S. service members and their Social Security numbers, information that identity thieves could use to open credit card accounts in soldiers' names.” The vast majority of the devices were not using data encryption.


March 28, 2006 – Stars & Stripes
U.S. Marines - A portable drive with personal information on more than 207,750 Marines was lost earlier this month, possibly jeopardizing those troops’ credit records and privacy. The drive contained the names, Social Security numbers, marital status and enlistment contract details for enlisted Marines on active duty between January 2001 and December 2005. “The information is in an unusual file format,” said Lt. Col. Mike Perry, head of the information technology branch. Sorry, Colonel, an “unusual file format” is not the same thing as encryption. As you would probably say, “close only counts in horse shoes and hand grenades.”


March 24, 2006 – Boston.com
Vermont State Colleges - A laptop computer was stolen Feb. 25 from the car of a Vermont State Colleges employee who works in technology. Officials say the computer contains six years' worth of personal information, including Social Security Numbers. The theft could affect as many as 20,000 faculty, staff and current and former students of Lyndon State College, Johnson State College, Castleton State College, Vermont Technical College and the Community College of Vermont. The laptop was not using data encryption.


March 23, 2006 – San Francisco Chronicle
Fidelity Investments - A laptop with personal information such as names, addresses, birthdates and Social Security numbers of about 196,0000 Hewlett-Packard (HP) current and former employees has been stolen from mutual fund company Fidelity Investments. Fidelity manages HP's pension and retirement plans. Anyone have any clues as to what this means? “Crowley said the information was also stored "in a scrambled format that will be difficult to read or interpret" without a special software application. The application is also on the laptop, but its license expired shortly after the theft so the thief will likely not be able to use it to access the files.” It could mean data encryption, but it's hard to say.


February 25, 2006 – The Register
Ernst and Young - Ernst and Young lost a laptop containing data such as the social security numbers of its customers. One of the people affected by the data loss appears to be Sun Microsystems CEO Scott McNealy, who was notified that his social security number and personal information had been compromised. While pushing all out transparency for its customers, Ernst and Young failed to cop to the security breach until contacted by us. "This is an organization that we spend an enormous amount of money on to determine whether we are Sarbanes-Oxley compliant," McNealy said. On the flip side - "We deeply regret that a laptop containing confidential client information was stolen, in what appears to be a random act, from the locked car of one of our employees," said Ernst and Young spokesman Charles Perkins. The laptop was not using data encryption.


February 25, 2006 – Metro State College
Metro State College of Denver – A laptop computer containing a database of college information was stolen from a Metro State employee’s residence. The database contains approximately 93,000 names, social security numbers, dates of birth, and addresses of students who were registered in a Metro State course anytime between the beginning of the 1996 fall semester and the end of the 2005 summer semester. The laptop apparently was not using data encryption.


February 23, 2006 – CNET.com
Deloitte & Touche USA – Deloitte & Touche lost a CD with information about 6,000 current and former McAfee employees, putting them at risk of identity fraud. Deloitte & Touche is McAfee's external auditor. Deloitte & Touche confirmed the incident. "A Deloitte & Touche employee left an unlabeled backup CD in an airline seat pocket". The information was not encrypted and potentially includes names, Social Security numbers and stock holdings in McAfee.


January 26, 2006 – KARE 11
State of Minnesota, Department of Employment and Economic Development – Note: this laptop was supposedly taken from a locked cabinet in a secured building. The laptop contained personal information about 3,000 Minnesotans. Apparently the information was used to open credit card accounts in the names of several people. Though this laptop was not using data encryption, the State apparently was taking prudent measures to safeguard the information at the time it was lost, since it was locked in a secure area.


January 25, 2006 – FOXNEWS
Ameriprise Financial Inc. - A laptop computer was stolen from an employee's vehicle with personal account information on 226,000 people. For approximately 68,000 people the information included social security numbers, for 158,000 it was only name and account numbers. Also see the NYTimes article. The laptop was not using data encryption to protect the information.


January 12, 2006 – CNET.com
People's Bank, Bridgeport, Conn. - A tape with confidential data on about 90,000 customers was lost, putting the bank's clients at risk of identity fraud. The tape was being shipped by UPS to a credit reporting bureau. The data on the missing People's Bank tape includes names, addresses, Social Security numbers and checking account numbers of customers. The computer tape cannot be read without sophisticated mainframe equipment and software, the bank said. So apparently another poor attempt to disguise the fact that the tape was not protected by data encryption.


October 7, 2005 – InfoWorld
Bank of America Corp. – Users of BoA's Visa Buxx prepaid debit cards were warned that they may have had sensitive information compromised following the theft of an unencrypted laptop computer. Customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. BoA had refused to say how many customers were affected. But they did admit that the laptop was not using data encryption to protect the information.


June 7, 2005 – MSNBC
CitiFinancial, part of Citigroup Inc. – Backup tapes were lost in a UPS shipment. The tapes contained the personal data of 3.9 million U.S. customers. Data on the tapes included account information, payment histories and Social Security numbers. The tapes were not encrypted. To CitiFinancial's credit (no pun intended), they have implemented a policy to send backup information electronically and fully encrypted.


March 29, 2005 – CNET.com
University of California, Berkeley – A laptop containing names, dates of birth, addresses and Social Security numbers of 98,369 graduate students or graduate-school applicants was stolen from the University of California, Berkeley. The files go back three decades in some cases. Apparently the laptop was not using data encryption.


November 2004 – ComputerWorld
Wells Fargo - Three laptops and one desktop computer containing personal data on thousands of the bank’s borrowers were stolen from an Atlanta-based subcontractor that printed monthly statements for Wells Fargo. That incident prompted two of the affected individuals to sue the bank for negligence and breach of contract. The case was decided in the bank’s favor in March. The computers were apparently not using data encryption.


February 2004 – ComputerWorld
Wells Fargo - A laptop containing confidential information on more than 35,000 Wells Fargo customers was lost by a company employee when it was left in a car that was stolen from a gas station.


----
©2006-2007 NIST.org - All materials on this site, including, but not limited to, articles, text, images, and illustrations (the "Materials") are protected by copyrights which are owned or licensed by NIST.org. You may not reproduce, perform, create derivative works from, republish, upload, post, transmit, or distribute in any way whatsoever any Materials from NIST.org without prior written permission of NIST.org. However, you may download or make one copy of the Materials for personal non-commercial home use only, provided all copyright and other notices contained in the Materials are left intact. Any use of the Materials for any other purpose constitutes an infringement of NIST.org's copyrights.

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.
