The Non-Encrypted Hall of Shame



May 2006 was the first month we started tracking companies that allowed their devices to leave company property with consumers' personal information in a non-encrypted form. We're probably going to scour old news sources for some of the more infamous data loss stories and post those as well.

In today's world, not protecting other people's personal information that has been entrusted to you is a shameful act. It should be considered as bad as stealing. When you don't take prudent steps to guard their personal information, you are negligent. Too bad there isn't a law called “negligent theft”; until such time, we give you “The Non-Encrypted Hall of Shame”. If your company loses other people's information on a laptop, backup tape, thumb drive, or other portable device, or any media that has left your company's properly secured physical control, and that data is non-encrypted, you are likely to end up here. If your device was lost and the data was properly encrypted, you will not be listed here.

May 31, 2006 – ComputerWorld
Omega World Travel - A laptop containing the names and credit card numbers of about 80,000 U.S. Department of Justice (DOJ) workers was stolen between May 7 and May 9 from the Fairfax, Va., headquarters of Omega World Travel, a travel agency used by the DOJ for its employees. DOJ includes the FBI and the Bureau of Alcohol, Tobacco, Firearms, and Explosives. For what it is worth, Omega World Travel stated, “All the data was password-protected to prevent unauthorized access”. “Password-protected” can mean almost anything and is not the same thing as data encryption. So apparently the laptop was not using data encryption.


May 23, 2006 – numbrX
M&T Bank, New York – A laptop with bank account holder information was stolen from the vehicle of a PFPC employee. PFPC provides record keeping services for M&T. The laptop contained a file with names, account numbers, and social security numbers. The number of people affected was not disclosed. The bank said the laptop “is equipped with technology designed to prevent unauthorized access”, but they don't say what this is. My guess is it simply had a login userid and password or they would be saying more. So apparently the laptop was not using data encryption.


May 22, 2006 - NIST.org
U.S. Veterans Administration (VA) – A laptop with the names, social security numbers, and dates of birth of over 26.5 million veterans and active duty personnel was stolen from a government employee's home. This is one of the largest losses of private information ever reported. The laptop and external hard drive were not using encryption. This is a huge story that will have ramifications for months or years, especially within the U.S. Government.


May 13, 2006 - TMCNet.com
Baltimore's Mercantile Bankshares Corp - A laptop computer containing Social Security and account numbers for nearly 50,000 customers of its Bethesda-based Mercantile Potomac Bank was stolen a week earlier from a worker's car off company property. The employee apparently violated bank policy by taking the laptop out of the office. Apparently the laptop was not using data encryption.


May 5, 2006 - Wells Fargo Press Release
Wells Fargo – A computer with names, addresses, Social Security numbers and mortgage loan account numbers of Wells Fargo customers was lost in transit. In what should be considered a completely meaningless statement, they had this to say: “The computer has two layers of security, making it difficult to access the information.” There is no mention of encryption, so this statement should not be considered sufficient security.


May 2, 2006 – Gwinnett Daily Post
State of Georgia – Surplus state government computers were sold at auction without being properly erased. Credit card numbers, birth dates and Social Security numbers of citizens were still on the hard drives of computers which state workers failed to erase before they were sold, WSB-TV reported. More than 150 surplus computers were in one man’s work shed. It is not known how many citizens were affected. The state has suspended the sale of state surplus computers indefinitely. The computers were not using data encryption.


April 28, 2006 – ComputerWorld
Aetna Inc. - Health insurer Aetna Inc. said a laptop computer containing personal information on about 38,000 of its members was stolen from an employee's car. The data includes names, addresses and Social Security numbers. Aetna said the employee "did not follow our corporate policies, and it was coupled with a criminal theft." Apparently the laptop was not using data encryption.


April 28, 2006 – Boston.com
Iron Mountain – The company known for providing safe and secure tape backup storage lost a tape belonging to Long Island Rail Road. The tape included personal information about 17,000 current and former Long Island Rail Road employees, including Social Security numbers. In an odd twist to this story, the following has gone pretty much unnoticed: “The New York Police Department said the loss also involved data tapes belonging to the US Department of Veterans Affairs, and the loss was reported by the driver while his van was parked near a VA hospital in the Bronx”. Apparently the tape was not encrypted.


April 10, 2006 – LA Times
U.S. Military, all branches - The LA Times did a nice investigative piece where they were able to purchase several unencrypted USB drives and hard drives at bazaars in Afghanistan. Most of these devices were stolen by local workers at the military bases. Some of the devices were marked “Secret” and, judging by some of the documents, apparently still had Secret information stored on them. “The drives also included deployment rosters and other documents that identified nearly 700 U.S. service members and their Social Security numbers, information that identity thieves could use to open credit card accounts in soldiers' names.” The vast majority of the devices were not using data encryption.


March 28, 2006 – Stars & Stripes
U.S. Marines - A portable drive with personal information on more than 207,750 Marines was lost earlier this month, possibly jeopardizing those troops’ credit records and privacy. The drive contained the names, Social Security numbers, marital status and enlistment contract details for enlisted Marines on active duty between January 2001 and December 2005. “The information is in an unusual file format,” said Lt. Col. Mike Perry, head of the information technology branch. Sorry, Colonel, an “unusual file format” is not the same thing as encryption. As you would probably say, “close only counts in horse shoes and hand grenades.”


March 24, 2006 – Boston.com
Vermont State Colleges - A laptop computer was stolen Feb. 25 from the car of a Vermont State Colleges employee who works in technology. Officials say the computer contains six years' worth of personal information, including Social Security numbers. The theft could affect as many as 20,000 faculty, staff and current and former students of Lyndon State College, Johnson State College, Castleton State College, Vermont Technical College and the Community College of Vermont. The laptop was not using data encryption.


March 23, 2006 – San Francisco Chronicle
Fidelity Investments - A laptop with personal information such as names, addresses, birthdates and Social Security numbers of about 196,000 Hewlett-Packard (HP) current and former employees has been stolen from mutual fund company Fidelity Investments. Fidelity manages HP's pension and retirement plans. Anyone have any clues as to what this means? “Crowley said the information was also stored "in a scrambled format that will be difficult to read or interpret" without a special software application. The application is also on the laptop, but its license expired shortly after the theft so the thief will likely not be able to use it to access the files.” It could mean data encryption, but it's hard to say.


February 25, 2006 – The Register
Ernst and Young - Ernst and Young lost a laptop containing data such as the social security numbers of its customers. One of the people affected by the data loss appears to be Sun Microsystems CEO Scott McNealy, who was notified that his social security number and personal information had been compromised. While pushing all out transparency for its customers, Ernst and Young failed to cop to the security breach until contacted by us. "This is an organization that we spend an enormous amount of money on to determine whether we are Sarbanes-Oxley compliant," McNealy said. On the flip side - "We deeply regret that a laptop containing confidential client information was stolen, in what appears to be a random act, from the locked car of one of our employees," said Ernst and Young spokesman Charles Perkins. The laptop was not using data encryption.


February 25, 2006 - Metro State College
Metro State College of Denver – A laptop computer containing a database of college information was stolen from a Metro State employee’s residence. The database contains approximately 93,000 names, social security numbers, dates of birth, and addresses of students who were registered in a Metro State course anytime between the beginning of the 1996 fall semester and the end of the 2005 summer semester. The laptop apparently was not using data encryption.


February 23, 2006 – CNET.com
Deloitte & Touche USA – Deloitte & Touche lost a CD with information about 6,000 current and former McAfee employees, putting them at risk of identity fraud. Deloitte & Touche is McAfee's external auditor. Deloitte & Touche confirmed the incident. "A Deloitte & Touche employee left an unlabeled backup CD in an airline seat pocket". The information was not encrypted and potentially includes names, Social Security numbers and stock holdings in McAfee.


January 26, 2006 – KARE 11
State of Minnesota, Department of Employment and Economic Development – Note: this laptop was supposedly taken from a locked cabinet in a secured building. The laptop contained personal information about 3,000 Minnesotans. Apparently the information was used to open credit card accounts in the names of several people. Though this laptop was not using data encryption, the State apparently was taking prudent measures to safeguard the information at the time it was lost, since it was locked in a secure area.


January 25, 2006 – FOXNEWS
Ameriprise Financial Inc. - A laptop computer was stolen from an employee's vehicle with personal account information on 226,000 people. For approximately 68,000 people the information included social security numbers, for 158,000 it was only name and account numbers. Also see the NYTimes article. The laptop was not using data encryption to protect the information.


January 12, 2006 – CNET.com
People's Bank, Bridgeport, Conn. - A tape with confidential data on about 90,000 customers was lost, putting the bank's clients at risk of identity fraud. The tape was being shipped by UPS to a credit reporting bureau. The data on the missing People's Bank tape includes names, addresses, Social Security numbers and checking account numbers of customers. The computer tape cannot be read without sophisticated mainframe equipment and software, the bank said. So apparently another poor attempt to disguise the fact that the tape was not protected by data encryption.


October 7, 2005 – InfoWorld
Bank of America Corp. – Users of BoA's Visa Buxx prepaid debit cards were warned that they may have had sensitive information compromised following the theft of an unencrypted laptop computer. Customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. BoA had refused to say how many customers were affected. But they did admit that the laptop was not using data encryption to protect the information.


June 7, 2005 – MSNBC
CitiFinancial, part of Citigroup Inc. – Backup tapes were lost in a UPS shipment. The tapes contained the personal data of 3.9 million U.S. customers. Data on the tapes included account information, payment histories and Social Security numbers. The tapes were not encrypted. To CitiFinancial's credit (no pun intended), they have implemented a policy to send backup information electronically and fully encrypted.


March 29, 2005 – CNET.com
University of California, Berkeley – A laptop containing names, dates of birth, addresses and Social Security numbers of 98,369 graduate students or graduate-school applicants was stolen from the University of California, Berkeley. The files go back three decades in some cases. Apparently the laptop was not using data encryption.


November 2004 – ComputerWorld
Wells Fargo - Three laptops and one desktop computer containing personal data on thousands of the bank’s borrowers were stolen from an Atlanta-based subcontractor that printed monthly statements for Wells Fargo. That incident prompted two of the affected individuals to sue the bank for negligence and breach of contract. The case was decided in the bank’s favor in March. The computers were apparently not using data encryption.


February 2004 – ComputerWorld
Wells Fargo - A laptop containing confidential information on more than 35,000 Wells Fargo customers was lost by a company employee when it was left in a car that was stolen from a gas station.


----
©2006-2007 NIST.org - All materials on this site, including, but not limited to, articles, text, images, and illustrations (the "Materials") are protected by copyrights which are owned or licensed by NIST.org. You may not reproduce, perform, create derivative works from, republish, upload, post, transmit, or distribute in any way whatsoever any Materials from NIST.org without prior written permission of NIST.org. However, you may download or make one copy of the Materials for personal non-commercial home use only, provided all copyright and other notices contained in the Materials are left intact. Any use of the Materials for any other purpose constitutes an infringement of NIST.org's copyrights.

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.
