The Non-Encrypted Hall of Shame

May 2006 was the first month we started tracking companies that allowed their devices to leave company property with consumers' personal information in a non-encrypted form. We're probably going to scour old news sources for some of the more infamous data loss stories and post those as well.

In today's world, not protecting other people's personal information that has been entrusted to you is a shameful act. It should be considered as bad as stealing. When you don't take prudent steps to guard their personal information, you are negligent. Too bad there isn't a law called “negligent theft”; until such time, we give you “The Non-Encrypted Hall of Shame”. If your company loses other people's information on a laptop, backup tape, thumb drive, or other portable device, or any media that has left your company's properly secured physical control, and that data is non-encrypted, you are likely to end up here. If your device was lost and the data was properly encrypted, you will not be listed here.

May 31, 2006 – ComputerWorld
Omega World Travel - A laptop containing the names and credit card numbers of about 80,000 U.S. Department of Justice (DOJ) workers. DOJ includes the FBI and the Bureau of Alcohol, Tobacco, Firearms, and Explosives. The laptop was stolen between May 7 and May 9 from the Fairfax, Va., headquarters of Omega World Travel, a travel agency used by the DOJ for its employees. For what it is worth, Omega World Travel stated, “All the data was password-protected to prevent unauthorized access.” “Password-protected” can mean most anything and is not the same thing as data encryption. So apparently the laptop was not using data encryption.

May 23, 2006 – numbrX
M&T Bank, New York – A laptop with bank account holder information was stolen from a vehicle of a PFPC employee. PFPC provides record keeping services for M&T. The laptop contained a file with names, account numbers, and social security numbers. The number of people affected was not disclosed. The bank said the laptop “is equipped with technology designed to prevent unauthorized access”, but they don't say what this is. My guess is it simply had a login userid and password or they would be saying more. So apparently the laptop was not using data encryption.

May 22, 2006 -
U.S. Veterans Administration (VA) – Laptop with the names, social security numbers, and dates of birth of over 26.5 million veterans and active duty personnel stolen from a government employee's home. This is one of the largest losses of private information ever reported. Laptop and external hard drive were not using encryption. This is a huge story that will have ramifications for months or years, especially within the U.S. Government.

May 13, 2006 -
Baltimore's Mercantile Bankshares Corp - A laptop computer containing Social Security and account numbers for nearly 50,000 customers of its Bethesda-based Mercantile Potomac Bank was stolen a week earlier from a worker's car off company property. The employee apparently violated bank policy by taking the laptop out of the office. Apparently the laptop was not using data encryption.

May 5, 2006 - Wells Fargo Press Release
Wells Fargo – Computer with names, addresses, Social Security numbers and mortgage loan account numbers of Wells Fargo customers was lost in transit. In what should be considered a completely meaningless statement, they had this to say: “The computer has two layers of security, making it difficult to access the information.” No mention of encryption, so this statement should not be considered sufficient security.

May 2, 2006 – Gwinnett Daily Post
State of Georgia – Surplus state government computers were sold at auction without being properly erased. Credit card numbers, birth dates and Social Security numbers of citizens were still on the hard drives of computers which state workers failed to erase before they were sold, WSB-TV reported. More than 150 surplus computers were in one man’s work shed. It is not known how many citizens were affected. The state has suspended the sale of state surplus computers indefinitely. The computers were not using data encryption.

April 28, 2006 – ComputerWorld
Aetna Inc. - Health insurer Aetna Inc. said a laptop computer containing personal information on about 38,000 of its members was stolen from an employee's car. The data includes names, addresses and Social Security numbers. Aetna said the employee "did not follow our corporate policies, and it was coupled with a criminal theft." Apparently the laptop was not using data encryption.

April 28, 2006 –
Iron Mountain – The company known for providing safe and secure tape backup storage lost a tape belonging to Long Island Rail Road. The tape included personal information about 17,000 current and former Long Island Rail Road employees, including Social Security numbers. In an odd twist to this story, the following has gone pretty much unnoticed: “The New York Police Department said the loss also involved data tapes belonging to the US Department of Veterans Affairs, and the loss was reported by the driver while his van was parked near a VA hospital in the Bronx”. Apparently the tape was not encrypted.

April 10, 2006 – LA Times
U.S. Military, all branches - The LA Times did a nice investigative piece where they were able to purchase several unencrypted USB drives and hard drives at bazaars in Afghanistan. Most of these devices were stolen by local workers at the military bases. Some of the devices were marked “Secret” and, judging by some of the documents, apparently had Secret information still stored on them. 'The drives also included deployment rosters and other documents that identified nearly 700 U.S. service members and their Social Security numbers, information that identity thieves could use to open credit card accounts in soldiers' names.' The vast majority of the devices were not using data encryption.

March 28, 2006 – Stars & Stripes
U.S. Marines - A portable drive with personal information on more than 207,750 Marines was lost earlier this month, possibly jeopardizing those troops’ credit records and privacy. The drive contained the names, Social Security numbers, marital status and enlistment contract details for enlisted Marines on active duty between January 2001 and December 2005. “The information is in an unusual file format,” said Lt. Col. Mike Perry, head of the information technology branch. Sorry, Colonel, an “unusual file format” is not the same thing as encryption. As you would probably say, “close only counts in horseshoes and hand grenades.”

March 24, 2006 –
Vermont State Colleges - A laptop computer was stolen Feb. 25 from the car of a Vermont State Colleges employee who works in technology. Officials say the computer contains six years' worth of personal information, including Social Security Numbers. The theft could affect as many as 20,000 faculty, staff and current and former students of Lyndon State College, Johnson State College, Castleton State College, Vermont Technical College and the Community College of Vermont. The laptop was not using data encryption.

March 23, 2006 – San Francisco Chronicle
Fidelity Investments - A laptop with personal information such as names, addresses, birthdates and Social Security numbers of about 196,0000 Hewlett-Packard (HP) current and former employees has been stolen from mutual fund company Fidelity Investments. Fidelity manages HP's pension and retirement plans. Anyone have any clues as to what this means? “Crowley said the information was also stored "in a scrambled format that will be difficult to read or interpret" without a special software application. The application is also on the laptop, but its license expired shortly after the theft so the thief will likely not be able to use it to access the files.” It could mean data encryption, but it's hard to say.

February 25, 2006 – The Register
Ernst and Young - Ernst and Young lost a laptop containing data such as the social security numbers of its customers. One of the people affected by the data loss appears to be Sun Microsystems CEO Scott McNealy, who was notified that his social security number and personal information had been compromised. While pushing all out transparency for its customers, Ernst and Young failed to cop to the security breach until contacted by us. "This is an organization that we spend an enormous amount of money on to determine whether we are Sarbanes-Oxley compliant," McNealy said. On the flip side - "We deeply regret that a laptop containing confidential client information was stolen, in what appears to be a random act, from the locked car of one of our employees," said Ernst and Young spokesman Charles Perkins. The laptop was not using data encryption.

February 25, 2006 - Metro State College
Metro State College of Denver – A laptop computer containing a database of college information was stolen from a Metro State employee’s residence. The database contains approximately 93,000 names, social security numbers, dates of birth, and addresses of students who were registered in a Metro State course anytime between the beginning of the 1996 fall semester and the end of the 2005 summer semester. The laptop apparently was not using data encryption.

February 23, 2006 –
Deloitte & Touche USA – Deloitte & Touche lost a CD with information about 6,000 current and former McAfee employees, putting them at risk of identity fraud. Deloitte & Touche is McAfee's external auditor. Deloitte & Touche confirmed the incident: "A Deloitte & Touche employee left an unlabeled backup CD in an airline seat pocket." The information was not encrypted and potentially includes names, Social Security numbers and stock holdings in McAfee.

January 26, 2006 – KARE 11
State of Minnesota, Department of Employment and Economic Development – Note: this laptop was supposedly taken from a locked cabinet in a secured building. The laptop contained personal information about 3,000 Minnesotans. Apparently the information was used to open credit card accounts in the names of several people. Though this laptop was not using data encryption, the State apparently was taking prudent measures to safeguard the information at the time it was lost, since it was locked in a secure area.

January 25, 2006 – FOXNEWS
Ameriprise Financial Inc. - A laptop computer was stolen from an employee's vehicle with personal account information on 226,000 people. For approximately 68,000 people the information included social security numbers; for 158,000 it was only name and account numbers. Also see the NYTimes article. The laptop was not using data encryption to protect the information.

January 12, 2006 –
People's Bank, Bridgeport, Conn. - A tape with confidential data on about 90,000 customers was lost, putting the bank's clients at risk of identity fraud. The tape was being shipped by UPS to a credit reporting bureau. The data on the missing People's Bank tape includes names, addresses, Social Security numbers and checking account numbers of customers. The computer tape cannot be read without sophisticated mainframe equipment and software, the bank said. So apparently another poor attempt to disguise the fact that the tape was not protected by data encryption.

October 7, 2005 – InfoWorld
Bank of America Corp. – Users of BoA's Visa Buxx prepaid debit cards were warned that they may have had sensitive information compromised following the theft of an unencrypted laptop computer. Customers may have had their bank account numbers, routing transit numbers, names and credit card numbers compromised by the theft. BoA had refused to say how many customers were affected. But they did admit that the laptop was not using data encryption to protect the information.

June 7, 2005 – MSNBC
CitiFinancial, part of Citigroup Inc. – Backup tapes lost in UPS shipment. The tapes contained the personal data of 3.9 million U.S. customers. Data on the tapes included account information, payment histories and Social Security numbers. The tapes were not encrypted. To CitiFinancial's credit (no pun intended), they have implemented a policy to send backup information electronically and fully encrypted.

March 29, 2005 –
University of California, Berkeley – A laptop containing names, dates of birth, addresses and Social Security numbers of 98,369 graduate students or graduate-school applicants was stolen from University of California, Berkeley. The files go back three decades in some cases. Apparently the laptop was not using data encryption.

November 2004 – ComputerWorld
Wells Fargo - Three laptops and one desktop computer containing personal data on thousands of the bank’s borrowers were stolen from an Atlanta-based subcontractor that printed monthly statements for Wells Fargo. That incident prompted two of the affected individuals to sue the bank for negligence and breach of contract. The case was decided in the bank’s favor in March. The computers were apparently not using data encryption.

February 2004 – ComputerWorld
Wells Fargo - Laptop containing confidential information on more than 35,000 Wells Fargo customers was lost by a company employee when it was left in a car that was stolen from a gas station.

This site is © John Herron, CISSP. All Rights Reserved.
