Saturday, September 1, 2012

Into the Breach - Popular Online News Service Announces Passwords Downloaded

LinkedIn (6.5M), Yahoo (400K), Microsoft Online Store, OLDaily...what do they have in common? Passwords released to the world.
Passwords and online information are, in fact, the No. 1 target of hacking incidents, according to the Web Hacking Incident Database, a semi-annual report from Trustwave, an international computer security agency based in Chicago. (Source)
Over the last few months, we know that there have been privacy breaches. It may have been a hard drive left in a car, an unencrypted file put on an internet server...these things happen and with increasing frequency. That's why I put together 5 Encryption Tips for School Administrators. Of course, there's the approach some have taken--posting passwords on a server, making them available for download unintentionally.

These days, you can go online to track all the privacy breaches, at the Privacy Breach Clearinghouse:
Consider a few from 2012 alone, and this is not the whole list...there are about one or two privacy breaches PER DAY, which is simply amazing:

A dishonest employee was arrested for using a skimming device to steal customer credit card numbers at Chili's. Investigators were able to link another fraudulent credit card crime to a credit card stored in the dishonest employee's skimmer. This led to the discovery of a credit card making machine, a credit card skimmer, laptops, blank credit cards, and pages of names, Social Security numbers, and dates of birth at a separate residence.

An employee's computer bag was stolen on July 19. The bag contained a computer server back-up that had patient and employee names, Social Security numbers, dates of birth, insurance information, medical record numbers, limited clinical information, and addresses.

A student was able to access and distribute information from a classroom management system called PowerTeacher. The student used user names and passwords to access grades, demographics, Social Security numbers, and other personal information. Some parents reported receiving strange calls that disclosed personal information.

Ten people consisting of assistant managers, sales representatives, and other employees of banks were arrested for participating in an identity theft ring. Information was stolen and misused between November 2011 and February 2012.

A UA student ran a Google search and found her private information posted publicly. The data belonged to several thousand people who had submitted their names and tax ID numbers to UA in order to receive payments or reimbursements. Vendors, consultants, guest speakers, and UA students had their names and tax ID numbers exposed in February and early March. Some people had their Social Security numbers exposed in lieu of tax ID numbers. The sensitive data was embedded within a larger set of files being transferred to the UA new financial system. The files were thought to only contain public information.
All these breaches aside, there's one I bet you didn't see coming--OLDaily, Stephen Downes' news service.
It goes to show it can happen to anyone. Let's help each other be on guard. Some suggestions on how to do that with passwords:
  1. Get accustomed to using tough passwords like the ones generated here. You can use the online password generator or download a program and run that on your computer.
  2. Safeguard your passwords using one of the following: KeePass, LastPass, or 1Password. My favorite is KeePass since it works on every mobile device and operating system I own.
  3. Change your passwords frequently and check their strength. Several sites can check the strength of your password:
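If you would rather not paste a candidate password into an online checker, the two steps above (generate a tough password, then check its strength) can be done locally. This is an added example, not code from the post or from any of the tools it names; the 40-bit and 64-bit rating thresholds are my assumptions, and the estimate is only an upper bound on strength.

```python
import math
import secrets
import string

# Pool a generated password draws from: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a random password using the OS CSPRNG (secrets), never random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Estimate strength as length * log2(pool) from the ASCII classes present.

    This is an upper bound: a dictionary word with a digit appended scores the
    same as a truly random string with the same classes, so treat the result
    as a sanity check, not a guarantee. Non-ASCII characters are ignored.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += len(string.ascii_lowercase)
    if any(c.isupper() for c in password):
        pool += len(string.ascii_uppercase)
    if any(c.isdigit() for c in password):
        pool += len(string.digits)
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def rate(password: str) -> str:
    """Bucket the entropy estimate; thresholds (40/64 bits) are assumptions."""
    bits = entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    return "strong"


if __name__ == "__main__":
    for candidate in ("password", "Summer2012", generate_password()):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, {rate(candidate)}")
```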
When is the last time you changed your password?
Final Note of Humor: I hope Stephen Downes will forgive me for mentioning 5 downloads of passwords for OLDaily News Service in the same breath as LinkedIn (6.5 million passwords) and Yahoo (400,000 passwords), but I hope he realizes that OLDaily is JUST AS IMPORTANT as those services, if not more so.



Stephen Downes said...

It's OK - it reminds me of Rik Hall's law:

"There are two types of people, those who have accidentally broadcast a personal message to the entire mailing list, and those who will."

p.s. The captchas are almost impossible to read; I would turn them off.

koba hoba said...

Thanks for your suggestion; a well-written article with a lot of helpful information.
security devices
