Data Breach

Data breach | GAO data breach study — The World Privacy Forum made an information request to the GAO asking for a copy of the single, non-duplicative list of data breaches its June, 2007 data breach report (GAO -07-737) refers to and was based on. The list was not included in the GAO report. The GAO used a figure in its report of “more than 570 data breaches” from January 2005 to December 2006 based on this non-duplicative breach list. The GAO breach list is straightforward, it tallies data breaches chronologically from January 1, 2005 to December 31, 2006 from three organizations that maintain data breach lists. If the breach appeared on at least one of the three lists, it was apparently included in the final tally. The GAO states that the list was based on a February 15, 2007 download of the lists.

Note: the WPF scan of the GAO list includes the first page twice. The front page of the scan is of the GAO list as it looks in the original document, and then the list was scanned for maximum readability into PDF format.

Consumer Alert | Internet privacy | Job search safety and privacy — The World Privacy Forum issued a consumer alert today warning about a data breach at Monster.com. Security firms that analyzed the breach have stated the breach impacts hundreds of thousands of job seekers. The immediate information that was stolen included job seekers’ home address, phone numbers, email address, and resume IDs. Some victims may have received further phishing emails. Job seekers who have safety concerns such as law enforcement professionals, victims of domestic violence and other victims of crimes such as stalking — who typically do not make their home addresses or personal phone numbers public — have an immediate need to know if their personal information may be in the hands of criminals. The consumer alert contains tips for victims and links to resources and more information.

Identity theft | Consumer Alert — The Federal Trade Commission has set up a new web site and phone number for identity theft victims of the Choicepoint data breach. The new site and phone number gives victims information on how to file claims for monetary reimbursement if out- of- pocket losses accrued as a result of the ID theft. A fund of $5 million is available to victims, the deadline for filing is February 4, 2007.

Privacy Act of 1974 — The Department of Justice published a notice proposing to update the Routine Uses of its systems and databases under the Privacy Act of 1974. The proposal was not precise enough, and was written in such a way as to allow sensitive Privacy Act systems such as the Criminal Division Witness Security File (CRM-002), the Witness Immunity Records (CRM-022), and the National Instant Criminal Background Check System (NICS, FBI-018) to be disclosed to almost anyone in certain circumstances, including to individuals working outside of law enforcement. The World Privacy Forum is requesting that the DOJ significantly tighten its language in the proposal, and to specify what individuals or entities may have access to these sensitive records, under what specific conditions. The World Privacy Forum is also requesting the DOJ republish all of its up-to-date system of records notices in their entirety immediately and at least every two years thereafter.

AOL released three months’ worth of the detailed search queries of 657,000-plus of its users. The approximately 20 million search queries and the additional data on users’ click-throughs to web sites in the search results are generally highly revealing of individuals’ personal, financial, political, medical, religious, and other preferences as well as the businesses and people they associate with.