
Unintentional Information Disclosure


It seems that the worst thing that could happen to hackers is a real accident befalling Apple's CEO Steve Jobs. The number of hacks devoted to informing us about his fictitious accidents is just overwhelming. In this case AnantaSec reports a hack of the Mac Rumors feed that was possible simply because a file with the administrator password was lying around, accessible to anyone, due to an administration error.


At Oklahoma State University (OSU), a security breach exposed the names, addresses and Social Security numbers of 70,000 students, faculty and staff who bought parking and transit services permits in the past six years. The university failed to report the incident to affected individuals for two months after it was detected.


An Excel spreadsheet was published on containing sensitive information regarding police officers in York, England. The information included Social Security numbers of 46 officers and the home addresses of 74 officers. As a result, the identities of 3 officers were stolen.

While the information was pulled offline after a short period of time, it remained in the cache of several major search engines.


Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district's computer system. The information, including names, birth dates and Social Security numbers, was available from May until Oct. 2, when school officials learned of the problem.


Fox News left non-public files in a directory accessible to everyone on its web server.


Google left some files in the wrong place at the wrong time. These files include, surprisingly, database connection strings, including a user name and a password. Hardly news, but this time it is Google.


A spreadsheet left on the web site of the US office of national intelligence includes secret information on the total budget of US intelligence. Interestingly, not all the required information appears in the document, but combined with other pieces of information made available earlier, the total number can be calculated.


This is a very interesting example of the sensitivity of partial data or small pieces of information and not just the big secrets.


A report within the help desk system used to track the status of open service calls created a file that was accessible to everyone. A hacker abused the problem to get information regarding 22,000 current and former students.


Personal information about 2,000 patients was mistakenly published on the hospital's web site. The leakage was discovered only when a patient found her information when "Googling" herself.


The information included personal data such as Social Security numbers, birth dates, addresses, phone numbers, insurance numbers and, in some cases, the reason for the visit.
