This message may repeat. This message may repeat. For those of us old enough to have fond memories of the phonograph, the phrase “broken record” may come to mind.
Yes, more user information has been leaked and in a totally preventable fashion. A season ticket sales representative for the New York Yankees accidentally emailed a spreadsheet to “several hundred” affiliates with the personal details of over 21,000 Yankees ticket holders.

According to the Yankees, the spreadsheet contained customers’ names, addresses, phone numbers, fax numbers, e-mail addresses and other information like their seat numbers and which ticket packages they purchased.
Implementing data loss prevention (DLP) for sensitive customer data is easy to do. There are at least three ways this could have been prevented…
1. Encrypt the spreadsheet to prevent accidental disclosure.
2. Implement endpoint DLP software to watch for the transfer of sensitive data to instant message, email and other communication tools.
3. Scan outgoing email messages for personally identifiable information to prevent accidental disclosure.
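As an added illustration of the third option (not code from the post or from any DLP product), here is a minimal outbound-mail check that scans a CSV attachment shaped like the leaked spreadsheet for e-mail addresses and phone numbers, counts the identifiable rows, and blocks the message when it is bound for external recipients or carries a bulk list. The sample rows, the internal mail domain and the row threshold are all constructed assumptions.

```python
import csv
import io
import re

# Constructed sample attachment (fictitious rows) shaped like the spreadsheet
# the post describes: names, addresses, phone/fax numbers, e-mail, seat, package.
SAMPLE_CSV = """name,address,phone,fax,email,seat,package
Jane Doe,12 Example St,212-555-0100,212-555-0101,jane@example.com,114A,Full Season
John Roe,34 Sample Ave,718-555-0102,,john.roe@example.org,205B,Weekend Plan
Acme Corp,,,,,,Group
"""

# Hypothetical internal mail domain; any other recipient counts as external.
INTERNAL_DOMAIN = "@example-org.internal"

# Simple per-cell detectors; real DLP engines layer many more (and fuzzier) rules.
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "phone": re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$"),
}


def scan_csv_for_pii(text):
    """Count matching cells per PII type and the rows that contain any PII."""
    counts = {"email": 0, "phone": 0, "pii_rows": 0, "rows": 0}
    for row in csv.DictReader(io.StringIO(text)):
        counts["rows"] += 1
        hit = False
        for cell in row.values():
            cell = (cell or "").strip()
            for kind, pattern in PII_PATTERNS.items():
                if pattern.match(cell):
                    counts[kind] += 1
                    hit = True
        if hit:
            counts["pii_rows"] += 1
    return counts


def outbound_decision(text, recipients, max_pii_rows=25):
    """Assumed policy: PII records never leave the organisation, and even an
    internal message carrying a bulk list of identifiable people is held."""
    counts = scan_csv_for_pii(text)
    if counts["pii_rows"] == 0:
        return "allow"
    external = [r for r in recipients if not r.lower().endswith(INTERNAL_DOMAIN)]
    if external or counts["pii_rows"] > max_pii_rows:
        return "block"
    return "allow"
```

A mail gateway would run `outbound_decision` on each attachment before delivery; the rows without any phone or e-mail (the "Acme Corp" line) correctly do not count toward the total.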
Later this afternoon DSLReports.com disclosed that they had been the victims of a SQL injection attack that succeeded in stealing usernames and passwords. Justin, the owner of DSLReports, wrote in a forum message that a “sql injection attack by a botnet on wednesday afternoon obtained a large number of email / password pairs.”
Strangely, Justin stated that he had notified account holders who either created their accounts in the last 12 months, or had logged in over the last 12 months. This seems like a terrible practice. Many users have had accounts for more than 10 years and may not even remember having created one.
To not notify everyone who may have been affected seems to be a lapse in judgement, but it gets worse. All of the passwords in DSLReports’ database were in clear text. No hashing, no salting, totally unencrypted.
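The post only states that the passwords were stored unhashed and unsalted; as an added example (not DSLReports' code), here is what a salted, iterated hash with verification looks like in Python. PBKDF2-HMAC-SHA256 and the iteration count are an assumed choice of key-derivation function, and the user record is constructed.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000  # assumed work factor; tune to your hardware


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means identical passwords hash differently,
    so a leaked table cannot be attacked with one precomputed lookup."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record never verifies
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed user table: this is all the database row holds, not the password.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}


def login(email, password):
    """Return True only when the e-mail exists and the password matches."""
    stored = USERS.get(email)
    return stored is not None and verify_password(password, stored)
```

With this layout a dumped table yields only salts and digests, so the stolen "email / password pairs" the post describes would not exist to be replayed on other sites.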
Once again we find that if we re-use passwords for seemingly unimportant websites, we may be putting our reputations at risk. You can count on the attackers trying to use these email addresses and passwords on as many popular sites as possible.
They may only use them to spread forum spam, but do you really want your name/profile/identity associated with this kind of activity?
Creative Commons image of New York Yankees helmet courtesy of Mr. T in DC’s Flickr photostream.
Posted on 29 April 2011. Tags: *NEW*, Data, DLP, DLSReports, Email, encryption, Featured, loss, passwords, Privacy, Yankees, York
The above information is reprinted from and copyrighted © by Naked Security - Sophos.