Oops! SSNBreach.org exposes students’ personal info in Google

By , August 13, 2007 3:06 pm

On July 18th, SSNBreach.org (“SSNB”) was launched by Liberty Coalition and Aaron Titus. The site’s stated purpose was to assist and empower those whose personally identifiable information had been accessible via the web due to the Louisiana Board of Regents’ (“LBR”) failure to password-protect over 200 files containing confidential student and employee records.

Less than three weeks after its launch, SSNB’s own files on some of these students are being indexed by Google. Despite being notified of the problem on August 7, the problem isn’t fixed, with more students’ names and files appearing in Google every day.

The History of SSNBreach.org: “Finders, Keepers”

On or before June 18, Titus, a self-described “privacy advocate” and “privacy expert,” discovered that the LBR files were accessible via search engines and cache. He did not inform LBR. Instead, he contacted the media. WDSU broke the story on July 17, after they had notified LBR.

While they left LBR in the dark about the exposure and the files accessible to cybercriminals, Titus and the Liberty Coalition were busy using the contents of those sensitive and confidential files to create their own database on everyone affected. When it was pointed out to them that they did not seek or secure permission to use information from files which “the reasonable man” would realize had been accidentally exposed and were intended to be confidential, Michael Ostrolenk of the Liberty Coalition responded:

You are correct that we do not ask permission to retrieve online information. In fact, I cannot recall a single instance when I have contacted the proprietor of a website to ask permission to view information placed in the public domain.

Of course, Titus and the Liberty Coalition did much more than just view the information that had been unintentionally exposed. They used it. An identity thief might make the same statement they did.

On July 16th (approximately one month after Titus discovered the exposure), the Liberty Coalition sent LBR a letter, informing them that they had set up SSNB to “assist” in notifying victims.

LBR responded to their letter with a request dated July 27th that they remove the files, destroy them and take down the site (pdf). Liberty Coalition then deleted the files that they say they had maintained in encrypted form on an offline server, but they did not remove the site or cease use of the information.

Publish First, Establish Privacy Policy Later?

As pointed out by Attrition.org, SSNB went “live” without even having a privacy policy in place for its site. The subsequently uploaded privacy policy states:

Before information about a breach is documented on SSNBreach.org, we follow strict protocols to mitigate risk:

  • We ensure the Breaching Entity is aware of the Breach, and has had ample time to fix the problems.

Titus did not inform the “Breaching Entity,” LBR. After contacting security site Attrition.org on June 18th to get their advice on disclosure, and after being told by them that very same day that he should go to LBR “FIRST,” Titus ignored their advice and went to the media. During the time between his discovery and notification to LBR by WDSU, how many people in the news room and curious people or cybercriminals around the world did or might have accessed the files? I do not mean to disparage the ethics of anyone at WDSU, but the fact is that they were printing out sheets of files there, viewing files online, and thereby increasing the risk that someone might misuse the information — apart from what others might be doing with the information left accessible online — and all because Titus did not ensure that LBR was made aware of the breach immediately so that they could fix it.

  • We request that the Breach be fixed.

To the best of my knowledge and belief, they did not do that for this breach nor for the Arkansas Board of Psychology breach. Maybe SSNB should amend their description to state: “We request that the Breach be fixed after we contact the media, set up a website, and solicit donations.”

  • When applicable, we request major search engines clear their caches.
  • When appropriate, we may also notify the media of the breach.

Apparently, they think it’s always appropriate. This was the second time that month that Titus did not inform a “Breaching Entity” and published or went to the media first. I realize that some advocates are in favor of that approach (cf. Jim Malmberg’s comments on a previous blog entry). I am not.

  • We never store sensitive information in our databases.

The Liberty Coalition acknowledged to me in email that they did store sensitive information in their databases, so that statement is patently false as stated. Some of their storage was reportedly offline and encrypted, but they did store it and were storing it on July 18 when they launched the site. And they apparently continued to store it until they received LBR’s letter on August 6th. Furthermore, they also stored what many would consider to be sensitive personal information in their online databases and continue to store and publish personal information on people who have already been the victims of a breach.

How SSNBreach.org REALLY Works

Throughout its web site and statements to media, SSNB claims that all the site does is give yes/no indication for each type of data record. Figure 1 is part of their explanation from their site for how it works.

In actuality, the site visitor does not see any “yes” or “no” in their records. Every site visitor sees “May” for each record type listed under their name. Figure 2 is a screen shot of output of an actual student IXR record from SSNB. The student’s name is redacted by me, as is the name of the specific student database the student’s files were in.

In many cases, the student’s first name, last name, and middle initial are provided. When the site originally launched, it also showed a partial street address for the student. Note that the bottom of the output helps us identify this student as being a Louisiana high school student who was in the 10th grade between 2001 and 2003 and who took the EPAS test during that time.

For faculty records, the person’s employment status/job position appeared with their first name, middle initial and last name, and their list of “may” records might include items such as pension plan, health care plan, etc. At the bottom of their records would also be a database name and an indication of faculty database. The name of the database often provided direct clues as to the actual location of employment (i.e., the database name was often an abbreviation of the name of the college). And of course, the description of the breach on the faculty record output page would tell us what years the person was employed at that college or location (and might still be employed there): “Any public college or university faculty or staff member who was employed in either 2000 or 2001.”

Although some people expressed appreciation for SSNB, both PogoWasRight.org and Attrition.org criticized the site for violating the privacy of the people it purported to help. Both I and staff from Attrition.org were in private email with Titus before our public criticisms were published and I have continued in email to the Liberty Coalition.

In response to our criticisms, Liberty Coalition made some small changes in the site. They eliminated the partial street addresses for students. They also changed the front end of the search engine so that you have to input more than just a single letter to start seeing records, although you can still get a list of names with links simply by entering any string of letters in the last name field without any entry in the first name field. And once you have any name, you can use the “one up” approach to edit the URL to get the next person’s records, etc.

So major privacy issues concerning the site remained. But perhaps the worst was yet to come.

Sure, Google, Come Right on In

On August 7th, I discovered that SSNB was allowing Google to index students’ names and their SSNB records.

I wrote to Michael Ostrolenk of the Liberty Coalition that day to alert him and to tell him to secure the files, disallow indexing, and then implement procedures for emergency removal from cache. I also pointed out the “one up” problem with the site.
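The three weaknesses described above (a partial last-name search that lists other people, record pages reachable by walking a sequential id “one up,” and record pages that Google was free to index and cache) next to a hardened version of the same endpoints, as an added example that is not SSNBreach.org’s or the Liberty Coalition’s code. The records, file names, the `/ixr/` path and the keyed-token scheme are constructed assumptions.

```python
"""Added example: weak vs. hardened design for a breach-lookup site.

Not SSNBreach.org's code. Records, file names and paths are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample exposure records. "source_file" mirrors the spreadsheet
# name the post saw at the bottom of each record; the post shows that name
# being fed to Google to find the other people in the same database.
RECORDS = [
    {"id": 1, "first": "Alice", "mi": "B", "last": "Example",
     "source_file": "db_one.xls",
     "exposed": {"name": True, "address": True, "ssn": False}},
    {"id": 2, "first": "Carlos", "mi": "D", "last": "Example",
     "source_file": "db_one.xls",
     "exposed": {"name": True, "address": False, "ssn": True}},
    {"id": 3, "first": "Dana", "mi": "E", "last": "Sample",
     "source_file": "db_two.xls",
     "exposed": {"name": True, "address": True, "ssn": True}},
]

# ---- weak design, as the post describes it ---------------------------------

def weak_search(first: str, last: str) -> list[dict]:
    """Substring match; an empty first name plus any last-name fragment
    enumerates everyone whose last name contains that fragment."""
    return [r for r in RECORDS
            if last.lower() in r["last"].lower()
            and first.lower() in r["first"].lower()]

def weak_record_page(record_id: int) -> dict | None:
    """Sequential ids can be walked "one up"; no header tells crawlers to
    stay out, and the whole record (middle initial, source file) is served."""
    for r in RECORDS:
        if r["id"] == record_id:
            return {"status": 200, "headers": {}, "body": dict(r)}
    return None

# ---- hardened design ----------------------------------------------------------

# Per-deployment secret; rotating it invalidates every outstanding link.
TOKEN_KEY = secrets.token_bytes(32)

def token_for(record_id: int) -> str:
    """Unguessable, non-sequential handle: keyed MAC over the internal id,
    so knowing one handle says nothing about the next one."""
    mac = hmac.new(TOKEN_KEY, str(record_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]

# Sent with every record page: keeps Google from indexing or caching it.
NOINDEX_HEADERS = {
    "X-Robots-Tag": "noindex, noarchive, nofollow",
    "Cache-Control": "no-store",
}

def robots_txt() -> str:
    """Crawlers are told not to fetch record pages at all."""
    return "User-agent: *\nDisallow: /ixr/\n"

def hardened_search(first: str, last: str) -> int:
    """Both names required, exact match only, and the answer is a count:
    nothing is listed that could reveal another person's name. The record
    link itself would be sent out of band to an address the person verifies
    (assumption of this example), never shown in search results."""
    first, last = first.strip(), last.strip()
    if len(first) < 2 or len(last) < 2:
        return 0
    return sum(1 for r in RECORDS
               if r["first"].lower() == first.lower()
               and r["last"].lower() == last.lower())

def hardened_record_page(token: str) -> dict:
    """Look up by opaque token; serve only the exposure flags, not the
    middle initial or the source spreadsheet name."""
    for r in RECORDS:
        if hmac.compare_digest(token_for(r["id"]), token):
            body = {"first": r["first"], "last": r["last"],
                    "exposed": dict(r["exposed"])}
            return {"status": 200, "headers": dict(NOINDEX_HEADERS), "body": body}
    return {"status": 404, "headers": dict(NOINDEX_HEADERS), "body": None}
```

Pages already crawled still need a cache-removal request to the search engine; the headers only stop new copies from being made.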

Student and faculty names are redacted from the edited copy of my letter to him, below, to protect the privacy of the students and employees.

Dear Michael,

[…]

Today, I revisited SSNbreach.org and noted that you have made some changes, e.g. one cannot simply input a single last letter and get a list of results. However, there are still serious problems. You may wish to go to the site and follow the directions below to see what I am describing:

1. Type in the name “<redacted>” in the form. You will see 5 names returned. Open all of those five links in separate windows and look at the output. From what you provide, I can tell that, for starters:

(a) <redacted2> was a student at a Louisiana public high school and took the EPAS between 2001 and 2003.
(b) <redacted3> was a student at a Louisiana public high school and took the EPAS between 2001 and 2003.
(c) <redacted4> was a student at a Louisiana public high school and took the EPAS between 2001 and 2003.

So I have their names, approximate ages, and the fact that they attended a Louisiana public high school and took EPAS within a 2-year window. Given only what’s on your site, I then went to Google and found that <redacted2> was a football player (position wide receiver), he’s 5’8″ about 180 pounds, and is in Baton Rouge, LA. He was class of 2005 at Glen Oaks and has a relative named <redacted>. That took me less than 5 minutes.

[…]

But go back to <redacted3’s> output. Scroll down and you’ll see “redacted.xls” at the bottom of the page. Plug that into Google search, and click on “repeat the search with the omitted results included” at the bottom of the results page. You’ll see the names of 4 other students in that database:

<first name, middle initial, last name – redacted>
<first name, middle initial, last name – redacted>
<first name, middle initial, last name – redacted>
<first name, middle initial, last name – redacted>

with links to their output on SSNbreach.org

You are exposing personal information about students in Google because you didn’t secure your own files from being indexed by Google — the very same thing you blamed LBR for, only it’s easier to find your files than LBR’s. Can you say “hypocrisy?”

[…]

I typed in some random numbers for the ID part of the URL and learned that:

“<redacted first, MI, last name>” was an employee between 2000 and 2001 and from the file name at the bottom of her output page, it’s not difficult to figure out that she was in a database for the Louisiana Community and Technical College System. That’s three pieces [there were more than 4, actually] of personal information about her you just gave to me, a total stranger. Same thing with <redacted first, MI, last>, an employee in 2000 or 2001 who was employed by Louisiana Tech. And <redacted> was enrolled in an electronics course in Louisiana in the Fall of 2003.

[…]

I will not blog about the security problems on your site immediately, in order to give you a chance to put in an emergency request to Google to get rid of the cache on redacted.xls. I don’t know if any of the other databases are also similarly exposed, but I’d suggest you check them all.

Note that I am giving you the opportunity to stop the bleeding before I go public — unlike what you did to LBR by going to the media first.

[…]

/Dissent

Michael responded the next morning that he was swamped with post-Congress reports and he’d try to get back to me the following day. I responded to him promptly that the problem was growing with Google indexing more students’ names and links to records and that he needed to deal with that that day.

That night, Michael wrote to me to look at the site. I did, but it didn’t tell me whether they had done some very specific things I had asked them to inform me about. All I saw was a note that the site was down for maintenance.

As even more students’ names were being indexed in Google, I wrote him again on Thursday, in part:

[…]

Third: Some of these students in your database are not indexed or locatable via a Google search except for links to your site. Google “<redacted1>” and you will see only one result — a link to your site. Google “<redacted2>” and you will see only one exact result — a link to your site. Maybe LBR potentially exposed their records, but that’s “potentially” and I do not personally know whether any of those files were ever accessed by anyone other than Aaron Titus. So LBR potentially exposed a lot of information, but you actually did access the information and now you expose information and got it indexed by Google. Your “cure” may have done much more harm than their “disease.”

Given that you have exposed full name plus at least two pieces of personal information, do you intend to personally contact all of the students whose names you have exposed in Google to inform them of your breach? If not, how do you intend to notify them? If it were any other site, I suspect that Aaron would probably argue that all 200,000 people should be notified that their records weren’t properly secured and could be accessed easily by others. Particularly when you consider that those were confidential student records that you accessed and downloaded without express authorization and use without permission despite what appears to be a polite “cease and desist” from LBR.

[…]

That evening, Michael responded that he would respond to my emails “shortly.” I emailed him again Friday morning to alert him that new names were still showing up in Google and that they clearly had not secured the files properly.

Friday afternoon, he emailed me to tell me that they would respond on Saturday and what they had done so far.

By Monday morning (this morning), there were now 20 students’ names showing up in Google with links to SSNB’s records on them; 13 out of the 20 students would have absolutely no results or records in Google if SSNBreach.org hadn’t decided it could make information about them publicly available without their consent or knowledge. Figure 3 is a redacted version of what shows up if you Google for one of these students’ names. The first redacted portion is the student’s full name, complete with middle initial. Clicking on the “Cached” link in the Google entries still displays cached IXR records, identifying them as a victim of the LBR breach, etc.

The Liberty Coalition Responds

Late on August 11, I received an email from Michael Ostrolenk, responding to my concerns.

I have responded to some of his other points already, but am not responding to all of his points in this post, because some of what he claims in terms of definitions and the like is a matter of law, and there are jurisdictional differences, e.g., he may wish to define “sensitive personal information” or “personally identifiable information” as a “complete set….” but the reality is that different jurisdictions define these terms differently. Michael asserts (as does the web site):

SSNBreach.org does not contain Sensitive Personal Information or Personally Identifying Information. Period.

Not by his definition, perhaps. But he is not the final authority on that. And his definition of “sensitive personal information” includes “…. with which a malicious individual could negatively affect another’s financial standing, commit a crime in another’s name, affect another’s medical history, or otherwise impersonate another without their consent.” I can do that with much less than a “complete” set of information. So can others. So is Liberty Coalition saying that it is permissible for them to publish personal information on individuals that could lead to harm as long as they are not publishing a “complete set?”

It seems that because he and his friends cannot figure out how to misuse information, they are less inclined to recognize the problem with all of the information they are revealing. To quote part of his email here:

Merely knowing a person’s name and state does not put a person at risk. To demonstrate this point, I had three colleagues independently pick a first name, last name, and state at random. They came up with “Linda Gaines” of Arkansas. Without additional information, it is impossible for me to contact, positively identify Linda, or even know whether Linda exists. It was only after I did a Google search that I was able to determine that Linda is a real person, or find out any information about her. Had Linda removed herself from phone books and website, I would not have been able to find out anything else about her.

Perhaps, but the example does not provide as much information as SSNB actually provides about each person. To conduct a real test, Ostrolenk should have given his colleagues a first name, middle initial, last name, and a two-year window during which the person worked at a named college with a particular job description. To use Ostrolenk’s hypothetical person, edited to reflect the type of information SSNB actually exposes, his colleagues should have been looking for “Linda A. Gaines” who was employed by the Arkansas School of Privacy Violations in 2001 as a faculty member. Let’s assume that there is no such person found in Google, to make it more challenging. If they wanted to harm her or misuse the information, the SSNB information would still be enough information to get them started. They could check with the Arkansas School of Privacy Violations to see if she was still employed there, and then if she was, they could take it from there, particularly if they’re skilled at social engineering. Or if they just want to harm her reputation, they could start emailing her employer, accusing her of pedophilia. They could create a MySpace profile about her in her name, soliciting kinky sex. And all because SSNB let people know where she was employed and when.

And oh look — there’s my long-lost son listed in your database, Michael! His mother had run away with him because I was beating the crap out of both of them and I didn’t know where they had gone. Thank you SO MUCH, Liberty Coalition, for giving me clues as to where to start looking for them and for making that information readily available via a Google search on his name!

Even if Ostrolenk and Titus and their colleagues can’t figure out how to misuse the information in their records, it doesn’t mean that others can’t.

And even if you couldn’t do any serious harm to someone, it doesn’t mean that they have any right to publish personal information on people who have a right to privacy of their information.

Hotel SSNB: You Can Check Out Any Time You Like, But We Decide If You Can Leave

In his response, Ostrolenk also writes:

Since Information Exposure Reports do not contain sensitive information, and since the person may choose to remove his record at any time, Exposure Reports are accessible through search engines, our own search, or other methods such as you described.

That helps explain why they have not really dealt with the Google exposure of student records. They think it’s just fine, apparently.

But consider his statement that the person can choose to remove his record at any time (if they become aware of it, of course). The site says:

In order to remove your IXR, follow these steps:

  • Click this link to turn on the IXR Removal Tool. You only have to do this once each time you visit the website.
  • Once you’ve turned on the IXR Removal Tool, search for your name.
  • Once you’ve found your IXR, scroll to the bottom of the page, and click the link that says “Remove my record.”
  • Follow the directions on the screen and in the confirmation e-mail.
  • We save the details of all removal requests to prevent abuse of the website. In rare circumstances, we may choose to deny a removal request.

I know that some people appreciate what Titus and Liberty Coalition did. Jim Malmberg gave his “take.” And I can certainly understand why others who don’t know the whole story might think that SSNB is a great idea. Because Titus didn’t notify LBR immediately but worked to set up the site, LBR was unable to contact those affected until after SSNB went “live,” and so it became the first source of information to people. Then, too, why wouldn’t people be appreciative when the site hasn’t told them the whole truth:

  • SSNB doesn’t tell them that Titus knowingly left their data exposed to cybercriminals for what may have been weeks, instead of going to LBR to alert them.
  • SSNB doesn’t tell them that LBR has set up totally free (not “discounted”) services for them to access. If you look at the bottom of a page of output, you see this:

    You may still be eligible for discounts on identity theft protection services. Consider protective services only if your individual circumstances warrant:

    LifeLock.com
    The Liberty Coalition has negotiated a 20% discount, and first 30 days free for LifeLock’s ID theft prevention service: $1 million Guarantee.

    TrustedID.com
    The Liberty Coalition has negotiated an 18% discount off TrustedID’s Identity Theft Prevention & Credit Freeze service. Code: SSNBREACH

Ostrolenk did not reply to my direct question as to whether the Liberty Coalition and/or SSNBreach.org are now receiving any money or support of any kind from either LifeLock.com or TrustedID.com. Why doesn’t SSNB prominently tell people that LBR set up free services for them with the Identity Theft Resource Center?

  • SSNB doesn’t tell them that LBR tried to protect them from exactly the type of breach that SSNB experienced with the Google indexing mess by asking SSNB to take the site down and that SSNB did not comply.
  • SSNB doesn’t tell them that SSNB is allowing Google to index their information and that if they had been making efforts to leave no footprint in Google, SSNB may have just blown it for them.

In his email to me, Ostrolenk wrote:

We welcome any reporting you can do to bring attention to this important resource for victims of identity breach, especially among security professionals who would be able to give additional feedback.

Important resource for victims of identity breach? I’d be more inclined to describe the site as a potential source of identity breach.

Maybe one of you “security professionals” out there can get through to these folks. God knows I’ve tried.

A Challenge to SSNBreach.org

Perhaps Titus and the Liberty Coalition would like to set up a little test to see whether the information on their site can be misused. I know a few people who would probably take the challenge, as long as we could ensure that they wouldn’t face criminal charges for participation in the test.

How about it, Michael? Are you prepared to take SSNBreach.org down if we provide you with proof of concept of misuse?

And in the meantime, how about you take this blog entry of mine and your email to any reputable privacy organization and ask them whether they think you are violating privacy. Your site links to the FTC ID Theft Resource program, the Privacy Rights Clearinghouse, and the ID Theft Resource Center. Ask them, and email me their responses. But do be sure to show them this blog entry and my emails and not just your claims of how your site operates or what it reveals. If they say that you’re being irresponsible or violating privacy, will you take the site down?

Show this blog entry to Titus’s law school professors and ask them whether they think your site violates privacy. And if they tell you that there’s nothing necessarily illegal about it, but it’s a violation of privacy or just plain sleazy, will you take the site down?

You don’t have to take my opinion on this, and you obviously haven’t. So take this post to organizations and individuals who have a name and credentials in privacy and ask them what they think.

And oh yes, I just got Aaron’s email asking me to direct all future email to him, as project manager. But since I have decided not to waste any more of my time “in pursuit of the futile,” I will not be emailing Aaron. He cut off communications about the site, and I am happy to keep it that way and make my concerns known publicly.

I do see that the site is now back up, with all of its inherent weaknesses. And that 20 students still have their personal information exposed and indexed in Google by SSNBreach.org. Maybe someone should notify them of this breach of their privacy.

9 Responses to “Oops! SSNBreach.org exposes students’ personal info in Google”

    1. Lamont Cranston says:

      The site is not down or offline as of 4:40pm EDT 13th August 2007.

      I am thoroughly disgusted by what’s going on at ssnbreach.org. It may be time to bring in the press because this sort of thing is really shady.

    2. Lyger says:

      fwiw, their SSL certificate was issued on 7/6/07 – so their intent to use the info was defined at least a good ten days before the story went public…

      http://attrition.org/dataloss/sslcert.jpg

    3. dissent says:

      Lovely.

      Maybe the next time I see a car accident, instead of stopping to assist the victims, I should run to the media with a story about how there’s been an accident, show them my photos of it and make sure they spell my name correctly, and then race to open up a clinic to help people recover from the accident — but never call 9/11 so that someone stops the bleeding?

    4. l3d.l3d@gmail.com says:

      You know you could make a name for yourself by you know, doing hard work over time, sticking by your morals even if it doesn’t directly benefit you at the time, and supporting the community……..

      or you could just develop a gimmick, try to make yourself some money and become another part of the problem that everyone else is trying to fix.

      Which one did SSNBreach creators Aaron Titus and Liberty Coalition pick?

      Thanks for making things worse. Good Job!

    5. Max Verdi says:

      Disclosure is a layered process that’s been developed by security professionals world-wide to properly route known security issues/breaches in a manner best suited to ASSIST in securing a website, not advance the participation by would-be exploiters. In order to properly disclose a security breach, whether it’s a minor issue or a major disaster, the person issuing the disclosure MUST notify the victim prior to releasing the information to the general public. This ensures that the victim has time to secure the breach prior to the information being released, keeping prying eyes away from the insecurities. There’s no excuse for a pseudo-security firm releasing information, targeting a victim, prior to the breach being pointed out to the owner.

      When an entity finds information, private, confidential or otherwise, “just laying around” a website, and their intent is to secure the information, rather than garner publicity through a press-release, their goal should be to secure the information, not make it freely available. If in the event an entity archives said information and then allows this information to be freely available through yet-another website, they’re doing nothing, ABSOLUTELY NOTHING to prevent this from occurring again. In fact, they’re simply propagating the exploit by providing it via another medium or address. This is a childish attempt of obtaining free publicity, bordering on the criminal.

      Max Verdi,
      Security Specialist

    6. John Doe! says:

      Well, this is my first time reading about this. I am a student that attended a Louisiana public high school between the time frame. I went to the ssnbreach site and searched for my name. Lo and behold, I came up. I am dismayed. I don’t know what to do, I assume I should contact the free service set up by the LBR. I did a free credit report, and they said it seems as if I set up a home loan?!?! and they said for security reasons, I need to identify the name of my lender to see my credit report. Needless to say, it didn’t come through because I have never taken a loan in my life. I am scared. What does this mean?

    7. dissent says:

      That sounds like a catch-22 — you can’t see your report because you can’t name someone you didn’t apply for a loan from??

      Yes, I would encourage you to contact the free counseling service the Louisiana Board of Regents made arrangements with (the Identity Theft Resource Center). Just tell them what you posted here, and they’ll advise you. They may advise you to put a freeze on your credit, for starters, and they can give you other advice as to what steps to take next as you’ll probably have a number of things to do to ensure your credit is protected and any mess straightened out.

      Best of luck.

    8. John Doe! says:

      I REALLY want to give it to you guys. I would have never learned about this AT ALL if it wasn’t for you guys criticizing this profiteer scumbag.

      I have followed up with the IDTR center, and they have excellent staff members. I am trying to email Aaron Titus, but I have no way to get his email. The board of regents are giving me the run around, they wouldn’t even send me a letter because I wasn’t in their database. But after looking on ssnbreach I spent like 30 minutes convincing them that my identity was out there, they finally called in the “computer guy” who scanned his database and found that my name was compromised! What a crapshoot. If I do get in trouble for this, I want to have a hard copy of a letter saying they leaked my info so I won’t be as liable.

      I hope Titus tells me all the information that I have on me out there, because his site says they don’t have my SSN and so does LBR. Never thought I would have to put up with this shit. I guess that’s what you get when you have a government bureaucracy running things.
      Your fucking identity stolen

      NOW, does anyone think that the LBR is possibly able to be held liable for their negligence? How about Titus?

      I’m thinking lawsuit time, esp. if I have to spend time and money in fixing my broke identity.

    9. dissent says:

      I have an understanding with lawyers — I don’t practice law without a license if they don’t practice psychology without a license.

      Although I can understand why you’re angry, don’t get the cart too far ahead of the horse. For all you know right now, any “shady” activity might be due to someone at a local store stealing your cc data and using it to set up other accounts in your name. You haven’t even seen the details of this “home loan” to get a sense of what’s going on with it, when it was taken out, etc. etc. IOW, whatever may have happened may have nothing to do with LBR’s breach.

      First get your credit and credit record straightened out if they’re erroneous or affected. Everything else is actually secondary, however infuriating or frustrating. Hopefully the staff at ITRC is helping you through the process step by step.
