sale or publication
This page highlights recent examples of large scale exposure
of sensitive consumer information through sale of that
data, its unintentional publication or abandonment.
It covers -
In 2005 major reference agency ChoicePoint
sold the personal financial information of 145,000 people
to criminals purporting to be legitimate businesses, a
large-scale form of pretexting.
The incident has attracted particular attention because
ChoicePoint initially sent notice of breach only to Californians.
Following criticism after announcement of its security
failure it spent US$11.4 million during the following
six months on credit reports and credit monitoring for
A damning report by the US Federal Trade Commission noted
that ChoicePoint ignored 'red flags', failed to match
statements with action and continued to furnish consumer
reports to clients "even after receiving subpoenas
from law enforcement authorities between 2001 and 2005
alerting it to fraudulent accounts".
In 2005 US police charged Orazio Lembo and bank employees
working for Wachovia, Bank of America, Commerce Bancorp
and PNC Bank with selling customer information to over
40 debt collection agencies, law firms and others. The
data included names, account numbers and balances regarding
over 500,000 consumers.
Lembo's gang reportedly operated for over four years,
with Lembo pocketing several million dollars. He was also
charged with narcotics, forgery and theft counts.
New York attorney general Eliot Spitzer sued Washington-based
Gratis Internet for selling email addresses, despite that
organisation's promise of confidentiality to consumers,
in what is claimed as "the biggest deliberate breach
of Internet privacy".
Consumers thought that they were simply registering to
see a site. Contrary to a Gratis statement that it "does
not ... sell/rent e-mails" it allegedly sold 7 million
addresses to three independent marketers, resulting in
hundreds of millions of spam
In 2005 the London Sun illustrated concerns about
offshoring call centres by buying information about 1,000
UK customers from a Delhi call
centre worker for £4.25 each. The information
included bank account details, passwords, addresses, phone
numbers and passport details. The worker reportedly indicated
that he could provide information on up to 200,000 accounts
each month. India's IT & communications minister commented
that the government had nothing to do with the "freak
In 2006 Nadeem Kashmiri of HSBC's Bangalore call centre
was arrested after over £230,000 was stolen from
the accounts of British customers, with claims that he
sold confidential information to a criminal gang.
During the same year Australian current affairs program
Four Corners revealed
sale by an Indian call centre of personal information
about Australians, including birth certificate details,
ATM numbers, passport and driver licence details, phone
numbers, address (including time at that address), marital
status, number of dependants, occupation, job title and
employer's business name.
In 2007 UK insurer Norwich Union was fined £1.26
million by the Financial Services Authority after security
failures at its call centres allowed fraudsters access
to policyholder details. Criminals were able to obtain
details of customer policies by supplying basic information
such as the account holder's surname, first and middle
name, first line of address, date of birth and postcode.
Over 632 policies were targeted by the fraudsters, resulting
in 74 fraudulent surrenders (including nine held by Aviva
directors) worth £3.3 million. The FSA criticised
Norwich Union (PDF)
for responding to fraud against its directors ahead
of its 6.8 million policyholders.
South Korean ISPs
During 2006 personal information regarding some 8.37 million
high-speed internet subscribers in South Korea was sold
by staff of four leading ISPs: KT, Hanaro Telecom, Onse
Telecom and Thrunet. Former and current staff of the ISPs
appear to have sold customer names, identification numbers,
telephone numbers and addresses to marketers for around
US$0.01 per head.
Critics alleged that management of the ISPs was negligent
(if not complicit in the sales) and as highlighted in
the final page of this note initiated class action for
In 2006 Japanese telecommunications group KDDI confirmed
that information about 3.9 million of its DION internet
customers, as of 2003, had been provided to a third party.
The data included names, gender, addresses, birth dates
and telephone numbers, although apparently not bank details
and passwords. Akio Minomura and Akihiko Torii are suspected
of having sought to extort some ¥10 million from KDDI
in exchange for the information.
IPCC, USCB, USN and Air Miles
In 2006 personal details of 20,000 people who made complaints
about the Hong Kong police appeared on the net. Publication
of the data, originally provided to the HK Independent
Police Complaints Council (IPCC), was apparently accidental.
The IPCC database contained full details of complaints
made from 1996 to 2004, including the dates of each complaint,
full name of the complainant, their address, the nature
of alleged offences, information on allegedly corrupt
police and the outcome of complaints. Corporate monitor
webb-site.com has speculated that the publication may
have occurred when an IPCC contractor mistakenly copied
the files onto a commercial server in the course of maintenance
The US Census Bureau reported in 2007 that it had inadvertently
posted personal information from 302 households on a public
site multiple times over a five-month period. The information
included names, addresses, phone numbers, birth dates
and family income ranges.
Also in 2006 the US Navy reported that five spreadsheets
with sensitive information on some 28,000 personnel and
their families were posted on a civilian web site. The
spreadsheets included names, Social Security numbers and
The Navy announced that it had "moved quickly to
have the spreadsheets taken down" and of course had
"no evidence that any of the compromised information
has been used fraudulently".
A month later the Naval Safety Center reported that it
had discovered personal information on over 100,000 Navy
and Marine Corps aviators was publicly accessible on its
site. The data included Social Security numbers. The same
data was featured on 1,083 web-enabled 'safety program
disks' mailed to all USN and Marine Corps commands; the
Center said it was "working to recall the disks".
The Privacy Commissioner of Canada reported
in 1999 that Canadian business Air Miles left 50,000 records
of people in its loyalty
program (the dot-ca version of Australia's Frequent Flyer
scheme) on its site "for several months and possibly
for as long as a year". The information included
the individual's Air Miles card number, name, home phone
numbers, email addresses, business name and phone number.
In 2007 journalists disclosed that they were able to access
the social insurance numbers, birthdates and driver's
licence numbers of people applying for new passports on
the Passport Canada website and that customer account
details were also incorrectly accessible on Canada Post's
business shipping website.
In 2006 Automatic Data Processing (ADP), one of the world's
largest payroll service companies, confirmed that it had
provided a scammer with personal information of investors
who had purchased stock through brokerages that use ADP's
investor communications services. Fidelity Investments
indicated that the breach compromised 125,000 of 72 million
active accounts; Morgan Stanley said 3,800 of its clients
were affected; UBS said 10,000 of its clients were affected.
The data included investors' names, mailing addresses
and the number of shares they held in certain companies.
It apparently did not include Social Security numbers
or brokerage account numbers.
We have been advised that the information disclosed
was not sufficient by itself to permit unauthorized
access to your account, and we have no evidence that
the information on the lists has been improperly used.
However, we recommend that you be alert to any unusual
or unexpected contact or correspondence
In 2007 the NSW government suggested that health insurer
HCF had provided medical histories, without the consent
of customers, to a company trying to sell services to
The insurer reportedly provided McKesson Asia Pacific
with details of patients' gender, age, mental health and
recent hospital admissions, presumably of interest in
McKesson's marketing of telephone-based health care services.
HCF rejected the claim that it was in breach of privacy
In 2007 the Texas Attorney General announced that the
state was suing retailer RadioShack over dumping thousands
of customer records in garbage bins at Corpus Christi.
The records contained Social Security numbers, credit
and debit card information, names, addresses and telephone
The suit alleges that RadioShack violated the state's
2005 Identity Theft Enforcement & Protection Act
(which requires businesses to protect and properly destroy
any consumer records that contain sensitive information)
and Chapter 35 of the Texas Business & Commerce Code
(which requires businesses to develop retention and disposal
procedures for customer personal information and features
fines of up to US$500 for each record).
BioFilm, manufacturer of personal lubricants such as AstroGlide,
exposed 263,822 customer data files dating from 2003 to
2007. Those files, which contained names, residential/postal
addresses and phone numbers, were provided to BioFilm
in response to an offer of a free product.
The information was not encrypted. It was found by Google
and other search engines; Google for example indexed the
pages and made local cache copies, so that a search on
an individual's name now reveals that person's address
and the product they requested.
including the claim that
take reasonable steps to protect your personally identifiable
information [PII] as you transmit your information from
your computer to our site and to protect such information
from loss, misuse, unauthorized access, disclosure,
alteration, or destruction. ... Other than as disclosed
marketing material or share your PII with outside parties
unless such use or disclosure is clearly identified
at the time you provide your PII or we provide you the
opportunity to consent or prohibit such use or disclosure.
CareerOne and the BNP
In 2007 the Australian CareerOne online job site accidentally
enabled public access to confidential client information,
with visitors being able to sight and files on CareerOne's
customer relationship management database.
The files included spreadsheets with information dating
back to 2000. One featured a list of 485 clients, with
names, email addresses and CareerOne login details. Another
contained a list of 5,188 potential clients, with names,
addresses and telephone numbers. Exposure attracted attention
because the information included acid comments by CareerOne
account executives about clients, for example description
as a "retard" and as a "lazy good for nothing".
In 2008 the membership list of the far-right British National
Party (BNP) was published on the net, allegedly by a disaffected
The list featured the names, addresses, home and mobile
phone numbers of over 13,500 current and former members.
It also included personal details such as the occupations
and hobbies of the members, including teachers, scientists
and police personnel.
In July 2007 Certegy Check Services, a subsidiary of major
US payment processor Fidelity National Information Services,
revealed that an employee improperly sold 2.3 million
consumer records to an unidentified data
broker. The broker then sold the information to several
direct marketing companies, so that "as a result
of this apparent theft, the consumers affected received
marketing solicitations from the companies that bought
2.2 million of the records contained bank account information;
99,000 featured credit card information. Certegy indicated
that it has requested a court to "get back"
all the information from the employee (described as a
senior level database administrator who was a "rogue
and dishonest employee") and from the marketers.
It will seek civil penalties against the former worker
and wants criminal charges filed against him.