
Cyber-incident at Dept. of Energy

Discussion in 'Bits & Bytes' started by SixofNine, Nov 3, 2013.

  1. SixofNine

    SixofNine Jedi Sage Staff Member

    As an independent consultant I had a cup of coffee on a Dept of Energy (DOE) project about 18 years ago, long enough to get a contractor ID. Lo and behold, I just received a letter from the DOE that a "cyber incident" at the end of July compromised my name, SSN, and date of birth. Is that all? What can anybody do with that? (/sarcasm)

    In any case DOE is footing the bill for a free year of credit monitoring. I'm also going to put a fraud alert on my credit file. No untoward activity so far.
     
  2. Andy

    Andy ΜΟΛΩΝ ΛΑΒΕ

    Got one of those every year I was a CTR for the Army.

    Made me feel all warm and fuzzy about how secure stuff was. :sarcasm-50:
     
  3. cmhbob

    cmhbob Did...did I do that? Staff Member

    On the brighter side, at least they found you and notified you. Wow.
     
  4. Allene

    Allene Registered User

    Wow! Would you believe it, I got a year of the same when someone hacked the University of Utah Medical Center's system some years ago.
     
  5. Greg

    Greg Full Member

    Well the next stop would be a genealogy site to look up your family tree and find out your mother's maiden name. With name, SSN, DOB and MMN an identity thief could wreak all kinds of havoc.

    But wait, it gets even better! You can't change any of those identifiers, so you are compromised forever.

    Our system is so screwed. With more and more companies, organizations and governmental entities getting our identifiers or access to our identifiers, each of them is subject to compromise. That results in everybody having multiple security weaknesses, and the more you give your info to the more potential breaches you have.

    I doubt if hardly anybody doesn't already have several or dozens of potential attacks just waiting to happen.

    I sure wish I could kill all those genealogy sites. That's where the identity thief gets the last necessary identifier, your MMN.

    Also, it's possible to predict SSN usually to within all but the last 4 digits if they know your date and place of birth. Some of the sites that have our info seemingly give us the impression that they have only last 4 SSN, and even if they do it's possible for an identity thief to reconstruct the rest, or at least several good guesses on the first 5.

    Credit card companies lose money all the time to identity thieves (lots of money) and they're required to cover any losses over (I forget) $50 or $100, and most card issuers voluntarily cover all fraud as long as you notify them of the fraud within a reasonable time. Which means they eat ALL that loss. With the incentive they have to protect you and the amount of losses they eat, it's clear that the name-DOB-SSN-MMN system has failed. We need a new system.

    And Obamacare... Almost everybody except Obama and Sebelius thinks that the Obamacare site has security weaknesses.

    BTW, Obama's real SSN has leaked multiple times. Of course he probably pays several identity guard services to ensure against identity theft.

    Goddamn genealogy sites.......
     
  6. Allene

    Allene Registered User

    Hey, Greg, lay off the genealogy sites, :). Responsible genealogists don't put living people's information out there. I don't even have my own trees on the Internet. They're not the people responsible for fraud. That's like blaming the gun for the crime instead of the culprit who used the gun.
     
  7. Greg

    Greg Full Member

    Well I can find sites that have my name and my mother's maiden name. Isn't that part of genealogy, finding currently living relatives you've lost contact with?

    I'd be satisfied if they just leave my own MMN off the Internet. But they don't/didn't.
     
  8. Allene

    Allene Registered User

    Greg, you have a right to ask the owner of the site to remove or privatize your personal information. If your mother is still living, she shouldn't be there either. These people are irresponsible!

    I don't use genealogy to find currently living people I have lost contact with. There are better, more direct ways of doing that. I am mostly focused on more distant Y-chromosome DNA testing of male lines to fill in gaps in the 1700s. I also have taken an autosomal DNA test. That resulted in over 300 living cousins, but they aren't people I've lost touch with. I never even heard of them before--most are 3rd cousins or more distant, like 5th and 6th cousins. They are helping fill the information gap between the Clearances and the time record-keeping started over here, and they are real relatives, whose ancestors are buried in the innards of my tree. The public doesn't see the results of the test or the names of the matches, and I have no intention of putting them on display in a public tree.
     
  9. Greg

    Greg Full Member

    I would have complained to the site but I realized that it would be a life long task to keep swatting down genealogy sites with my MMN on them.

    Do you really think a genealogy site would remove you if you asked them?
     
  10. Allene

    Allene Registered User

    The person who posts the tree is usually an individual, even at huge sites like Ancestry.com. I was working with someone who has a tree on there last week. He's in Boston, and he had his wires crossed re a couple of families with exactly the same names back in Cape Breton in the 1800s. He fixed them right away and thanked me for it. Some of the Ancestry trees are so bad that I wouldn't know where to start on them--like the one with my g-g-g-grandfather in there with the wrong parents assigned to him. He was older than his parents, LOL!

     
  11. Greg

    Greg Full Member

    Maybe I can post misinformation about myself. I have no idea who in my family would post that stuff. (And I have a very small number of living relatives left.)

    Problem is, though, how many sites are there? And some of them charge to use them, right? If I were to try to protect my MMN it would be like playing Whack-a-Mole.
     
  12. Andy

    Andy ΜΟΛΩΝ ΛΑΒΕ

    Ancestry.com gets their data from 2 specific sources.

    1. User input
    2. Publicly available government data such as birth/death certs, census, military records, immigration records, social security records, etc.

    Good luck with whackamole with those.
     
  13. Allene

    Allene Registered User

    Yes, I have a subscription to Ancestry.com. The birth and death registration records aren't for living people. They have to be dead a number of years before those are made available. The most recent U.S. census available is the one for 1940. In Canada, they released the 1921 census this year.

    Genealogy is the second most popular hobby after gardening in this country.
     
  14. Greg

    Greg Full Member

    Well I googled my family name and couldn't find my MMN out to 15 pages. But I did find my sister's address and phone number, and how much she makes salary ($52K/year -- she teaches at an elementary school), and how much she paid for her house ($299K in 2006 in Las Vegas) and a nice sample of her signature, very useful for any identity thief who wants to forge it. (I have enough exemplars on family documents.) Oh and she filed a lawsuit over a traffic accident in 1995, cost her $126 in filing charges and the case was dismissed, with prejudice. (Didn't say how much her lawyer took.) Heh, I never knew any of that stuff. We are not close.

    I found my old address and old (unlisted) phone number. So far they haven't caught up to me in my new location. I found my corporation but it's dissolved and shows my old address (and always will--it's a dead corporation now).

    That reminds me, when I moved I got a new--unlisted--phone number but somebody blabbed it all over and I got plenty of phone calls wanting to sell me stuff that new home owners might want. I registered at donotcall.gov but I still get them. (I report each one of them. We have a zero tolerance policy here. You're commersh, you call me, you get reported on the gummint site.)

    Back on topic, we have lost our control over privacy. Anybody can find anything they want about us on the Internet, and if they're willing to pay a bit ($10-$25) they can get a full report. I don't know what's in the full report since it's not worth paying for.
     
  15. Greg

    Greg Full Member

    Well I had a look at google page #16 and found a genealogy site that has my name and MMN posted, but they got my MMN wrong (it shows my last name). But my sister's listing is on the same page a couple lines away with the correct MMN.

    I used the site's contact form to ask them to remove my listing. If it works I'll impersonate my sister and ask her listing to be removed too. I have the domain [my last name].com (substitute real last name for the parts in brackets) and I can stamp out as many email addresses as I like in any of my domains (5 of them).

    I'll be surprised if they remove the listing. They'll probably either ignore the complaint or tell me that somebody else posted it and they can't do anything. It has my correct DOB and birth place so they can predict my first 5 SSN and probably take a few good guesses to get that part right. If they can find my last 4 anywhere (like at a hacked commercial or medical site) then I am pWned.
     
  16. Greg

    Greg Full Member

    Well color me surprised!!! I got an email about 24 hours after I posted my complaint, and they removed the document with my MMN. I checked and it's gone!

    I wish there were more good 'Netizens like this site!
     
  17. Allene

    Allene Registered User

    Glad they took it off. It is one of the unwritten rules for genealogists. Actually, I saw a written list of rules last week from an organization that certifies genealogists (the ones who charge for their help), and that rule was on it.
     
  18. Greg

    Greg Full Member

    I found another site with same, sent them an email too. This just sucks, having sites that post your full name (including middle), birth date, place of birth and mother's maiden name. Why don't they just post your SSN and make it identity theft one stop shopping?
     
