Someone hacked the list of attendees for the recent Cisco Live 2010 users' conference, a security breach that led Cisco to notify the customers as well as a broader group who have dealings with the company.
Cisco says it won't release details about where the data was stored or how it was breached but sometime last Thursday afternoon a vendor told Cisco that someone had made "an unexpected attempt to access attendee information through ciscolive2010.com," the event Web site.
That lead to the general notification that Cisco sent to attendees and others who had been invited but did not attend. According to Cisco, details about less than 20% of those on the list were compromised.
Cisco says the breach was closed quickly, "but not before some conference listings were accessed." The compromised information consisted of Cisco Live badge numbers, names, titles, company addresses and e-mail addresses. "No other information was available or accessed," according to the warning Cisco Live's event team sent via e-mail Thursday.
The same information is accessible to Cisco's World of Solutions partners, vendors that exhibit their technology collaborations with Cisco at public events.
Apparently the unexpected access attempt might have been made by someone who was actually authorized to access it, but Cisco isn't sure. "As we cannot yet confirm the information was accessed by an authorized Cisco Live partner, we encourage you to consider the appropriate precautions to protect against any unwanted email," the warning reads.
Others besides those who attended the conference also received the notification e-mail from the Cisco Live 2010 staff, including Network World blogger Larry Chaffin, who raises questions about implications of the breach.
Cisco says it has taken measures to lock down the data and has no more to say about it. "Due to security and privacy considerations, we do not plan to release additional details," a Cisco spokeswoman wrote in response to e-mailed questions about the data breach.
In general, if certain categories of data are compromised, businesses responsible for the integrity of the data must by law notify the people whose data was exposed. Cisco says this was not the case here. "No, we were not required to do so but felt it was our responsibility to inform impacted attendees as quickly as possible," the spokeswoman wrote in response to an e-mailed question.
This is the text of the notice Cisco sent to the Cisco Live 2010 attendee list and those who were invited but did not attend:
"We hope you have returned home safely and are back into your normal routine after a busy week at Cisco Live 2010.
"We are contacting you because on the final afternoon of Cisco Live, one of our vendors identified an unexpected attempt to access attendee information through ciscolive2010.com. The ability to access this information was quickly removed, but not before some conference listings were accessed.
"Cisco Live takes the security of attendee information very seriously and immediately elevated this matter to our chief security officer. His team completed a thorough review and as a result we believe your registration information -- specifically your Cisco Live badge number, name, title, company address and email address -- was accessed. No other information was available or accessed.
"Although these details are commonly accessed by our World of Solutions partners and often freely provided by Cisco Live attendees, we felt it was our responsibility to inform you as quickly as possible. As we cannot yet confirm the information was accessed by an authorized Cisco Live partner, we encourage you to consider the appropriate precautions to protect against any unwanted email. Please accept our apologies for any inconvenience that may result and feel free to contact us directly at firstname.lastname@example.org if you have any additional questions or information.
"We hope you enjoyed your Cisco Live experience and we look forward to welcoming you to Las Vegas in 2011.
"Cisco Live 2010 Team"