Technorati Tag: Security Breach
Date Reported:
6/23/08
Organization:
State of California
Contractor/Consultant/Branch:
Department of Consumer Affairs
Victims:
"employees, contractors and board members"
Number Affected:
5,000
Types of Data:
Names, Social Security numbers, salaries and job titles
Breach Description:
"The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers. "
Reference URL:
Capitol Weekly
Central Valley Business Times
Props to PogoWasRight
Report Credit:
Malcolm Maclachlan, Capitol Weekly
Response:
From the online sources cited above:
The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.
About 2,800 of the people on the list are current, full-time employees of the DCA.
The document also included some former employees and numerous contractors, such as people who proctor state job examinations.
The rest of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board.
The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich.
The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.
"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.
[Evan] Troubling to you? It's probably hard for the victims to have much sympathy.
The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone's name.
However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver's license numbers.
[Evan] Addresses and phone numbers are usually pretty easy to obtain and I would think are much easier to get than Social Security numbers. Unless of course, somebody emails them to you.
The DCA is the main state agency charged with protecting consumers in California.
[Evan] Ironic.
From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.
[Evan] More Ironic
One agency whose employees were not on the list is the California Office of Privacy Protection (OPP).
Heimerich said the incident is still being investigated, and that he could not disclose who had received the document.
He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.
"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich said. "We're looking into how that happened."
"We kind of know where it was sent," Mr. Heimerich says.
[Evan] Sounds obvious, but did anyone check "Sent Items"? Yeah, probably. Seriously though, does the California DCA not log email sends and receives? It's hard to believe that the sender does not recall to whom they sent the email and there is no evidence of where it was sent.
The breach was discovered on Monday, June 9.
[Evan] It took 3 or 4 days for the DCA to discover the breach.
People whose names were on the list were sent an email the next day and an official letter a week later.
[Evan] Excellent quick notification. The earlier that a breach is detected and communicated to the data owner, the better.
Heimerich said the DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list.
[Evan] One year of protection does not adequately protect information that has a lifespan that far exceeds that one year. Most bad guys (or gals) know that the "standard" organization response to a breach includes one year of free credit monitoring/protection, so many of them wait a year to use the information. It is also important to point out that just because a person monitors their credit, does not mean that their identity isn't being used elsewhere. It's a scary thought, but it's a broken system.
He said the DCA had not yet determined how much these protections were going to cost.
[Evan] You can estimate the cost yourself.
Commentary:
I like how Microsoft Outlook helps me when I am typing an email address in the "To:" field of my email. It saves me some keystrokes and a few precious seconds. Sometimes I am in such a hurry that I don't even notice that Outlook put in the wrong email address. I type my email, click send and away I go onto another task. A couple of days later, I get a call from a customer asking where their information is. I state that I sent it to them a couple of days ago, but they claim to have never gotten my email. I look through my sent items, and HOLY #*@^! I just sent some confidential (sensitive and potentially damaging) information to a competitor instead of my customer.
Sound conceivable? Have you ever sent an embarrassing email to the wrong person? It is very easy to do if you're not paying attention.
There are a number of controls we information security guys can put in place to reduce the risk of this happening. One of the best is information security training and awareness (kind of an administrative control).
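An added example (not from the post or the DCA) of one technical control that complements the training just mentioned: an outbound-mail check of the kind a gateway DLP rule or mail-client add-in applies before a message leaves the organization, flagging SSN-like data addressed to external recipients. The internal domain and the sample roster are constructed assumptions.

```python
import re

# Hypothetical internal domain; anything else is treated as "outside the building".
INTERNAL_DOMAIN = "dca.example.gov"

# Candidate SSN: NNN-NN-NNNN, NNN NN NNNN or nine bare digits, word-bounded.
# Bare nine-digit numbers will also catch some account numbers; tune as needed.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Constructed sample attachment in the style of the leaked roster.
SAMPLE_ROSTER = (
    "Jane Doe, 123-45-6789, Analyst, $45,000\n"
    "John Roe, 234-56-7890, Exam Proctor, $30,000\n"
)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject structurally invalid SSNs (area 000/666/9xx, zero group or serial)
    so that dates, phone fragments and similar numbers do not trip the rule."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def count_ssns(text: str) -> int:
    """Number of plausible SSNs found in a body or attachment text."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))


def external_recipients(recipients):
    """Recipients whose mail domain is not the internal one."""
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]


def check_outbound(recipients, body, attachment_texts, threshold=1):
    """Return ('allow'|'warn'|'block', reasons) for one outbound message."""
    ext = external_recipients(recipients)
    if not ext:
        return "allow", []
    ssns = count_ssns(body) + sum(count_ssns(t) for t in attachment_texts)
    if ssns >= threshold:
        return "block", [f"{ssns} SSN(s) addressed to external recipient(s): {', '.join(ext)}"]
    # No sensitive content found, but an external address still deserves a prompt.
    return "warn", [f"external recipient(s): {', '.join(ext)}"]


if __name__ == "__main__":
    print(check_outbound(["bob@contractor-example.com"], "Roster attached.", [SAMPLE_ROSTER]))
```

The "warn" verdict is where a client-side prompt ("you are about to send to an address outside the organization") belongs; the "block" verdict is what a gateway rule would enforce regardless of how the address got into the To: field.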
Past Breaches:
State of California:
March, 2008 - San Quentin visitor and volunteer information lost