http://securityratty.com/tag/asi Mon, 11 Feb 2008 11:53:04 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/3313abd868212bd3a9ed98811169e851 http://securityratty.com/article/3313abd868212bd3a9ed98811169e851 Security Breach

Date Reported:
6/13/08

Organization:
CNET Networks, Inc. ("CNET")

Contractor/Consultant/Branch:
Colt Express Outsourcing Services, Inc. ("Colt")

Victims:
"current and former employees and their dependants"

Number Affected:
"around 6,500"

Types of Data:
"first names, last names, date of birth, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder"

Breach Description:
"Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.  Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.  The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees."

Reference URL:
Maryland State Attorney General breach notification
PCWorld
WebProNews
PogoWasRight

Report Credit:
The Maryland State Attorney General

Response:
From the online sources cited above:

On June 6, 2008, CNET received the attached letter from Colt Express Outsourcing Services, Inc., ("Colt") who has provided our client with employee benefit plan administrative services for the past 8 years.

Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.
[Evan] Uh Oh!, this is starting to read like and smell like the ASI breach reported in February.

The breach occurred on Memorial Day, Monday, May 26, 2008, between approximately 4:30 p.m. and 5:00 p.m. PST, when someone broke into Colt Express's office at 2125 Oak Grove Road, Suite 210, Walnut Creek, California, 94598

Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.
[Evan] According to a CNET spokesperson, via PogoWasRight.org, the "computer equipment" did not employ encryption to protect the information.  Encryption could have been a prudent control in a defense-in-depth approach, a mitigating control to protect information against a physical break-in and theft.

The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees.
[Evan] Not "may have", but did.  Information security and control can no longer be reasonably assured, which in my book constitutes a compromise.

Colt has also informed us that they reported the break-in to Walnut Creek police and to REACT High Tech Crimes Task Force in Silicon Valley when they discovered the burglary and that there is an ongoing criminal investigation.

report number 08-12367

In speaking directly with the Walnut Creek Police on June 12, 2008, Officer Greg Leonard, the primary investigator for the incident informed us that they are not aware of any misuse of personal information as a result of this theft at this time.

The information included first names, last names, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder for around 6,500 of our client's current and former employees, and their dependants.



some of your current and former employees and their dependants during the time period of 01-Aug-00 to present.
[Evan] August 1st, 2000 through May 26th, 2008 is almost eight years of information!  I wonder what the data retention policy states at Colt, supposing one exists.

We do not have any understanding that the computers stored personal health information.

Our client is providing written notification to all affected individuals at the last home address we have on record

Although there is no evidence of misuse of the data to date, our client's notification will also inform affected individuals that it has contracted with Equifax to provide Equifax Credit Watch Gold with 3 in 1 Monitoring service, including identity theft insurance, for one full year at no cost.
[Evan] I have said it before, and I will say it again.  One year of semi-effective protection should not be considered adequate for information that has a usable life that far exceeds this time frame.  It should be pointed out howevere that it is better than nothing and the company is not required to offer it.

Although we are not aware of the exact number of individuals affected by the Colt breach, we do know that we were among many of Colt's clients whose data were stored on the stolen computers.
[Evan] The word that catches my attention almost immediately is "many".  How many clients will be affected in the end?  PogoWasRight is already following up on another company that may be affected.

Colt Express takes the protection of its customer and personal information very seriously.
[Evan] Making a statement like this and the demonstration by action are two entirely different matters.  An organization such as Colt Express creates, collects, stores and transfers very sensitive information as an integral part of their business.  This being said, I wonder why this information was not protected better.

Colt Express is taking steps to ensure that a potential data security breach does not occur in the future.

We installed an alarm system on Friday, May 30th.
[Evan] Are we to assume that there was none prior to May 30th?  I hope not!

Colt Express is looking into what additional steps may be taken to provide enhanced security.

By this letter and enclosures, we are providing you with all the information we believe you need, and that we are able to give you.  We do not have the resources, financial and otherwise, to assist you further.
[Evan] Say huh?

Towards the end of last year, our customer base was reduced to an unsustainable level.

Colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions.
[Evan] This is a twist.  How long has the company been in the process of going out of business and was CNET (and the "many" other clients) aware of it?  If so, this could have been a sign that could have spurred some action.  Then again, maybe not.


http://www.colthr.com/



Those decisions are now final.

We are firmly committed to protecting all of the information that is entrusted to us both before and after we close down.

We sincerely apologize for the inconvenience and concern this incident will cause.

Commentary:
As I stated earlier in the post, I am a little fearful that this breach could end up as significant or more significant (in terms of number of people and organizations affected) than the ASI breach reported in February.  The ASI breach was the 2nd most popular posting in The Breach Blog's history at the time, based on number of online page reads and comments posted.

This breach has got me thinking.  Some of the key risks that we address with the organizations we work with are those involving the management of vendor and third-party relationships.  Ideally, information security personnel are involved throughout the relationship, including the initial vendor feasibility assessment.  Vendors and "trusted" third-parties need to be held to the same high security standards that we set for the organization.  The methods in which this can be accomplished vary from organization to organization, but typically include risk assessments (initial and ongoing), information security requirements built into contractual language, and enforcement actions if necessary.  If a vendor is not encrypting confidential information or employing burglar alarms, it is known (and hopefully addressed).

Past Breaches:
Unknown

]]> Wed, 25 Jun 2008 07:25:20 +0000 information personal information information security confidential information protect information breach sensitive information information security requirements colt "many of Colt's clients" affected by breach, CNET included http://securityratty.com/article/491b6ad9d6d8e74acd41c8dbfaab7a33 http://securityratty.com/article/491b6ad9d6d8e74acd41c8dbfaab7a33 Security Breach

Date Reported:
2/8/08

Organization:
Administrative Systems, Inc. (ASI)*

*ASI is a licensed third party administrator that provides certain administrative services on behalf of its clients, which include insurance companies and other financial services companies. These services often include processing employee applications for insurance coverage, issuing of insurance plans and employee certificates, managing premium billing and collection for insurance plans, responding to customer service requests and other record-keeping functions.

Contractor/Consultant/Branch:
None

Victims:
Customers of various ASI partner companies**

** Lists of companies in " Strategic Partnerships"  and forms.

Number Affected:
Unknown

Types of Data:
Name, dates of birth, mailing addresses, and Social Security numbers

Breach Description:
On December 29th, 2008, a desktop computer was stolen from the Seattle offices of Administrative Systems, Inc. ("ASI") that contained a database of sensitive personal information belonging to customers of the company's clients.

Reference URL:
Administrative Systems, Inc. official notice to victims
PogoWasRight.org Story

Report Credit:
Administrative Systems, Inc., with a special thanks to PogoWasRight.org

Response:
From the online sources cited above:

A desktop computer stolen from an Administrative Systems, Inc. (ASI) office in Seattle on December 29th contained names and sensitive information about customers or employees of several of the firm's clients: Continental American Medical, EyeMed Vision/Kelly Services Vision, and Jefferson Pilot Financial Dental.

ASI is a licensed third party administrator that provides certain administrative services on behalf of its clients, which include insurance companies and other financial services companies. These services often include processing employee applications for insurance coverage, issuing of insurance plans and employee certificates, managing premium billing and collection for insurance plans, responding to customer service requests and other record-keeping functions.
[Evan] Sheesh, this is some very sensitive information.  There is no mention in the notification or the Administrative Systems, Inc. web site about what is done to protect this information.

personal information about customers including name, date of birth, mailing address, social security number (“sensitive information”). The information did not include credit card information or driver’s license numbers.

We are writing to notify you of this incident and to assure you that we take this matter seriously and are taking steps designed to minimize the likelihood of such an event occurring in the future.
[Evan] What specifically is being done?

We have tightened our security measures to provide greater protection for the information we maintain and are working closely with local authorities to minimize future risks.
[Evan] Again, no specifics.

The Seattle Police Department is investigating this incident and ASI is cooperating fully with this investigation.

We suggest that you remain vigilant over the next twelve to twenty-four months by reviewing your financial account statements and monitoring your credit reports to minimize your potential risk of identity theft or fraud.
[Evan] The onus is on the data custodian to protect the information according to what is expected by the data owner.  The victims can remain vigilant, but what if data custodians are not?  Take your business elsewhere?

ASI sincerely regrets any inconvenience this incident may cause you. We know our clients value your trust and confidence and we remain committed to ensuring the security of your personal information. If you have questions for ASI regarding this incident, please call toll free 1-866-614-9454. We will be available Monday through Friday from 8 am to 8 pm Eastern time.

In its notification letter, ASI did not indicate whether the data were encrypted nor why it took over a month for individuals to be notified of the theft


Commentary:
This is a very unfortunate breach.  I assume that many of the victims do not even know who ASI is or how they came into the possession of their information.  If I received one of the notifications from ASI, I would have more questions than answers and I would be frustrated.  As customers of companies, we provide certain personal information.  We trust that the companies we do business with will see to it that our information is adequately protected.  In this instance, information was passed on to a third-party and that third-party did not do what they should have done to protect personal information.

There is no mention of any existing controls or what controls ASI plans to evaluate to further strengthen their information security and reduce risk.  Victims and customers are left in the dark.  One can only assume what type of physical controls were in place to protect against the physical theft or what technological controls were in place to protect against compromised confidentiality.  Your guess is as good as mine.

Past Breaches:
Unknown

]]> Mon, 11 Feb 2008 11:53:04 +0000 protect personal information personal information sensitive personal information companies include insurance companies financial services companies information information security asi partner companies Desktop computer stolen from Administrative Systems, Inc.