[SecurityRatty] tag: contractual

Software Liabilities and Free Software

Mon, 28 Jul 2008 10:42:33 +0000

Whenever I write about software liabilities, many people ask about free and open source software. If people who write free software, like PasswordSafe, are forced to assume liabilities, they will simply not be able to and free software would disappear.

Don't worry, they won't be.

The key to understanding this is that this sort of contractual liability is part of a contract, and with free software -- or free anything -- there's no contract. Free software wouldn't fall under a liability regime because the writer and the user have no business relationship; they are not seller and buyer. I would hope the courts would realize this without any prompting, but we could always pass a Good Samaritan-like law that would protect people who distribute free software. (The opposite would be an Attractive Nuisance-like law -- that would be bad.)

There would be an industry of companies who provide liabilities for free software. If Red Hat, for example, sold free Linux, they would have to provide some liability protection. Yes, this would mean that they would charge more for Linux; that extra would go to the insurance premiums. That same sort of insurance protection would be available to companies who use other free software packages.

The insurance industry is key to making this work. Luckily, they're good at protecting people against liabilities. There's no reason to think they won't be able to do it here.

I've written more about liabilities and the insurance industry here.

Have you googled, HR security breaches lately?

Tue, 08 Jul 2008 05:38:15 +0000

Blogger: Randall Gamby

As briefly mentioned in a Burton Group IdPS blog and a ZDNet Australia published article on July 3, 2008, HR data from Google was stolen from one of their previous HR outsource partners. It seems that the partner, Colt Express Outsource Partners, had equipment stolen that contained HR data from some of its clients, including Google. The data was unencrypted and stored on systems that were apparently portable.

So what does this mean for all of us?

First, it shows that even large SaaS companies like Google can be bitten by a lack of security at their partners, just like many of us can. Burton Group has been warning clients for a long time about the dangers of sending confidential information to outsource partners without proper security and audit processes in place. Of course this should also be backed by strong contractual language.

Second, be prepared to pay. Even if Google had breach mitigation terms in their contract, Colt Express announced that it was in financial difficulty. So Google has had to pay for financial reporting and other compensation to its own employees, even though Google did nothing wrong.

Third, a Google representative stated "We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an on-going basis.” Does this mean that Google doesn’t require encryption of its confidential information since encryption of the data was not deployed at Colt Express? When working with third parties, whether it’s financial data or confidential personal data, this information needs to be protected from unauthorized access. One of the simplest ways is encrypting the data while at rest, regardless of where it’s located.

Final, the Colt Express breach brings to mind a question Burton Group is always asking: “What is your exit strategy if the contract is terminated with your outsourcing partner?” A lot of effort is expended in creating an outsourcing agreement around use and protection of data, but what happens when the contract is ended? Do you obtain and retain the information the outsource partner maintained? Do you have the outsource partner destroy the information and any archives of it (and verify this was done)? Do you create a custodial contract with the outsourcing partner for them to maintain the information and archives on your behalf (ensuring the data is properly protected)? As was found in this incident, after their contract with Google was terminated the outsourcing partner apparently retained the employee data unencrypted on their servers. This was the fatal mistake that allowed the breach to occur.

So as you work with your outsourcing and SaaS vendors, you should not only consider how day-to-day operations should be secured to maintain the confidentiality of your data. You should also think about how that data is being maintained over time, and what are your procedures should the unthinkable happen if your partner allows your data to be compromised.

"many of Colt's clients" affected by breach, CNET included

Wed, 25 Jun 2008 07:25:20 +0000

Technorati Tag: Security Breach

Date Reported:
6/13/08

Organization:
CNET Networks, Inc. ("CNET")

Contractor/Consultant/Branch:
Colt Express Outsourcing Services, Inc. ("Colt")

Victims:
"current and former employees and their dependants"

Number Affected:
"around 6,500"

Types of Data:
"first names, last names, date of birth, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder"

Breach Description:
"Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized. Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET. The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees."

Reference URL:
Maryland State Attorney General breach notification
PCWorld
WebProNews
PogoWasRight

Report Credit:
The Maryland State Attorney General

Response:
From the online sources cited above:

On June 6, 2008, CNET received the attached letter from Colt Express Outsourcing Services, Inc., ("Colt") who has provided our client with employee benefit plan administrative services for the past 8 years.

Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.
[Evan] Uh Oh!, this is starting to read like and smell like the ASI breach reported in February.

The breach occurred on Memorial Day, Monday, May 26, 2008, between approximately 4:30 p.m. and 5:00 p.m. PST, when someone broke into Colt Express's office at 2125 Oak Grove Road, Suite 210, Walnut Creek, California, 94598

Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.
[Evan] According to a CNET spokesperson, via PogoWasRight.org, the "computer equipment" did not employ encryption to protect the information. Encryption could have been a prudent control in a defense-in-depth approach, a mitigating control to protect information against a physical break-in and theft.

The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees.
[Evan] Not "may have", but did. Information security and control can no longer be reasonably assured, which in my book constitutes a compromise.

Colt has also informed us that they reported the break-in to Walnut Creek police and to REACT High Tech Crimes Task Force in Silicon Valley when they discovered the burglary and that there is an ongoing criminal investigation.

report number 08-12367

In speaking directly with the Walnut Creek Police on June 12, 2008, Officer Greg Leonard, the primary investigator for the incident informed us that they are not aware of any misuse of personal information as a result of this theft at this time.

The information included first names, last names, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder for around 6,500 of our client's current and former employees, and their dependants.

some of your current and former employees and their dependants during the time period of 01-Aug-00 to present.
[Evan] August 1st, 2000 through May 26th, 2008 is almost eight years of information! I wonder what the data retention policy states at Colt, supposing one exists.

We do not have any understanding that the computers stored personal health information.

Our client is providing written notification to all affected individuals at the last home address we have on record

Although there is no evidence of misuse of the data to date, our client's notification will also inform affected individuals that it has contracted with Equifax to provide Equifax Credit Watch Gold with 3 in 1 Monitoring service, including identity theft insurance, for one full year at no cost.
[Evan] I have said it before, and I will say it again. One year of semi-effective protection should not be considered adequate for information that has a usable life that far exceeds this time frame. It should be pointed out howevere that it is better than nothing and the company is not required to offer it.

Although we are not aware of the exact number of individuals affected by the Colt breach, we do know that we were among many of Colt's clients whose data were stored on the stolen computers.
[Evan] The word that catches my attention almost immediately is "many". How many clients will be affected in the end? PogoWasRight is already following up on another company that may be affected.

Colt Express takes the protection of its customer and personal information very seriously.
[Evan] Making a statement like this and the demonstration by action are two entirely different matters. An organization such as Colt Express creates, collects, stores and transfers very sensitive information as an integral part of their business. This being said, I wonder why this information was not protected better.

Colt Express is taking steps to ensure that a potential data security breach does not occur in the future.

We installed an alarm system on Friday, May 30th.
[Evan] Are we to assume that there was none prior to May 30th? I hope not!

Colt Express is looking into what additional steps may be taken to provide enhanced security.

By this letter and enclosures, we are providing you with all the information we believe you need, and that we are able to give you. We do not have the resources, financial and otherwise, to assist you further.
[Evan] Say huh?

Towards the end of last year, our customer base was reduced to an unsustainable level.

Colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions.
[Evan] This is a twist. How long has the company been in the process of going out of business and was CNET (and the "many" other clients) aware of it? If so, this could have been a sign that could have spurred some action. Then again, maybe not.

http://www.colthr.com/

Those decisions are now final.

We are firmly committed to protecting all of the information that is entrusted to us both before and after we close down.

We sincerely apologize for the inconvenience and concern this incident will cause.

Commentary:
As I stated earlier in the post, I am a little fearful that this breach could end up as significant or more significant (in terms of number of people and organizations affected) than the ASI breach reported in February. The ASI breach was the 2nd most popular posting in The Breach Blog's history at the time, based on number of online page reads and comments posted.

This breach has got me thinking. Some of the key risks that we address with the organizations we work with are those involving the management of vendor and third-party relationships. Ideally, information security personnel are involved throughout the relationship, including the initial vendor feasibility assessment. Vendors and "trusted" third-parties need to be held to the same high security standards that we set for the organization. The methods in which this can be accomplished vary from organization to organization, but typically include risk assessments (initial and ongoing), information security requirements built into contractual language, and enforcement actions if necessary. If a vendor is not encrypting confidential information or employing burglar alarms, it is known (and hopefully addressed).

Past Breaches:
Unknown

Personal information stolen from State Street mystery vendor

Tue, 03 Jun 2008 07:28:32 +0000

Technorati Tag: Security Breach

Date Reported:
5/29/08

Organization:
State Street Corporation

Stock Symbol:
NYSE: STT

Contractor/Consultant/Branch:
Unnamed vendor hired "to provide legal support services"

Victims:
"employees and some customers of the former Investors Financial Services Corp. (“IBT”)"

Number Affected:
"more than 45,000"

Types of Data:
Names, addresses, dates of birth, and, in some cases, Social Security numbers.

Breach Description:
"State Street Corp. (STT) sent notices to employees and some customers of the former Investors Financial Services Corp. that computer equipment containing personal data was stolen from a vendor's facility."

Reference URL:
State Street Corporation News Release
The Boston Globe
Dow Jones Newswires via CNNMoney
Boston Business Journal
Reuters via CNBC

Report Credit:
State Street Corporation

Response:
From the online sources cited above:

State Street Corp. said yesterday that a disk drive containing personal details from 5,500 employees and 40,000 customer accounts was stolen

BOSTON, MAY 29, 2008 – State Street Corporation (NYSE: STT) today began sending precautionary notifications to employees and some customers of the former Investors Financial Services Corp. (“IBT”) that computer equipment containing certain personal data was stolen from a vendor’s facility.
[Evan] So this vendor relationship is probably governed by a vendor/third-party security policy and supporting documentation and processes, right?

IBT had engaged the vendor for legal support services.

the compromised information was among a batch of data sent to the analysis firm, which she declined to identify except to say it was in the United States. (A spokeswoman for State Street of Boston)
[Evan] Why decline to identify? If I were someone affected by this (thank God I am not), do you think that I should have the right to know? After all, am I not the owner of my personal information?

At the time of the transfer, the data were encrypted, making it much more difficult to misuse. But the firm had unencrypted the information for its work and stored it on the hard drive that was then stolen
[Evan] This is why data-at-rest encryption is as (or more) important that data-in-transit encryption. Both applications have their place in many information protection strategies.

Lost details included individuals' names, addresses, dates of birth, and, in some cases, Social Security numbers.

There is no evidence to date to suggest that the data has been misused or that legacy State Street customers or employees are impacted.

The theft was reported to federal authorities

the theft occurred in December and was reported to State Street in January

State Street didn't disclose the breach publicly or to individuals until yesterday because it took months to determine who was affected
[Evan] Yeah, like more than four months! Let's say that only one FTE was assigned to determining what data was on the stolen computer equipment. One FTE x 40 hours x 17 weeks (est.) = 680 hours.

As a precaution, State Street is notifying legacy IBT employees and certain legacy IBT customers whose personal data was on the stolen computer equipment.
[Evan] I don't like the word "precaution" used in notification that is a "reaction".

This notification process is expected to be completed shortly.

State Street has developed a dedicated section of its website with more details for the legacy IBT customers and employees who will receive these precautionary notifications. This information can be found at www.statestreet.com/notification and includes detail about a number of credit monitoring services being made available by State Street at no cost for two years.

State Street said this was the first case of data theft in its history.
[Evan] State Street was founded in 1792, and this is the first case of data theft? If so, that's amazing!

Contact Information:
Customers:
Please contact your usual customer representative.
Media:
Please contact publicrelations@statestreet.com.
Employees:
Please contact GHR Customer Service at +1 617 985 8040.

Commentary:
Make sure that your information security program takes into account the information that is shared with vendors, partners, and other third-party providers. There are numerous approaches that can be employed and customized to an individual business or organization. Most effective information security programs govern the security of confidential information shared with third-parties through policy, contractual language, standards, and periodic assessments for compliance. If possible, get information security personnel involved very early on in the establishment of the relationship.

Past Breaches:
Unknown

Consultant loses laptop with Park National employee information

Fri, 16 May 2008 07:23:50 +0000

Technorati Tag: Security Breach

Date Reported:
5/10/08

Organization:
Park National Corporation

Contractor/Consultant/Branch:
Aon Consulting Inc.

Victims:
"past and present employees"

Number Affected:
~2,000

Types of Data:
"personal information"

Breach Description:
"About 2,000 past and present employees of Park National Corp. are keeping their fingers crossed that they don't become identity theft victims after their pension administrator lost a laptop computer containing their personal information."

Reference URL:
Columbus Business First
PogoWasRight

Report Credit:
Columbus Business First via PogoWasRight

Response:
From the online sources cited above:

About 2,000 past and present employees of Park National Corp. are keeping their fingers crossed that they don't become identity theft victims after their pension administrator lost a laptop computer containing their personal information.
[Evan] Do you suppose finger crossing works? I didn't really think of this or include it in my 2008 information security strategic plan.

Aon Consulting Inc., which provides administration services for Newark-based Park's pension plan, lost the laptop in March.
[Evan] One of Aon Consulting's offerings is Enterprise Risk Management ("ERM"). There is no mention of whether or not this lost laptop was encrypted. If it weren't, do you think this is a good demonstration of sound risk management? I posed the question; I'll let you decide the answer.

The bank has received no reports that data on the computer has been accessed and used by thieves, said Park spokeswoman Bethany White.

"This was not our breach and we are the victim," she said. "We are absolutely unhappy to be a victim of this and Aon is working to fix this."
[Evan] Hold on a second! I respectfully but completely disagree with Ms. White. There is a misunderstanding or roles. The data owner is the victim. The data custodians are Park National AND Aon. If the information was given to Park National by the victim and not directly to Aon, then this is absolutely a Park National breach. It is the responsibility of organizations to ensure the security of the information they share with their contractors, consultants, vendors, etc. This is accomplished by creating policy that governs information security in these relationships, including information security in contractual language, and periodic audit and compliance assessments.

Aon is providing free credit-monitoring and fraud-protection insurance services from Experian to those who have been affected, according to a letter from Park CEO C. Daniel DeLawder to those affected by the theft.

Commentary:
The reference article is short, but the information still allows for plenty of commentary and speculation. I would be very interested to read the actual notification letter that went out to the victims. It may shed some more light on the subject.

It is troubling that Park National wants to absolve themselves of any responsibility in this breach.

Past Breaches:
Unknown

Chipotle Mexican Grill employee information on USi stolen laptop

Sat, 26 Apr 2008 18:39:08 +0000

Technorati Tag: Security Breach

Date Reported:
4/15/08 (this incident is also the cause of Stolen USinternetworking laptop affects hundreds of SPX employees AND Stolen USinternetworking laptop also affects XL employees)

Organization:
Chipotle Mexican Grill

Contractor/Consultant/Branch:
USinternetworking ("USi")*

*From the USinternetworking "About Us" page:
Founded in 1998, USinternetworking, Inc. (USi), an AT&T company, is the most experienced Application Service Provider (ASP). We use a highly automated, efficient, systematic approach to deliver managed hosting, application management, remote management, professional services, SaaS enablement, and eBusiness development and hosting to more than 150 enterprise-level organizations in over 30 countries.

Victims:
Current and former Chipotle employees

Number Affected:
Unknown

Types of Data:
"name, address, Social Security number, and payroll information"

Breach Description:
"USi, a service company that was doing information technology work for Chipotle to support human resources and payroll, has notified Chipotle that on or about March 23, 2008, a USi employee residing in Columbus, Ohio was the victim of a burglary, during which a laptop computer, containing Chipotle information, was stolen."

Reference URL:
New Hampshire State Attorney General breach notification part 1
New Hampshire State Attorney General breach notification part 2

Report Credit:
The New Hampshire State Attorney General

Response:
From the online sources cited above:

USi, a service company that was doing information technology work for Chipotle to support human resources and payroll, has notified Chipotle that on or about March 23, 2008, a USi employee residing in Columbus, Ohio was the victim of a burglary, during which a laptop computer, containing Chipotle information, was stolen.
[Evan] USi was storing confidential information obtained from at least three different companies on a single, poorly protected laptop computer. Sad, but true.

Unfortunately, USi informs us that some information, including name, address, Social Security number, and payroll information for Chipotle employees and former employees was contained on the stolen laptop.
[Evan] "Unfortunately"? Is the cause of this breach attributed more to fortune than it is to poor information security management? I don't fortune has all that much to do with it.

USi has reported the theft to Ohio law enforcement authorities and believes the theft was a random act.

At this time, we have no evidence that this information has been misused, and USi indicates that the laptop was password protected.
[Evan] This statement (or very similar) appears in each of the three breach notifications that I have read about this incident. You could almost copy and paste it, eh? It is probably too early for any evidence of misuse (a smart fraudster would wait until the identity theft protection runs out, or would sell the information to someone else). Password protection (likely operating system) is little more than no protection. An operating system password would not suffice as adequate protection for most information security professionals.

we want to make you aware of the incident and the steps that have been taken to prevent a reoccurence
[Evan] USi also made this (or similar) statement in each of the breach notifications, but there were never any "steps" listed anywhere

access to Continuous Credit Monitoring and Enhanced Identity Theft Restoration at no cost to you for 2 years.

If you have questions or feel you may have an identity theft issue, please call ID TheftSmart member services at 1-800-588-9839 between 8:00 a.m. and 5:00 p.m. (Central Time), Monday through Friday

Chipotle sincerely regrets this unfortunate incident and is currently taking steps to ensure that its privacy policies are strictly followed to avoid similar issues.
[Evan] Chipotle, its employees, its investors, and its customers would all benefit from information security improvement, including (but certainly not limited to) vendor/contractor information security policies and mandatory standards, enforcement of the policies and standards, and periodic auditing of vendor compliance with the policies and standards. Information security is necessary at all phases of vendor relationships (need definition, negotiation, contractual language, etc.) just as it is at all phases of software development.

Commentary:
Well, I wonder if this is the last company affected by this single stolen USi laptop.

Past Breaches:
Chipotle:
Unknown
USinternetworking:
April, 2008 - Stolen USinternetworking laptop also affects XL employees
April, 2008 - Stolen USinternetworking laptop affects hundreds of SPX employees

Stolen USinternetworking laptop affects hundreds of SPX employees

Tue, 22 Apr 2008 16:58:03 +0000

Technorati Tag: Security Breach

Date Reported:
4/15/08

Organization:
SPX Corporation

Contractor/Consultant/Branch:
USinternetworking, Inc.*

*From the USinternetworking "About Us" page:
Founded in 1998, USinternetworking, Inc. (USi), an AT&T company, is the most experienced Application Service Provider (ASP). We use a highly automated, efficient, systematic approach to deliver managed hosting, application management, remote management, professional services, SaaS enablement, and eBusiness development and hosting to more than 150 enterprise-level organizations in over 30 countries.

Victims:
SPX employees from the APV acquisition

Number Affected:
403

Types of Data:
Names, Social Security numbers, and banking information

Breach Description:
"Please be advised that on March 25, 2008, we received notice from one of our vendors, USintemetworking, Inc. (USi), that a USi laptop was stolen from the home of one of its employees. USi originally informed us that the laptop included personal identifying information, including names, Social Security numbers, and banking information, on approximately 329 individuals" "We later received word from USi that an additional 74 individuals were affected by this incident"

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Please be advised that on March 25, 2008, we received notice from one of our vendors, USinternetworking, Inc. (USi), that a USi laptop was stolen from the home of one of its employees. USi originally informed us that the laptop included personal identifying information, including names, Social Security numbers, and banking information, on approximately 329 individuals

We later received word from USi that an additional 74 individuals were affected by this incident

USi provides payroll processing and data management services for SPX companies, and has been a trusted partner for many years.
[Evan] What kind of "service" is unnecessarily exposing confidential information? I can only imagine how many confidential records USI collects, creates, stores, and transfers for their clients. USI is a large company with the resources to know better than to store confidential information on a poorly secured laptop (assuming little more than password protection).

Upon learning of this incident, in an effort to notify affected individuals as soon as possible, we forwarded a copy of the USi's March 25, 2008, communication to each of the affected individuals.

we have and continue to take steps to protect the security of the personal information.

Also, in addition to continuing to monitor this situation, we are reexamining our current data privacy and security policies and procedures to find ways of reducing the risk of future data breaches
[Evan] One improvement that I can suggest is to mandate baseline information security controls through policy and contractual language. SPX should also audit vendors for information security compliance on a regular basis.

USi has reported the theft to law enforcement authorities and we believe the theft was a random act, based on the fact that other items, including a television set, were stolen from the home.
[Evan] Statements like this have become common in breach notifications. If this were the case, then why do we read headlines like "The FTC estimates that as many as 9 million Americans have their identities stolen each year."

The laptop was password protected and we have no evidence that your employees' personal information has been, or will be, used for unauthorized purposes.
[Evan] Organizations should almost not even mention "password protected" anymore. It almost insults peoples' intelligence.

However, as a precaution, we are notifying you that the possibility exists that this information could be used to open or access your employees' credit or bank accounts.

Furthermore, USi is going to offer to your affected employees, free of charge, one year of credit monitoring and identity-theft protection

USi deeply regrets this incident and apologizes for any inconvenience this may have caused you or your employees.

USi is taking steps to enhance the protection of the information you have entrusted to us to avoid future such incidents.
[Evan] Like what? This statement means nothing to me.

SPX has established a help line you can access at (704) 752-7499 with questions or concerns.

We take this very seriously and we apologize for any inconvenience this incident may cause.

We treat all sensitive employee information in a confidential manner and are proactive in the careful handling of such information.
[Evan] Based on what I have read and assumptions where there were gaps, this statement is simply not true.

Commentary:
Again, assuming that the laptop was not encrypted. USi clearly did not take adequate steps to reduce the risk of exposure to a generally acceptable level. There was no mention of encryption or what USi's policies are in regards to storing confidential information on mobile devices. Readers only get "USi is taking steps to enhance protection" blah blah blah. Frustrating.

Past Breaches:
Unknown

Stolen SunGard laptop affects at least 10 post-secondary schools

Mon, 21 Apr 2008 10:49:39 +0000

Technorati Tag: Security Breach

Date Reported:
4/17/08

Organization:
Various post-secondary schools, including but not necessarily limited to:
Central Connecticut State University
Eastern Connecticut State University
Southern Connecticut State University
Western Connecticut State University
Northwestern Michigan College
Northwest Missouri State University
Buffalo State College
State University College at Brockport
Monroe Community College

Contractor/Consultant/Branch:
SunGard Higher Education*

*From the SunGard Higher Education "About Us" page:
"SunGard Higher Education provides software, strategic consulting, and technology management services to colleges and universities. We help more than 1,600 institutions worldwide strengthen institutional performance by improving constituent services, increasing accountability, and enhancing the education experience.

SunGard Higher Education has a vision to unify people, process, and technology in an environment that addresses the needs of higher education institutions and the people they serve. We call this vision the Unified Digital Campus."
[Evan] All of "the needs" except one critical one... SECURITY!

Victims:
Students and a limited number of employees

Number Affected:
Unknown, but at least 23702

Types of Data:
Personal information including names, Social Security numbers and financial aid information

Breach Description:
"A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers."

Reference URL:
SunGard Higher Education (general)
The News-Times (Connecticut State University Schools)
Associated Press Connecticut (Connecticut State University System)
Associated Press Michigan (Northwestern Michigan College)
Maryville Daily Forum (Northwest Missouri State University)
The Buffalo News (Buffalo State College)
Democrat and Chronicle (State University of New York schools)
Northwestern Michigan College
Buffalo State College
State University College at Brockport

Report Credit:
SunGard Higher Education

Response:
From the online sources cited above:

A laptop belonging to a consultant at SunGard Higher Education was stolen on March 13, 2008. The theft was immediately reported to law enforcement but the laptop has not been recovered. After analyzing a backup of the computer, SunGard Higher Education found that the stolen laptop contained data from projects with a number of customers.

Security teams from affected institutions and SunGard Higher Education are working together to analyze and verify the data and notify affected individuals.

The laptop was protected with a strong password to access the operating system.
[Evan] It could be the strongest damn password in the world and still not provide an adequate level of security in my opinion. Operating system passwords (especially Windows) can be bypassed in a matter of seconds. This is a poor attempt to minimize the incident.

The computer was password-protected but contained unencrypted files with personally identifiable data
[Evan] Even though encryption is not the "end all", it would have (in conjunction with other controls) reduced the risk of exposure to a level that is acceptable to many organizations (mine included).

All affected customers have been notified. Customer names will not be disclosed for privacy and security reasons as the investigation continues.
[Evan] We already know of at least 10 post-secondary institutions.

The laptop was stolen in New York on March 13 and state officials say it contains the names and personal information of 3,502 present and former students of the four CSU universities.

could put the personal information of 1,600 Northern Michigan College students from 2003 at risk.

could potentially put personal information about Northwest Missouri State University students and alumni in the wrong hands.

Northwest believes it followed all appropriate internal procedures for protecting the privacy of its students. For its part, SunGard Higher Education has accepted responsibility for this incident and is working with the University to minimize any adverse consequences.
[Evan] This is a classic misunderstanding of the roles and responsibilities for information security governance and management. The custodians of the personal information were the schools AND SunGard, not only SunGard. It is the responsibility of the schools (as co-custodians) to require certain information protections from their vendors and contractors. This should be done through policy, contractual language and regular audit/enforcement.

Social Security numbers of about 16,000 current and former Buffalo State College students

affected thousands of students at State University College at Buffalo, State University College at Brockport and Monroe Community College.

We believe that the laptop was stolen for the hardware rather than the data. We do not know if any personally identifiable data was accessed by the thieves.
[Evan] This is another statement meant to minimize the impact of the incident. I do not doubt that often times computer equipment is stolen for the hardware value, but how do we know? I am guessing that more and more criminals are examining the contents of poorly secured computing devices and looking for additional opportunities. The "laptop was stolen for the hardware" argument doesn't work anymore.

The nature of that employee’s job included analysis of customer data as part of software implementation and upgrade projects.

The laptop was taken from an employee of SunGard, a Pennsylvania-based computer software company that provides Buffalo State’s records system, said Voldemar Innus, a college vice president and chief information officer.

Innus also said the laptop was secure.
[Evan] No offense Mr. Innus, but the laptop WAS NOT secure.

"The laptop was stolen for its own worth as hardware," Innus said. "We do not believe it was stolen because of the information that was on it. And it was heavily password protected, we’re told."

"The risk I would say is not that high, but that doesn’t matter," Innus said. "There are steps we need to take because of what happened."
[Evan] People like to throw these terms like "secure" and "risk" around without any validation. How did Mr. Innus determine the risk (of exposure and/or misuse) with respect to this incident?

The data was originally provided for SunGard to perform various services for the university system, but it was apparently retained longer than necessary to perform those services,

A dedicated Web site containing updated information may be accessed at www.sungardhe.com/laptoptheft.

A help desk has been established with a toll-free number, (866) 520-2408, to respond to questions from affected individuals.

Credit monitoring will be provided at no cost to the affected individuals, for a period of one year.
[Evan] Credit monitoring is a post-fraud activity. One year is very limited for information that has a much longer lifespan.

Buffalo State student reaction:
In a campus dormitory, Ben Bissell, a sophomore special education major, and his friend Thomas Dennis, a freshman English education major, were making housing arrangements for next year. Bissell said he got the e-mail and was aware of the situation. Dennis was not.

Bissell was surprised such sensitive information could be placed in such a portable device as a laptop, which could easily be lost or stolen.
[Evan] Mr. Bissell is a "data owner" in this instance. The school and SunGard are "data custodians". In simplistic terms, data owners dictate what level of protection is required for the data that they own and data custodians apply the designated level of protection. Did the school and SunGard apply the designated level of protection in this case?

"You’d think it would be somewhat secure," Bissell said of his personal information.

He plans to closely monitor his bank statements and account activity following the announcement.

Omar Vargas, a sophomore elementary education major, told a reporter it was the first he had heard of the stolen laptop, admitting he feels "less secure" knowing about it.

"There’s enough things to handle being on campus, like going to classes and deadlines," Vargas said. "Then, just to find out my personal information is threatened is like, man, who knows what that could jeopardize."
[Evan] Very true. If we all just did what we were supposed to do, we wouldn't have to worry so much about what others aren't doing.

"I could wind up with bad credit when I’m on a good roll."

Commentary:
I provided a lot of my commentary above. There is no excuse that I can think of for such poor information security practice and management. Can the people running these companies (such as SunGard) and those responsible for information security claim they didn't know any better? Does it not go against SunGard Higher Education (or school) policy to store confidential information on a laptop while relying solely on operating system level passwords?

Nuts.

Past Breaches:
Unknown

L.A. Dept. of Water of Power employees exposed

Tue, 19 Feb 2008 14:11:13 +0000

Technorati Tag: Security Breach

Date Reported:
2/15/08

Organization:
Los Angeles Department of Water and Power ("DWP")

Contractor/Consultant/Branch:
Systematic Automation Inc.

*This breach appears to be related to "Theft from vendor affects Modesto City Schools employees" dated 2/12/08

Victims:
Employees

Number Affected:
8,275

Types of Data:
"names, Social Security numbers, dates of birth, employee identification numbers, salaries, work locations, deferred compensation balances (but not account numbers), insurance plan coverage and health care benefits selection"

Breach Description:
Computer equipment was stolen from a Los Angeles Department of Water and Power vendor, Systematic Automation that contained sensitive personal information belonging to every employee of the utility.

Reference URL:
Los Angeles Daily News online story
Los Angeles Times online story

Report Credit:
Beth Barrett, Los Angeles Daily News

Response:
From the online sources cited above:

Computer equipment containing the private financial data of every employee of the Los Angeles Department of Water and Power was stolen earlier this week, prompting the utility to pay for a credit monitoring service for each of its 8,275 workers.

DWP General Manager H. David Nahai sent a letter to employees Wednesday informing them of the "possible security breach" and of steps being taken to safeguard them from the risk of identity theft.

DWP officials said the theft occurred at Systematic Automation Inc. in Fullerton and is being investigated by Fullerton law enforcement.
[Evan] From last week's Modesto City Schools breach, in which "A computer hard drive containing sensitive personal information belonging to Modesto City School district employees was stolen from Systematic Automation Inc. in Fullerton, California." Do you suppose this means that Systematic Automation was storing multiple client data sets on the same drive?

The data that was taken on active DWP employees included names, Social Security numbers, dates of birth, employee identification numbers, salaries, work locations, deferred compensation balances (but not account numbers), insurance plan coverage and health care benefits selection.

Nahai said the DWP had contracted with the company to print retirement booklets showing employees' benefits and other information

"This kind of work is done by very specialized companies, and I think many companies contract out this kind of work," he said. (Nahai)
[Evan] This may justify why DWP sent the information out to a vendor, but it does not justify the breach or the lack of oversight (vendor management). Vendors trusted with confidential information MUST be held to the same strict standards as the company itself.

Nahai said the DWP was taking "extraordinary steps to protect our employees.

He said the data is encrypted and that the thieves may not be able to extract it.
[Evan] Encrypting the information is a very good call by DWP, but according to the Modesto City Schools breach, "Snelling said the district sent the employee information in an encrypted format to Systematic Automation, where it apparently was stored on the computer in an unencrypted format." I would be surprised if the DWP information were not in a similar state.

The utility's Retirement Office (213-367-1692) also has made arrangements for a one-year subscription to a credit monitoring service for employees.

"It's in the very early stages of the investigation, and very early to point fingers," he said. (Nahai)

DWP spokesman Joe Ramallo said the utility had no evidence that the missing information had been misused

"We're required by law to notify our employees that this theft occurred," he said. "But we don't have any knowledge at this point that the data was the target, and law enforcement said they don't believe that it is."

a spokesman for the International Brotherhood of Electrical Workers Local 18, the union that represents DWP employees, said Friday that his workers were "shocked and upset" by the loss of the data.

"They believe this is a direct result of the mania for outsourcing that the DWP has had," said Bob Cherry, a communications consultant for the union. "The DWP should have been paying more attention to the potential impact of sensitive data like this getting sent to outside vendors."
[Evan] Bob Cherry knows a thing or two. The security of information is the responsibility of the organization to whom it was originally given to by the owner. This is a simple owner/custodian relationship. Just because the custodian did not lose the hard drive directly does not mean that the custodian is not responsible for the breach.

Vince Foley, who serves on the board of the DWP Retired Employees Assn., said he has received anxious calls from retirees. The stolen computer equipment also contained financial data on employees who retired between July 1, 2006, and June 30, 2007.

Foley said. "DWP's computers are, of course, encrypted and protected. But this is a situation where they had . . . a consultant who's given all this data so they can prepare the [benefits] statements."

Commentary:
I wonder how many more organizations are affected by the Systematic Automation burglary. So far, we know of two organizations and over 11,000 affected persons.

There are lessons to be learned from almost any breach, and it's easier to play the "Monday morning quarterback". Good information security programs recognize the importance of managing security throughout the life-cycle of the information, no matter where it resides. At a minimum:

Thoroughly evaluate the information security practices of vendors before engaging in formal business agreements.
Information security language should be included in contractual agreements.
Conduct regular audits of vendors to ensure that they continue to abide by your information security policies, standards, guidelines and procedures.
If your company engages vendors on a regular basis, formalize the vendor security evaluation, approval and audit process.

These are just some tips that could easily be expanded upon and refined to your individual situation.

Past Breaches:
Related:
February, 2008 - Theft from vendor affects Modesto City Schools employees

Viewpoint Two: The recession wont affect security folks

Wed, 13 Feb 2008 09:51:37 +0000

OK, for arguments’ sake let's suppose we’re in a recession. What does that really mean for us security folks?

To answer that question, let’s turn the question on its head. What did security spending look like when times were pretty good? Say from early 2005 to 2007 for example - did we see an upturn in spending? Our research found that security spending was flat or declining as a proportion of overall IT spending during that period. So then why, when the economy goes south would we spend less on security?

The vast majority of organizations spend money to counter threats and incidents that they’re seeing, and to comply with governmental and contractual requirements. Neither of these two factors are hugely dependent on economic cycles.

OK, so there’ll be less cash floating around for the big banks to fill their labs with new product evaluations, but does that really affect the majority of us? I would say not. Yes, we’re going to have to show more business justification for our technology. Yes, we’re going to have to consolidate. Yes, we’re going to have to streamline process. But weren’t we doing that anyway?

We’ve come to learn that security is a necessary cost of doing business – not a luxury item where we can turn spending on and off at the behest of economic demand. Luckily for us, I reckon there’s fewer of us that are going to be on the streets looking for jobs than other disciplines.