[SecurityRatty] tag: deputy

The power of communication.

Fri, 13 Jun 2008 13:24:00 +0000

I think many of us fail to realize the extreme importance of communicating in a way that ensures we are understood.When I was working for the United Nations in different countries around the world, I would often be told by other UN staff that they were surprised that they could actually understand what I was saying. Apparently, they had met other Irish and could only understand a few words here and there. That was easy for me to understand. As the Deputy and later Chief of the United Nation's Special Investigation Unit, it was of the utmost importance that people could understand me. Imagine questioning a person who was facing deportation back to their country for an alleged crime. It would be unfair to them if I didn't make my self understood, even if it meant that I had to slow down my fast Irish speech and leave out the Irish slang words (that very few people around the world can ever understand).

I was in Dublin last weekend, passing through on my way to the Middle East. The big topic was the Irish referendum on the Lisbon treaty. It seems that the country was fairly evenly divided by those who were; voting yes, voting no, did not know. I wasn't that terribly sure what it was all about so I asked my sister and her husband. They had to admit that the whole thing was rather unclear and that the Politicians didn't do a great job of explaining. Then I met up with my brother. He too was not 100% about the importance of a "yes" or "no" vote. I got the impression that Ireland might lose their National identity if they voted "yes", so I left thinking that "no" was the way to go.

Apparently the rest of Ireland thought so too, as I am sitting in my hotel room in Dubai listening to the BBC and Sky news talking about the after effects of Ireland's rejection of the Lisbon treaty. That got me thinking. The only time we really ever had any problems with a client involved communicating, or a lapse on somebody's part. It is amazing how large the repercussions can be when you are talking about a whole country. Next time you are involved in a negotiation, remember the Lisbon treaty and make sure you know what is at stake. You could be avoiding a costly mistake.

University of South Carolina Moore School of Business breach

Mon, 09 Jun 2008 09:38:01 +0000

Technorati Tag: Security Breach

Date Reported:
6/9/08

Organization:
University of South Carolina

Contractor/Consultant/Branch:
Moore School of Business

Victims:
"faculty, staff and students"

Number Affected:
~7,000

Types of Data:
"some personally identifiable data"

Breach Description:
"The University of South Carolina is warning about 7,000 faculty, staff and students that some of their personal information was on a desktop computer stolen from an office at the business school."

Reference URL:
The State

Report Credit:
The State

Response:
From the online source cited above:

The University of South Carolina is warning about 7,000 faculty, staff and students that some of their personal information was on a desktop computer stolen from an office at the business school.

Monday evening, May 26th, 2008 computer hardware containing data files was stolen from the Dean’s Office

"Among the items was a desktop computer belonging to Deputy Dean Dr. Scott Koerwer,"
[Evan] I am semi-sure that a business case could be made to allow Dr. Scott access to confidential information, but there should be NO business case allowing for the storage of this information on the desktop computer he uses. I also doubt that he needs access to Social Security numbers.

"As a result of the computer being stolen, we feel it is possible that some personally identifiable data could have been compromised."

There is a possibility that some personal information such as social security numbers, annual pay, and term of service at the University may have been compromised.

As soon as the unauthorized access was discovered (May 27, 2008), USC initiated its incident handling procedures, which includes notification of affected individuals.
[Evan] I am glad to read that USC has incident handling procedures. Many organizations do not.

university officials have no evidence anyone's personal information was accessed
[Evan] It's probably too soon for evidence.

"We feel the responsible thing for us to do is to notify those persons whose data was contained in the computer, and advise them of the fact, and share with them some useful steps they may want to take for additional protection,"

the university is notifying about 130 faculty and staff at the Moore School, and just under 7,000 students who took business courses in the last academic year

the university’s Division of Law Enforcement and Safety and Office of Information Technology are investigating the matter

The Moore School of Business has taken precautions to minimize future security risks.
[Evan] Like what? Anybody can make a statement like this. People should be provided with some details. Details that don't give away too much, but enough to instill confidence. This statement means little to me.

Deputy Dean Koerwer circulated a letter to students dated June 6 that suggested some steps they might take to protect themselves from identity theft.

Guidance regarding the burglary, including answers to frequently asked questions that we anticipate on identity protection, identity theft, and precautionary measures is available at the University’s website: www.sc.edu/identity/index.shtml

We deeply regret any inconvenience or concern that this incident may cause. We assure you that the University, along with the Dean’s Office, is working diligently to prevent this type of incident from recurring.

Please know that the university faculty and staff are committed to protecting all personal information.

Commentary:
This is a physical, administrative and potentially logical information security breach. There is no information provided about what physical controls were present to prevent an intruder from stealing the desktop computer, so it is difficult to comment. There is little information provided around the administrative controls in place, but we can imply some things. Due to the fact that the school did not state that the storage of confidential information on client computers is prohibited, maybe we can assume that it is permitted. There was no mention of encryption, so I question whether or not this is a logical control that may have been lacking.

Information security is a holistic discipline and the controls I mention above are a very, very small part of the big picture.

Past Breaches:
September, 2007 - University of South Carolina Mistake Leads to Breach of 3,199 Records

US-CERT Gets New Boss

Thu, 05 Jun 2008 22:51:45 +0000

Former DOJ staffer Mischel Kwon to head up the US-CERT.

From Network World:

The U.S. Department of Homeland Security has chosen a new head of its U.S. Computer Emergency Readiness Team (US-CERT).

Mischel Kwon, will start as director of US-CERT on June 24, a DHS spokeswoman said Thursday. She is presently acting deputy director of IT security and the chief IT security technologist at the U.S. Department of Justice. She is also an adjunct professor at The George Washington University, where she runs the school’s Cyber Defense Lab.

She replaces Cheri McGuire, who left in March, and will report to Cornelius Tate, director of the DHS’s National Cyber Security Division.

Deducting 10 points for excessive use of the word “cyber”.

Article Link

Did the Rent-a-Center manager knowingly expose personal information?

Mon, 12 May 2008 11:05:33 +0000

Technorati Tag: Security Breach

Date Reported:
5/9/08

Organization:
Rent-a-Center*

*formerly RentWay

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers"

Breach Description:
"Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud."

Reference URL:
Sarasota Herald-Tribune
Bradenton Herald
Sarasota Herald-Tribune (May 10)

Report Credit:
Anthony Cormier, Sarasota Herald-Tribune

Response:
From the online sources cited above:

Hundreds of RentWay customer files — including Social Security, driver's license and credit card numbers — were abandoned in a parking lot, leaving consumers at risk for identity fraud.

The files were discovered in a plaza off Cortez Road on Friday morning.

In the files were photocopies of Social Security cards and driver's licenses, credit card numbers, home addresses and phone numbers of people who leased furniture, TVs and appliances from RentWay.

A Manatee Sheriff's deputy arrived at about 10:30 a.m. and called workers from Rent-A-Center, which acquired RentWay in 2006, to clean up the mess.

In dress slacks and business shirts, Rent-A-Center employees crawled in a Dumpster on Friday afternoon.

it was unclear how long the files were in the lot and who may have accessed the sensitive information

Rather than shredding the documents that contained personal information of clients and taking them to their own Dumpster, the employees left the papers piled in the bottom of the Dots' store Dumpster

Kimberly Lash, manager of Dots, a women's clothing store next door to the the vacant storefront, said the mess had been out in the corner of the building for nearly a week.

She said the Rent-A-Center store manager said there were personal documents in the Dumpster.
[Evan] If I understand this correctly, the Rent-A-Center manager knew that there were personal documents being discarded in the dumpster?! What the *&^# kind of manager would knowingly put his/her customers at risk? I wouldn't hold the Dot's store manager ultimately responsible, but I wonder why she didn't do or say anything when she was told that there was personal information in the dumpster.

"All they did was pick it up and put it in my Dumpster," she said.

On Friday morning, a transient was seen rifling through the paperwork until he was shooed off by Don McLucas, who found the mess and called police

"Unbelievable," McLucas said. "Imagine the fraud you could commit with this stuff. And they just dump it like that? Unbelievable."

"You could open a bank account, apply for a credit card, anything. That information could be worth hundreds of thousands of dollars." - Robert Siciliano, CEO of IDTheftSecurity.com
[Evan] The bad guys certainly know this. It seems like others either don't care or don't know.

The store manager of the Rent-A-Center store declined to comment. It's unclear what happened to the documents once they were removed from the Dots Dumpster.

Lt. William Vitaioli said it would not be a criminal violation to dispose of personal information such as Social Security numbers, credit card numbers, driver's license numbers or phone numbers.
[Evan] Should it be? This is a hot debate.

Florida law requires companies to notify consumers if the security of their personal information has been breached.
[Evan] Are notification laws working? Another hot debate.

Commentary:
If I had the time, I would check dumpsters on the way home one of these days. Think I would find anything along my 25 mile ride home?

Past Breaches:
Unknown

Stolen Hong Kong Child Assessment Service flash drive

Tue, 29 Apr 2008 18:05:03 +0000

Technorati Tag: Security Breach

Date Reported:
4/25/08

Organization:
People's Republic of China

Contractor/Consultant/Branch:
The Government of Hong Kong Special Administrative Region of the People's Republic of China
Department of Health
Child Assessment Service (Tuen Mun Centre)

Victims:
Adolescent patients

Number Affected:
700

Types of Data:
"detailed records of interviews with troubled youngsters including assessments and, in some cases, their photos, identity card numbers and addresses"

Breach Description:
"The Department of Health ( DH ) is working closely with the police in the investigation of a suspected theft case involving a removable electronic storage device ( USB flash drive ) containing patients’ information."

Reference URL:
Media Newswire
Monsters & Critics
Health & Community News

Report Credit:
Hong Kong Department of Health

Response:
From the online sources cited above:

Hong Kong - Medical data on almost 700 Hong Kong children and teenagers with social and developmental problems have been lost, the territory's government admitted Friday.
[Evan] This is the first breach that we have reported on The Breach Blog concerning information lost in Hong Kong. Want to know Hong Kong's laws and practices concerning personal information? Check out the Office of the Privacy Commissioner web site. I was impressed with what I saw.

The records were held on a memory card which was stolen from an unlocked room at a Child Assessment Centre in the city's Tuen Mun district
[Evan] I DO know that storing confidential information on a memory card (USB drive, flash drive, etc.) without encryption is a bad. bad idea.

The USB flash drive, which contained medical reports and referral letters of about 700 named patients, was found to be missing at the Child Assessment Centre ( CAC ) in Tuen Mun on April 18. Attempts to locate the device failed and the incident was reported to the Police on April 22.

The lost data included detailed records of interviews with troubled youngsters including assessments and, in some cases, their photos, identity card numbers and addresses.
[Evan] Is a Hong Kong identity card at all comparable to a Social Security card?

Hong Kong's Deputy Director of Health Gloria Tam apologized to the families affected and said they should contact police if anyone suspicious approached them with their personal details.

The Department of Health ( DH ) is working closely with the police in the investigation

The department has sent letters to parents of the involved patients to inform them of the situation and the Privacy Commissioner of Personal Data has also been notified.
[Evan] Here is the Commisioner's office "Response to the loss of medical data by Department of Health".

As the case involved personal privacy, the affected families should remain alert and report to the police if they were approached by suspicious people with their personal data, she said.

'We have reminded our staff about the absolute importance of office security and to strictly adhere to the government's security regulations,' she said in a statement.

With immediate effect, staff have been asked to keep storage of identifiable patient information in removable electronic devices to a minimum essential for the efficient conduct of business. The information should be encrypted.
[Evan] Not "should be encrypted", MUST be encrypted.

These should not be removed from the specific office/clinic unless with prior approval from the respective service heads.

A government hotline has been set up to deal with calls from youngsters and family members concerned over the loss of the data, she added.

There is a Department of Health hotline ( 2125 1133 ) for enquiries. The hotline will operate until 9pm today, from 9am to 1pm tomorrow and Sunday and from 9am to 5pm during weekdays from next Monday.

Dr Tam said the concerned doctor's case may be dealt with under civil-service regulations after the investigation is completed.
[Evan] I fear what this could mean.

Commentary:
The response from the Privacy Commissioner for Personal Data sums it up pretty well. Section 4 made good sense:

"The Privacy Commissioner for Personal Data Mr. Roderick B Woo takes the opportunity to remind both the public and private sectors to exercise particular caution when handling personal data. Stringent handling procedure and sufficient security safeguards should be implemented. In particular, when sensitive personal data are stored or transmitted by electronic means, the data shall be encrypted."

Past Breaches:
Unknown

Rhode Island Dept. of Administration can't find HR disk

Mon, 24 Mar 2008 12:36:58 +0000

Technorati Tag: Security Breach

Date Reported:
3/21/08

Organization:
State of Rhode Island

Contractor/Consultant/Branch:
Department of Administration

Victims:
State employees

Number Affected:
~1,400

Types of Data:
Human resources records including Social Security numbers

Breach Description:
"A state computer disk containing the social security numbers of nearly 1,400 people has been reported missing."

Reference URL:
SouthCoast Today
WPRI Eyewitness News

Report Credit:
Associated Press

Response:
From the online sources cited above:

A state computer disk containing the Social Security numbers of nearly 1,400 people is missing, the state Department of Administration announced Friday.

The department said there was no evidence that any number had been misused or that the disk had fallen into the hands of an unauthorized person.

It was working with the Rhode Island State Police to find the disk.

"We do not believe that it was stolen, we just believe it was misplaced at this point in time," said Melanie Marcaccio, the department's deputy personnel director. "We don't believe that individuals outside of the organization had any access to that data at any point in that time."
[Evan] Eventually the lost disk will be found. The question is by who and what will they do with it? The sad thing is that the information could cause damage if the answers are wrong.

The majority of the 1,400 people affected are state employees whose Social Security numbers were kept in human resources records

The information was discovered missing within the last two weeks when human resources staff members who had relocated from Providence to Cranston could not find the data on the server

The DOA sent a letter Thursday to all those affected, telling them the disk was missing and urging them to put a fraud alert on their credit file so creditors would contact them before any new accounts opened or any existing accounts changed.

Commentary:
Has anyone seen a disk lying around labeled "State of Rhode Island, Department of Administration - CONFIDENTIAL"?

Sensitive personal information requires more control than this. Was the disk encrypted?

Past Breaches:
Unknown

Oklahoma County Social Security numbers online

Thu, 13 Mar 2008 06:46:09 +0000

Technorati Tag: Security Breach

Date Reported:
3/11/08

Organization:
Oklahoma County

Contractor/Consultant/Branch:
Office of the County Clerk

Victims:
Oklahoma County residents

Number Affected:
"thousands"

Types of Data:
Information found on court documents including many Social Security numbers

Breach Description:
"The Social Security numbers of thousands of Oklahoma County residents are available on County Clerk Carolynn Caudill's website to anyone who wants to look, apparently in violation of federal law."

Reference URL:
Tulsa Today

Report Credit:
Mike McCarville, Tulsa Today

Response:
From the online source cited above:

The Social Security numbers of thousands of Oklahoma County residents are available on County Clerk Carolynn Caudill's website to anyone who wants to look, apparently in violation of federal law.

The numbers are contained on numerous documents filed of record in the county and are easily found by anyone with computerized research experience.

Social Security numbers of numerous prominent Oklahoma County residents were found with ease and in no case did we find a document where the Social Security number had been redacted, or blacked out, as is required under federal law.

Almost all of some 8.7 million documents - 17 million pages - are online, from mortgage documents, mineral deeds, liens and other legal "papers," from original land patents granted after the Land Run of 1889 to last week’s property deals, said Mark Mishoe, chief deputy for County Clerk Carolynn Caudill

While the Social Security numbers appear to have been available for several years on the clerk's site, it's been only recently that others have discovered them.

there are no reports yet of identity theft as a result so far as could be determined
[Evan] I don't know how it would be possible to determine identity theft victims if the information has been online for "several years".

Those discoveries apparently resulted in protests made to Caudill, who at tomorrow's Board of County Commissioner's meeting will request a requisition of almost $30,000 to hire a firm to begin redacting the numbers.

The board's agenda contains this item:
28. Discussion and possible action for approval of Statement of Work, HTC Global Services Inc., Redaction Quality Check Services.
[Evan] According to the Statement of Work (SOW), a company named AmCad performed the original redaction. It's not clear who is responsible for ongoing redaction for newly posted documents. Does an employee with the County Clerk's office have this responsibility? Where is the process failing that allows non-redacted documents to be posted? I'm glad that the county is taking steps to remediate the immediate exposure, but what will they do to prevent this from occurring again?

Easily located on Caudill's site were the Social Security numbers of television news anchors, public officials and prominent business leaders.
[Evan] Finding confidential information that affects prominent persons is a ticket to getting attention.

Commentary:
I could find nothing posted about this breach on the Oklahoma County or County Clerk web sites. I could not find any other news stories to corroborate this story either.

Security issues surrounding the duties of county clerks can be challenging from both a confidentiality and an integrity standpoint. I have seen instances where court decisions were made based on publicly available court documents that were inaccurate. Then there are cases where court documents should be public in whole, but contain sensitive confidential information in the details. What effective process should be in place to review court documents for accuracy and information sensitivity?

Does the county have an obligation to notify the residents that were affected by this breach? I think that they do ethically, but after a quick search I was not able to find anything legally binding.

Past Breaches:
Unknown

Security vs. Privacy

Tue, 29 Jan 2008 02:21:41 +0000

If there's a debate that sums up post-9/11 politics, it's security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity? Security versus privacy: It's the battle of the century, or at least its first decade.

In a Jan. 21 New Yorker article, Director of National Intelligence Michael McConnell discusses a proposed plan to monitor all -- that's right, all -- internet communications for security purposes, an idea so extreme that the word "Orwellian" feels too mild.

The article (now online here) contains this passage:

In order for cyberspace to be policed, internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer or Web search. "Google has records that could help in a cyber-investigation," he said. Giorgio warned me, "We have a saying in this business: 'Privacy and security are a zero-sum game.'"

I'm sure they have that saying in their business. And it's precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it's true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.

We've been told we have to trade off security and privacy so often -- in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric -- that most of us don't even question the fundamental dichotomy.

But it's a false one.

Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and -- possibly -- sky marshals. Everything else -- all the security measures that affect privacy -- is just security theater and a waste of effort.

By the same token, many of the anti-privacy "security" measures we're seeing -- national ID cards, warrantless eavesdropping, massive data mining and so on -- do little to improve, and in some cases harm, security. And government claims of their success are either wrong, or against fake threats.

The debate isn't security versus privacy. It's liberty versus control.

You can see it in comments by government officials: "Privacy no longer can mean anonymity," says Donald Kerr, principal deputy director of national intelligence. "Instead, it should mean that government and businesses properly safeguard people's private communications and financial information." Did you catch that? You're expected to give up control of your privacy to others, who -- presumably -- get to decide how much of it you deserve. That's what loss of liberty looks like.

It should be no surprise that people choose security over privacy: 51 to 29 percent in a recent poll. Even if you don't subscribe to Maslow's hierarchy of needs, it's obvious that security is more important. Security is vital to survival, not just of people but of every living thing. Privacy is unique to humans, but it's a social need. It's vital to personal dignity, to family life, to society -- to what makes us uniquely human -- but not to survival.

If you set up the false dichotomy, of course people will choose security over privacy -- especially if you scare them first. But it's still a false dichotomy. There is no security without privacy. And liberty requires both security and privacy. The famous quote attributed to Benjamin Franklin reads: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety." It's also true that those who would give up privacy for security are likely to end up with neither.

This essay originally appeared on Wired.com.

Locked Call Boxes and Banned Geiger Counters

Fri, 18 Jan 2008 04:44:31 +0000

According to Fire Engineering magazine, one reason for the slow response to the Great Chicago Fire of 1871 was that fire alarms were kept locked to prevent false alarms:

Q: Prior to 1870, street corner fire alarm pull boxes were kept locked. Why were they kept locked and how did a person gain access to 'pull the box?'
A: They were kept locked due to false alarms. Nearby shopkeepers or beat cops carried the keys.

Here's Robert Cromie, writing in The Great Chicago Fire (Thomas Nelson: 1994), page 33:

William Lee, the O'Leary's neighbor, rushed into Goll's drugstore, and gasped out a request for the key to the alarm box. The new boxes were attached to the walls of stores or other convenient locations. To prevent false alarms and crank calls, the boxes were locked, and the keys given to trustworthy citizens nearby.
What happened when Lee made his request is not clear. Only one fact emerges from the confusion: No alarm was registered from any box in the vicinity of the fire until it was too late to do any good.

Apparently, Lee said that Goll refused to give him the key because he'd already seen a fire engine go past; Goll said he actually did pull the alarm, twice, but if so it must not have worked.

(There's more about what sounds like a really bad communications failure, but it's a little too hard for me to read on the Amazon website.)

Here's more:

But did you know that the fire burned for over half an hour before an alarm was ever sounded? Alarm boxes were actually kept locked in those days, to prevent false alarms!
When the first alarm box was finally opened and the lever pulled, the alarm somehow did not get through. The fire dispatcher was playing a guitar for a couple of girls at the time and he kept on serenely strumming, completely unawares. After the fire had been growing and blazing for nearly an hour a watchman screamed at the dispatcher to sound an alarm, which he did, and the first three engines, two hose wagons, and two hook and ladders were sent out -- but in the wrong direction!

At first the dispatcher refused to sound another alarm, hoping to avoid further confusion.

Compare this with a proposed law in New York City that will require people to get a license before they can buy chemical, biological, or radiological attack detectors:

The legislation — which was proposed by the Bloomberg administration and would be the first of its kind in the nation — would empower the police commissioner to decide whether to grant a free five-year permit to individuals and companies seeking to "possess or deploy such detectors." Common smoke alarms and carbon monoxide detectors would not be covered by the law, the Police Department said. Violations of the law would be considered a misdemeanor.
Why does the administration think such a law is necessary? Richard A. Falkenrath, the Police Department’s deputy commissioner for counterterrorism, told the Council’s Public Safety Committee at a hearing today, "Our mutual goal is to prevent false alarms and unnecessary public concern by making sure that we know where these detectors are located and that they conform to standards of quality and reliability."

The law would also require anyone using such a detector -- regardless of whether they have obtained the required permit -- to notify the Police Department if the detector alerted them to a biological, chemical or radiological agent. “In this way, emergency response personnel will be able to assess threats and take appropriate action based on the maximum information available,” Dr. Falkenrath said.

False positives are a problem with any detection system, and certainly putting Geiger counters in the hands of everyone will mean a lot of amateurs calling false alarms into the police. But the way to handle that isn't to ban Geiger counters. (Just as the way to deal with false fire alarms 100 yeras ago wasn't to lock the alarm boxes.) The way to deal with it is by 1) putting a system in place to quickly separate the real alarms from the false alarms, and 2) prosecuting those who maliciously sound false alarms.

Iowa DNR loses personal information on 7,000

Wed, 19 Dec 2007 11:22:00 +0000

Technorati Tag: Security Breach

Date Reported:
12/11/07

Organization:
State of Iowa

Contractor/Consultant/Branch:
Department of Natural Resources (DNR)
Salem Associates

Victims:
Waste water and drinking water worker permit applicants

Number Affected:
7,000

Types of Data:
Applicant data including names, addresses, phone numbers, and Social Security numbers.

Breach Description:
An employee of Salem Associates, a contractor working for the Iowa DNR lost a thumb (flash) drive containing sensitive personal information belonging to DNR waster water and drinking water permit and certification applicants.

Reference URL:
KCRG-TV News Story
Radio Iowa News Story
The Des Moines Register

Report Credit:
Mike Wagner, Managing Editor with KCRG-TV News

Response:
From the online sources cited above:

A contractor for the Iowa Department of Natural Resources lost a computer flash drive containing the names and Social Security numbers of more than 7,000 Iowans

The information on the flash drive was about people who operate water and sewage treatment plants, landfills and well-drilling operations.

the records, kept by Salem Associates of Des Moines on behalf of the DNR, were related to the certifications.
[Evan] Salem Associates is a an IT services contractor for the DNR. You would think that a company that makes a living off of IT would know better than to copy un-encrypted confidential data to a thumb drive.

Salem told DNR managers on Dec. 5 that the flash drive…went missing on Nov. 21 and probably ended up in the trash at the department's office complex in Des Moines.

Liz Christiansen, deputy director of the DNR, sent a letter to the affected people on Friday.

The records included information about retirees in addition to active workers.

Rick Hindman, an information technology supervisor at the DNR, said that Iowa government policy bans the use of flash drives to back up sensitive information but that the DNR's policy is not as specific.
[Evan] A non-specific policy is doomed to fail as is the entire program built around it.

The department was already reviewing its security policies when the Salem incident happened and probably will ban the use of flash drives in similar situations, he said.
[Evan] Probably? If the Iowa DNR decides not to ban them, I hope they at least decide to control them (encrypt).

State law and U.S. Environmental Protection Agency rules often require that Social Security numbers be listed on the databases, Hindman said.
[Evan] Is this true? Ugh, outdated regulation and bureaucracy.

He said it is unlikely that people could access the records even if they had the flash drive. That's because the file was a backup copy that would have to be restored, meaning the user would need the same program used to create the file - a program that isn't on many home or office computers. "The information is not encrypted, but it isn't very accessible," Hindman said.
[Evan] Just because the data "isn't very accessible" does not mean it is secure and it does not excuse the Iowa DNR from treating confidential data in risky manner. This is nothing more than an attempt to minimize the situation and draw attention away from the true problem(s).

He said the state has not received any reports of fraud or identity theft and doubts that it will.

The DNR is paying for a year's worth of credit-monitoring service for the workers. The workers have been told to contact the Iowa attorney general's office if they suspect fraud or identity theft.
[Evan] One year of credit monitoring may help all of those people who have expriring Social Security numbers. Do you have an expiring Social Security number? I don't.

"We sincerely apologize for the inconvenience this situation causes you and reiterate our commitment to achieving and maintaining information technology security systems," Christiansen said in her letter.

Victim Reaction:
"We were told the state system is secure and there is no way anyone could hack into it," - Scott Smith of the Boone County landfill and past president of the state landfill operators association.

"They don't have to hack to get the information - they are handing it out on flash drives." - Scott Smith

Commentary:
Breaches like this irk me. An employee working for an IT contractor for some reason thought it would be OK to copy confidential data onto a thumb drive. Thumb drives are inherently an information security nightmare if they are not properly controlled. They are small, high-capacity and easily lost or stolen. Some of the options we have explored in the past include disabling USB ports and employing technological controls (check out TrueCrypt, BeCrypt Connect Protect, GFI EndPointSecurity and Pointsec to name just a few).

According to a May, 2007 Information Week article, "Thumb Drives Replace Malware As Top Security Concern"

Why is the DNR policy "not as specific"?

Past Breaches:
Unknown