http://securityratty.com/tag/dpw Wed, 12 Dec 2007 12:10:53 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/e8b36cb6c44070799de7b29f38f06218 http://securityratty.com/article/e8b36cb6c44070799de7b29f38f06218 Security Breach

Date Reported:
12/6/07

Organization:
State of Pennsylvania

Contractor/Consultant/Branch:
Department of Public Welfare (DPW)

Victims:
Certain welfare clients

Number Affected:
86*

*Names and Social Security numbers of 14 clients
*Names and addresses of 72 clients

Types of Data:
Names, addresses and Social Security numbers (see above)

Breach Description:
On December 5th, 2007 Edward Novak from the Pennsylvania Department of Public Welfare (DPW) sent a news release announcing the theft of a DPW computer that contained sensitive personal information about a limited number of DPW clients.  This is the second such breach of 2007 at DPW.

Reference URL:
The Pennsylvania Department of Public Welfare Press Release

Report Credit:
State of Pennsylvania Department of Public Welfare

Response:
The official DPW news release in it's entirety:

The Department of Public Welfare today began notifying 86 clients whose personal information was contained on a computer stolen from a DPW office in Philadelphia.

While there is no indication that any of the information on the stolen computer has been used inappropriately, DPW wants to ensure that potentially affected clients are notified of the incident, and understand that the department is taking every possible precaution to
protect them.

"We sincerely apologize to all of those who may be affected by this regrettable incident," said Secretary of Public Welfare Estelle B. Richman. "The department is working closely with law enforcement throughout their investigation and is ready to assist every client who may be impacted."
[Evan] I really like this statement from Estelle B. Richman.  It feels genuine to me.

The information on the computers was password protected. The information contained the names and Social Security numbers of approximately 14 clients and the  names and addresses only of another 72 clients.
[Evan] You know my thoughts on password protection. If this breach is indicative of other computers and data-at-rest locations within the department, then there is another breach just waiting to happen.  Encryption is a must and Password protection = momentary nuisance to a crook.  This is the second such breach at DPW this year.

The department today has began mailing notification letters to all 86 individuals who could potentially be affected in order to explain what has happened and to assist them with any remediation steps they will need to take. 

Consumers with questions or those who believe they have been affected can call the Philadelphia Change Center at (215) 560-7226 in the Philadelphia area, from 7:30 a.m. to 5 p.m.

For additional information on identify theft or to learn about steps to take if you believe you have been a victim, visit the Pennsylvania Commission on Crime and Delinquency's Web site at www.identitytheftactionplan.com

CONTACT:    Anne C. Bale (717) 787-4592

Commentary:
This breach was relatively small in terms of numbers or people affected, but I have a hunch that it exposes a relatively large risk within the DPW.  All confidential data at rest need to be encrypted with the keys managed securely.

The DPW should be applauded in their response and disclosure (i.e. a link to the press release is prominently displayed on the DPW home page), but admonished for not encrypting sensitive data at rest.

Past Breaches:
September, 2007 - Pennsylvania DPW computers stolen, exposing 375,000 citizens



]]> Wed, 12 Dec 2007 12:10:53 +0000 dpw computer dpw pennsylvania pennsylvania dpw computers dpw clients pennsylvania department sensitive personal information personal information department Another stolen Pennsylvania DPW computer, more victims