http://securityratty.com/tag/dwp Tue, 19 Feb 2008 14:11:13 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/9b792cac1e080d88a38cc9805a13d12f http://securityratty.com/article/9b792cac1e080d88a38cc9805a13d12f Security Breach

Date Reported:
3/11/08

Organization:
19 organizations, including Modesto City Schools, Torrance Unified School District, Clovis Unified School District, Los Angeles Department of Water and Power ("DWP"),  and Nestle Waters North America Inc. ("NWNA")

Contractor/Consultant/Branch:
Systematic Automation Inc.*

*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08,
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08,
"Clovis Unified School District employees receive notice" dated 2/21/08
"Systematic Automation breach continued..." dated 2/22/08, and
"Nestle Waters North America employee affected by Systematic Automation breach" dated 3/4/08

Update:
The Modesto Bee and the Whittier Daily News are reporting that a computer has been recovered from the home of Todd Irvine, 43 from La Habra.  The computer "contained more than 40,000 names, addresses and Social Security numbers of California residents" according to a Fullerton police sergeant.

Reference URL:
Whittier Daily News
Modesto Bee

Report Credit:
Whittier Daily News

Response:
From the online sources cited above:

Fullerton police detectives analyzed data Tuesday from a stolen computer seized from a La Habra man that contained more than 40,000 names, addresses and Social Security numbers of California residents, a sergeant said.

Todd Irvine, 43, was arrested on Friday after Fullerton detectives served a search warrant at his home in the 700 block of La Serna Avenue, said Fullerton police Sgt. Linda King.

The computer was stolen in a Feb. 11 commercial burglary of Systematic Automation Inc., a Fullerton data processing firm. The company prints individualized annual statements customized for employees with a summary of their health and other employee benefits, King said.

Fullerton police received information that the stolen computer was being used to access the Internet, which led to detectives obtaining the search warrant, King said.

Several other computers also were seized, she said.

Police are analyzing the computer to determine if the employee information files had been compromised, but no related cases of identity theft have been reported, she said.

Irvine, a parolee, faces possession of stolen property charges, King said.

Commentary:
Mr. Irvine is not a very bright individual, is he?  I suspect that the confidential information was not accessed by Mr. Irvine, and I also suspect he didn't even know what he had.

Police did a superb job by following up on leads and treating this crime very seriously.  They should be commended on their work.

This has been one of the most popular breaches in terms of the number of times the articles have been read, since The Breach Blog was launched in September, 2007

What should become of Systematic Automations?

]]> Wed, 12 Mar 2008 09:22:26 +0000 fullerton police sergeant fullerton police fullerton police sgt systematic automation fullerton police detectives police systematic automation breach computer breach UPDATE: A computer stolen from Systematic Automation is found http://securityratty.com/article/662c821c98ea5a31b7ba3df83725eae5 http://securityratty.com/article/662c821c98ea5a31b7ba3df83725eae5 Security Breach

Date Reported:
2/16/08

Organization:
Clovis Unified School District

Contractor/Consultant/Branch:
Systematic Automation*

*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08, and
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08

Victims:
Employees

Number Affected:
~4,000**

**Over 15,000 total (and counting)

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
Computer equipment was stolen from a Clovis Unified School District vendor, Systematic Automation that contained sensitive personal information belonging to employees of the district.  Systematic Automation manages employee benefit information, and the district is the third reported organization affected by the loss.

Reference URL:
CBS Channel 47 News online story
The Fresno Bee online story

Report Credit:
CBS Channel 47 News

Response:
From the online sources cited above:

Clovis Unified School District employees were notified that a computer stolen this week from a Fullerton company contained personal information -- including Social Security numbers -- for about 4,000 district employees.

police do not believe the intent of the burglary was to steal identity information
[Evan] I don't know how you would determine intent based on the limited information available.  At some point in time thieves are going to figure out that there is a heckuva lot more to gain by using the stolen information than there is in the pawning off the hardware.

Fullerton police say the computers are password protected but that doesn't mean the code can't be cracked
[Evan] This is very true.  Most Windows passwords can be bypassed in less than five minutes.

the district has recommended that employees establish fraud alerts on their credit files

The district also held two fraud-prevention seminars for employees Wednesday, with seven more planned during the next week.

Employee information for Clovis Unified and 15 other organizations was jeopardized when Systematic Automation of Fullerton was burglarized about 4:30 a.m. Monday.
[Evan] Wow.  15 organizations and their employees are at risk due to one breach.  We know of at least three; Clovis Unified School District, Los Angeles Department of Water and Power ("DWP"), and Modesto City Schools.

District employees were alerted in an e-mail about 3:30 p.m. Tuesday
[Evan] Quick notification.  This was a good decision on the part of district management

The stolen computer contained Clovis Unified employee names, addresses and salaries, as well as Social Security numbers. It did not contain birth dates or other personal information.

Systematic Automation handles the online benefits enrollment for Clovis Unified employees and publishes information on what benefits each employee receives
[Evan] Might need to change "handles" to "handled".  I wonder how this single breach affects Systematic Automation's business viability.

The police believe the computers contained tens of thousands of pieces of information.

Commentary:
What is there to say that hasn't already been said in the two previous postings?  Did any of the 15 organizations audit Systematic Automation's information security practices?

Past Breaches:
Clovis Unified School District:
Unknown
Systematic Automation:
February, 2008 - L.A. Dept. of Water of Power employees exposed
February, 2008 - Theft from vendor affects Modesto City Schools employees

]]> Wed, 20 Feb 2008 22:57:26 +0000 district district employees school district district management school district vendor school district employees employees sensitive personal information personal information Clovis Unified School District employees receive notice http://securityratty.com/article/f70613215508b1a91be5d9f49aab2c95 http://securityratty.com/article/f70613215508b1a91be5d9f49aab2c95 Security Breach

Date Reported:
2/15/08

Organization:
Los Angeles Department of Water and Power ("DWP")

Contractor/Consultant/Branch:
Systematic Automation Inc.

*This breach appears to be related to "Theft from vendor affects Modesto City Schools employees" dated 2/12/08

Victims:
Employees

Number Affected:
8,275

Types of Data:
"names, Social Security numbers, dates of birth, employee identification numbers, salaries, work locations, deferred compensation balances (but not account numbers), insurance plan coverage and health care benefits selection"

Breach Description:
Computer equipment was stolen from a Los Angeles Department of Water and Power vendor, Systematic Automation that contained sensitive personal information belonging to every employee of the utility.

Reference URL:
Los Angeles Daily News online story
Los Angeles Times online story

Report Credit:
Beth Barrett, Los Angeles Daily News

Response:
From the online sources cited above:

Computer equipment containing the private financial data of every employee of the Los Angeles Department of Water and Power was stolen earlier this week, prompting the utility to pay for a credit monitoring service for each of its 8,275 workers.

DWP General Manager H. David Nahai sent a letter to employees Wednesday informing them of the "possible security breach" and of steps being taken to safeguard them from the risk of identity theft.

DWP officials said the theft occurred at Systematic Automation Inc. in Fullerton and is being investigated by Fullerton law enforcement.
[Evan] From last week's Modesto City Schools breach, in which "A computer hard drive containing sensitive personal information belonging to Modesto City School district employees was stolen from Systematic Automation Inc. in Fullerton, California."  Do you suppose this means that Systematic Automation was storing multiple client data sets on the same drive?

The data that was taken on active DWP employees included names, Social Security numbers, dates of birth, employee identification numbers, salaries, work locations, deferred compensation balances (but not account numbers), insurance plan coverage and health care benefits selection.

Nahai said the DWP had contracted with the company to print retirement booklets showing employees' benefits and other information

"This kind of work is done by very specialized companies, and I think many companies contract out this kind of work," he said. (Nahai)
[Evan] This may justify why DWP sent the information out to a vendor, but it does not justify the breach or the lack of oversight (vendor management).  Vendors trusted with confidential information MUST be held to the same strict standards as the company itself.

Nahai said the DWP was taking "extraordinary steps to protect our employees.

He said the data is encrypted and that the thieves may not be able to extract it.
[Evan] Encrypting the information is a very good call by DWP, but according to the Modesto City Schools breach, "Snelling said the district sent the employee information in an encrypted format to Systematic Automation, where it apparently was stored on the computer in an unencrypted format."  I would be surprised if the DWP information were not in a similar state.

The utility's Retirement Office (213-367-1692) also has made arrangements for a one-year subscription to a credit monitoring service for employees.

"It's in the very early stages of the investigation, and very early to point fingers," he said. (Nahai)

DWP spokesman Joe Ramallo said the utility had no evidence that the missing information had been misused

"We're required by law to notify our employees that this theft occurred," he said. "But we don't have any knowledge at this point that the data was the target, and law enforcement said they don't believe that it is."

a spokesman for the International Brotherhood of Electrical Workers Local 18, the union that represents DWP employees, said Friday that his workers were "shocked and upset" by the loss of the data.

"They believe this is a direct result of the mania for outsourcing that the DWP has had," said Bob Cherry, a communications consultant for the union. "The DWP should have been paying more attention to the potential impact of sensitive data like this getting sent to outside vendors."
[Evan] Bob Cherry knows a thing or two.  The security of information is the responsibility of the organization to whom it was originally given to by the owner.  This is a simple owner/custodian relationship.  Just because the custodian did not lose the hard drive directly does not mean that the custodian is not responsible for the breach.

Vince Foley, who serves on the board of the DWP Retired Employees Assn., said he has received anxious calls from retirees. The stolen computer equipment also contained financial data on employees who retired between July 1, 2006, and June 30, 2007.

Foley said. "DWP's computers are, of course, encrypted and protected. But this is a situation where they had . . . a consultant who's given all this data so they can prepare the [benefits] statements."

Commentary:
I wonder how many more organizations are affected by the Systematic Automation burglary.  So far, we know of two organizations and over 11,000 affected persons.

There are lessons to be learned from almost any breach, and it's easier to play the "Monday morning quarterback".  Good information security programs recognize the importance of managing security throughout the life-cycle of the information, no matter where it resides.  At a minimum:

1. Thoroughly evaluate the information security practices of vendors before engaging in formal business agreements.
2. Information security language should be included in contractual agreements.
3. Conduct regular audits of vendors to ensure that they continue to abide by your information security policies, standards, guidelines and procedures.
4. If your company engages vendors on a regular basis, formalize the vendor security evaluation, approval and audit process.
   

These are just some tips that could easily be expanded upon and refined to your individual situation.

Past Breaches:
Related:
February, 2008 - Theft from vendor affects Modesto City Schools employees

]]> Tue, 19 Feb 2008 14:11:13 +0000 employee information information information security practices confidential information information security policies sensitive personal information dwp dwp officials represents dwp employees L.A. Dept. of Water of Power employees exposed