http://securityratty.com/tag/fullerton Tue, 12 Feb 2008 12:03:09 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/9b792cac1e080d88a38cc9805a13d12f http://securityratty.com/article/9b792cac1e080d88a38cc9805a13d12f Security Breach

Date Reported:
3/11/08

Organization:
19 organizations, including Modesto City Schools, Torrance Unified School District, Clovis Unified School District, Los Angeles Department of Water and Power ("DWP"),  and Nestle Waters North America Inc. ("NWNA")

Contractor/Consultant/Branch:
Systematic Automation Inc.*

*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08,
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08,
"Clovis Unified School District employees receive notice" dated 2/21/08
"Systematic Automation breach continued..." dated 2/22/08, and
"Nestle Waters North America employee affected by Systematic Automation breach" dated 3/4/08

Update:
The Modesto Bee and the Whittier Daily News are reporting that a computer has been recovered from the home of Todd Irvine, 43 from La Habra.  The computer "contained more than 40,000 names, addresses and Social Security numbers of California residents" according to a Fullerton police sergeant.

Reference URL:
Whittier Daily News
Modesto Bee

Report Credit:
Whittier Daily News

Response:
From the online sources cited above:

Fullerton police detectives analyzed data Tuesday from a stolen computer seized from a La Habra man that contained more than 40,000 names, addresses and Social Security numbers of California residents, a sergeant said.

Todd Irvine, 43, was arrested on Friday after Fullerton detectives served a search warrant at his home in the 700 block of La Serna Avenue, said Fullerton police Sgt. Linda King.

The computer was stolen in a Feb. 11 commercial burglary of Systematic Automation Inc., a Fullerton data processing firm. The company prints individualized annual statements customized for employees with a summary of their health and other employee benefits, King said.

Fullerton police received information that the stolen computer was being used to access the Internet, which led to detectives obtaining the search warrant, King said.

Several other computers also were seized, she said.

Police are analyzing the computer to determine if the employee information files had been compromised, but no related cases of identity theft have been reported, she said.

Irvine, a parolee, faces possession of stolen property charges, King said.

Commentary:
Mr. Irvine is not a very bright individual, is he?  I suspect that the confidential information was not accessed by Mr. Irvine, and I also suspect he didn't even know what he had.

Police did a superb job by following up on leads and treating this crime very seriously.  They should be commended on their work.

This has been one of the most popular breaches in terms of the number of times the articles have been read, since The Breach Blog was launched in September, 2007

What should become of Systematic Automations?

]]> Wed, 12 Mar 2008 09:22:26 +0000 fullerton police sergeant fullerton police fullerton police sgt systematic automation fullerton police detectives police systematic automation breach computer breach UPDATE: A computer stolen from Systematic Automation is found http://securityratty.com/article/2037234f20d359e95edd4fe9f57e2ede http://securityratty.com/article/2037234f20d359e95edd4fe9f57e2ede Security Breach

Date Reported:
2/26/08

Organization:
Nestle Waters North America Inc. ("NWNA")

Contractor/Consultant/Branch:
Systematic Automation*

*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08,
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08, and
"Clovis Unified School District employees receive notice" dated 2/21/08
"Systematic Automation breach continued..." dated 2/22/08

Victims:
Employees of NWNA in 2006

Number Affected:
8,245

Types of Data:
Names, dates of birth, addresses and Social Security numbers.

Breach Description:
Computer equipment was stolen from a Nestle Waters North America ("NWNA") vendor, Systematic Automation that contained sensitive personal information belonging to persons employed with NWNA in 2006.  Systematic Automation was employed by NWNA to create and distribute employee benefits statements.  So far, this single breach has affected persons affiliated with five separate organizations.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

An Important Notification To Our NWNA Employees:
Systematic Automation Inc. ("SAI"), one of our vendors, recently experienced a breakin at their facility in Fullerton, California. Among other things, a desktop computer was stolen that contained a database of sensitive personal informatiion about NWNA employees, including a list of NWNA employees' names, addresses, dates of birth, and social security numbers.

This database only contained information about employees that were on the payroll as of February 1, 2006.

The information was password protected, but was not in an encrypted format.
[Evan] A username and password (most likely Windows operating system) is not adequate protection for confidential information.  A Windows XP/2000 password can be bypassed in a matter of minutes.  IF the desktop computer were stolen for the information it contained, then we should consider it disclosed.  Although encryption is not a perfect solution, it reduces the risk of exposure to an acceptable level in most circumstances.

We use SAI to create and distribute your employee benefits statements. In order for SAI to properly complete the work, we must provide SAI with certain personal information.
[Evan] Understood, but then SAI needs to be regularly monitored for compliance with policy around the protection of such information.

We deeply regret that this incident occurred and we are talking immediate steps to make sure that something like this does not happen again.

At this time, we do not know if the thieves stole the computer with the intent to use the personal information for credit fraud purposes or whether this was merely a random criminal act.

The Fullerton Police Department is investigating the incident and SAI is cooperating fully with the Police Department investigation.

If this stolen personal information got in the wrong hands, however, you are at risk for identity theft or fraud.

NWNA will also provide, at no cost to you, one year of premium credit monitoring from Equifax, a leading credit monitoring company.
[Evan] Equifax is a leading credit monitoring company, but also one of the three credit reporting agencies.  It amazes me how Experian has capitalized on the information they collect, manage and sell.  They are responsible for keeping accurate records, but at the same time will charge people a fee to make sure that they are doing what they are supposed to be doing.  Something should give.

In the near future, instructions on enrollment will be mailed directly to your homes.

In addition, NWNA is in the process of establishing a hotline to provide you with the resources you need to get your questions answered.

NWNA sincerely regrets any inconvenience this incident may cause you.

Commentary:
As mentioned earlier, NWNA is the fifth known organization to be affected by the single breakin at Systematic Automation.  It is becoming more and more clear that Systematic Automation did not follow some information security "best practices" by segmenting confidential customer data and encrypting it at rest.

I have not yet seen a statement from Systematic Automation.

Past Breaches:
Nestle Waters North America:
Unknown
Systematic Automation:
February, 2008 - Systematic Automation breach continued...
February, 2008 - Clovis Unified School District employees receive notice
February, 2008 - L.A. Dept. of Water of Power employees exposed
February, 2008 - Theft from vendor affects Modesto City Schools employees

]]> Tue, 04 Mar 2008 07:08:42 +0000 systematic automation breach systematic automation sensitive personal information personal information breach employees power employees information nwna Nestle Waters North America employee affected by Systematic Automation breach http://securityratty.com/article/32ca930ef71fb370c271d0c682b7a939 http://securityratty.com/article/32ca930ef71fb370c271d0c682b7a939 Security Breach

Date Reported:
2/22/08

Organization:
Torrance Unified School District

Contractor/Consultant/Branch:
Systematic Automation*

*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08,
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08, and
"Clovis Unified School District employees receive notice" dated 2/21/08

Victims:
Employees

Number Affected:
~2,200**

**Over 17,000 total (and counting)

Types of Data:
Names, addresses, dates of birth and Social Security numbers

Breach Description:
Computer equipment was stolen from a Torrance Unified School District vendor, Systematic Automation that contained sensitive personal information belonging to employees of the 33 campus district.  Systematic Automation manages employee benefit information, and the district is the fourth reported organization affected by the loss.

Reference URL:
The dailybreeze.com online news story

Report Credit:
Shelly Leachman, dailybreeze.com, also submitted to The Breach Blog by an informed reader

Response:
From the online source cited above:

Personal information about 2,200 Torrance Unified School District staffers was housed on a hard drive recently stolen from an Orange County company that helps agencies administer employee health benefits.

Names, addresses, birth dates and Social Security numbers were among the personal details stored on equipment at Systematic Automation Inc. of Fullerton, district officials confirmed Friday.

"I'm a little disappointed with my school district for not having done something about it. They have had a lot of time to respond to us," said Irmi Lake, a 10-year Torrance Unified para-educator and chapter vice president of her union, the California School Employees Association.

Noting that members of her union "don't fault the district for the incident," Lake added, "I was hoping that we would get some more assistance to help all the employees in the district."
[Evan] The district DOES share some fault in this breach.  The personal information was given to the district with the assumption that the district would protect the information.  The responsibility for the protection of information does not cease because the district contracted a third-party to work with the information.  Vendors, contractors and consultants must all comply with an organization's information security policies and practices.  The organization must demand compliance and audit vendors on a regular basis.

Business chief Don Stabler said Friday that letters addressing the theft and including information about fraud alerts are en route to all those affected.

"We're not downplaying it at all," Stabler said, noting that such a breach is a first for the 33-campus district. "It is a serious situation, and we're doing everything we can to notify our employees and give them some information so they can protect themselves."

Torrance Unified has contracted with Systematic Automation for about one year, Stabler said, explaining that the company digitally enrolls district staffers for health benefits.

In addition to the data-containing hard drive, three monitors were stolen.

Commentary:
As stated earlier in the posting, this is the fourth organization affected by this single breach.  I wonder if any one of the organizations inspected Systematic Automation's information security practices.  If they had, would they have known that Systematic Automation stores sensitive personal information entrusted to multiple organizations on a shared unencrypted hard drive?

A couple of tips if you are contacting with a company that you share confidential information with (beyond what was shared in the commentary here):

1. Demand that your vendors segment your confidential information from those of their other clients.
2. Demand encryption of confidential information while in transit and at rest.
   

Of course there are no guarantees, but each security best practice followed decreases the amount of risk to unauthorized disclosure of confidential information.

Past Breaches:
Torrance Unified School District:
Unknown
Systematic Automation:
February, 2008 - Clovis Unified School District employees receive notice
February, 2008 - L.A. Dept. of Water of Power employees exposed
February, 2008 - Theft from vendor affects Modesto City Schools employees

]]> Mon, 25 Feb 2008 07:28:07 +0000 sensitive personal information personal information district information 33-campus district district officials enrolls district staffers information security practices school district vendor Systematic Automations breach continued... http://securityratty.com/article/662c821c98ea5a31b7ba3df83725eae5 http://securityratty.com/article/662c821c98ea5a31b7ba3df83725eae5 Security Breach

Date Reported:
2/16/08

Organization:
Clovis Unified School District

Contractor/Consultant/Branch:
Systematic Automation*

*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08, and
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08

Victims:
Employees

Number Affected:
~4,000**

**Over 15,000 total (and counting)

Types of Data:
Names, addresses and Social Security numbers

Breach Description:
Computer equipment was stolen from a Clovis Unified School District vendor, Systematic Automation that contained sensitive personal information belonging to employees of the district.  Systematic Automation manages employee benefit information, and the district is the third reported organization affected by the loss.

Reference URL:
CBS Channel 47 News online story
The Fresno Bee online story

Report Credit:
CBS Channel 47 News

Response:
From the online sources cited above:

Clovis Unified School District employees were notified that a computer stolen this week from a Fullerton company contained personal information -- including Social Security numbers -- for about 4,000 district employees.

police do not believe the intent of the burglary was to steal identity information
[Evan] I don't know how you would determine intent based on the limited information available.  At some point in time thieves are going to figure out that there is a heckuva lot more to gain by using the stolen information than there is in the pawning off the hardware.

Fullerton police say the computers are password protected but that doesn't mean the code can't be cracked
[Evan] This is very true.  Most Windows passwords can be bypassed in less than five minutes.

the district has recommended that employees establish fraud alerts on their credit files

The district also held two fraud-prevention seminars for employees Wednesday, with seven more planned during the next week.

Employee information for Clovis Unified and 15 other organizations was jeopardized when Systematic Automation of Fullerton was burglarized about 4:30 a.m. Monday.
[Evan] Wow.  15 organizations and their employees are at risk due to one breach.  We know of at least three; Clovis Unified School District, Los Angeles Department of Water and Power ("DWP"), and Modesto City Schools.

District employees were alerted in an e-mail about 3:30 p.m. Tuesday
[Evan] Quick notification.  This was a good decision on the part of district management

The stolen computer contained Clovis Unified employee names, addresses and salaries, as well as Social Security numbers. It did not contain birth dates or other personal information.

Systematic Automation handles the online benefits enrollment for Clovis Unified employees and publishes information on what benefits each employee receives
[Evan] Might need to change "handles" to "handled".  I wonder how this single breach affects Systematic Automation's business viability.

The police believe the computers contained tens of thousands of pieces of information.

Commentary:
What is there to say that hasn't already been said in the two previous postings?  Did any of the 15 organizations audit Systematic Automation's information security practices?

Past Breaches:
Clovis Unified School District:
Unknown
Systematic Automation:
February, 2008 - L.A. Dept. of Water of Power employees exposed
February, 2008 - Theft from vendor affects Modesto City Schools employees

]]> Wed, 20 Feb 2008 22:57:26 +0000 district district employees school district district management school district vendor school district employees employees sensitive personal information personal information Clovis Unified School District employees receive notice http://securityratty.com/article/f70613215508b1a91be5d9f49aab2c95 http://securityratty.com/article/f70613215508b1a91be5d9f49aab2c95 Security Breach

Date Reported:
2/15/08

Organization:
Los Angeles Department of Water and Power ("DWP")

Contractor/Consultant/Branch:
Systematic Automation Inc.

*This breach appears to be related to "Theft from vendor affects Modesto City Schools employees" dated 2/12/08

Victims:
Employees

Number Affected:
8,275

Types of Data:
"names, Social Security numbers, dates of birth, employee identification numbers, salaries, work locations, deferred compensation balances (but not account numbers), insurance plan coverage and health care benefits selection"

Breach Description:
Computer equipment was stolen from a Los Angeles Department of Water and Power vendor, Systematic Automation that contained sensitive personal information belonging to every employee of the utility.

Reference URL:
Los Angeles Daily News online story
Los Angeles Times online story

Report Credit:
Beth Barrett, Los Angeles Daily News

Response:
From the online sources cited above:

Computer equipment containing the private financial data of every employee of the Los Angeles Department of Water and Power was stolen earlier this week, prompting the utility to pay for a credit monitoring service for each of its 8,275 workers.

DWP General Manager H. David Nahai sent a letter to employees Wednesday informing them of the "possible security breach" and of steps being taken to safeguard them from the risk of identity theft.

DWP officials said the theft occurred at Systematic Automation Inc. in Fullerton and is being investigated by Fullerton law enforcement.
[Evan] From last week's Modesto City Schools breach, in which "A computer hard drive containing sensitive personal information belonging to Modesto City School district employees was stolen from Systematic Automation Inc. in Fullerton, California."  Do you suppose this means that Systematic Automation was storing multiple client data sets on the same drive?

The data that was taken on active DWP employees included names, Social Security numbers, dates of birth, employee identification numbers, salaries, work locations, deferred compensation balances (but not account numbers), insurance plan coverage and health care benefits selection.

Nahai said the DWP had contracted with the company to print retirement booklets showing employees' benefits and other information

"This kind of work is done by very specialized companies, and I think many companies contract out this kind of work," he said. (Nahai)
[Evan] This may justify why DWP sent the information out to a vendor, but it does not justify the breach or the lack of oversight (vendor management).  Vendors trusted with confidential information MUST be held to the same strict standards as the company itself.

Nahai said the DWP was taking "extraordinary steps to protect our employees.

He said the data is encrypted and that the thieves may not be able to extract it.
[Evan] Encrypting the information is a very good call by DWP, but according to the Modesto City Schools breach, "Snelling said the district sent the employee information in an encrypted format to Systematic Automation, where it apparently was stored on the computer in an unencrypted format."  I would be surprised if the DWP information were not in a similar state.

The utility's Retirement Office (213-367-1692) also has made arrangements for a one-year subscription to a credit monitoring service for employees.

"It's in the very early stages of the investigation, and very early to point fingers," he said. (Nahai)

DWP spokesman Joe Ramallo said the utility had no evidence that the missing information had been misused

"We're required by law to notify our employees that this theft occurred," he said. "But we don't have any knowledge at this point that the data was the target, and law enforcement said they don't believe that it is."

a spokesman for the International Brotherhood of Electrical Workers Local 18, the union that represents DWP employees, said Friday that his workers were "shocked and upset" by the loss of the data.

"They believe this is a direct result of the mania for outsourcing that the DWP has had," said Bob Cherry, a communications consultant for the union. "The DWP should have been paying more attention to the potential impact of sensitive data like this getting sent to outside vendors."
[Evan] Bob Cherry knows a thing or two.  The security of information is the responsibility of the organization to whom it was originally given to by the owner.  This is a simple owner/custodian relationship.  Just because the custodian did not lose the hard drive directly does not mean that the custodian is not responsible for the breach.

Vince Foley, who serves on the board of the DWP Retired Employees Assn., said he has received anxious calls from retirees. The stolen computer equipment also contained financial data on employees who retired between July 1, 2006, and June 30, 2007.

Foley said. "DWP's computers are, of course, encrypted and protected. But this is a situation where they had . . . a consultant who's given all this data so they can prepare the [benefits] statements."

Commentary:
I wonder how many more organizations are affected by the Systematic Automation burglary.  So far, we know of two organizations and over 11,000 affected persons.

There are lessons to be learned from almost any breach, and it's easier to play the "Monday morning quarterback".  Good information security programs recognize the importance of managing security throughout the life-cycle of the information, no matter where it resides.  At a minimum:

1. Thoroughly evaluate the information security practices of vendors before engaging in formal business agreements.
2. Information security language should be included in contractual agreements.
3. Conduct regular audits of vendors to ensure that they continue to abide by your information security policies, standards, guidelines and procedures.
4. If your company engages vendors on a regular basis, formalize the vendor security evaluation, approval and audit process.
   

These are just some tips that could easily be expanded upon and refined to your individual situation.

Past Breaches:
Related:
February, 2008 - Theft from vendor affects Modesto City Schools employees

]]> Tue, 19 Feb 2008 14:11:13 +0000 employee information information information security practices confidential information information security policies sensitive personal information dwp dwp officials represents dwp employees L.A. Dept. of Water of Power employees exposed http://securityratty.com/article/592543590c35731d2d9c029ff59afde2 http://securityratty.com/article/592543590c35731d2d9c029ff59afde2 Security Breach

Date Reported:
2/11/08

Organization:
Modesto City Schools

Contractor/Consultant/Branch:
Systematic Automation Inc.

Victims:
School district employees

Number Affected:
3,500

Types of Data:
Names, addresses, birth dates and Social Security numbers

Breach Description:
A computer hard drive containing sensitive personal information belonging to Modesto City School district employees was stolen from Systematic Automation Inc. in Fullerton, California.  Systematic Automation Inc. prints annual benefits summaries for employees.

Reference URL:
The Modesto Bee online story
KCRA Channel 3 News story
ABC News Channel 10 story

Report Credit:
KCRA Channel 3 News

Response:
From the online sources cited above:

All 3,500 employees were affected by the breach, which happened after a computer drive with names, addresses, birth dates and Social Security numbers was stolen from a Southern California data processing firm in Fullerton.

Systematic Automation Inc., prints benefits information for employees including health benefits for the district.

The hard drive and three monitors were stolen at 4:30 a.m. in a "window smash" burglary, said Sgt. Linda King with the Fullerton Police Department.

An e-mail was sent out to all affected employees.

Snelling said the district sent the employee information in an encrypted format to Systematic Automation, where it apparently was stored on the computer in an unencrypted format.
[Evan] Good and bad.  Good that the school district encrypted the information before sending it out.  Bad that the school either did not communicate it's security expectations well or enforce them through regular audits of vendors.

"We want to do the accountable thing, which is to let everyone know so they can take their own steps to protect themselves," Modesto City Schools Superintendent Arturo Flores said.

Director of Business Services Dennis Snelling said no cases of identity theft connected with the data breach have been reported.

"We’re keeping an eye out," Snelling said. "We want our people to be able to protect themselves."

Snelling said other agencies had their data compromised in the theft, but he did not have details.
[Evan] Not cool.

Snelling sent a memo by e-mail and hard copy on paper just before 2 p.m. to warn employees and provide information about how to monitor for fraud.

District officials said they plan to look into the security practices of each agency to which that receives employee information is sent.
[Evan] Excellent addition to their practices.  Vendors and contractors are extensions of the organization.

"We’d certainly be taking that up with Systematic Automation," he said. Employees with concerns can contact Louise Baker, supervisor of payroll and benefits, at 576-4192.

Victim Reaction:
"There are a lot of very unhappy people," said Ray Duran, vice president of the Modesto Teachers Association. "I just hate to think all my stuff is out there. We know these things happen. We just hope the district will find a way to remedy the problem."
[Evan] Unfortunately, there is little remedy for exposed information.  Once information has been exposed, it stays exposed.

Sonoma Elementary teacher Judy Pierce said she was pleased at how quickly the district notified district employees and provided steps to help prevent identity theft.

"I think all of us hope in our lifetime we won’t be faced with these issues," Pierce said. "But (the district) gave us an entire two pages of steps of who to go to, who to contact. It made it very, very easy for us to follow through on it."

Commentary:
I am actually impressed with how well the school responded to this breach.  It appears that they notified employees in a timely manner.  The school also appears to know a thing or two about information security as demonstrated by encrypting the data and now recognizing the importance of evaluating vendor security practices.

Past Breaches:
Unknown

]]> Tue, 12 Feb 2008 12:03:09 +0000 district officials district district employees school district school district employees employees sensitive personal information information provide information Theft from vendor affects Modesto City Schools employees