[SecurityRatty] tag: identifiable

Massachusetts issues new rules for businesses to protect personally identifiable information, Congress considers FISMA reform

Wed, 24 Sep 2008 20:00:00 +0000

As reported in the Boston Globe on September 23rd, the Massachusetts Office of Consumer Affairs and Business Regulation issued regulations earlier this week that will place new requirements on businesses to safeguard personally-identifiable information (PII)...

Regulatory compliance tops issues facing IT managers

Mon, 04 Aug 2008 20:00:00 +0000

Regulatory compliance will be the top business and technology issue facing IT managers and executives worldwide in the next 12 to 18 months, with a major emphasis on protecting personally identifiable information (PII) and transaction monitoring.

Gonzo: Two Thumbs In and Up

Thu, 17 Jul 2008 06:10:12 +0000

Just saw the Hunter S. Thompson movie - Gonzo, and if you are a fan you should to. Lots of good stuff in there, the film links various part of his life and career, and gives a pretty unvarnished view of the high highs and the low lows. Weaves in writing, politics, and fame seamlessly. I have never really had as much fun as early on in my career in the early-mid 90s I was a web programmer in Aspen, hacking CGI/PERL. Among the most fun things was building and running HST's site. My boss, Ed, was his neighbor. Ed was also seriously allergic to bees. One day he was alone in his house and got stung. He was dying. Luckily Hunter was due over to his house to watch a basketball game, walked in and called 911. My boss woke up in the ambulance with Hunter pounding on him chest and screaming at him. Ed said - "Waking up to that face screaming at me, I didn't know if I was alive or dead." Seeing the movie it was also great to see a lot of the Woody Creek folks again like George Stranahan, who lovingly said about Hunter - "my friend and neighbor who never paid his rent, broke up my marriage and taught my children to smoke dope. " Of course, there was no way he could match his early productivity and this is true of almost all artists. Most of the last two decades were wasted from a writing standpoint. However his piece written on 9/11 is as good as its gets:

The towers are gone now, reduced to bloody rubble, along with all hopes for Peace in Our Time, in the United States or any other country. Make no mistake about it: We are At War now -- with somebody -- and we will stay At War with that mysterious Enemy for the rest of our lives.

It will be a Religious War, a sort of Christian Jihad, fueled by religious hatred and led by merciless fanatics on both sides. It will be guerilla warfare on a global scale, with no front lines and no identifiable enemy. Osama bin Laden may be a primitive "figurehead" -- or even dead, for all we know -- but whoever put those All-American jet planes loaded with All-American fuel into the Twin Towers and the Pentagon did it with chilling precision and accuracy. The second one was a dead-on bullseye. Straight into the middle of the skyscraper.

Nothing -- even George Bush's $350 billion "Star Wars" missile defense system -- could have prevented Tuesday's attack, and it cost next to nothing to pull off. Fewer than 20 unarmed Suicide soldiers from some apparently primitive country somewhere on the other side of the world took out the World Trade Center and half the Pentagon with three quick and costless strikes on one day. The efficiency of it was terrifying.

We are going to punish somebody for this attack, but just who or what will be blown to smithereens for it is hard to say. Maybe Afghanistan, maybe Pakistan or Iraq, or possibly all three at once. Who knows? Not even the Generals in what remains of the Pentagon or the New York papers calling for WAR seem to know who did it or where to look for them.

This is going to be a very expensive war, and Victory is not guaranteed -- for anyone, and certainly not for anyone as baffled as George W. Bush. All he knows is that his father started the war a long time ago, and that he, the goofy child-President, has been chosen by Fate and the global Oil industry to finish it Now. He will declare a National Security Emergency and clamp down Hard on Everybody, no matter where they live or why. If the guilty won't hold up their hands and confess, he and the Generals will ferret them out by force.

Good luck. He is in for a profoundly difficult job -- armed as he is with no credible Military Intelligence, no witnesses and only the ghost of Bin Laden to blame for the tragedy.

One unintended lesson I take away from Hunter's life is how important patience is. Obama is a politician and may yet disappoint us all, but I gotta believe Hunter would be seriously impressed. If he had waited another couple of years, he may have seen a lot of the stuff he fought for in 1968 and 72 come to fruition. Sometimes you are just 36-40 years ahead of your time and you have to be ok with that and figure out how to deal if possible. (Note - it sure sometimes feels this way in software security). Speaking of security:

Security

by Hunter S. Thompson (1955).

Security ... what does this word mean in relation to life as we know it today? For the most part, it means safety and freedom from worry. It is said to be the end that all men strive for; but is security a utopian goal or is it another word for rut?

Let us visualize the secure man; and by this term, I mean a man who has settled for financial and personal security for his goal in life. In general, he is a man who has pushed ambition and initiative aside and settled down, so to speak, in a boring, but safe and comfortable rut for the rest of his life. His future is but an extension of his present, and he accepts it as such with a complacent shrug of his shoulders. His ideas and ideals are those of society in general and he is accepted as a respectable, but average and prosaic man. But is he a man? has he any self-respect or pride in himself? How could he, when he has risked nothing and gained nothing? What does he think when he sees his youthful dreams of adventure, accomplishment, travel and romance buried under the cloak of conformity? How does he feel when he realizes that he has barely tasted the meal of life; when he sees the prison he has made for himself in pursuit of the almighty dollar? If he thinks this is all well and good, fine, but think of the tragedy of a man who has sacrificed his freedom on the altar of security, and wishes he could turn back the hands of time. A man is to be pitied who lacked the courage to accept the challenge of freedom and depart from the cushion of security and see life as it is instead of living it second-hand. Life has by-passed this man and he has watched from a secure place, afraid to seek anything better What has he done except to sit and wait for the tomorrow which never comes?

Turn back the pages of history and see the men who have shaped the destiny of the world. Security was never theirs, but they lived rather than existed. Where would the world be if all men had sought security and not taken risks or gambled with their lives on the chance that, if they won, life would be different and richer? It is from the bystanders (who are in the vast majority) that we receive the propaganda that life is not worth living, that life is drudgery, that the ambitions of youth must he laid aside for a life which is but a painful wait for death. These are the ones who squeeze what excitement they can from life out of the imaginations and experiences of others through books and movies. These are the insignificant and forgotten men who preach conformity because it is all they know. These are the men who dream at night of what could have been, but who wake at dawn to take their places at the now-familiar rut and to merely exist through another day. For them, the romance of life is long dead and they are forced to go through the years on a treadmill, cursing their existence, yet afraid to die because of the unknown which faces them after death. They lacked the only true courage: the kind which enables men to face the unknown regardless of the consequences.

As an afterthought, it seems hardly proper to write of life without once mentioning happiness; so we shall let the reader answer this question for himself: who is the happier man, he who has braved the storm of life and lived or he who has stayed securely on shore and merely existed?

A ship is safest at port, but thats not why we build ships.

A backup tape is stolen from Greensboro Gynecology Associates

Wed, 16 Jul 2008 12:16:26 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Greensboro Gynecology Associates

Contractor/Consultant/Branch:
None

Victims:
Physicians, staff members, and patients

Number Affected:
Unknown

Types of Data:
"names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members"

Breach Description:
"GREENSBORO - Patients at a Greensboro doctors’ office have been notified that their personal information - including Social Security numbers and addresses - was stolen in May."

Reference URL:
News & Record

Report Credit:
Ryan Seals, News & Record

Response:
From the online source cited above:

In a letter mailed to patients, Greensboro Gynecology Associates said a backup tape of their computer database was stolen.
[Evan] Does "their computer database" include billing information and other confidential information other than personally identifiable information?

The letter was dated June 16, but some letters weren't postmarked until July 9.

The medical practice said a backup tape of patient information was stolen on May 29 from an employee who was taking the tape to an off-site storage facility for safekeeping.
[Evan] I wonder what type of off-site storage facility. Some of the small businesses that I have encountered consider an employee's home to be an "off-site" storage facility.

The stolen information included patients' name, address, Social Security number, employer, insurance company, policy numbers and family members.

The tape did not include treatment or specific medical data.

"We are very concerned about this theft, as we too are victims," Pat Higgins, the practice's administrator, wrote in an e-mail Tuesday. "We are notifying our present and former patients. ..."

The practice at 719 Green Valley Road Suite 305 said personal information for its physicians and other staff members also was on the stolen tape.

the case is under investigation

did not respond to inquiries about how many patients were affected, how the theft occurred and whether anything else was taken

The practice's letter said the theft had been reported to police. However, officials with the Greensboro Police Department and the Guilford County Sheriff's Office said they had no such report on file.
[Evan] This is interesting news.

The data was not encrypted, but Greensboro Gynecology Associates said the stolen data isn't likely to be accessed.

"We have consulted with several computer security experts, and they have advised it is highly unlikely the tapes can be accessed because of the program used and the language (the information) is written in," according to a recording on a hotline set up to address patients' concerns.
[Evan] Who are these several computer security "experts'? I hate to disagree, but... The assessment is based on "the program used and the language" that the archived information is written in. Really? How hard is it to obtain the necessary hardware and software to access the information? Someone interested in accessing the tape could conceivably flip the data protection tab on the tape (to prevent data corruption through inadvertent writes), download some of the more popular backup software programs, buy a compatible drive (stolen or on eBay), and go to town. Couldn't they? Backup Exec is a very popular backup program. Anyone can download a 60-day trial for free. More talented professionals have even more sophisticated methods of accessing data on tape.

Greensboro Gynecology Associates said they are consulting with computer security experts to prevent similar thefts in the future.
[Evan] I kind of hope that they are not consulting with the same computer security "experts" referenced above.

"We sincerely regret and apologize that this incident occurred," the letter said

Commentary:
Many backup software solutions include the option to encrypt the written data built-in. Why not use it?

Greensboro Gynecology Associates has established a hotline for concerned patients. The phone number is (336) 544-4590. The hotline asks patients to leave their name and telephone number for a staff member to return their call.

Past Breaches:
Unknown

P2P-related breach affects high-profile clients from Wagner Resource Group

Mon, 14 Jul 2008 13:08:21 +0000

Technorati Tag: Security Breach

Date Reported:
7/9/08

Organization:
Wagner Resource Group

Contractor/Consultant/Branch:
None

Victims:
Clients*

*Most notably Supreme Court Justice Stephen G. Breyer, which has been well publicized.

Number Affected:
~2,000

Types of Data:
"names, dates of birth and Social Security numbers"

Breach Description:
"The Washington Post today ran a story I wrote on a data breach of a local investment firm that exposed the names, birth dates and Social Security numbers of some of the Washington area's most powerful attorneys, including Supreme Court Justice Stephen Breyer."

Reference URL:
SecurityFix
Washington Post
United Press International
NBC Universal, Inc

Report Credit:
Brian Krebs, Washington Post

Response:
From the online sources cited above:

Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer
[Evan] P2P file sharing and other client software use can pose a very significant risk in most companies. It is typically an easy risk to address however. A mixture of any one or more of the following controls can help to mitigate the risk; information security training and awareness, egress traffic monitoring and filtering, intrusion detection/prevention, and hardened workstations (i.e. removal of administrative access) to name a few.

In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.
[Evan] This is a common oversight. LimeWire and other P2P file sharing applications are wonderful tools for doing what they are designed to do. Before allowing their use (or any other software), an organization must evaluate the risks in doing so. If you intend to use or allow the use of LimeWire in your organization, understand how the software works and how it is configured. During the install you will be prompted for the "Save Folder and Shared Folders". Be careful what you choose, and be careful about what information you put in these locations in the future. Most organizations that are aware of risks just choose not to allow P2P use.

That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.
[Evan] The high-profile nature of this breach is what has grabbed headlines all last week.

Of the 2,000 records from Wagner Resource Group that were found online, 700 included Social Security numbers, names and birth dates, while other records included only one or two of those details.

The breach was not discovered for nearly six months.
[Evan] This is another danger posed by information leaked through P2P. Once information has leaked, how does an organization detect that it has been leaked? There is no longer any control.

A reader of washingtonpost.com's Security Fix blog found the information while searching LimeWire in June.
[Evan] I wonder why the reader did not notify the authorities and/or Wagner at the time of its discovery. Maybe he/she did. I don't know.

Robert Boback, chief executive of Tiversa, the company hired by Wagner to help contain the data breach, said such breaches are hardly rare.

About 40 to 60 percent of all data leaks take place outside of a company's secured network, usually as a result of employees or contractors installing file-sharing software on company computers.
[Evan] Really?! I would have not guessed that the percentage would be so high. Interesting.

"We've seen a lot of instances where a company will be working on a product that's not even released yet, and the diagrams for that product are already out on the Net," Boback said.
[Evan] Very good point. It isn't just personally identifiable information that is leaked, there are plenty of instances where intellectual property (IP) is exposed. I have read estimates that as much as 80% or organizational assets globally are intangible (information, knowledge, etc.).

"This case is unique because of the high profile of the targets. The individuals on this list are at a very high risk, almost imminent, of identity theft."

Tiversa officials found that more than a dozen LimeWire users in places as far away as Sri Lanka and Colombia downloaded the list of personal data from the Wagner network.

"To me, this was devastating," said Phylyp Wagner, founder of the investment firm. "I didn't even know what peer-to-peer was. I do now."
[Evan] This is a big problem! Corporate leaders must be made aware of the risks surrounding the information for which they are ultimately responsible for.

Wagner said his company has contracted with FirstAdvantage of Poway, Calif., which last week sent out letters notifying affected clients of the breach and offering each six months of free credit-report monitoring.

He emphasized that the peer-to-peer disclosure never endangered his clients' financial records, which are stored by a separate company.
[Evan] Maybe not their financial records, but it did affect some people's financial status (at least temporarily).

But that may be small consolation to several lawyers on the list who said they recently experienced unexplained financial activity.

"This may explain why two weeks ago I got a $9,000 cellphone bill from AT&T," said Steven Agresta, a partner with the law firm Alston & Bird.

Someone had opened a phone account using his date of birth and Social Security number, but with a different address.

this morning I heard from reader Christopher Lynt, a patent attorney from Virginia whose personal data was included in the file exposed via P2P.

He told me that last July, an identity thief used his SSN and birth date to have $1,000 wired to Mexico from Lynt's bank and credit accounts.

Commentary:
This certainly isn't the first time we have read about P2P file sharing network exposures. If your organization can find a way to use the technology without posing an unacceptable risk, then fine. If not, then don't allow the technology to be used. Seems pretty plain and simple.

There is much work to be done. At Wagner and elsewhere.

Past Breaches:
Unknown

Senators question NebuAd, targeted ad privacy

Thu, 10 Jul 2008 09:00:00 +0000

Senators question NebuAd on its information collection practices at a hearing in which the company's CEO said it does not collect personally identifiable information or keep the information it collects for an extended time.

Simple oversight at TNS Infratest exposes participant information

Wed, 09 Jul 2008 19:37:10 +0000

Technorati Tag: Security Breach

Date Reported:
7/4/08

Organization:
Taylor Nelson Sofres plc (TNS)

Contractor/Consultant/Branch:
TNS Infratest

Victims:
Survey participants

Number Affected:
41,000

Types of Data:
"Name and address, date of birth, email address and phone numbers", "Some of the data included monthly income, education, bank account information, health insurance data, and which credit cards are used"

Breach Description:
"The scientific journal of the Chaos Computer Club (CCC), Die Datenschleuder, reports that market research firm TNS Infratest/Emnid has lost 41,000 private data records of their survey participants."

Reference URL:
Chaos Computer Club e.V.
The Inquirer

Report Credit:
Chaos Computer Club e.V.

Response:
From the online sources cited above:

TOP MARKET RESEARCH firm TNS Infratest/Emnid has 'lost' 41,000 private data records of its survey participants, the Chaos Computer Club (CCC) has revealed in its official organ Die Datenschleuder.

As the magazine reports [1], it was possible for participants to read master data records and consumer profiles without bypassing even basic security measures.

Access to the comprehensive survey results could be gained by simply changing the customer ID number in the browser's address bar.
[Evan] This type of development mistake too common. The vulnerability is very easy to find by good pen testers and the bad guys. Actually, I am surprised that we don't hear about more of these types of breaches.

Besides name and address, the data records included date of birth, email address and phone number.

Many records also included very sensitive information: monthly income, education, bank account information, health insurance data, if and which credit cards are used, which electronic devices are used in the household, children's ages and yet more private data.
[Evan] Clearly this is some very sensitive information, all provided by people completing surveys.

"TNS Infratest made a beginner's mistake in their software development. This is unprofessional, grossly negligent and above all deeply worrying," commented CCC spokesman Dirk Engling regarding the incident.
[Evan] Mr. Engling is dead on. I couldn't have said it better myself.

"As this information is very sensitive, where abuse such as identity theft or its use in connection with burglary cannot be excluded, THS Infratest needs to inform the victims immediately," he continued

This case continues a disastrous, never-ending series of information leaks of data held by public and private sector organisations.

The need for more strict control of sensitive data collections is evidenced by the recent snooping affairs by German Telecom as well as the data leaks from the "Meldeämtern" (registration of address offices).

It is obvious here that data security only plays a minor role in companies.
[Evan] Very sad, but very true. Too many organizations still take the wrong view of information security as a "cost center" instead of a business driver. Well designed and managed information security programs, the ones that are aligned with the business and not IT, can actually provide value to the business.

"Especially for companies surveying the most confidential data, the highest security standards have to apply," said Engling.

The press team of the Chaos Computer Club is available for questions at the following addresses:

presse@ccc.de (preferred)
0700-CHAOSFON (0700 - 24267366)

Commentary:
TNS is a large company, a large company with resources to hire good management, programmers, and information security personnel. What is the excuse for making such a significant, yet simple oversight? There are a number of controls that could have reduced the risk of this occurring.

One a secondary note, but no less important in my opinion. It seems that people (in general) provide too much information willingly, without understanding what the risks could be. Personally, I rarely complete surveys that ask me for personally identifiable information (name, address, etc.). I suggest that you give some serious thought to providing any of your personal information. Ask yourself if you trust the organization collecting your information. If so, question what your trust is based on. Do NOT hesitate to ask questions and err on the side of caution.

Past Breaches:
Unknown

Laptop stolen from a Quest Diagnostics employee

Tue, 17 Jun 2008 08:09:12 +0000

Technorati Tag: Security Breach

Date Reported:
5/30/08

Organization:
Quest Diagnostics

Contractor/Consultant/Branch:
None

Victims:
Patients*

*assumed

Number Affected:
Unknown

Types of Data:
"name, address, and social security number"

Breach Description:
On May 1, 2008 a Quest Diagnostics employee's password protected laptop computer, which contained certain personally identifiable information, was stolen.

Reference URL:
Maryland State Attorney General breach notification

Report Credit:
The Maryland State Attorney General

Response:
From the online source cited above:

This letter is being sent to you in accordance with the requirements of the Maryland Personal Information Protection Act to advise you of the breach of security of personal data of certain Maryland residents.

The breach arose out of the theft of a password protected laptop computer of one of our employees on May 1, 2008.
[Evan] Really, what does the "password protected" mention have to do with anything other than to convince someone into thinking that the laptop was more protected than it actually is/was? Password protection (alone) is just not adequate for sensitive confidential information, unless of course an organization has deemed the risk to be not significant enough to warrant further protection such as encryption coupled with strong authentication. I presume that the laptop was not protected with encryption due to the fact that there is no mention of it. To me, the risk seems significant enough.

The personal data includes the name, address and social security number

At this time we have no reason to believe this incident will lead to fraudulent credit applications or other identity theft crimes.
[Evan] Yep, but the company DID unnecessarily increase the risk of this happening to someone now and in the future.

Nevertheless, because the laptop which includes this information cannot be located, we want to notify you about this incident.

To further reduce the risk of any harm to you we are offering you a credit monitoring product to identify any potential misuse of your personal information.

Quest Diagnostics takes the issue of safeguarding private information very seriously. For this reason, our data privacy and security policies incorporate comprehensive physical, technical and administrative processes and employee training designed to protect the privacy and security of data and minimize the risk of inappropriate access to sensitive information.
[Evan] Nice! This statement sounds very impressive and uses some common information security best practices lingo. Did any of these "data privacy and security policies" that "incorporate comprehensive physical, technical and administrative processes and employee training designed to protect the privacy and security of data and minimize the risk of inappropriate access to sensitive information" protect the information on the laptop? Do any of these things include restrictions on confidential information stored on mobile devices or encryption of data at rest?

We deeply regret any inconvenience caused by this incident and appreciate your understanding.

If you have any questions, please feel free to call Lisa Mullaly, Information Technology Compliance Director at (800)877-8824, extension 6147 at your convenience.

Commentary:
I may have been a little harsh in my comments, but I think I was justified. Breaches like these are so preventable. Hey, there's another best practice security lingo term, preventative controls. This breach only affected three Maryland residents, according to the breach notification. It is not known if the breach only affects these three people.

Past Breaches:
Unknown

Laptop stolen from R.E. Moulton may affect 19,000

Sun, 15 Jun 2008 18:15:45 +0000

Technorati Tag: Security Breach

Date Reported:
5/23/08

Organization:
OneAmerica

Contractor/Consultant/Branch:
R.E. Moulton, Inc.

Victims:
Customers

Number Affected:
~19,000

Types of Data:
"names in combination with social security numbers"

Breach Description:
A laptop computer containing sensitive personal information belonging to approximately 19,000 individuals was stolen from the Irving, Texas offices of R.E. Moulton on or around March 7th, 2008.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

R.E. Moulton is a leader in the medical stop-loss insurance industry and the stop-loss insurance products administered by it are available nation-wide.
[Evan] The notification to the New Hampshire State Attorney General starts with this sentence. It's nice if you can add a little marketing to your breach notification.

We are writing to inform you of an incident involving the possible disclosure of personal information.

Specifically, on or around March 7, 2008, thieves broke into our Irving, Texas regional office and stole a laptop computer containing personally identifiable information of numerous individuals, including names in combination with social security numbers.
[Evan] We don't know much about the physical security controls protecting the office and laptop, but we do have a clue. The fact that R.E. Moulton states "on or around March 7" leads me to believe that the physical controls were not sophisticated enough to detect the theft when it occurred. The practice or storing confidential information on a laptop is not a good idea in most cases and there is also no mention of encryption, so I assume it was not used. Bad, bad, and bad.

A police report was filed and the police are actively investigating this crime.

Personal information was on the stolen laptop because R.E. Moulton receives requests to provide quotes for stop-loss insurance coverage.
[Evan] In my opinion, this may be justification for collecting personal information, but certainly not a justification for storing it on a laptop.

Approximately 19,000 individuals were affected, although there may be duplicates on our master list; this means that the list of affected individuals may be smaller.

At this time. we are unable to determine the number of New Hampshire residents, if any, who will be notified of this incident because the information maintained on the laptop did not include addresses, but we will provide a list at a later date if we find that New Hampshire residents were affected.

Letters will be sent to these individuals as soon as we receive their addresses from their employers or the third parties who arranged for the insurance quotes.
[Evan] It seems to me that the "employers or the third parties" have a significant role in this breach also. I wonder if information security personnel at the "employers or the third parties" were aware and approved of the sharing of personal information with R.E. Moulton. If they were, then I wonder if they followed good protocol and evaluated the information security practices of R.E. Moulton.

Those employers and third parties were notified of this incident during the week of May 5, 2008 and are currently collecting the needed addresses.
[Evan] Employers and third parties were notified almost 2 months after the theft.

Depending on the length of time needed to collect addresses, we hope to start sending letters to the affected individuals in June.
[Evan] Add the amount of time referred to in this sentence to the ~2 months that have already passed and then add this to the time to address letters and you get a long time before victims are notified. I presume some victims will never be notified.

Please know that we have taken this incident very seriously.
[Evan] Action speaks louder than words.

While we do not anticipate that any of the information will be used for unauthorized or malicious purposes, to help those whose information was involved, we have engaged ConsumerInfo.com, Inc., an Experian company, to provide those individuals with one year of credit monitoring at no cost to them.

Please note that we are committed to protecting our customer and that we are constantly improving our processes to avoid any further reoccurrences.

In addition, appropriate steps have been take to prevent future disclosures of this information.
[Evan] What steps have been taken? It seems to me that data owners deserve more detail and explanation.

We sincerely apologize for any inconvenience or worry this may have caused you.

We encourage you to contact the company at 800-553-5318 with any questions or concerns.

From the FAQs:
Q. What is being done by R.E. Moulton to prevent a similar incident from occurring?
A. R.E. Moulton had procedures in place to protect customer information and is constantly reviewing those procedures in light of developments in information security and the evolution of criminal activity.
[Evan] What do you think of this answer?

Commentary:
I get especially frustrated by breaches that involve confidential information on a stolen laptop. Stolen laptops are one of, if not the most common types of breaches that we read about, yet the frequency of reports does not seem to be subsiding. Can an organization claim that they didn't know any better? At what point does risky information security behavior become negligent?

I suspect that most victims don't even know that R.E. Moulton had their personal information. This make the breach a little more troubling.

I accept mistakes because we all make them. I also accept security incidents that occur despite an organization's best efforts at protection. I don't accept poor behavior that seems to go against common sense.

Past Breaches:
Unknown

University of South Carolina Moore School of Business breach

Mon, 09 Jun 2008 09:38:01 +0000

Technorati Tag: Security Breach

Date Reported:
6/9/08

Organization:
University of South Carolina

Contractor/Consultant/Branch:
Moore School of Business

Victims:
"faculty, staff and students"

Number Affected:
~7,000

Types of Data:
"some personally identifiable data"

Breach Description:
"The University of South Carolina is warning about 7,000 faculty, staff and students that some of their personal information was on a desktop computer stolen from an office at the business school."

Reference URL:
The State

Report Credit:
The State

Response:
From the online source cited above:

The University of South Carolina is warning about 7,000 faculty, staff and students that some of their personal information was on a desktop computer stolen from an office at the business school.

Monday evening, May 26th, 2008 computer hardware containing data files was stolen from the Dean’s Office

"Among the items was a desktop computer belonging to Deputy Dean Dr. Scott Koerwer,"
[Evan] I am semi-sure that a business case could be made to allow Dr. Scott access to confidential information, but there should be NO business case allowing for the storage of this information on the desktop computer he uses. I also doubt that he needs access to Social Security numbers.

"As a result of the computer being stolen, we feel it is possible that some personally identifiable data could have been compromised."

There is a possibility that some personal information such as social security numbers, annual pay, and term of service at the University may have been compromised.

As soon as the unauthorized access was discovered (May 27, 2008), USC initiated its incident handling procedures, which includes notification of affected individuals.
[Evan] I am glad to read that USC has incident handling procedures. Many organizations do not.

university officials have no evidence anyone's personal information was accessed
[Evan] It's probably too soon for evidence.

"We feel the responsible thing for us to do is to notify those persons whose data was contained in the computer, and advise them of the fact, and share with them some useful steps they may want to take for additional protection,"

the university is notifying about 130 faculty and staff at the Moore School, and just under 7,000 students who took business courses in the last academic year

the university’s Division of Law Enforcement and Safety and Office of Information Technology are investigating the matter

The Moore School of Business has taken precautions to minimize future security risks.
[Evan] Like what? Anybody can make a statement like this. People should be provided with some details. Details that don't give away too much, but enough to instill confidence. This statement means little to me.

Deputy Dean Koerwer circulated a letter to students dated June 6 that suggested some steps they might take to protect themselves from identity theft.

Guidance regarding the burglary, including answers to frequently asked questions that we anticipate on identity protection, identity theft, and precautionary measures is available at the University’s website: www.sc.edu/identity/index.shtml

We deeply regret any inconvenience or concern that this incident may cause. We assure you that the University, along with the Dean’s Office, is working diligently to prevent this type of incident from recurring.

Please know that the university faculty and staff are committed to protecting all personal information.

Commentary:
This is a physical, administrative and potentially logical information security breach. There is no information provided about what physical controls were present to prevent an intruder from stealing the desktop computer, so it is difficult to comment. There is little information provided around the administrative controls in place, but we can imply some things. Due to the fact that the school did not state that the storage of confidential information on client computers is prohibited, maybe we can assume that it is permitted. There was no mention of encryption, so I question whether or not this is a logical control that may have been lacking.

Information security is a holistic discipline and the controls I mention above are a very, very small part of the big picture.

Past Breaches:
September, 2007 - University of South Carolina Mistake Leads to Breach of 3,199 Records