http://securityratty.com/tag/nwna Tue, 04 Mar 2008 07:08:42 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/9b792cac1e080d88a38cc9805a13d12f http://securityratty.com/article/9b792cac1e080d88a38cc9805a13d12f Security Breach

Date Reported:
3/11/08

Organization:
19 organizations, including Modesto City Schools, Torrance Unified School District, Clovis Unified School District, Los Angeles Department of Water and Power ("DWP"),  and Nestle Waters North America Inc. ("NWNA")

Contractor/Consultant/Branch:
Systematic Automation Inc.*

*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08,
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08,
"Clovis Unified School District employees receive notice" dated 2/21/08
"Systematic Automation breach continued..." dated 2/22/08, and
"Nestle Waters North America employee affected by Systematic Automation breach" dated 3/4/08

Update:
The Modesto Bee and the Whittier Daily News are reporting that a computer has been recovered from the home of Todd Irvine, 43 from La Habra.  The computer "contained more than 40,000 names, addresses and Social Security numbers of California residents" according to a Fullerton police sergeant.

Reference URL:
Whittier Daily News
Modesto Bee

Report Credit:
Whittier Daily News

Response:
From the online sources cited above:

Fullerton police detectives analyzed data Tuesday from a stolen computer seized from a La Habra man that contained more than 40,000 names, addresses and Social Security numbers of California residents, a sergeant said.

Todd Irvine, 43, was arrested on Friday after Fullerton detectives served a search warrant at his home in the 700 block of La Serna Avenue, said Fullerton police Sgt. Linda King.

The computer was stolen in a Feb. 11 commercial burglary of Systematic Automation Inc., a Fullerton data processing firm. The company prints individualized annual statements customized for employees with a summary of their health and other employee benefits, King said.

Fullerton police received information that the stolen computer was being used to access the Internet, which led to detectives obtaining the search warrant, King said.

Several other computers also were seized, she said.

Police are analyzing the computer to determine if the employee information files had been compromised, but no related cases of identity theft have been reported, she said.

Irvine, a parolee, faces possession of stolen property charges, King said.

Commentary:
Mr. Irvine is not a very bright individual, is he?  I suspect that the confidential information was not accessed by Mr. Irvine, and I also suspect he didn't even know what he had.

Police did a superb job by following up on leads and treating this crime very seriously.  They should be commended on their work.

This has been one of the most popular breaches in terms of the number of times the articles have been read, since The Breach Blog was launched in September, 2007

What should become of Systematic Automations?

]]> Wed, 12 Mar 2008 09:22:26 +0000 fullerton police sergeant fullerton police fullerton police sgt systematic automation fullerton police detectives police systematic automation breach computer breach UPDATE: A computer stolen from Systematic Automation is found http://securityratty.com/article/2037234f20d359e95edd4fe9f57e2ede http://securityratty.com/article/2037234f20d359e95edd4fe9f57e2ede Security Breach

Date Reported:
2/26/08

Organization:
Nestle Waters North America Inc. ("NWNA")

Contractor/Consultant/Branch:
Systematic Automation*

*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08,
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08, and
"Clovis Unified School District employees receive notice" dated 2/21/08
"Systematic Automation breach continued..." dated 2/22/08

Victims:
Employees of NWNA in 2006

Number Affected:
8,245

Types of Data:
Names, dates of birth, addresses and Social Security numbers.

Breach Description:
Computer equipment was stolen from a Nestle Waters North America ("NWNA") vendor, Systematic Automation that contained sensitive personal information belonging to persons employed with NWNA in 2006.  Systematic Automation was employed by NWNA to create and distribute employee benefits statements.  So far, this single breach has affected persons affiliated with five separate organizations.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

An Important Notification To Our NWNA Employees:
Systematic Automation Inc. ("SAI"), one of our vendors, recently experienced a breakin at their facility in Fullerton, California. Among other things, a desktop computer was stolen that contained a database of sensitive personal informatiion about NWNA employees, including a list of NWNA employees' names, addresses, dates of birth, and social security numbers.

This database only contained information about employees that were on the payroll as of February 1, 2006.

The information was password protected, but was not in an encrypted format.
[Evan] A username and password (most likely Windows operating system) is not adequate protection for confidential information.  A Windows XP/2000 password can be bypassed in a matter of minutes.  IF the desktop computer were stolen for the information it contained, then we should consider it disclosed.  Although encryption is not a perfect solution, it reduces the risk of exposure to an acceptable level in most circumstances.

We use SAI to create and distribute your employee benefits statements. In order for SAI to properly complete the work, we must provide SAI with certain personal information.
[Evan] Understood, but then SAI needs to be regularly monitored for compliance with policy around the protection of such information.

We deeply regret that this incident occurred and we are talking immediate steps to make sure that something like this does not happen again.

At this time, we do not know if the thieves stole the computer with the intent to use the personal information for credit fraud purposes or whether this was merely a random criminal act.

The Fullerton Police Department is investigating the incident and SAI is cooperating fully with the Police Department investigation.

If this stolen personal information got in the wrong hands, however, you are at risk for identity theft or fraud.

NWNA will also provide, at no cost to you, one year of premium credit monitoring from Equifax, a leading credit monitoring company.
[Evan] Equifax is a leading credit monitoring company, but also one of the three credit reporting agencies.  It amazes me how Experian has capitalized on the information they collect, manage and sell.  They are responsible for keeping accurate records, but at the same time will charge people a fee to make sure that they are doing what they are supposed to be doing.  Something should give.

In the near future, instructions on enrollment will be mailed directly to your homes.

In addition, NWNA is in the process of establishing a hotline to provide you with the resources you need to get your questions answered.

NWNA sincerely regrets any inconvenience this incident may cause you.

Commentary:
As mentioned earlier, NWNA is the fifth known organization to be affected by the single breakin at Systematic Automation.  It is becoming more and more clear that Systematic Automation did not follow some information security "best practices" by segmenting confidential customer data and encrypting it at rest.

I have not yet seen a statement from Systematic Automation.

Past Breaches:
Nestle Waters North America:
Unknown
Systematic Automation:
February, 2008 - Systematic Automation breach continued...
February, 2008 - Clovis Unified School District employees receive notice
February, 2008 - L.A. Dept. of Water of Power employees exposed
February, 2008 - Theft from vendor affects Modesto City Schools employees

]]> Tue, 04 Mar 2008 07:08:42 +0000 systematic automation breach systematic automation sensitive personal information personal information breach employees power employees information nwna Nestle Waters North America employee affected by Systematic Automation breach