San Quentin visitor and volunteer information lost

Mon, 31 Mar 2008 07:14:31 +0000

Technorati Tag: Security Breach

Date Reported:
3/29/08

Organization:
State of California

Contractor/Consultant/Branch:
Department of Corrections and Rehabilitation
San Quentin State Prison

Victims:
Volunteers and visitors

Number Affected:
3,500+

Types of Data:
"names, birth dates and driver's license numbers"

Breach Description:
"A flash memory drive containing names, birth dates and driver's license numbers of more than 3,500 people who either volunteered or visited San Quentin State Prison in a group tour has been lost, a prison official said Friday."

Reference URL:
The San Francisco Chronicle
KCBS 740 AM News

Report Credit:
Matthew Yi, The San Francisco Chronicle

Response:
From the online sources cited above:

A flash memory drive containing names, birth dates and driver's license numbers of more than 3,500 people who either volunteered or visited San Quentin State Prison in a group tour has been lost, a prison official said Friday.

The flash drive was used to move the data each evening from the prison's administrative office near the parking lot to computers at the two entrance gates to the facility to allow guards to identify volunteers or groups, such as college students, that tour the prison, said Samuel Robinson, a San Quentin spokesman.
[Evan] Huh? How about a network employing encryption? They have this new technology called WPA2 (Wi-Fi Protected Access 2). It would be much more efficient, secure and cost effective to network this securely.

"What happens is that we have to transport that information out to individual areas where we let people through" onto prison grounds, he said. "It's our security measure to walk the flash drive."

The flash drive did not contain Social Security numbers, but the personal information on visitors was not encrypted, he said, adding that the prison has since decided to encrypt the data.
[Evan] It's too bad that it took a breach before prison officials noticed the risk of carrying confidential information on unencrypted mobile devices. Going forward this is a good decision by the prison, but this is what we call "reactive security".

Prison officials have not received any reports of identify theft tied to this incident

Sen. Gloria Romero, D-Los Angeles, chairwoman of the Senate Public Safety Committee, criticized the Corrections Department for losing such sensitive information, and said she will call prisons secretary James Tilton to address the issue.

"This is how cavalier the Corrections Department can be with private information," she said. "There has been a breach of security."

The unit was discovered missing March 4 and a preliminary investigation shows that it was last used on March 3, Robinson said. It's yet unclear how the flash drive was lost or if it may be somewhere on prison grounds, he said. There is no indication that the flash drive was stolen for malicious reasons, such as identity theft

Prison officials recently sent out letters alerting the individuals whose information is believed to be on the flash drive.

Anyone who has visited San Quentin and is concerned their personal information could be on the flash drive may call Sgt. Rudy Luna, administrative assistant, at (415) 455-5000 or Laura Bowman, community partnership manager, at (415) 454-1460, extension 5400.

Commentary:
Thankfully, the flash drive did not contain Social Security numbers. Can names, addresses and driver's license numbers be used for identity theft, directly?

Carrying confidential information on mobile devices is risky. Not encrypting it is reckless.

Past Breaches:
Unknown

Rudy Giuliani on Terrorism Security

Wed, 16 Jan 2008 11:17:37 +0000

A longish article by Rudy Giuliani on his philosophy to secure the nation from terrorism. I may write a long blog post on the article after I read it, but I wanted to post the link as soon as I saw it.

[SecurityRatty] tag: rudy

San Quentin visitor and volunteer information lost

Rudy Giuliani on Terrorism Security