http://securityratty.com/tag/utuia Mon, 16 Jun 2008 05:37:36 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/3cca53a16c51f77342f6ce79b4c1eee9 http://securityratty.com/article/3cca53a16c51f77342f6ce79b4c1eee9 Security Breach

Date Reported:
6/9/08

Organization:
United Transportation Union Insurance Association ("UTUIA")

Contractor/Consultant/Branch:
Westin Hotels and Resorts
United Parcel Service

Victims:
Policyholders

Number Affected:
Unknown

Types of Data:
"names and social security numbers"

Breach Description:
Two laptop computers shipped via UPS to UTUIA offices are missing.  One of the laptops may contain sensitive personal information belonging to UTUIA policyholders.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to inform you of a recent security incident involving UTUIA, headquartered in Ohio.

During shipment of UTUIA laptop computers to UTUIA offices, laptops have been reported missing.
[Evan] The notification letter sent to victims mentions two laptops.

The laptops may have contained personal information, including names and social security numbers, about policyholders

UTUIA has reported the missing laptops to law enforcement authorities and is pursuing the return of these laptops.

United Transportation Union Insurance Association has filed police reports, is coordinating with the hotel involved (Westin San Francisco) and has notified UPS of the missing items.
[Evan] Based on the information so far, it appears that UTUIA arranged for Westin to ship two laptops via UPS.  One of the laptops contained sensitive personal information.  There is no mention of encryption or any other protections in the breach notification, so we can only imagine.

Given the time that has passed since notification, we believe the likelihood of timely recovery is low and therefore are proceeding with notification.
[Evan] How much time has passed since the laptops were lost/stolen?  Neither the New Hampshire or victim notifications disclose this important piece of information.

Currently, there is no indication that the laptop was stolen for its content, but it is possible that there was unauthorized access to information
[Evan] Do you think that a thief would announce his/her intentions for stealing the laptop?  I don't think so.  What indication an investigator look for to explain a thief's motives?

We regret this unfortunate situation, and although we have no evidence at this time that any personal information has been accessed or misused, we encourage you to take preventative measures.
[Evan] What "preventative measures" did UTUIA use to protect personal information for which they were not the owners?  Who knows?

We sincerely apologize for any inconvenience that this may cause you.

If you have additional questions, please call us toll-free at 866-753-3631 between 8:30 a.m. and 4:30 p.m. eastern time, or contact us by mail at 14600 Detroit Avenue, Cleveland, Ohio 44107.

Commentary:
In my opinion, there is not enough information in the breach notification sent to the New Hampshire Attorney General or victims.  Customers deserve more information about what an organization plans to do in order to provide an adequate amount (owner's discretion) of security.  Based on the information we've read in the breach notification, there is no basis for judgment, which is sad.

What exactly does UTUIA do to protect the confidential information belonging to policyholders?

Past Breaches:
Unknown

]]> Mon, 16 Jun 2008 05:37:36 +0000 sensitive personal information personal information utuia protect personal information laptop computers utuia laptop computers information laptops utuia offices UTUIA laptops are missing after shipment