http://securityratty.com/tag/ywca Tue, 11 Dec 2007 09:23:19 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/2e5799582306cfe7453bce0221b53e76 http://securityratty.com/article/2e5799582306cfe7453bce0221b53e76 Security Breach

Date Reported:
10/9/07 (backdated)

Organization:
The Young Women's Christian Association (YWCA) Retirement Fund, Inc.

Contractor/Consultant/Branch:
None

Victims:
Active fund participants between January 1st, 2002 and September 28th, 2007

Number Affected:
Unknown

Types of Data:
Name and Social Security number.

Breach Description:
On Monday, October 1st, 2007 YWCA Retirement Fund employees noticed that a computer had been stolen from the Fund's office in New York.  The computer contained sensitive personal information including names and Social Security numbers for active fund participants from January 1st, 2002 to September 28th, 2007.

Reference URL:
State of New Hampshire Attorney General's Breach Notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the official breach notification and letter to victims:

We are writing to inform you that some of your personal identification information may have been compromised recently.
[Comfyllama] "May have been compromised"?  No, no, no.  If you do not have a reasonable assurance that data confidentiality, integrity, and availability remain intact, then the data IS compromised.

On Monday, October 1 when The Young Women's Christian Association Retirement Fund, Inc. staff arrived at the Fund's office we discovered one computer had been stolen.

The stolen computer contained the names and Social Security numbers of individuals who were active Participants in the Fund at anytime during the period from January 1, 2002 to September 28, 2007.
[Comfyllama] We couldn't find any information to give us an idea of how many people this refers to, but we didn't look long.

The stolen computer did not contain addresses, telephone or email contact points and most importantly no account balances.
[Comfyllama] Unauthorized access to any of this information is bad, but "most importantly no account balances"?  If I had a choice, I think I would rather have my account balance disclosed than I would my name and Social Security number.

Several factors lead us to believe that the risk to your personal data is rather low.

Here is further information about what occurred and these facts should help you assess the risk to your personal identification information:

1.  only the computer was stolen, not the monitor, nor the mouse, not the power pack
[Comfyllama] I am confused.  What does this have to do with the risk of unauthorized data access?

2.  the stolen computer was of a type that requires a power pack, not a power cord.  Power packs are not sold through retail outlets but must be ordered from the computer manufacturer which requires the computer's serial number, the customer's account number and name.  Dell has been notified of the theft.  Any attempted order will be flagged, the caller id will be recorded and forwarded to both the Fund and the New York Police Department with whom we met Monday afternoon, October 1.
[Comfyllama] This is simply untrue and useless information.  If you need a Dell power cord for a laptop, go to Dell and order one without proving a serial number, customer account number and name, or go to one of many of retail outlets that DO sell them.

3.  a passcode is required to access the personal identification information stored on the stolen computer.
[Comfyllama] This "passcode" is nothing more that a momentary nuisance to anyone with simple computer skills.

The fund has reviewed the pertinent 24-hour surveillance tapes from the week-end and they have been turned over to the NYPD.

We have already purchased and installed DEFCON cable locks on all computers.

In the next few weeks the Fund will consult with a security firm to evaluate our entire operation.  It is the intent of the Fund to implement the security firm's recommendations for improving data protection.
[Comfyllama] Let's hope that the "security firm" is worth at least half the price.

We sincerely apologize for causing you concern

Please be assured that we will be ever more vigilant in protecting your data.  If you have any questions, or if we may be of any further assistance at anytime, please call us toll-free at 1-800-222-4738.

Commentary:
This breach occurred not just as a result of a break-in and theft of a computer.  This breach occurred as a result of a fundamental failure of information security.  We don't have the privilege of looking at the YWCA Retirement Fund's information security program (assuming one exists), so we don't know much more than what we read in the Fund's response.  From reading the Fund's response, we can judge that the YWCA Retirement Fund is a poor custodian of sensitive information.  The response is one of the most clueless that we have seen to date.

I sincerely hope that the security firm eluded to in the response will recommend some serious changes, one of which would include encryption of data at rest.  I am sure the list will be long (assuming the security firm knows what they are doing).

Past Breaches:
Unknown



]]> Tue, 11 Dec 2007 09:23:19 +0000 ywca retirement fund retirement fund fund computer information security information sensitive information personal identification information active fund participants YWCA Retirement Fund participants exposed in stolen computer