State of Connecticut Stolen Laptop
Date Reported:
8/28/07
Organization:
State of Connecticut
Contractor/Consultant:
Department of Revenue Services (DRS)
Number Affected:
106,000
Types of Data:
Taxpayer names and Social Security numbers
Breach Description:
A laptop computer containing the personally identifiable information was stolen from a DRS employee's vehicle more than one week prior to the report.
Reference URL:
http://www.connpost.com/breakingnews/ci_6741050
Report Credit:
Connecticut Post
Commentary:
Yet another unencrypted laptop lost or stolen containing personal information. There is absolutely NO excuse for not encrypting laptops and personal storage devices.
Response:
The Connecticut DRS issued the standard set of responses meant to assure the poorly informed victims that their data is safe.
Standard Response #1:
"We believe somebody took it for the value of the hardware," - DRS spokeswoman Sarah Kaufman
NOTE: The real money is in the information. Personally identifiable information is trading for $20 - 100/record in online forums frequented by criminals. 106,000 records @ $20/ea = over $2 million! Why would I even care about the hardware?
"taxpayer names and Social Security numbers and was password protected." NOTE: Novice computer professionals can get past password protection. Anyway, if the persons responsible are stupid enough to believe that confidential information is OK on an unencrypted laptop, then they are probably stupid enough to store the passwords on a Post-It note too!
We see these types of minimizing statements time and time again from organizations that have not taken the proper steps to protect the information entrusted to them.
Past Breaches:
None since August 2007
UPDATE:
You think we were unhappy with the response? Sounds like quite a few people are, judging from this article today:
"The governor agrees it's inexcusable that this happened," said Christopher Cooper, Rell's spokesman. "The bottom line is the incident never should have happened."
I sincerely hope that the State of Connecticut will mandate encryption on all portable computing devices. It is a VERY doable project and would cost less than this faux pas. I have deployed encryption to over 50,000 mobile devices to date and would be glad to help.
Also from the article:
"House Majority Leader Christopher Donovan, one of the highest-ranking lawmakers at the Capitol and a taxpayer on the list, said he is unhappy with the response of the state Department of Revenue Services."
I am glad to hear that lawmakers have been affected personally so that they have a first-hand understanding of the problem.
This stolen laptop "was just one of 29 laptops that state employees reported lost or stolen since July 2006," according to state Comptroller Nancy Wyman. Unbelievable! 29 lost or stolen laptops, and nobody thought that this might be a problem? How does someone explain this?
According to an article posted at theday.com, Connecticut Governor M. Jodi Rell has announced a new laptop and mobile device policy for state employees. Although this will do little to help the current victims, this goes a long way in the protection against future breaches. I once led a project to encrypt 44,000 laptops at a Fortune 100 company, so I know the implementation challenge this will be. This won't be completed overnight.
Policy Highlights:
1. "mandatory risk assessment and written authorization from a state agency head any time “restricted or confidential” data is placed on a portable device"
2. "limits on the length of time the data may be stored on portable devices"
3. "requires that it be encrypted"
Amen! Sounds like someone listened to security and privacy experts and decided to follow their advice.
After implementation should come training and awareness. Let's not forget about the critical part of authentication best practices (which unlocks encryption).
Kudos to the Great State of Connecticut!
It would suck to have the name Jason Purslow and live in Connecticut today. Police released the name of the DRS employee who had his laptop stolen.
"The report says Department of Revenue Services supervisor Jason Purslow's $950 Dell computer was stolen from his 2005 Honda Pilot on Aug. 17 at a hotel in Hauppauge. Police said it was possible the vehicle was not locked because there were no signs of a break-in." - Newsday.com