1,400 King County Transportation Department employees exposed
Date Reported:
10/12/07
Organization:
King County Transportation Department*
*King County is located on Puget Sound in Washington State. It is the 13th most populous county in the United States with 1.8 million people.
Contractor/Consultant/Branch:
None
Victims:
Current and former King County Transportation Department employees working in the Roads, Airport, and Fleet divisions.
Number Affected:
1,400
Types of Data:
Name, address and Social Security number.
Breach Description:
A laptop computer containing sensitive employee information was stolen from the home of a King County human resources employee during a home burglary that occurred on September 28th.
Reference URL:
The Seattle Times Online Story
Report Credit:
Keith Ervin, Seattle Times
Response:
From the online resource cited above:
"The King County Transportation Department has informed 1,400 current and former employees that a laptop computer containing personal information about them has been stolen."
"Workers' names, addresses and Social Security numbers were on the password-protected laptop, which was stolen during a Sept. 28 home burglary. The information was not encrypted, department spokeswoman Rochelle Ogershok said Thursday."
[Comfyllama] Great! The password protection does not help; encryption would have.
"The laptop was taken from the home of a Transportation Department human-resources employee while the employee was traveling outside the country, Ogershok said. The employee routinely carries the laptop from one work site to another."
[Comfyllama] ANYONE who routinely carries confidential data from one site to another MUST encrypt it. It was only a matter of time before this breach happened.
"Transportation officials learned of the theft Oct. 1 and, after determining what information was on the computer, sent letters to current and former employees Oct. 3 advising them of the incident."
"The affected employees work or worked in the Roads, Airport and Fleet divisions. Managers have held meetings with employees to discuss steps they can take to protect themselves from possible identity theft. The county will provide free credit monitoring for one year, Ogershok said."
[Comfyllama] IF an identity thief got their hands on this information, all they would need to do is wait a year. No big deal, just an inconvenience. How does it make sense to only offer a year of identity theft protection? An identity doesn't expire after a year, does it? Maybe if organizations were forced to offer lifetime identity theft protection, they would treat the data belonging to others with a little more respect.
"County Executive Ron Sims' office has been following the incident closely and is working with managers and union representatives to better protect workers' privacy in the future, said spokeswoman Annie Kolb-Nelson. She said it hasn't been decided whether the best approach is to encrypt information, keep personal information off portable computers, or adopt new guidelines on taking sensitive computers home."
[Comfyllama] Why "or"? How about, "yes", "yes", AND "yes"?! All three at the same time would offer what we security people call "defense in depth".
Commentary:
This is another lost or stolen laptop containing personal information without proper protection, namely encryption. It sounds like King County is contemplating the correct actions that would help to ensure that a similar breach does not occur in the future. I hope they follow through.
Past Breaches:
Unknown
