Iron Mountain loses LOSFA backup case
Date Reported:
10/15/07
Organization:
Louisiana Office of Student Financial Assistance (LOSFA)
Contractor/Consultant/Branch:
Iron Mountain
Victims:
Potentially:
- Anyone who has a Louisiana College Savings account (START Saving Program).
- Any resident of the state of Louisiana who has completed a Free Application for Federal Student Aid (FAFSA).
- Anyone who has completed a FAFSA and included a Louisiana postsecondary institution as an institution to which FAFSA data should be sent.
- Anyone who has applied for or received a Tuition Opportunity Program for Students (TOPS) Scholarship.
- Anyone who has applied for or who has received student financial aid in the State of Louisiana.
Number Affected:
Unknown
Types of Data:
Name, address, bank account information, and Social Security numbers.
Breach Description:
A case containing LOSFA backup data was lost by an Iron Mountain driver who supposedly failed to follow company procedures. The backup data included thousands of records on Louisiana residents who have applied for various LOSFA programs and federal student financial aid. The driver was fired.
Reference URL:
LOSFA Notification Site
Report Credit:
Louisiana Office of Student Financial Assistance (LOSFA)
Associated Press
Response:
From the official LOSFA announcement/information site and online resource cited above:
"Iron Mountain Incorporated has notified the Louisiana Office of Student Financial Assistance (LOSFA) that it lost back-up media belonging to LOSFA on September 19, 2007."
[Comfyllama] To be honest, this is the first breach concerning Iron Mountain that I recall. Iron Mountain handles so much confidential information on so many companies. This breach immediately caught my eye.
"The case was lost Sept. 19 when a driver for a Boston-based contractor failed to follow company procedures when loading it onto his vehicle, according to a statement e-mailed Wednesday by Laura Sudnik, spokeswoman for Iron Mountain Inc."
"Iron Mountain Incorporated, which is the State of Louisiana’s data storage contractor, began efforts to locate the media the same day after discovering the loss."
"'Our entire business is built around high security and reliability and we regret that this employee error took place,' the data-protection and storage company said."
[Comfyllama] Business is bad today.
"The driver was fired. Sudnik said the man had worked five years for Iron Mountain and his work record had been in good standing. The loss of the case was an accident without malicious intent, Sudnik said."
"The data was being moved from Iron Mountain's Port Allen storage building to Baton Rouge. Iron Mountain said it notified the state immediately of the problem."
"LOSFA immediately reported the incident to appropriate state authorities and has begun its public notifications. To date, the media has not been found, and the investigations by state and local law enforcement are ongoing."
"Bank account data and Social Security numbers for virtually all Louisiana college applicants and their parents over the past nine years were lost last month during a move, officials said."
"A lost case held backup data for every Louisiana application for federal student aid — just about anyone who applied to college — from 1998 through Sept. 13 of this year, Amrhein (AM-rine) said."
"The data is compressed and requires special software, specific computer equipment and sophisticated computer skills to access it."
[Comfyllama] I almost fell off my chair when I read this statement from LOSFA. Compression offers no security, and the "special software", "specific computer equipment" and "sophisticated computer skills" are NOT that special, specific or sophisticated. All are easily obtained.
"LOSFA has no reason to believe that the information has been accessed or that it has been misused in any way, however, you are entitled to be informed of the risks associated with the loss of this media and of the steps that you can take to protect yourself."
[Comfyllama] "entitled" because the personally identifiable information belongs to the victims NOT LOSFA.
"LOSFA has contracted with a nationally recognized organization specializing in the field of identity theft to assist it in providing the best information available to you."
[Comfyllama] Who? Why not name the "nationally recognized organization"?
"LOSFA is committed to ensuring data security for our clients, and is taking all steps necessary to help those who are affected."
[Comfyllama] Start by encrypting personal information.
LOSFA has created an online query for a concerned person to check in order to determine if they might be affected: osfantweb.osfa.state.la.us/Notice.nsf/
Commentary:
What a sad breach of security this is. I wonder how many records Iron Mountain moves every day and how easily this could happen under even the most strict controls.
I can understand the mistake that this employee made (assuming it was a mistake), but I do not understand why LOSFA thought it was OK to store confidential personal information without encryption. LOSFA creates and uses thousands of personal records every year, and nobody thought to encrypt?! Personal data at rest (on disk, in flash memory, on tape, etc.) MUST be encrypted. Someday we will all understand, eh?
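To make the compression-versus-encryption point concrete, here is a pre-shipment check for backup media, added as an example; it is not part of the original post and is not LOSFA or Iron Mountain tooling. The function names, the constructed sample rows and the 7.5 bits/byte threshold are assumptions, and the "ciphertext" is pseudo-random stand-in bytes because the Python standard library has no AES.

```python
import bz2, gzip, hashlib, lzma, math, re
from collections import Counter

# Containers that only compress; each one opens with no key at all.
COMPRESSORS = [(b"\x1f\x8b", "gzip", gzip.decompress),
               (b"BZh", "bzip2", bz2.decompress),
               (b"\xfd7zXZ\x00", "xz", lzma.decompress)]
SSN_LIKE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def inspect_backup(blob: bytes) -> dict:
    """Pre-shipment gate: refuse media whose contents are readable without a key."""
    fmt, plain = "no container", blob
    for magic, name, decompress in COMPRESSORS:
        if blob.startswith(magic):
            fmt, plain = name, decompress(blob)  # standard library only, no secret needed
            break
    hits = len(SSN_LIKE.findall(plain))
    # High entropy is necessary for ciphertext but not sufficient: compressed
    # data scores high too, which is why the magic-byte check runs first.
    opaque = fmt == "no container" and hits == 0 and entropy(blob) > 7.5
    return {"format": fmt, "ssn_like": hits, "ok_to_ship": opaque}

def sample_records(n: int = 1000) -> bytes:
    """Constructed applicant rows; SSN area 000 is never issued."""
    return b"".join(b"Applicant %d,000-%02d-%04d\n" % (i, i % 100, i) for i in range(n))

def stand_in_ciphertext(size: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for real ciphertext."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(size // 32))

if __name__ == "__main__":
    for label, blob in [("plain", sample_records()),
                        ("gzip", gzip.compress(sample_records())),
                        ("encrypted (stand-in)", stand_in_ciphertext())]:
        print(label, inspect_backup(blob))
```

Passing this gate shows only that the media is not trivially readable; whether it is actually encrypted is established by the backup job's configuration and key management, not by entropy.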
Past Breaches:
Unknown
Hi Comfyllama,
This is not the first time that a security breach happened at this company.
One way of mitigating a risk of disaster is to have an online backup service. I have been reading about the online backup and storage industry for a while now. It is becoming a commonly accepted technology these days. For online backup news, information and articles, there is an excellent website:
http://www.BackupReview.info
This site lists more than 400 online backup companies and ranks the top 25 on a monthly basis. It also features a CEO Spotlight page, where senior management people from the industry are interviewed.
Check out the search section of this website and look for older cases by typing keywords in the News / Title or News / Content.
http://www.backupreview.info/index.php?pid=articles_search
Cheers,
Very good information Jenny!
Thank you for sharing.