Stolen laptops expose thousands of TSA records
Date Reported:
10/16/07
Organization:
U.S. Government
Contractor/Consultant/Branch:
Transportation Security Administration (TSA)
Victims:
Commercial hazardous materials drivers
Number Affected:
3,930
Types of Data:
Name, address, birthday, commercial driver's license number, and Social Security number.
Breach Description:
Two laptop computers used by a contractor working for the TSA went missing. One or both of the lost or stolen laptops contained sensitive personal information about commercial hazardous materials drivers.
Reference URL:
SC News Report
Report Credit:
Associated Press
Response:
From the online resources cited above:
"Two laptop computers with detailed personal information about commercial drivers across the country who transport hazardous materials are missing and considered stolen."
"The laptops belong to a contractor working for the Transportation Security Administration and contain the names, addresses, birthdays, commercial driver's license numbers and, in some cases, Social Security numbers of 3,930 people, according to an Oct. 12 letter from TSA to lawmakers."
"The contractor told the agency that all personal information was deleted from the laptops, but TSA investigators found that an individual with data recovery skills could recover the personal information."
[Comfyllama] Deleting confidential data may reduce the probability of disclosure, but it certainly does not protect the data adequately: an ordinary delete removes the directory entry and leaves the file's contents on disk until they happen to be overwritten, which is exactly what a data recovery tool takes advantage of. I commend the TSA investigators for being thorough and disclosing this fact.
"The contractor for the agency's Hazardous Materials Endorsement Threat Assessment program is LexisNexis, the report said."
[Comfyllama] LexisNexis?! I will assume then that these laptops belonged to LexisNexis. This is the same LexisNexis that has three breach disclosure notices on the New Hampshire Attorney General web site. I have little sympathy for a contractor that handles confidential data insecurely.
"News of the security breach came the day before TSA begins collecting similar personal information from employees with access to areas at the port of Wilmington, Del. The Transportation Worker Identification Credential program is set to launch in Wilmington on Tuesday. Eventually 750,000 employees across the country with access to port areas will be required to submit information for background checks."
[Comfyllama] I hope LexisNexis isn't going to be the contractor on this project.
"Since the two laptops were stolen, TSA has instructed the contractor to fully encrypt hard drives."
[Comfyllama] Absolutely! Kudos to the TSA, but why does LexisNexis need to be told? Did they not learn from past breaches?
Commentary:
This is now the third lost or stolen laptop breach in a row on The Breach Blog. I can think of at least four lessons that can be learned from this breach.
- Vendors and third-party contractors need to comply with organizational security policies and practices. Work with the legal department and make compliance a part of the contract itself.
- Just as organizational information assets need to be assessed and audited from time to time, do the same with your vendors and third-party contractors.
- Recognize that files which are simply deleted are easily recoverable with commonplace tools. Write secure file deletion standards and enforce them for computers that access confidential data.
- Encrypt confidential data at rest, especially on mobile devices. Encryption can be used in lieu of secure file deletion or, preferably, in combination with it.
TSA - Unknown
LexisNexis - Multiple
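The point the investigators made about the "deleted" data, and the last two lessons above, can be shown in a few dozen lines. The following is an added example written for this post, not code from The Breach Blog, the TSA or any contractor. It uses a toy block device with a directory table (an assumption standing in for a real filesystem) and a constructed, entirely fake driver record. It demonstrates that an ordinary delete leaves the record carvable from the raw image, that overwriting the blocks before release does not, and that encrypting the data before it reaches the disk makes even an ordinary delete safe. The HMAC-SHA256 counter-mode keystream stands in for the AES-based full-disk encryption a real product would use, because the Python standard library has no AES.

```python
import os
import re
import hmac
import hashlib

BLOCK_SIZE = 64

# Constructed sample record shaped like the breached data set; every value is fake.
SAMPLE_RECORD = b"NAME=John Doe;DOB=1970-01-01;CDL=D1234567;SSN=123-45-6789\n"
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


class ToyDisk:
    """Block device plus a directory table: a deliberately small model (an
    assumption, not any real filesystem) of the split between metadata
    and file contents."""

    def __init__(self, nblocks=16):
        self.image = bytearray(nblocks * BLOCK_SIZE)
        self.free = list(range(nblocks))
        self.directory = {}  # name -> (block numbers, byte length)

    def write(self, name, data):
        nblocks = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
        blocks = [self.free.pop(0) for _ in range(nblocks)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.image[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def read(self, name):
        blocks, length = self.directory[name]
        raw = b"".join(bytes(self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]) for b in blocks)
        return raw[:length]

    def delete(self, name):
        """Ordinary delete: drop the directory entry and mark the blocks free.
        The bytes stay on disk until something else overwrites them, which is
        what unlink() does on most real filesystems."""
        blocks, _ = self.directory.pop(name)
        self.free.extend(blocks)

    def secure_delete(self, name):
        """Overwrite every block of the file before releasing it."""
        blocks, _ = self.directory[name]
        for b in blocks:
            self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        self.delete(name)


def carve_ssns(image):
    """What a data-recovery tool does: ignore the directory, scan the raw image."""
    return SSN_RE.findall(bytes(image))


def keystream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256, standing in for AES-based
    full-disk encryption. Encrypting and decrypting are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def demo_plain_delete():
    """Delete the ordinary way, then carve the image like a recovery tool would."""
    disk = ToyDisk()
    disk.write("drivers.csv", SAMPLE_RECORD)
    disk.delete("drivers.csv")
    return carve_ssns(disk.image)  # the SSN is still on disk


def demo_secure_delete():
    """Overwrite before release: nothing is left to carve."""
    disk = ToyDisk()
    disk.write("drivers.csv", SAMPLE_RECORD)
    disk.secure_delete("drivers.csv")
    return carve_ssns(disk.image)


def demo_encrypted_at_rest():
    """Encrypt before writing: the key holder can still read the file, a thief
    carving the image cannot, and an ordinary delete is then good enough."""
    key, nonce = os.urandom(32), os.urandom(16)
    disk = ToyDisk()
    disk.write("drivers.csv", keystream_xor(key, nonce, SAMPLE_RECORD))
    readable_with_key = keystream_xor(key, nonce, disk.read("drivers.csv"))
    disk.delete("drivers.csv")
    return carve_ssns(disk.image), readable_with_key


if __name__ == "__main__":
    print("plain delete, carved:     ", demo_plain_delete())
    print("secure delete, carved:    ", demo_secure_delete())
    print("encrypted, carved / owner:", demo_encrypted_at_rest())
```

The first demo is the situation the TSA investigators described: the directory no longer lists the file, yet a pattern scan over the raw blocks returns the Social Security number. The second is what a secure file deletion standard buys you; the third is why the encryption lesson is the stronger one, since it protects the data whether or not anyone remembers to wipe it, and is what "fully encrypt hard drives" achieves for a lost laptop.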
Andy Prozes has denied that they are LN laptops
http://www.my-india.net/cgi-bin/n/viewnews.cgi?newsid1192982778,57566,
So it appears that my original assumption regarding LexisNexis may be incorrect, however the only reference I can find is:
http://www.dailyindia.com/show/184384.php/LexisNexis-CEO-denies-laptop-theft-allegations
(the link provided above did not work)
PortSecurityNews.com reports that the contractor was Biometric Technology, "The computers belong to TSA contactor Biometric Technology" at http://portsecuritynews.com/news/templates/registered.asp?articleid=1788&zoneid=1.