USPS stolen laptop exposes 3,000 employees
Technorati Tag: Security Breach
Date Reported:
10/29/07
Organization:
United States Postal Service (USPS)
Contractor/Consultant/Branch:
Oahu, Hawaii
Victims:
Oahu postal employees
Number Affected:
3,000
Types of Data:
Name, Social Security number and "other information"
Breach Description:
A laptop belonging to the United States Postal Service (USPS) that contained personally identifiable information on roughly 3,000 Oahu postal workers was stolen in August 2007.
Reference URL:
KITV Channel 4 News Story
KGMB Channel 9 News Story
Report Credit:
KITV - Honolulu (HI)
Response:
From the online articles cited above:
"About 3,000 Oahu postal employees received letters in the mail this weekend warning them that their personal information may be compromised."
[Comfyllama] May be compromised? If the confidentiality, integrity or availability of information cannot be assured, then it IS compromised.
"The employees' names, Social Security numbers and other information were on a laptop computer that was stolen in August."
"So far, there is no indication the thief was able to access the employees' information, U.S. Postal Service spokesman Duke Gonzales said."
[Comfyllama] If there is no encryption employed, then there is every indication that the thief "was able" to access the information. Now whether or not a thief actually did is a different story.
"An employee called KITV concerned about why it took so long for the postal service to issue an alert."
"It took so long to notify our employees because it took that long for investigators to determine that one file out of the thousands that were on the laptop contained personal identifying information. As soon as the one file was discovered, the notification process began," Gonzalves said.
[Comfyllama] This is not atypical in this type of investigation.
"The laptop was password protected, Gonzalves said."
[Comfyllama] Oh yes, the "password protected" statement. A response almost wouldn't be a response without it. Password protection is little more than no protection: a logon password gates the operating system, not the data on the disk. Without full-disk or file encryption, whoever holds the laptop can boot from other media or pull the drive and read every file directly.
"Employees are being urged to check their credit card and other financial statements for suspicious activity and to monitor their credit reports."
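The delay quoted above came from investigators having to find the one file among thousands that held personal identifying information. A practitioner triaging a lost-laptop image does that with a content scan rather than by hand. What follows is an added example, not code from the original post, the USPS or the news reports: a Python scanner that walks a directory, flags files containing plausible Social Security numbers, and applies the SSA's structural rules (area is never 000, 666 or 900-999, group is never 00, serial is never 0000) to cut false positives from phone and tracking numbers. The sample files, names and numbers it builds are constructed for the example.

```python
"""Find which files on a recovered or imaged laptop contain SSN-like values.

Added example for this post, not USPS or KITV code. The sample files below
are constructed; the names and numbers in them are invented.
"""
import os
import re
import tempfile

# 3-2-4 digits with optional dash or space separators. The lookarounds stop
# the pattern from matching inside longer digit runs such as tracking numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA's structural rules: area is never 000, 666 or 900-999,
    group is never 00 and serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_bytes(data: bytes) -> list:
    """Return the plausible SSNs in a blob, normalised to dashed form."""
    text = data.decode("utf-8", errors="ignore")
    return ["-".join(m.groups()) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_tree(root: str, max_bytes: int = 50 * 1024 * 1024) -> dict:
    """Walk root and map each file (path relative to root) to its hit count.
    Files with no hits are left out, so the result answers 'which file?'."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip images, media etc.; triage those separately
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read())
            except OSError:
                continue  # unreadable file: move on, do not abort the scan
            if hits:
                report[os.path.relpath(path, root)] = len(hits)
    return report


def build_sample_tree() -> str:
    """Construct a small stand-in for the laptop: many innocuous files and one
    export holding employee records. All contents are invented."""
    root = tempfile.mkdtemp(prefix="lost_laptop_")
    for i in range(20):
        with open(os.path.join(root, f"route_{i}.txt"), "w") as fh:
            fh.write(f"Route {i}: office 808-555-0100, tracking 9400111899223\n")
    with open(os.path.join(root, "roster_export.csv"), "w") as fh:
        fh.write("name,ssn\n")
        fh.write("A. Employee,123-45-6789\n")
        fh.write("B. Employee,234 56 7890\n")
        fh.write("C. Employee,000-12-3456\n")  # never issued: must not count
    return root


if __name__ == "__main__":
    for path, count in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{count:4d}  {path}")
```

Run against the constructed tree, only roster_export.csv is reported, with two hits; the phone and tracking numbers in the route files and the never-issued 000 area number are ignored. On a real image the same walk is pointed at the mounted filesystem, and the size cap keeps it from choking on large binaries, which a practitioner would carve separately.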
Commentary:
A lost or stolen laptop containing confidential information always brings up the same two points:
- What is confidential information doing on the laptop in the first place?
- Why are these laptops not encrypted?
I am interested to know what the USPS policy is on controls around confidential information. If they are inadequate (which I assume they probably are), I am not only concerned about USPS employees but all persons who are USPS customers. The USPS has a vast amount of information that they collect (and store).
Past Breaches:
Unknown
USPS AS-805:
http://www.usps.com/cpim/ftp/bulletin/2006/html/pb22190/pb10i-s_001.html
Excellent information Jeff!
My attention was immediately drawn to:
3-5.4 Encryption of Information
[Revise the title and text of 3-5.4.1 to read as follows:]
3-5.4.1 Encryption of Information in Transit Across Networks
Sensitive and business-controlled sensitive information must be encrypted in transit across networks.
[Revise the title and text of 3-5.4.2 to read as follows:]
3-5.4.2 Encryption of Information on Removable Devices or Media and in Offsite Storage
Sensitive and business-controlled sensitive information on removable devices or media must be encrypted. Sensitive and business-controlled sensitive information that is stored off Postal Service premises must also be encrypted.
[Insert a new section, 3-5.4.3, as follows:]
3-5.4.3 Encryption of Payment Card Industry Information
Payment card industry (PCI) information must be encrypted throughout the lifecycle.
Yes, great info indeed. I was also drawn to the encryption of payment part.