470 missing CDs with State of Nevada payroll information
Technorati Tag: Security Breach
Date Reported:
11/12/07
Organization:
State of Nevada
Contractor/Consultant/Branch:
Department of Personnel and various other state agencies
Victims:
Nevada state employees
Number Affected:
Unknown*
*there are 16,752 employees currently listed in the Nevada Government Directory
Types of Data:
Payroll information including Social Security numbers
Breach Description:
As many as 470 compact discs (CDs) containing sensitive payroll information about Nevada state employees are missing and presumed lost or stolen. The CDs were among the more than 13,000 shipped from the Nevada State Department of Personnel to the other 80 state agencies over the past three years. The incident came to light by a former state employee who contends he was fired because he urged the state to notify the victims.
Reference URL:
The Reno Gazette-Journal Story
Associated Press Story on kren.com
Report Credit:
Reno Gazette-Journal
submitted to The Breach Blog by an informed reader
Response:
From the online sources cited above:
"Hundreds of CDs containing payroll information about state employees, including Social Security numbers, have either been lost or stolen over the last three years, state Personnel Director Todd Rich said."
"Rich said his department sent a total of more than 13,000 CDs to 80 agencies for review every two-week pay period over the last three years. He said as many as 470 are still missing."
[Comfyllama] Since there is no mention of encryption, I am going to assume for the remainder of this posting that there was no encryption. So, who in their right mind would agree that this is an acceptable method for transporting confidential information? Someone must be living under a rock. There is absolutely no excuse for this type of negligence when dealing with people's personal information. Not only is this behavior negligent in terms of security, but how can it be cost effective?
“We haven’t had any notification from anybody that, ‘Hey, my identity has been stolen,’” Rich told the Nevada Appeal.
[Comfyllama] What is this supposed to mean?! So, because nobody said "Hey, my identity has been stolen" it is OK? Seems a little arrogant to me.
"He said it would be up to Attorney General Catherine Cortez Masto whether to issue a breach notification. If so, he said, it would be done by agencies with missing discs."
[Comfyllama] Pass the buck.
"The system has been tightened to prevent unauthorized people from getting employee information, Rich added."
“It’s on top of my list because we want to make sure foremost our employees’ personal information is protected,” said Rich, who assumed his position in May. “It concerns me greatly.”
[Comfyllama] Empty words come with no action.
"Under the new system, discs will be signed for and returned to the personnel department after each pay period, Rich said."
[Comfyllama] How does this ensure the security of the information on the discs? This would only tell you if you are missing a disc and as such is a reactive measure only.
"The CDs now require a password in order to read data, and employee identities will be better protected with a switch from Social Security numbers to a unique employee identification number"
[Comfyllama] The password protection means nothing to me because passwords can be easily cracked, guessed or disclosed. I do like the switch from Social Security numbers to employee IDs very much! Social Security numbers were never supposed to be used for identification anyway.
"The issue was raised by Jim Elste, a former state Department of Information Technology security manager, who says his efforts to prod the state to notify workers their personal information may have fallen into the wrong hands caused him to be fired."
"He made the argument during hearings before a state hearing officer. Elste is appealing his termination, saying he’s covered by whistleblower statutes."
"Elste said he discovered in June that there was no system for tracking the CDs after they were sent and no system for getting them back or destroying them."
[Comfyllama] Not to mention ensuring confidentiality if a disc were lost or stolen.
"DOIT Director Dan Stockwell testified Elste was fired for poor management and lack of anger control."
[Comfyllama] If I witnessed personal information being treated with disregard for security like this, it would be VERY HARD for me to control my anger too!
Commentary:
This breach is so unbelievable to me that I am finding it difficult to know where to start. Mr. Rich states that preventing "unauthorized people from getting employee information" is at the top of his list. I will give him the benefit of the doubt and assume that he just doesn't know how (and maybe nobody working for the state does either). The tightened controls that Mr. Rich mentioned are all fine and dandy, but why is there no mention of encryption? I can say this until I am blue in the face: CONFIDENTIAL INFORMATION MUST BE ENCRYPTED! If encrypted confidential information is lost on a CD then no worries, assuming that the keys remained secret (in private key cryptography).
This breach really irks me. I wonder if it would have ever been disclosed without a state hearing, and I also wonder if there was an effort to cover this up. To even question whether or not victims should be notified is crazy. Every person affected should absolutely be notified, no question!
On another somewhat related note, the State of Nevada Department of Personnel should look at their own Web site too. There is more information disclosed than there probably should be.
Past Breaches:
Unknown
Submitted anonymously from an informed reader:
To clarify: The data was NOT encrypted, according to former CISO James Elste; the State has a disclosure law (347), modeled after SB1386 in Calif., and that law appears to have been violated; the ONLY reason this went public was Jim's PUBLIC hearing.
It is clear that their technology transfer services worked as badly as they could, and such a breach clearly happened because somebody wanted to hide or to get their hands on some of the information stored on those CDs.
How come they don't use some method of encryption for their data? It's only common sense as long as they have very important information stored on CDs.
Services at Nevada state are not good.