Iowa DNR loses personal information on 7,000
Date Reported:
12/11/07
Organization:
State of Iowa
Contractor/Consultant/Branch:
Department of Natural Resources (DNR)
Salem Associates
Victims:
Wastewater and drinking water worker permit applicants
Number Affected:
7,000
Types of Data:
Applicant data including names, addresses, phone numbers, and Social Security numbers.
Breach Description:
An employee of Salem Associates, a contractor working for the Iowa DNR, lost a thumb (flash) drive containing sensitive personal information belonging to DNR wastewater and drinking water permit and certification applicants.
Reference URL:
KCRG-TV News Story
Radio Iowa News Story
The Des Moines Register
Report Credit:
Mike Wagner, Managing Editor with KCRG-TV News
Response:
From the online sources cited above:
A contractor for the Iowa Department of Natural Resources lost a computer flash drive containing the names and Social Security numbers of more than 7,000 Iowans.
The information on the flash drive was about people who operate water and sewage treatment plants, landfills and well-drilling operations.
The records, kept by Salem Associates of Des Moines on behalf of the DNR, were related to the certifications.
[Evan] Salem Associates is an IT services contractor for the DNR. You would think that a company that makes a living off of IT would know better than to copy unencrypted confidential data to a thumb drive.
Salem told DNR managers on Dec. 5 that the flash drive…went missing on Nov. 21 and probably ended up in the trash at the department's office complex in Des Moines.
Liz Christiansen, deputy director of the DNR, sent a letter to the affected people on Friday.
The records included information about retirees in addition to active workers.
Rick Hindman, an information technology supervisor at the DNR, said that Iowa government policy bans the use of flash drives to back up sensitive information but that the DNR's policy is not as specific.
[Evan] A non-specific policy is doomed to fail as is the entire program built around it.
The department was already reviewing its security policies when the Salem incident happened and probably will ban the use of flash drives in similar situations, he said.
[Evan] Probably? If the Iowa DNR decides not to ban them, I hope they at least decide to control them (encrypt).
State law and U.S. Environmental Protection Agency rules often require that Social Security numbers be listed on the databases, Hindman said.
[Evan] Is this true? Ugh, outdated regulation and bureaucracy.
He said it is unlikely that people could access the records even if they had the flash drive. That's because the file was a backup copy that would have to be restored, meaning the user would need the same program used to create the file - a program that isn't on many home or office computers. "The information is not encrypted, but it isn't very accessible," Hindman said.
[Evan] Just because the data "isn't very accessible" does not mean it is secure, and it does not excuse the Iowa DNR from treating confidential data in a risky manner. This is nothing more than an attempt to minimize the situation and draw attention away from the true problem(s).
He said the state has not received any reports of fraud or identity theft and doubts that it will.
The DNR is paying for a year's worth of credit-monitoring service for the workers. The workers have been told to contact the Iowa attorney general's office if they suspect fraud or identity theft.
[Evan] One year of credit monitoring may help all of those people who have expiring Social Security numbers. Do you have an expiring Social Security number? I don't.
"We sincerely apologize for the inconvenience this situation causes you and reiterate our commitment to achieving and maintaining information technology security systems," Christiansen said in her letter.
Victim Reaction:
"We were told the state system is secure and there is no way anyone could hack into it," - Scott Smith of the Boone County landfill and past president of the state landfill operators association.
"They don't have to hack to get the information - they are handing it out on flash drives." - Scott Smith
Commentary:
Breaches like this irk me. An employee working for an IT contractor for some reason thought it would be OK to copy confidential data onto a thumb drive. Thumb drives are inherently an information security nightmare if they are not properly controlled. They are small, high-capacity and easily lost or stolen. Some of the options we have explored in the past include disabling USB ports and employing technological controls (check out TrueCrypt, BeCrypt Connect Protect, GFI EndPointSecurity and Pointsec to name just a few).
According to a May 2007 Information Week article, "Thumb Drives Replace Malware As Top Security Concern"
Why is the DNR policy "not as specific"?
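An added example, not code from the original post or from the DNR or Salem Associates, of the kind of removable-media control argued for above: a byte-level scan of an opaque backup file shows that a proprietary format does nothing to hide Social Security numbers, so the "not very accessible" argument fails and the copy has to be blocked (or the data encrypted) instead. The backup layout, the applicant records and the function names are all constructed for this example; nothing is known about the real backup program's format.

```python
import re
import struct

# Constructed stand-in for the lost "backup copy": a magic header, a record
# count, then length-prefixed, newline-terminated records. The layout is
# invented for this example; nothing is known about the real backup format.
def build_backup(records, encoding="utf-8"):
    blob = bytearray(b"BKUP\x00\x01" + struct.pack("<I", len(records)))
    for fields in records:
        rec = ("\x1f".join(fields) + "\n").encode(encoding)
        blob += struct.pack("<H", len(rec)) + rec
    return bytes(blob)

# SSN shape AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
# The 3-2-4 grouping keeps 3-3-4 phone numbers from matching.
SSN_TEXT = r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}(?!\d)"
SSN_BYTES = re.compile(SSN_TEXT.encode())
SSN_STR = re.compile(SSN_TEXT)

def find_ssns(data: bytes):
    """SSN-shaped values recoverable from raw bytes, whatever the file format.
    The data is scanned as-is and again as UTF-16LE text, which a plain byte
    regex misses because of the NUL byte between every character."""
    hits = [m.group().decode() for m in SSN_BYTES.finditer(data)]
    hits += SSN_STR.findall(data.decode("utf-16-le", errors="ignore"))
    return sorted(set(hits))

def removable_media_gate(data: bytes, max_ssns: int = 0):
    """Decision a removable-media DLP control would make before a copy:
    block when the recoverable SSNs exceed the permitted count."""
    hits = find_ssns(data)
    return ("block" if len(hits) > max_ssns else "allow"), hits

# Constructed applicants, not real people.
SAMPLE_APPLICANTS = [
    ("A. Applicant", "1 Main St, Des Moines", "515-555-0100", "123-45-6789"),
    ("B. Retiree", "2 Elm St, Boone", "515-555-0101", "234-56-7890"),
]

if __name__ == "__main__":
    for enc in ("utf-8", "utf-16-le"):
        verdict, hits = removable_media_gate(build_backup(SAMPLE_APPLICANTS, enc))
        print(f"{enc}: {verdict} {hits}")
```

Both encodings of the same records come back "block" with the two SSNs listed, which is the point: the scan never needed the backup program.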
Past Breaches:
Unknown