Laptop stolen from Minnesota Department of Commerce vendor
Date Reported:
12/28/07
Organization:
State of Minnesota
Contractor/Consultant/Branch:
Department of Commerce
Promissor Corporation
Victims:
Certain real estate, abstractor, appraiser, and debt collection license applicants and licensees
Number Affected:
219
Types of Data:
Names, Social Security numbers, addresses and state license numbers.
Breach Description:
A laptop computer containing sensitive personal information belonging to 219 Minnesota real estate, abstractor, appraiser and debt collection license applicants and licensees was stolen from an employee of Promissor Corporation, a contractor employed by the Minnesota Department of Commerce.
Reference URL:
Minnesota Department of Commerce News Release
St. Paul Pioneer Press News Story
Report Credit:
Minnesota Department of Commerce
Response:
From the official news release and online source cited above:
On December 6, 2007 a laptop computer containing the personal information of 219 Minnesota residents was stolen from an employee of Promissor Corporation in Philadelphia, Pennsylvania. Promissor is a vendor used by the Minnesota Department of Commerce to manage licensing data for the real estate, mortgage, and debt collection industries in Minnesota.
The theft of this computer has been reported to the Philadelphia Police Department and at this point it has not been recovered. Regrettably, Promissor waited until December 21 to alert the Minnesota Department of Commerce about this theft and since then Department staff has been working with the vendor to identify the extent to which Minnesota licensees have been affected and to notify them so they can take action to protect their identity.
[Evan] I can sense the frustration with the vendor. Vendors working with confidential information in any manner must be held to the same standards as everyone else. We recommend the creation and enforcement of a separate Vendor/Third-Party Access Policy (sample) to our customers that employ vendors.
The laptop was used to support and test the real estate, abstractors, appraisers and debt collection licensing system and data base used by several states including Minnesota.
[Evan] The use of production (real) data for support and test purposes is NOT a recommended practice. Promissor Corporation should know better.
password protected, but not encrypted.
information included some or all of the following data fields for 257 applicants/licensees in the licensing system (including 219 Minnesota licensees): name, social security number, address and state license number.
On Friday, December 28, the Department of Commerce received from Promissor a list of the 219 individuals affected by the theft. Department staff is currently contacting these licensees by phone to notify them of the theft of their data and suggest steps they should take to protect their identity. Promissor also sent each licensee written notification which includes an offer by the company to purchase the credit watch monitoring service from Equifax for one year at no cost to the licensee.
[Evan] Credit monitoring only monitors for fraud and alerts a victim after it has already occurred. One year's worth of protection is only good for information that is no good after a year.
The Department is also demanding from Promissor stricter measures of security for all other data containing Minnesota licensee information on all of their computer systems.
[Evan] Like?
Commentary:
What information security measures are required of Minnesota Department of Commerce vendors and contractors? Stolen or lost laptops containing sensitive information without encryption are nothing new, although no more excusable. A twist in this breach is the use of production data in support and test functions. I can't tell you how many times I have butted heads with programmers who insisted on using real data for code testing. Developers should ONLY use fabricated and/or sanitized data for testing, no exceptions.
I am a Minnesota resident. This is the second breach in the past month related to an unencrypted stolen laptop for my state. The other breach concerned the Memorial Blood Centers and the disclosure that a laptop containing information belonging to 268,000 donors was stolen.
Past Breaches:
Unknown
