Stolen laptops affect 337,000 Davidson County voters
Date Reported:
12/28/07
Organization:
Davidson County Election Commission*
*Davidson County, Tennessee has an estimated population of 607,413. The county seat is Nashville.
Contractor/Consultant/Branch:
None
Victims:
Registered Davidson County voters
Number Affected:
337,000
Types of Data:
Names, Social Security numbers, addresses and telephone numbers.
Breach Description:
A pair of laptop computers containing sensitive personal information belonging to 337,000 registered Davidson County, Tennessee voters was stolen from the Davidson County Election Commission office during the Christmas break.
Reference URL:
WTVF News Channel 5 Story
WKRN Channel 2 News Story
Nashville Business Journal
Report Credit:
News Channel 5
Response:
From the online sources cited above:
A break-in at the Davidson County Election Office at 800 Second Ave. has jeopardized a large number of voters' personal data, according to Ray Barrett, election administrator.
It looks as though they used a rock to break their way in.
[Evan] A rock is all it took. There is no mention of any alarm system and it appears that nobody noticed until they came back to the office.
Taken were two Dell Latitude laptops containing information of 337,000 registered Davidson County voters.
"As we look deeper into determining the extent of loss that occurred during the holiday break-in, we now know that full social security numbers were included on the voter files contained on one or more of the stolen computers," said Ray Barrett.
"Initially, we thought that the only information was the same that the public can purchase when putting together mailing lists, we now know that was incorrect."
The Election Commission says it will formally notify the public by mail that their full Social Security numbers may be available to outside parties and is asking voters to monitor their financial and personal accounts for any suspicious activity.
Barrett says he has asked Metro's information technology department to make immediate changes to safeguard against any future security problems.
[Evan] I wonder what these people will come up with. Not only "immediate changes", but also effective changes. There are likely numerous changes that could be suggested. It all starts with policy.
The Election Commission says it does not anticipate that the theft will cause any problems in the upcoming Tennessee presidential primary.
Commentary:
This is an example of typical reactionary information security. "Immediate changes" are made after the significant loss of confidential information. I assume that there is not a well written or communicated information security policy at Davidson County. If there is, it is obviously not well enforced or supported by procedural, administrative, or technical controls.
Why are the offices not physically secure? If a rock is all that is needed to break in and go undetected for x number of days, then the offices were not physically secure.
Why is confidential information stored on mobile devices (laptops in this instance)? Confidential information should be stored, whenever possible, in a secure (physically and logically), centralized location.
Why are mobile devices that access, process, store, create, or transmit confidential data not encrypted? This is a point that I have been trying to drill home for years. Some people get it, some people fear it, and some people are oblivious. The sad thing is that consumers don't know which category the organization is in. Until consumers demand more, business as usual.
Past Breaches:
Unknown

Can they just get away with this flagrant attitude and lack of consideration for the security and well-being of the voters - my name was on that list! All they are doing is sending a disk to the reporting agencies and suggesting we put a fraud alert on our records... They should be held liable for damages and required to pay for credit monitoring services.
UPDATE:
The laptops, hard drives and content have all been recovered.
http://www.bizjournals.com/nashville/stories/2008/01/21/daily2.html