Laptop stolen from Workers Compensation Fund auditor

Date Reported:
1/2/08

Organization:
Workers Compensation Fund (WCF)*

*The Salt Lake City-based WCF provides worker compensation insurance coverage to more than 30,000 companies, representing about 61 percent of the businesses operating in the state.

Contractor/Consultant/Branch:
None

Victims:
Client workers and companies

Number Affected:
2,800 workers AND 1,400 companies

Types of Data:
Social Security numbers and "other personal information"

Breach Description:
A laptop computer containing sensitive personal and business confidential information was stolen from an auditor working for the Workers Compensation Fund on December 9, 2007. The laptop was inside a car that was parked in the employee's home garage.

Reference URL:
The Salt Lake Tribune Story

Report Credit:
Dawn House, The Salt Lake Tribune

Response:
From the source cited above:

Officials with one of Utah's largest insurance companies are searching for a stolen laptop containing Social Security numbers and other personal information for about 2,800 people and 1,400 companies.

The computer was taken from a car parked in the home garage of an auditor for the Workers Compensation Fund (WCF) on Dec. 9.
[Evan] The laptop was in the car which was in a home garage and was still stolen.

WCF said it chose not to issue a public statement at that time out of fear of alerting anyone that the laptop contained information that could be used for identity thefts.

The agency said it has informed companies and workers of the theft, and is covering fees for a professional security watch for the affected workers that could total $200,000, said WCF spokeswoman Peggy Larsen.
[Evan] $200,000 would cover the licensing, implementation and support costs of encrypting well over 1,000 laptops. We are in the process of encrypting 450 laptops (+ security tokens for two-factor authentication) for less than $90,000.

"As soon as this was discovered, every auditor brought in their laptops so that all information was removed," she said. "And, we've added additional levels of password protection."
[Evan] I wonder how many auditors this entails. Additional levels of password protection could add more risk by increasing a user's chances of writing passwords down. In a recent security audit we found that 20% (13 of 65) of one company's field laptop users were writing passwords down on Post-It notes (and similar) attached to the laptop itself.

The stolen laptop was password protected

as an additional precaution, auditors are now not allowed to store personal information, such as Social Security numbers, in their laptops and the computer information will be better encrypted
[Evan] "better encrypted"?  Was the information ever encrypted?  Encryption of confidential data at rest will certainly help given it is done right.

"This is the first time anything like this has happened," the agency's CEO Lane Summerhays said in a statement released Wednesday. "We are taking steps so it can be the last."
[Evan] Reactive vs. Proactive.  The bad thing about reactive security is that there are victims.

there is no indication that the information has fallen into the hands of identity thieves, "and now the only information on laptops is what anyone can get from a telephone book,"

Victim Reaction:
"WCF has failed to assure us that their procedures have changed to avoid such breaches of security in the future,"

Commentary:
I am somewhat amazed by the audacity that the thief displayed in stealing the laptop from a car in a garage. Maybe I shouldn't be. I guess this goes to show that information can be physically compromised in any place where strong physical controls are not present (i.e. a secure office or data center). Although this breach was easily preventable through the application of sound information security principles, I am always impressed with a CEO who speaks about information security matters. CEOs need to understand that ultimately, the information security buck stops with them.

Past Breaches:
Unknown




 