Thieves steal four Diocese of Providence computers
Date Reported:
2/1/08
Organization:
Roman Catholic Diocese of Providence
Contractor/Consultant/Branch:
None
Victims:
Current and former Catholic school employees
Number Affected:
about 5,000
Types of Data:
Names, addresses and Social Security numbers
Breach Description:
Sometime during the weekend of January 27th, 2008, thieves broke into the Chancery of the Roman Catholic Diocese of Providence and stole four desktop computers, one of which contained sensitive personal information belonging to current and former Catholic school employees.
Reference URL:
The Diocese of Providence online announcement
The Providence Journal online story
Report Credit:
The Diocese of Providence
Response:
From the online sources cited above:
An individual or individuals broke into the Diocesan Office Building (also known as the Chancery) located at One Cathedral Square in Providence. The perpetrator(s) gained access by breaking through an office window in the Catholic School Office suite.
Once in the building, the perpetrators forcibly entered through two locked office doors where they stole desktop computers and other equipment.
The office suite that was burglarized did not have an alarm system.
[Evan] It was reported that the Diocese does employ a security guard, but it is not known where he/she was at the time of the break-in. The fact that the timeframe in question is 8 hours (10 PM Friday - 6 AM Saturday) is interesting. Typically security guards are expected to make regular rounds (~ once every hour or two) throughout the area being guarded. Eight hours is a long time for a break-in to go undetected, so an alarm system would have been very beneficial as an alert if not a deterrent.
One of the stolen computers (a desktop computer, not a laptop) contained a substantial amount of data that included personnel information on present and former Catholic school employees throughout the Diocese of Providence.
The Rhode Island State Police have been notified of this incident. Additionally, the Providence Police Department has assumed responsibility for the investigation.
Thus far, the stolen equipment has not been recovered; however, the Catholic Schools Office is fully cooperating with law enforcement who are investigating the situation.
Present and former employees of Rhode Island Catholic schools may be affected.
A number of safeguards are in place such as: locked offices, password protected computers, local administrator account password protected, guest accounts disabled.
[Evan] These are all good security practices.
Employees have unique passwords that they are required to change every few weeks.
[Evan] Another good security practice, but every few weeks might be a little too often. If we make people change their passwords too often we increase the chances that they will write them down.
Additionally, personal information of students, teachers, parents and others associated with the Catholic Schools Office is prohibited from storage on laptop computers.
[Evan] Yet another good security practice.
Personal information of students and their parents and/or guardians was not stored on the stolen equipment.
In addition to notifying current and former employees by letters sent to last known addresses, the Catholic Schools Office has created this page on the web site and established a special phone number, 401/278-4678, to answer inquiries from those who feel they may have been affected.
Another diocese office was broken into about a year ago and a computer stolen.
“The Catholic schools office sincerely apologizes for any inconvenience this incident may cause its current and former employees,”
Commentary:
Judging from what the Diocese has told us about their security practices, it is easy to see that they have made a conscious effort to secure confidential information. They put some sound information security practices to use, but now we understand that it wasn't enough. At least two vital information security controls were missed: data-at-rest encryption and adequate physical security (alarm system missing). There is no mention as to whether or not the Diocese or Chancery are surveilled.
Past Breaches:
Unknown
