L.A. Dept. of Water and Power employees exposed

Date Reported:
2/15/08

Organization:
Los Angeles Department of Water and Power ("DWP")

Contractor/Consultant/Branch:


*This breach appears to be related to "Theft from vendor affects Modesto City Schools employees" dated 2/12/08

Victims:
Employees

Number Affected:
8,275

Types of Data:
"names, Social Security numbers, dates of birth, employee identification numbers, salaries, work locations, deferred compensation balances (but not account numbers), insurance plan coverage and health care benefits selection"

Breach Description:
Computer equipment was stolen from a Los Angeles Department of Water and Power vendor, Systematic Automation, that contained sensitive personal information belonging to every employee of the utility.

Reference URL:
Los Angeles Daily News online story
Los Angeles Times online story

Report Credit:
Beth Barrett, Los Angeles Daily News

Response:
From the online sources cited above:

Computer equipment containing the private financial data of every employee of the Los Angeles Department of Water and Power was stolen earlier this week, prompting the utility to pay for a credit monitoring service for each of its 8,275 workers.

DWP General Manager H. David Nahai sent a letter to employees Wednesday informing them of the "possible security breach" and of steps being taken to safeguard them from the risk of identity theft.

DWP officials said the theft occurred at Systematic Automation Inc. in Fullerton and is being investigated by Fullerton law enforcement.
[Evan] From last week's Modesto City Schools breach, in which "A computer hard drive containing sensitive personal information belonging to Modesto City School district employees was stolen from Systematic Automation Inc. in Fullerton, California." Do you suppose this means that Systematic Automation was storing multiple client data sets on the same drive?

The data that was taken on active DWP employees included names, Social Security numbers, dates of birth, employee identification numbers, salaries, work locations, deferred compensation balances (but not account numbers), insurance plan coverage and health care benefits selection.

Nahai said the DWP had contracted with the company to print retirement booklets showing employees' benefits and other information.

"This kind of work is done by very specialized companies, and I think many companies contract out this kind of work," he said. (Nahai)
[Evan] This may justify why DWP sent the information out to a vendor, but it does not justify the breach or the lack of oversight (vendor management). Vendors trusted with confidential information MUST be held to the same strict standards as the company itself.

Nahai said the DWP was taking "extraordinary steps to protect our employees."

He said the data is encrypted and that the thieves may not be able to extract it.
[Evan] Encrypting the information is a very good call by DWP, but according to the Modesto City Schools breach, "Snelling said the district sent the employee information in an encrypted format to Systematic Automation, where it apparently was stored on the computer in an unencrypted format."  I would be surprised if the DWP information were not in a similar state.

The utility's Retirement Office also has made arrangements for a one-year subscription to a credit monitoring service for employees.

"It's in the very early stages of the investigation, and very early to point fingers," he said. (Nahai)

DWP spokesman Joe Ramallo said the utility had no evidence that the missing information had been misused.

"We're required by law to notify our employees that this theft occurred," he said. "But we don't have any knowledge at this point that the data was the target, and law enforcement said they don't believe that it is."

A spokesman for the International Brotherhood of Electrical Workers Local 18, the union that represents DWP employees, said Friday that his workers were "shocked and upset" by the loss of the data.

"They believe this is a direct result of the mania for outsourcing that the DWP has had," said Bob Cherry, a communications consultant for the union. "The DWP should have been paying more attention to the potential impact of sensitive data like this getting sent to outside vendors."
[Evan] Bob Cherry knows a thing or two. The security of information is the responsibility of the organization to whom it was originally given by the owner. This is a simple owner/custodian relationship. Just because the custodian did not lose the hard drive directly does not mean that the custodian is not responsible for the breach.

Vince Foley, who serves on the board of the DWP Retired Employees Assn., said he has received anxious calls from retirees. The stolen computer equipment also contained financial data on employees who retired between July 1, 2006, and June 30, 2007.

Foley said. "DWP's computers are, of course, encrypted and protected. But this is a situation where they had . . . a consultant who's given all this data so they can prepare the [benefits] statements."

Commentary:
I wonder how many more organizations are affected by the Systematic Automation burglary. So far, we know of two organizations and over 11,000 affected persons.

There are lessons to be learned from almost any breach, and it is always easier to play "Monday morning quarterback" after the fact. Good information security programs recognize the importance of managing security throughout the lifecycle of the information, no matter where it resides. At a minimum:

  1. Thoroughly evaluate the information security practices of vendors before engaging in formal business agreements.
  2. Include information security language in contractual agreements.
  3. Conduct regular audits of vendors to ensure that they continue to abide by your information security policies, standards, guidelines and procedures.
  4. If your company engages vendors on a regular basis, formalize the vendor security evaluation, approval and audit process.

These are just some tips that could easily be expanded upon and refined to your individual situation.

March 12, 2008 - UPDATE: A computer stolen from Systematic Automation is found

Past Breaches:
Related:
February, 2008 - Theft from vendor affects Modesto City Schools employees
Comments
  • 2/19/2008 8:48 PM John wrote:
    Just wanted to advise that the Bonita Unified School District of La Verne / San Dimas, CA has also sent out letters of security breach regarding this same exact theft!
    1. 2/20/2008 10:57 AM Evan Francen wrote:
      Thank you for the information John!

  • 2/22/2008 11:29 AM Monica Fredericks wrote:
    The employees at Torrance Unified School District were sent a letter on February 15, 2008, regarding this same theft and subsequent breach in our personal information. I'm upset that it took four to five days to be notified. The letter was sent out in an envelope from Systematic Automation, Inc. that looks, quite frankly, like junk mail. Many of our employees just tossed it before opening. On Wednesday, a week after the breach, employees who have school district e-mail received a notice from Human Resources with basically the same information that was mailed out.
  • 7/22/2008 5:59 PM toni wrote:
    Need help. DWP moved to a location in Sun Valley, CA years ago and built a beautiful waterfall in front. What happened to that location, and why did it move? They had just built it. Advise.