Systematic Automation breach continued...

Date Reported:
2/22/08

Organization:
Torrance Unified School District

Contractor/Consultant/Branch:
*

*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08,
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08, and
"Clovis Unified School District employees receive notice" dated 2/21/08


Victims:
Employees

Number Affected:
~2,200**

**Over 17,000 total (and counting)

Types of Data:
Names, addresses, dates of birth and Social Security numbers

Breach Description:
Computer equipment containing sensitive personal information belonging to employees of the 33-campus district was stolen from Systematic Automation, a Torrance Unified School District vendor.  Systematic Automation manages employee benefit information, and the district is the fourth reported organization affected by the loss.

Reference URL:
The dailybreeze.com online news story

Report Credit:
Shelly Leachman, dailybreeze.com, also submitted to The Breach Blog by an informed reader

Response:
From the online source cited above:

Personal information about 2,200 Torrance Unified School District staffers was housed on a hard drive recently stolen from an Orange County company that helps agencies administer employee health benefits.

Names, addresses, birth dates and Social Security numbers were among the personal details stored on equipment at Systematic Automation Inc. of Fullerton, district officials confirmed Friday.

"I'm a little disappointed with my school district for not having done something about it. They have had a lot of time to respond to us," said Irmi Lake, a 10-year Torrance Unified para-educator and chapter vice president of her union, the California School Employees Association.

Noting that members of her union "don't fault the district for the incident," Lake added, "I was hoping that we would get some more assistance to help all the employees in the district."
[Evan] The district DOES share some fault in this breach.  The personal information was given to the district with the assumption that the district would protect the information.  The responsibility for the protection of information does not cease because the district contracted a third party to work with the information.  Vendors, contractors and consultants must all comply with an organization's information security policies and practices.  The organization must demand compliance and audit vendors on a regular basis.

Business chief Don Stabler said Friday that letters addressing the theft and including information about fraud alerts are en route to all those affected.

"We're not downplaying it at all," Stabler said, noting that such a breach is a first for the 33-campus district. "It is a serious situation, and we're doing everything we can to notify our employees and give them some information so they can protect themselves."

Torrance Unified has contracted with Systematic Automation for about one year, Stabler said, explaining that the company digitally enrolls district staffers for health benefits.

In addition to the data-containing hard drive, three monitors were stolen.

Commentary:
As stated earlier in the posting, this is the fourth organization affected by this single breach.  I wonder if any one of the organizations inspected Systematic Automation's information security practices.  If they had, would they have known that Systematic Automation stores sensitive personal information entrusted to multiple organizations on a shared unencrypted hard drive?

A couple of tips if you are contracting with a company that you share confidential information with (beyond what was shared in the commentary here):

  1. Demand that your vendors segment your confidential information from that of their other clients.
  2. Demand encryption of confidential information while in transit and at rest.

Of course there are no guarantees, but each security best practice followed reduces the risk of unauthorized disclosure of confidential information.

March 12, 2008 - UPDATE: A computer stolen from Systematic Automation is found

Past Breaches:
Torrance Unified School District:
Unknown
Systematic Automation:
February, 2008 - Clovis Unified School District employees receive notice
February, 2008 - L.A. Dept. of Water of Power employees exposed
February, 2008 - Theft from vendor affects Modesto City Schools employees
