Nevada Department of Public Safety applicants exposed
Technorati Tag: Security Breach
Date Reported:
3/4/08
Organization:
State of Nevada
Contractor/Consultant/Branch:
Nevada Department of Public Safety
Crown, Stanley and Silverman
Victims:
Job applicants
Number Affected:
~300
Types of Data:
Names, addresses, Social Security numbers, and other personal information required for thorough background checks.
Breach Description:
"A private firm working for the Nevada Department of Public Safety has lost personal information provided by 109 individuals seeking jobs with the agency."
Reference URL:
KTVN Channel 2 News
Las Vegas Review-Journal
The Houston Chronicle
Report Credit:
KTVN Channel 2 News
Response:
From the online sources cited above:
Crown, Stanley and Silverman (CSS), a company contracted by The Nevada Department of Public Safety (DPS), has lost personal background information on 109 people.
CSS was conducting background checks on applicants for DPS positions.
[Evan] Crown, Stanley and Silverman does not appear to have a web site, but their Reno business license information can be found here.
The information was stored on a portable computer memory device (thumb drive) that was owned by an employee of CSS.
The DPS is in the process of notifying the 109 applicants that personal information about them, including their social security numbers, addresses and background check information about them has been lost.
The DPS has ordered CSS to cease all background check activities and to return all files to DPS.
The DPS has suspended the use of outside vendors for background checks while a review of processes and procedures is conducted.
[Evan] This seems like a prudent decision.
There is currently no indication the data that was lost has been used for any unlawful purpose.
From the Crown, Stanley and Silverman statement:
The drive contained unencrypted personal information of approximately 300 individuals.
[Evan] The Nevada DPS reports 109 people and Crown, Stanley and Silverman reports 300. Are there actually 300 affected individuals related to Nevada DPS, or was Crown Stanley and Silverman not segmenting client data on separate devices and another organization involved?
"We deeply regret this incident," said Gina Crown, President of the firm.
"Crown, Stanley and Silverman is deeply committed to protecting the privacy and security of all the personal information that is entrusted to us by our clients and generated in the course of our investigations. We are currently reviewing all of our security processes, and we are strengthening our processes to help ensure that this incident will not reoccur," she said.
[Evan] Much of Crown, Stanley and Silverman's work is with sensitive personal information. Using confidential information provides much of the basis of their company.
Commentary:
Crown, Stanley and Silverman is a security investigative services company. It seems like many of these companies are staffed by ex-law enforcement personnel, and I wonder how many of them have ever received formal information security training.
Obviously (maybe not so much), using thumb drives for the storage and transportation of confidential personal information is discouraged in many circumstances. IF the business benefit provided by using thumb drives is too great, then at least use encryption to reduce the risk of exposure.
Past Breaches:
November, 2007 - 470 missing CDs with State of Nevada payroll information
Date Reported:3/4/08
Organization:
State of Nevada
Contractor/Consultant/Branch:
Nevada Department of Public Safety
Crown, Stanley and Silverman
Victims:
Job applicants
Number Affected:
~300
Types of Data:
Names, addresses, Social Security numbers, and other personal information required for thorough background checks.
Breach Description:
"A private firm working for the Nevada Department of Public Safety has lost personal information provided by 109 individuals seeking jobs with the agency."
Reference URL:
KTVN Channel 2 News
Las Vegas Review-Journal
The Houston Chronicle
Report Credit:
KTVN Channel 2 News
Response:
From the online sources cited above:
Crown, Stanley and Silverman (CSS), a company contracted by The Nevada Department of Public Safety (DPS), has lost personal background information on 109 people.
CSS was conducting background checks on applicants for DPS positions.
[Evan] Crown, Stanley and Silverman does not appear to have a web site, but their Reno business license information can be found here.
The information was stored on a portable computer memory device (thumb drive) that was owned by an employee of CSS.
The DPS is in the process of notifying the 109 applicants that personal information about them, including their social security numbers, addresses and background check information about them has been lost.
The DPS has ordered CSS to cease all background check activities and to return all files to DPS.
The DPS has suspended the use of outside vendors for background checks while a review of processes and procedures is conducted.
[Evan] This seems like a prudent decision.
There is currently no indication the data that was lost has been used for any unlawful purpose.
From the Crown, Stanley and Silverman statement:
The drive contained unencrypted personal information of approximately 300 individuals.
[Evan] The Nevada DPS reports 109 people and Crown, Stanley and Silverman reports 300. Are there actually 300 affected individuals related to Nevada DPS, or was Crown Stanley and Silverman not segmenting client data on separate devices and another organization involved?
"We deeply regret this incident," said Gina Crown, President of the firm.
"Crown, Stanley and Silverman is deeply committed to protecting the privacy and security of all the personal information that is entrusted to us by our clients and generated in the course of our investigations. We are currently reviewing all of our security processes, and we are strengthening our processes to help ensure that this incident will not reoccur," she said.
[Evan] Much of Crown, Stanley and Silverman's work is with sensitive personal information. Using confidential information provides much of the basis of their company.
Commentary:
Crown, Stanley and Silverman is a security investigative services company. It seems like many of these companies are staffed by ex-law enforcement personnel, and I wonder how many of them have ever received formal information security training.
Obviously (maybe not so much), using thumb drives for the storage and transportation of confidential personal information is discouraged in many circumstances. IF the business benefit provided by using thumb drives is too great, then at least use encryption to reduce the risk of exposure.
Past Breaches:
November, 2007 - 470 missing CDs with State of Nevada payroll information
Posted by Evan Francen at 3/7/2008 10:13 AM 
Categories: Nevada Department of Public Safety, State of Nevada, Crown Stanley and Silverman, Lost Device
Categories: Nevada Department of Public Safety, State of Nevada, Crown Stanley and Silverman, Lost Device
Posts Atom 1.0
Ever wonder what happens to a mobile storage device when it gets lost? We hear about these breaches more and more frequently, but rarely hear what happens to the actual device.
For this reason, I set up the Honey Stick Project at http://www.honeystickproject.com to publish the results of a number of experiments in this area.
Please feel free to visit and comment.
- Scott
Reply to this
Thank you Scott.
I will be sure to visit your site soon!
Reply to this